News Items

  • news

    "Browser Zero Day: Update Your Firefox Right Now!"

    Researchers have found a flaw in Firefox 72 just two days after it was released. The issue researchers identified is called CVE-2019-17026. CVE-2019-17026 is a type confusion bug affecting Firefox's IonMonkey JavaScript Just-in-Time (JIT) compiler. The JIT compiler takes JavaScript source code and converts it to executable computer code for the JavaScript to run directly inside Firefox as if it were a built-in part of the app. The problem is fixed, and Firefox urges users to download the newest update to fix the issue.

    Naked Security reports: "Browser Zero Day: Update Your Firefox Right Now!"

  • news

    "These Hacking Groups Are Eyeing Power Grids, Says Security Company"

    In a report, titled The North American Electric Cyber Threat Perspective, released by the cybersecurity company, Dragos, security researchers discuss the rise in threats to electric utilities in North America stemming from political and military tensions. The energy infrastructure is at risk, as indicated by the observation of multiple intrusions into industrial control system (ICS) networks. According to the report, security researchers are tracking seven hacking groups, three of which have demonstrated the capability to invade and disrupt the operation of power grids. The three hacking groups are known as Xenotime, Dymalloy, and Electrum. Security experts suggest following security practices such as segmenting networks, installing security patches, and using strong passwords to improve the security of ICS networks. This article continues to discuss the increase in cyber threats against electricity grids, three hacking groups capable of disrupting power grids across the US, and how ICS networks can be protected against cyberattacks.

    ZDNet reports "These Hacking Groups Are Eyeing Power Grids, Says Security Company"

  • news

    "Attackers Invent New Evasion Techniques to Conceal Web Skimmer Activity"

    A security researcher at Malwarebytes recently reported the discovery of the first payment card skimmer to use steganography to evade detection. There has been an increase in the use of steganography to hide and deliver malicious data. Digital steganography refers to the covert communication of data via unsuspected formats such as image files, video clips, and audio files. Steganography differs from cryptography because the method hides the communication of data in addition to the data itself. The skimmer found by the researcher used an image of a free shipping ribbon commonly seen on shopping sites to conceal malicious JavaScript code. According to the same security researcher, some digital attackers are now using the WebSockets communications protocol instead of HTML to exchange data with skimmers, using a single TCP connection. This article continues to discuss the discovery of a payment card skimmer and its use of steganography, as well as the increased use of new techniques for web skimmers and how security professionals can defend against evasive attacks.

    Security Intelligence reports "Attackers Invent New Evasion Techniques to Conceal Web Skimmer Activity"

  • news

    "Facebook Moves to Detect and Remove Deepfake Videos"

    The social media giant, Facebook, recently announced its plan to ban deepfake videos. Deepfakes are fake videos, photos, and audio recordings that cannot easily be distinguished by humans from authentic ones. Generative adversarial networks are used to develop deepfakes. Monika Bickert, Facebook's vice-president for global policy management, expressed the threat posed by deepfakes to the social media industry and society as a whole. Bickert stated that any video that has been created through the use of AI or machine learning to make it appear authentic would be removed. However, this policy does not apply to content created for the purpose of parody or satire, and videos edited to remove or change the order of words. This article continues to discuss the new policy that will be enforced by Facebook to detect and remove deepfake videos.

    Infosecurity Magazine reports "Facebook Moves to Detect and Remove Deepfake Videos"

  • news

    "TikTok Riddled With Security Flaws"

    Security researchers at Check Point recently discovered several security vulnerabilities in the popular Chinese-owned platform used for short-form mobile videos, TikTok. According to researchers, one of the vulnerabilities found in the platform could be exploited by hackers to allow them to hijack parts of a user's TikTok account remotely. Hackers could perform activities such as upload or delete videos, as well as alter video settings to change videos from being hidden to being exposed to the public. The exploitation could also allow hackers to send an SMS invite message to a victim, making it possible to send links that redirect users to malicious websites. Another vulnerability could allow hackers to collect personal information belonging to users, such as their email addresses. This article continues to discuss the popularity of the video-sharing app, the vulnerabilities found in the app by researchers, and the response to these findings by TikTok.

    Threatpost reports "TikTok Riddled With Security Flaws"

  • news

    "New Standards Set to Reshape Future of Email Security"

    Email remains one of the most popular attack vectors used by hackers. Phishing and email-based malware still pose significant threats to the communications medium. According to recent studies, more than 90% of all cyberattacks have involved email. Therefore, the email industry is developing standards to address the most notable weakness of email, which is the ability to send email as someone else. The weak sender identity model has increased the performance of spoofing. A research report from Valimail reveals that an estimated 6.4 billion spoofed emails are distributed every day, calling for the implementation of stronger sender identity protections. There are four new standards aimed at strengthening sender identity and email security. These standards include Domain-based Message Authentication, Reporting & Conformance (DMARC) 2.0, Brand Indicators for Message Identification (BIMI), AMP, Schema.org, STARTTLS, and MTA Strict Transport Security (MTA-STS). This article continues to discuss the significant role of email in the execution of cyberattacks and new standards set to improve email security.

    Dark Reading reports "New Standards Set to Reshape Future of Email Security"

  • news

    "Smartphone Analysis & Stats: Personal Use Leaves Work Smartphones Hackable"

    Researchers studied which mobile phone brands and smartphone applications were targeted the most in the United Kingdom during 2019. The data was collected by analyzing monthly Google search data from 2019 on how many British users were searching for methods to hack different apps and phone brands. The researchers found that the iPhone was the most targeted phone brand (10,040 searches), and Samsung came a distant second (700 searches). At the same time, Instagram was the most targeted application (12,410 searches), followed by Snapchat (7,380 searches) and WhatsApp (7,100 searches). The researchers also discovered that iPhone owners are 167 times more at risk of people trying to hack them than owners of other phone brands. The Instagram app is also 16 times more at risk of getting hacked than the Netflix application.

    SC Media reports: "Smartphone Analysis & Stats: Personal Use Leaves Work Smartphones Hackable"

  • news

    "DHS Tells U.S. Organizations to Clamp Down on Cybersecurity in Wake of Soleimani Killing"

    The Department of Homeland Security (DHS) on Monday issued a statement meant for U.S. companies and government agencies about securing their computer networks following the killing last week of a top Iranian general. Iran has considerable capabilities when it comes to cyberattacks. Iran and its proxies have a history of conducting disruptive and destructive cyber operations against strategic targets, including finance, energy, and telecommunications organizations. This year they have had an increased interest in industrial control systems and operational technology.

    CyberScoop reports: "DHS Tells U.S. Organizations to Clamp Down on Cybersecurity in Wake of Soleimani Killing"

  • news

    "The Psychology of Ransomware"

    According to recent studies, ransomware attacks are growing in sophistication and cost. Organizations must go beyond the exploration of technicalities of ransomware to bolster their security posture against such attacks. Security experts encourage organizations to delve deeper into the psychological nature of ransomware attacks. Organizations should be examining the factors that lead users to opening emails, links, or attachments sent from unknown entities despite their awareness of attacks that can be performed via these mediums. There are psychological factors that hackers abuse in the execution of ransomware attacks, which include compassion, helplessness, humiliation, and responsibility. This article continues to discuss the rise in ransomware attacks and the psychological factors that have led to the success of these attacks.

    SC Magazine reports "The Psychology of Ransomware"

  • news

    "DHS, GSA Propose Centralized Vulnerability Disclosure Platform"

    The Department of Homeland Security (DHS) and the General Services Administration (GSA) recently issued a request for information, asking for feedback on how to set up a cloud-based centralized vulnerability disclosure platform for the federal government. The platform will facilitate the submission of vulnerabilities found in government agencies' internet-accessible systems by security researchers. The central platform will also track and validate incoming reports as well as allow web-based communication between reporters and agencies in efforts to remediate vulnerabilities. The system is essential as most federal agencies do not have formal mechanisms in place to receive reports from security researchers on potential security vulnerabilities contained by their systems. This article continues to discuss the proposed centralized vulnerability disclosure platform, the lack of defined strategies for managing vulnerability disclosure reports in most federal agencies, and concerns about the legal protection of security researchers.

    FCW reports "DHS, GSA Propose Centralized Vulnerability Disclosure Platform"

  • news

    "Is the Inability to Baseline Systems Crippling Cybersecurity Progress and Oversight?"

    Due to a lack of visibility into an organization's security posture, it is difficult for government leaders to make decisions as to how defenses are prioritized. Government leaders rely on audit results to prioritize defenses. However, a more proactive approach to measuring and prioritizing risk is needed to help defenders figure out which areas to focus on securing. Baselining is a method that establishes what is known about a network or system, allowing defenders to detect abnormalities possibly caused by an attempted attack quickly. Although most agencies recognize the importance of baselining as a security control, the attention commanded by other more basic controls such as vulnerability scanning, asset discovery, and more, hinders the practice of baselining. Also, security leaders often get distracted by emerging technologies. This article continues to discuss the concept of baselining, the importance of this practice, why most agencies fail to practice baselining, and how agencies can start to baseline effectively.

    GCN reports "Is the Inability to Baseline Systems Crippling Cybersecurity Progress and Oversight?"

  • news

    Cybersecurity Snapshots #1 - Phishing Attacks Are Becoming More of a Problem for Organizations

  • news

    "Automotive Cybersecurity Incidents Doubled in 2019, up 605% Since 2016"

    The number of automotive cybersecurity incidents has increased dramatically. Since 2016, the number of annual incidents against automobiles has increased by 605%, with incidents more than doubling in the last year alone. The top three attack vectors over the past 10 years include keyless entry systems (30%), backend servers (27%), and mobile apps (13%). The top three impacts of automotive cybersecurity incidents over the past ten years were car thefts/break-ins (31%), control over car systems (27%), and data/privacy breaches (23%). Most of the automotive cybersecurity incidents that occurred in 2019 were caused by remote attacks (82%).

    Help Net Security reports: "Automotive Cybersecurity Incidents Doubled in 2019, up 605% Since 2016"

  • news

    SoS Musings #32 - Neurodiversity in Cybersecurity

  • news

    "Planning for 2020? Here Are 3 Cybersecurity Trends to Look Out For"

    Cyber professionals should be prepared to address three major cybersecurity trends in 2020. These trends include the consideration of cyber risks by financial investors, the increase in blunt-force attacks, and the adoption of cyber insurance policies by more companies. Investors will pay closer attention to the security of companies before investing in them. More hackers will use less complicated strategies to perform attacks, such as infiltrating a network via a third-party instead of exploiting zero-day vulnerabilities. Cyber insurance plans will be a more significant part of their cyber plans as cyberattacks grow in frequency and impact. This article continues to discuss the critical security trends cyber professionals should be on the lookout for in order to alter their cybersecurity plans and operations accordingly.

    Help Net Security reports "Planning for 2020? Here Are 3 Cybersecurity Trends to Look Out For"

  • news

    Cyber Scene #39 - The Future is Looking Up

  • news

    "FBI Warns U.S. Companies About Maze Ransomware, Appeals for Victim Data"

    The FBI is warning U.S. companies about a new series of ransomware attacks using Maze ransomware. The adversaries conducting the ransomware attacks sometimes pose as government agencies. The adversaries steal companies' data, then encrypt the data and demand a ransom. The new ransomware Maze uses multiple methods for intrusion. Sometimes adversaries create malicious lookalike cryptocurrency sites, and other times the adversaries conduct malspam campaigns, impersonating government agencies and well-known security vendors.

    CyberScoop reports: "FBI Warns U.S. Companies About Maze Ransomware, Appeals for Victim Data"

  • news

    Spotlight on Lablet Research #1 - Analytics for Cyber-Physical Systems Cybersecurity

    Project: Analytics for Cyber-Physical Systems Cybersecurity

    Lablet: Vanderbilt University
    Participating Sub-Lablet: Massachusetts Institute of Technology

    Mounting concerns about safety and security have resulted in an intricate ecosystem of guidelines, compliance measures, directives and policy reports for cybersecurity of all critical infrastructure. By definition, such guidelines and policies are written in linear sequential text form that makes them difficult to integrate, or to understand the policy-technology-security interactions, thus limiting their relevance for science of security. The challenges are to develop a structured system model from text-based policy guidelines and directives in order to identify major policy-defined system-wide parameters, situate vulnerabilities, map security requirements to security objectives, and advance research on how multiple system features respond to diverse policy controls to strengthen the security of fundamentals in cyber-physical systems.

  • news

    "Google Chrome Impacted by New Magellan 2.0 Vulnerabilities"

    Researchers have discovered a new set of SQLite vulnerabilities that can allow attackers to run malicious code inside Google Chrome remotely. A total of 5 vulnerabilities were found, and they were named Magellan 2.0. All apps that use an SQLite database are vulnerable to Magellan 2.0; however, the danger of "remote exploitation" is smaller than the one in Chrome, where a feature called the WebSQL API exposes Chrome users to remote attacks. The vulnerabilities could allow a malicious website to run malicious code against its Chrome visitors. The researchers who discovered the vulnerabilities notified Google and the SQLite team of these issues. Google Chrome fixed the vulnerabilities with the new Google Chrome update, and the SQLite project fixed the vulnerabilities in a series of patches they completed.

    ZDNet reports: "Google Chrome Impacted by New Magellan 2.0 Vulnerabilities"

  • news

    "Interest in Cybersecurity Needs to Start at Top, New Research Argues"

    Despite the increase in cyberattacks against US towns, cities, and counties, local governments are still not prepared to address cyber threats. A new paper, titled Managing Cybersecurity at the Grassroots: Evidence from the First Nationwide Survey of Local Government Cybersecurity, developed by professors at the University of Maryland, Baltimore County discusses the results of a survey to which local governments responded, sharing their insight and experiences regarding the frequency of attacks against their networks, employee cybersecurity training, and institutional support. Although almost 50% of government organizations that participated in the survey face an attack on their network at least once a day, only a few manage cybersecurity risks effectively. The researchers suggest the need for more support from elected officials and other top managers in efforts to strengthen local government cybersecurity. This article continues to discuss key findings from the survey regarding the frequency of cyberattacks on local governments, the adoption of cybersecurity tools, security awareness training for employees, and the need for executive interest in cybersecurity.

    StateScoop reports "Interest in Cybersecurity Needs to Start at Top, New Research Argues"

  • news

    "Deepfakes Pose New Security Challenges"

    Security experts expect deepfakes to pose a greater threat to cybersecurity in 2020. This expectation derives from the increasing implementation of biometrics to identify and authenticate a person. Deepfakes are fake, realistic-looking images, text, and video generated using a technique called a generative adversarial network (GAN). Researchers at McAfee stress that true facial recognition will be difficult to accomplish due to the continued advancement of deepfakes. According to researchers, improvements made to the execution of deepfakes will allow cybercriminals to more effectively perform activities such as impersonating a person to steal money, igniting information warfare, and more. This article continues to discuss the concept of deepfakes, the threat posed by deepfake attacks, the vulnerability of facial recognition systems, and the current limitations of deepfake technology.

    Security Boulevard reports "Deepfakes Pose New Security Challenges"

  • news

    "How AI and Cybersecurity Will Intersect in 2020"

    Artificial intelligence and machine learning technologies (AI/ML) are expected to grow in sophistication and application in the cybersecurity field as well as in the realm of business. However, the growth of these advanced technologies will be accompanied by new risks and threats as adversaries also apply AI/ML in the performance of attacks or exploit the vulnerabilities in AI/ML technologies. CISOs and security professionals must continue exploring AI/ML technologies regarding the new risks and threat models that will emerge when these technologies are applied. It is also important to discover new areas of expertise and security solutions that will be needed with the increased implementation of AI/ML technologies. The security industry needs to be aware of the different attacks that can be executed against AI/ML models such as data poisoning as well as the malicious activities that can be powered by AI/ML such as the creation of deepfakes. This article continues to discuss the growth in AI/ML and the threats posed by these technologies that the security industry should look out for.

    Dark Reading reports "How AI and Cybersecurity Will Intersect in 2020"

  • news

    "267 Million Facebook Users Exposed in Accessible Database"

    Comparitech and security researcher, Bob Diachenko, discovered an unsecured Elasticsearch database online, which exposed sensitive information belonging to more than 267 million Facebook users, most of which reside in the US. The personal data exposed by the easily accessible database includes user IDs, phone numbers, and names. The internet service provider (ISP) managing the IP address of the server in which the database was stored, removed access to the data. However, researchers found that the data was already available to cybercriminals on a hacker forum as the database was exposed for two weeks prior to its removal. Evidence suggests that the data was collected as a part of an illegal scraping operation or through the abuse of the Facebook application programming interface (API). This article continues to discuss the discovery of an unprotected database that exposed information on over 267 million Facebook users, the type of information contained by the database, how cybercriminals may have stolen the data, and how this data can be used.

    Security Week reports "267 Million Facebook Users Exposed in Accessible Database"

  • news

    "Microsoft Seizes Network of 50 Domains From Hacker Group With Ties to North Korea"

    Microsoft has seized 50 websites that were being used by North Korean hacker group Thallium to target government employees, universities, human rights organizations, and nuclear proliferation groups in the U.S., Japan, and South Korea. The hacking group was using the network of websites, domains, and connected computers to send out spear-phishing emails. When a target clicked on a link in the email, the hackers then, in some cases, compromised the user's online accounts, infected their computers, compromised the security of their networks, and stole sensitive information.

    GeekWire reports: "Microsoft Seizes Network of 50 Domains From Hacker Group With Ties to North Korea"

  • news

    "2019: The Year Ransomware Targeted State & Local Governments"

    In 2019, ransomware wreaked havoc on governments, hospitals, schools, and more, causing significant disruptions to operations and impacting finances. The most notable ransomware incidents of 2019 include those faced by Baltimore, Louisiana state government agencies, 22 Texas cities, and the DCH Health System in Alabama. Some governments and hospitals decided to pay ransomware attackers due to the criticality of their services. However, federal authorities have suggested that victims of such attacks do not give in to hackers' demands for ransom payments, as it would encourage the execution of more ransomware attacks. This article continues to discuss the ransomware attack trends observed in 2019 and what security industry experts expect to see in 2020 in regard to ransomware, as well as other 2019 cybersecurity highlights.

    GovTech reports "2019: The Year Ransomware Targeted State & Local Governments"

  • news

    "The State of Continuous Diagnostics and Mitigation"

    It is important that federal organizations successfully implement continuous diagnostics and mitigation (CDM) capabilities as hackers continue to execute increasingly sophisticated cyberattacks involving advanced technologies such as automation and artificial intelligence. Cyberattacks on federal agencies pose a significant threat to national security. The Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) was established in 2013 to help federal agencies improve their security posture by providing cybersecurity tools. However, many agencies are still struggling to implement CDM capabilities because they lack visibility of their cyber terrain. In order for agencies to protect their data, they need to understand their assets, network terrain, threats targeting their environments, the location of their sensitive data, and more. This article continues to discuss the CDM program, the Homeland Security's .gov Cybersecurity Architecture Review program, the challenges faced by agencies in the implementation of CDM capabilities, and what agencies must understand to protect their data.

    NextGov reports "The State of Continuous Diagnostics and Mitigation"

  • news

    "Wyze: Data Leak Exposes 2.4 Million Customers"

    The company Wyze discovered that two databases were not appropriately secured between December 4th and December 27th. Information of 2.4 million customers with home security systems was exposed. User data relating to Wi-Fi service set identifiers, device information, body metrics, Alexa integration tokens, and email addresses was exposed. Passwords, government-issued identification, and financial information were not exposed. Since discovering the databases, Wyze has secured those databases and is conducting an investigation.

    PCMag reports: "Wyze: Data Leak Exposes 2.4 Million Customers"

  • news

    "Maastricht University Ransomware Attack: All Systems Blacked-Out"

    Maastricht University in the Netherlands was recently hit by a major ransomware attack that took down almost all of its Windows systems and impacted the email services used by the University, inconveniencing both students and staff. The University responded to the incident by disabling all its systems, reporting it to the police and getting help from specialists on the staff and external specialists in the cybersecurity field. As of yet, the type of ransomware executed in this attack has not been disclosed. The Australian National University faced a similar incident in which students' sensitive information such as their names, addresses, personal email addresses, bank account details, tax file numbers, and more were exposed. This article continues to discuss the ransomware attack faced by Maastricht University, the response to this incident, and the major data breach experienced by the Australian National University.

    CISOMAG reports "Maastricht University Ransomware Attack: All Systems Blacked-Out"

  • news

    "Uninstall This Alleged Emirati Spy App From Your Phone Now"

    US intelligence officials urge those that downloaded the social messaging app, ToTok, to uninstall the app immediately as it is supposedly a surveillance tool used by the government of the United Arab Emirates to collect data. In response to this discovery, Google and Apple have removed the app from their stores. However, if the app is already on a user's phone, it will continue functioning and possibly performing espionage for the UAE government. ToTok was ranked as the most popular app in many regions with 7.5 million downloads on Google Play and 2.3 million downloads on Apple's App Store. Patrick Wardle, a security researcher at Jamf, conducted a technical analysis of ToTok, revealing that the app continuously runs in the background. With permission, the app also accesses users' microphones, location data, photos, contacts, and more. This article continues to discuss the ToTok messaging app's alleged use as an espionage tool, in addition to its features and supposed links.

    Wired reports "Uninstall This Alleged Emirati Spy App From Your Phone Now"

  • news

    "Closing a Critical Gap in Cybersecurity"

    The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) was established as the nation's risk adviser to work with different entities within the realms of government and industry to strengthen the country's cybersecurity. One of the principal responsibilities of the agency is to protect U.S. critical infrastructure from cyberattacks by sharing cyber threat information with public and private entities. According to the CISA's first director, Christopher Krebs, the agency discovered the exposure of industrial control systems (ICS), including those used for water pumps, emergency management equipment, and a natural gas facility, to the public Internet. However, the identity of the owner or operator of these vulnerable systems is often unable to be determined by the CISA due to current laws that limit information-sharing by internet service providers (ISPs). The inability to identify the owner or operator of a vulnerable system makes it difficult to address vulnerabilities as those behind the operation of these systems would need to be contacted and advised on how to mitigate the vulnerabilities. This article continues to discuss the CISA's role and responsibilities, as well as the challenges the agency faces in protecting the nation's critical infrastructure.

    Homeland Security News Wire reports "Closing a Critical Gap in Cybersecurity"

  • news

    "Thai Officials Say Prison Cameras Were Hacked, Broadcast"

    An incident in which prison cameras were hacked is being investigated by authorities in Thailand. According to the Thai officials, a hacker was able to compromise the security camera system at Lang Suan Prison in the southern province of Chumphon and broadcast live surveillance video from the cameras, showing the prisoners performing different activities. The incident brings further attention to the importance of addressing the security vulnerabilities contained by Internet of Things (IoT) devices. This article continues to discuss the incident and how Thai officials have responded.

    The New York Times reports "Thai Officials Say Prison Cameras Were Hacked, Broadcast"

  • news

    "Mobile Devices Blur Work and Personal Privacy Raising Cyber Risks"

    The Bring Your Own Device (BYOD) culture is increasingly being adopted by enterprises to allow employees to use their laptops, smartphones, tablets, and other personal devices for work. Although this culture boosts productivity, it introduces privacy and security challenges. Dr. Kenan Degirmenci from the Queensland University of Technology's Science and Engineering Faculty's School of Information Systems conducted research in which he further highlights how far behind organizations are in addressing the cybersecurity threats posed by the BYOD culture. Organizations are recommended to implement policies to protect employees' data and usage, as well as increase efforts to bolster BYOD security management. This article continues to discuss Dr. Degirmenci's research on BYOD cultures in different countries and the cyber risks associated with this growing trend.

    Science Daily reports "Mobile Devices Blur Work and Personal Privacy Raising Cyber Risks"

  • news

    "Only 54% of Security Pros Have a Written Policy on Length and Randomness for Keys for Machine Identities"

    In a new survey of 1500 IT security professionals, researchers discovered that about half (54%) of organizations have a written policy on length and randomness for keys for machine identities, but 85% have a policy that governs password length for human identities. The researchers also found out that less than half (49%) of organizations audit the length and randomness of their keys, while 70% do so for passwords. Only 55% of organizations have a written policy stating how often certificates and private keys should be changed, while 79% have the equivalent policy for passwords. Out of the 1500 participants, only 42% of organizations they worked for automatically enforce the rotation of TLS certificates, compared with 79% that automatically enforce the rotation of passwords.

    Help Net Security reports: "Only 54% of Security Pros Have a Written Policy on Length and Randomness for Keys for Machine Identities"

  • news

    Visible to the public "Looking Ahead to 2020 Cybersecurity Trends and a New Decade"

    New cybersecurity threats, risks, and incidents will emerge in the coming year. Security professionals are encouraged to further examine the cybersecurity trends observed this year to prepare for what's to come in 2020. According to security experts, deepfakes are considered one of the top cybersecurity threats to look out for in 2020. Deepfakes are fake photos, videos, and audio recordings generated through the use of artificial intelligence (AI). Researchers pointed out that deepfakes pose a significant threat as they can be used in disinformation campaigns, social media manipulation, and business fraud. In a report released by Forrester Research, titled Predictions 2020: Cybersecurity, it is predicted that deepfakes will cost businesses over a quarter of a billion dollars. Ransomware is also expected to increase in the new year, continuing to be targeted at enterprises, hospitals, utilities, and governments. This article continues to discuss the predicted rise in deepfakes, ransomware, and phishing attacks in 2020, as well as consumers' cybersecurity expectations and how enterprises can prepare for 2020 cybersecurity trends.

    Security Intelligence reports "Looking Ahead to 2020 Cybersecurity Trends and a New Decade"

  • news

    Visible to the public Pub Crawl #33


    Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    Visible to the public "Ransomware Situation Goes From Bad to Worse"

    Ransomware was a big issue for organizations in 2019. Researchers are predicting that the number of ransomware attacks will increase in 2020. Ransomware attackers were frequently successful in 2019 because criminal groups started to collaborate. Once criminal groups with different specialties started to collaborate, the distribution of ransomware became much easier.

    Dark Reading reports: "Ransomware Situation Goes From Bad to Worse"

  • news

    Visible to the public "Peters, Scott Introduce Bipartisan Legislation to Protect K-12 School Systems from Cyber-Attacks"

    U.S. Senators Gary Peters (D-MI) and Rick Scott (R-FL) introduced bipartisan legislation aimed at helping K-12 educational institutions strengthen their cybersecurity systems. The two Senators stressed the importance of the K-12 Cybersecurity Act of 2019 as schools across the nation are struggling to protect the large amounts of personal data belonging to students and faculty due to a lack of resources and awareness for preventing cyberattacks on school systems. The K-12 Cybersecurity Act of 2019 directs the Department of Homeland Security (DHS) to take part in the assessment of risks and challenges faced by schools when securing their systems. The proposed legislation also directs DHS's Cybersecurity and Infrastructure Security Agency (CISA) to develop cybersecurity recommendations and other resources that can be used by schools to improve their cybersecurity systems. The enforcement of the bill would help bolster schools' cybersecurity defenses against cyberattacks such as ransomware attacks, which have been increasingly targeted at educational institutions. This article continues to discuss the goal, requirements, and support of the bill, as well as the importance of government collaboration to address the rise in cyberattacks on schools.

    The U.S. Senate Committee on Homeland Security & Governmental Affairs reports "Peters, Scott Introduce Bipartisan Legislation to Protect K-12 School Systems from Cyber-Attacks"

  • news

    Visible to the public "New Security System to Revolutionize Communications Privacy"

    Researchers at the University of St Andrews, King Abdullah University of Science and Technology (KAUST) and the Center for Unconventional Processes of Sciences (CUP Sciences) have developed a new security system said to be uncrackable by hackers. The system proposed by the team of scientists aims to bolster the privacy of communications through the use of inexpensive, electronic-compatible optical chips. The silicon chips used in the system allow information to be sent in a one-time key that cannot be recovered or intercepted by attackers. According to researchers, the system addresses the threat posed by quantum computers, which are expected to crack current communication methods in the future. The keys generated by the optical chips to unlock messages are never stored or communicated with the message. Additionally, the keys cannot be recreated by the users, which adds another layer of security. This article continues to discuss the new uncrackable security system that strengthens communications privacy and how the method used in this system is an improvement over current standard cryptographic techniques.

    The University of St Andrews reports "New Security System to Revolutionize Communications Privacy"

  • news

    Visible to the public "Detecting Backdoor Attacks on Artificial Neural Networks"

    A team of researchers at Duke Engineering's Center for Evolutionary Intelligence has made an advancement in the detection of backdoor attacks against machine learning models. The execution of backdoor attacks involves poisoning the data fed to a machine learning model so that the model produces incorrect output or predictions. For example, a model can be taught by an attacker to label anyone wearing a black-and-white cap as "Frank Smith". According to researchers, these types of backdoors are hard to detect because the shape and size of their triggers can be designed by attackers. These triggers can be a hat, flower, or other harmless-looking objects. The team's software identifies backdoor triggers by finding out the class in which the trigger was injected, where the trigger was placed, and the form of the trigger. This article continues to discuss the concept of backdoor attacks on artificial neural networks, the significant threat posed by such attacks, and the software developed by the Duke team to identify backdoor triggers.

    Duke reports "Detecting Backdoor Attacks on Artificial Neural Networks"

  • news

    Visible to the public "FBI Warns Against Using Free WiFi Networks While Traveling"

    The FBI is warning people traveling this holiday season of the dangers of using free WiFi networks, such as those in hotels or airports. Connecting to a free WiFi network can allow an adversary to load malware, steal the user's passwords and PINs, or take remote control of the user's contacts and camera. If you do use a public WiFi network, do not use it to view or log in to anything that could contain sensitive information, such as bank accounts.

    ZDNet reports: "FBI Warns Against Using Free WiFi Networks While Traveling"

  • news

    Visible to the public "Twitter Warns Millions of Android App Users to Update Immediately"

    Twitter discovered a flaw in its Android application that could let hackers see users' "nonpublic account information" and commandeer their accounts to send tweets and direct messages. The hacker who found the flaw could also access data like location information and protected tweets. Twitter's iOS application does not have this flaw. Twitter patched the vulnerability in a new update. Android users need to update the application to the newest version. There is currently no evidence to suggest any bad actors have exploited this vulnerability.

    Gizmodo reports: "Twitter Warns Millions of Android App Users to Update Immediately"

  • news

    Visible to the public "Wawa Reveals Massive Data Breach"

    Wawa locations have been affected by a data breach. The breach was discovered on December 10, 2019, contained by December 12, 2019, and has potentially affected all Wawa locations beginning at different points in time after March 4, 2019. The data breach affected credit and debit card numbers, expiration dates, and cardholder names for potentially all purchases made in Wawa locations and at fuel dispensers. No other personal information, such as PIN numbers, credit card CVV2 numbers, or driver's license information, was accessed.

    Business Insider reports: "Wawa Reveals Massive Data Breach"

  • news

    Visible to the public "Seizure-Triggering Attack Is Stark Example of How Social Media Can Be Weaponized"

    Attackers sent GIFs and videos to followers of the Epilepsy Foundation's Twitter account, showing flashing strobe lights in an attempt to cause those with the condition to have seizures. The attackers sent the GIFs and videos to followers, using the foundation's Twitter handle and hashtags, during National Epilepsy Awareness Month. Although this activity does not have the traditional characteristics of a cyberattack in that users were not tricked into clicking malicious links or websites, and the Twitter account did not get hacked, such attacks would still be considered cyberattacks. These attacks show that the normal functions of an online platform can be used to execute attacks designed to cause physical harm to targets. This article continues to discuss the seizure-triggering attacks performed on Twitter, how the social media platform responded to the attacks, and another cyber incident in which a strobe light GIF was sent to a journalist with epilepsy.

    CyberScoop reports "Seizure-Triggering Attack Is Stark Example of How Social Media Can Be Weaponized"

  • news

    Visible to the public "Attackers Using Taylor Swift Image to Hide Malware Payloads"

    Security researchers at Sophos have discovered the use of steganography techniques by a hacking group named MyKingz. Steganography is an ancient practice in which messages are communicated via formats that conceal the delivery of the messages. Cybercriminals have been using steganography techniques to hide malicious data or malware in image files, video clips, audio files, and other innocuous-looking formats. The MyKingz group is applying steganography by using a JPEG image of Taylor Swift to hide a malicious EXE file. According to researchers, the group has been targeting Windows systems to execute cryptojacking attacks. This article continues to discuss the concept of steganography, the use of this technique by the MyKingz group, and other notable attacks in which steganography methods were used.

    CISOMAG reports "Attackers Using Taylor Swift Image to Hide Malware Payloads"

  • news

    Visible to the public "Ransomware 'Crisis' in US Schools: More Than 1,000 Hit So Far in 2019"

    Many hackers target school organizations. The main form of attack used against schools is ransomware. New data due to be published today by security firm Armor concludes that a total of 72 US school districts so far have suffered ransomware attacks this year, which means the number of victimized schools could be at 1,040 to date. Even more unnerving: 11 of those school districts, home to 226 schools, have been attacked just since late October.

    Dark Reading reports: "Ransomware 'Crisis' in US Schools: More Than 1,000 Hit So Far in 2019"

  • news

    Visible to the public "'Inconsistent and Misleading' Password Meters Could Increase Risk of Cyber Attacks"

    A study conducted by Steve Furnell, Professor of Information Security and leader of the Centre for Security, Communications and Network Research (CSCAN) at the University of Plymouth, explored the effectiveness of password meters. Password meters are supposed to guide users in the creation of strong passwords to bolster the security of their accounts and personal data. However, the assessment of 16 commonly used password meters revealed that their effectiveness varies, as some push for the creation of more complex passwords, while other meters allow significantly weak passwords. In addition to examining the effectiveness of dedicated password meter websites, the study also assessed meters embedded in Dropbox, Reddit, and other common online services, as well as those used by some devices. This article continues to discuss the study and its key findings surrounding password meters.

    The University of Plymouth reports "'Inconsistent and Misleading' Password Meters Could Increase Risk of Cyber Attacks"

  • news

    Visible to the public "Brainwave Devices Can Leak Sensitive Medical Conditions and Personal Information"

    Brain-computer interfaces (BCI) are devices that allow people to use their brain activity to control their computers. A study conducted by UAB (University of Alabama at Birmingham) researchers on the privacy of BCI devices found that these devices can reveal a user's personal information and privacy-sensitive medical conditions such as their age and whether they have an alcohol use disorder (AUD). It was discovered that access to the brainwave signals recorded by BCI devices is not controlled. BCI devices' lack of control over access to brainwave signals can allow attackers to use malicious apps or websites to record a user's brainwaves as they browse the internet. The researchers designed an attack, called Hemorrhage, to analyze brainwave signals captured when a user views an image or video to determine whether they have an AUD and belong in a certain age group. This article continues to discuss the use of BCI headsets, as well as the study and its findings on the privacy of these devices.

    UAB reports "Brainwave Devices Can Leak Sensitive Medical Conditions and Personal Information"

  • news

    Visible to the public "Hacking and Malware Cause 75% of all Data Breaches in the Financial Services Industry"

    Financial services firms accounted for 6 percent of all breaches in 2019. In total, more than 60% of all leaked records in 2019 were exposed by financial services organizations, partly due to the Capital One mega breach, which compromised more than 100 million records. Despite this outlier, average breaches in financial services companies still tend to be more significant and more detrimental than other sectors' breaches. Hacking and malware remain the primary cause of data breaches in financial services at 74.5%.

    Help Net Security reports: "Hacking and Malware Cause 75% of all Data Breaches in the Financial Services Industry"

  • news

    Visible to the public "Visa Warns Against New PoS Attacks, Fin8 Fingered As the Culprit"

    Visa's Payment Fraud Disruption department identified three separate attacks on point-of-sale (PoS) systems used by gas stations and hospitality merchants. According to the credit card company, these attacks began last summer. These attacks aimed to steal payment card data. One attack was executed through a phishing attack on a company employee. The success of the phishing attack led to the installation of a remote access trojan, which then allowed cybercriminals to move laterally through a network to the PoS system. In another attack, criminals were able to compromise the PoS environment by accessing the company network using a RAM scraper and an unknown method. Findings from the analysis of the malware used in these attacks suggest that FIN8, a financially-motivated hacking group, is likely the perpetrator. This article continues to discuss the new PoS attacks and the supposed group behind the launch of these attacks.

    SC Magazine reports "Visa Warns Against New POS Attacks, Fin8 Fingered As the Culprit"

  • news

    Visible to the public "Your Car May Be Vulnerable to Cyberattacks – Even the Smartest of Smart Cars Have Issues"

    While smart cars offer unique benefits, they also introduce significant security risks that have the potential to lead to loss of life. As vehicles increase in connectivity to the internet, they become more vulnerable to being hacked, manipulated, and disabled. The presence of vulnerabilities in connected vehicles creates more opportunities for cybercrime. A study conducted by researchers at Michigan State University explores automotive cybersecurity through the lenses of criminal justice theory and social sciences as such aspects are often under-examined. The study calls for automotive and equipment manufacturers to be active guardians in the cybersecurity of smart cars by constantly applying system patching updates, writing new code, and more. Automotive manufacturers need to be as active as smartphone manufacturers in the release of security updates to connected vehicles. This article continues to discuss key findings of the study and suggestions on how to improve automotive cybersecurity.

    SciTechDaily reports "Your Car May Be Vulnerable to Cyberattacks - Even the Smartest of Smart Cars Have Issues"