News Items

  • news

    Open for Nominations!

    The 8th Annual Best Scientific Cybersecurity Paper Competition is now open for nominations. This year's nominating period runs through midnight on March 31, 2020. We look forward to receiving your nominations.

  • news

    We're Surrounded by Billions of Internet-connected Devices. Can We Trust Them?

    BY ADAM PIORE ON 10/24/19 AT 12:24 PM EDT - NEWSWEEK MAGAZINE

    In 2009, just as consumers had begun to buy wifi-enabled thermostats and front-door cams and other early devices that now make up the "Internet of Things," computer scientist Ang Cui had gotten the idea to scan the Web for "trivially vulnerable" embedded devices.

  • news

    Winner of 7th Paper Competition is Evaluating Fuzz Testing

    The winning paper is Evaluating Fuzz Testing by George Klees, Andrew Ruef, Benji Cooper, Shiyi Wei, and Michael Hicks. This paper was presented at the ACM SIGSAC Conference on Computer and Communications Security (CCS '18) in Toronto.

  • news

    NSA Launches Latest Codebreaker Challenge

    By Betsy Stein, NSA/CSS Communications Officer

    FORT MEADE, MD, Sept. 20, 2019 --

    Are you a U.S. undergraduate or graduate student interested in attempting to crack a cyber-challenge similar to those that regularly threaten national security? Then sign up for the 2019 NSA Codebreaker Challenge!

  • news

    NIST Releases Draft Security Feature Recommendations for IoT Devices

    "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.

    August 01, 2019

  • news

    NSA-approved cybersecurity law and policy course now available online

    Cyber Scoop

    Shannon Vavra

    August 27th, 2019

    Anyone who is interested in cybersecurity law and policy can now take an online course that was partly shaped by the National Security Agency.

  • news

    Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and the University of California, Santa Barbara. This paper was originally accepted at the 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage: https://cps-vo.org/group/sos/papercompetition/pastcompetitions

  • news

    NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its BAA (really a request for proposals) for its next generation of SoS Lablets. These lablets include lablets on the 5 Hard Problem areas in Science of Security, on the Science of Privacy and dealing with Cyber Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can aid in directing: https://cps-vo.org/group/SoS/contact

  • news

    "Microsoft Exposed 250 Million Customer Support Records"

    Researchers discovered that more than 250 million customer service and support records were exposed by Microsoft over two days in December 2019 due to a server misconfiguration. The records included logs of exchanges between Microsoft's customer support and its customers, spanning a 14-year period from 2005 to 2019. Most of the sensitive personally identifiable information was redacted, but some data remained in plain text. These records included IP addresses, locations, internal notes marked "confidential", customer email addresses, descriptions of customer service support claims and cases, Microsoft support agent emails, case numbers, resolutions, and remarks. The researchers notified Microsoft immediately upon finding the records. Microsoft then immediately secured the data and started an investigation within two days of being notified. Microsoft has detected no malicious use of the leaky servers that the records were on.

    WeLiveSecurity reports: "Microsoft Exposed 250 Million Customer Support Records"

  • news

    "Some Hackers Take the Ransom and Run"

    A survey conducted by security researchers at Proofpoint, to which 600 security professionals in seven countries responded, revealed that 33% of organizations that were hit with ransomware attacks gave in to the demands for a ransom payment. However, 22% of those organizations that paid the ransom were still not able to recover the files encrypted by ransomware. The decision to pay the ransom is often based on the criticality of the service provided by the targeted organization. Ransomware attacks can result in the disruption of operations associated with critical infrastructure and life-saving services. This article continues to discuss the findings of the Proofpoint survey regarding the impact of ransomware attacks and the response to these attacks.

    The Business Times reports "Some Hackers Take the Ransom and Run"

  • news

    "An Open Source Effort to Encrypt the Internet of Things"

    Teserakt, a Swiss firm specialized in cryptography, recently introduced a type of cryptographic implant named E4, which is aimed at providing end-to-end encryption for Internet of Things (IoT) devices. E4 would be integrated into IoT manufacturers' servers to support consistent protection as IoT data traverse the web. The implementation of E4 will ensure the encryption of data transmitted between IoT devices and their manufacturers. However, IoT developers need to keep in mind that E4 only touches on one component of data protection, not the security of the IoT devices themselves or the protection of a manufacturer's servers from being compromised. Security still needs to be considered in the design and management of IoT devices and their servers. This article continues to discuss the aim and development of Teserakt's E4, as well as the need for larger services to continue their efforts toward enhancing encryption for peripherals and IoT devices.

    Wired reports "An Open Source Effort to Encrypt the Internet of Things"

  • news

    Human Factors and Ergonomics Society (HFES) - Call for Papers

    HFES is looking for submissions of research and practice related to humans and cybersecurity! HFES is interested in building a broad community between human and cyber experts. HFES has added a CyberTechnical Group, which will be accepting papers and awarding a cash award for Best Paper at their Annual Meeting. In addition, they have added a cybersecurity focus at their pre-conference "ErgoX" event this year, ErgoX CYBER.

  • news

    "Cybercriminals: Things Are About to Get a Lot More Confusing for You"

    Studies conducted by Cleotilde Gonzalez, a professor in Social and Decision Sciences at Carnegie Mellon, and her colleagues delve deeper into the use of deception in cybersecurity. Using deception in cyber defense operations could help prevent adversaries from carrying out malicious activities. Cyber deception reduces the exposure and theft of valuable information. The technique allows defenders to detect, investigate, and lead attackers away from sensitive information when they enter a targeted network or system. Although cyber deception is not a new concept, Gonzalez and her team approach the method through the lens of cognitive science. Their studies propose using defense algorithms that take advantage of attackers' cognitive biases to increase the effectiveness of cyber deception. This article continues to discuss the concept of cyber deception and cognitive science-based strategic techniques that can be used to deceive attackers effectively.

    CyLab reports "Cybercriminals: Things Are About to Get a Lot More Confusing for You"

  • news

    Spotlight on Lablet Research - Automated Synthesis Framework for Network Security and Resilience

    Spotlight on Lablet Research #2

    Project: Automated Synthesis Framework for Network Security and Resilience

    Lablet: University of Illinois at Urbana-Champaign
    Participating Sub-Lablet: Illinois Institute of Technology

    This project proposes to develop the analysis methodology needed to support scientific reasoning about the resilience and security of networks, with a particular focus on network control and information/data flow. The core of this vision is an Automated Synthesis Framework (ASF), which will automatically derive network state and repairs from a set of specified correctness requirements and security policies. ASF consists of a set of techniques for performing and integrating security and resilience analyses applied at different layers (i.e., data forwarding, network control, programming language, and application software) in a real-time and automated fashion. The ASF approach is exciting because developing it adds to the theoretical underpinnings of SoS, while using it supports the practice of SoS.

  • news

    "2020 Outlook for Cybersecurity Legislation"

    Several cybersecurity-related bills have been passed by the House or the Senate and are likely to be candidates for further action. CSO Online gives an overview of these bills, which include the Cybersecurity Vulnerability Remediation Act, Hack Your State Department Act, National Cybersecurity Preparedness Consortium Act, and IoT Cybersecurity Improvement Act. There are also a number of hot topic cybersecurity issues gaining focus in the proposal of new legislation and the 2020 Congressional debate such as election security, ransomware attacks, supply chain threats, and more. This article continues to discuss the cybersecurity bills passed by the House and the Senate, security-related formal bills that have been introduced in either House or Senate committees, as well as the hot cybersecurity topics this year.

    CSO Online reports "2020 Outlook for Cybersecurity Legislation"

  • news

    "Data Breach Exposes Personal Information on Cannabis Users"

    On December 24, 2019, security researchers with VPNMentor discovered an unsecured Amazon S3 bucket owned by THSuite, a point-of-sale (PoS) system in the cannabis industry. The database lacked authentication and security, thus leading to the exposure of sensitive data belonging to multiple marijuana dispensaries in the US and more than 30,000 customers. US laws require cannabis dispensaries to collect large amounts of sensitive information about their clients. Therefore, the database contained scanned government IDs, employee IDs, and other personally identifiable information. Cybercriminals can use this data to perform malicious activities such as identity theft, phishing, and more. This article continues to discuss the data breach regarding its discovery, scope, and impact.

    TechNadu reports "Data Breach Exposes Personal Information on Cannabis Users"

  • news

    "How Blockchain Could Prevent Future Data Breaches"

    Right before the start of the new year, a data breach faced by LifeLabs, one of Canada's major lab diagnostic and testing services, impacted 15 million Canadians. Data exposed in this breach included names, addresses, emails, login passwords, lab test results, and more. These incidents continue to result in the loss of trust and the reluctance to share health data with such services, which could impact healthcare for consumers and research advancements in personalized healthcare. A recent focus group study conducted by the blockchain research cluster at the University of British Columbia, Blockchain@UBC, found that some Canadians are willing to turn to blockchain technology to address the threats of frequent data breaches and unauthorized secondary uses of their data. The use of blockchains can allow consumers to manage their data as well as how the information is shared. This article continues to discuss the LifeLabs data breach, the societal costs of such data breaches, the use of blockchain technology to protect health data, and challenges to using this technology for health data management.

    TechXplore reports "How Blockchain Could Prevent Future Data Breaches"

  • news

    "FBI Shuts Down Website Selling Billions of Stolen Records"

    US law enforcement has seized the WeLeakInfo.com domain name. WeLeakInfo.com contained personal data of individuals stolen in data breaches. The website offered a pay-to-play scenario that allowed anyone to search for and obtain personal details of individuals. The records on the website came from over 10,000 data breaches, and the website contained over 12 billion indexed records. The records primarily included names, email addresses, usernames, phone numbers, and passwords for online accounts.

    WeLiveSecurity reports: "FBI Shuts Down Website Selling Billions of Stolen Records"

  • news

    "Hong Kong Looks to GDPR as it Strengthens Privacy Laws"

    Hong Kong will enforce stronger privacy laws similar to those of the European Union's General Data Protection Regulation (GDPR), which aims to ensure the protection of personal data belonging to EU residents by enforcing a standard upon any companies that manage this data. A significant breach faced by Cathay Pacific Airways, the flag carrier of Hong Kong, prompted the need to apply stricter penalties for data protection failures. This article continues to discuss the proposed amendments to the regional government's Personal Data (Privacy) Ordinance and the Cathay Pacific data breach that exposed personal data belonging to 9.4 million passengers.

    Infosecurity Magazine reports "Hong Kong Looks to GDPR as it Strengthens Privacy Laws"

  • news

    "Cybercrime: Internet Erodes Teenage Impulse Controls"

    A new study conducted by Flinders Criminology found that teenagers' struggle to control their impulses on the internet could make them more susceptible to engaging in cybercriminal activities. Researchers behind the study delved into how the nature of the internet encourages adolescents between the ages of 12 and 19 to become cybercriminals. The internet provides a platform for adolescents to tap into their curiosity and experiment with activities that they would not explore in the outside world. It is important to examine further how young people's emotions and motivations can lead them to commit cybercrimes in order to develop or alter policies consisting of interventions accordingly. This article continues to discuss the aim and key findings of the study published in the European Society of Criminology.

    EurekAlert! reports "Cybercrime: Internet Erodes Teenage Impulse Controls"

  • news

    "What do Online File Sharers Want With 70,000 Tinder Images?"

    A researcher has discovered a collection of over 70,000 photographs harvested from the dating app Tinder on several undisclosed websites. The data found also contained around 16,000 unique Tinder user IDs. The images are available for free. The researcher believes that the adversary collected the pictures and posted them on the undisclosed sites so that hackers could create fake online accounts using the images to lure unsuspecting victims into scams.

    Naked Security reports: "What do Online File Sharers Want With 70,000 Tinder Images?"

  • news

    "Worldwide IT Spending to Total $3.9 Trillion in 2020"

    In a new study conducted by Gartner, researchers found that worldwide IT spending will total $3.9 trillion in 2020, an increase of 3.4% from 2019. Global IT spending is going to be around $4 trillion in 2021. Researchers also discovered that the fastest-growing major market this year is going to be software, reaching double-digit growth at 10.5 percent. The researchers also concluded that enterprise IT spending is going to be more focused on cloud-based offerings than traditional (non-cloud) IT offerings through 2022.

    Help Net Security reports: "Worldwide IT Spending to Total $3.9 Trillion in 2020"

  • news

    "FBI Takes Down Site Selling Subscriptions to Stolen Data"

    The FBI, with support from the UK's National Crime Agency, the Dutch National Police Corps, the German Bundeskriminalamt, and the Police Service of Northern Ireland, took down a site called WeLeakInfo that was used by cybercriminals to sell stolen personal data to subscribers. The malicious webpage sold plaintext passwords belonging to other people, with subscription fees ranging from $2 to $70, depending on the amount of time chosen to have access to the stolen data provided by the site. The personal data, searchable on the site, was said to be from 10,000 data breaches. Using the WeLeakInfo website, cybercriminals could have accessed data from a collection of 12 billion records, containing information such as names, email addresses, usernames, and phone numbers in addition to passwords to online services. This article continues to discuss what the WeLeakInfo website was used for, as well as the investigation and takedown of the site.

    Security Week reports "FBI Takes Down Site Selling Subscriptions to Stolen Data"

  • news

    "Homomorphic Encryption Improves Cloud Security"

    A team of researchers outlined a proposed homomorphic encryption system in the International Journal of Cloud Computing. Homomorphic encryption takes a new approach to encryption by performing computations on encrypted data without having to decrypt the data first. This method of encryption addresses users' concerns surrounding cloud computing services regarding the exposure of private or personal data to a third-party entity such as the cloud service provider itself. This article continues to discuss homomorphic encryption, how this form of encryption improves cloud security, and issues of trust associated with cloud computing.

    Homeland Security News Wire reports "Homomorphic Encryption Improves Cloud Security"

  • news

    "SIM Swap Attacks Making Two-Factor Authentication via Smartphones Obsolete"

    Security researchers at PhishLabs further emphasized that SIM swap attacks are making SMS two-factor authentication (2FA) obsolete. A SIM swapping attack uses social engineering to trick mobile carriers into transferring control over a legitimate user's mobile account to threat actors. In a blog post, the researchers highlighted a recent Princeton study in which 50 attempts were made to port a stolen number to a SIM card via North American prepaid telecom companies. The study found that in most cases, only one question asked by customer service needed to be answered correctly to authenticate successfully, despite failure to answer previous authentication questions. The success of such attacks can lead to the hijacking of victims' bank accounts. Researchers call for the use of device-based 2FA instead of number-based 2FA to reduce the threat of these attacks. This article continues to discuss SIM swap attacks and how organizations can protect themselves from these attacks.

    SC Media reports "SIM Swap Attacks Making Two-Factor Authentication via Smartphones Obsolete"

  • news

    "Software Detects Backdoor Attacks on Facial Recognition"

    The growing use of facial and object recognition by the US Army to train artificial intelligence (AI) systems in the identification of threats calls for increased efforts toward bolstering the security of such technology against attacks. Researchers at Duke University have made a significant advancement in an Army project aimed at improving mitigation against backdoor attacks on facial and object recognition systems. Backdoor attacks are executed by poisoning the data fed to a machine learning model so that the model produces incorrect output or predictions. This article continues to discuss the importance of safeguarding the recognition systems used by the Army, the concept of backdoor attacks, and the success of software developed by researchers to detect such attacks.

    The United States Army reports "Software Detects Backdoor Attacks on Facial Recognition"

  • news

    "Detecting and Mitigating Network Attacks With a Multi-Prong Approach"

    An international team of researchers developed an approach to detecting malicious attacks such as jamming attacks, replay attacks, and more, on the communication network and the physical system in a networked control system. These types of attacks often share the ability to cause abnormal traffic flow in the communications links, resulting in delays and packet losses. The approach developed by researchers is a hybrid learning approach in that it detects attacks as well as allows the targeted system to react and perform in the best way possible even when it is under attack. This article continues to discuss the researchers' proposed multi-prong approach to detecting and mitigating network attacks in addition to the scope of future work for this approach.

    ScienMag reports "Detecting and Mitigating Network Attacks With a Multi-Prong Approach"

  • news

    "Apps are Sharing More of Your Data With Ad Industry Than you may Think"

    In a new study, researchers analyzed data traffic from ten popular Android apps (which are also all available on iPhones). The ten apps researched include Grindr, OkCupid, Tinder, Clue, MyDays, Perfect365, My Talking Tom 2, Qibla Finder, Happn, and Wave Keyboard. The researchers chose these apps because the apps were likely to have access to highly personal information. The ten analyzed apps transmit user data to at least 135 different third parties involved in advertising and/or behavioral profiling. The researchers also discovered that all but one of the apps share data beyond the device advertising ID, including a user's IP address and GPS position, personal attributes such as gender and age, and app activities such as GUI events.

    Naked Security reports: "Apps are Sharing More of Your Data With Ad Industry Than you may Think"

  • news

    "'Cable Haunt' Vulnerability Exposes 200 Million Modem Cables to MITM Attacks"

    Researchers from Lyrebirds, along with an independent researcher, discovered a security vulnerability, named Cable Haunt, in Broadcom's cable modem. The flaw left an estimated 200 million home broadband gateways susceptible to remote hijacking attacks. The exploitation of the flaw, tracked as CVE-2019-19494, could allow malicious actors to trick victims into clicking a web page containing malicious JavaScript code. Once the malicious code is executed on a modem, remote attackers can intercept private messages, redirect traffic, and more. This article continues to discuss the discovery of the Cable Haunt security vulnerability and the malicious activities that could be performed by attackers through the exploitation of the flaw.

    CISOMAG reports "'Cable Haunt' Vulnerability Exposes 200 Million Modem Cables to MITM Attacks"

  • news

    "Lawmakers Ask FCC to Protect Consumers from Phone Hijackers"

    Lawmakers are asking the Federal Communications Commission (FCC) to use the regulatory agency's authority over wireless carriers to enforce better protection for consumers from SIM swap scams. Fraudsters perform these scams by persuading wireless carriers to transfer control over a mobile account to them, allowing the hijacking of credentials. Using these attacks, scammers can hijack login credentials, bypass two-factor authentication (2FA), and commit crimes such as emptying a victim's bank account. Consumers are often unaware of the existing options they have to protect their wireless accounts until they fall victim to these forms of attacks. Additionally, available options are limited. Therefore, consumers have to depend on phone companies to protect them. A letter written by Sen. Ron Wyden, D-Ore., and signed by five House and Senate members calls on the FCC to hold mobile carriers responsible for securing their systems. This article continues to discuss the request to the FCC to protect consumers from phone hijackers and the rise in SIM swap attacks.

    NextGov reports "Lawmakers Ask FCC to Protect Consumers from Phone Hijackers"

  • news

    "How to Implement a 'Threat Model' to Beef up Your Organization’s Security"

    Security professionals are encouraged to practice threat modeling to bolster the security of their organizations. Threat modeling refers to the classification of assets associated with a system, identifying the possible attacks against these assets, the potential actors behind attacks, and how the assets could be protected. Threat modeling should apply to the software development lifecycle as well as to firmware and hardware. This article continues to discuss the concept of threat modeling and how to build an effective threat model.

    TNW reports "How to Implement a 'Threat Model' to Beef up Your Organization's Security"

  • news

    "2020 Forecast: Attackers Will Target Non-Traditional Systems"

    Researchers believe that API security is going to be a significant threat surface in 2020. The increased use of container ecosystems and the popularity of mobile apps that connect to backend services have pushed the microservices architecture to the forefront. A variety of information, ranging from airline ticketing to online ordering, can be exposed through insecure APIs. Researchers also believe that IoT devices will be a primary target of adversaries in 2020. As the number of connected devices that individuals and companies use increases, the attack surface area must be monitored.

    Help Net Security reports: "2020 Forecast: Attackers Will Target Non-Traditional Systems"

  • news

    "Texas School District Loses $2.3M to Phishing Attack"

    A new phishing attack has affected the Manor Independent School District (MISD), located roughly 15 miles outside Austin, Texas. MISD made three payments amounting to 2.3 million dollars. The school did not realize the bank account information had been altered before making the payments, which means the three payments did not go where they were intended but to an adversary. Authorities believe that this is a case of business email compromise (BEC). BEC is when an adversary manipulates a victim into wiring money or changing bank account details. BEC attacks grew 295 percent in 2019. The investigation is still ongoing.

    DARKReading reports: "Texas School District Loses $2.3M to Phishing Attack"

  • news

    "Exploit Fully Breaks SHA-1, Lowers the Attack Bar"

    Researchers from INRIA in France and the Nanyang Technological University in Singapore developed a proof-of-concept attack that is capable of breaking the Secure Hash Algorithm-1 (SHA-1) code-signing encryption. The exploit developed by Gaetan Leurent and Thomas Peyrin is said to be less complicated and expensive than previous PoC attacks on SHA-1, lowering the level of complexity for attackers. The attack leaves users of GnuPG, OpenSSL, and Git in danger as they still support SHA-1 in some way. This article continues to discuss the continued use of SHA-1 despite efforts to phase the cryptographic function out and the latest PoC attack on SHA-1.

    Threatpost reports "Exploit Fully Breaks SHA-1, Lowers the Attack Bar"

  • news

    "A Case for Establishing a Common Weakness Enumeration for Hardware Security"

    Attacks on modern computers are growing more frequent, pervasive, and sophisticated because they are not only impacting the software layer but also the hardware layer. The industry is bolstering efforts to deliver microarchitectural improvements that address hardware-based security. However, the industry needs a better understanding of the common hardware security vulnerabilities taxonomy. There must be information on how vulnerabilities in products emerge, their possible exploitation, and related risks, in addition to how architects and developers can prevent and identify security flaws in the design and development of products. MITRE's Common Weakness Enumeration (CWE) system and Common Vulnerability and Exposures (CVE) system do not categorize hardware-centric weaknesses. The absence of reference materials for hardware vulnerabilities in the CWE makes it difficult for researchers to share information about such vulnerabilities and for hardware vendors to develop more secure solutions. Therefore, a standardized hardware CWE is needed. This article continues to discuss the importance of hardware-based security, the difference between the CWE and CVE systems, as well as how the industry would benefit from a standardized hardware CWE.

    Help Net Security reports "A Case for Establishing a Common Weakness Enumeration for Hardware Security"

  • news

    "A Billion Medical Images Are Exposed Online, As Doctors Ignore Warnings"

    Security researchers from the Germany-based security firm Greenbone Networks discovered the exposure of a billion medical images online. The exposure of these images is the result of hospitals, medical offices, and imaging centers using unprotected servers. The insecure servers expose patients' personal health information in addition to medical images, with almost half belonging to patients in the United States. Medical practitioners use the DICOM (Digital Imaging and Communications in Medicine) standard to store, retrieve, and transmit medical images to other medical practices. DICOM images can be viewed using any free-to-use apps and are usually stored in a PACS server, which is a picture archiving and communications system. However, medical offices often overlook security, connecting the PACS server to the internet without a password. This article continues to discuss the exposure of over 1 billion medical images, the research behind this discovery, and how medical organizations have responded.

    TechCrunch reports "A Billion Medical Images Are Exposed Online, As Doctors Ignore Warnings"

  • news

    "What Students Think About University Data Security"

    During a new study, researchers surveyed 1000 undergraduate students. The researchers discovered that 69 percent of students are concerned about how the education system protects their personal data. Sixty-five percent of the respondents said that if a college had a poor security reputation about protecting personal data, they would have been less likely to apply to that school. Out of the 1000 students surveyed, 45 percent of them felt confident that their college would keep their personal data secure and private.

    Help Net Security reports: "What Students Think About University Data Security"

  • news

    "Connected Cars Moving Targets for Hackers"

    The growth in connected vehicles creates opportunities for cyberattacks that pose a significant threat to the safety of drivers. The cybersecurity firm GuardKnox highlighted the danger in a demonstration at the recent Consumer Electronics Show in Las Vegas. Researchers demonstrated the potential impact of cyberattacks on connected vehicles in a Formula 1 driving simulation, which showed the compromise of a steering wheel by a hacker to remove its control over a speeding car. The scenario could become a real incident soon as new cars increase in connection to computer chips, sensors, and mobile technology. These elements will increasingly be abused by hackers to disrupt the operations of a vehicle. This article continues to discuss the hacked driving simulation demonstrated by GuardKnox and the expected rise in attacks on connected cars.

    TechXplore reports "Connected Cars Moving Targets for Hackers"

  • news

    Visible to the public "U.S. Monitoring Cyberspace for Signs of Iranian Aggression"

    U.S. government officials are on the lookout for indicators of cyberattacks executed by Iran following the recent drone strike that killed Quds Force commander Qassem Soleimani. The Department of Homeland Security's latest advisory expressed that specific, credible threats to the U.S. remain unseen. U.S. government officials noted that the capabilities of Iranian cyber actors match those of cyber actors in Russia, China, and North Korea regarding the launch of cyberattacks on industrial control systems or physical infrastructure. DHS is working to improve coordination and situational awareness if specific threats appear. This article continues to discuss Iran's cyber activity and what the U.S. government is doing to prepare for potential attacks by Iranian cyber actors.

    Homeland Security News Wire reports "U.S. Monitoring Cyberspace for Signs of Iranian Aggression"

  • news

    Visible to the public "Browser Zero Day: Update Your Firefox Right Now!"

    Researchers have found a flaw in Firefox 72 just two days after it was released. The flaw, identified as CVE-2019-17026, is a type confusion bug affecting Firefox's IonMonkey JavaScript Just-in-Time (JIT) compiler. The JIT compiler takes JavaScript source code and converts it to executable computer code so that the JavaScript runs directly inside Firefox as if it were a built-in part of the app. The problem is fixed, and Firefox urges users to download the newest update to fix the issue.

    Naked Security reports: "Browser Zero Day: Update Your Firefox Right Now!"

  • news

    Visible to the public "These Hacking Groups Are Eyeing Power Grids, Says Security Company"

    In a report titled The North American Electric Cyber Threat Perspective, released by the cybersecurity company Dragos, security researchers discuss the rise in threats to electric utilities in North America stemming from political and military tensions. The energy infrastructure is at risk, as indicated by the observation of multiple intrusions into industrial control system (ICS) networks. According to the report, security researchers are tracking seven hacking groups, three of which have demonstrated the capability to invade and disrupt the operation of power grids. The three hacking groups are known as Xenotime, Dymalloy, and Electrum. Security experts suggest following security practices such as segmenting networks, installing security patches, and using strong passwords to improve the security of ICS networks. This article continues to discuss the increase in cyber threats against electricity grids, three hacking groups capable of disrupting power grids across the US, and how ICS networks can be protected against cyberattacks.

    ZDNet reports "These Hacking Groups Are Eyeing Power Grids, Says Security Company"

  • news

    Visible to the public "Attackers Invent New Evasion Techniques to Conceal Web Skimmer Activity"

    A security researcher at Malwarebytes recently reported the discovery of the first payment card skimmer to use steganography to evade detection. There has been an increase in the use of steganography to hide and deliver malicious data. Digital steganography refers to the covert communication of data via unsuspected formats such as image files, video clips, and audio files. Steganography differs from cryptography because the method hides the communication of data in addition to the data itself. The skimmer found by the researcher used an image of a free shipping ribbon commonly seen on shopping sites to conceal malicious JavaScript code. According to the same security researcher, some digital attackers are now using the WebSockets communications protocol instead of HTML to exchange data with skimmers, using a single TCP connection. This article continues to discuss the discovery of a payment card skimmer and its use of steganography, as well as the increased use of new techniques for web skimmers and how security professionals can defend against evasive attacks.

    Security Intelligence reports "Attackers Invent New Evasion Techniques to Conceal Web Skimmer Activity"

  • news

    Visible to the public "Facebook Moves to Detect and Remove Deepfake Videos"

    The social media giant Facebook recently announced its plan to ban deepfake videos. Deepfakes are fake videos, photos, and audio recordings that cannot easily be distinguished by humans from authentic ones. Generative adversarial networks are used to develop deepfakes. Monica Bickert, Facebook's vice-president for global policy management, expressed the threat posed by deepfakes to the social media industry and society as a whole. Bickert stated that any video that has been created through the use of AI or machine learning to make it appear authentic would be removed. However, this policy does not apply to content created for the purpose of parody or satire, and videos edited to remove or change the order of words. This article continues to discuss the new policy that will be enforced by Facebook to detect and remove deepfake videos.

    Infosecurity Magazine reports "Facebook Moves to Detect and Remove Deepfake Videos"

  • news

    Visible to the public "TikTok Riddled With Security Flaws"

    Security researchers at Check Point recently discovered several security vulnerabilities in TikTok, the popular Chinese-owned platform used for short-form mobile videos. According to researchers, one of the vulnerabilities found in the platform could be exploited by hackers to allow them to hijack parts of a user's TikTok account remotely. Hackers could perform activities such as uploading or deleting videos, as well as altering video settings to change videos from being hidden to being exposed to the public. The exploitation could also allow hackers to send an SMS invite message to a victim, making it possible to send links that redirect users to malicious websites. Another vulnerability could allow hackers to collect personal information belonging to users, such as their email addresses. This article continues to discuss the popularity of the video-sharing app, the vulnerabilities found in the app by researchers, and the response to these findings by TikTok.

    Threatpost reports "TikTok Riddled With Security Flaws"

  • news

    Visible to the public "New Standards Set to Reshape Future of Email Security"

    Email remains one of the most popular attack vectors used by hackers. Phishing and email-based malware still pose significant threats to this communications medium. According to recent studies, more than 90% of all cyberattacks have involved email. Therefore, the email industry is developing standards to address the most notable weakness of email, which is the ability to send email as someone else. The weak sender identity model has made spoofing more effective. A research report from Valimail reveals that an estimated 6.4 billion spoofed emails are distributed every day, calling for the implementation of stronger sender identity protections. There are four new standards aimed at strengthening sender identity and email security. These standards include Domain-based Message Authentication, Reporting & Conformance (DMARC) 2.0, Brand Indicators for Message Identification (BIMI), AMP, Schema.org, STARTTLS, and MTA Strict Transport Security (MTA-STS). This article continues to discuss the significant role of email in the execution of cyberattacks and new standards set to improve email security.

    Dark Reading reports "New Standards Set to Reshape Future of Email Security"

  • news

    Visible to the public "Smartphone Analysis & Stats: Personal Use Leaves Work Smartphones Hackable"

    Researchers conducted new research on which mobile phone brands and smartphone applications were targeted the most in the United Kingdom during 2019. The data was collected by analyzing monthly Google search data in 2019 on how many British users were searching for methods to hack different apps and phone brands. The researchers found that iPhone was the most targeted phone brand (10,040 searches), and Samsung came a distant second (700 searches). At the same time, Instagram was the most targeted application (12,410 searches), followed by Snapchat (7,380 searches) and Whatsapp (7,100 searches). The researchers also discovered that iPhone owners are 167 times more at risk of people trying to hack them than owners of other phone brands. The Instagram app is also 16 times more at risk of getting hacked than the Netflix application.

    SC Media reports: "Smartphone Analysis & Stats: Personal Use Leaves Work Smartphones Hackable"

  • news

    Visible to the public "DHS Tells U.S. Organizations to Clamp Down on Cybersecurity in Wake of Soleimani Killing"

    The Department of Homeland Security (DHS) on Monday issued a statement meant for U.S. companies and government agencies about securing their computer networks following the killing last week of a top Iranian general. Iran has considerable capabilities when it comes to cyberattacks. Iran and its proxies have a history of conducting disruptive and destructive cyber operations against strategic targets, including finance, energy, and telecommunications organizations. This year they have had an increased interest in industrial control systems and operational technology.

    CyberScoop reports: "DHS Tells U.S. Organizations to Clamp Down on Cybersecurity in Wake of Soleimani Killing"

  • news

    Visible to the public "The Psychology of Ransomware"

    According to recent studies, ransomware attacks are growing in sophistication and cost. Organizations must go beyond the exploration of technicalities of ransomware to bolster their security posture against such attacks. Security experts encourage organizations to delve deeper into the psychological nature of ransomware attacks. Organizations should be examining the factors that lead users to open emails, links, or attachments sent from unknown entities despite their awareness of attacks that can be performed via these mediums. There are psychological factors that hackers abuse in the execution of ransomware attacks, which include compassion, helplessness, humiliation, and responsibility. This article continues to discuss the rise in ransomware attacks and the psychological factors that have led to the success of these attacks.

    SC Magazine reports "The Psychology of Ransomware"

  • news

    Visible to the public "DHS, GSA Propose Centralized Vulnerability Disclosure Platform"

    The Department of Homeland Security (DHS) and the General Services Administration (GSA) recently issued a request for information, asking for feedback on how to set up a cloud-based centralized vulnerability disclosure platform for the federal government. The platform will facilitate the submission of vulnerabilities found in government agencies' internet-accessible systems by security researchers. The central platform will also track and validate incoming reports as well as allow web-based communication between reporters and agencies in efforts to remediate vulnerabilities. The system is essential as most federal agencies do not have formal mechanisms in place to receive reports from security researchers on potential security vulnerabilities in their systems. This article continues to discuss the proposed centralized vulnerability disclosure platform, the lack of defined strategies for managing vulnerability disclosure reports in most federal agencies, and concerns about the legal protection of security researchers.

    FCW reports "DHS, GSA Propose Centralized Vulnerability Disclosure Platform"