News Items

  • news

HoTSoS 2023: Registration Open March 7th!

    The Hot Topics in the Science of Security (HoTSoS) Symposium is a research event centered on the Science of Security, which aims to address the fundamental problems of security in a principled manner. The tenth annual event will be virtually held April 3-5, 2023.

    Registration for HoTSoS is scheduled to open March 7th!

    Visit the HoTSoS 2023 home page for more information about the schedule of events and important deadlines.

  • news

11th Annual Best Scientific Cybersecurity Paper Competition Now Live!

    The eleventh NSA Competition for Best Scientific Cybersecurity Paper i

  • news

10th Annual Best Scientific Cybersecurity Paper Winners Announced

    The tenth NSA Competition for Best Scientific Cybersecurity Paper reco

  • news

HoTSoS 2022 Best Undergraduate Poster Award

    Congratulations to Sanjana Cheerla at NCSU for winning the HoTSoS Best Undergraduate Poster Award for their poster Identifying Online Misbehavior.

    Check out the Announcement & Closing Remarks stream here!

  • news

HoTSoS 2022 Best Poster Award

Congratulations to Samin Yaseer Mahmud & William Enck at NCSU for winning the HoTSoS Best Poster Award for their poster A Study of Security Weakness in Android Payment Service Provider SDKs.

    Check out the Announcement & Closing Remarks stream here!

  • news

NSF 21-122 Dear Colleague Letter: Enabling Secure and Trustworthy Cyberspace (SaTC) CISE-SBE Interdisciplinary Collaborations

Proposals are due Dec 10, 2021, but an approval letter from a program officer is required before you can submit. Submitting in response to this DCL does *not* count against the limit on the number of proposals that can be submitted to the SaTC solicitation.

    September 27, 2021

    https://www.nsf.gov/pubs/2021/nsf21122/nsf21122.jsp

  • news

Solicitation: NSF Secure and Trustworthy CyberSpace (SaTC) [Solicitation 22-517]

    Secure and Trustworthy Cyberspace (SaTC)

    PROGRAM SOLICITATION
    NSF 22-517

    REPLACES DOCUMENT(S):
    NSF 21-500

    National Science Foundation

    Directorate for Computer and Information Science and Engineering
         Division of Computer and Network Systems
         Division of Computing and Communication Foundations
         Division of Information and Intelligent Systems
         Office of Advanced Cyberinfrastructure

  • news

HoTSoS 2022 Call for Papers! Deadline December 17th!

The Hot Topics in the Science of Security (HoTSoS) Symposium is now soliciting submissions for the 2022 program. Following the success of the virtual HoTSoS Symposium in 2021, HoTSoS '22 will be a virtual event held the week of April 4th, 2022. In addition to research paper discussions and presentations, the symposium program will also include invited talks and panels.

    We are accepting submissions in the following three categories:

  • news

Follow @SoS_VO_org on Twitter!

The SoS-VO team is excited to announce that we recently updated the homepage of the website to link to the official Science of Security & Privacy Twitter account, where we will be making daily announcements about noteworthy news items, upcoming opportunities, and impending deadlines in the SoS community.

  • news

Predictive Intelligence for Pandemic Prevention (PIPP) Webinars

    February 16, 2021 11:00 AM to
    February 17, 2021 6:45 PM
    Virtual Workshop

    Save the Date

    February 25, 2021 11:00 AM to
    February 26, 2021 6:00 PM
    Virtual Workshop

    Save the Date

  • news

HoTSoS 2021: Works-in-Progress Co-Chairs

    Meet the HoTSoS 2021 Team:
    Works-in-Progress Co-Chairs

Kurt Keville (MIT) and Aron Laszka (University of Houston) are our Works-in-Progress Co-Chairs for the 2021 Symposium. We are happy to have these two on the Program Committee team!

    About the Chairs

  • news

Call for Participation: Canberra Artificial Intelligence Summer School

    Virtual, December 4-7th, 2020

    FREE

    Website: http://canberraai.net/caiss2020/
    Discord: https://discord.com/invite/rcKuNm4

    [If interested in staying up-to-date, please join this Discord channel!]

    Introduction

  • news

Take my word for it: Privacy and COVID alert apps can coexist

By Lorrie Cranor, opinion contributor, 11/10/20 09:30 AM EST

    Since the COVID-19 pandemic began, technologists across the country have rushed to develop digital apps for contact tracing and exposure notifications. New York, New Jersey, Pennsylvania, and Delaware have all recently announced the launch of such apps, announcements which generated excitement. But the advent of these tools has also created questions. Chief among them: Do these apps protect privacy?

  • news

CPS-VO.org now supports DOI!

The latest release of CPS-VO.org has added Zenodo support for generating archives and including DOI information for content types such as files, news items, web pages, and wiki pages!

  • news

NIST Releases Draft Security Feature Recommendations for IoT Devices

    "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.

    August 01, 2019

  • news

NSA-approved cybersecurity law and policy course now available online

    Cyber Scoop

    Shannon Vavra

    August 27th, 2019

Anyone who is interested in cybersecurity law and policy can now take an online course that was partly shaped by the National Security Agency.

  • news

Verification Tool Competition

ARCH brings together researchers and practitioners to establish a curated set of benchmarks for verification, testing, and reachability, and to evaluate them in a friendly competition. ARCH started in 2014 and has sustained a vibrant community since. Since 2017, the workshop has also hosted the International Competition on Verifying Continuous and Hybrid Systems (ARCH-COMP, https://cps-vo.org/group/ARCH/), now in its 3rd iteration.

  • news

Game-theoretic Paper Wins Annual Paper Competition

The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and the University of California, Santa Barbara. This paper was originally accepted at the 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage: https://cps-vo.org/group/sos/papercompetition/pastcompetitions

  • news

Secretary of Energy Rick Perry Announces $68.5 Million for Advanced Vehicle Technologies Research

    WASHINGTON, D.C. - Today, U.S. Secretary of Energy Rick Perry announced up to $68.5 million in available funding for early-stage research of advanced vehicle technologies that will enable more affordable mobility, strengthen domestic energy security, and enhance U.S. economic growth.

  • news

2018 NSF CPS Program Solicitation

    The 2018 Cyber-Physical Systems Program Solicitation has been released. The submission window for proposals is April 27, 2018 - May 8, 2018. Please see the full solicitation for additional details and the summary of program requirements: https://cps-vo.org/node/45729

  • news

NSA SoS Lablet Call for Proposals is Open

The National Security Agency has distributed its BAA (really a request for proposals) for its next generation of SoS Lablets. These include lablets on the five Hard Problem areas in the Science of Security, on the Science of Privacy, and on Cyber-Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can help direct inquiries: https://cps-vo.org/group/SoS/contact

  • news

U.S. Department of Transportation Launches Smart City Challenge to Create a City of the Future

    Smart City Challenge

  • news

NEW 2016 NSF-USDA Solicitation: Innovations at the Nexus of Food, Energy, and Water Systems (INFEWS)

    Program Solicitation
    NSF 16-524

    National Science Foundation

  • news

Sticky News Item

    This news item always appears at the top of the 'recent news' list because the 'pin to top of lists' box is checked under 'publishing options' below. News Items can also be set to show in the spotlight slideshow feature.

  • news

"Paper: Stable Diffusion 'Memorizes' Some Images, Sparking Privacy Concerns"

    Artificial Intelligence (AI) researchers from Google, DeepMind, UC Berkeley, Princeton, and ETH Zurich have published a paper describing an adversarial attack that can extract a small percentage of training images from latent diffusion AI image synthesis models such as Stable Diffusion. This attack challenges the notion that image synthesis models do not memorize their training data and that, if not published, training data may remain private. AI image synthesis models have sparked ethical debate and legal action. Proponents and opponents of these new technologies often debate the privacy and copyright issues of generative AI tools. Further igniting either side of the debate might have a significant impact on potential legal regulation of the technology. Therefore, this latest work has piqued the interest of AI researchers. This article continues to discuss the study on extracting training data from diffusion models that is raising privacy concerns.

    Ars Technica reports "Paper: Stable Diffusion 'Memorizes' Some Images, Sparking Privacy Concerns"

  • news

"New York Attorney General Orders Stalkerware Maker to Notify Hacked Victims"

    Following a deal with the New York attorney general's office, a New York-based spyware maker will notify the individuals whose phones were compromised by its mobile spying software. Under the terms of the agreement, Patrick Hinchy, whose 16 companies promoted apps such as PhoneSpector and Highster, will also pay $410,000 in civil fines for illegally promoting mobile surveillance software that allowed its clients to secretly spy on another person's phone. According to the New York attorney general's office, the apps allowed customers to secretly monitor a victim's phone and access their device data, including text messages, emails, images, browsing history, and location information. This article continues to discuss the New York-based spyware maker agreeing to notify those whose phones were compromised by its mobile surveillance software.

    TechCrunch reports "New York Attorney General Orders Stalkerware Maker to Notify Hacked Victims"

  • news

"Tallahassee Hospital Diverting Patients, Canceling Non-emergency Surgeries After Cyberattack"

    A cyberattack has prompted a Tallahassee hospital to move patients to other hospitals and cancel all non-emergency surgical procedures. Tallahassee Memorial HealthCare, one of the largest hospitals servicing a 21-county region in north Florida and south Georgia, revealed that it had been forced to take its Information Technology (IT) systems offline because of the security issue. Tallahassee Memorial HealthCare operates a 772-bed acute care hospital, a surgery and adult ICU center, a psychiatric hospital, and more. Although there have been debates over whether ransomware attacks on hospitals can directly contribute to loss of life, multiple experts said events over the last five years were proof that the attacks are causing significant and actual real-world harm. The attack on Tallahassee Memorial HealthCare comes only one day after pro-Russian hackers launched Distributed Denial-of-Service (DDoS) attacks against hospitals in at least 25 US states, knocking many offline for hours. This article continues to discuss the impact of the cyberattack on Tallahassee Memorial HealthCare and the increased targeting of hospitals by cybercriminals.

    The Record reports "Tallahassee Hospital Diverting Patients, Canceling Non-emergency Surgeries After Cyberattack"

  • news

"Cloud Security Outlook 2023 Confirms the 'Continued Surge in Cloud Adoption' but Highlights Associated Security and Resilience Issues"

    ManageEngine has released the findings of its new study titled "Cloud Security Outlook 2023." According to the study, 72 percent of respondents are using multi-cloud applications, and 5 percent are using hybrid cloud systems. In 2023 and 2024, the adoption rate will increase because 23 percent of respondents plan to migrate to the cloud over the following two years. The report also revealed that organizations have a limited number of analysts managing their Security Operations Centers (SOCs) and are using different tools to handle their cloud security. In addition, the ManageEngine study indicated that it is becoming increasingly difficult for companies to gain visibility into cloud activities and comply with numerous demanding regulations. Nearly half of the respondents believe compliance with cybersecurity laws, particularly those pertaining to the cloud, is extremely difficult. These challenges are prompting companies to implement a consolidated security architecture that enables streamlined and effective security operations. In 2023, 97 percent of respondents will evaluate a solution that combines all security functions into a single console. This article continues to discuss findings and key points shared in ManageEngine's Cloud Security Outlook 2023 report.

    Continuity Central reports "Cloud Security Outlook 2023 Confirms the 'Continued Surge in Cloud Adoption' but Highlights Associated Security and Resilience Issues"

  • news

"IT and Security Pros Spend Over 4,000 Hours a Year on Compliance"

    According to a new survey from the automation platform Drata, Information Technology (IT) and security professionals spend an annual average of 4,300 hours achieving or maintaining compliance. Drata surveyed 300 IT and security professionals in fast-growing organizations across the US and discovered that 87 percent of respondents have experienced the consequences of not having continuous compliance, such as slowed sales cycles, security breaches, business interruption, loss of business relationships, a damaged reputation, or fines. The majority of survey respondents indicated that increasing budgets and automating processes would improve their operations if they were able to address the issue of insufficient staff. Due to a lack of bandwidth or resources, 74 percent of respondents admit that there are vulnerabilities in their risk or security programs that are not being addressed or handled. This article continues to discuss key findings from Drata on compliance trends among IT and security professionals.

    BetaNews reports "IT and Security Pros Spend Over 4,000 Hours a Year on Compliance"

  • news

"Vice Media Data Breach Included Financial Data"

Vice Media notified users whose personal data may have been compromised as a result of a data breach involving the media organization. According to Vice's filings with Maine's Attorney General, over 1,700 individuals were affected by the incident. Unauthorized access to Vice's systems may have exposed users' bank account numbers or payment card numbers, along with security codes, access codes, passwords, or PINs. Vice discovered abnormal system activity on March 29, 2022, and later secured the company's networks and hired cybersecurity firms to examine the nature of the attack. Cybersecurity experts criticize companies for taking months to alert customers of potential data breaches. While hacked organizations perform internal investigations, threat actors may exploit stolen information to launch attacks. This article continues to discuss the Vice Media data breach and criticisms of companies taking long periods of time to notify customers.

    Cybernews reports "Vice Media Data Breach Included Financial Data"

  • news

"Passion Botnet Cyberattacks Hit Healthcare, as Actors Offer Threat as DDoS-As-A-Service"

    The US and other NATO-affiliated nations are the focus of another Distributed Denial-of-Service (DDoS) attack vector aimed at the healthcare industry. According to a new security advisory from Radware, the Passion Group, which has ties to Killnet and Anonymous Russia, has been delivering DDoS-as-a-service to pro-Russian hacktivists. The Radware analysis indicates the Passion botnet was likely used in the January 27 attacks detailed by the Department of Health and Human Services Cybersecurity Coordination Center, which also warned that the Killnet gang is continuing to target the industry with DDoS attacks. Recently, health and personal information associated with global health entities was released publicly on the Killnet list as a result of the recent DDoS attack. The Radware report cautions that the threat actors behind the Passion botnet are providing access to their botnet service via Telegram. Synmirai is a current merchant selling subscriptions to the Passion botnet for $30 per week of service or $1,440 for a year. This article continues to discuss the Passion botnet cyberattacks targeting healthcare entities.

    SC Magazine reports "Passion Botnet Cyberattacks Hit Healthcare, as Actors Offer Threat as DDoS-As-A-Service"

  • news

"GoAnywhere MFT Zero-Day Vulnerability Lets Hackers Breach Servers"

    Customers of the GoAnywhere MFT file transfer solution are being warned of a zero-day Remote Code Execution (RCE) vulnerability on exposed administrator consoles. GoAnywhere is a secure web file transfer system that enables organizations to transfer encrypted data to their partners securely while maintaining detailed audit logs of file access. The GoAnywhere security advisory was made public by the reporter Brian Krebs, who posted a copy on Mastodon. A customer who received the message revealed that this affects both on-premise and Software-as-a-Service (SaaS) deployments of GoAnywhere. According to the security advisory, the exploit requires access to the administrative console, which ordinarily should not be exposed to the Internet. This article continues to discuss the potential exploitation and impact of the GoAnywhere MFT zero-day RCE vulnerability.

    Bleeping Computer reports "GoAnywhere MFT Zero-Day Vulnerability Lets Hackers Breach Servers"

  • news

"MITRE Releases Tool to Design Cyber Resilient Systems"

    MITRE has launched the Cyber Resiliency Engineering Framework (CREF) Navigator, which is a free visualization tool for engineers creating resilient cyber systems. The Navigator helps organizations customize their cyber resiliency goals, objectives, and techniques in accordance with NIST Special Publication (SP) 800-160, which describes the standards for developing cyber-resilient systems. MITRE incorporated the MITRE ATT&CK techniques and mitigations into the Navigator tool to help engineers gain further insight into how the systems they are creating may be targeted. The CREF framework provides guidance to engineers regarding four fundamental principles: Anticipate, Withstand, Recover, and Adapt. This article continues to discuss the CREF Navigator released by MITRE.

    Dark Reading reports "MITRE Releases Tool to Design Cyber Resilient Systems"

  • news

"MalVirt: Malvertising Attacks Are Distributing .Net Malware Loaders"

    Malvertising attacks are being used to spread highly obfuscated virtualized .NET loaders that drop information-stealing malware. According to threat researchers at SentinelOne's SentinelLabs, the loaders, called MalVirt, are implemented in .NET and use virtualization through the KoiVM virtualizing protection solution for .NET applications. The KoiVM tool helps in obscuring the implementation and execution of MalVirt loaders, which are distributing the Formbook information-stealing malware collection as part of an ongoing campaign. Formbook and the more recent XLoader version pose various threats, such as keylogging, screenshot theft, credential theft, and malware staging. This article continues to discuss findings surrounding the MalVirt malvertising campaign.

    The Register reports "MalVirt: Malvertising Attacks Are Distributing .Net Malware Loaders"

  • news

"Iranian OilRig Hackers Using New Backdoor to Exfiltrate Data from Govt. Organizations"

    OilRig, an Iranian nation-state hacking group, has continued to target Middle Eastern government organizations as part of a cyber espionage campaign involving a novel backdoor to exfiltrate data. According to Trend Micro researchers, the campaign exploits legitimate but compromised email accounts to relay stolen data to external attacker-controlled mail accounts. While this method is not new, this is the first time OilRig has incorporated it into its playbook, demonstrating the continuing growth of its tactics to circumvent security measures. Since at least 2014, the Advanced Persistent Threat (APT) group, also known as APT34, Cobalt Gypsy, Europium, and Helix Kitten, has been linked to targeted phishing attacks in the Middle East. This article continues to discuss the OilRig Iranian nation-state hacking group and its use of a new backdoor to exfiltrate data.

    THN reports "Iranian OilRig Hackers Using New Backdoor to Exfiltrate Data from Govt. Organizations"

  • news

"F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution"

F5 has recently warned of a high-severity format string vulnerability in BIG-IP that could allow an authenticated attacker to cause a denial-of-service (DoS) condition and potentially execute arbitrary code. Tracked as CVE-2023-22374, the security defect impacts iControl SOAP, an open API that enables the communication between systems, which runs as root. The SOAP interface is accessible from the network, either via the BIG-IP management port and/or self IP addresses, and is restricted to administrative accounts. Security researchers at Rapid7, who identified the bug, explained that exploitation is possible by inserting format string specifiers into specific parameters that are passed into the syslog function, resulting in the service reading and writing memory addresses referenced from the stack. The researchers noted that the attacker cannot read the memory unless they have access to the syslog. The researchers stated that it is "difficult to influence the specific addresses read and written, which makes this vulnerability very difficult to exploit (beyond crashing the service) in practice." According to F5's advisory, an attacker looking to exploit the flaw for code execution would first need to harvest information about the environment running the vulnerable component. However, only the control plane, but not the data plane, is exposed by this bug. The researchers noted that the most likely impact of a successful attack is to crash the server process. A skilled attacker could potentially develop a remote code execution exploit, which would run code on the F5 BIG-IP device as the root user. The vulnerability impacts BIG-IP versions 13.1.5, 14.1.4.6 to 14.1.5, 15.1.5.1 to 15.1.8, 16.1.2.2 to 16.1.3, and 17.0.0. No patch is currently available for the vulnerability, but F5 says an engineering hotfix is available. The company stated that because the flaw can only be exploited by authenticated users, access to the iControl SOAP API should be restricted to trusted users.

    SecurityWeek reports: "F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution"

  • news

"Atlassian Patches Critical Authentication Flaw in Jira Software"

    Atlassian has recently released multiple patches to fix a critical security vulnerability in Jira Service Management Server and Data Center. The flaw (tracked CVE-2023-22501) has a CVSS score of 9.4 and can reportedly be exploited by attackers to impersonate other users and obtain unauthorized access to affected instances. The company noted that with write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to sign-up tokens sent to users with accounts that have never been logged into. The company stated that access to these tokens can be obtained either via an attacker being included on Jira issues or requests with these users or if the attacker is forwarded (or otherwise gains access to) emails containing a "View Request" link. The company noted that bot accounts are particularly susceptible to this scenario. In instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account. The Jira versions affected by the vulnerability are 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, and 5.5.0. Atlassian has confirmed patches were released for versions 5.3.3, 5.4.2, 5.5.1, and 5.6.0. The company has urged customers to update to the latest patched version to protect their Jira instances from threat actors.

    Infosecurity reports: "Atlassian Patches Critical Authentication Flaw in Jira Software"

  • news

"Quarter of CFOs Have Suffered $1m+ Breaches"

According to security researchers at PwC, around a quarter of UK business leaders expect cyber threats to significantly increase this year, with a similar number of global firms having already suffered costly breaches in the past. The researchers interviewed over 3500 senior business and technology executives globally, including 249 in the UK, to conduct their study. The researchers found that 27% of global CFOs have suffered a significant data breach in the past three years, costing their organization over $1m. According to IBM, the average global cost of a breach currently stands at nearly $4.4m. The researchers noted that this experience might inform attitudes toward cyber risk over the coming year. Some 27% of UK respondents said they expect business email compromise (BEC) and "hack and leak" attacks to significantly increase in 2023, and 24% said the same about ransomware. Digital transformation appears to be a core challenge. Around two-thirds of UK execs admitted they still haven't fully mitigated the cyber risks associated with such projects, while two-fifths (39%) said they expect cloud-based risks to significantly affect their organization in 2023. Attacks on cloud management interfaces (33%), industrial internet of things (IIoT) systems (20%), and operational technology (20%) are also expected to increase in 2023. The researchers stated that an overwhelming majority (90%) of UK senior executives ranked the "increased exposure to cyber risk due to accelerating digital transformation" as the most significant cybersecurity challenge their organization has experienced since 2020.

    Infosecurity reports: "Quarter of CFOs Have Suffered $1m+ Breaches"

  • news

"US Man Charged in $110m Crypto Trading Scheme"

    A US man could face a maximum jail term of 40 years after being charged with fraudulently obtaining $110m of cryptocurrency from crypto exchange Mango Markets and its customers. According to the Department of Justice (DoJ), Avraham Eisenberg, 27, was living in Puerto Rico when he carried out the alleged scheme. He has now been charged with one count of commodities fraud, one count of commodities manipulation, and one count of wire fraud. Mango Markets reportedly wants $47m in damages plus interest starting from the time of the attack. Mango Markets is run by the Mango Decentralized Autonomous Organization (DAO), which has its own crypto token (MNGO) that investors can buy and sell. Eisenberg is accused of manipulating the price of perpetual contracts for MNGO. Perpetual contracts are a type of contract popular in crypto markets. The DoJ noted that Eisenberg manipulated the price of the perpetual contracts by selling huge amounts of MNGO perpetual contracts to himself, thereby rapidly inflating the price of those contracts by a reported 1300% in under an hour. Eisenberg then allegedly used the increased value of his MNGO perpetual futures position to borrow and withdraw approximately $110m in various crypto assets from Mango Markets, effectively draining the platform of all its assets. In addition to the criminal charges filed against him, Eisenberg is facing an SEC complaint regarding his alleged violation of securities laws. The regulator is seeking civil penalties alongside "permanent injunctive relief," "a conduct-based injunction," and "disgorgement with prejudgment interest."

    Infosecurity reports: "US Man Charged in $110m Crypto Trading Scheme"

  • news

"How Berkeley Lab Helped Develop One of the World's Most Popular Open-Source Security Monitoring Platforms"

    In the 1990s, when Vern Paxson was a graduate student in the Network Research Group at Lawrence Berkeley National Laboratory (Berkeley Lab), he developed what is now known as Zeek software. He made this software at Berkeley Lab based on his Internet traffic research. It has become one of the most popular open-source security monitoring platforms in the world. Microsoft announced Zeek's integration into the Windows operating system in October 2022, which will help security teams gain better network visibility and respond more effectively to attacks. Zeek monitors network traffic, as well as records and stores the traffic details in a condensed format. It accomplishes this without interfering with network traffic, which is a requirement when transferring massive data sets generated by US Department of Energy (DOE) science projects. Then, security teams can use Zeek data to analyze potential attacks and gain further insight into network activity. Now, in an effort to enhance its own security systems with a strong and dynamic tool, Microsoft is integrating Zeek into a Windows endpoint security product. This article continues to discuss the Berkeley Lab origins of the Zeek software and its integration into the Windows operating system.

    Berkeley Lab reports "How Berkeley Lab Helped Develop One of the World's Most Popular Open-Source Security Monitoring Platforms"

  • news

    Visible to the public "Digital Privacy of Smartphone Camera-Based Assistive Technology for Users With Visual Disabilities"

    There are significant privacy concerns regarding using smartphones with camera-based assistive technology. Visually impaired users who rely on this technology for facial recognition and object identification may expose themselves and others to compromise if malicious actors take over their device, connections, or software. Hyung Nam Kim of North Carolina A&T State University in Greensboro, North Carolina, wrote in the International Journal of Human Factors and Ergonomics about user perspectives and the current state of digital privacy issues. He conducted a small-scale survey of visually impaired users of this technology and related applications. The survey found that very few visually impaired users were knowledgeable about the privacy policies and potential risks associated with the use of assistive technology. In addition, they were generally unaware of the potential problems related to privacy and security breaches. Kim's research aims to help form a conceptual framework that researchers and professionals in this field could use to provide better support and education for those with visual impairment relying on this technology. This article continues to discuss the research on promoting privacy for camera-based assistive technology.

    Inderscience Publishers reports "Digital Privacy of Smartphone Camera-Based Assistive Technology for Users With Visual Disabilities"

  • news

    Visible to the public Pub Crawl #70

    Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    Visible to the public "Google Shells Out $600,000 for OSS-Fuzz Project Integrations"

    Google recently announced an extension to its OSS-Fuzz rewards program, an initiative meant to reward contributors for integrating projects into OSS-Fuzz. Launched in 2016, OSS-Fuzz is intended to help identify vulnerabilities in open source software through continuous fuzzing, with a declared goal of making common software infrastructure more secure. Six months after the launch, Google announced that it was offering rewards between $1,000 and $20,000 for integrating projects into OSS-Fuzz, and now says that it has paid over $600,000 to more than 65 different contributors as part of the program. The company has now increased the highest reward available for new project integration to $30,000, which can be awarded depending on "the criticality of the project." The Fuzz Introspector tool analyzes functions, static call graphs, and runtime coverage information to provide insights into fuzzing coverage blockers. Google noted that the Fuzz Introspector tool provides these insights by identifying complex code blocks that are blocked during fuzzing at runtime, as well as suggesting new fuzz targets that can be added. By increasing payouts and expanding the OSS-Fuzz rewards program, Google seeks to strengthen OSS-Fuzz to find more vulnerabilities before they are exploited.

    SecurityWeek reports: "Google Shells Out $600,000 for OSS-Fuzz Project Integrations"

  • news

    Visible to the public "HPE, NetApp Warn of Critical Open-Source Bug"

    Hewlett Packard Enterprise (HPE) has issued an alert regarding its OneView infrastructure management platform, warning of a use-after-free vulnerability that enables remote attackers to execute arbitrary code on targeted systems, leak data, and more. The vulnerability stems from third-party code from the Expat XML parser. The bug, tracked as CVE-2022-40674, has a severity rating of 9.8. The vulnerable code has also affected enterprise-class software from other vendors, including NetApp and IBM, which have issued their own customer alerts to mitigate the same flaw. There are no reports of the vulnerability being exploited in the wild, nor is there a published proof-of-concept (POC) attack. IBM and NetApp have offered remediation but have indicated that there are no workarounds or mitigations for the specific Expat vulnerability. However, both vendors offer security upgrades for affected products. Recently, NetApp alerted users that eleven of its enterprise products were vulnerable to the Expat flaw. NetApp is still trying to determine whether any host utilities for SAN for Windows may also be affected. This article continues to discuss findings and warnings regarding the critical open-source bug.

    SC Magazine reports "HPE, NetApp Warn of Critical Open-Source Bug"

  • news

    Visible to the public "Experts Warn of Two Flaws in Popular Open-Source Software ImageMagick"

    Researchers at Metabase Q found two security flaws in the open-source image manipulation software ImageMagick that could lead to information exposure or a Denial-of-Service (DoS) condition. ImageMagick is a free, open-source software suite for displaying, converting, and modifying raster and vector image files. One of the flaws, tracked as CVE-2022-44267, is a DoS vulnerability that can be caused by parsing a PNG image with a single dash filename. The other flaw, tracked as CVE-2022-44268, is an information disclosure vulnerability that can be used to read arbitrary files from a server when parsing an image. To remotely exploit the vulnerabilities, an attacker must upload a specially crafted image to a website using ImageMagick. The attacker can create the image by inserting a text chunk specifying certain metadata, such as the filename, which must be set to "-" for exploitation. The two vulnerabilities impact ImageMagick version 7.1.0-49. This article continues to discuss the two security flaws found in the open-source software ImageMagick that could result in information disclosure or trigger a DoS condition.

    Security Affairs reports "Experts Warn of Two Flaws in Popular Open-Source Software ImageMagick"
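
    A defensive check suggested by the description above, written here as an added example that is not part of the original article or of ImageMagick itself: a PNG chunk walker that validates the file signature, chunk lengths and CRCs, then flags tEXt chunks whose value names standard input ("-", as the article describes) or looks like a filesystem path, so that an upload pipeline can refuse such files before handing them to an image library. The flagging heuristic, the accept_upload gate and the build_png sample generator are assumptions of this example; the article does not say which tEXt keyword the vulnerable code honours, so every tEXt chunk is inspected regardless of keyword.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(text_chunks):
    """Constructed 1x1 greyscale PNG carrying the given (keyword, value) tEXt chunks.

    Exists only to generate sample input for the scanner below (assumption of this example).
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit depth, colour type 0
    idat = zlib.compress(b"\x00\x00")                      # one filter byte + one grey pixel
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for keyword, value in text_chunks:
        out += _chunk(b"tEXt", keyword + b"\x00" + value)  # tEXt = keyword NUL text
    return out + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def iter_png_chunks(data: bytes):
    """Yield (type, body) per chunk; reject bad signature, truncation, CRC errors, missing IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated {ctype!r} chunk")
        (crc,) = struct.unpack(">I", crc_bytes)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND chunk")


def looks_like_file_reference(value: str) -> bool:
    """Heuristic (assumption of this example): a metadata value that names stdin ('-')
    or a filesystem path has no business in an uploaded image's text metadata."""
    v = value.strip()
    if v == "-":
        return True
    if v.startswith(("/", "\\", "~")):
        return True
    if len(v) >= 3 and v[1] == ":" and v[2] in "\\/":   # Windows drive letter, e.g. C:\
        return True
    return ".." in v.replace("\\", "/").split("/")      # parent-directory traversal segment


def suspicious_text_chunks(data: bytes):
    """Return [(keyword, value)] for every tEXt chunk whose value looks like a file reference."""
    findings = []
    for ctype, body in iter_png_chunks(data):
        if ctype != b"tEXt":
            continue
        keyword, _, value = body.partition(b"\x00")
        text = value.decode("latin-1")          # tEXt is Latin-1 by specification
        if looks_like_file_reference(text):
            findings.append((keyword.decode("latin-1"), text))
    return findings


def accept_upload(data: bytes) -> bool:
    """Upload gate: refuse images that fail structural validation or carry flagged metadata."""
    try:
        return not suspicious_text_chunks(data)
    except ValueError:
        return False


if __name__ == "__main__":
    clean = build_png([(b"Comment", b"constructed benign sample")])
    crafted = build_png([(b"Comment", b"ok"), (b"Source", b"-")])
    print(suspicious_text_chunks(clean))     # []
    print(suspicious_text_chunks(crafted))   # [('Source', '-')]
    print(accept_upload(crafted))            # False
```

    The walker deliberately fails closed: a truncated chunk, a CRC mismatch or a missing IEND is reported as a rejection rather than skipped, since a file that an image library would have to repair is exactly the kind of input a pipeline should not forward. Compressed text chunks (zTXt, iTXt) are not inspected here and would need the same treatment after decompression.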

  • news

    Visible to the public "Scammers Managed to Slip Crypto Apps Onto Apple, Google App Stores"

    According to a new report by Sophos, scammers were able to get two fraudulent apps onto both Google's Play Store and Apple's App Store, allowing them to persuade users into making fake cryptocurrency investments. Sophos researchers found Ace Pro and MBM_BitScan in both stores. The apps are part of a scheme known as "pig butchering," in which scammers build relationships with their victims, get them to download an app, and then convince them to deposit money into the app. Jagadeesh Chandraiah, a senior threat researcher at Sophos, explained that the scammers are suspected of getting past App Store security by connecting the apps to a remote website with benign functionality when they were originally submitted for review. The domain had code for QR scanning to make it appear legitimate to app reviewers. Once the apps were approved, the fraudsters were able to redirect the website to a domain registered in an unnamed country in Asia. This article continues to discuss the malicious apps discovered to be part of a pig butchering scam.

    The Record reports "Scammers Managed to Slip Crypto Apps Onto Apple, Google App Stores"

  • news

    Visible to the public "Number of New Common Vulnerabilities and Exposures (CVEs) Expected to Increase in 2023"

    The cyber insurance company Coalition predicts that in 2023, there will be more than 1,900 new Common Vulnerabilities and Exposures (CVEs) every month, including 270 high-severity and 155 critical-severity vulnerabilities, a 13 percent rise from 2022. According to Coalition, most CVEs are exploited within 90 days of being made public, with the majority being abused within the first 30 days. The report is based on information gathered from Coalition's active risk management and reduction technology, combining data from underwriting and claims, Internet scans, and the company's global network of honeypot sensors. Over 90 percent of organizations scanned in the last year were found to have at least one exposed, unencrypted service. Remote Desktop Protocol (RDP) is still the protocol most frequently scanned by attackers, indicating that attackers continue to pair old protocols with new vulnerabilities to infiltrate systems. This article continues to discuss key findings from Coalition's Cyber Threat Index 2023 report.

    BetaNews reports "Number of New Common Vulnerabilities and Exposures (CVEs) Expected to Increase in 2023"

  • news

    Visible to the public "Andersen Corporation Leaks Customer Home Photos and Addresses"

    The Cybernews research team found an unprotected Azure storage blob holding around one million files belonging to Renewal by Andersen, a subsidiary of the international Andersen Corporation, on January 18, 2023. Andersen Corporation is the largest maker of windows and doors in North America, with around 12,000 employees globally. Nearly 300,000 documents on the cloud exposed customers' home addresses, contact information, and home renovation orders, as well as photos of the interiors and exteriors of client residences across the US. The researchers warn that such data leaks are dangerous because threat actors can use information such as names, emails, phone numbers, and addresses for phishing attacks, identity theft, and other forms of fraud. Photos and descriptions of homes can make the victims more prone to burglary. In addition, compromised physical signatures in the form of hashes enable threat actors to impersonate the individual and sign papers on their behalf. This article continues to discuss the construction and home renovation giant Andersen Corporation exposing clients' private data, including home photos and addresses, as well as the potential impact of this leak.

    Cybernews reports "Andersen Corporation Leaks Customer Home Photos and Addresses"