News Items

  • news

    Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is "How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games" by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and University of California, Santa Barbara. This paper was originally accepted at the 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage: https://cps-vo.org/group/sos/papercompetition/pastcompetitions

  • news

    NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its BAA (really a request for proposals) for its next generation of SoS Lablets. These lablets include lablets on the 5 Hard Problem areas in Science of Security, on the Science of Privacy and dealing with Cyber Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can aid in directing: https://cps-vo.org/group/SoS/contact

  • news

    "Data Breaches Increased 54% in 2019 so Far"

    According to Risk Based Security, there has been a 54% increase in data breaches so far this year, with 3,800 breaches. The report highlights that outside attacks were the primary cause of these data breaches. The management of sensitive data by third parties also plays a part in the increase in data breaches. This article continues to discuss the significant rise in data breaches, what has contributed to this increase, and which industry has been affected the most.

    TechRepublic reports "Data Breaches Increased 54% in 2019 so Far"

  • news

    "Electric Car Charging Stations May Be Portals for Power Grid Cyberattacks"

    A new study conducted by researchers at the New York University Tandon School of Engineering has brought attention to the possible launch of cyberattacks on urban power grids through the exploitation of electric car charging stations. The connection between electric vehicle charging stations and plug-in electric cars is a high-wattage access point that could be abused by hackers to impact the grid. This article continues to discuss how electric car charging stations and electric vehicles could be exploited to execute an attack on a power grid, along with other incidents in which a power grid has been crippled by hackers and the importance of developing a cybersecurity protocol to protect data produced by electric car charging stations.

    TechXplore reports "Electric Car Charging Stations May Be Portals for Power Grid Cyberattacks"

  • news

    "Organizations Fail to Remediate App Security Vulnerabilities"

    According to the 2019 WhiteHat Application Security Statistics report, vulnerability remediation remains a challenge for organizations. Findings from the analysis of 17 million application security scans show an increase in application testing by organizations. However, there has been a decrease in vulnerability remediation rates. Vulnerability remediation is said to be harder as a result of embedded components, which make up a third of security vulnerabilities found in applications. This article continues to discuss the fall in remediation rates, vulnerabilities surrounding embedded components, and a phased, metrics-driven DevSecOps approach to addressing these issues.

    SDTimes reports "Organizations Fail to Remediate App Security Vulnerabilities"

  • news

    "New Vulnerability Found in Internet-Connected Building Automation Devices"

    A cybersecurity researcher named Bertin Bervis recently discovered that critical internet-connected smart building devices are vulnerable to an attack in which sensitive information is stolen from technicians or engineers who interact with these devices. According to Bervis, the attack involves the exploitation of the BACnet protocol's properties. BACnet is a building automation protocol that allows monitoring and setup changes to be performed by technicians and engineers. The protocol also enables a variety of key smart systems to be controlled remotely. This article continues to discuss the vulnerability and what its exploitation could allow attackers to do.

    Homeland Security News Wire reports "New Vulnerability Found in Internet-Connected Building Automation Devices"

  • news

    "Serious Flaws in six Printer Brands Discovered, Fixed"

    Researchers have discovered that many companies overlook the security risks of having printers. The security company NCC Group took a closer look at printer security and discovered serious flaws in six popular printer brands that could allow attackers to take over accounts or comb through company documents. The researchers found several classes of bugs that recurred across many of these devices. The problems have since been fixed by the companies.

    Naked Security reports: "Serious Flaws in six Printer Brands Discovered, Fixed"

  • news

    "Attackers Could Be Listening to What You Type"

    A new study conducted by researchers from Southern Methodist University's (SMU) Darwin Deason Institute for Cybersecurity has discovered a way in which hackers can determine what a user is typing in order to obtain personal information. According to researchers, acoustic signals produced when users type on a keyboard could be intercepted and deciphered by hackers through the use of a nearby smartphone. Using this method, researchers were able to detect what people are typing with a 41 percent accuracy rate. Findings of this study emphasize the need for smartphone makers to increase their efforts toward enhanced privacy in regard to smartphone sensors. This article continues to discuss how this study was conducted by researchers, concerns surrounding 'always-on' sensing devices such as the smartphone, and the accuracy with which attackers can detect what a user is typing.

    Science Daily reports "Attackers Could Be Listening to What You Type"

  • news

    "Link Between Personality Type and Vulnerabilities to Cybercrime"

    It has been discovered that only four in 10 (42%) businesses focus on compliance training as part of their cybersecurity protocol to ensure sensitive data is kept secure. Even more worryingly, 63% rely predominantly on passwords to protect their data. The research also went on to identify people's potential strengths and weaknesses, and concluded that people who focus their attention on the outside world (Extraversion) are more vulnerable to manipulation and persuasion by cybercriminals. People who lean towards Sensing preferences (people who observe and remember details) may be better suited to spotting risks as they arise. Companies need to improve employees' self-awareness, which will help maximize individual and team performance and decrease the likelihood of a cyberattack occurring because of traits an individual has.

    Help Net Security reports: "Link Between Personality Type and Vulnerabilities to Cybercrime"

  • news

    "British Airways Check-In Flaw Exposes Personal Data"

    British Airways (BA) has been discovered to contain a security flaw in its e-ticketing system. According to security researchers at Wandera, the e-ticketing system used by BA lacks encryption, allowing the exposure of passenger data such as booking details, names, telephone numbers, email addresses, and more. The security flaw could also allow malicious actors to modify a passenger's flight booking details. Security experts call for developers to consider security in the design of such systems. This article continues to discuss the flaw discovered in the BA e-ticketing system, what types of data can be exposed through the exploitation of this flaw, BA's response to this discovery, and the importance of designing such systems with security in mind.

    Silicon UK reports "British Airways Check-In Flaw Exposes Personal Data"

  • news

    "Biometrics of One Million People Discovered on Publicly Accessible Database"

    A biometrics database used by banks, defense contractors, and the police was discovered by security researchers to be unprotected online. According to researchers at vpnMentor, the database, called Biostar 2, contained unencrypted fingerprint data, facial recognition data, access logs, and more. As the Biostar 2 database is used by organizations for the security of warehouses and offices, there was also an exposure of user names, passwords, and personal information in relation to employees. This article continues to discuss the breach in regard to what types of data were exposed, how many users have been affected, and the response to this discovery.

    Computing reports "Biometrics of One Million People Discovered on Publicly Accessible Database"

  • news

    "4 Dating Apps Pinpoint Users’ Precise Locations – and Leak the Data"

    Four popular dating apps that together have 10 million users have been found to leak the precise locations of their members. The four companies are Grindr, Romeo, Recon and 3fun. The researchers found that the location data collected and stored by these apps is also very precise: 8 decimal places of latitude/longitude in some cases. The data collected allowed the researchers to track users' exact movements, so that they could tell where individuals lived and socialized, and what paths they walked every day. This can be dangerous for individuals using these dating apps, as it can lead to them being stalked or worse. These companies have been notified of this.

    Threatpost reports: "4 Dating Apps Pinpoint Users' Precise Locations - and Leak the Data"

  • news

    "New Vulnerability Risk Model Promises More-Efficient Security"

    Michael Roytman, chief data scientist at Kenna Security, and Jay Jacobs, a security data scientist at the Cyentia Institute, gave a presentation at the 2019 Black Hat security conference in which they discussed a Predictive Vulnerability Scoring System. They further highlighted the challenge of prioritizing vulnerabilities. Organizations must be able to identify the vulnerabilities that pose the greatest risk to their most critical systems. Roytman and Jacobs have developed a methodology, called the Exploit Prediction Scoring System (EPSS), which improves upon remediation prioritization by using different factors such as the CVE, CVSS score, exploits in the wild, and more, to predict whether a vulnerability has a high chance of being exploited or not. This article continues to discuss the difficulty in managing vulnerabilities and how the Exploit Prediction Scoring System (EPSS) improves this management.

    Dark Reading reports "New Vulnerability Risk Model Promises More-Efficient Security"

  • news

    "Hackers Can Turn Everyday Speakers Into Acoustic Cyberweapons"

    Matt Wixey, the cybersecurity research lead at PwC UK, has demonstrated that it is possible for hackers to weaponize speakers such as Bluetooth speakers, parametric speakers, vibration speakers, and more. According to Wixey, custom malware can easily be written to make such speakers emit inaudible high-frequency sounds or high-volume sounds. These attacks have the potential to damage a user's hearing, cause tinnitus, or have psychological effects. This article continues to discuss the potential creation of acoustic malware by hackers to weaponize commercial speakers and the discovery of other attacks that can be performed via speakers, which could impact the security and privacy of users.

    Wired reports "Hackers Can Turn Everyday Speakers Into Acoustic Cyberweapons"

  • news

    "These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer"

    Security researchers have discovered that it is possible to hack a computer through the use of a malicious tool, called the O.MG Cable, which is a modified Apple lightning cable. According to researchers, the O.MG cable appears legitimate because it performs the same expected functions as a regular cable. However, this cable has been modified to contain additional components that could allow hackers to remotely hijack a victim's computer, run malicious payloads, and more. This article continues to discuss the creation and possible activities that can be performed by hackers via the use of the O.MG cable.

    Motherboard reports "These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer"

  • news

    "Hacking One of the World's Most Secure Industrial Programmable Logic Controllers (PLC)"

    A team of researchers from the Technion - Israel Institute of Technology and Tel Aviv University, together with the Israel National Cyber Directorate, has demonstrated an attack on a Siemens programmable logic controller (PLC) that could allow for the hijacking of this system. This discovery is significant in that a Siemens PLC is often praised as one of the most secure controllers in the world. This article continues to discuss what the attack could allow malicious actors to do, the research conducted behind the attack, and the importance of securing industrial control systems.

    Homeland Security News Wire reports "Hacking One of the World's Most Secure Industrial Programmable Logic Controllers (PLC)"

  • news

    "More Than 2m AT&T Phones Illegally Unlocked by Bribed Insiders"

    It has been discovered that between 2012 and 2017, an individual recruited AT&T employees at the company's call center in Bothell, Washington, to plant malware and misuse the company's computer networks to illegally unlock phones. To do that, the insiders who were bribed disabled proprietary software that locked AT&T phones and prevented them from being used on other carriers' systems. When people slip out of the proprietary locking software, they're also slipping out of the long-term service contracts that bind them to AT&T's wireless network.

  • news

    "Security Researchers Find That DSLR Cameras Are Vulnerable to Ransomware Attack"

    Security researchers at Check Point have released a new report detailing the vulnerability of DSLR cameras to ransomware attacks. According to researcher Eyal Itkin, malware could be delivered to these cameras through the abuse of the standardized Picture Transfer Protocol, which is unauthenticated. Itkin demonstrated the exploitation of a Canon EOS 80D over Wi-Fi and the encryption of an SD card to the extent that a user would not be able to access images on the card. This article continues to discuss the vulnerability of DSLR cameras to being infected by ransomware, why cameras are an attractive target for hackers, and the disclosure of the discovered vulnerability to Canon.

    The Verge reports "Security Researchers Find That DSLR Cameras Are Vulnerable to Ransomware Attack"

  • news

    "Attackers’ Growing use of Anti-Analysis, Evasion Tactics Pose a Challenge to Enterprises"

    It has been discovered that it is becoming harder for organizations to detect malware. Many modern malware tools are now incorporating features for evading antivirus or other threat detection measures, but cyber adversaries are becoming more sophisticated in their obfuscation and anti-analysis practices to avoid detection. With the growing use of anti-analysis and broader evasion tactics, companies should make sure to have multi-layered defenses and behavior-based threat detection systems in place.

    Help Net Security reports: "Attackers' Growing use of Anti-Analysis, Evasion Tactics Pose a Challenge to Enterprises"

  • news

    "Yet Another Hacking Group Is Targeting Oil and Gas Companies"

    A new hacking group, dubbed Hexane, has been discovered by the industrial security company Dragos. The newly discovered hacking group targets telecommunications, oil, and gas companies in Africa, Central Asia, and the Middle East. Hexane is one of five hacking groups known to be targeting companies in the oil and gas sector. This discovery further indicates the growing interest among hacking groups in the compromise of industrial control systems (ICS) that support energy infrastructure. This article continues to discuss Hexane in relation to its activity, hacking tools, interests, and supposed connections, along with the increased targeting of oil and gas industries by state-associated actors.

    CyberScoop reports "Yet Another Hacking Group Is Targeting Oil and Gas Companies"

  • news

    "Tablet for Kids Had Flaws That Exposed Info, Location"

    The LeapPad Ultimate is a tablet designed for children between the ages of 3 and 6 that has recently been discovered by researchers from Checkmarx to be vulnerable to hacking. According to researchers, the tablet contains flaws that could be exploited by attackers to perform a number of malicious activities such as executing man-in-the-middle attacks, tracking devices, and sending messages to children. This article continues to discuss the security vulnerabilities found in the LeapPad Ultimate, what the exploitation of these security flaws could allow malicious actors to do, LeapFrog's response to these findings, and other discoveries of vulnerabilities in children's products.

    CNET reports "Tablet for Kids Had Flaws That Exposed Info, Location"

  • news

    "Researchers Show Vulnerabilities in Facial Recognition"

    Research conducted by Yu Chen, Bin Ma, and Zhou (HC) Ma at Tencent Security's Xuanwu Lab explored the implementation and defense mechanisms of biometric authentication. One of the researchers performed a demonstration at Black Hat USA 2019 in which they highlighted the vulnerabilities in facial recognition. The demonstration showed that it is possible to bypass a facial recognition system's liveness detection, which is put in place to detect fake faces and perform anti-face spoofing. This article continues to discuss the purpose of this research, previous studies on biometric authentication, the concept of liveness detection, and the demonstration in which the vulnerability of the liveness test was proven to exist.

    Dark Reading reports "Researchers Show Vulnerabilities in Facial Recognition"

  • news

    "U.S. Utility Firms Hit by State-Sponsored Spear-Phishing Attack"

    Three U.S. utility companies were the targets of a spear phishing campaign in which new malware, called LookBack, was used. The spear phishing emails sent to these companies appeared to be from a U.S.-based engineering licensing board. However, once the malicious attachment in these emails was opened, the remote access Trojan, LookBack, would be executed. According to researchers at Proofpoint, LookBack would allow attackers to delete files, execute commands, take screenshots, and more, on infected systems. This article continues to discuss the spear phishing campaign in regard to its targets, techniques, and malware in addition to the suspected perpetrators behind the launch of this attack.

    TechRadar reports "U.S. Utility Firms Hit by State-Sponsored Spear-Phishing Attack"

  • news

    "New SWAPGS Side-Channel Attack Bypasses Spectre and Meltdown Defenses"

    Researchers from the security firm Bitdefender have demonstrated a new side-channel attack similar to that of Spectre and Meltdown, called SWAPGS. The attacks could be performed through the abuse of modern CPUs' speculative execution capabilities, which allow the high-performance microprocessors to predict future instructions. Hackers can use SWAPGS to gain access to passwords, encryption keys, and other sensitive data in the operating system kernel memory. According to researchers, the SWAPGS side-channel attack can circumvent mitigations implemented for Spectre and Meltdown. This article continues to discuss the impact and performance of the new SWAPGS side-channel attack, as well as the bypassing of existing mitigations by this attack.

    Threatpost reports "New SWAPGS Side-Channel Attack Bypasses Spectre and Meltdown Defenses"

  • news

    "A Model Hospital Where the Devices Get Hacked—on Purpose"

    A mock hospital, called the Medical Device Village, will be set up at the 2019 DefCon hacking conference. The model hospital will consist of various medical devices, including pacemakers, insulin pumps, and other gadgets that one would find in an actual medical facility. In order to increase interest in bolstering the security of medical devices, researchers are encouraged to hack the devices in the model hospital. In addition to the mock hospital, there will be a formal capture the flag hacking competition and an opportunity for participants to get a more hands-on hacking experience. This article continues to discuss the Medical Device Village in relation to its purpose, previous versions, and support, along with the importance of implementing security in the design of medical devices.

    Wired reports "A Model Hospital Where the Devices Get Hacked--on Purpose"

  • news

    "New Windows Malware can Also Brute-Force WordPress Websites"

    A new malware strain named Clipsa has been discovered. Clipsa has been affecting users for the past year and has affected users all over the world. This malware is different from most forms of malware mainly because it can conduct brute-force attacks against WordPress sites. Most malware detection systems can detect this malware, so it is important to make sure individuals keep malware detection systems on their computers up to date.

    ZDNet reports: "New Windows Malware can Also Brute-Force WordPress Websites"

  • news

    Summer Internship at NSA in Science of Security

    The National Security Agency is currently taking applications for internships in summer 2020 for its Summer Program in Science of Security. Applications are being accepted until October 15, 2019.

  • news

    "From State-Sponsored Attackers to Common Cybercriminals: Destructive Attacks on the Rise"

    According to a report recently released by IBM X-Force Incident Response and Intelligence Services (IRIS), there has been a significant increase in destructive attacks against organizations. These attacks aim to paralyze organizations by deleting data, encrypting data, disabling devices, and more. Destructive malware used to be a tool mostly used by sophisticated nation-state actors, but an analysis of X-Force's incident response data reveals the increased use of such malware by cybercriminal attackers. Organizations are encouraged to test their response plans, leverage threat intelligence, create effective strategies for data backup, and more, in order to reduce the risks posed by destructive malware attacks. This article continues to discuss the rise in destructive attacks, the potential consequences of such attacks, the concept of destructive malware, the targeting of various types of businesses, and what organizations can do to reduce the risk of destructive malware attacks.

    Security Intelligence reports "From State-Sponsored Attackers to Common Cybercriminals: Destructive Attacks on the Rise"

  • news

    "Connected Cars Could be a Threat to National Security, Group Claims"

    Consumer Watchdog (CW) has released a new report, titled Kill Switch: Why Connected Cars Can be Killing Machines and How to Turn Them Off, which highlights the threat posed by connected vehicles to national security. While connected vehicle technologies offer unique benefits, they also introduce significant security risks, which have the potential to cause loss of life. Connected cars are more vulnerable to being hacked, manipulated, and disabled by hackers. According to the report, as the use of connected cars increases, the possibility of a large-scale hack on such vehicles that could lead to fatalities grows. This article continues to discuss the growing number of connected cars on the road, the threat posed by connected cars, automotive cybersecurity, and recommendations to improve the security of connected vehicles.

    Security Week reports "Connected Cars Could be a Threat to National Security, Group Claims"

  • news

    "Romance Scams Soar as Victims Become Unwitting Money Mules"

    It has been discovered that losses from romance scams soared by over 71% from 2017-18. Victims of romance scams are increasingly recruited as money mules. In 2017, 15,000 victims reported romance and confidence scams, which cost the victims 211 million dollars. By the following year, 18,000 victims were reporting being a part of romance and confidence scams. The 18,000 victims in 2018 reported losses of over 362 million dollars.

    InfoSecurity reports: "Romance Scams Soar as Victims Become Unwitting Money Mules"

  • news

    "Vital Infrastructures in the Netherlands Vulnerable to Hackers"

    A new report, titled Online Discoverability and Vulnerabilities of ICS/SCADA Devices in the Netherlands, recommends that vital infrastructure is protected differently as a result of the significant consequences that could occur when hackers attack such infrastructure. Research conducted by the University of Twente for the Scientific Research and Documentation Centre (WODC) of the Dutch Ministry of Justice and Security highlights the possibility of hackers disrupting critical infrastructures' operations and proper functions. This article continues to discuss the threats posed to critical infrastructure by hackers, cases in which hackers have targeted vital systems in different countries, and key findings of the report.

    The University of Twente reports "Vital Infrastructures in the Netherlands Vulnerable to Hackers"

  • news

    "New Tool Could Reduce Security Analysts' Workloads by Automating Data Triage"

    A new tool aimed at improving the performance of security analysts has been developed by researchers at Penn State and the U.S. Army Research Office. The tool reduces security analysts' workloads by automatically assigning degrees of urgency to repetitive tasks often performed by analysts. The automation of data triage operations in cyber analytics would allow analysts to dedicate more time to detecting and analyzing security-related events that have gone undiscovered. The technique used by this tool involves non-intrusive tracing of human-data triage operations, data mining of operation traces, and more. This article continues to discuss why data triage is a time-consuming stage in cyber analytics and the tool developed by researchers to reduce security analysts' workloads.

    TechXplore reports "New Tool Could Reduce Security Analysts' Workloads by Automating Data Triage"

  • news

    "New Dragonblood Vulnerabilities Found in Wi-Fi WPA3 Standard"

    Earlier this year, security researchers Mathy Vanhoef and Eyal Ronen uncovered critical design flaws in the Wi-Fi security and authentication standard, Wi-Fi Protected Access 3 (WPA3), which they dubbed Dragonblood vulnerabilities. Vanhoef and Ronen have discovered two new Dragonblood vulnerabilities that impact the WPA3 protocol. According to the researchers, the exploitation of these vulnerabilities could allow attackers to recover Wi-Fi passwords as well as leak information from the standard's cryptographic operations. The Wi-Fi Alliance is now updating WPA3 to prevent the attacks highlighted by researchers. However, researchers are calling for the Wi-Fi Alliance to allow the open-source community to help bolster the security of the standard. This article continues to discuss the impacts of the new Dragonblood vulnerabilities, the response to this discovery, and Wi-Fi Alliance's closed standards development process.

    ZDNet reports "New Dragonblood Vulnerabilities Found in Wi-Fi WPA3 Standard"

  • news

    "Cyberattacks Against Industrial Targets Have Doubled Over the Last 6 Months"

    It has been discovered that cyberattacks designed to cause damage have doubled in the past six months, and 50 percent of organizations affected are in the manufacturing sector. IBM reports that during the first half of 2019 the use of malware designed to cause damage has doubled in comparison to the second half of 2018. Manufacturing entities appear to be a constant target of these attacks, of which 50 percent of cases recorded relate to industrial companies. Organizations in oil, gas, and education are also more at risk of being subject to wipers and destructive attacks. It is important for organizations in oil, gas, education, and manufacturing to take security seriously, so that an expensive data breach or shutdown of production does not occur.

    ZDNet reports: "Cyberattacks Against Industrial Targets Have Doubled Over the Last 6 Months"

  • news

    Pub Crawl #29

  • news

    "Warning over Boom in Web Skimming Cyber Crime Targeting Online Stores"

    The security firm, Malwarebytes, has issued a warning to ecommerce companies about an increase in Magecart attacks that target online payments systems. Magecart is made up of sophisticated hacking groups that perform web-based card-skimming attacks to steal credit card numbers. According to Malwarebytes, 65,000 web-skimming Magecart data theft attempts were blocked in July. This article continues to discuss the growth, methods, targets, and alleged perpetrators of Magecart attacks, along with the difficulty of identifying the groups behind web-skimming attacks.

    Computing reports "Warning over Boom in Web Skimming Cyber Crime Targeting Online Stores"

  • news

    "Hacking Connected Cars to Gridlock Whole Cities"

    Internet-connected cars are more vulnerable to being hacked and disabled. A study conducted by a team of physicists at the Georgia Institute of Technology and Multiscale Systems Inc. looked into the effects that a large-scale hack on Internet-connected vehicles could have on traffic flow in a city. The study brings further attention to the physical consequences that could occur when cars are compromised by hackers. This article continues to discuss the study and its findings, along with some ideas as to how the potential damage inflicted by hacked connected cars could be reduced.

    Homeland Security News Wire reports "Hacking Connected Cars to Gridlock Whole Cities"

  • news

    "How to Reduce the Risk Posed by Vulnerable Mobile Apps"

    Findings of a recent study on the vulnerabilities contained by mobile apps for Android and iOS call for the bolstering of mobile security. Inadequate mobile security poses a risk to the security and privacy of individuals and organizations as more people use mobile devices and apps to perform activities that involve sensitive data such as credit card numbers, social security numbers, and more. In order to reduce the risk presented by vulnerable mobile apps, organizations are encouraged to choose the right mobile security solution for their business, assess their IT environment, reevaluate their BYOD practices, and determine the amount of risk they are willing to take. This article continues to discuss the vulnerability of mobile apps and how organizations could reduce the risk posed by these apps.

    Security Intelligence reports "How to Reduce the Risk Posed by Vulnerable Mobile Apps"

  • news

    Visible to the public "Teenage Hackers Are Offered a Second Chance Under European Experiment"

    A legal intervention campaign aimed at giving young first-time cybercrime offenders a second chance, called Hack_Right, has been created by police in the U.K. and the Netherlands. The effort is geared towards people between the ages of 12 and 23 who are suspected to have committed cybercrimes. These hackers would be pushed into doing community service in which they are required to complete 10 to 20 hours of ethical computer training. The program also puts participants in contact with professionals who can help them explore possible career paths and educational opportunities that would support their interests. This article continues to discuss the aim and structure of the Hack_Right program, as well as how European and American approaches to cybercriminal enforcement are different.

    CyberScoop reports "Teenage Hackers Are Offered a Second Chance Under European Experiment"

  • news

    Visible to the public "Companies Struggle With the Slow, Unpredictable Nature of AI Projects"

    AI is becoming more frequently used in everyday business. Even though AI is increasingly in use throughout the modern enterprise, many organizations will be unable to realize the full potential of their deployments until they find faster and more efficient means of tracking data, code, models and metrics across the entire AI lifecycle. In fact, 64.4% of organizations deploying AI said that it is taking between seven and 18 months to get their AI workloads from idea into production, illustrating the slow, unpredictable nature of AI projects today. It is important that businesses understand that using AI efficiently is not going to come quickly, and that it will take companies time to get used to and perfect the way they use AI.

    Help Net Security reports: "Companies Struggle With the Slow, Unpredictable Nature of AI Projects"

  • news

    Visible to the public "One Million Bank Phone Calls Found in Exposed Server"

    An independent researcher has discovered the exposure of an Amazon S3 bucket that contains data belonging to Bank of Cardiff. This data contains more than one million audio recordings of phone calls made by the bank's employees. Some of the phone conversations include the names and direct phone numbers of specific Bank of Cardiff employees. Other audio recordings include employees' calls to customers about loans, potential customers' discussions about their financial plans, and more. Based on the AWS folder directory, many of these recordings were made between 2015 and 2017. This article continues to discuss the exposure of Bank of Cardiff phone calls, the sensitive information revealed by these audio recordings, and the bank's response to this discovery.

    Motherboard reports "One Million Bank Phone Calls Found in Exposed Server"

  • news

    Visible to the public "Capital One Breach Also Hit Other Major Companies, Say Researchers"

    Researchers at the security firm CyberInt say that the recent data breach faced by Capital One may affect other major organizations, including Vodafone, Ford, Michigan State University and the Ohio Department of Transportation. Slack messages sent by the alleged hacker behind the Capital One breach, named Paige Thompson, indicate that these organizations may have also been impacted. This article continues to discuss the recent Capital One breach, responses from other companies that may have also been hit by the same data breach, and other recent data breaches in which a significant amount of sensitive information was leaked.

    TechCrunch reports "Capital One Breach Also Hit Other Major Companies, Say Researchers"

  • news

    Visible to the public "Tech Companies Not Doing Enough to Protect Users from Phishing Scams"

    Academics from Plymouth's Center for Security, Communications, and Network (CSCAN) Research conducted a study in which they examined the effectiveness of phishing filters in different email providers. The majority of potential phishing messages used in this study successfully reached inboxes and were not labeled as spam or suspicious, which indicates the significant inadequacy of email providers' phishing filters. The findings of the study call for technology companies to improve their efforts in protecting individuals and organizations against phishing threats. This article continues to discuss the study and its findings, as well as the rising number of phishing incidents, the different forms of phishing, and the importance of improving phishing detection.

    Science Daily reports "Tech Companies Not Doing Enough to Protect Users from Phishing Scams"

  • news

    Visible to the public "New to Autonomous Security"

    Efforts continue to be made to make cybersecurity more autonomous. According to the Defense Advanced Research Projects Agency (DARPA), cybersecurity is about being faster than adversaries and keeping up with the continuously changing threat landscape. Autonomous security systems can help these efforts by making decisions previously made by humans, such as those about the vulnerability of code and the deployment of patches. A fully autonomous security system should be capable of automatically detecting new vulnerabilities, rewriting applications in a way that prevents their exploitation, measuring the business impact of protection measures, and more. This article continues to discuss the concept of autonomy in cybersecurity, the DARPA Cyber Grand Challenge aimed at demonstrating autonomous application security, the components of a fully autonomous security system, the categories of AppSec technologies, and the goals of autonomous security.

    CSO Online reports "New to Autonomous Security"

  • news

    Visible to the public "AWDL Flaws Open Apple Users to Tracking, MitM, Malware Planting"

    It has been discovered that there are vulnerabilities in Apple Wireless Direct Link (AWDL), the wireless protocol that underpins Apple's AirPlay and AirDrop services. These vulnerabilities could allow attackers to track users in spite of MAC randomization, to intercept and modify transmitted files, and to prevent transmission or crash devices altogether. Apple has been notified of these vulnerabilities and has fixed one Denial of Service (DoS) bug, but to address the rest of the vulnerabilities discovered, they have to redesign some of their services.

    Help Net Security reports: "AWDL Flaws Open Apple Users to Tracking, MitM, Malware Planting"

  • news

    Visible to the public "Google Researchers Disclose Vulnerabilities for 'Interactionless' iOS Attacks"

    Two members of Google's team of security analysts dedicated to finding zero-day vulnerabilities in software products, called Project Zero, have released details on six critical vulnerabilities that affect the iOS operating system. These vulnerabilities are considered to be interactionless in that users do not need to interact with their iOS device for the vulnerabilities to be exploited. Four of the security bugs can enable the execution of malicious code, while the other two bugs can allow attackers to leak data and read files. The iOS 12.4 update released earlier this month addressed these vulnerabilities. This article continues to discuss the iOS security flaws discovered by Google researchers and the presentation that will be given at the 2019 Black Hat security conference about these vulnerabilities.

    ZDNet reports "Google Researchers Disclose Vulnerabilities for 'Interactionless' iOS Attacks"

  • news

    Visible to the public "U.S. Issues Hacking Security Alert for Small Planes"

    The U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an alert for small planes pertaining to the vulnerability of modern flight systems to hacking. According to the ICS Alert, a small device could be attached to an avionic CAN bus, allowing attackers to manipulate engine readings, compass data, altitude, and more, so that incorrect measurements are given to pilots. A pilot that is dependent on instrument readings could lose control of an aircraft if they are given false readings. Therefore, plane owners are urged to restrict physical access to their aircraft by unauthorized individuals. In addition, manufacturers of aircraft are encouraged to review the implementation of the CAN bus to limit the performance of such attacks. This article continues to discuss the vulnerability of small planes to being hacked and concerns surrounding aviation cybersecurity.

    AP reports "U.S. Issues Hacking Security Alert for Small Planes"

  • news

    Visible to the public "Researchers Hack Surveillance Systems to Show Fake Video Feed"

    Security researchers at Forescout conducted a study in which they examined the security vulnerabilities in Internet of Things (IoT) devices being used in smart buildings, such as IP cameras, smart lighting, and more. Organizations are increasingly turning to automation provided by connected devices in order to increase efficiency and reduce operational costs. However, these devices can introduce security risks if they are not properly configured and managed. The IoT devices analyzed in this study were discovered to be relying on insecure streaming protocols for video streaming, file transfer, and web management as encrypted protocols were not supported or enabled by default. The poor configuration of these IoT devices could allow malicious actors to sniff traffic for sensitive information or tamper with video footage. This article continues to discuss the increased dependence on IoT systems by corporations, the default insecurity of IoT devices, and the attacks demonstrated by researchers on a video surveillance system (VSS) and a smart lighting system, along with the implementation of network segmentation to improve IoT security.

    Bleeping Computer reports "Researchers Hack Surveillance Systems to Show Fake Video Feed"

  • news

    Visible to the public "Capital One Breach: Info on 106 Million Customers Compromised, Hacker Arrested"

    It has been discovered that Capital One has been affected by a massive data breach, which allowed the attacker to retrieve information related to people who had applied for its credit card products and to Capital One credit card customers. Approximately 100 million individuals in the United States and approximately 6 million in Canada were affected by this breach. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including customer status data (for example, credit scores, credit limits, balances, payment history, and contact information) and fragments of transaction data from a total of 23 days during 2016, 2017 and 2018. The company also discovered that credit card account numbers and log-in credentials were not compromised, but that around 140,000 Social Security numbers of their credit card customers, around 80,000 linked bank account numbers of their secured credit card customers, and approximately 1 million Social Insurance Numbers of their Canadian credit card customers were. The individual responsible for this data breach has been arrested.

    Help Net Security reports: "Capital One Breach: Info on 106 Million Customers Compromised, Hacker Arrested"