News Items

  • news

    Visible to the public NSF 20-052 - Dear Colleague Letter on the Coronavirus Disease 2019 (COVID-19)

    Dear Colleague,

    In light of the emergence and spread of the coronavirus disease 2019 (COVID-19) in the United States and abroad, the National Science Foundation (NSF) is accepting proposals to conduct non-medical, non-clinical-care research that can be used immediately to explore how to model and understand the spread of COVID-19, to inform and educate about the science of virus transmission and prevention, and to encourage the development of processes and actions to address this global challenge.

  • news

    Visible to the public Call to Action to the Tech Community on New Machine Readable COVID-19 Dataset

    Office of Science and Technology Policy

    March 16, 2020

    Today, researchers and leaders from the Allen Institute for AI, Chan Zuckerberg Initiative (CZI), Georgetown University's Center for Security and Emerging Technology (CSET), Microsoft, and the National Library of Medicine (NLM) at the National Institutes of Health released the COVID-19 Open Research Dataset (CORD-19) of scholarly literature about COVID-19, SARS-CoV-2, and the coronavirus group.

  • news

    Visible to the public NIST Releases Draft Security Feature Recommendations for IoT Devices

    NIST Releases Draft Security Feature Recommendations for IoT Devices

    "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.

    August 01, 2019

  • news

    Visible to the public NSA-approved cybersecurity law and policy course now available online

    NSA-approved cybersecurity law and policy course now available online

    Cyber Scoop

    Shannon Vavra

    August 27th, 2019

    Anyone who is interested in cybersecurity law and policy can now take an online course that was partly shaped by National Security Agency.

  • news

    Visible to the public Verification Tool Competition

    ARCH brings together researchers and practitioners to establish a curated set of benchmarks for verification, testing and reachability, and evaluate them in a friendly competition. ARCH started in 2014 and has sustained a vibrant community since. Since 2017, ARCH has organized as a part of the workshop the International Competition on Verifying Continuous and Hybrid Systems (ARCH-COMP,, now in its 3rd iteration.

  • news

    Visible to the public Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and University of California, Santa Barbara. This paper was originally accepted at 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage:

  • news

    Visible to the public Secretary of Energy Rick Perry Announces $68.5 Million for Advanced Vehicle Technologies Research

    WASHINGTON, D.C. - Today, U.S. Secretary of Energy Rick Perry announced up to $68.5 million in available funding for early-stage research of advanced vehicle technologies that will enable more affordable mobility, strengthen domestic energy security, and enhance U.S. economic growth.

  • news

    Visible to the public 2018 NSF CPS Program Solicitation

    The 2018 Cyber-Physical Systems Program Solicitation has been released. The submission window for proposals is April 27, 2018 - May 8, 2018. Please see the full solicitation for additional details and the summary of program requirements:

  • news

    Visible to the public NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its BAA (really a request for proposals) for its next generation of SoS Lablets. These lablets include lablets on the 5 Hard Problem areas in Science of Security, on the Science of Privacy and dealing with Cyber Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can aid in directing:

  • news

    Visible to the public U.S. Department of Transportation Launches Smart City Challenge to Create a City of the Future

    Smart City Challenge

  • news

    Visible to the public NEW 2016 NSF-USDA Solicitation: Innovations at the Nexus of Food, Energy, and Water Systems (INFEWS)

    Innovations at the Nexus of Food, Energy and Water Systems (INFEWS)

    Program Solicitation
    NSF 16-524

    National Science Foundation

  • news

    Visible to the public Sticky News Item

    This news item always appears at the top of the 'recent news' list because the 'pin to top of lists' box is checked under 'publishing options' below. News Items can also be set to show in the spotlight slideshow feature.

  • news

    Visible to the public Sticky News Item

    This news item always appears at the top of the 'recent news' list because the 'pin to top of lists' box is checked under 'publishing options' below. News Items can also be set to show in the spotlight slideshow feature.

  • news

    Visible to the public "How Hackers Could Spy on Satellite Internet Traffic With Just $300 of Home TV Equipment"

    A researcher at Oxford University demonstrated the potential exploitation of vulnerabilities in satellite broadband communications to intercept unencrypted web traffic through the use of an inexpensive satellite dish and a digital broadcasting satellite tuner. Attackers could abuse the vulnerabilities to spy on sensitive communications covertly from an extremely far distance. The researcher was able to intercept real traffic from ships, law firms, and Internet of Things (IoT) providers from a fixed point in the UK. This article continues to discuss the technique demonstrated to gain access to sensitive information via traffic transmitted by satellites.

    "How Hackers Could Spy on Satellite Internet Traffic With Just $300 of Home TV Equipment"

  • news

    Visible to the public "Malware Attacks Exploiting Machine Identities Double"

    New research by threat analysts at Venafi reveals that the number of commodity malware campaigns exploiting machine identities doubled between 2018 and 2019. Applications and devices use machine identities that are made from cryptographic keys and digital certificates. These identities support application and device authentication for secure communication. According to researchers, attackers' utilization of machine identities has grown eightfold in the last ten years. The number of attacks increased at a significant rate within the last five years. One researcher emphasized the shift in the exploitation of machine identities for large-scale cybercriminal operations to the misuse of these identities in off-the-shelf-malware. This article continues to discuss the use and the increased exploitation of machine identities in malware attacks and how organizations can defend themselves against such attacks.

    Infosecurity Magazine reports "Malware Attacks Exploiting Machine Identities Double"

  • news

    Visible to the public "Consumers Don't Fully Trust Smart Home Technologies"

    Although smart home technologies are marketed to increase the convenience of our daily lives, many consumers still do not trust the privacy and security of these technologies. Researchers from WMG and Computer Science, University of Warwick, conducted a survey to which 2,101 UK consumers responded. The survey asked respondents questions regarding their awareness of the Internet of Things (IoT), their current ownership of smart home devices, experiences with using these devices, as well as their trust in the reliability, competence, privacy, and security of smart home devices. The survey findings suggest that consumers do have anxiety about the possibility of a security incident resulting from the use of smart home technology. Overall, respondents were unconvinced that their privacy and security would not be at risk when using such technology. Other survey results highlighted trends in smart home technology adoption based on gender, age, and education level. This article continues to discuss findings from the study of trust in smart home technologies' security and privacy.

    Science Daily reports "Consumers Don't Fully Trust Smart Home Technologies"

  • news

    Visible to the public "Researchers Found Another Way to Hack Android Cellphones via Bluetooth"

    Security researchers at DBAPPSecurity have discovered an authentication bypass vulnerability, dubbed "BlueRepli." An adversary can bypass authentication by imitating a device that has previously been connected with a target. Victims do not need to give permission to a device for the exploit to work. The exploit makes it so that the victim has no awareness at all when attackers access their phone book or SMS messages. If the vulnerability is exploited, attackers can steal users' contacts, call logs, and short messages. The vulnerability also allows adversaries to send fake text messages from victim devices if they exploit any device made by one particular Android manufacturer.

    CyberScoop reports: "Researchers Found Another Way to Hack Android Cellphones via Bluetooth"

  • news

    Visible to the public "TeamViewer Flaw Could be Exploited to Crack Users’ Password"

    Security researchers have discovered a high-risk vulnerability (CVE-2020-13699) in TeamViewer for Windows. If the vulnerability is exploited, remote attackers could crack the users' password, which could lead to further system exploitation. CVE-2020-13699 is a security weakness arising from an unquoted search path or element. More specifically, the vulnerability is due to the application not properly quoting its custom URI handlers. According to the company, the vulnerability affects TeamViewer versions 8 through 15 (up to 15.8.2) for the Windows platform. The company is advising users to upgrade to version 15.8.3 to close the hole.

    Help Net Security reports: "TeamViewer Flaw Could be Exploited to Crack Users' Password"

  • news

    Visible to the public "New EtherOops Attack Takes Advantage of Faulty Ethernet Cables"

    A team of researchers from the Internet of Things (IoT) security company Armis discovered a technique, dubbed EtherOops, that could be used to attack devices placed inside closed enterprise networks. According to the researchers, the method can only be executed if the targeted network has faulty Ethernet cables. The EtherOops technique is a theoretical attack discovered in a laboratory setting and is not a widespread issue facing networks globally in their default states. However, researchers warn that the technique could be used under a particular set of circumstances by sophisticated attackers such as nation-state actors. The EtherOops attack is considered a packet-in-packet attack in which network packets are nested inside each other, with the outer packet being benign and the inner packet consisting of malicious code or commands. The outer packet enables the attack payload to circumvent firewalls and other initial network defenses. This article continues to discuss how faulty Ethernet cables come to play in the EtherOops attack and the attack's chances of success.

    ZDNet reports "New EtherOops Attack Takes Advantage of Faulty Ethernet Cables"

  • news

    Visible to the public "Misconfigured Servers Contributed to More Than 200 Cloud Breaches"

    A new report from Accurics, titled "The State of DevSecOps," reveals that the misconfiguration of storage services in over 90 percent of cloud deployments have led to more than 200 breaches in the past two years. These breaches have exposed more than 30 billion records. The velocity and scale of cloud breaches are predicted to continue increasing as public cloud adoption grows. According to the report, about 91 percent of the evaluated cloud deployments had at least one significant data breach, and 50 percent of the deployments had unprotected credentials stored in container configuration files. This article continues to discuss key findings from Accurics' report on the impact of cloud misconfiguration on organizations' security.

    SC Media reports "Misconfigured Servers Contributed to More Than 200 Cloud Breaches"

  • news

    Visible to the public "Your Mobile Location Data Could Pose Security Threats: NSA"

    The U.S. National Security Agency (NSA) released a report on how location data tracked via mobile phones and other connected devices such as fitness trackers, smartwatches, and built-in vehicle communication devices could threaten security. While the guidance provided by the report is intended primarily for the Department of Defense (DoD) and federal agency personnel, it could also be helpful to a wide range of users. The NSA stressed the importance of protecting device geolocation information from adversaries as this type of information could reveal user movements, unknown connections between users and locations, and how many users are in a location. Security measures recommended to mitigate location data risks include disabling location services settings on the device, minimizing the amount of data with location information stored in the cloud, disabling Bluetooth and turning off Wi-Fi if these capabilities are not in use, and more. This article discusses the vulnerability of mobile devices and other connected devices to location tracking risks, and the NSA's suggested strategies for mitigating these risks.

    CISO MAG reports "Your Mobile Location Data Could Pose Security Threats: NSA"

  • news

    Visible to the public "Researchers Uncover Vulnerabilities in Devices Used at Industrial Facilities"

    After 2015 when Russian hackers were able to hack three Ukrainian power companies, some security experts took it on themselves to show how protocol gateways could be exploited at other utilities. New research has been conducted by researchers at Trend Micro, where they tested five protocol gateways, which are small boxes that translate communications between different devices at industrial facilities, including those that monitor temperatures and interact with machinery. They found multiple vulnerabilities, the most critical of which, if exploited, could allow an adversary to disable sensors for monitoring a facility's temperature and performance. Other issues found by the researchers include a weak encryption implementation and a bug that could allow an attacker to send malicious packets to the gateways, forcing them to reboot.

    CyberScoop reports: "Researchers Uncover Vulnerabilities in Devices Used at Industrial Facilities"

  • news

    Visible to the public "4 in 10 Organizations Punish Staff For Cybersecurity Errors"

    To examine the prevalence of punishment in businesses and the impact of this on staff, a team of researchers led by Dr. John Blythe, Head of Behavioral Science at CybSafe, conducted a survey of cybersecurity awareness professionals as well as an experimental lab study, designed to mimic real-world outcomes when employees click simulated phishing emails. The researchers found that 42% of the organizations surveyed take disciplinary action against staff who make cybersecurity errors. In UK businesses, punishments range in severity and are often directed at those who "fail" phishing simulations: 15% of organizations name and shame employees, 33% of organizations decrease access privileges, 63% inform employees' line managers, and 17% lock employee's computers until appropriate training has been completed.

    Help Net Security reports: "4 in 10 Organizations Punish Staff For Cybersecurity Errors"

  • news

    Visible to the public "Interpol Warns of 'Alarming' Cybercrime Rate During Pandemic"

    The international criminal police organization Interpol has warned of the significant rise in cybercrime during the coronavirus pandemic. An assessment conducted by the organization has revealed that cybercriminals have shifted their focus from individuals and small businesses to major corporations, governments, and critical infrastructure. According to Interpol's Secretary-General Juergen Stock, the fear stemming from the unpredictable social and economic situation created by the pandemic has led to an increased rate at which cybercriminals are developing and enhancing their attacks. The increased dependence on the internet has also created new opportunities for cybercriminals to execute attacks. This article continues to discuss the growth in cybercrime during the COVID-19 pandemic.

    Security Week reports "Interpol Warns of 'Alarming' Cybercrime Rate During Pandemic"

  • news

    Visible to the public "Research Reveals Dangerous Design Flaws and Vulnerabilities in Legacy Programming Languages"

    Trend Micro shared new research conducted in collaboration with Politecnico di Milano that brings further attention to the design flaws in legacy languages and introduces new secure coding guidelines. The study provides details about how design flaws in legacy programming languages such as RAPID, KRL, AS, PDL2, and PacScript could lead to the development of vulnerable automation programs. These vulnerabilities could allow attackers to take over industrial robots and automation machines to interfere with operations and steal intellectual property. Researchers also demonstrated the creation of a new type of self-propagating malware using one of the legacy programming languages. This article continues to discuss new research on the potential exploitation and impact of design flaws in legacy languages, the importance of upfront secure development in the industrial automation world, network-security best practices for that Industry 4.0 developers, and a new tool developed to detect malicious code in task programs.

    PRN reports "Research Reveals Dangerous Design Flaws and Vulnerabilities in Legacy Programming Languages"

  • news

    Visible to the public "New Method to Defend Against Smart Home Device (IoT) Attacks Developed by BGU Researchers"

    A team of researchers from Ben-Gurion University of the Negev (BGU) and the National University of Singapore (NUS) developed a new method that Telecommunications Service Providers (TSPs) and Internet Service Providers (ISPs) can use to detect vulnerable smart home devices before they are used in cyberattacks. A study published in Computers & Security emphasizes the growing risk of distributed denial-of-service (DDoS) attacks via botnets composed of compromised Internet of Things (IoT) devices. As customers often lack awareness and knowledge about the protection of vulnerable smart home devices from attacks, the responsibility of attack prevention and handling falls on TSPs and ISPs. The method developed by the researchers enables TSPs and ISPs to monitor traffic from each smart home device in order to verify whether vulnerable devices are connected to the home network and take preventive actions. This article continues to discuss the growing risk of IoT-based DDoS attacks, the difficulty in detecting IoT devices from outside the home network, and the new method developed to defend smart home devices against attacks.

    BGU reports "New Method to Defend Against Smart Home Device (IoT) Attacks Developed by BGU Researchers"

  • news

    Visible to the public "FBI Warns on New E-Commerce Fraud"

    The FBI is warning the public of a new wave of fraudulent shopping websites, often advertised on social media platforms. The fraudulent shopping websites take orders for a wide range of products and then never deliver. The fraudulent sites tend to offer prices considerably lower than comparable legitimate sites, require payment by online money transfer, and display content and layout copied from other, more traditional e-commerce sites. The public should be careful of websites using the Internet top-level-domains ".club" and ".top". The public should also be cautious of web addresses that have been registered within the last six months.

    Dark Reading reports: "FBI Warns on New E-Commerce Fraud"

  • news

    Visible to the public ARCH 2020 Best Result Award

    The ARCH 2020 Best Result Award goes to Luis Benet, Marcelo Forets, Daniel Freire, David P. Sanders, and Christian Schilling (in alphabetical order) for their verification tool JuliaReach. The award comes with a 500 Euro prize. Congratulations!

  • news

    Visible to the public "Meetup Critical Flaws Allow 'Group' Takeover, Payment Theft"

    Researchers at Checkmarx have disclosed several critical flaws in the popular online social service, Meetup, which have now been fixed. Meetup is a platform used to find events and build groups based on similar interests. The exploitation of the flaws discovered in the platform could have allowed attackers to take over any Meetup group, access members' details, and redirect Meetup payments to a PayPal account belonging to an attacker. One of the security flaws was a Cross-Site Scripting (XSS) vulnerability contained by Meetup's discussion feature. Another problem the researchers found was a Cross-Site Request Forgery (CSRF) glitch on the Payments Received API endpoint of Meetup. This article continues to discuss the security issues found in the Meetup platform.

    Threatpost reports "Meetup Critical Flaws Allow 'Group' Takeover, Payment Theft"

  • news

    Visible to the public "'Hidden Property Abusing' Allows Attacks on Node.js Applications"

    A team of researchers from the Georgia Institute of Technology discovered a new method for exploiting Node.js applications. The technique involves the abuse of hidden properties used to track internal program states. A remote attacker can use the technique, called Hidden Property Abusing, to inject new values into Node.js programs by passing objects that the framework, under certain conditions, will consider as internal data. The researchers analyzed a sample of 60 major Node.js components, using a tool they developed dubbed Lynx. The tool helped them identify 13 vulnerabilities, including SQL injection and the ability to circumvent input validation. This article continues to discuss the Hidden Property Abusing attack technique that could be used against Node.js applications, the discovery of vulnerabilities in Node.js components, and the Lynx tool created to help developers identify potential attack vectors in their Node.js programs.

    Dark Reading reports "'Hidden Property Abusing' Allows Attacks on Node.js Applications"

  • news

    Visible to the public  "NetWalker Ransomware Gang Has Made $25 Million Since March 2020"

    Researchers at McAfee have discovered that the operators of the NetWalker ransomware have likely earned more than $25 million from ransom payments since March this year. The $25 million figure puts NetWalker close to the top of the most successful ransomware gangs known today, with other known names such as Ryuk, Dharma, and REvil (Sodinokibi). NetWalker, as a ransomware strain, first appeared in August 2019. The ransomware operates as a closed access RaaS ransomware-as-a-service portal. Other hacker gangs sign up and go through a vetting process, after which they are granted access to a web portal where they can build custom versions of the ransomware.

    ZDNet report: "NetWalker Ransomware Gang Has Made $25 Million Since March 2020"

  • news

    Visible to the public  "Travel Company CWT Avoids Ransomware Derailment by Paying $4.5m Blackmail Demand"

    According to reports, Minnesota-based business travel company CWT has been affected by a ransomware attack. The reports show that the adversaries claimed they had scrambled files on 30,000 computers and uploaded 2 terabytes of company data. Researchers believe those high numbers sound doubtful, but it was enough pressure that CWT paid the adversaries $4,500,000 in Bitcoin. The adversaries originally asked for $10,000,000. CWT received the cryptographic material to decrypt the scrambled files, and the adversaries "promised" that they did not have access to the stolen data anymore.

    Naked Security reports: "Travel Company CWT Avoids Ransomware Derailment by Paying $4.5m Blackmail Demand"

  • news

    Visible to the public "Election Cyber Surge Initiative Launches"

    The Cyber Policy Initiative (CPI) at the University of Chicago recently announced the launch of the Election Cyber Surge initiative. The initiative aims to help connect state and local election offices with volunteer technologists. According to CPI, the Election Cyber Surge program will develop a database of technologists who are willing to help advise state and local election officials and administrators in addressing different cybersecurity issues. Officials will use the database to search for potential volunteer technologists by skillset, cybersecurity experience, and more. This article continues to discuss the goal and importance of the Election Cyber Surge program.

    Homeland Security News Wire reports "Election Cyber Surge Initiative Launches"

  • news

    Visible to the public "Theoretical Technique to Abuse EMV Cards Detected Used in the Real World"

    Researchers from Cyber R&D Lab conducted an experiment in which they examined how 11 banks from the US, the UK, and the EU implement EMV (Europay, Mastercard, and Visa) chip cards on their networks. The researchers used tools similar to those used by cybercriminal groups to copy information from EMV cards and their magnetic stripes. The data copied from the EMV card was then used to create a magnetic stripe version of the same card but without the chip. This technique, known as EMV-Bypass Cloning, was first described in 2008. However, fears surrounding this technique's abuse had been dismissed due to the expectation of banks to move all users to EMV cards and remove magstripe cards. Banks have not met these expectations or performed a set of security checks before approving inter-technology payments. Therefore, the loop first described in 2018 remains. A report recently published by the security firm Gemini Advisory reveals that the EMV-Bypass Cloning technique has been abused in the wild this year. This article continues to discuss new research on the EMV-Bypass Cloning method and evidence showing the abuse of this technique by criminals.

    ZDNet reports "Theoretical Technique to Abuse EMV Cards Detected Used in the Real World"

  • news

    Visible to the public "Hackers Breached Twitter Accounts by Targeting Employees by Phone"

    In a new update, Twitter clarifies some of the events around a July 15 breach in which attackers took over accounts belonging to former president Barack Obama, Amazon chief executive Jeff Bezos, and rapper Kanye West to solicit bitcoin. The scammers targeted 130 accounts, tweeted from 45 accounts, accessed the direct messages of 36 of the accounts, and downloaded Twitter data of about seven users. Twitter has discovered that the attackers targeted a small number of Twitter employees through a phone spear phishing attack. Not all the affected employees had access to account management tools, the company said, but hackers used their credentials to gather information about Twitter's internal processes. The adversaries then used that reconnaissance data to inform attacks on Twitter personnel with deeper access.

    CyberScoop reports: "Hackers Breached Twitter Accounts by Targeting Employees by Phone"

  • news

    Visible to the public "Startups Disclose Data Breaches After Massive 386M Records Leak"

    A threat actor, named ShinyHunters, has leaked stolen databases of 18 web sites on a hacker forum. Most of the companies affected by this massive leak are startups. One of the leaked databases belongs to Drizly, an alcohol delivery startup. Drizly's database contained 2.5 million records that include customers' emails, names, hashed passwords, addresses, phone numbers, and other personal information. Another leaked database belonging to Scentbird, a fragrance subscription service, contained personal information such as names, encrypted account passwords, dates of birth, gender, and more. This article continues to discuss the disclosure and impact of data breaches recently faced by startup companies.

    Bleeping Computer reports "Startups Disclose Data Breaches After Massive 386M Records Leak"

  • news

    Visible to the public "Private Browsing: What It Does – and Doesn't Do – to Shield You From Prying Eyes on the Web"

    A survey conducted in 2017 showed that nearly half of American internet users have enabled "Private Browsing," "Privacy Mode," "Secret Mode," or "Incognito Mode" in their web browsers to preserve their privacy online. However, a new study by researchers at Carnegie Mellon University found that many people who use their browsers in a privacy-protecting mode have misconceptions about the protection provided by private browsing tools. A common misconception is that private-browsing features offer total anonymity to users when surfing the web. This article continues to discuss the popularity of private browsing tools, how these tools work, reasons people use private browsing mode, and what this mode does not do.

    GovTech reports "Private Browsing: What It Does - and Doesn't Do - to Shield You From Prying Eyes on the Web"

  • news

    Visible to the public "Nation-State Attackers Shift to Credential Theft"

    According to Jens Monrad, head of Mandiant Threat Intelligence for EMEA at FireEye, nation-state attackers such as those from Russia, Iran, and China have shifted their focus to credential theft. Monrad revealed an increase in the detection of credential-stealing malware observed by FireEye customers. He emphasized that stolen credentials allow cybercriminals to increase the stealth of their entry into systems and the operations that follow once they have successfully gained access to the systems. Organizations are encouraged to improve the management of their credentials, increase monitoring for stolen credentials, enforce multi-factor authentication, and more, in order to mitigate credential theft. This article continues to discuss why nation-state attackers are focussing more on credential theft.

    Infosecurity Magazine reports "Nation-State Attackers Shift to Credential Theft"

  • news

    Visible to the public "New Bug in PC Booting Process Could Take Years to Fix, Researchers Say"

    In June, the antivirus company ESET discovered an insidious strain of ransomware that prevents a computer from loading and locks its data. For the ransomware attack to work, a ubiquitous feature known as UEFI Secure Boot, which protects computers from getting malicious code slipped on their systems, would have to be disabled. Now researchers at a hardware security company Eclypsium have found a vulnerability that, if exploited, would allow the ransomware to work on computers that have the Secure Boot feature enabled. The vulnerability is located in a bundle of code known as a GRUB2 bootloader. The researchers estimate that billions of devices are affected by this vulnerability.

    CyberScoop reports: "New Bug in PC Booting Process Could Take Years to Fix, Researchers Say"

  • news

    Visible to the public "US, UK Warn of Malware Targeting QNAP NAS Devices"

    An alert issued by the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC) warns of the infection of more than 62,000 QNAP network-attached storage (NAS) devices by a piece of malware, called QSnatch. The malware was first discovered last year and was observed to be capable of harvesting confidential information, such as login credentials and system configuration, from compromised QNAP devices. According to the joint alert from CISA and NCSC, all NAS devices from QNAP may be vulnerable to QSnatch. The alert states that the malware has infected thousands of devices, mostly in North America and Europe. Attackers can prevent administrators from successfully activating firmware updates through the infection of a QNAP NAS device. The two agencies identified two QSnatch campaigns, one of which ran between 2014 and 2017, and the other between late 2018 and late 2019. Users are advised to apply the newest security patches to avoid this threat. This article continues to discuss the impact and capabilities of the QSnatch malware, and how recommendations for organizations on how to protect against this malware.

    Security Week reports "US, UK Warn of Malware Targeting QNAP NAS Devices"

  • news

    Visible to the public "Energy Unveils Blueprint for Nationwide, 'Unhackable' Quantum Internet"

    The U.S. Department of Energy (DOE) recently released a strategic blueprint for constructing a nationwide quantum internet that is impenetrable to hackers. In February, a workshop held by DOE resulted in the plan to develop a prototype that uses quantum mechanics to connect next-generation computers and sensors, as well as strengthen communications security. The DOE's 17 national laboratories will provide the foundation for the system. The quantum internet is expected to build new types of devices consisting of robust applications and communication for national security, medicine, and more. The strategic blueprint explores various hardware and software needed to build the quantum internet, and gives details about the development of quantum networks over time. This article continues to discuss the blueprint for an unhackable quantum internet and other recent advancements toward the development of quantum networks.

    NextGov reports "Energy Unveils Blueprint for Nationwide, 'Unhackable' Quantum Internet"

  • news

    Visible to the public "The Privacy Paradox: We Claim We Care About Our Data, So Why Don't Our Actions Match?"

    Most people would say they care about their personal information being shared online. However, a smaller percentage of people take the necessary steps to protect their online privacy. This phenomenon is known as the "privacy paradox" in which people express privacy concerns, but fail to take action to preserve their privacy. A team of researchers conducted a new study to examine the privacy paradox further. They found that participants were willing to give up some of their privacy in order to take advantage of the services and convenience provided by an Internet of Things (IoT) device. One of the suggested reasons behind the privacy paradox is that people find it difficult to determine the value of their privacy, thus resulting in the failure to consider the importance of protecting it. Another reason may be that people lack awareness and understanding of their privacy rights or privacy issues. People believe that their personalized experience via an internet-connected device outweighs the potential risks. IoT device users are encouraged to read privacy policies, assume that their personal information is highly valuable, change the default password on any new IoT device, and more. This article continues to discuss a recent study of the privacy paradox and how it applies to IoT devices, as well as how people can match their privacy concerns with their protective behaviors.

    The Conversation reports "The Privacy Paradox: We Claim We Care About Our Data, So Why Don't Our Actions Match?"

  • news

    Visible to the public "Burglars Expose Walgreens Customer Data in a Different Kind of Breach"

    In late May and early June, groups of unidentified thieves broke into multiple Walgreens stores and stole prescription information and other data on some 70,000 customers. The thieves forced their way behind pharmacy counters, stole drug prescriptions, and took a "very limited" number of hard drives attached to stolen cash registers. According to Walgreens, customers' health insurance and vaccination information may have been swept up in the breach, but credit card data and Social Security numbers were not affected. The incidents are a reminder that, as healthcare organizations try to guard their networks from hackers, physical attacks can also compromise sensitive customer data.

    Cyberscoop reports: "Burglars Expose Walgreens Customer Data in a Different Kind of Breach"

  • news

    Visible to the public "Public Cloud Environments Leave Numerous Paths Open For Exploitation"

    In a new study conducted by Orca Security, they found that organizations across industries are rapidly deploying more assets in the public cloud with Amazon, Microsoft, and Google, leaving numerous paths open for exploitation. The study found that more than 80 percent of organizations have at least one neglected, internet-facing workload, meaning it's running on an unsupported operating system or has remained unpatched for 180 days or more. More than half of the organizations had at least one neglected internet-facing workload that has reached its end of life and is no longer supported by manufacturer security updates. Almost half of the organizations (44 percent) have internet-facing workloads containing secrets and credentials that include clear-text passwords, API keys, and hashed passwords that allow lateral movement across their environment. Almost a quarter of the organizations have at least one cloud account that doesn't use multi-factor authentication for the super admin user. Five percent of the organizations have cloud workloads that are accessible using either a weak or leaked password.

    Help Net Security reports: "Public Cloud Environments Leave Numerous Paths Open For Exploitation"

  • news

    Visible to the public "Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness"

    The "2020 State of Public Cloud Security Risks" report published by the cloud security firm Orca Security reveals that more than 80% of companies have an Internet-facing cloud asset that is out-of-date or running an end-of-life operating system or other software. The report also reveals that almost a quarter of organizations do not have multi-factor authentication enabled for an administrator or root cloud account. This article continues to discuss key findings pertaining to the security state of public-cloud assets, the importance of securing such assets, and small and medium-sized organizations' continued struggle to improve their security efforts as they move to cloud services.

    Dark Reading reports "Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness"

  • news

    Visible to the public "New VPN Flaws Highlight Proven Pathway for Hackers Into Industrial Organizations"

    Industrial companies have been advised to secure their Virtual Private Network (VPN) connections used by employees for remote connectivity in order to avoid providing entry points for hackers seeking sensitive data. This advice is even more essential now with the rise in remote work during the COVID-19 pandemic. Researchers from the cybersecurity company, Claroty, recently published data on multiple remote-connectivity products widely used in oil, gas, and other industrial sectors, highlighting the importance of securing VPN connections. The researchers discovered new vulnerabilities in VPN servers and devices that could be exploited by attackers to gain access to industrial computers used to connect to machinery. The three vendors whose products were discovered to contain the vulnerabilities are HMS Networks, Moxa, and Secomea. This article continues to discuss notable attacks faced by industrial organizations involving the abuse of remote-access technology, the increased targeting of civilian infrastructure by foreign powers, and the discovery of new flaws in VPN products.

    CyberScoop reports "New VPN Flaws Highlight Proven Pathway for Hackers Into Industrial Organizations"

  • news

    Visible to the public "Randomness Theory Could Hold Key to Internet Security"

    The question about whether there is an unbreakable code has been central to cryptography and efforts to maintain the security of personal information on the internet. In a new paper, titled "On One-Way Functions and Kolmogorov Complexity," Cornell Tech researchers identified a natural 'mother' problem with cryptography that could hold the key to whether all encryption schemes and digital signatures can be broken. The research also shows a connection between two areas of mathematics and computer science: cryptography and algorithmic information theory, also known as the theory of Kolmogorov complexity. This article continues to discuss the result of this study and its potential impact on internet security.

    Science Daily reports "Randomness Theory Could Hold Key to Internet Security"

  • news

    Visible to the public "Source Code From 50+ Companies, Including Nintendo, Microsoft and Adobe, Published Online"

    Researchers have discovered source code from dozens of companies that have been published online on public repositories. Some of the companies affected include Microsoft Corp., Adobe Systems Inc., Lenovo Group Ltd., Advanced Microsoft Devices Inc., Qualcomm Inc., Mediatek Inc., GE Appliances, Nintendo Co. Ltd. and the Walt Disney Co. There is some concern that the leaked code may be used for nefarious purposes. Tom Guide, a security specialist, stated that "losing control of the source code on the internet is like handing the blueprints of a bank to robbers." The published code from Nintendo gives an inside look at the source code behind a range of classic games, including Mario, Mario Kart, Zelda, F-Zero, and Pokemon series. The Nintendo code also includes pre-release art, fully playable prototypes of some games, and even references to projects that were never completed.

    siliconANGLE reports: "Source Code From 50+ Companies, Including Nintendo, Microsoft and Adobe, Published Online"

  • news

    Visible to the public "No Honor Among Cyber Thieves"

    A study published in the June edition of Social Science Computer Review examined user activity on two online carding forums, which are cybercrime marketplaces (illegal sites) dedicated to sharing stolen credit card information. Instances of online identity theft and other forms of cybercrime continue to increase during the coronavirus pandemic. The research gives insight into cybercriminal operations and marketplaces to help apprehend criminals and protect regular internet users. According to Washington State University criminologist and lead author of the study, Alex Kigerl, carding forums have grown in popularity due to their ease of access, short shelf life, and boards of specialized topics such as free tutorials on hacking. This article continues to discuss findings from Kigerl's analysis of data from two carding forums pertaining to the forums' structure, administrator, and users, as well as the spike in daily cybercrimes since the start of stay-at-home restrictions.

    WSU Insider reports "No Honor Among Cyber Thieves"