News Items

  • HoTSoS 2022 Best Undergraduate Poster Award

    Congratulations to Sanjana Cheerla at NCSU for winning the HoTSoS Best Undergraduate Poster Award for their poster Identifying Online Misbehavior.

    Check out the Announcement & Closing Remarks stream here!

  • HoTSoS 2022 Best Poster Award

    Congratulations to Samin Yaseer Mahmud & William Enck at NCSU for winning the HoTSoS Best Poster Award for their poster A Study of Security Weakness in Android Payment Service Provider SDKs.

    Check out the Announcement & Closing Remarks stream here!

  • Science of Security and Privacy 2022 Annual Report

    The Science of Security and Privacy 2022 Annual Report is now available.

    This report highlights the progress and accomplishments of the Science of Security and Privacy initiative.

  • Paper on One-Way Functions Wins NSA Paper Competition

    "On One-way Functions and Kolmogorov Complexity" wins the 9th Annual Best Scientific Cybersecurity Paper Competition. This paper was written by Yanyi Liu from Cornell University and Rafael Pass from Cornell Tech.

    An honorable mention award was given to "Retrofitting Fine Grain Isolation in the Firefox Renderer" written by Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Sorin Lerner, Eric Rahm, Hovav Shacham and Deian Stefan.

  • NSF 21-122 Dear Colleague Letter: Enabling Secure and Trustworthy Cyberspace (SaTC) CISE-SBE Interdisciplinary Collaborations

    Proposals are due Dec 10, 2021, but an approval letter from a program officer is required before you can submit. Submitting in response to this DCL does *not* count against the limit on the number of proposals that can be submitted to the SaTC solicitation.

    September 27, 2021

    https://www.nsf.gov/pubs/2021/nsf21122/nsf21122.jsp

  • Solicitation: NSF Secure and Trustworthy CyberSpace (SaTC) [Solicitation 22-517]

    Secure and Trustworthy Cyberspace (SaTC)

    PROGRAM SOLICITATION
    NSF 22-517

    REPLACES DOCUMENT(S):
    NSF 21-500

    National Science Foundation

    Directorate for Computer and Information Science and Engineering
         Division of Computer and Network Systems
         Division of Computing and Communication Foundations
         Division of Information and Intelligent Systems
         Office of Advanced Cyberinfrastructure

  • HoTSoS 2022 Call for Papers! Deadline December 17th!

    The Hot Topics in the Science of Security (HoTSoS) Symposium is now soliciting submissions for the 2022 program. Following the success of the virtual HoTSoS Symposium in 2021, HoTSoS '22 will be a virtual event held the week of April 4th, 2022. In addition to research paper discussions and presentations, the symposium program will also include invited talks and panels.

    We are accepting submissions in the following three categories:

  • Follow @SoS_VO_org on Twitter!

    The SoS-VO team is excited to announce that we recently updated the homepage of the website to link to the official Science of Security & Privacy Twitter account, where we will be making daily announcements about noteworthy news items, upcoming opportunities, and impending deadlines in the SoS community.

  • Predictive Intelligence for Pandemic Prevention (PIPP) Webinars

    February 16, 2021 11:00 AM to February 17, 2021 6:45 PM, Virtual Workshop (Save the Date)

    February 25, 2021 11:00 AM to February 26, 2021 6:00 PM, Virtual Workshop (Save the Date)

  • HoTSoS 2021: Works-in-Progress Co-Chairs

    Meet the HoTSoS 2021 Team: Works-in-Progress Co-Chairs

    Kurt Kelville (MIT) and Aron Laszka (University of Houston) are our Works-in-Progress Co-Chairs for the 2021 Symposium. Happy to have these two on the Program Committee Team!

    About the Chairs

  • Call for Participation: Canberra Artificial Intelligence Summer School

    Virtual, December 4-7th, 2020

    FREE

    Website: http://canberraai.net/caiss2020/
    Discord: https://discord.com/invite/rcKuNm4

    [If interested in staying up-to-date, please join this Discord channel!]

    Introduction

  • Take my word for it: Privacy and COVID alert apps can coexist

    By Lorrie Cranor, Opinion Contributor, 11/10/20 09:30 AM EST

    Since the COVID-19 pandemic began, technologists across the country have rushed to develop digital apps for contact tracing and exposure notifications. New York, New Jersey, Pennsylvania, and Delaware have all recently announced the launch of such apps, announcements which generated excitement. But the advent of these tools has also created questions. Chief among them: Do these apps protect privacy?

  • CPS-VO.org now supports DOI!

    The latest release of CPS-VO.org adds Zenodo support for generating archives and including DOI information for content types such as files, news items, web pages, and wiki pages!

  • NIST Releases Draft Security Feature Recommendations for IoT Devices

    "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.

    August 01, 2019

  • NSA-approved cybersecurity law and policy course now available online

    CyberScoop, Shannon Vavra, August 27, 2019

    Anyone who is interested in cybersecurity law and policy can now take an online course that was partly shaped by the National Security Agency.

  • Verification Tool Competition

    ARCH brings together researchers and practitioners to establish a curated set of benchmarks for verification, testing and reachability, and to evaluate them in a friendly competition. ARCH started in 2014 and has sustained a vibrant community since. Since 2017, ARCH has organized, as part of the workshop, the International Competition on Verifying Continuous and Hybrid Systems (ARCH-COMP, https://cps-vo.org/group/ARCH/), now in its 3rd iteration.

  • Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is "How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games" by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and the University of California, Santa Barbara. This paper was originally accepted at the 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage: https://cps-vo.org/group/sos/papercompetition/pastcompetitions

  • Secretary of Energy Rick Perry Announces $68.5 Million for Advanced Vehicle Technologies Research

    WASHINGTON, D.C. - Today, U.S. Secretary of Energy Rick Perry announced up to $68.5 million in available funding for early-stage research of advanced vehicle technologies that will enable more affordable mobility, strengthen domestic energy security, and enhance U.S. economic growth.

  • 2018 NSF CPS Program Solicitation

    The 2018 Cyber-Physical Systems Program Solicitation has been released. The submission window for proposals is April 27, 2018 - May 8, 2018. Please see the full solicitation for additional details and the summary of program requirements: https://cps-vo.org/node/45729

  • NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its BAA (really a request for proposals) for its next generation of SoS Lablets. These include lablets on the 5 Hard Problem areas in the Science of Security, on the Science of Privacy, and on Cyber-Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can help direct inquiries: https://cps-vo.org/group/SoS/contact

  • U.S. Department of Transportation Launches Smart City Challenge to Create a City of the Future

    Smart City Challenge

  • NEW 2016 NSF-USDA Solicitation: Innovations at the Nexus of Food, Energy, and Water Systems (INFEWS)

    Program Solicitation
    NSF 16-524

    National Science Foundation

  • Sticky News Item

    This news item always appears at the top of the 'recent news' list because the 'pin to top of lists' box is checked under 'publishing options' below. News Items can also be set to show in the spotlight slideshow feature.

  • "Vishing Cases Reach All Time High"

    Researchers from Agari and PhishLabs have found that vishing (voice phishing) cases increased almost 550 percent over the last twelve months (Q1 2021 to Q1 2022). In Q1 2022, Agari and PhishLabs detected and mitigated hundreds of thousands of phishing, social media, email, and dark web threats targeting many enterprises and brands. According to the researchers, vishing attacks have overtaken business email compromise (BEC) as the second most reported response-based email threat since Q3 2021. The researchers stated that by the end of the year, more than one in four reported response-based threats was a vishing attack, and this makeup continued through Q1 2022. Hybrid vishing campaigns continue to generate stunning numbers, representing 26.1% of the total share in volume so far in 2022. The researchers also found that social media impersonation attacks are on the rise: since Q2 2021, the volume of brand impersonations increased by 339%, and executive impersonations by 273%. Credential theft email scams continue to be the most common email threat type reported by employees, contributing nearly 59% of all threat types encountered.

    Help Net Security reports: "Vishing Cases Reach All Time High"

  • "SwRI Creates Cyber Threat Detection System"

    Researchers at the Southwest Research Institute (SwRI) developed an Intrusion Detection System (IDS) for Industrial Control Systems (ICS) aimed at helping government and industry improve the detection of cyber threats to industrial networks in critical infrastructure. The IDS, funded by SwRI, addresses emerging cyber threats faced in the continuously changing industrial automation ecosystem. The team applied algorithms to scan for cyber threats across the network protocols that transmit industrial control data for natural gas pipelines, manufacturing robots, and more, which led to the development of the IDS for ICS. The design of ICS historically did not consider security, since an air gap allowed ICS to operate securely without a connection to IT networks. However, unplugging industrial networks from IT networks is no longer an option for modern automation systems that depend on Internet of Things (IoT) devices to transmit large amounts of data. Connecting IoT devices and other hardware leaves industrial networks vulnerable: malicious actors could launch attacks via a vulnerable IoT device, network protocols, or outdated software. The SwRI team focused their research on scanning for cyberattacks over the Modbus/TCP protocol, which utilities and industry have used in Supervisory Control and Data Acquisition (SCADA) equipment for decades. The algorithms they developed were tested on recognizing normal Modbus/TCP traffic and identifying cyberattack vectors such as data fuzzing/manipulation, address probing, and out-of-band timing. Their algorithms classify data packets as "regular" if they originate from an uncompromised industrial control device or "attack" if the source is an unexpected or compromised device. This article continues to discuss SwRI's research and development of the IDS for ICS.

    TRR reports "SwRI Creates Cyber Threat Detection System"

  • "Strong Password Policy Isn't Enough, Study Shows"

    Security researchers at Specops Software analyzed a database of more than 800 million known-breached passwords and found that 83% of the passwords met basic security standards set by five different standards agencies. The researchers stated that the minimum password lengths prescribed by NIST, HITRUST for HIPAA, PCI, ICO for GDPR, and Cyber Essentials for NCSC ranged from seven to 10 characters and included requirements for password complexity, special characters, and numbers. None of the requirements were enough to keep compliant passwords off the breached list. Darren James stated that the data shows there is an excellent reason why some regulatory recommendations now include a compromised password check. He noted that complexity and other rules might help, but the most compliant password in the world does nothing to protect your network if it is on an attacker's compromised password list.

    Dark Reading reports: "Strong Password Policy Isn't Enough, Study Shows"

  • "IBM is Helping These Schools Build up Their Ransomware Defenses"

    IBM announced on Tuesday that it has expanded a program to improve the cybersecurity defenses of public schools with $5 million in grants. IBM stated that $5 million of in-kind grants would be awarded to public schools, including K-12 institutions in the United States. While IBM's existing grants program has previously focused on US schools, the scheme has now expanded to other countries. IBM said these programs are necessary to "help address cybersecurity resiliency in schools, including against ransomware." IBM noted that six grants are being awarded to US school districts. In addition, four grants are destined for Brazil, Costa Rica, Ireland, and the United Arab Emirates. Each award is worth $500,000, bringing the total to $5 million in resources and hours. IBM teams will work with schools to audit existing defenses and create playbooks for incident response. In addition, they will address cybersecurity awareness and training for staff, students, and parents and develop a management-level strategic plan for handling communication in the aftermath of a cyberattack. According to research by Emsisoft, more than 1,000 educational establishments in the US alone suffered a ransomware attack in 2021, including school districts, colleges, and universities. Charles Henderson, head of IBM Security X-Force, stated that for schools, a significant barrier to strengthening their cybersecurity posture often comes down to constrained budgets.

    ZDNet reports: "IBM is Helping These Schools Build up Their Ransomware Defenses"

  • "New Countermeasure Against Unwanted Wireless Surveillance"

    Smart devices are intended to make our lives easier, but at the same time, they can serve as a conduit for passive eavesdropping. Researchers from the Max Planck Institute for Security and Privacy, the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum (RUB), and the Cologne University of Applied Sciences have developed a novel system for protecting privacy in wireless communication, preventing possible surveillance of movement profiles within one's home. Their approach is based on Intelligent Reflective Surfaces (IRS). To counter the method known as "adversarial wireless sensing," the team investigated the use of IRS, a forward-looking technology for establishing intelligent wireless environments. With this technology, many reflective elements are distributed over a surface, and their reflective behavior can be individually and electronically adjusted. This allows the elements to manipulate the incident radio waves dynamically; IRS can be configured to reflect signals in a specific direction. The researchers are the first to propose IRS as a practical countermeasure against passive wireless eavesdropping attacks. Their system, called "IRShield," uses a specially designed algorithm that creates a random IRS configuration, thus disguising the wireless channels so that attackers can no longer read information about movements in the room from the signal. IRShield is designed to be a standalone privacy-friendly extension for plug-and-play integration into existing wireless infrastructures. This article continues to discuss the capabilities and testing of the IRShield system.

    RUB reports "New Countermeasure Against Unwanted Wireless Surveillance"

  • "A 'Whale' of a Threat Evolves in the Financial Industry to Steal Sensitive Data"

    In cybersecurity, "whaling" refers to cybercriminals targeting high-level executives to steal the most privileged information and obtain access to the most sensitive data. According to Tonia Dudley, strategic adviser at Cofense, these whaling attempts typically begin with a phishing email. The FBI revealed that high-level whaling attacks cost businesses more than $12.5 billion in losses in 2021. Dudley pointed out that the themes observed across many campaigns were typically finance-related as they involved invoices, purchase orders, or quotes. Dudley added that Cofense has seen fewer attachments reaching the inbox for users to interact with, but HTML and HTM files have been observed consistently making it through security filters. Whaling campaigns are increasingly leveraging multiple stages in their attacks. For example, the first stage could begin with a link to a file-sharing cloud site such as Google, Dropbox, or DocuSign. Once the file has been downloaded, embedded files or links to pages will run the second stage, which might contain anything from a credential login page to malware leading to an entry point for a ransomware attack. This article continues to discuss the threat of whaling attacks against the financial industry.

    SC Media reports "A 'Whale' of a Threat Evolves in the Financial Industry to Steal Sensitive Data"

  • "PyPI Served Malicious Version of Popular 'Ctx' Python Package"

    Researchers at Sonatype, SANS Institute, and an independent researcher have discovered that a popular Python package was compromised recently and replaced with a malicious version designed to help the attacker obtain AWS credentials. The researchers stated that two libraries appear to have been targeted in the attack, but only one of them may have had a more significant impact. The Python package named Ctx, which has, on average, 22,000 downloads per week, was compromised on the Python Package Index (PyPI) on May 14. The last Ctx update prior to this attack was uploaded to PyPI in December 2014, but new versions were published on and after May 14. The investigation by the researchers revealed that the original maintainer's domain name expired, and the attacker registered the domain on May 14. With access to the domain, they could have created an email address to which the password reset link would be sent. The Ctx versions uploaded by the attacker, 0.1.2 (this was also the last version of the original), 0.2.2, and 0.2.6 included functionality to steal data and upload it to a remote location controlled by the attacker. The researchers noted that targeted data in one version included AWS access key ID, computer name, and AWS secret access key when a dictionary is created. Another malicious version of Ctx targeted all environment variables. The second compromised library discovered by the researchers was the PHPass portable PHP password hashing framework. The original PHPass was deleted in September 2021, along with its original developer's account. The developer's username became available, and it was claimed by the attacker, giving them access to the project's GitHub account. The researchers noted that both impacted libraries have been taken down. While the malicious Ctx version may have impacted many users, PHPass appears to have had only a handful of installations in recent weeks. The researchers saw evidence that suggested the two incidents are related.

    SecurityWeek reports: "PyPI Served Malicious Version of Popular 'Ctx' Python Package"

  • "Senate Report: US Government Lacks Comprehensive Data on Ransomware"

    According to a new report by the United States Senate Committee on Homeland Security & Governmental Affairs, the US government lacks comprehensive data on ransomware attacks, including how much is lost in payments. The report presented the findings of a 10-month investigation into the growing threat of ransomware. It cited FBI figures showing that the agency had received 3729 ransomware complaints with adjusted losses of more than $49.2m. However, it was stated that even these figures "likely drastically underestimate the actual number of attacks and ransom payments made by victims and related losses." Following numerous interviews with federal law enforcement and regulatory agencies, in addition to private companies that assist ransomware victims with extortion demands, the report concluded that there is a lack of data on this surging attack vector at the government level. It was noted that changing this is vital because "more data is needed to better understand and combat these attacks." In addition, it noted that this information will assist the investigation and prosecution of ransomware threat actors. The committee also emphasized the significant threat ransomware poses to US national security. According to the committee's report, data reporting and collection on ransomware attacks and payments is fragmented and incomplete. This is partly due to two separate federal agencies, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, hosting different websites that each claim to be the government's one-stop location for reporting ransomware attacks. While the agencies state they share data with each other, companies that handle ransomware incident responses questioned the effectiveness of such communication channels in assisting victims of an attack.

    The investigation also highlighted the growing role of cryptocurrencies, particularly Bitcoin, in ransomware attacks, which "has become a near-universal form of ransom payment." The committee noted that the decentralized nature of these currencies makes it challenging for law enforcement to identify and arrest the perpetrators, particularly foreign-based groups. Therefore, the committee recommended the prioritization of data collection on ransomware attacks as a crucial means of addressing increased national security threats.

    Infosecurity reports: "Senate Report: US Government Lacks Comprehensive Data on Ransomware"

  • "Verizon DBIR: Healthcare Cyberattacks Increase, Insider Threats Remain"

    Verizon's 2022 Data Breach Investigations Report (DBIR) revealed a growth in cyberattacks across all sectors, including healthcare. Verizon discovered a 13 percent spike in ransomware year-over-year, representing an increase that is more significant than the previous five years combined. Researchers analyzed 23,896 security incidents, 849 of which were faced by the healthcare industry. In healthcare, 571 of the detected cyber events resulted in confirmed data leakage. Last year's Verizon report revealed that researchers observed 655 healthcare incidents, with 472 resulting in confirmed data disclosures. Although insider threats are prevalent in healthcare, external threats accounted for 61 percent of threat actors, a percentage that did not change by one percentage point from the previous year's report. The top three patterns did not change, but the order did. In the healthcare sector, basic web application attacks have surpassed other errors as the leading cause of breaches. Basic web application attacks, miscellaneous errors, and system intrusions accounted for 76 percent of all healthcare breaches. This article continues to discuss key findings from Verizon's DBIR regarding healthcare cyberattacks and threats.

    HealthITSecurity reports "Verizon DBIR: Healthcare Cyberattacks Increase, Insider Threats Remain"

  • "Hospital Cyberattack Compromises Data From Decades Ago"

    A December cyberattack on a Canadian healthcare organization compromised a wide range of data, including patient information dating back to 1996 and personnel vaccination records from last year. Some of the compromised data came from a non-profit organization of affiliated clinicians. Arnprior Regional Health (ARH), which includes a hospital, long-term health facility, and other healthcare services in Arnprior, Ontario, Canada, claims it learned of unauthorized access to its IT system on December 21, 2021, during which data was stolen. According to ARH, the incident impacted 13 different categories of data, including several groupings of information regarding colonoscopies, COVID-19 and flu vaccinations, emergency room and in-patient satisfaction surveys, and patients on waiting lists. Individuals' personal and health information that could have been compromised included name, date of birth, health card number, time of visit, procedure and diagnosis, and demographics, depending on the category of data affected. This article continues to discuss the December cyberattack faced by ARH and recommendations for protecting legacy data.

    InfoRiskToday reports "Hospital Cyberattack Compromises Data From Decades Ago"

  • "RansomHouse: Bug Bounty Hunters Gone Rogue?"

    A new cybercrime group that calls itself RansomHouse is attempting to carve out a niche of the cyber extortion market for itself by hitting organizations, stealing their data, and offering to delete it and provide a full report on how and what vulnerabilities were exploited in the process if the organization pays their demands. Researchers at Cyberint stated that RansomHouse's sole purpose is not to act as another ransomware group but rather to act as a pentesting/bug bounty group that forces their services on whoever does not take organizational security seriously enough. The group does not encrypt the organization's data, they just steal it and promise to delete it if they get paid. If the victim doesn't pay up, they either attempt to sell the stolen data or leak it online for everyone to see if no one is interested in buying. The researchers stated that the no-encryption approach is a technique they have seen on the rise lately, although its effect is not always what the threat groups might hope for. The researchers noted that overall, this technique will not work on every organization, and it depends on what type of data was stolen. For example, this technique will have a much higher success rate on organizations that are working on secret projects or patents rather than a company whose leak contains a minor number of customers' information. The researchers stated that by analyzing the contents of the group's Telegram channels, they believe the group might have a blue and red team background and might even be disgruntled bug bounty hunters.

    Help Net Security reports: "RansomHouse: Bug Bounty Hunters Gone Rogue?"

  • "Microsoft: Credit Card Skimmers Are Changing Their Tactics to Remain Undetected"

    According to Microsoft, card-skimming malware is increasingly using malicious PHP software on web servers to modify payment sites and avoid the browser safeguards that JavaScript code would trigger. Card skimming has been fueled in recent years by Magecart malware, which uses JavaScript code to inject scripts into checkout sites and capture and steal credit card information. Injecting JavaScript into front-end processes was "very conspicuous," according to Microsoft, because it may trigger browser defenses like Content Security Policy (CSP), which prohibits unapproved external scripts from loading. By attacking web servers with malicious PHP scripts, malicious actors found a less noisy technique. Microsoft discovered two malicious image files on a Magento-hosted server in November 2021, one of which was a fake browser favicon. The images contained an embedded PHP script, which did not run by default on the compromised web server. Instead, in order to target customers, the PHP script only begins once cookies confirm that the web administrator is not currently signed in. The PHP script retrieved the URL of the current page and searched for the keywords "checkout" and "one page," which are associated with Magento's checkout page. The FBI recently issued a warning about new incidents of card-skimming cybercriminals infecting US corporate checkout sites with web shells that allow backdoor remote access to the web server via malicious PHP. According to Sucuri, PHP skimmers targeting backend web servers accounted for 41 percent of new credit card-skimming malware found in 2021. This article continues to discuss observations surrounding card-skimming cybercriminals' tactics.

    CyberIntelMag reports "Microsoft: Credit Card Skimmers Are Changing Their Tactics to Remain Undetected"

  • "Cisco Warns of Exploitation Attempts Targeting New IOS XR Vulnerability"

    Cisco recently informed its customers that it is aware of in-the-wild exploitation attempts targeting a new vulnerability affecting its IOS XR software. The flaw, tracked as CVE-2022-20821, was discovered by Cisco during the resolution of a support case. The vulnerability, which has a "medium severity" rating based on its CVSS score of 6.5, can allow a remote, unauthenticated attacker to access a Redis instance that is running within a container named "NOSi." Cisco noted that the issue affects the health check RPM in IOS XR software and is related to the TCP port 6379, which the RPM opens by default on activation. Cisco stated that an attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Cisco noted that given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system. The vulnerability only impacts Cisco 8000 series routers running IOS XR 7.3.3 with the health check RPM active. A patch is included in version 7.3.4. Cisco has provided instructions for determining if a device is vulnerable and detailed information for applying workarounds.

    SecurityWeek reports: "Cisco Warns of Exploitation Attempts Targeting New IOS XR Vulnerability"

  • news

    Visible to the public "US Car Giant General Motors Hit by Cyberattack Exposing Car Owners' Personal Info"

    General Motors (GM), a US automobile manufacturer, announced that it was hit by a credential stuffing attack last month that exposed customer information and allowed hackers to redeem rewards points for gift cards. GM said it detected the malicious login activity between April 11-29, 2022. GM stated that, based on the investigation to date, there is no evidence that the login information was obtained from GM. GM noted that it believes unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customers' GM accounts. The personal information of affected customers includes first and last names, personal email addresses, home addresses, usernames and phone numbers for registered family members tied to the account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members' avatars and photos (if uploaded), profile pictures, and search and destination information. Other information available to hackers included car mileage history, service history, emergency contacts, and Wi-Fi hotspot settings (including passwords). GM advised users to reset their passwords, and said that affected individuals should request credit reports from their banks and place a security freeze if required. GM also confirmed that hackers redeemed customer reward points for gift cards in some instances.

    Infosecurity reports: "US Car Giant General Motors Hit by Cyberattack Exposing Car Owners' Personal Info"

  • news

    Visible to the public "Towards Having Your Privacy and Security and Exchanging Crypto Too"

    A team of researchers wrote a new paper outlining a new protocol for better privacy and security protections when exchanging cryptocurrencies. Currently, if two people or entities want to exchange one cryptocurrency for another, they can do so directly between themselves, but there is always the risk that one of the two parties will be dishonest and not keep their end of the deal. Another option is to have a third-party exchange service mediate the transaction. However, the concern remains as to whether the exchange service is an adversary seeking to steal coins from both parties. There is also the problem of confidentiality. For example, if an e-commerce website only takes one cryptocurrency and you only have coins in a different cryptocurrency, you will need to convert your coins to the appropriate currency before making a purchase. The exchange required for this conversion can reveal sensitive information. The new study proposes a protocol to address these concerns about security and privacy. The protocol is universal, thus allowing for cross-exchanges between all present and future cryptocurrencies. Without relying on third parties, the swap protocol ensures that the exchange will be performed honestly or not at all, guaranteeing that no one will maliciously lose coins. Finally, the protocol allows for the simultaneous exchange of different types of cryptocurrency, such as Bitcoin, Ethereum, Dogecoin, and more. This article continues to discuss the study on the secure exchange of coins across all blockchains.

    CyLab reports "Towards Having Your Privacy and Security and Exchanging Crypto Too"

  • news

    Visible to the public "Scientists Create New Method to Kill Cyberattacks in Less Than a Second"

    Researchers at Cardiff University have developed a new method for automatically detecting and killing cyberattacks on laptops, desktops, and smart devices in less than a second. The method, which uses Artificial Intelligence (AI) and Machine Learning (ML) in a novel way, has been found to successfully protect up to 92 percent of files on a computer from being corrupted, with malware removal taking only 0.3 seconds on average. According to the researchers, this is the first demonstration of a system that can both detect and wipe out malware in real time. The new approach, developed in collaboration with Airbus, is based on monitoring and predicting malware behavior rather than the more standard antivirus methods that analyze how malware looks. By training computers to run simulations on specific pieces of malware, it is feasible to predict in less than a second how that malware will behave further down the line. Once a piece of malware is flagged, the next step is to remove it, which is where the new research comes in. To test the novel detection system, the researchers set up a virtual computing environment to mimic a number of regularly used laptops, each of which could run up to 35 programs at once to simulate usual behavior. Thousands of malware samples were then used to test the AI-based detection approach. This article continues to discuss the team's new method capable of automatically detecting and killing malware in under a second.

    Cardiff University reports "Scientists Create New Method to Kill Cyberattacks in Less Than a Second"

  • news

    Visible to the public Pub Crawl #62

    Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    Visible to the public "Hackers Compromised Some Zola User Accounts to Buy Gift Cards"

    Zola, a wedding planning startup that allows couples to create websites, budgets, and gift registries, recently discovered that hackers gained access to user accounts but has denied a breach of its systems. The incident first came to light over the weekend after Zola customers took to social media to report that their accounts had been hijacked. Some Zola customers reported that hackers had depleted funds held in their Zola accounts, while others said they had thousands of dollars charged to their credit cards. A Zola spokesperson stated that the accounts had been breached through a credential stuffing attack, in which existing sets of exposed or breached usernames and passwords are used to access accounts on different websites that share the same set of credentials. Zola said fewer than 0.1% of accounts were compromised but would not say specifically how many users that equates to. Zola said it temporarily suspended its iOS and Android apps during the incident and reset all user passwords out of an "abundance of caution."

    TechCrunch reports: "Hackers Compromised Some Zola User Accounts to Buy Gift Cards"

  • news

    Visible to the public "Conti Ransomware Operation Shut Down After Brand Becomes Toxic"

    Security researchers at AdvIntel have discovered that the Conti ransomware operation has undergone significant organizational structure changes in the past months after the brand became toxic due to its affiliation with the Russian government. While the group appeared to be very active, researchers stated that the group has been in the process of shutting down the Conti brand and switching to a different organizational structure that involves multiple subgroups. The researchers noted that the downfall of the Conti brand began when Conti pledged to support Russia. With sanctions mounting against Russia and the group's declaration of support, payments to the cybercriminals could be considered payments to Russia and implicitly a violation of sanctions. The researchers stated that many victims of Conti were prohibited from paying the ransom. Other victims and companies who would have negotiated ransomware payments were more ready to risk the financial damage of not paying the ransom than they were to make payments to a state-sanctioned entity. Instead of suddenly disappearing as REvil tried to do, Conti decided to gradually shift to a new strategy put into practice well before the Conti brand would be shut down. The researchers stated that the Conti operation was officially shut down on May 19, when the site's admin panel and negotiations service went offline, and the rest of the infrastructure was reset. However, before the shutdown, the group continued to appear active and made a grand exit by hacking into the systems of Costa Rica, claiming that its goal was to overthrow the government. Currently, the Conti brand has been terminated, and the group's leaders have switched to what AdvIntel describes as a "network organizational structure" that is more "horizontal and decentralized" compared to the previous hierarchy, which has been described as "rigid." The researchers noted that the new structure will be a coalition of several equal subdivisions, some of which will be independent and some existing within another ransomware collective. However, they will all be united by internal loyalty to both each other and the Conti leadership, especially Conti project frontman 'reshaev', the cybersecurity firm explained. The researchers stated that the Conti network now includes fully autonomous groups, such as Karakurt, Black Basta, and BlackByte, which do not use data-encrypting malware and instead rely only on the theft of valuable information to extort victims. The new Conti network also includes semi-autonomous groups that use locker malware, such as AlphV (BlackCat), HIVE, HelloKitty (FiveHands), and AvosLocker.

    SecurityWeek reports: "Conti Ransomware Operation Shut Down After Brand Becomes Toxic"

  • news

    Visible to the public "Hackers Can Hack Your Online Accounts Before You Even Register Them"

    According to security researchers, hackers can hijack online accounts before users even register them. This was possible through the exploitation of vulnerabilities that have since been resolved on popular websites, including Instagram, LinkedIn, Zoom, WordPress, and Dropbox. Of the 75 popular online services analyzed, at least 35 were found to be vulnerable to account pre-hijacking attacks, according to Andrew Paverd, a researcher at the Microsoft Security Response Center (MSRC), and Avinash Sudhodanan, an independent security researcher. The type and severity of these attacks vary, but they all arise from poor security policies followed by the websites. First, for a pre-hijacking attack to work, the attacker must know the target's email address, which is easy to obtain through email correspondence or data breaches faced by companies. Next, the attacker uses the target's email address to create an account on a vulnerable website, hoping that the victim will dismiss the notification sent to their inbox as spam. Finally, the attacker either waits for the victim to sign up for the site or tricks them into doing so. During this process, there are five different attacks that threat actors can perform: the classic-federated merge (CFM), the unexpired session (US) ID, the trojan identifier (TID), the unexpired email change (UEC), and the non-verifying (NV) identity provider (IDP) attack. This article continues to discuss the researchers' findings surrounding the performance and potential impact of the pre-hijacking attacks.

    BC reports "Hackers Can Hack Your Online Accounts Before You Even Register Them"

  • news

    Visible to the public "Anonymous Declares Cyberwar on Pro-Russian Hacker Gang Killnet"

    Hacktivist group Anonymous has recently announced that it is launching a cyberwar against the pro-Russian group Killnet, which recently attacked European institutions. Last week, Killnet attacked the websites of various Italian institutions and government ministries, including the superior council of the judiciary, its customs agency, and its foreign affairs, education, and cultural heritage ministries. Killnet also launched attacks in early May, targeting Italy's upper house of parliament, the National Health Institute (ISS), and the Automobile Club d'Italia. Shortly after Anonymous declared a cyberwar against Killnet on Twitter, the group announced on Twitter that the official Killnet site had been taken offline. This news comes a few days after cybersecurity agencies in the US, UK, Australia, Canada, and New Zealand warned organizations beyond Ukraine's borders that pro-Russian hackers may soon target them.

    Infosecurity reports: "Anonymous Declares Cyberwar on Pro-Russian Hacker Gang Killnet"

  • news

    Visible to the public "Ransomware Hackers Steal Personal Data of 500,000 Students and Staff in Chicago"

    It has recently been discovered that the personal information of more than half a million Chicago Public Schools (CPS) students and staff was leaked in a ransomware attack last December, and the breach was not reported until April. On Friday, the district said that technology vendor Battelle for Kids notified CPS of the breach on April 25. CPS stated that a server used to store student and staff information was breached, and four years' worth of records were accessed. CPS said that 495,448 student and 56,138 employee records were accessed, covering the 2015-16 through 2018-19 school years. Student information involved in the breach included students' names, schools, dates of birth, gender, CPS identification numbers, state student identification numbers, class schedule information, and scores on course-specific assessments. Employee information included names, employee identification numbers, school and course information, emails, and usernames. CPS noted that the affected information did not include Social Security numbers, financial information, health data, current course or schedule information, home addresses, course grades, standardized test scores, or teacher evaluation scores.

    Infosecurity reports: "Ransomware Hackers Steal Personal Data of 500,000 Students and Staff in Chicago"

  • news

    Visible to the public "International Experts Forecast Food Cyber Risks for AG-Tech"

    Researchers at Flinders University in Australia, in collaboration with King Abdulaziz University in Saudi Arabia and Aix-Marseille University in France, have identified cybersecurity risks in the use of smart ag-tech. According to King Abdulaziz University lead author Professor Abel Alahmadi, smart sensors and systems are utilized to monitor crops, plants, the environment, water, soil moisture, and diseases. The transition to digital agriculture will increase the quality and quantity of food available to the world's growing population, which is expected to reach 10.9 billion by 2100. However, the researchers warn that this advancement in production, genetic modification for drought-resistant crops, and other technology is vulnerable to cyberattack, especially if the ag-tech sector does not take the necessary safeguards adopted by other corporate or defense sectors. Dr. Saeed Rehman of Flinders University says the rise in Internet connectivity and smart low-power devices has facilitated the digitalization of many labor-intensive food production jobs, including modern techniques for accurate irrigation, soil, and crop monitoring using drone surveillance, but that digital agriculture security threats cannot be disregarded, particularly potential side-channel attacks specifically against ag-tech applications. This article continues to discuss the researchers' study on cybersecurity threats and side-channel attacks against digital agriculture.

    Food Magazine reports "International Experts Forecast Food Cyber Risks for AG-Tech"

  • news

    Visible to the public "Ransomware Still Winning: Average Ransom Demand Jumped by 45 Percent"

    Group-IB has released its "Ransomware Uncovered 2021/2022" guide to the evolution of the number one threat. According to the findings of the second edition of the research, the ransomware empire's winning streak continued, with the average ransom demand increasing by 45 percent to $247,000 in 2021. Since 2020, ransomware gangs have gotten greedier. Hive demanded a record-breaking ransom of $240 million (the previous record, set in 2020, was $30 million). Hive and Grief rose into the top ten gangs based on the number of victims publicized on Dedicated Leak Sites (DLS). Ransomware has become more sophisticated, as evidenced by victims' average downtime, which climbed from 18 days in 2020 to 22 days in 2021. Ransomware-as-a-Service (RaaS) programs began offering affiliates custom tools for data exfiltration in order to simplify and streamline operations. The double extortion tactic became even more common, with sensitive victim data exfiltrated to pressure victims into paying the ransom in 63 percent of the cases examined. Ransomware groups posted data belonging to almost 3,500 victims on DLS between Q1 2021 and Q1 2022. The majority of enterprises whose data was released on DLS by ransomware operators in 2021 were based in the US, Canada, and the UK, with the manufacturing, real estate, and professional services industries being the most affected. The most aggressive gangs were Lockbit, Conti, and Pysa, with 670, 640, and 186 victims uploaded to DLS, respectively. This article continues to discuss key findings from Group-IB's recent ransomware report.

    Help Net Security reports "Ransomware Still Winning: Average Ransom Demand Jumped by 45 Percent"

  • news

    Visible to the public "Snake Keylogger Spreads Through Malicious PDFs"

    Researchers at HP Wolf Security have discovered a campaign that combines a malicious PDF file and a 22-year-old Office bug to spread the Snake Keylogger malware. According to the researchers, the campaign's goal is to trick victims with an attached PDF file purporting to contain details of a remittance payment. Instead, it executes the information-stealing malware while employing various evasion techniques to escape detection. Although Microsoft Office formats continue to be popular, this operation demonstrates how attackers are also employing weaponized PDF documents to infect systems. According to researchers at Fortinet, Snake Keylogger is a .NET-based malware that first appeared in late 2020 and is designed to steal sensitive information from a victim's device, such as saved credentials, keystrokes, screenshots of the victim's screen, and clipboard data. This article continues to discuss the new PDF-based threat campaign spreading the Snake Keylogger malware.

    Threatpost reports "Snake Keylogger Spreads Through Malicious PDFs"