News Items

  • news

    HoTSoS 2022 Best Undergraduate Poster Award

    Congratulations to Sanjana Cheerla at NCSU for winning the HoTSoS Best Undergraduate Poster Award for their poster Identifying Online Misbehavior.

    Check out the Announcement & Closing Remarks stream here!

  • news

    HoTSoS 2022 Best Poster Award

    Congratulations to Samin Yaseer Mahmud & William Enck at NCSU for winning the HoTSoS Best Poster Award for their poster A Study of Security Weakness in Android Payment Service Provider SDKs.

    Check out the Announcement & Closing Remarks stream here!

  • news

    Science of Security and Privacy 2022 Annual Report

    The Science of Security and Privacy 2022 Annual Report is now available.

    This report highlights the progress and accomplishments of the Science of Security and Privacy initiative.

  • news

    Paper on One-Way Functions Wins NSA Paper Competition

    "On One-way Functions and Kolmogorov Complexity" wins the 9th Annual Best Scientific Cybersecurity Paper Competition. This paper was written by Yanyi Liu from Cornell University and Rafael Pass from Cornell Tech.

    An honorable mention award was given to "Retrofitting Fine Grain Isolation in the Firefox Renderer" written by Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Sorin Lerner, Eric Rahm, Hovav Shacham and Deian Stefan.

  • news

    NSF 21-122 Dear Colleague Letter: Enabling Secure and Trustworthy Cyberspace (SaTC) CISE-SBE Interdisciplinary Collaborations

    NSF 21-122

    Dear Colleague Letter: Enabling Secure and Trustworthy Cyberspace (SaTC) CISE-SBE Interdisciplinary Collaborations

    Proposals are due Dec 10, 2021, but an approval letter from a program officer is required before you can submit. Submitting in response to that DCL does *not* count against the limit of the number of proposals that can be submitted against the SaTC solicitation.

    September 27, 2021

  • news

    Solicitation: NSF Secure and Trustworthy Cyberspace (SaTC) [Solicitation 22-517]

    Secure and Trustworthy Cyberspace (SaTC)

    NSF 22-517

    NSF 21-500

    National Science Foundation

    Directorate for Computer and Information Science and Engineering
         Division of Computer and Network Systems
         Division of Computing and Communication Foundations
         Division of Information and Intelligent Systems
         Office of Advanced Cyberinfrastructure

  • news

    HoTSoS 2022 Call for Papers! Deadline December 17th!


    The Hot Topics in the Science of Security (HoTSoS) Symposium is now soliciting submissions for the 2022 program. Following the success of the virtual HoTSoS Symposium in 2021, HoTSoS'22 will be a virtual event held the week of April 4th, 2022. In addition to research paper discussions and presentations, the symposium program will also include invited talks and panels.

    We are accepting submissions in the following three categories:

  • news

    Follow @SoS_VO_org on Twitter!


    The SoS-VO team is excited to announce that we recently updated the homepage of the website to link to the official Science of Security & Privacy Twitter account, where we will be making daily announcements about noteworthy news items, upcoming opportunities, and impending deadlines in the SoS community.

  • news

    Predictive Intelligence for Pandemic Prevention (PIPP) Webinars


    February 16, 2021 11:00 AM to
    February 17, 2021 6:45 PM
    Virtual Workshop

    Save the Date

    February 25, 2021 11:00 AM to
    February 26, 2021 6:00 PM
    Virtual Workshop

    Save the Date

  • news

    HoTSoS 2021: Works-in-Progress Co-Chairs

    Meet the HoTSoS 2021 Team:
    Works-in-Progress Co-Chairs

    Kurt Keville (MIT) and Aron Laszka (University of Houston) are our Works-in-Progress Co-Chairs for the 2021 Symposium. We are happy to have these two on the Program Committee Team!

    About the Chairs

  • news

    Call for Participation: Canberra Artificial Intelligence Summer School

    Call for Participation

    Canberra Artificial Intelligence Summer School

    Virtual, December 4-7th, 2020

    [If interested in staying up-to-date, please join this Discord channel!]

  • news

    Take my word for it: Privacy and COVID alert apps can coexist

    Since the COVID-19 pandemic began, technologists across the country have rushed to develop digital apps for contact tracing and exposure notifications. New York, New Jersey, Pennsylvania, and Delaware have all recently announced the launch of such apps, announcements which generated excitement. But the advent of these tools has also created questions. Chief among them: Do these apps protect privacy?

  • news

    Visible to the public now supports DOI!

    The latest release of the has added Zenodo support for generating archives and including DOI information for content types such as files, news items, web pages, and wiki pages!

  • news

    NIST Releases Draft Security Feature Recommendations for IoT Devices


    "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.

    August 01, 2019

  • news

    NSA-approved cybersecurity law and policy course now available online


    CyberScoop

    Shannon Vavra

    August 27th, 2019

    Anyone who is interested in cybersecurity law and policy can now take an online course that was partly shaped by the National Security Agency.

  • news

    Verification Tool Competition

    ARCH brings together researchers and practitioners to establish a curated set of benchmarks for verification, testing and reachability, and to evaluate them in a friendly competition. ARCH started in 2014 and has sustained a vibrant community since. Since 2017, ARCH has organized, as part of the workshop, the International Competition on Verifying Continuous and Hybrid Systems (ARCH-COMP), now in its 3rd iteration.

  • news

    Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and the University of California, Santa Barbara. This paper was originally accepted at the 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage:

  • news

    Secretary of Energy Rick Perry Announces $68.5 Million for Advanced Vehicle Technologies Research

    WASHINGTON, D.C. - Today, U.S. Secretary of Energy Rick Perry announced up to $68.5 million in available funding for early-stage research of advanced vehicle technologies that will enable more affordable mobility, strengthen domestic energy security, and enhance U.S. economic growth.

  • news

    2018 NSF CPS Program Solicitation

    The 2018 Cyber-Physical Systems Program Solicitation has been released. The submission window for proposals is April 27, 2018 - May 8, 2018. Please see the full solicitation for additional details and the summary of program requirements:

  • news

    NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its BAA (really a request for proposals) for its next generation of SoS Lablets. These include lablets on the 5 Hard Problem areas in Science of Security, on the Science of Privacy, and on Cyber-Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can aid in directing:

  • news

    U.S. Department of Transportation Launches Smart City Challenge to Create a City of the Future

    Smart City Challenge

  • news

    NEW 2016 NSF-USDA Solicitation: Innovations at the Nexus of Food, Energy, and Water Systems (INFEWS)

    Innovations at the Nexus of Food, Energy and Water Systems (INFEWS)

    Program Solicitation
    NSF 16-524

    National Science Foundation

  • news

    Sticky News Item

    This news item always appears at the top of the 'recent news' list because the 'pin to top of lists' box is checked under 'publishing options' below. News Items can also be set to show in the spotlight slideshow feature.

  • news

    "Cybersecurity Risks of Automotive OTA"

    Vehicle Original Equipment Manufacturers (OEMs) will contact vehicle owners remotely about Operating System (OS) updates that add new features and/or fix software bugs and vulnerabilities, similar to how smartphones do. All of this must be done securely, but over-the-air (OTA) technology is still relatively immature regarding safety-critical applications. The Advanced Driver Assistance Systems (ADAS), as well as the electronic dashboard, powertrain, and infotainment systems, are all controlled by software in modern vehicles. Through OTA updates, vehicles could operate more efficiently, benefit from improved Electric Vehicle (EV) battery performance, and stay current with technology for longer. These updates can be delivered directly from OEMs or via vehicle dealers. Honda recalled 608,000 vehicles in the US in 2020 to fix software bugs that were causing instruments to display incorrect speed information and other errors with rear-view camera video. Updates are broadly classified into two types: critical and non-critical. Critical updates have a direct impact on engine and powertrain performance and safety, while non-critical updates, for example, add new features to infotainment systems. However, OTA has some drawbacks. According to the National Highway Traffic Safety Administration (NHTSA), Tesla recalled more than 40,000 Model S and Model X vehicles built between 2017 and 2021 in October 2022 due to a software update issue. A different issue was caused by an OTA firmware release intended to update the calibration values of the electronic power assist steering system. After hitting a pothole or a bump, some vehicle owners experienced a loss of power steering ability, which required another OTA update to correct. Another challenge is that implementing security in any market is difficult, particularly in complex systems like automotive, where the use of third-party Intellectual Property (IP) is increasing. That IP can take the form of software or hardware, and if it is poorly designed or integrated, or is so complex that it can never be verified and debugged properly, it can open the door to cyberattacks. This article continues to discuss the cybersecurity risks of automotive OTA technology.

    Semiconductor Engineering reports "Cybersecurity Risks of Automotive OTA"

  • news

    "AI Tools Could Boost Social Media Users' Privacy"

    According to researchers at the University of Edinburgh, by fighting Artificial Intelligence (AI) with AI, digital assistants could help prevent users from unknowingly revealing their views on social, political, and religious issues. Their findings imply that automated assistants could provide users with real-time advice on how to modify their online behavior in order to mislead AI opinion-detection tools and keep their opinions private. The study is the first to show how Twitter users can hide their opinions from opinion-detecting algorithms that help authoritarian governments or fake news sources target them. Previous research has focused on steps that social media platform owners can take to improve privacy, though the team notes that such actions can be difficult to enforce. Data from over 4,000 Twitter users in the US was used by Edinburgh researchers and academics from New York University Abu Dhabi. The team used the data to examine how AI can predict people's opinions based on their online activities and profile. They also tested designs for an automated assistant to help Twitter users keep their views on potentially divisive topics private. Their findings suggest that a tool could assist users in hiding their views on their profiles by identifying key indicators of their opinions, such as accounts they follow and interact with. This article continues to discuss the team's study on how AI can help strengthen social media users' privacy.

    University of Edinburgh reports "AI Tools Could Boost Social Media Users' Privacy"

  • news

    "To Fill the Cybersecurity Skills Gap, the Sector Needs to Boost Diversity"

    The global cybersecurity skills gap and the lack of diversity in the cybersecurity workforce are the two main issues facing the cybersecurity sector. According to research, 3.4 million additional people are required to close the global cybersecurity workforce gap. A World Economic Forum survey found that 59 percent of businesses would struggle to respond to a cybersecurity incident because of the skills gap. According to data from 2022, the issue is getting worse as the workforce gap widened by 26.2 percent from 2021 to 2022. There is a noticeable lack of diversity in the cybersecurity industry. In Science, Technology, Engineering, and Math (STEM) fields, women are generally underrepresented, and in cybersecurity specifically, they account for only about 24 percent of the workforce. About 26 percent of cybersecurity professionals are minorities. According to Fortinet's research into the cybersecurity skills gap, it negatively affects businesses by raising the possibility of security breaches, which can result in financial and reputational losses. With nearly $600 billion, or one percent of the global GDP, lost to cybercrime each year, cybersecurity incidents are having a greater impact on the world economy than ever before. Research also reveals that the number of new ransomware variants discovered in the first half of 2022 increased by almost 100 percent compared to the prior six months. Many people might think they cannot work in cybersecurity because they lack the necessary experience or technical training, but there are opportunities in the cybersecurity industry for almost everyone, as people can acquire the technical skills they need to pursue careers in the field by completing training programs and earning certifications. This article continues to discuss the need for diversity in the cybersecurity workforce, what could be holding potential candidates back, and making cybersecurity training more accessible for everyone.

    World Economic Forum reports "To Fill the Cybersecurity Skills Gap, the Sector Needs to Boost Diversity"

  • news

    "Android Phone Makers' Encryption Keys Stolen and Used in Malware"

    Although Google develops its open-source Android mobile Operating System (OS), the Original Equipment Manufacturers (OEMs) that make Android smartphones, such as Samsung, play a significant role in customizing and securing the OS for their devices. However, a recent discovery made public by Google reveals that several digital certificates used by vendors to authenticate essential system applications were recently compromised and have already been used to certify malicious Android apps. Similar to nearly every other computer OS, Google's Android is built with a "privilege" model. As a result, the software running on an Android phone, from third-party apps to the OS itself, is limited as much as possible and only given system access based on its needs. This enables a photo editing app to access the camera roll while preventing a game from covertly collecting all of a user's passwords. Digital certificates signed with cryptographic keys enforce the entire structure. If the keys are stolen, attackers can give their own software access to resources it should not be allowed to have. According to Google, manufacturers of Android-based devices have implemented mitigations, rotating keys and automatically distributing updates to users' phones. Additionally, the company has implemented scanner detections to look for malware that tries to exploit the compromised certificates. Google says there is no proof that the malware was on the Google Play Store, indicating that it spread through third parties. Information about the threat was disclosed, and action was coordinated to address it, through a group known as the Android Partner Vulnerability Initiative. By abusing the compromised platform certificates, an attacker would be able to develop malware that has numerous permissions without having to trick users into granting them. Lukasz Siewierski, an Android reverse engineer, provided some malware samples from his Google report that exploited the stolen certificates. Samsung and LG are among the manufacturers whose certificates were compromised. This article continues to discuss the compromise of digital certificates used by vendors to validate critical system applications.

    Wired reports "Android Phone Makers' Encryption Keys Stolen and Used in Malware"

  • news

    "US Cyber Command, DARPA Initiate Rapid Cyber Capability Prototyping and Integration Pilot"

    A pilot program launched by the Defense Advanced Research Projects Agency (DARPA) and the US Cyber Command (CYBERCOM) aims to put new cyber capabilities in the hands of cyber operators more quickly. By developing a user-directed, incremental, and iterative pipeline for the creation, proving, adoption, and delivery of those capabilities into the software ecosystem of CYBERCOM, the Constellation pilot program will facilitate the flow of new cyber capabilities resulting from high-risk, high-reward cyber science and technology research. According to Mike Clark, Director of Cyber Acquisition and Technology at the CYBERCOM, innovation is at the heart of the command's strategy, which is why CYBERCOM and DARPA are collaborating more closely than ever to develop emerging tactical and strategic cyber capabilities and integrate them into operational warfighting platforms. Therefore, Constellation's success depends on speeding up the transfer of technology from DARPA research and development to CYBERCOM for operational use. In order to overcome the difficulties the Department of Defense (DOD) encounters when developing software systems, such as rapidly evolving technology, acceptance, and usability for both expert and non-expert providers, it is crucial to foster an agile-style pipeline from research to operations. In order to close the gap between science and technology, Constellation will provide a framework, develop mechanisms, and procure the necessary personnel, contracts, relationships, research, development, and operational warfighting capabilities. It will also provide feedback to the science and technology community on the changing nature of cyber threats and mission requirements. This article continues to discuss the goals of the new Constellation pilot program.

    HSToday reports "US Cyber Command, DARPA Initiate Rapid Cyber Capability Prototyping and Integration Pilot"

  • news

    "Florida State Tax Website Bug Exposed Filers' Data"

    A researcher discovered that a security flaw on the Florida Department of Revenue website exposed the bank account and Social Security numbers of at least hundreds of taxpayers. Kamran Mohsin said the security flaw, which has since been fixed, allowed him or anyone else who was logged in to the state's business tax registration website to access, modify, and delete the personal data of business owners whose information is on file with the state's tax authority, simply by changing the portion of the website address that contains the taxpayer's application number. According to Mohsin, application numbers are sequential, making it possible for anyone to compile data on taxpayers by simply increasing the application number by one. There were over 713,000 applications in the system. A server vulnerability called Insecure Direct Object Reference (IDOR) exposes files or data stored on the server because there are insufficient or no access controls in place. It is similar to having a key that opens not only one mailbox but every other mailbox in a neighborhood. In comparison to other bugs, IDOR vulnerabilities have the advantage of typically being quickly fixed at the server level. Mohsin provided screenshots of the website bug, showing examples of names, residential and commercial addresses, bank account and routing numbers, Social Security numbers, and other special tax identifiers used for submitting paperwork to the state and federal governments. Scammers and cybercriminals often target tax identifiers, such as Social Security numbers, to file false tax returns and steal tax refunds, costing taxpayers billions of dollars annually. On October 27, Mohsin contacted the Florida Department of Revenue, which gave him an email address to report the vulnerability. Soon after the flaw was reported, it was fixed. According to the Florida Department of Revenue, the vulnerability was fixed four days after Mohsin reported it, and two unnamed security firms have verified the website's security. This article continues to discuss the exposure of taxpayers' data by the Florida Department of Revenue website.

    TechCrunch reports "Florida State Tax Website Bug Exposed Filers' Data"

  • news

    "Vanuatu Struggles Back Online After Cyberattack"

    Vanuatu's government recently stated that it was slowly getting its communications back online following a cyberattack that knocked out emergency services, emails, and phone lines for weeks. Chief information officer Gerard Metsan stated that 70 percent of the government network had now been restored, including crucial emergency lines for ambulance, police, and fire services. He did not give details of which services remained affected but said all government departments were back online after some hardware was replaced. Government servers and websites on the Pacific island nation had been out since November 6, when suspicious activity was first detected. The cyberattack knocked out online services, email, and network-sharing systems, in many cases forcing officials to use other platforms to communicate. Vanuatu's newly elected Prime Minister Ishmael Kalsakau stated that experts from Australia were called in to help and that it remained unclear who was behind the cyberattack. Kalsakau noted that data analysis of the hackers showed "persistent traffic" from Europe, Asia, and the United States, "but these indications could be misleading." The prime minister could not say whether the attack was state-sponsored, adding it was also too early to determine the full extent of the damage. The experts from Australia believe that the cyberattack came through a non-secure government website managed by third parties and workstations with known security weaknesses. Police are currently investigating whether locals helped the hackers. The small South Pacific nation of 315,000 had limited ability to deal with the problem, and Kalsakau said safeguards were being installed in the network to reduce the risk of another cyberattack.

    SecurityWeek reports: "Vanuatu Struggles Back Online After Cyberattack"

  • news

    "Three Innocuous Linux Vulnerabilities Chained to Obtain Full Root Privileges"

    Qualys' Threat Research Unit recently showed how a new Linux vulnerability could be chained with two other apparently harmless flaws to gain full root privileges on an affected system. The researchers stated that the new vulnerability, tracked as CVE-2022-3328, is a race condition in Snapd, a Canonical-developed tool used for the Snap software packaging and deployment system. Specifically, the flaw impacts the "snap-confine" program used by Snapd to construct the execution environment for Snap applications. The researchers noted that the affected program is present by default in Ubuntu, whose developers described CVE-2022-3328 as a high-severity flaw that can be exploited for local privilege escalation and arbitrary code execution. Qualys researchers have shown how CVE-2022-3328 could be combined with other innocuous vulnerabilities for a high-impact attack. The researchers chained CVE-2022-3328 (an issue introduced in February 2022 by the patch for a flaw tracked as CVE-2021-44731) with two recently discovered issues affecting Multipathd. The researchers noted that Multipathd is a daemon in charge of checking for failed paths, and that it runs as root in the default installation of Ubuntu and other distributions. The researchers stated that Multipathd is affected by an authorization bypass issue that can be exploited by an unprivileged user to issue privileged commands to Multipathd (CVE-2022-41974) and by a symlink attack (CVE-2022-41973) that can be used to force the execution of malicious code. The researchers noted that chaining the Snapd vulnerability with the two Multipathd flaws can allow any unprivileged user to gain root privileges on a vulnerable device. The researchers have verified the vulnerability, developed an exploit, and obtained full root privileges on default installations of Ubuntu. The vulnerability is not exploitable remotely, but the researchers warn that it is dangerous because it can be exploited by an unprivileged user.

    SecurityWeek reports: "Three Innocuous Linux Vulnerabilities Chained to Obtain Full Root Privileges"

  • news

    "'CryWiper' Trojan Disguises as Ransomware"

    Researchers have discovered a new wiper Trojan disguised as a ransomware payload in the wild. CryWiper, named after the distinctive '.cry' extension it appends to files, appears to be a new ransomware strain at first glance. The victims' devices appear to be encrypted, and a ransom note is left demanding money be sent to a bitcoin wallet address, but the files are corrupted beyond repair. Evidence shows that the malware is a wiper that corrupts all but the most critical system files, overwriting each with data generated by a pseudo-random number generator. When CryWiper is installed on a victim's system, it sends the name of the victim's device to a command-and-control (C2) server and waits for an activation command to launch an attack. It uses a methodology similar to ransomware, with functions such as deleting volume shadow copies to prevent file restoration and scheduling itself in Windows Task Scheduler to restart every five minutes. CryWiper also disables MS SQL, MySQL, MS Active Directory, and MS Exchange services, allowing files associated with them to be corrupted. A wiper is made to destroy systems or otherwise cause havoc on a victim's device. Wipers are a component of the malware arsenal that has served as the foundation of the growing threat against critical national infrastructure, and they have been widely used by Russia in its cyberwar against Ukraine. The ransom text file contains an email address that has been in use since 2017, associating it with a number of previous ransomware families. No group has yet been definitively linked to the malware. This article continues to discuss the CryWiper Trojan that has been disguised as ransomware.

    ITPro reports "'CryWiper' Trojan Disguises as Ransomware"

  • news

    "Cyber Extortion Dominates the Threat Landscape"

    Cyber extortion affects businesses of all sizes worldwide, with 82 percent of cases observed being small businesses, up from 78 percent last year. According to Orange Cyberdefense's latest Security Navigator report, there was a noticeable slowdown in cybercrime at the start of the Ukraine war, but the intensity quickly increased again. For example, the number of cyber extortion victims in East Asia and South East Asia has increased by 30 percent and 33 percent, respectively, in the last six months. Furthermore, from 2021 to 2022, victim volumes increased by 18 percent in the EU, 21 percent in the UK, and 138 percent in the Nordic countries. However, volumes fell by 8 percent in North America and 32 percent in Canada. Small businesses are targeted four and a half times more than medium and large businesses combined, while the public sector accounts for the fifth highest proportion of incidents in Orange's CyberSOCs. The manufacturing sector remains the most vulnerable to cyber extortion, despite ranking fifth among industries most willing to pay ransoms, according to the research. Criminals in this sector are compromising conventional Information Technology (IT) systems rather than the more specialized Operational Technology (OT). In 2021, 547 Android vulnerabilities and 357 iOS vulnerabilities were reported. In comparison, only 24 percent of iOS vulnerabilities have a low attack complexity. Due to the ecosystem's uniformity, the findings show that a higher number of iPhone users are vulnerable when a security issue is first disclosed. Users migrate to a new version quickly, with 70 percent updating within 51 days of the patch's release. Since the Android ecosystem is more fractured, devices are often left open to more old exploits, while fewer may be vulnerable to new exploits. This article continues to discuss key findings from Orange Cyberdefense's latest Security Navigator report.

    BetaNews reports "Cyber Extortion Dominates the Threat Landscape"

  • news

    "Google: After Using Rust, We Slashed Android Memory Safety Vulnerabilities"

    Google appears to be reaping the benefits of its decision to use Rust for new code in Android in order to reduce memory-related flaws. Memory safety flaws in Android have been reduced by more than half, a significant achievement coinciding with Google's transition from C and C++ to the memory-safe programming language Rust. This is the first year that memory safety flaws have not been the most common type of security flaw, and it comes a year after Google made Rust the default language for new code in the Android Open Source Project (AOSP). Other memory-safe languages used by Google for Android include Java and the Java-compatible Kotlin. Although C and C++ remain dominant languages in AOSP, Android 13 is the first version in which most of the new code is written in memory-safe languages. Rust now accounts for approximately 21 percent of new code after Google adopted it for AOSP in April 2021. This year, the Linux kernel project designated Rust as the official second language to C. Android 10 from 2019 had 223 memory safety bugs, while Android 13 has 85 known memory safety issues. Memory safety vulnerabilities have dropped from 76 percent to 35 percent of Android's total vulnerabilities during that time, according to Android security software engineer Jeffrey Vander Stoep. Google is seeing a decrease in critical and remotely exploitable flaws as memory safety vulnerabilities decline. The Android team intends to increase its use of Rust, but there are no plans to abandon C and C++ for system programming. Vander Stoep does point out that correlation does not imply causation, but the percentage of memory safety security bugs, which dominate high severity bugs, closely matches the languages used for new code. According to Google, security tools such as fuzzing have also had a significant impact on memory safety bugs. This article continues to discuss the reduction of memory-related flaws after Google decided to use Rust for new code in Android.

    ZDNet reports "Google: After Using Rust, We Slashed Android Memory Safety Vulnerabilities"

  • news

    Visible to the public "Russian Hackers Steal 50 Million Passwords From 111 Countries Using Infostealer Malware"

    Group-IB found almost three dozen groups of Russian hackers using the stealer-as-a-service model to spread infostealer malware. An infostealer is a type of malware that collects browser credentials, payment card numbers, and cryptocurrency wallet credentials and sends them to threat actor-controlled servers. According to the researchers, the threat groups have infected 890,000 user devices with infostealers, stealing 50 million passwords in the first seven months of 2022, which is an increase of 80 percent over the previous period. Furthermore, threat actors stole 2,117,626,523 cookie files, 113,204 cryptocurrency wallets, and 103,150 credit cards. The digital risk protection team at Group-IB discovered that 34 groups of Russian hackers used Raccoon and Redline infostealer malware to steal passwords from Steam, Roblox, Amazon, PayPal, cryptocurrency wallets, and credit card information. PayPal and Amazon are the most targeted, accounting for 16 percent and 13 percent of all stolen data, respectively. The report discovered that Russian hackers coordinated their hacking activities through Russian-speaking Telegram groups with an average of 200 active members, most of whom were previously involved in Classiscam. Although they communicate in Russian, they target victims in 111 countries, mainly the US, Brazil, India, Germany, and Indonesia. Redline was ranked as the most popular malware by Group-IB researchers, with the variant being used by 23 of 34 groups. Raccoon infostealer malware came in second place, with only eight groups using it, while custom infostealers have only three groups dedicated to them. Group administrators provide their employees with both Redline and Raccoon infostealers and claim a cut of the stolen data or profits. Some groups employ up to three infostealer malware variants, while others employ only one. Cybercriminals can rent malware from the dark web for as little as $150-200 per month. This article continues to discuss Group-IB's findings regarding groups of Russian hackers spreading infostealer malware.

    CPO Magazine reports "Russian Hackers Steal 50 Million Passwords From 111 Countries Using Infostealer Malware"

  • news

    Visible to the public "New DuckLogs Malware Service Claims Having Thousands of 'Customers'"

    A new Malware-as-a-Service (MaaS) operation called 'DuckLogs' is providing low-skilled attackers with easy access to multiple modules for data theft, keystroke logging, clipboard data access, and remote access to the compromised host. DuckLogs is completely web-based and claims that thousands of cybercriminals have paid a subscription to generate and launch over 4,000 malware builds. Some customers appear to receive additional services from the operators, such as assistance in distributing the payload, a tool for dropping files, and an extension changer. According to the web panel, over 2,000 cybercriminals are using the malicious platform, and the current victim count exceeds 6,000. DuckLogs primarily consists of an information stealer and a Remote Access Trojan (RAT), but it also includes over 100 individual modules that target specific applications. The RAT component includes functions for retrieving and running files from the command-and-control (C2) server, displaying a crash screen, shutting down, restarting, logging out, or locking the device, and opening URLs in the browser. Other DuckLogs modules include keystroke logging to steal sensitive information, a clipper, and a screenshot tool. The malware also supports Telegram notifications, encrypted logs and communication, code obfuscation, process hollowing to launch payloads in memory, a persistence mechanism, and a Windows User Account Control bypass, according to Cyble researchers. The web-based panel is currently available on four clearnet domains and appears to provide powerful payload-building features, including the ability to add modules and functions to the final malware build. This article continues to discuss findings surrounding the new DuckLogs MaaS.

    Bleeping Computer reports "New DuckLogs Malware Service Claims Having Thousands of 'Customers'"

  • news

    Visible to the public "Hackers Exploiting Redis Vulnerability to Deploy New Redigo Malware on Servers"

    A previously unknown Go-based malware is targeting Redis servers with the intent of taking control of infected systems and likely establishing a botnet network. According to cloud security firm Aqua, the attacks involve exploiting a critical security vulnerability in the open-source, in-memory, key-value store Redis, which was disclosed earlier this year. The vulnerability, tracked as CVE-2022-0543 and assigned a CVSS score of 10.0, is related to a case of sandbox escape in the Lua scripting engine that could be exploited to gain Remote Code Execution (RCE). This is not the first time the flaw has been actively exploited. In March 2022, Juniper Threat Labs discovered attacks carried out by the Muhstik botnet to execute arbitrary commands. The Redigo infection chain is similar in that the adversaries search for exposed Redis servers on port 6379 to gain initial access before downloading a shared library called "exp" from a remote server. This library file comes with an exploit for CVE-2022-0543 to execute a command in order to retrieve Redigo from the same server, in addition to taking steps to mask its activity by simulating legitimate Redis cluster communication over port 6379. According to Aqua researcher Nitzan Yaakov, the dropped malware mimics Redis server communication, allowing the adversaries to conceal communications between the targeted host and the command-and-control (C2) server. This article continues to discuss the exploitation of the Redis vulnerability to deploy Redigo malware on servers.

    THN reports "Hackers Exploiting Redis Vulnerability to Deploy New Redigo Malware on Servers"

  • news

    Visible to the public "Mitsubishi Electric PLCs Exposed to Attacks by Engineering Software Flaws"

    Security researchers at industrial cybersecurity firm Nozomi Networks have recently discovered three vulnerabilities in Mitsubishi Electric's GX Works3 engineering workstation software that could be exploited to hack safety systems. GX Works3 is the configuration and programming software provided by Mitsubishi Electric for its MELSEC iQ-F and iQ-R programmable logic controllers (PLCs). The three security holes discovered are tracked as CVE-2022-29831, CVE-2022-29832, and CVE-2022-29833 and could allow an attacker to obtain information from GX Works3 project files to compromise connected safety CPU modules. The researchers noted that the project files for these modules are encrypted, and a user-configured username and password are required to open them. However, the researchers discovered hardcoded passwords, cleartext storage, and insufficient credential protection issues that expose these credentials and other sensitive information. The researchers noted that a threat actor could obtain a project file from a misconfigured file server, from a shared computer, or by intercepting unprotected communications. Once they have the file, they can exploit the vulnerabilities to obtain information needed to hack industrial control systems (ICS). According to the researchers, an attacker could abuse the first two issues and obtain confidential information included in the project file about the project itself, as well as about the usernames of the accounts registered on the related safety CPU module. The researchers noted that if an asset owner has opted to re-use the same credentials for accessing the safety CPU module to also protect the related project file, a much more dangerous scenario would occur. In this situation, an attacker may chain all three issues and obtain a remarkably powerful attack primitive that would allow them to directly access the safety CPU module. This would give them the potential opportunity to compromise it and, therefore, disrupt the managed industrial process. Mitsubishi has yet to release patches and has only provided mitigations and workarounds. Nozomi has not made public any technical information in an effort to prevent potential exploitation by malicious actors.

    SecurityWeek reports: "Mitsubishi Electric PLCs Exposed to Attacks by Engineering Software Flaws"

  • news

    Visible to the public "Financial Organizations More Prone to Accidental Data Leakage"

    Netwrix has released additional findings from its global 2022 Cloud Security Report for the financial and banking sectors. Financial institutions are much more concerned about users who have legitimate access to their cloud infrastructure than other industries surveyed. In this sector, 44 percent believe their own IT staff is the greatest threat to cloud data security, while 47 percent are concerned about contractors and partners, compared to 30 percent and 36 percent in the other verticals polled. Phishing is the most common type of attack reported by all sectors. On the other hand, 91 percent of financial institutions say they can detect phishing within minutes or hours, compared to 82 percent of respondents in other verticals. Financial organizations are more likely than other industries to experience accidental data leakage, with 32 percent of them reporting this type of security incident in the last 12 months, compared to an average of 25 percent. This is a valid reason for them to be concerned about users who may inadvertently disclose sensitive information. To address this threat, organizations should adopt a zero-standing privilege approach in which elevated access rights are granted only when and for as long as they are required, according to Dirk Schrader, VP of security research at Netwrix. This article continues to discuss key findings from the 2022 Cloud Security Report.

    Help Net Security reports "Financial Organizations More Prone to Accidental Data Leakage"

  • news

    Visible to the public "Artifact Poisoning in GitHub Actions Imports Malware via Software Pipelines"

    When an attacker submits changes to an open-source repository on GitHub, downstream software projects that include the most recent version of a component may compile updates containing malicious code. According to Legit Security, a software supply chain security firm, this "artifact poisoning" vulnerability could affect software projects that use GitHub Actions, a service for automating development pipelines, by triggering the build process when a change in a software dependency is detected. Legit Security simulated an attack on the project that manages Rust, causing the project to recompile using a customized and malicious version of the popular GCC software library. According to Liav Caspi, chief technology officer of Legit Security, the problem likely affects a large number of open-source projects because maintainers typically run tests on contributed code before analyzing it themselves. He describes it as a common pattern nowadays: many open-source projects run a slew of tests to validate a change request because the maintainer does not want to have to review the code first, so the tests run automatically instead. The attack makes use of the automated build process provided by GitHub Actions. The vulnerable pattern in the Rust programming language's pipeline could have allowed an attacker to execute code in a privileged manner as part of the development pipeline, stealing repository secrets and potentially tampering with code. Any GitHub user can create a fork that generates an artifact, then inject it into the repository's build process and modify its output. This is another type of software supply chain attack, one in which an attacker modifies the build output. This article continues to discuss artifact poisoning in GitHub Actions.

    Dark Reading reports "Artifact Poisoning in GitHub Actions Imports Malware via Software Pipelines"

  • news

    Visible to the public "Cuba Ransomware Actors Pocket $60m"

    The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of the continued threat posed by the Cuba ransomware variant, which has made its affiliates and developers $60m as of August. CISA revealed in a new alert that the ransomware had compromised at least 100 entities worldwide, having doubled its victim count in the US since last December. CISA noted that the group and its affiliates mainly target financial services, government, healthcare, critical manufacturing, and IT companies. CISA stated that, disappointingly, ransoms are increasingly being paid. The group has demanded $145m to date in recorded attacks. CISA said that threat actors use one of several tried-and-tested techniques to gain initial access: phishing campaigns, vulnerability exploitation, compromised credentials, and remote desktop protocol (RDP) tools. Once inside, the ransomware itself is distributed via a loader known as "Hancitor." CISA noted, however, that since spring this year, the group has modified some of its tactics, techniques, and procedures (TTPs). CISA stated that it uses a dropper that writes a kernel driver to the file system called ApcHelper.sys, in order to terminate any security products running on victims' machines. It also exploits CVE-2022-24521 to steal system tokens and elevate privileges and CVE-2020-1472 to gain domain administrator privileges.

    Infosecurity reports: "Cuba Ransomware Actors Pocket $60m"

  • news

    Visible to the public "NATO Launches Massive Cyber-Defense Exercise"

    This week, NATO kicked off its Cyber Coalition 22 exercise to enhance cyber resilience among its members. NATO brought together 1,000 defenders from 26 member countries plus Finland and Sweden, Georgia, Ireland, Japan, Switzerland, and the EU, as well as participants from industry and academia. NATO stated that the five-day exercise is designed to pose real-life challenges to participants, such as cyberattacks on power grids and NATO assets, with a view to enhancing their ability to defend networks and collaborate in cyberspace. NATO noted that Cyber Coalition 22 provides a unique platform for collaboration, experimentation, sharing of experience, and developing best practices. NATO's Cyber Coalition is taking place in the Estonian capital of Tallinn, with participants also joining remotely from other locations.

    Infosecurity reports: "NATO Launches Massive Cyber-Defense Exercise"

  • news

    Visible to the public "Simple Hardware to Defend Microgrid Attacks"

    Small-scale renewable energy systems have the advantage of being able to be set up into networks that, when necessary, can run independently of the primary electric grid. KAUST researchers are now creating strategies to defend these networks, known as microgrids, from cyberattacks. Microgrids are prime targets for community-disrupting cyberattacks due to their relative isolation and simplicity. In their efforts to improve microgrid security, the team used Hardware Performance Counters (HPCs), which are special registers embedded in most computers that monitor events such as how many times a specific command has been executed. They used HPCs to detect code patterns indicating malicious code execution on their devices, specifically the embedded controllers of solar inverters, which convert the output of solar photovoltaic panels into usable power for consumers. For cost reasons, solar inverter controllers do not include HPCs. Therefore, the researchers developed custom HPCs that could monitor inverter commands without interfering with their primary function of converting solar energy to electricity. The team included time series classifiers, which are algorithms that correlate potentially malicious command combinations with the time sequence of HPC firing events, thus adding another layer of security. They were able to detect malware in inverter controllers with more than 97 percent accuracy using a classifier trained on a single custom-built HPC, achieving their original goal of a low-cost and low-complexity defense countermeasure. This article continues to discuss the method devised by KAUST researchers to protect microgrids using low-cost hardware-based malware detection mechanisms.

    KAUST Discovery reports "Simple Hardware to Defend Microgrid Attacks"

  • news

    Visible to the public "Electrical Engineering Doctoral Student Mohammadamin Moradi Uses Deep-Q Learning to Find and Combat Power Grid Cybersecurity Weaknesses"

    As power grids become more reliant on computer-based systems, they become more vulnerable to cyberattacks. Mohammadamin Moradi, an electrical engineering doctoral student at Arizona State University (ASU), used Artificial Intelligence (AI) to analyze the most damaging attacks against the power grid and best possible defenses with guidance from Ying-Cheng Lai, a Regents Professor of electrical engineering, and Yang Weng, an Assistant Professor of electrical engineering. The US Department of Energy (DOE) and the Israeli Ministry of Energy funded this research through the Israel-US Binational Industrial Research and Development (BIRD) Foundation to help both countries improve their cybersecurity defenses. The researchers used deep-Q Reinforcement Learning (RL), a type of Machine Learning (ML), in conjunction with stochastic game theory, to simulate which cyberattacks would cause the most damage to a power grid and the best countermeasures to keep the grid running as efficiently as possible in the face of such attacks. Deep-Q learning examines the outcomes of inputs in order to maximize the reward for an action. In traditional Q-learning, various user inputs are mapped to output values in a table known as the Q-table. However, creating a Q-table presents numerous challenges because it requires a significant amount of computation as the number of input values grows. When the number of inputs and outputs reaches a certain size, this can cause a computer to struggle and malfunction, prompting Moradi to study deep-Q learning. Moradi also chose deep-Q learning because it can be used in environments with unknown parameters, such as when the optimal attack and defense strategies are unknown before running the deep-Q learning simulation. Although deep-Q learning addresses the issue of required computing power, the algorithm model used by the system to learn must also be optimized to ensure the best results. This is where Moradi got the idea to turn the scenario into a stochastic game. This article continues to discuss the team's study on defending smart electrical power grids against cyberattacks with deep-Q RL.

    ASU reports "Electrical Engineering Doctoral Student Mohammadamin Moradi Uses Deep-Q Learning to Find and Combat Power Grid Cybersecurity Weaknesses"

  • news

    Visible to the public "Abuse of Privilege Enabled Long-Term DIB Organization Hack"

    The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) responded to an advanced cyberattack on a Defense Industrial Base (DIB) organization's network from November 2021 to January 2022. During that time, Advanced Persistent Threat (APT) adversaries breached the environment and further penetrated the organization's network using an open-source toolkit called Impacket. According to CISA, multiple APT groups may have hacked into the organization's network. These types of data breaches are almost always the result of compromised endpoints and privileged credentials. In this incident, user and admin privilege abuse was critical to the attack's success. The APT group's attack demonstrates the importance of monitoring and protecting privileged accounts for strong security. APT actors gained access to the organization's Microsoft Exchange Server as early as mid-January 2021 in the early stages of the attack. The initial access vector is still unknown. The threat actors collected information about the Exchange environment and searched mailboxes within four hours of the initial breach. Four days later, the APT actors used Windows Command Shell to explore the organization's environment and start collecting data. Exfiltrated data from shared drives included sensitive contract-related information. In another system, the APT actors implanted Impacket, a Python toolkit for building and manipulating network protocols programmatically. The actors were also able to move laterally within the network using this toolkit. They obtained and misused existing account credentials for initial access, persistence, privilege escalation, and defense evasion. Their demonstrated ability to maintain persistent, long-term access in compromised enterprise environments prompted CISA, the FBI, and the National Security Agency (NSA) to urge organizations to monitor logs for unusual Virtual Private Server (VPS) and Virtual Private Network (VPN) connections. Examining connection logs for access from unusual ranges is part of this. Organizations should also monitor for unusual account activity, such as the inappropriate or unauthorized use of administrator, service, or third-party accounts. This article continues to discuss the advanced cyberattack faced by a DIB organization's network.

    Security Intelligence reports "Abuse of Privilege Enabled Long-Term DIB Organization Hack"

  • news

    Visible to the public "Census Bureau Comes up Short Against 'Red Team' Attack"

    According to a new report by the Commerce Department Office of Inspector General (IG), a team of government-contracted red team hackers gained unauthorized and undetected control of critical Census Bureau systems in a simulated attack test, which revealed major cybersecurity flaws within the Federal agency. The cybersecurity experts, tasked with simulating a real-world hacking attempt on an organization's system, were able to breach the agency's systems via a domain administrator account and gain access to employees' Personally Identifiable Information (PII). The red team exercise was held between August 2021 and March 2022. The Census Bureau stated in its response to the IG report that it intends to release a detailed action plan to address the security vulnerabilities exposed by the attack. According to department guidelines, the agency has 60 days to submit the plan. The Census Bureau failed to restrict or disable access to an out-of-date account management control tool, allowing the security firm access to the agency's systems and allowing the red team to run commands as a user with elevated privileges. The red team was so successful in its simulated attack that it was able to send fake emails through insecure programs and execute additional malicious actions, resulting in the discovery of 11 security flaws. However, to protect sensitive information about the Census Bureau's Information Technology (IT) vulnerabilities, the IG redacted some details from its report. The evaluation's goal was to determine the effectiveness of the Bureau's cybersecurity posture in the face of a simulated real-world attack. Hackers successfully exploited a security flaw in the Bureau's virtual desktop infrastructure in January 2020, which prompted the IG's Office of Audit and Evaluation to form a cyber red team to conduct a simulated attack on the Census Bureau and assess the effectiveness of the Bureau's cybersecurity posture. According to the report, the Census Bureau failed to address its cyber vulnerabilities and still requires effective cybersecurity measures to prevent attacks capable of limiting its defensive options. This article continues to discuss the red team attack against the Census Bureau.

    MeriTalk reports "Census Bureau Comes up Short Against 'Red Team' Attack"

  • news

    Visible to the public "New CLI Tool Allows Java Devs to Add 'Fuzzing' to JUnit"

    Code Intelligence, a provider of automated testing tools, has released CI Fuzz CLI, an open-source Command-Line Interface (CLI) tool that allows Java developers to incorporate fuzz testing into their existing JUnit setups. JUnit is an open-source, Java-based unit-testing framework created by Parasoft used to write and run repeatable automated tests. It is regarded as one of the leading tools for regression testing, a type of software testing that examines whether recent changes to code have had an adverse effect on previously written code. According to the company, Java developers can now use the CI Fuzz CLI tool to find functional bugs and security vulnerabilities at scale. Fuzz testing, also known as fuzzing, is an automated software testing method that introduces invalid, incorrect, or unexpected inputs into a system in order to detect software defects and vulnerabilities. A fuzzing tool, such as CI Fuzz CLI, feeds these unexpected inputs into the system and then monitors for reactions indicating security, performance, or quality issues. It is considered a complementary approach to unit testing, which involves testing an application's smallest testable unit. The company states that CI Fuzz CLI was designed to address the current challenges associated with fuzz testing, such as a lack of understanding and implementation challenges, by making fuzz testing accessible to developers directly from their command line or Integrated Development Environment (IDE). CI Fuzz CLI uses genetic and evolutionary algorithms along with automated instrumentation to generate millions of unusual inputs in real time to test applications for unexpected behaviors that could result in crashes, Denial-of-Service (DoS) attacks, or zero-day exploits. The tool enables continuous application security testing directly in the Continuous Integration (CI) and Continuous Delivery (CD) process by providing new fuzzing capabilities for Java. Code Intelligence says this is especially useful for companies with cloud-based products and services wanting to develop a mature DevSecOps pipeline. This article continues to discuss the new CI Fuzz CLI tool.

    ADT MAG reports "New CLI Tool Allows Java Devs to Add 'Fuzzing' to JUnit"

  • news

    Visible to the public "Delta Electronics Patches Serious Flaws in Industrial Networking Devices"

    Taiwan-based Delta Electronics has recently patched potentially serious vulnerabilities in two of its industrial networking products. Security researchers at CyberDanube discovered the flaws in Delta's DX-2100-L1-CN 3G cloud router and the DVW-W02W2-E2 industrial wireless access point. The researchers conducted their analysis on so-called digital twins, which involve virtualization techniques, rather than by looking at the actual devices. The researchers stated that in the 3G router, they discovered an authenticated command injection issue and a stored cross-site scripting (XSS) flaw. The researchers noted that the command injection vulnerability can allow an attacker with credentials for the web service to execute system commands on the OS with root privileges. The researchers stated that while exploitation of the security hole requires authentication, the XSS vulnerability could be leveraged by an attacker to bypass the authentication requirement. In the case of the Delta access point, the researchers discovered an authenticated command injection vulnerability. The researchers stated that this vulnerability allows an attacker to gain full access to the underlying operating system of the device, with all the implications that entails. The researchers noted that if such a device is acting as a key device in an industrial network or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker. The researchers noted that in the case of this vulnerability, an attacker could obtain the credentials required for exploitation by doing ARP spoofing on the network or through brute-force attacks, noting that the difficulty of obtaining the credentials generally depends on the strength of the password. The vulnerabilities in both products are rated "high impact" by CyberDanube and were reported to the vendor in August. Firmware patches were released in November. The cybersecurity firm has released advisories with technical details for both products (DX-2100-L1-CN and DVW-W02W2-E2).

    SecurityWeek reports: "Delta Electronics Patches Serious Flaws in Industrial Networking Devices"