News Items

  • news

    Visible to the public "Lack of Secure Coding Called a National Security Threat"

    The lack of secure coding is a pervasive and serious threat to national security. In order to fix the problem of coders not performing secure coding, one needs to come up with an objective standard, and a legislative mandate that requires a certain level of assurance to provide an assured product. Fixing this problem will not be easy, due to the problems of speed-to-market pressures and the sheer number of IoT devices being produced. Even though it will be tough to fix, it is important that one takes unsecured coding seriously, in order to help keep individuals information more secure and so software can be produced that is less vulnerable to attacks.

    Bank Info Security reports: "Lack of Secure Coding Called a National Security Threat"

  • news

    Visible to the public "Bluetooth's Complexity Has Become a Security Risk"

    Bluetooth security vulnerabilities arise on account of the protocol's complexity. The documentation for the Bluetooth standard is significantly longer and more comprehensive than the material provided for other wireless protocols, making it increasingly complex and difficult for manufacturers to handle. According to Ken Kolderup, vice president of marketing at the Bluetooth Special Interest Group (SIG), the standard's documentation is extensive because it defines a radio frequency for the standard and covers components of hardware, applications, and more, in order to ensure that interoperability between Bluetooth devices is enabled. This article continues to discuss vulnerabilities associated with the Bluetooth standard, the complexity of the Bluetooth standard, recent discoveries in relation to Bluetooth implementation and configuration issues, and how the Bluetooth SIG plans to help improve to the security of Bluetooth implementations.

    Wired reports "Bluetooth's Complexity Has Become a Security Risk"

  • news

    Visible to the public "EU Approves Cyber-Attack Sanctions Ahead of Election"

    The European Union (EU) has agreed upon the enforcement of new cyber sanctions that would penalize cyberattackers by freezing their assets and banning them from traveling. The aim of the automatic set of sanctions is to discourage the future launch of cyberattacks as malicious actors have made attempts at attacking the EU's critical infrastructure, stealing commercial secrets, and more. This article continues to discuss the EU's approval of a cyber sanctions regime plan, the aim of cyberattack sanctions, and recent high-profile cyberattacks against the EU.

    Engadget reports "EU Approves Cyber-Attack Sanctions Ahead of Election"

  • news

    Visible to the public "Will the U.S. Government Draft Cybersecurity Professionals?"

    The National Commission on Military, National, and Public Service, is considering modernizing the Selective Service System (SSS) to include the possible conscription of those that are highly skilled in cybersecurity. One of the goals of this modification is to recruit and promote cybersecurity experts that are of greater age with a lot of experience, thus focusing on experts that are 30 or older. This article continues to discuss the possible compulsory enlistment of cybersecurity experts to serve in the military and civil service, current Selective Service rules, changing the shape of the military with cybersecurity professionals, and the increased deployment of more experienced security practitioners by the U.S. Army Cyber Command.

    CSO Online reports "Will the U.S. Government Draft Cybersecurity Professionals?"

  • news

    Visible to the public Winners of the 2019 NSA Research Directorate Awards at ISEF 2019

    Phoenix, AZ - On Thrusday Night, May 16, 2019, The National Security Agency Executive Director, Mr. Harry Coker, and NSA Researcher and Science of Security and Privacy (SoS) Technical Lead, Dr. Adam Tagert, presented the NSA Research Directorate Awards to 10 outstanding high school scientists. These students were finalists at the 2019 Intel International Science and Engineering Fair (ISEF).

  • news

    Visible to the public "How to Break Our Bad Online Security Habits – with a Flashing Cyber Nudge"

    Cyberattacks continue to rise as a result of human error, the growing complexity of technology, and the increasing sophistication of attack methods. It is important that methods for encouraging good cybersecurity behaviors continue to be explored and developed. A circuit board, called the Adafruit Circuit Playground, can be used to nudge end users into following proper cybersecurity practices. This article continues to discuss privacy fatigue, the exploitation of users' busyness to launch attacks, approaches to breaking bad cybersecurity habits, and the idea behind the Adafruit Circuit Playground.

    Phys.org reports "How to Break Our Bad Online Security Habits - with a Flashing Cyber Nudge"

  • news

    Visible to the public 2019 Music City BEST Season Registration is Open!

    I am excited to announce the 2019 Season Dates! This year's game is "Off the Grid". Team registration is now open.

    • Kickoff - 09/21/19 - Allen Arena
    • Practice (late afternoon practice, time is TBD) - 10/26/19 - McQuiddy Gym
    • Game Day - 11/02/19 - Allen Arena

    This should be a fun challenge and very relevant to existing technical challenge in several US locations.

  • news

    Visible to the public "Unsecured Survey Database Exposes Info of 8 Million People"

    An independent security researcher, named Sanyam Jain, discovered an unsecured Elasticsearch database, which exposed personal information belonging to 8 million people who have responded to online surveys, entered sweepstakes, and requested free product samples. The information exposed by this database included full names, home addresses, email addresses, IP addresses, phone numbers, and more. A performance-based marketing company, named Ifficient, was found to be the owner of the database. This article continues to discuss the discovery of the unsecured database, what information was exposed, and Ifficient's response to this discovery.

    Bleeping Computer reports "Unsecured Survey Database Exposes Info of 8 Million People"

  • news

    Visible to the public "Blockchains Are Being Exploited by Bots for Profit"

    New research conducted at Cornell Tech brings attention to the exploitation of weaknesses in blockchains by attackers through the use of bots for the purpose of gaining profit. The blockchain is a decentralized distributed ledger used to process and finalize cryptocurrency transactions. According to researchers, bots are exploiting time delays in the blockchain system in order to make trades at a higher speed than humans. As a result, bots can have access to information in advance, which could be used to make deals. This article continues to discuss blockchain technology, research discoveries surrounding the inefficiencies of the blockchain system, and the exploitation of these weaknesses by an army of bots.

    Homeland Security News Wire reports "Blockchains Are Being Exploited by Bots for Profit"

  • news

    Visible to the public "Billions of Malicious Bot Attacks Take to Cipher-Stunting to Hide"

    In addition to the growing advancement of malware development, cybercriminals are also increasing the complexity of the ways in which they evade detection. According to researchers at Akamai, attackers have been observed to be increasing their use of a TLS tampering technique, called cipher stunting, which masks malicious bot activity as live human traffic on the web, thus allowing detection attempts to be evaded. This article continues to discuss the concept, increased performance, and targets of cipher stunting.

    Threatpost reports "Billions of Malicious Bot Attacks Take to Cipher-Stunting to Hide"

  • news

    Visible to the public "CyberPatriot Competitions Offer Answers to U.S. Cybersecurity Workforce Challenges"

    A section in the new Executive Order on America's Cybersecurity Workforce calls for the establishment of more cyber competitions in support of raising awareness about the cybersecurity field, cultivating cyber skills, and sustaining a national cybersecurity workforce. It is important that efforts are made to further prepare the next generation of cybersecurity professionals. The CyberPatriot Program, created by the Air Force Association, is aimed at developing the cyber skills of middle school and high school students, and encouraging them to explore career paths in cybersecurity or other STEM disciplines. This article continues to discuss the objective of CyberPatriot and its National Youth Cyber Defense Competitions.

    GovTech reports "CyberPatriot Competitions Offer Answers to U.S. Cybersecurity Workforce Challenges"

  • news

    Visible to the public "Before Blaming Hackers, Check Your Configurations"

    Widely-used cloud platforms, such as Office 365 from Microsoft or G-Suite from Google are often administered by IT professionals tasked with all aspects of configuration; security is not their primary focus. Most Software as a Service (SaaS), have default settings that are tuned to empower end-users with full control over collaboration and data access. The default setting are usually configured to easy access and usability instead of better security. Users of SaaS should look at the default settings and change them to be focus more on security. Improving configuration management in SaaS applications can minimize the risk of data loss, phishing campaigns and can help prevent breaches.

    InfoSecurity reports: "Before Blaming Hackers, Check Your Configurations"

  • news

    Visible to the public "How AI Augments Mobile Authentication"

    The U.S. Department of Defense recently awarded a 20-month $2.42 million contract to a company, named TWOSENSE.AI, in support of developing technology that uses artificial intelligence (AI) to learn about mobile users' behavior and continuously authenticates the users based on the behaviors learned by the AI. The behaviors that will be monitored and learned by the technology include gait, keystrokes, and fingertip pressure. The technology will supplement traditional authenticators instead of replace them as users will still be asked to provide usernames, passwords, one-time personal identification numbers, or biometric identifiers, if the authentication process involving learned behaviors goes wrong. This article continues to discuss the concept, support, development, and research behind this technology.

    GCN reports "How AI Augments Mobile Authentication"

  • news

    Visible to the public "A Cisco Router Bug Has Massive Global Implications"

    Security researchers at Red Balloon have discovered two vulnerabilities in the Cisco 1001-X series router. Cisco's 1001-X routers are used for connectivity at stock exchanges, local malls, corporate offices, and more. The exploitation of these security flaws could allow hackers to steal the data that passes through the routers. These bugs are significant in that they enable hackers to remotely gain root access to routers and circumvent the security protection, Trust Anchor, which has been built into most of Cisco's enterprise devices since 2013. According to researchers, the techniques used to bypass Trust Anchor could be used by attackers to infiltrate the networks in which these devices are connected. This article continues to discuss the vulnerabilities and the potential impact that these flaws could have on institutions, along with some concerns surrounding the mitigation of the vulnerabilities and the research conducted behind these discoveries.

    Wired reports "A Cisco Router Bug Has Massive Global Implications"

  • news

    Visible to the public "Why Local Governments Are a Hot Target for Cyberattacks"

    Cyberattacks against local governments have been on the rise as indicated by the recent wave of ransomware attacks faced by municipalities within the U.S. Security experts have provided reasons as to why local governments have become an attractive target for cyberattacks. According to researchers, cities are increasingly utilizing the Internet to deliver services, city systems are storing massive amounts of data, cities are resource-constrained in regard to cybersecurity, and more. This article continues to discuss recent cases in which U.S. municipalities have been hit with malware and ransomware, and why cities are vulnerable to cyberattacks.

    CSO Online reports "Why Local Governments Are a Hot Target for Cyberattacks"

  • news

    Visible to the public "Employees are aware of USB drive security risks, but don’t follow best practices"

    In a study that was conducted, employees were found to be aware of the risks associated with inadequate USB drive security. It was found that while 91 percent of respondents claimed that encrypted USB drives should be mandatory, 58 percent of respondents confirmed that they regularly use non-encrypted USB drives. Although 64 percent of organizations have a policy outlining acceptable use of USB devices, 64 percent of respondents said their employees use USB drives without obtaining advance permission to do so. It was also discovered that nearly half of the respondents lost a USB drive without notifying appropriate authorities about the incident. It is important that employers implement strict security policies to defend against the shortcuts employees will take. Beyond policies and procedures, organizations should reinforce that their employees use encrypted USB drives that require a unique PIN to make information on USB drives more secure.

    HELPNETSECURITY reports: "Employees are aware of USB drive security risks, but don't follow best practices"

  • news

    Visible to the public "Intel CPUs Impacted by New Zombieload Side-Channel Attack"

    A team of researchers have recently disclosed a new side-channel attack, called Zombieload. This attack is of the same category as Meltdown, Spectre, and Foreshadow in that it also abuses the speculative execution capabilities of modern CPUs to gain access to sensitive data. Zombieload exploits the speculative execution capabilities of CPUs' microarchitectural data structures, used to increase the speed at which data is read or written, in order to make assumptions about the data that is being processed in the CPU by other applications. This article continues to discuss Zombieload and other Microarchitectural Data Sampling (MDS) attacks discovered by researchers.

    ZDNet reports "Intel CPUs Impacted by New Zombieload Side-Channel Attack"

  • news

    Visible to the public "Design Flaws Create Security Vulnerabilities for 'Smart Home' Internet-of-Things Devices"

    Flaws in the design of smart home Internet of Things (IoT) devices have been discovered by researchers at North Carolina University. The discovery of these design flaws is shared in a paper, titled Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-Home Internet of Things. According to researchers, the exploitation of these design flaws could lead to the prevention of security information sharing by smart home IoT devices to homeowners. Notifications pertaining to security problems such as break-ins can be blocked by attackers. This article continues to discuss the design flaws in smart home IoT devices that have been identified by researchers, the suppression attacks that can be performed through the abuse of the flaws, and potential solutions for addressing these vulnerabilities.

    Science Daily reports "Design Flaws Create Security Vulnerabilities for 'Smart Home' Internet-of-Things Devices"

  • news

    Visible to the public "WhatsApp flaw used to install spyware by simply calling the target"

    A security vulnerability in the popular Facebook-owned end-to-end encrypted messaging app WhatsApp allowed attackers to install spyware on smartphones without any user interaction or knowledge. WhatsApp discovered the vulnerability in early May, and discovered that the vulnerability was being exploited to deliver the Pegasus mobile spyware and was being distributed to distinct targets. The current number of individuals targeted by the attack is currently unknown. It is recommended that every user of WhatsApp downloads the new update, which fixes the vulnerability.

    HELPNETSECURITY reports: "WhatsApp flaw used to install spyware by simply calling the target"

  • news

    Visible to the public "Flaws in a Popular GPS Tracker Leak Real-Time Locations and Can Remotely Activate Its Microphone"

    Security vulnerabilities have been discovered in a popular GPS tracker used to monitor children, track vehicles, and send alerts pertaining to elderly patients. The white-label location tracker is manufactured in China and is sold by companies, including Pebble by HoIP Telecom, OwnFone Footprint, SureSafeGo, and more. According to cybersecurity researchers from Fidus Information Security, these flaws could be exploited by attackers to retrieve information about a user's real-time location, secretly listen in on users, or completely disable the device. This article continues to discuss the GPS tracker, the security flaws that it has been discovered to contain, how attackers can exploit these vulnerabilities, and how this problem could be addressed.

    TechCrunch reports "Flaws in a Popular GPS Tracker Leak Real-Time Locations and Can Remotely Activate Its Microphone"

  • news

    Visible to the public "Hackers Still Outpace Breach Detection, Containment Efforts"

    Reports recently released by security researchers, including the Trustwave 2019 Global Security Report and the FireEye 2019 Mandiant M-Trends Report, indicate that there has been an improvement in the discovery and containment of data breaches as organizations have increased the speed at which cyber incidents are detected. According to the results of studies highlighted by these reports, the time between intrusion and detection has been shortened significantly by days. Mandiant shared that the time between the occurrence of compromise and its discovery decreased from 101 days in 2017 to 78 days in 2018, showing a major decrease in dwell time. Dwell time is the amount of time attackers go undetected in a system or the time it takes for an organization to become aware of an incident. Cybersecurity teams should continue striving to reduce dwell time. However, security researchers still emphasize that attackers do not need a lot of time to inflict major damage. This article continues to discuss findings in relation to the improvement in breach detection and containment, and the use of automation to improve such efforts.

    Dark Reading reports "Hackers Still Outpace Breach Detection, Containment Efforts"

  • news

    Visible to the public "Three Ways GDPR Benefits US Companies"

    The European Union's General Protection Regulation (GDPR) went into effect on May 25, 2018. The purpose of the GDPR is to ensure the protection of personal data belonging to EU residents by enforcing a standard upon any companies that manage this data. The GDPR has a far-reaching impact as any company that conducts business with EU citizens are expected to comply with this regulation, pressuring organizations to improve their efforts in regard to privacy and security. There are ways in which U.S. organizations have benefited from GDPR in that this regulation has pushed organizations to improve their incident response strategies, make great efforts to strengthen Internet of Things (IoT) security, and prepare for U.S. data privacy regulations. This article continues to discuss GDPR and how U.S. organizations have benefited from the regulation, along with the GDPR's next steps.

    Help Net Security reports "Three Ways GDPR Benefits US Companies"

  • news

    Visible to the public "Despite warnings, most people still don’t change their passwords"

    1050 individuals were surveyed about their passwords. It was discovered that 64% of people used the same password for some, or even all, of their online accounts, while only 21% used a different password for each account. 21% of the respondents used personal information to create passwords. 9% of respondents said that they had never changde their main email account password. It was also discovered that 45% of users include special characters in their passwords such as @ or $, while 32% say their passwords contain fewer than eight letters. Most passwords (35%) have up to ten characters, while 16% are the most security-conscious, with over 12 characters. It is important for individuals and businesses to take password security seriously, because week passwords, make it much easier for hackers to access sensitive information and cause a data breach.

    HELPNETSECURITY reports: "Despite warnings, most people still don't change their passwords"

  • news

    Visible to the public "Artificial Intelligence May Not 'Hallucinate' After All"

    Great advancements have been made in machine learning in regard to image recognition as this technology can now identify objects in photographs as well as generate authentic-looking fake images. However, the machine learning algorithms used by image recognition systems are still vulnerable to attacks that could lead to the misclassification of images. Researchers continue to explore the problem of adversarial examples, which could be used by attackers to cause a machine learning classifier to misidentify an image. This article continues to discuss the concept and new research behind adversarial examples.

    Wired reports "Artificial Intelligence May Not 'Hallucinate' After All"

  • news

    Visible to the public "This Ransomware Sneakily Infects Victims by Disguising Itself With Anti-Virus Software"

    According to cybersecurity researchers at Trend Micro, ransomware, called Dharma, which emerged in 2016, has been updated to deceive users into installing it by posing as anti-virus software. New details pertaining to the updated version of Dharma ransomware reveal that the file-locking malware hides inside a fake anti-virus software installation. Researchers suggest that organizations implement stronger cybersecurity practices such as securing email gateways, frequently backing up files, and more, in order to avoid being hit by Dharma and other similar cyberattacks. This article continues to discuss Dharma ransomware in relation to its impact, process, and distribution, along with how organizations can avoid such threats.

    ZDNet reports "This Ransomware Sneakily Infects Victims by Disguising Itself With Anti-Virus Software"

  • news

    Visible to the public "Study Finds Wi-Fi Location Affects Online Privacy Behavior"

    A team of scientists conducted a study to see if a person's location offline affects how they behave online in regard to privacy. The study also explores changes in online privacy behavior resulting from the presence of a virtual private network (VPN) logo, the provision of terms and conditions by the wireless provider, and more. The study was conducted by observing the online behavior of participants from Amazon Mechanical Turk in four different types of physical locations, including a coffee shop, a university, an Airbnb, and home. Scientists observed unethical behavior, ethical behavior, and the disclosure of private information online. This article continues to discuss the purpose and findings of this study.

    Tech Explorist reports "Study Finds Wi-Fi Location Affects Online Privacy Behavior"

  • news

    Visible to the public "Bypassing Popular Passwords"

    A new model for password protection has been proposed by Jaryn Shen and Qinqkai Zeng of the State Key Laboratory for Novel Software Technology, and Department of Computer Science and Technology, at Nanjing University, China. The new approach is aimed to protect passwords from online and offline attacks without requiring users to create and memorize their passwords as it is difficult to get users to create more complex passwords, use password managers, and enable multi-factor authentication. This article continues to discuss the new password protection approach proposed by researchers.

    Phys.org reports "Bypassing Popular Passwords"

  • news

    Visible to the public "The IoT threat landscape is expanding rapidly, yet few companies are addressing third party risk factors"

    There is a dramatic increase in IoT-related data breaches specifically due to an unsecured IoT device or application since 2017. It has jumped from 15 percent to 26 percent, and the results might actually be greater, because most organizations are not aware of every unsecured IoT device or application in their environment or from third party vendors. Most organizations surveyed have no centralized accountability to address or manage IoT risks. Less than half of company board members approve programs intended to reduce third party risk and only 21 percent of board members are highly engaged in security practices and understand third party and cybersecurity risks in general. Companies will have too take all risks, including IoT risks seriously if they want to lessen the chances of a breach occurring.

    HELPNETSECURITY reports: "The IoT threat landscape is expanding rapidly, yet few companies are addressing third party risk factors"

  • news

    Visible to the public "Critical flaw allows attackers to take over Cisco Elastic Services Controllers"

    Cisco had a critical flaw which allowed attackers to take over Cisco Elastic Services Controllers (ESC). ESC is a popular enterprise software for managing virtualized resources. The vulnerability is due to improper validation of API requests. An attacker who found the flaw could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system. The flaw has since been patched on the critical, remotely exploitable authentication bypass vulnerability in Cisco Elastic Services Controller.

    HELPNETSECURITY reports: "Critical flaw allows attackers to take over Cisco Elastic Services Controllers"

  • news

    Visible to the public F1/10

    F1/10 is a high-performance autonomous racing car that is 1/10th the size of a real car and can reach a top speed of 50mph. It carries a full suite of sensors; the perception, control and networking software stacks that make it autonomous. Out of the box, F1/10 can map an environment, plan a path in it, and follow that path while avoiding obstacles. If you needed to augment the capabilities of the car to enable the research (e.g.

  • news

    Visible to the public The 3rd International Competition on Verifying Continuous and Hybrid Systems (ARCH-COMP'19)

    The 3rd International Competition on Verifying Continuous and Hybrid Systems (ARCH-COMP'19) held as a part of the 6th International Workshop on Applied Verification for Continuous and Hybrid Systems (ARCH'19) occurred on April 15, 2019 as a part of the ACM/IEEE Cyber-Physical Systems and Internet-of-Things Week (CPS-IoT Week).

  • news

    Visible to the public "Flaws in Metrics for User Login Systems"

    A study conducted at Rutgers University-New Brunswick brings further attention to flaws in the metrics used to measure the performance of user login systems. In addition to highlighting these flaws, the study proposes a solution towards measuring the success of authentication systems. According to researchers, the solution involves combining the strengths of popular metrics from other fields with a metric that is rarely used. The proposed method can be used by researchers, government agencies, the public, and more, to increase the success of their authentication systems. This article continues to discuss the study done by Rutgers engineers and the novel solution they have proposed.

    Homeland Security News Wire reports "Flaws in Metrics for User Login Systems"

  • news

    Visible to the public "Unhackable? New chip makes the computer an unsolvable puzzle"

    A new computer processor architecture called MORPHEUS could usher in a future where computers proactively defend against threats. It would be able to render the current electronic security model of bugs and patches obsolete. MORPHEUS has been developed at the University of Michigan. The way it works is that the chip blocks potential attacks by encrypting and randomly reshuffling key bits of its own code and data 20 times per second-infinitely faster than a human hacker can work and thousands of times faster than even the fastest electronic hacking techniques.

    HELPNETSECURITY reports: "Unhackable? New chip makes the computer an unsolvable puzzle"

  • news

    Visible to the public "Industry Warns of Flaws as Gov’t Proposes Mandatory IoT Security Labelling"

    The UK government is considering establishing an IoT security labelling scheme, which will help inform consumers about how secure IoT products are. The consultation suggests three security requirements laid out by the UK government's "Secure by Design" Code of Practice, which calls for the building of cybersecurity measures in the design phase of IoT products. Manufacturers of IoT devices would be required to ensure that IoT device passwords are highly unique and unable to be reset to factory default passwords. This article continues to discuss the IoT security labelling consultation and concerns surrounding the proposed IoT security legislation.

    CBR reports "Industry Warns of Flaws as Gov't Proposes Mandatory IoT Security Labelling"

  • news

    Visible to the public "50,000 Companies Exposed to Hacks of 'Business Critical' SAP Systems: Researchers"

    New ways of exploiting vulnerabilities in SAP software have been discovered by security researchers. These vulnerabilities leave the 50,000 companies that use this software susceptible to being hacked. The exploitation of these vulnerabilities could enable hackers to hinder the operations of companies, steal information on companies' SAP systems, and alter this information, allowing the performance of financial fraud, the withdrawal of money, and more. This article continues to discuss the use of SAP software and what the abuse of vulnerabilities in SAP software could allow hackers to do to companies.

    Reuters report "50,000 Companies Exposed to Hacks of 'Business Critical' SAP Systems: Researchers"

  • news

    Visible to the public Executive Order on America’s Cybersecurity Workforce

    The White House released an Executive Order on America's Cybersecurity Workforce. It call this workforce a national asset. It calls for the government to enhance mobility of the workforce to move between public and private employment. It call for development of skills and that the government must recognize and reward the highest-performing cybersecurity workers.

    It calls for the creation of an annual cybersecurity competition for federal civilian and military members. The first competition is to be held in 2019.

    For the order and additional details:

  • news

    Visible to the public "Majority of Encrypted Email Clients Vulnerable to Signature Spoofing"

    Researchers from the Ruhr University Bochum and Munster University of Applied Sciences examined the implementation of two major email encryption standards, OpenPGP and S/MIME. According to the findings of this analysis, the majority of leading encrypted email clients that support these standards are vulnerable to digital signature spoofing. Five different classes of attack are described by researchers, which are CMS attacks, GnuPG API attacks, MIME attacks, ID attacks, and UI attacks. This article continues to discuss the susceptibility of encrypted email clients to digital signature spoofing, the classes of attack described by researchers, and what the results of this investigation suggest.

    SecurityWeek reports "Majority of Encrypted Email Clients Vulnerable to Signature Spoofing"

  • news

    Visible to the public "GAO Flags New Cybersecurity Issues for Upcoming Census"

    The Government Accountability Office (GAO) urges the Census Bureau to improve upon its cybersecurity. The public will be allowed to respond to the 2020 Decennial Census via the internet. In addition, field-based enumerators will be allowed to use applications on mobile devices to gather survey data from households. Personally identifiable information such as names, birth dates, living situations, and more, will be more susceptible to being digitally hacked as a result of these changes. This article continues to discuss how the 2020 Decennial Census will be conducted, the security risks that will be introduced by changes made to the collection of data, and recommendations for the Bureau in relation to the improvement of its posture against security risks.

    Nextgov reports "GAO Flags New Cybersecurity Issues for Upcoming Census"

  • news

    Visible to the public "Can Wi-Fi Networks Be Completely Secure?"

    Researchers in China have reviewed different Wi-Fi hacking techniques that attackers have been discovered to use and suggested ways in which the security of a wireless infrastructure can be improved. Rogue AP, ARP spoofing, and Wi-Fi MITM are three of the top exploit kits used to hack Wi-Fi, which have also been examined by researchers. It has been highlighted that hackers and crackers will always find ways to break into a Wi-Fi network even if the network has the latest security measures, firewall protection, and more. This article continues to discuss the fundamental security flaw in all Wi-Fi systems and concerns surrounding the exploit kits used by attackers to break into Wi-Fi.

    Homeland Security News Wire reports "Can Wi-Fi Networks Be Completely Secure?"

  • news

    Visible to the public "How much does the average employee know about data privacy?"

    The 2018 Eye on Privacy report found that 58 percent of employees had never heard of the PCI Standard. PCI Standards are a global set of payment card industry (PCI) guidelines that govern how credit card information is handled. It was also found that 12 percent of employees were unsure if they should report a cybercriminal stealing sensitive client data while at work. Employees within the Technology sector were least likely to identify and prioritize the most sensitive information. For example, 73 percent of those in the tech sector ranked Social Security numbers as most sensitive, compared to 88 percent of employees in all other industries ranking this type of data as most sensitive. The study also found that employees were more comfortable with a mobile device app tracking their device's location, than with an app accessing contact and browser information, being able to take pictures and video, and posting to social media. Theft of login credentials was considered the most serious threat to sensitive data, with disgruntled employees stealing data and phishing emails coming next. The findings give weight to the vital role employees play in a strong data privacy posture and the continuing need for privacy awareness training in protecting sensitive information.

    HELPNETSECURITY reports: "How much does the average employee know about data privacy?"

  • news

    Visible to the public "Further Details on Wipro Phishing Attack Revealed"

    More details have been shared by Flashpoint researchers, Jason Reaves, Joshua Platt, and Allison Nixon, pertaining to a phishing attack recently faced by the Indian IT consultancy firm, Wipro. Researchers have revealed that the perpetrators behind the launch of this phishing attack were able to access over 100 of Wipro's computers. The goal behind the attack appears to be to access gift card and rewards programs. This article continues to discuss the discoveries made by researchers surrounding the phishing attack experienced by Wipro.

    SC Media reports "Further Details on Wipro Phishing Attack Revealed"

  • news

    Visible to the public  "2 Million IoT Devices Vulnerable to Complete Takeover"

    More than two million Internet of Things (IoT) devices, including IP security cameras, baby monitors, and smart doorbells, have been discovered to be vulnerable to being hijacked by attackers. Through the take over of these devices, attackers would be able to spy on their owners. According to the security engineer, named Paul Marrapese, who discovered the flaws that would allow over two million IoT devices to be hijacked, these vulnerabilities derive from the peer-to-peer (P2P) communication technology used by all of these IoT devices, called iLnkP2P. This article continues to discuss the vulnerabilities, how IoT device users can find out if they are affected by these vulnerabilities, and what they should do if they are impacted, as well as past discoveries of security issues in surveillance cameras.

    Threatpost reports "2 Million IoT Devices Vulnerable to Complete Takeover"

  • news

    Visible to the public "Data Privacy Research Front and Center at Human Computer Interaction Event"

    There are studies that have been conducted by researchers at the University of Michigan that explore best practices for phishing warnings and the flaws associated with breach notifications. Findings of research on data breaches reveal that most data breach notifications are difficult to read and understand based on readability metrics and the language used in these notifications, which may contribute to the lack of action taken by consumers when they have experienced security breaches. In regard to phishing, researchers have found that forcing users to click on phishing warnings is the most effective away of alerting users of potentially suspicious links. This article continues to discuss the studies by the University of Michigan on data breaches and phishing.

    University of Michigan News report "Data Privacy Research Front and Center at Human Computer Interaction Event"

  • news

    Visible to the public "Flaws Left Unpatched, Unstopped Malware Contribute to Growing IoT Attacks"

    According to a recent Internet of Things (IoT) security report completed by F-Secure, many users and companies who use IoT devices, lack good password security or do not use passwords at all to protect the devices. Also many users and companies have unpatched vulnerabilities in software on their IoT devices. Week or no password security and unpatched vulnerabilities in software contributes to about 87 percent of all IoT attacks. It is important for businesses and users of Internet of Things devices to have strong password security, and should keep the software up to date so that the unpatched vulnerabilities on the devices are fixed. This will make Internet of Things devices more secure from attacks.

    ADTMAG reports: "Flaws Left Unpatched, Unstopped Malware Contribute to Growing IoT Attacks"

  • news

    Visible to the public "Researchers Explore Remote Code Injection in macOS"

    Code injection is a method that is frequently used by malware authors to conceal their malicious activities and circumvent security protections implemented on targeted systems. Research surrounding code injection methods usually explore the use of these methods on the Windows operating system. Therefore, a cybersecurity company, named Deep Instinct, decided to conduct code injection research with focus on macOS as this operating continues to grow in popularity. The code injection techniques tested by researchers can circumvent widely-used security tools for macOS. This article continues to discuss the remote code injection methods and custom-built Mach-O loader tested by researchers.

    Dark Reading reports "Researchers Explore Remote Code Injection in macOS"

  • news

    Visible to the public "Over 50% of Firms Have 1,000+ Exposed Files, Ghost Users, Stale Passwords"

    The analysis of data risk assessments carried out by data security company's Varonis' engineers, used 700 companies across 30 industries to perform their study. It was found that more than half of all companies leave over 1,000 sensitive files accessible to every single company employee, causing serious data risk. On average 22 percent of a company's folders were accessible to every employee. It was also found that, 61 percent of the companies had over 500 users with passwords that never expire, and 58 percent of companies contained over 1,000 stale user accounts. It is important for companies to put policies in place, to make sure that sensitive information is not stolen by hackers.

    Computer Business Review reports: "Over 50% of Firms Have 1,000+ Exposed Files, Ghost Users, Stale Passwords"

  • news

    Visible to the public "Chrome on Android: Phishing Attackers Can Now Trick You with Fake Address Bar"

    A new inception attack brings attention to the importance of displaying the URL bar on a mobile device as the possibility of phishing attackers abusing the concealment of the URL bar has been highlighted. According to a developer, named James Fisher, the Google Chrome feature for Android that enables more screen space by hiding information about the URL can be abused by a phishing attacker to trick users into thinking a phishing web page is a legitimate website. This article continues to discuss potentials ways in which this URL bar-concealing feature on Google Chrome for Android could be abused by phishing attackers and other Google features that were discovered to be exploitable by scammers.

    ZDNet reports "Chrome on Android: Phishing Attackers Can Now Trick You with Fake Address Bar"

  • news

    Visible to the public "Researchers Warn of Unpatched Vulnerability in Oracle WebLogic Server"

    Attackers' scans for the presence of a vulnerability in Oracle WebLogic servers have been detected by several security companies. According to researchers, the vulnerability that has not yet been patched is a deserialization bug that can be exploited by attackers to remotely execute code. Serialization refers to the process in which data is converted to a binary format in order for the data to be transmitted over the network safely. The process of deserialization coverts the serialized data back to its original format. This article continues to discuss the discoveries surrounding this vulnerability and the blacklist approach to fixing vulnerabilities.

    CSO Online reports "Researchers Warn of Unpatched Vulnerability in Oracle WebLogic Server

  • news

    Visible to the public "Exposed Database Reveals Details on Over 80 Million Us Households"

    Consumers' privacy has been invaded yet again as discovered by independent researchers led by Noam Rotem. The researchers discovered an unsecured databased stored on the cloud in which the details of more than 80 million U.S. households are exposed. The exposed database includes information such as names, ages, genders, income levels, and marital status. The owner of the database has not been identified by researchers yet. This incident further highlights issues in relation to cloud data storage. This article continues to discuss the unsecured database, the information that has been exposed by this database, the research behind this discovery, and other discoveries pertaining to organizations' unsecured databases.

    CNET reports "Exposed Database Reveals Details on Over 80 Million Us Households"

  • news

    Visible to the public "Attackers breached Docker Hub, grabbed keys and tokens"

    Docker, the company behind a popular virtualization tool, discovered that it had been breached by hackers. On Thursday, April 25th, 2019, the company discovered unauthorized access to a single Hub database storing a subset of non-financial user data. 190,000 accounts may have been exposed due to this breach. Data breached includes usernames, hashed passwords, and Github and Bitbucket tokens for Docker autobuilds. The attackers were most likely after the tokens and access keys, which then will allow them to access companies' critical code repositories and inject malicious code in auto-built containers. This breach in tokens also can affect companies that do not use Docker Hub, but whose developers might have used Docker with GitHub integration.

    HELPNETSECURITY reports: "Attackers breached Docker Hub, grabbed keys and tokens"