News Items

  • news

    We're Surrounded by Billions of Internet-connected Devices. Can We Trust Them?

    BY ADAM PIORE ON 10/24/19 AT 12:24 PM EDT - NEWSWEEK MAGAZINE

    In 2009, just as consumers had begun to buy wifi-enabled thermostats and front-door cams and other early devices that now make up the "Internet of Things," computer scientist Ang Cui had gotten the idea to scan the Web for "trivially vulnerable" embedded devices.

  • news

    Winner of 7th Paper Competition is Evaluating Fuzz Testing

    The winning paper is Evaluating Fuzz Testing by George Klees, Andrew Ruef, Benji Cooper, Shiyi Wei, and Michael Hicks. This paper was presented at ACM SIGSAC Conference on Computer and Communications Security (CCS '18) in Toronto.

  • news

    NSA Launches Latest Codebreaker Challenge

    By Betsy Stein, NSA/CSS Communications Officer

    FORT MEADE, MD, Sept. 20, 2019 --

    Are you a U.S. undergraduate or graduate student interested in attempting to crack a cyber-challenge similar to those that regularly threaten national security? Then sign up for the 2019 NSA Codebreaker Challenge!

  • news

    NIST Releases Draft Security Feature Recommendations for IoT Devices

    "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.

    August 01, 2019

  • news

    NSA-approved cybersecurity law and policy course now available online

    Cyber Scoop

    Shannon Vavra

    August 27th, 2019

    Anyone who is interested in cybersecurity law and policy can now take an online course that was partly shaped by National Security Agency.

  • news

    Logical Foundations of Cyber-Physical Systems (15-424)

    This video sequence accompanies the textbook on Logical Foundations of Cyber-Physical Systems, which teaches undergraduate students the core principles behind CPSs. Designing algorithms for CPSs is challenging due to their tight coupling with physical behavior, while it is vital that these algorithms be correct because we rely on them for safety-critical tasks.

  • news

    Verification Tool Competition

    ARCH brings together researchers and practitioners to establish a curated set of benchmarks for verification, testing and reachability, and evaluate them in a friendly competition. ARCH started in 2014 and has sustained a vibrant community since. Since 2017, ARCH has organized as a part of the workshop the International Competition on Verifying Continuous and Hybrid Systems (ARCH-COMP, https://cps-vo.org/group/ARCH/), now in its 3rd iteration.

  • news

    Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and University of California, Santa Barbara. This paper was originally accepted at 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage: https://cps-vo.org/group/sos/papercompetition/pastcompetitions

  • news

    Secretary of Energy Rick Perry Announces $68.5 Million for Advanced Vehicle Technologies Research

    WASHINGTON, D.C. - Today, U.S. Secretary of Energy Rick Perry announced up to $68.5 million in available funding for early-stage research of advanced vehicle technologies that will enable more affordable mobility, strengthen domestic energy security, and enhance U.S. economic growth.

  • news

    2018 NSF CPS Program Solicitation

    The 2018 Cyber-Physical Systems Program Solicitation has been released. The submission window for proposals is April 27, 2018 - May 8, 2018. Please see the full solicitation for additional details and the summary of program requirements: https://cps-vo.org/node/45729

  • news

    NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its BAA (really a request for proposals) for its next generation of SoS Lablets. These include lablets on the 5 Hard Problem areas in Science of Security, on the Science of Privacy, and on Cyber-Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can help direct inquiries: https://cps-vo.org/group/SoS/contact

  • news

    U.S. Department of Transportation Launches Smart City Challenge to Create a City of the Future

    Smart City Challenge

  • news

    NEW 2016 NSF-USDA Solicitation: Innovations at the Nexus of Food, Energy, and Water Systems (INFEWS)

    Program Solicitation
    NSF 16-524

    National Science Foundation

  • news

    Sticky News Item

    This news item always appears at the top of the 'recent news' list because the 'pin to top of lists' box is checked under 'publishing options' below. News Items can also be set to show in the spotlight slideshow feature.

  • news

    "Phishing Campaigns Spoof Government Agencies: Report"

    New research has led to the discovery of a new hacking group. The group is using an array of sophisticated spoofing and social engineering techniques to imitate government agencies, including the U.S. Postal Service, in order to plant malware on victims' devices and networks via phishing campaigns. They have been successful, and the malware delivered through their emails includes backdoor Trojans as well as certain strains of ransomware.

    Bank Info Security reports: "Phishing Campaigns Spoof Government Agencies: Report"

  • news

    "WPI Researchers Discover Vulnerabilities Affecting Billions Of Computer Chips"

    An international team of researchers led by Worcester Polytechnic Institute (WPI) security researchers Berk Sunar and Daniel Moghimi found flaws that affect Intel and STMicroelectronics chips. These security vulnerabilities impact billions of devices, including laptops, servers, tablets, and desktops. The flaws reside in trusted platform modules (TPMs), which are specialized, tamper-resistant computer chips with cryptographic functionality intended to prevent unauthorized access to devices. According to the researchers, exploitation of the newly discovered TPM vulnerabilities could allow hackers to carry out timing side-channel attacks that recover cryptographic keys stored by the chips. Using the stolen cryptographic keys, hackers could alter encrypted information, forge digital signatures, and more. This article continues to discuss the new vulnerabilities found in computer chips made by Intel Corp. and STMicroelectronics.

    Science Blog reports "WPI Researchers Discover Vulnerabilities Affecting Billions Of Computer Chips"

  • news

    "Facebook Confirms Bug That Activated iOS Cameras"

    A new bug has been discovered in Facebook's iOS app: it activates iPhone owners' cameras while they scroll through their news feeds. The bug was introduced when the company tried to fix an issue with the way the iOS app launched. A Facebook representative commented that "They inadvertently introduced a bug that caused the app to partially navigate to the camera screen adjacent to News Feed when users tapped on photos. We have seen no evidence of photos or videos being uploaded due to this bug." Facebook has reported the bug to Apple to be fixed. Even though this was a mistake, it is causing Facebook users to worry more about their privacy.

    CyberScoop reports: "Facebook Confirms Bug That Activated iOS Cameras"

  • news

    "Facebook Bug Turns on iPhone Cameras"

    Facebook users are facing another privacy issue stemming from the social media platform's app. Users of Facebook have reported that their iPhones' rear cameras turn on and function in the background when they view photos and watch videos on their timelines via the app. The camera-related bugs have sparked further discussions about the possible planting of such bugs to collect information for the purpose of improving targeted advertising. Facebook's vice president of integrity, Guy Rosen, has confirmed that the camera-related bugs have not resulted in the uploading of user pictures or videos to Facebook. This article continues to discuss the new Facebook bug, as well as how these privacy incidents impact the trust between companies and the public.

    Infosecurity Magazine reports "Facebook Bug Turns on iPhone Cameras"

  • news

    "Malware Attacks on Hospitals are Rising Fast, and the Problem is About to get a lot Worse"

    A new study has found that healthcare organizations are being increasingly targeted by attackers because they are seen as an easy target. In the first 9 months of 2019 alone, there was a 60% increase in trojan malware detections. The rise was particularly significant in the third quarter of the year, with an 82% increase in detections compared with the previous quarter. Trickbot and Emotet are the most common forms of trojan malware targeting the health sector. These trojans can be used as a gateway to deliver other malicious payloads, and have been used to drop ransomware onto compromised systems.

    ZDNet reports: "Malware Attacks on Hospitals are Rising Fast, and the Problem is About to get a lot Worse"

  • news

    "Iowa Asked Researchers to Break Into a Courthouse, Then It Arrested Them"

    Recent ransomware attacks on the cities of Atlanta and Baltimore have emphasized the importance of improving the protection of state and municipal governments against such cyberattacks. These incidents prompted the state of Iowa to hire security researchers from the cybersecurity firm Coalfire to conduct a penetration test on servers and physical buildings to find vulnerabilities that attackers could exploit to gain access to sensitive data or equipment. However, two Coalfire researchers were charged with felony burglary after checking the lock of an open door at the Dallas Courthouse. Although the charges were expected to be dropped, they were instead reduced to criminal trespass. Such incidents continue to raise concerns among security experts as to whether they will be protected by the contracts with their clients. This article continues to discuss the Coalfire-Iowa incident and its potential impact on security research.

    Engadget reports "Iowa Asked Researchers to Break Into a Courthouse, Then It Arrested Them"

  • news

    "Nautilus ATM Flaws Could Allow Hackers Access to Cash, Data"

    Brenda So and Trey Keown, security researchers at Red Balloon Security Inc., discovered flaws in ATMs manufactured by Nautilus Hyosung America, the leading provider of ATMs to retail and financial institutions in the U.S. The exploitation of these vulnerabilities could allow hackers to steal cash, credit card data, debit card data, and other personal financial information. According to the researchers, if a hacker were to gain access to the network to which a targeted ATM is connected, they could hijack the machine and circumvent the security measures that were implemented for it. These vulnerabilities only impact retail versions of Nautilus ATMs. In addition, the researchers also brought further attention to the availability of master keys to the ATMs for purchase on Amazon. This article continues to discuss the vulnerabilities found in Nautilus ATMs, what the exploitation of these vulnerabilities could allow criminals to do, how many machines have been impacted by the security flaws, and how Nautilus Hyosung America responded to this discovery.

    Bloomberg reports "Nautilus ATM Flaws Could Allow Hackers Access to Cash, Data"

  • news

    "Researchers Find New Approach to Attacking Cloud Infrastructure"

    Igal Gofman, head of security research at XM Cyber, and Yaron Shani, XM senior security researcher, will demonstrate a new approach to attacking cloud infrastructure at the 2019 Black Hat Europe. Among organizations using public cloud infrastructure, there is a lack of understanding of the cloud identity and access management layer, which often leads to security failures such as misconfigurations that threaten customer privacy and security. Existing security practices and controls have proven inadequate for mitigating the risks that arise from misunderstanding the public cloud. Research conducted by Gofman and Shani revealed that many traditional defense mechanisms only address specific attack vectors. In addition, these mechanisms are usually defensive rather than predictive. The methodology developed by Gofman and Shani uses a graph to help red and blue teams understand permission relationships between different entities in cloud environments. A better understanding of these connections reveals how features can be abused by attackers to gain privileges. This article continues to discuss the common misunderstandings about cloud infrastructure, as well as popular defense mechanisms for the cloud and the new approach to attacking such infrastructure.

    Dark Reading reports "Researchers Find New Approach to Attacking Cloud Infrastructure"

  • news

    "Academic Study Links Healthcare Cyberattacks to Decreased Hospital Quality, Patient Health"

    A new study conducted by a team of researchers from Vanderbilt University and the University of Central Florida reveals that the cyberattacks on hospitals have had an impact on the effectiveness of medical treatment and the well-being of patients. The study further highlights the risks posed to patients by cyberattacks on hospitals. Security professionals in healthcare organizations are encouraged to work closely with IT management to improve and develop security measures, as well as build incident response teams that can stop security issues from becoming actual breaches of security. Security experts also call on organizations to continuously monitor all activities performed via connected medical devices to immediately detect suspicious behavior that may indicate an intrusion into the network. This article continues to discuss the performance and key findings of the study, as well as the potential impact of healthcare cyberattacks on patients and what healthcare organizations can do to defend themselves against such attacks.

    Security Intelligence reports "Academic Study Links Healthcare Cyberattacks to Decreased Hospital Quality, Patient Health"

  • news

    "The Password Reuse Problem is a Ticking Time Bomb"

    Password reuse is an understandable human behavior; however, it is a big problem. A recent study found that a staggering 50 percent of users use the same passwords for their personal and work accounts, and that 65 percent of people use the same password for multiple or all accounts. In the first six months of 2019 alone, data breaches exposed 4.1 billion records, and according to the 2018 Verizon Data Breach Incident Report, compromised passwords were responsible for 81% of hacking-related breaches. Organizations need to make good password hygiene a priority to ensure that passwords are not a weak link in their security posture. To do this, every user, system, application, service, router, switch, and IP camera should have a unique, strong password, and users should be made to select strong passwords that are not vulnerable to dictionary attacks. NIST also suggests that companies verify that passwords are not already compromised before they are activated, and check the status of passwords in use on an ongoing basis. If a password is found to have been compromised, it needs to be changed immediately.

    Help Net Security reports: "The Password Reuse Problem is a Ticking Time Bomb"

  • news

    "DHS CISA Warns of Critical Issues in Medtronic Medical Equipment"

    The U.S. DHS Cybersecurity & Infrastructure Security Agency (CISA) published an advisory warning of three recently patched vulnerabilities in Medtronic Valleylab FT10 and FX8 devices. According to the advisory, exploitation of these vulnerabilities could allow attackers to perform malicious activities such as overwriting files and remotely executing code. The first vulnerability derives from the use of hardcoded credentials. The second is associated with the use of a vulnerable version of the rssh utility, which the devices use to ease the process of uploading files. The third stems from the use of the DESCRYPT algorithm for OS password hashing. Medtronic recommends that these devices are only connected to the hospital network when needed until the new software update is complete. This article continues to discuss the critical security flaws affecting Medtronic Valleylab products, what the exploitation of these flaws could allow attackers to do, and recommendations to minimize the risk of their abuse.

    Security Affairs reports "DHS CISA Warns of Critical Issues in Medtronic Medical Equipment"

  • news

    "Ransomware Attack Downs Hosting Service SmarterASP.NET"

    SmarterASP.NET, a popular shared web hosting provider with more than 440,480 customers, has been hit with a ransomware attack that took down the customer websites it hosts. The customer files were encrypted by a version of the Snatch ransomware, which is known to be distributed via spam email containing infected attachments or by exploiting vulnerabilities in the operating system and installed software. Typically, Snatch ransomware locks down victim data and asks for a ransom of between $500 and $1500 in Bitcoin.

    ThreatPost reports: "Ransomware Attack Downs Hosting Service SmarterASP.NET"

  • news

    "Legislation Introduced to Bolster Cyber Workforce"

    Bipartisan legislation aimed at strengthening cybersecurity education and addressing the cybersecurity workforce gap has recently been introduced by lawmakers. The Harvesting American Cybersecurity Knowledge through Education (HACKED) Act would expand upon science education and cybersecurity programs currently established in several federal agencies, including the National Institute of Standards and Technology (NIST), National Science Foundation (NSF), and the National Aeronautics and Space Administration (NASA). The HACKED Act would also offer new incentives to increase the recruitment of cybersecurity educators as well as support collaboration between employers and universities to fill the cybersecurity workforce gap. This article continues to discuss the purpose and proposals of the HACKED Act.

    NextGov reports "Legislation Introduced to Bolster Cyber Workforce"

  • news

    "A Laser Pointer Could Hack Your Voice-Controlled Virtual Assistant"

    A team of researchers from the University of Michigan and the University of Electro-Communications in Tokyo has shown that it is possible to trick voice-controlled virtual assistants, including Siri, Alexa, and Google Assistant, into registering light as audio commands by using a laser beam. The team demonstrated that attackers could use these Light Commands to perform a number of different malicious activities, such as unlocking smart lock-protected front doors, opening connected garage doors, making purchases for victims on e-commerce websites, unlocking connected vehicles, and more. The researchers used up to 60 milliwatts of laser power to hijack smart home devices, phones, and tablets. They are working with Google, Apple, and Amazon to help implement hardware and software fixes to protect users from Light Commands. This article continues to discuss the vulnerability of voice assistants to Light Commands, the risks associated with such attacks, and how users can prevent these attacks.

    The University of Michigan reports "A Laser Pointer Could Hack Your Voice-Controlled Virtual Assistant"

  • news

    "Data Points Way to More Efficient, Secure Networks"

    Electrical and Computer Engineering professor Abdallah Shami and his team of researchers at the Optimized Computing and Communications (OC2) lab in Western Engineering are working to improve the security and efficiency of content delivery networks (CDNs) using a database of 450 million data points provided by the telecommunications company Ericsson. Such efforts are necessary because attacks aimed at jamming telecommunications services and compromising intermediary servers are possible. The researchers are looking for patterns in the anonymized data set relating to the frequency, location, type, and timing of requests, which could be used to distinguish normal customer behavior from attempted hacks. Their goal is to develop an algorithm that assigns scores to anomalous events. This article continues to discuss the research being conducted to make CDNs more secure and efficient.

    TechXplore reports "Data Points Way to More Efficient, Secure Networks"

  • news

    "Scammers Favor Malicious URLs Over Attachments in Email Phishing Attacks"

    According to Proofpoint's Third Quarter 2019 Threat Report, malicious URLs dominate over attachments in email phishing attacks. One key takeaway from the third quarter of 2019 is that, globally, messages carrying malicious URLs made up 88% of all messages containing malware-infested links and attachments combined. This finding highlights the growing sophistication of social engineering attacks. Security experts have advised organizations to take a multi-layered approach to mitigating social engineering attacks, which involves increasing the security of the email channel and identifying highly targeted users. This article continues to discuss key takeaways from Proofpoint's recently released quarterly threat report in relation to the increased use of malicious URLs in phishing attacks, the decrease in ransomware attacks, the return of the Emotet botnet, and the mitigation of social engineering attacks.

    TNW reports "Scammers Favor Malicious URLs Over Attachments in Email Phishing Attacks"

  • news

    "New Cyber Security Guide Is the First to Gather Global Expertise"

    Cybersecurity experts have combined their academic and industry expertise to assemble a new authoritative cybersecurity guide. The guide, titled Cyber Security Body of Knowledge (CyBOK), was developed in support of filling the security skills gap and providing reliable advice to organizations on cybersecurity. CyBOK covers cybersecurity issues, including human error, hardware security, and the prevention of cyberattacks on critical national infrastructure. In addition, the CyBOK delves into topics such as criminal behaviors, mobile security, privacy rights, risk management, regulations, and more. This article continues to discuss the development, support, goal, and contents of the CyBOK.

    University of Bristol reports "New Cyber Security Guide Is the First to Gather Global Expertise"

  • news

    "Machine Learning Advances New Tool to Fight Cybercrime in the Cloud"

    The increasing use of cloud applications such as Dropbox and Google Drive has raised concerns about cybercriminals using cloud storage to carry out illegal activities. Researchers at Purdue University have developed a cloud forensic model that can help defenders gather evidence of cybercrimes relating to child exploitation, illegal drug trafficking, and more. The tool uses deep learning models to classify and analyze transactions uploaded to cloud storage applications that indicate illegal cloud activity. This article continues to discuss the Purdue system's use of deep learning models to fight cybercrime in the cloud, as well as the importance of automating digital forensics and incident response processes.

    Purdue University reports "Machine Learning Advances New Tool to Fight Cybercrime in the Cloud"

  • news

    "Only 47% of Cybersecurity Pros are Prepared to Deal With Attacks on Their IoT Devices"

    A new study found that fewer than half (47%) of cybersecurity professionals have a plan in place to deal with attacks on their IoT devices and equipment. These findings come at a time when 48% of organizations admit to having experienced a cyberattack against their IoT or connected devices and equipment in the last year alone. Just over a quarter (27%) of participants reported feeling 'very confident' that their personnel would know how to protect against such attacks, while 38% of participants said they are currently in the process of developing a plan. IoT devices are found in many homes and businesses, so it is important that the security of IoT devices is taken seriously.

    Help Net Security reports: "Only 47% of Cybersecurity Pros are Prepared to Deal With Attacks on Their IoT Devices"

  • news

    "Amazon Fixes Ring Video Doorbell Wi-Fi Security Vulnerability"

    Researchers at Bitdefender have reported a security vulnerability in Amazon's Ring Video Doorbell that could have been exploited by hackers to gain access to an owner's home Wi-Fi network. The vulnerability derived from the process of configuring the device for the local network, in which the Ring smartphone app sends the wireless credentials to Amazon's cloud servers. In response to the discovery of this vulnerability, Amazon released a security patch. This article continues to discuss the growing popularity of internet-connected doorbells, the security vulnerability in Amazon's Ring Video Doorbell Pro, what its exploitation could have allowed hackers to do, and Amazon's response to the discovery.

    ZDNet reports "Amazon Fixes Ring Video Doorbell Wi-Fi Security Vulnerability"

  • news

    "Determined Hackers Will Crack Voting Machines, Security Researchers Say"

    Harri Hursti and Matt Blaze, founders of the Voting Village at the DefCon security conference in Las Vegas, have stressed the importance of strengthening the security of voting machines ahead of election day. Voting machine vendors need to increase their efforts to identify, analyze, and fix security vulnerabilities that emerge throughout a machine's lifecycle such as those associated with the supply chain of parts used to build such machines. Foreign intelligence agencies are expected to use their tools and resources to exploit these vulnerabilities. This article continues to discuss common myths that have prevented improvements in voting technology, the security vulnerabilities in voting machines that should be addressed by vendors, and what efforts should be made to bolster the security of voting system infrastructure.

    GCN reports "Determined Hackers Will Crack Voting Machines, Security Researchers Say"

  • news

    "Phishing Attacks at Highest Level in Three Years"

    In a new study, researchers found that the total number of phishing sites detected from July through September 2019 was 266,387. This was up 46 percent from the 182,465 seen in the second quarter of 2019, and almost double the 138,328 seen in Q4 2018. This is the worst period for phishing that the researchers have seen in three years, since the fourth quarter of 2016. In addition to the increase in phishing volume, the number of brands attacked by phishers in Q3 was also up. The researchers saw attacks against more than 400 different brands (companies) per month in Q3, versus an average of 313 per month in Q2. The top targeted industries are largely consistent with previous quarters; webmail and SaaS sites remained the biggest targets of phishing.

    Help Net Security reports: "Phishing Attacks at Highest Level in Three Years"

  • news

    "Study Finds Companies May Be Wise to Share Cybersecurity Efforts"

    A study conducted by researchers at North Carolina State University found that companies are considered less attractive when they share a field with a company that has faced a cybersecurity breach. Companies that are more transparent about how they manage cybersecurity risks perform better than those that do not disclose information about their cybersecurity practices. Studies on the contagion effect in the realm of cybersecurity breaches have found that organizations can take steps to reduce its impact. The researchers also studied another effect, known as the competition effect, in which investors consider a cybersecurity breach faced by one company as an advantage for that company's competitors, thus making the competitors more appealing to investors. This article continues to discuss key findings from studies on the contagion effect and the competition effect in regard to cybersecurity breaches experienced by companies, in addition to the importance of disclosing cybersecurity risk management efforts.

    TechXplore reports "Study Finds Companies May Be Wise to Share Cybersecurity Efforts"

  • news

    "Defenders Can Discover Phishing Sites Through Web Analytics IDs"

    There has been an increase in the use of web analytics services by phishing websites. The unique tracking IDs added to the code of phishing websites when these services are used can help defenders detect phishing attacks. Web analytics services help phishing kit developers get a better idea of how effective their campaigns are: the data collected allows cybercriminals to measure the effectiveness of their phishing attacks and adjust their targeting accordingly. An analytics UID that appears on multiple phishing pages can be used to create a detection signature as well as a web firewall rule, which could help security vendors and enterprise security teams discover and block multiple phishing pages from the same campaign. This article continues to discuss the use of web analytics services by phishing kit developers, how defenders can use analytics UIDs to detect phishing websites, and two examples in which researchers were able to identify much larger campaigns through the use of these UIDs.

    CSO AU reports "Defenders Can Discover Phishing Sites Through Web Analytics IDs"

  • news

    "Cybersecurity Workforce Needs to Grow 145% to Close Skills Gap"

    A new study concludes that there is a shortage of skilled cybersecurity professionals. The 2019 (ISC)2 Cybersecurity Workforce Study estimates the current global cybersecurity workforce at 2.8 million professionals and the number needed to close the skills gap worldwide at a further 4.07 million, an increase of 145%. In the U.S. market, the current cybersecurity workforce is estimated at 804,700 and the shortage at 498,480, so an increase of 62% would be needed to better defend U.S. organizations. The gap between the number of cybersecurity professionals working in the field and the number needed to keep organizations safe must be addressed if organizations are to defend against the growing volume of cyberattacks.

    Security Magazine reports: "Cybersecurity Workforce Needs to Grow 145% to Close Skills Gap"

  • news

    "Machine Learning: With Great Power Come New Security Vulnerabilities"

    Machine learning (ML) now underpins self-driving cars, speech recognition, biometric authentication, and more. However, ML models remain vulnerable to a variety of attacks that cause them to produce incorrect output, posing a threat to safety and security. Bolstering ML security calls for further research into who the adversaries in ML attacks are, what motivates them to target ML systems, and how such attacks are executed. Classifying attacks along these lines distinguishes evasion, poisoning, and privacy attacks. This article continues to discuss the importance of understanding why and how ML attacks occur, as well as a structured approach to ML security.

    Security Intelligence reports "Machine Learning: With Great Power Come New Security Vulnerabilities"

  • news

    "Chinese Researchers Reveal Method to Bypass Biometric Fingerprint Scanners in Smartphones"

    Security researchers from Tencent's X-Lab gave a presentation at the GeekPwn 2019 conference that brought further attention to the circumvention of fingerprint security. The researchers claim to have bypassed the fingerprint scanners of Android and iOS devices using fingerprint photographs taken with a smartphone, fingerprints recreated from those photographs, and an app they developed. With this method they unlocked three different phones, covering capacitive, optical, and ultrasonic fingerprint sensors. This article continues to discuss the fingerprint hacking method and a security vulnerability discovered in the fingerprint recognition function of the Samsung Galaxy S10 smartphone.

    Biometric Update reports "Chinese Researchers Reveal Method to Bypass Biometric Fingerprint Scanners in Smartphones"

  • news

    "Alexa, Siri, Google Assistant Smart Speakers – They're All Open to Remote Laser Attacks"

    Researchers at the University of Electro-Communications in Tokyo and the University of Michigan have found a new way for attackers to control smart devices, which they call Light Commands. Light Commands exploits a vulnerability in MEMS (microelectromechanical systems) microphones, which respond to modulated laser light as if it were sound, allowing an attacker to remotely inject commands that are both inaudible and invisible. Any voice assistant that listens through a MEMS microphone can be attacked this way, including Google Assistant, Amazon Alexa, Facebook Portal, and Apple Siri. Given that many people use smart speakers to control other devices in their homes, the vulnerability should be taken seriously: an attacker could issue commands to open a garage door, open doors protected by smart locks, or even unlock and start a Tesla linked to a Google account.

    ZDNet reports: "Alexa, Siri, Google Assistant Smart Speakers - They're All Open to Remote Laser Attacks"

  • news

    "Boeing's Poor Information Security Posture Threatens Passenger Safety, National Security"

    Chris Kubecka, a security researcher and critical infrastructure expert, recently gave a presentation at the Aviation Cyber Security conference in London on the threat that Boeing's inadequate information security practices pose to aviation safety and national security. According to Kubecka, one or more of Boeing's email servers are infected with malware, and these infected servers are believed to be used to exfiltrate sensitive intellectual property such as software source code. Other failures include the exposure of Boeing's test development network to the internet and the absence of a TLS certificate on Boeing's official website, which leaves its web traffic without HTTPS encryption. This article continues to discuss the discoveries made about Boeing's information security practices, the response to these discoveries, Boeing's vulnerability disclosure program, and aviation cybersecurity research.

    CSO Online reports "Boeing's Poor Information Security Posture Threatens Passenger Safety, National Security"

  • news

    "Cybersecurity: Under Half of Organizations Are Fully Prepared to Deal With Cyberattacks"

    FireEye's Cyber Trendscape 2020 report collects CISOs' views on the current cyber threat landscape. According to the study, a little under half of organizations said they were fully prepared to handle a cyberattack or data breach, while a small number said they were not ready to face such attacks at all. Efforts to improve organizations' cybersecurity include deploying security software, managing vulnerabilities, and providing security awareness training to employees. The report also emphasized that phishing remains a top threat: 20% of the organizations that experienced a cyberattack in the previous 12 months cited phishing as the method used. As for the source of attacks, a third of organizations said they fear hacking groups. This article continues to discuss key findings of the report on organizations' readiness to respond to a cyberattack, in addition to security measures, top cyber threats, and the sources of cyberattacks.

    ZDNet reports "Cybersecurity: Under Half of Organizations Are Fully Prepared to Deal With Cyberattacks"

  • news

    "A Plan to Crowdsource Voting Machines' Security Problems"

    The Information Technology-Information Sharing and Analysis Center (IT-ISAC), a northern Virginia infrastructure-threat clearinghouse, is exploring the creation of a coordinated vulnerability disclosure (CVD) program that would alert voting system companies to security vulnerabilities in their machines. The IT-ISAC is reviewing responses to its request for information on how broad the program's scope should be. The input addresses whether the program should examine only voting machines or also cover security flaws in other election-related infrastructure. This article continues to discuss what is being considered in the creation of a CVD program to help voting-system manufacturers learn about vulnerabilities in their machines, in addition to other efforts to improve election security.

    Defense One reports "A Plan to Crowdsource Voting Machines' Security Problems"

  • news

    "Are Researchers Helping Criminal Groups?"

    The tools and exploits developed and publicly released by penetration testers and security researchers are expected to keep helping adversaries compromise targets. The argument for public release is that it leads to the discovery of possible attacks and to mitigations that work against testers and adversaries alike. However, many intrusion groups have been found to leverage public security tools and exploits, and when anyone can download an offensive tool from the Internet, attribution becomes harder. Penetration testers and security researchers are therefore encouraged to publish detection, mitigation, and countermeasure information alongside any new tool or exploit they release. This article continues to discuss the argument in support of public offensive tool releases, concerns about the negative impact that offensive research can have on enterprise security, and what should be shared in conjunction with security researchers' new offensive capabilities.

    Tech Radar reports "Are Researchers Helping Criminal Groups?"

  • news

    "Hackers Plead Guilty to Breach That Uber Covered up"

    The two individuals responsible for the 2016 Uber data breach, Brandon Charles Glover, 26, of Florida, and Vasile Mereacre, 23, of Toronto, pleaded guilty last week to stealing the company's personal data, which was stored on Amazon Web Services, between October 2016 and January 2017 and then demanding money to destroy their copies of it. The data of 57 million drivers and customers was stolen in the breach. Uber not only kept the breach secret from the victims but also paid the two attackers $100,000, $50,000 each, to delete the data and keep quiet. Not until 10 months later, in November 2017, did Uber tell riders and drivers that it had lost control of their personal information. The company also hid the breach from the Federal Trade Commission (FTC). Both the 2014 and the 2016 breaches were made possible by the same security failure: in each case, Uber's engineers left credentials for the company's Amazon Web Services S3 storage publicly accessible on GitHub.

    Naked Security reports: "Hackers Plead Guilty to Breach That Uber Covered up"
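    A minimal scan for the kind of credential leak that enabled both Uber breaches, as an added example that is not from the Naked Security article or from Uber: it runs over a constructed config file that uses the placeholder keys published in the AWS documentation, and the key formats, the label-proximity rule for secret keys, and the entropy threshold are the author's assumptions, not AWS specifications.

```python
"""Scan source text for AWS credentials before it is pushed, the kind of
leak that gave the Uber attackers their way in.  Added example: the sample
file is constructed and uses the placeholder keys from the AWS documentation."""
from __future__ import annotations

import math
import re
import sys

# Access key IDs: long-term keys begin with AKIA, temporary STS keys with ASIA.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret key is 40 characters from the base64 alphabet.  Requiring an
# "aws ... secret" label nearby keeps other 40-character tokens (a git SHA-1
# is 40 hex digits) from being flagged.  Format assumptions by the author.
SECRET_KEY_RE = re.compile(
    r"(?i)aws.{0,20}?secret.{0,20}?['\"=:\s]\s*([A-Za-z0-9/+=]{40})\b")

# Constructed sample config with the documented AWS example credentials.
SAMPLE_FILE = """\
# deploy.cfg (constructed sample)
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
last_commit = 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; a real 40-char key scores well above 3.5,
    while a padded or repetitive placeholder such as 'AAAA...' does not."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, min_secret_entropy: float = 3.5) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, value) for each credential found."""
    hits: list[tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((lineno, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= min_secret_entropy:
                hits.append((lineno, "aws_secret_access_key", secret))
    return hits


def scan_files(paths: list[str]) -> dict[str, list[tuple[int, str, str]]]:
    """Scan each file; unreadable files are skipped rather than fatal."""
    findings: dict[str, list[tuple[int, str, str]]] = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read())
        except OSError:
            continue
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    # Pre-commit usage: pass the staged files; exit non-zero if anything is found.
    if len(sys.argv) > 1:
        results = scan_files(sys.argv[1:])
    else:
        results = {"<sample>": scan_text(SAMPLE_FILE)}
    for path, hits in results.items():
        for lineno, kind, value in hits:
            print(f"{path}:{lineno}: {kind} {value[:4]}...")  # never echo the full secret
    sys.exit(1 if results else 0)
```

    Wired into a git pre-commit hook (for example `git diff --cached --name-only | xargs python scan_aws_keys.py`, with the script name assumed), a non-zero exit blocks the commit before the credential ever reaches a remote. The scan is a last line of defence, not a substitute for the fix Uber needed: long-lived keys should not sit in source at all, and a key that has been committed once must be rotated, since history rewriting does not retrieve copies already cloned.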