News Items

  • news

    Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is "How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games" by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and the University of California, Santa Barbara. This paper was originally accepted at the 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage: https://cps-vo.org/group/sos/papercompetition/pastcompetitions

  • news

    Getting Started on Science Fair Projects

    What makes a great cyber science fair project? The SoS-VO has a node for that...

  • news

    NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its BAA (really a request for proposals) for its next generation of SoS Lablets. These lablets include lablets on the 5 Hard Problem areas in Science of Security, on the Science of Privacy and dealing with Cyber Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can aid in directing: https://cps-vo.org/group/SoS/contact

  • news

    "Consumer IoT Devices Are Compromising Enterprise Networks"

    The number of consumer Internet of Things (IoT) devices connected to enterprise networks has increased significantly. According to the 2019 IoT Threats Report, which highlights findings of a study conducted by researchers at Zscaler ThreatLabZ, many IoT data transactions conducted within the enterprise network are poorly encrypted. The top four IoT devices found in these business environments include set-top boxes, smart TVs, smart watches, and media players. This study brings further attention to the security challenges associated with a BYOD (bring your own device) environment. This article continues to discuss findings of the study in relation to the connection of consumer-grade IoT devices to enterprise networks, the security risks posed by this connection, and security challenges faced by organizations with BYOD environments.

    Dark Reading reports "Consumer IoT Devices Are Compromising Enterprise Networks"

  • news

    "Ransomware Not Gone but More Targeted, Report Says"

    According to the Q1 Global Threat Landscape Report recently released by Fortinet, the launch of ransomware has decreased. However, this form of malware has become more targeted. Ransomware is being tailored more for high-profile targets that could allow attackers to gain access to entire networks. The recent ransomware attack, known as LockerGoga, on the Norwegian aluminum company Norsk Hydro ASA and two U.S.-based chemical companies, Hexion and Momentive, is an example of targeted ransomware. This article continues to discuss recent observations surrounding ransomware as well as the tools used to execute cyberattacks and the trend of shared infrastructure between threats.

    Infosecurity Magazine reports "Ransomware Not Gone but More Targeted, Report Says"

  • news

    "Middle East-Linked Hacking Group Is Working Hard to Mask Its Moves"

    Researchers from Cisco's Talos have discovered that the hacking group supposedly linked to the Middle East, called BlackWater, is trying to mask its activities by circumventing host-based signatures and Yara signatures. According to researchers, these hackers have been successful at evading detection systems through the use of PowerShell stager attacks and a Visual Basic for Applications (VBA) script in addition to a separate command and control server. The actors behind BlackWater and the Iranian threat group, MuddyWater, are believed to be related as the code used by the two groups is the same and their targets are similar. This article continues to discuss the BlackWater hacking group in relation to its obfuscating tactics, tools, targets, and supposed links.

    CyberScoop reports "Middle East-Linked Hacking Group Is Working Hard to Mask Its Moves"

  • news

    "Database May Have Exposed Instagram Data for 49 Million"

    A potential leak of personally identifiable information from Instagram has been identified. An online database was discovered that contained the private information of 49 million Instagram users, including their email addresses and phone numbers. The investigation found that Chtrbox, a social media company located in India, had stored the information in the database. The database, which was hosted on Amazon Web Services, was left open on the internet without password protection. Chtrbox has since pulled the database offline.

    BankInfoSecurity reports: "Database May Have Exposed Instagram Data for 49 Million"

  • news

    "Google Research: Most Hacker-For-Hire Services Are Frauds"

    According to new research conducted by Google and academics at the University of California, San Diego, most hacker-for-hire services offered online are fraudulent and unsuccessful. The research conducted behind this discovery involved engaging with 27 account hacking service providers and setting up honey pot Gmail accounts. Out of the 27 hacking services, only five executed attacks against the honey pot Gmail accounts. These attacks were performed using social engineering tactics. This article continues to discuss the study in relation to how it was conducted by researchers, along with key observations pertaining to hacking services' techniques, pricing, and responses to inquiries.

    ZDNet reports "Google Research: Most Hacker-For-Hire Services Are Frauds"

  • news

    "Industrial Robotics - Are You Increasing Your Cybersecurity Risk?"

    Industrial robots have been used to support product manufacturing, productivity, and safety. Though there has not been a wave of cyberattacks against industrial robots that we know of, such robots are expected to become a more attractive target for hackers as the costs of such technology decrease and the number of robots increases. Researchers have already demonstrated proof-of-concept (POC) attacks on well-known robots in which ransomware was executed. As cyberattacks on robots in industrial environments can impact the operation of businesses and the physical safety of workers, it is important that the security of such technology is improved through further research and development. This article continues to discuss the growing use of robots in industrial environments, challenges associated with industrial robots, the cybersecurity risks raised by these robots, and the importance of designing robots with security in mind.

    Security Week reports "Industrial Robotics - Are You Increasing Your Cybersecurity Risk?"

  • news

    "Researchers: Aircraft Landing Systems Vulnerable"

    Researchers from Khoury College of Computer Sciences at Northeastern University in Boston have demonstrated the vulnerability of aircraft landing systems to spoofing attacks, which could be launched by attackers to misguide planes into missing runways. The researchers demonstrated that wireless signals to critical aircraft landing systems can be spoofed using inexpensive software-defined radios (SDRs). It has been emphasized that most wireless systems used by aviation technology are vulnerable to cyber-physical attacks. The research is detailed in a paper titled "Wireless Attacks on Aircraft Instrument Landing Systems". This article continues to discuss how this study was conducted by researchers, the guidance systems used by modern airplanes, the attacks demonstrated against these navigation tools, and the need for more research in regard to building more secure aircraft landing systems.

    ISMG Network reports "Researchers: Aircraft Landing Systems Vulnerable"

  • news

    "How effective are login challenges at preventing Google account takeovers?"

    Despite implementation bugs that might affect the security of physical security keys, Google argues that physical security keys are still the strongest protection against phishing currently available. On-device prompts and SMS codes are also extremely successful at blocking account hijacking attempts by automated bots and bulk phishing attacks. However, on-device prompts and SMS codes can still be bypassed by attackers with some level of skill who focus on targeting specific users. Knowledge-based challenges (recovery phone number, last sign-in location, etc.) are fantastic at stopping bots, but are not very good at preventing bulk phishing and targeted attacks. In the event of a suspicious sign-in attempt, Google's risk analysis engine selects the strongest challenge that an account's legitimate owner should ideally be able to solve. Google's research has shown that simply adding a recovery phone number to one's Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks. Google is urging medium- to low-risk users to choose strong and unique passwords, set up a recovery phone number or email address, and set up two-factor authentication to decrease the likelihood of successful attacks. Google has also urged high-risk users to start using the Advanced Protection Program, which requires the use of physical keys, limits full access to users' Gmail and Drive to specific apps, and adds extra steps to the account recovery process. If these procedures are followed, then attacks will be much less likely to be successful.

    HELPNETSECURITY reports: "How effective are login challenges at preventing Google account takeovers?"

  • news

    "Lack of Secure Coding Called a National Security Threat"

    The lack of secure coding is a pervasive and serious threat to national security. In order to fix the problem of coders not performing secure coding, one needs to come up with an objective standard and a legislative mandate that requires a certain level of assurance to provide an assured product. Fixing this problem will not be easy, due to speed-to-market pressures and the sheer number of IoT devices being produced. Even though it will be tough to fix, it is important that one takes insecure coding seriously, in order to help keep individuals' information more secure and so that software can be produced that is less vulnerable to attacks.

    Bank Info Security reports: "Lack of Secure Coding Called a National Security Threat"

  • news

    "Bluetooth's Complexity Has Become a Security Risk"

    Bluetooth security vulnerabilities arise on account of the protocol's complexity. The documentation for the Bluetooth standard is significantly longer and more comprehensive than the material provided for other wireless protocols, making it increasingly complex and difficult for manufacturers to handle. According to Ken Kolderup, vice president of marketing at the Bluetooth Special Interest Group (SIG), the standard's documentation is extensive because it defines a radio frequency for the standard and covers components of hardware, applications, and more, in order to ensure that interoperability between Bluetooth devices is enabled. This article continues to discuss vulnerabilities associated with the Bluetooth standard, the complexity of the Bluetooth standard, recent discoveries in relation to Bluetooth implementation and configuration issues, and how the Bluetooth SIG plans to help improve the security of Bluetooth implementations.

    Wired reports "Bluetooth's Complexity Has Become a Security Risk"

  • news

    "EU Approves Cyber-Attack Sanctions Ahead of Election"

    The European Union (EU) has agreed upon the enforcement of new cyber sanctions that would penalize cyberattackers by freezing their assets and banning them from traveling. The aim of the automatic set of sanctions is to discourage the future launch of cyberattacks as malicious actors have made attempts at attacking the EU's critical infrastructure, stealing commercial secrets, and more. This article continues to discuss the EU's approval of a cyber sanctions regime plan, the aim of cyberattack sanctions, and recent high-profile cyberattacks against the EU.

    Engadget reports "EU Approves Cyber-Attack Sanctions Ahead of Election"

  • news

    "Will the U.S. Government Draft Cybersecurity Professionals?"

    The National Commission on Military, National, and Public Service is considering modernizing the Selective Service System (SSS) to include the possible conscription of those who are highly skilled in cybersecurity. One of the goals of this modification is to recruit and promote older cybersecurity experts with a lot of experience, thus focusing on experts who are 30 or older. This article continues to discuss the possible compulsory enlistment of cybersecurity experts to serve in the military and civil service, current Selective Service rules, changing the shape of the military with cybersecurity professionals, and the increased deployment of more experienced security practitioners by the U.S. Army Cyber Command.

    CSO Online reports "Will the U.S. Government Draft Cybersecurity Professionals?"

  • news

    Winners of the 2019 NSA Research Directorate Awards at ISEF 2019

    Phoenix, AZ - On Thursday night, May 16, 2019, the National Security Agency Executive Director, Mr. Harry Coker, and NSA Researcher and Science of Security and Privacy (SoS) Technical Lead, Dr. Adam Tagert, presented the NSA Research Directorate Awards to 10 outstanding high school scientists. These students were finalists at the 2019 Intel International Science and Engineering Fair (ISEF).

  • news

    "How to Break Our Bad Online Security Habits – with a Flashing Cyber Nudge"

    Cyberattacks continue to rise as a result of human error, the growing complexity of technology, and the increasing sophistication of attack methods. It is important that methods for encouraging good cybersecurity behaviors continue to be explored and developed. A circuit board, called the Adafruit Circuit Playground, can be used to nudge end users into following proper cybersecurity practices. This article continues to discuss privacy fatigue, the exploitation of users' busyness to launch attacks, approaches to breaking bad cybersecurity habits, and the idea behind the Adafruit Circuit Playground.

    Phys.org reports "How to Break Our Bad Online Security Habits - with a Flashing Cyber Nudge"

  • news

    "Unsecured Survey Database Exposes Info of 8 Million People"

    An independent security researcher, named Sanyam Jain, discovered an unsecured Elasticsearch database, which exposed personal information belonging to 8 million people who have responded to online surveys, entered sweepstakes, and requested free product samples. The information exposed by this database included full names, home addresses, email addresses, IP addresses, phone numbers, and more. A performance-based marketing company, named Ifficient, was found to be the owner of the database. This article continues to discuss the discovery of the unsecured database, what information was exposed, and Ifficient's response to this discovery.

    Bleeping Computer reports "Unsecured Survey Database Exposes Info of 8 Million People"

  • news

    "Blockchains Are Being Exploited by Bots for Profit"

    New research conducted at Cornell Tech brings attention to the exploitation of weaknesses in blockchains by attackers through the use of bots for the purpose of gaining profit. The blockchain is a decentralized distributed ledger used to process and finalize cryptocurrency transactions. According to researchers, bots are exploiting time delays in the blockchain system in order to make trades at a higher speed than humans. As a result, bots can have access to information in advance, which could be used to make deals. This article continues to discuss blockchain technology, research discoveries surrounding the inefficiencies of the blockchain system, and the exploitation of these weaknesses by an army of bots.

    Homeland Security News Wire reports "Blockchains Are Being Exploited by Bots for Profit"

  • news

    "Billions of Malicious Bot Attacks Take to Cipher-Stunting to Hide"

    In addition to the growing advancement of malware development, cybercriminals are also increasing the complexity of the ways in which they evade detection. According to researchers at Akamai, attackers have been observed to be increasing their use of a TLS tampering technique, called cipher stunting, which masks malicious bot activity as live human traffic on the web, thus allowing detection attempts to be evaded. This article continues to discuss the concept, increased performance, and targets of cipher stunting.

    Threatpost reports "Billions of Malicious Bot Attacks Take to Cipher-Stunting to Hide"

  • news

    "CyberPatriot Competitions Offer Answers to U.S. Cybersecurity Workforce Challenges"

    A section in the new Executive Order on America's Cybersecurity Workforce calls for the establishment of more cyber competitions in support of raising awareness about the cybersecurity field, cultivating cyber skills, and sustaining a national cybersecurity workforce. It is important that efforts are made to further prepare the next generation of cybersecurity professionals. The CyberPatriot Program, created by the Air Force Association, is aimed at developing the cyber skills of middle school and high school students, and encouraging them to explore career paths in cybersecurity or other STEM disciplines. This article continues to discuss the objective of CyberPatriot and its National Youth Cyber Defense Competitions.

    GovTech reports "CyberPatriot Competitions Offer Answers to U.S. Cybersecurity Workforce Challenges"

  • news

    "Before Blaming Hackers, Check Your Configurations"

    Widely used cloud platforms, such as Office 365 from Microsoft or G-Suite from Google, are often administered by IT professionals tasked with all aspects of configuration; security is not their primary focus. Most Software as a Service (SaaS) applications have default settings that are tuned to empower end-users with full control over collaboration and data access. The default settings are usually configured for easy access and usability instead of better security. Users of SaaS should look at the default settings and change them to focus more on security. Improving configuration management in SaaS applications can minimize the risk of data loss and phishing campaigns, and can help prevent breaches.

    InfoSecurity reports: "Before Blaming Hackers, Check Your Configurations"

  • news

    "How AI Augments Mobile Authentication"

    The U.S. Department of Defense recently awarded a 20-month $2.42 million contract to a company, named TWOSENSE.AI, in support of developing technology that uses artificial intelligence (AI) to learn about mobile users' behavior and continuously authenticates the users based on the behaviors learned by the AI. The behaviors that will be monitored and learned by the technology include gait, keystrokes, and fingertip pressure. The technology will supplement traditional authenticators instead of replacing them, as users will still be asked to provide usernames, passwords, one-time personal identification numbers, or biometric identifiers if the authentication process involving learned behaviors goes wrong. This article continues to discuss the concept, support, development, and research behind this technology.

    GCN reports "How AI Augments Mobile Authentication"

  • news

    "A Cisco Router Bug Has Massive Global Implications"

    Security researchers at Red Balloon have discovered two vulnerabilities in the Cisco 1001-X series router. Cisco's 1001-X routers are used for connectivity at stock exchanges, local malls, corporate offices, and more. The exploitation of these security flaws could allow hackers to steal the data that passes through the routers. These bugs are significant in that they enable hackers to remotely gain root access to routers and circumvent the security protection, Trust Anchor, which has been built into most of Cisco's enterprise devices since 2013. According to researchers, the techniques used to bypass Trust Anchor could be used by attackers to infiltrate the networks in which these devices are connected. This article continues to discuss the vulnerabilities and the potential impact that these flaws could have on institutions, along with some concerns surrounding the mitigation of the vulnerabilities and the research conducted behind these discoveries.

    Wired reports "A Cisco Router Bug Has Massive Global Implications"

  • news

    "Why Local Governments Are a Hot Target for Cyberattacks"

    Cyberattacks against local governments have been on the rise as indicated by the recent wave of ransomware attacks faced by municipalities within the U.S. Security experts have provided reasons as to why local governments have become an attractive target for cyberattacks. According to researchers, cities are increasingly utilizing the Internet to deliver services, city systems are storing massive amounts of data, cities are resource-constrained in regard to cybersecurity, and more. This article continues to discuss recent cases in which U.S. municipalities have been hit with malware and ransomware, and why cities are vulnerable to cyberattacks.

    CSO Online reports "Why Local Governments Are a Hot Target for Cyberattacks"

  • news

    "Employees are aware of USB drive security risks, but don’t follow best practices"

    In a study that was conducted, employees were found to be aware of the risks associated with inadequate USB drive security. It was found that while 91 percent of respondents claimed that encrypted USB drives should be mandatory, 58 percent of respondents confirmed that they regularly use non-encrypted USB drives. Although 64 percent of organizations have a policy outlining acceptable use of USB devices, 64 percent of respondents said their employees use USB drives without obtaining advance permission to do so. It was also discovered that nearly half of the respondents lost a USB drive without notifying appropriate authorities about the incident. It is important that employers implement strict security policies to defend against the shortcuts employees will take. Beyond policies and procedures, organizations should reinforce that their employees use encrypted USB drives that require a unique PIN to make information on USB drives more secure.

    HELPNETSECURITY reports: "Employees are aware of USB drive security risks, but don't follow best practices"

  • news

    "Intel CPUs Impacted by New Zombieload Side-Channel Attack"

    A team of researchers has recently disclosed a new side-channel attack, called Zombieload. This attack is of the same category as Meltdown, Spectre, and Foreshadow in that it also abuses the speculative execution capabilities of modern CPUs to gain access to sensitive data. Zombieload exploits the speculative execution capabilities of CPUs' microarchitectural data structures, used to increase the speed at which data is read or written, in order to make assumptions about the data that is being processed in the CPU by other applications. This article continues to discuss Zombieload and other Microarchitectural Data Sampling (MDS) attacks discovered by researchers.

    ZDNet reports "Intel CPUs Impacted by New Zombieload Side-Channel Attack"

  • news

    "Design Flaws Create Security Vulnerabilities for 'Smart Home' Internet-of-Things Devices"

    Flaws in the design of smart home Internet of Things (IoT) devices have been discovered by researchers at North Carolina University. The discovery of these design flaws is shared in a paper, titled Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-Home Internet of Things. According to researchers, the exploitation of these design flaws could lead to the prevention of security information sharing by smart home IoT devices to homeowners. Notifications pertaining to security problems such as break-ins can be blocked by attackers. This article continues to discuss the design flaws in smart home IoT devices that have been identified by researchers, the suppression attacks that can be performed through the abuse of the flaws, and potential solutions for addressing these vulnerabilities.

    Science Daily reports "Design Flaws Create Security Vulnerabilities for 'Smart Home' Internet-of-Things Devices"

  • news

    "WhatsApp flaw used to install spyware by simply calling the target"

    A security vulnerability in the popular Facebook-owned end-to-end encrypted messaging app WhatsApp allowed attackers to install spyware on smartphones without any user interaction or knowledge. WhatsApp discovered the vulnerability in early May, and found that it was being exploited to deliver the Pegasus mobile spyware to distinct targets. The number of individuals targeted by the attack is currently unknown. It is recommended that every user of WhatsApp download the new update, which fixes the vulnerability.

    HELPNETSECURITY reports: "WhatsApp flaw used to install spyware by simply calling the target"

  • news

    "Flaws in a Popular GPS Tracker Leak Real-Time Locations and Can Remotely Activate Its Microphone"

    Security vulnerabilities have been discovered in a popular GPS tracker used to monitor children, track vehicles, and send alerts pertaining to elderly patients. The white-label location tracker is manufactured in China and is sold by companies, including Pebble by HoIP Telecom, OwnFone Footprint, SureSafeGo, and more. According to cybersecurity researchers from Fidus Information Security, these flaws could be exploited by attackers to retrieve information about a user's real-time location, secretly listen in on users, or completely disable the device. This article continues to discuss the GPS tracker, the security flaws that it has been discovered to contain, how attackers can exploit these vulnerabilities, and how this problem could be addressed.

    TechCrunch reports "Flaws in a Popular GPS Tracker Leak Real-Time Locations and Can Remotely Activate Its Microphone"

  • news

    "Hackers Still Outpace Breach Detection, Containment Efforts"

    Reports recently released by security researchers, including the Trustwave 2019 Global Security Report and the FireEye 2019 Mandiant M-Trends Report, indicate that there has been an improvement in the discovery and containment of data breaches as organizations have increased the speed at which cyber incidents are detected. According to the results of studies highlighted by these reports, the time between intrusion and detection has been shortened significantly by days. Mandiant shared that the time between the occurrence of compromise and its discovery decreased from 101 days in 2017 to 78 days in 2018, showing a major decrease in dwell time. Dwell time is the amount of time attackers go undetected in a system or the time it takes for an organization to become aware of an incident. Cybersecurity teams should continue striving to reduce dwell time. However, security researchers still emphasize that attackers do not need a lot of time to inflict major damage. This article continues to discuss findings in relation to the improvement in breach detection and containment, and the use of automation to improve such efforts.

    Dark Reading reports "Hackers Still Outpace Breach Detection, Containment Efforts"

  • news

    "Three Ways GDPR Benefits US Companies"

    The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. The purpose of the GDPR is to ensure the protection of personal data belonging to EU residents by enforcing a standard upon any companies that manage this data. The GDPR has a far-reaching impact as any company that conducts business with EU citizens is expected to comply with this regulation, pressuring organizations to improve their efforts in regard to privacy and security. U.S. organizations have benefited from GDPR in that this regulation has pushed organizations to improve their incident response strategies, make great efforts to strengthen Internet of Things (IoT) security, and prepare for U.S. data privacy regulations. This article continues to discuss GDPR and how U.S. organizations have benefited from the regulation, along with the GDPR's next steps.

    Help Net Security reports "Three Ways GDPR Benefits US Companies"

  • news

    "Despite warnings, most people still don’t change their passwords"

    1050 individuals were surveyed about their passwords. It was discovered that 64% of people used the same password for some, or even all, of their online accounts, while only 21% used a different password for each account. 21% of the respondents used personal information to create passwords. 9% of respondents said that they had never changed their main email account password. It was also discovered that 45% of users include special characters in their passwords such as @ or $, while 32% say their passwords contain fewer than eight letters. Most passwords (35%) have up to ten characters, while 16% are the most security-conscious, with over 12 characters. It is important for individuals and businesses to take password security seriously, because weak passwords make it much easier for hackers to access sensitive information and cause a data breach.

    HELPNETSECURITY reports: "Despite warnings, most people still don't change their passwords"

  • news

    "Artificial Intelligence May Not 'Hallucinate' After All"

    Great advancements have been made in machine learning in regard to image recognition as this technology can now identify objects in photographs as well as generate authentic-looking fake images. However, the machine learning algorithms used by image recognition systems are still vulnerable to attacks that could lead to the misclassification of images. Researchers continue to explore the problem of adversarial examples, which could be used by attackers to cause a machine learning classifier to misidentify an image. This article continues to discuss the concept and new research behind adversarial examples.

    Wired reports "Artificial Intelligence May Not 'Hallucinate' After All"

  • news

    "This Ransomware Sneakily Infects Victims by Disguising Itself With Anti-Virus Software"

    According to cybersecurity researchers at Trend Micro, ransomware, called Dharma, which emerged in 2016, has been updated to deceive users into installing it by posing as anti-virus software. New details pertaining to the updated version of Dharma ransomware reveal that the file-locking malware hides inside a fake anti-virus software installation. Researchers suggest that organizations implement stronger cybersecurity practices such as securing email gateways, frequently backing up files, and more, in order to avoid being hit by Dharma and other similar cyberattacks. This article continues to discuss Dharma ransomware in relation to its impact, process, and distribution, along with how organizations can avoid such threats.

    ZDNet reports "This Ransomware Sneakily Infects Victims by Disguising Itself With Anti-Virus Software"

  • news

    Visible to the public "Study Finds Wi-Fi Location Affects Online Privacy Behavior"

    A team of scientists conducted a study to see if a person's location offline affects how they behave online in regard to privacy. The study also explores changes in online privacy behavior resulting from the presence of a virtual private network (VPN) logo, the provision of terms and conditions by the wireless provider, and more. The study was conducted by observing the online behavior of participants from Amazon Mechanical Turk in four different types of physical locations, including a coffee shop, a university, an Airbnb, and home. Scientists observed unethical behavior, ethical behavior, and the disclosure of private information online. This article continues to discuss the purpose and findings of this study.

    Tech Explorist reports "Study Finds Wi-Fi Location Affects Online Privacy Behavior"

  • news

    Visible to the public "Bypassing Popular Passwords"

    A new model for password protection has been proposed by Jaryn Shen and Qinqkai Zeng of the State Key Laboratory for Novel Software Technology, and Department of Computer Science and Technology, at Nanjing University, China. The new approach aims to protect passwords from online and offline attacks without requiring users to create and memorize their passwords, as it is difficult to get users to create more complex passwords, use password managers, and enable multi-factor authentication. This article continues to discuss the new password protection approach proposed by researchers.

    Phys.org reports "Bypassing Popular Passwords"

  • news

    Visible to the public "The IoT threat landscape is expanding rapidly, yet few companies are addressing third party risk factors"

    There has been a dramatic increase since 2017 in IoT-related data breaches caused specifically by an unsecured IoT device or application. It has jumped from 15 percent to 26 percent, and the results might actually be greater, because most organizations are not aware of every unsecured IoT device or application in their environment or from third party vendors. Most organizations surveyed have no centralized accountability to address or manage IoT risks. Less than half of company board members approve programs intended to reduce third party risk and only 21 percent of board members are highly engaged in security practices and understand third party and cybersecurity risks in general. Companies will have to take all risks, including IoT risks, seriously if they want to lessen the chances of a breach occurring.

    HELPNETSECURITY reports: "The IoT threat landscape is expanding rapidly, yet few companies are addressing third party risk factors"

  • news

    Visible to the public "Critical flaw allows attackers to take over Cisco Elastic Services Controllers"

    A critical flaw allowed attackers to take over Cisco Elastic Services Controllers (ESC). ESC is popular enterprise software for managing virtualized resources. The vulnerability is due to improper validation of API requests. An attacker who found the flaw could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system. This critical, remotely exploitable authentication bypass vulnerability in Cisco Elastic Services Controller has since been patched.

    HELPNETSECURITY reports: "Critical flaw allows attackers to take over Cisco Elastic Services Controllers"

  • news

    Visible to the public "Flaws in Metrics for User Login Systems"

    A study conducted at Rutgers University-New Brunswick brings further attention to flaws in the metrics used to measure the performance of user login systems. In addition to highlighting these flaws, the study proposes a solution towards measuring the success of authentication systems. According to researchers, the solution involves combining the strengths of popular metrics from other fields with a metric that is rarely used. The proposed method can be used by researchers, government agencies, the public, and more, to increase the success of their authentication systems. This article continues to discuss the study done by Rutgers engineers and the novel solution they have proposed.

    Homeland Security News Wire reports "Flaws in Metrics for User Login Systems"

  • news

    Visible to the public "Unhackable? New chip makes the computer an unsolvable puzzle"

    A new computer processor architecture called MORPHEUS could usher in a future where computers proactively defend against threats. It would be able to render the current electronic security model of bugs and patches obsolete. MORPHEUS has been developed at the University of Michigan. The chip blocks potential attacks by encrypting and randomly reshuffling key bits of its own code and data 20 times per second, infinitely faster than a human hacker can work and thousands of times faster than even the fastest electronic hacking techniques.

    HELPNETSECURITY reports: "Unhackable? New chip makes the computer an unsolvable puzzle"

  • news

    Visible to the public "Industry Warns of Flaws as Gov’t Proposes Mandatory IoT Security Labelling"

    The UK government is considering establishing an IoT security labelling scheme, which will help inform consumers about how secure IoT products are. The consultation suggests three security requirements laid out by the UK government's "Secure by Design" Code of Practice, which calls for the building of cybersecurity measures in the design phase of IoT products. Manufacturers of IoT devices would be required to ensure that IoT device passwords are highly unique and unable to be reset to factory default passwords. This article continues to discuss the IoT security labelling consultation and concerns surrounding the proposed IoT security legislation.

    CBR reports "Industry Warns of Flaws as Gov't Proposes Mandatory IoT Security Labelling"

  • news

    Visible to the public "50,000 Companies Exposed to Hacks of 'Business Critical' SAP Systems: Researchers"

    New ways of exploiting vulnerabilities in SAP software have been discovered by security researchers. These vulnerabilities leave the 50,000 companies that use this software susceptible to being hacked. The exploitation of these vulnerabilities could enable hackers to hinder the operations of companies, steal information on companies' SAP systems, and alter this information, allowing the performance of financial fraud, the withdrawal of money, and more. This article continues to discuss the use of SAP software and what the abuse of vulnerabilities in SAP software could allow hackers to do to companies.

    Reuters reports "50,000 Companies Exposed to Hacks of 'Business Critical' SAP Systems: Researchers"

  • news

    Visible to the public Executive Order on America’s Cybersecurity Workforce

    The White House released an Executive Order on America's Cybersecurity Workforce. It calls this workforce a national asset. It calls for the government to enhance the mobility of the workforce to move between public and private employment. It calls for the development of skills and for the government to recognize and reward the highest-performing cybersecurity workers.

    It calls for the creation of an annual cybersecurity competition for federal civilian and military members. The first competition is to be held in 2019.

    For the order and additional details:

  • news

    Visible to the public "Majority of Encrypted Email Clients Vulnerable to Signature Spoofing"

    Researchers from the Ruhr University Bochum and Munster University of Applied Sciences examined the implementation of two major email encryption standards, OpenPGP and S/MIME. According to the findings of this analysis, the majority of leading encrypted email clients that support these standards are vulnerable to digital signature spoofing. Five different classes of attack are described by researchers, which are CMS attacks, GnuPG API attacks, MIME attacks, ID attacks, and UI attacks. This article continues to discuss the susceptibility of encrypted email clients to digital signature spoofing, the classes of attack described by researchers, and what the results of this investigation suggest.

    SecurityWeek reports "Majority of Encrypted Email Clients Vulnerable to Signature Spoofing"

  • news

    Visible to the public "GAO Flags New Cybersecurity Issues for Upcoming Census"

    The Government Accountability Office (GAO) urges the Census Bureau to improve upon its cybersecurity. The public will be allowed to respond to the 2020 Decennial Census via the internet. In addition, field-based enumerators will be allowed to use applications on mobile devices to gather survey data from households. Personally identifiable information such as names, birth dates, living situations, and more, will be more susceptible to being digitally hacked as a result of these changes. This article continues to discuss how the 2020 Decennial Census will be conducted, the security risks that will be introduced by changes made to the collection of data, and recommendations for the Bureau in relation to the improvement of its posture against security risks.

    Nextgov reports "GAO Flags New Cybersecurity Issues for Upcoming Census"

  • news

    Visible to the public "Can Wi-Fi Networks Be Completely Secure?"

    Researchers in China have reviewed different Wi-Fi hacking techniques that attackers have been discovered to use and suggested ways in which the security of a wireless infrastructure can be improved. Rogue AP, ARP spoofing, and Wi-Fi MITM are three of the top exploit kits used to hack Wi-Fi, which have also been examined by researchers. It has been highlighted that hackers and crackers will always find ways to break into a Wi-Fi network even if the network has the latest security measures, firewall protection, and more. This article continues to discuss the fundamental security flaw in all Wi-Fi systems and concerns surrounding the exploit kits used by attackers to break into Wi-Fi.

    Homeland Security News Wire reports "Can Wi-Fi Networks Be Completely Secure?"

  • news

    Visible to the public "How much does the average employee know about data privacy?"

    The 2018 Eye on Privacy report found that 58 percent of employees had never heard of the PCI Standard. PCI Standards are a global set of payment card industry (PCI) guidelines that govern how credit card information is handled. It was also found that 12 percent of employees were unsure if they should report a cybercriminal stealing sensitive client data while at work. Employees within the Technology sector were least likely to identify and prioritize the most sensitive information. For example, 73 percent of those in the tech sector ranked Social Security numbers as most sensitive, compared to 88 percent of employees in all other industries ranking this type of data as most sensitive. The study also found that employees were more comfortable with a mobile device app tracking their device's location than with an app accessing contact and browser information, being able to take pictures and video, and posting to social media. Theft of login credentials was considered the most serious threat to sensitive data, with disgruntled employees stealing data and phishing emails coming next. The findings give weight to the vital role employees play in a strong data privacy posture and the continuing need for privacy awareness training in protecting sensitive information.

    HELPNETSECURITY reports: "How much does the average employee know about data privacy?"

  • news

    Visible to the public "Further Details on Wipro Phishing Attack Revealed"

    More details have been shared by Flashpoint researchers, Jason Reaves, Joshua Platt, and Allison Nixon, pertaining to a phishing attack recently faced by the Indian IT consultancy firm, Wipro. Researchers have revealed that the perpetrators behind the launch of this phishing attack were able to access over 100 of Wipro's computers. The goal behind the attack appears to be to access gift card and rewards programs. This article continues to discuss the discoveries made by researchers surrounding the phishing attack experienced by Wipro.

    SC Media reports "Further Details on Wipro Phishing Attack Revealed"