News Items

  • news

    NSA and SoS Announce Winner of the 8th Paper Competition

    The National Security Agency and Science of Security announced "Spectre Attacks: Exploiting Speculative Execution" as the winner of its 8th Annual Best Cybersecurity Research Paper competition.

    Originally published at the 2019 IEEE Security & Privacy Symposium, the winning paper, in combination with Meltdown, another award-winning paper released earlier by the same researchers, launched a global effort to mitigate critical vulnerabilities in processors.

  • news

    Take my word for it: Privacy and COVID alert apps can coexist

    BY LORRIE CRANOR, OPINION CONTRIBUTOR -- 11/10/20 09:30 AM EST

    Since the COVID-19 pandemic began, technologists across the country have rushed to develop digital apps for contact tracing and exposure notifications. New York, New Jersey, Pennsylvania, and Delaware have all recently announced the launch of such apps, announcements which generated excitement. But the advent of these tools has also created questions. Chief among them: Do these apps protect privacy?

  • news

    Science of Security and Privacy 2019 Annual Report

    The Science of Security and Privacy 2019 Annual Report is now available.

    This report highlights the progress and accomplishments of the Science of Security and Privacy initiative.

  • news

    NIST Releases Draft Security Feature Recommendations for IoT Devices

    "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.

    August 01, 2019

  • news

    Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and University of California, Santa Barbara. This paper was originally accepted at 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage: https://cps-vo.org/group/sos/papercompetition/pastcompetitions

  • news

    NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its BAA (really a request for proposals) for its next generation of SoS Lablets. These lablets include lablets on the 5 Hard Problem areas in Science of Security, on the Science of Privacy and dealing with Cyber Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can aid in directing: https://cps-vo.org/group/SoS/contact

  • news

    "The Internet's Most Notorious Botnet Has an Alarming New Trick"

    A team of researchers from the security firms AdvIntel and Eclypsium has announced that a new component of the TrickBot trojan now gives hackers the ability to plant a backdoor in a computer's Unified Extensible Firmware Interface (UEFI). Planting malware in the firmware would allow TrickBot to circumvent most antivirus detection and software updates, as well as to resist operating system reinstalls or the replacement of storage devices. This technique, dubbed TrickBoot, could corrupt a computer's firmware to the point where its motherboard would have to be replaced. This article continues to discuss the persistence of TrickBot, the new firmware-focused feature of TrickBot, what companies should do to avoid falling victim to TrickBot, and what the TrickBoot technique means for firmware hacking.

    Wired reports "The Internet's Most Notorious Botnet Has an Alarming New Trick"

  • news

    "Phishing Ploy Targets COVID-19 Vaccine Distribution Effort"

    IBM security researchers detected a phishing campaign aimed at collecting vital information about the World Health Organization's efforts surrounding the distribution of the COVID-19 vaccine to developing countries. The threat actors behind the campaign, as well as its success, remain unknown. According to Nick Rossmann, the IBM team's global threat intelligence lead, the motive behind the operation could be to gather information on the entire refrigeration process, including how the vaccines will be shipped and stored. Other motives may be to undermine the legitimacy of the vaccine or launch destructive attacks. This article continues to discuss the phishing campaign's targets, operations, and possible goals, in addition to the FBI's efforts to protect vaccine development and delivery from cyber threats and more traditional human-centric espionage by adversaries.

    AP News reports "Phishing Ploy Targets COVID-19 Vaccine Distribution Effort"

  • news

    "Turla’s ‘Crutch’ Backdoor Leverages Dropbox in Espionage Attacks"

    Researchers have found a previously undocumented backdoor, and document stealer, which is being used by the Russian-speaking Turla advanced persistent threat espionage group. The researchers are calling the malware "Crutch." The malware can bypass security measures by abusing legitimate tools, including the file-sharing service Dropbox, to hide behind normal network traffic. The Crutch toolset has been designed to exfiltrate sensitive documents and other files to Dropbox accounts, which Turla operators control.

    Threatpost reports: "Turla's 'Crutch' Backdoor Leverages Dropbox in Espionage Attacks"

  • news

    "Which Security Practices Lead to Best Security Outcomes?"

    According to a recent Cisco report, a proactive technology refresh and a well-integrated technology stack are the two security practices more likely than others to help organizations create a security culture, manage top risk, prevent security incidents, and more. Cisco polled more than 4,800 active IT security and privacy professionals from 25 different countries. Findings suggest that the recruitment and retention of security talent have improved through a well-integrated technology stack. The factors contributing to a strong security culture include proper equipment, a sound security strategy, timely incident response, and accurate threat detection. This article continues to discuss key findings from the Cisco report on the factors that contribute to the overall success of an organization's security program.

    Help Net Security reports "Which Security Practices Lead to Best Security Outcomes?"

  • news

    "New Graph-Based Statistical Method Detects Threats To Vehicular Communications Networks"

    Researchers at the University of Maryland, Baltimore County (UMBC) and the University of Michigan-Dearborn worked together to develop a technique for detecting breaches in the security of vehicular communications networks. The Controller Area Network (CAN) is the most popular intra-vehicular communications network in the automobile industry as it is simple to use. However, the simplicity of this network that makes it appealing for consumers and manufacturers increases the risk of security incidents. Using the CAN, it is possible to remotely control a vehicle from other devices, making it both a feature and a major security concern. A malicious actor can take over the network and send new commands to the vehicle that could disable brakes or cause engine failure, posing a significant threat to consumers' safety. The method developed by the researchers to eradicate these possible threats involves the creation of graph-based anomaly detection techniques. This article continues to discuss the new graph-based statistical method designed to detect intruders or threats to vehicular communications networks and the importance of addressing the vulnerabilities associated with these networks.

    ScienMag reports "New Graph-Based Statistical Method Detects Threats To Vehicular Communications Networks"

  • news

    "Half of Docker Hub Images Feature Critical Flaws"

    Researchers at Prevasio scanned all four million images hosted at Docker Hub, the world's most popular repository service for Linux-based containers. They found that over half of the publicly available Docker Hub container images contain at least one critical vulnerability. Additionally, over 6000 were rated potentially harmful or malicious. Of these, the largest number (44%) were coin miners, followed by malicious npm packages (23%), hacking tools (20%), and Windows malware (6%).

    Infosecurity reports: "Half of Docker Hub Images Feature Critical Flaws"

  • news

    "Google Researcher Demonstrates iPhone Exploit With Wi-Fi Takeover"

    A security researcher with Google's Project Zero discovered a vulnerability that could have allowed hackers to take over a person's iPhone without having to trick victims into clicking any malicious links or downloading malware. The exploitation of this vulnerability only requires that the hacker is within Wi-Fi range of a person's phone. Ian Beer, the Google researcher who discovered this vulnerability, demonstrated the use of a Raspberry Pi and off-the-shelf Wi-Fi adapters to steal photos from an iPhone in a different room within a few minutes. Beer also showed how the same vulnerability allowed him to repeatedly reboot more than 20 iPhones simultaneously. This article continues to discuss Beer's demonstrated exploitation of the iPhone vulnerability, from where the vulnerability stems, the patch released to address it, and other discovered iOS vulnerabilities.

    CNET reports "Google Researcher Demonstrates iPhone Exploit With Wi-Fi Takeover"

  • news

    "Malicious NPM Packages Used to Install njRAT Remote Access Trojan"

    The open-source security firm Sonatype found malicious NPM packages that install the njRAT remote access trojan. NPM, short for Node Package Manager, is a package manager for the JavaScript programming language. Using njRAT, a threat actor can get full remote access to a victim's computer to perform malicious activities such as modifying the Windows Registry, deleting files, logging keystrokes, stealing passwords, killing processes, taking screenshots, executing commands, and more. This article continues to discuss the installation of the njRAT remote access trojan via NPM packages, the malicious activities that threat actors can perform using njRAT, and other findings surrounding the use of NPM packages to install malware.

    BleepingComputer reports "Malicious NPM Packages Used to Install njRAT Remote Access Trojan"

  • news

    "Driven by Ransomware, Cyber Claims Rise in Number & Value"

    The insurance company Allianz recently released a report highlighting cyberattacks and security incidents as the top business risk for companies and the rise in cyber insurance claims. According to the firm's "Trend in Cyber Risk" report, the number of insurance claims increased by 27% in the first nine months of 2020, with 39% of companies now considering cyber incidents as the most important risk. The major factors behind the growth in claims are the expansion of the cyber insurance market and the growing cost of cybercrime to companies. The growing commercialization of hacking tools has also contributed to the increase in ransomware claims. There has been an increase in the distribution of high-end hacking tools for sale among cybercriminals to execute ransomware attacks. The insurer Coalition has also seen a surge in ransomware claims as the firm's 2020 "Cyber Insurance Claims Report" revealed that ransomware attacks made up over 40% of policyholder claims. This article continues to discuss the rise in cyber insurance claims, growth in ransomware claims, and how companies can avoid most of the attacks that lead to claims.

    Dark Reading reports "Driven by Ransomware, Cyber Claims Rise in Number & Value"

  • news

    "Electronic Medical Records Cracked Open by OpenClinic Bugs"

    Researchers at Bishop Fox have discovered four vulnerabilities in the OpenClinic application used for sharing electronic medical records. Its latest version is 0.8.2 and was released in 2016. According to researchers, the four bugs involve missing authentication, insecure file upload, cross-site scripting (XSS), and path-traversal. The most concerning flaw found would allow a remote, unauthenticated attacker to read patients' personal health information (PHI) from the application.

    Threatpost reports: "Electronic Medical Records Cracked Open by OpenClinic Bugs"

  • news

    "Cyber-Attack Exposes Data of 295,000 Colorado Springs Patients"

    AspenPointe, a nonprofit mental health and behavioral health services provider based in Colorado Springs, Colorado, experienced a cyberattack in September 2020 that resulted in the exposure of protected health information (PHI) on more than 295,000 patients. Due to the attack, the healthcare provider had to take its systems offline, which disrupted operations for several days. An investigation of the incident revealed that cybercriminals accessed patient data, including full names, dates of birth, driver's license numbers, bank account information, Social Security numbers, diagnosis codes, admission dates, and more. AspenPointe is now notifying patients about the cyberattack and offering those affected 12 months of complimentary identity theft protection services and a $1M insurance reimbursement policy. This article continues to discuss the impact of the AspenPointe data breach and the healthcare provider's response to this incident.

    Infosecurity Magazine reports "Cyber-Attack Exposes Data of 295,000 Colorado Springs Patients"

  • news

    "Magecart Attack Convincingly Hijacks PayPal Transactions at Checkout"

    Researchers have recently discovered that the Magecart gang has come up with a new credit-card skimming technique for hijacking PayPal transactions during checkout just in time for the Christmas holiday shopping season. The technique uses postMessage to inject convincing PayPal iframes into the checkout process of an online purchase. Once the victim enters and submits payment info, the skimmer exfiltrates the data to apptegmaker.com, a domain registered in October 2020 and connected to tawktalk.com. The latter was seen used in previous Magecart group attacks. The skimmer then clicks the order button behind the malicious iframe and sends the victim back to the legitimate checkout page to complete the transaction.

    Threatpost reports: "Magecart Attack Convincingly Hijacks PayPal Transactions at Checkout"

  • news

    "MacOS Backdoor Appears to Be Update of Tool Previously Used by Vietnam-Linked Group"

    According to Trend Micro researchers, the hacking group dubbed APT32 or OceanLotus appears to be using an updated version of a tool that can infiltrate macOS computers. The malicious software comes as a .zip file that uses a Microsoft Word Icon. It is designed to circumvent detection by antivirus software. When the malware is activated, it works as a backdoor for other payloads capable of pulling data from the infected machine. This discovery indicates that APT32 is continuing to update its tactics in the launch of espionage campaigns against Southeast Asia. The group was recently discovered to have used fake news sites to spy on users, infect their machines with malware, and use the Google Play Store to distribute spyware apps. This article continues to discuss APT32's macOS backdoor and other recent discoveries surrounding the hacking group.

    CyberScoop reports "MacOS Backdoor Appears to Be Update of Tool Previously Used by Vietnam-Linked Group"

  • news

    "Security Flaw Could Allow Hackers to Trick Lab Scientists Into Making Viruses"

    Cybersecurity researchers from the Ben-Gurion University of the Negev demonstrated an end-to-end attack that can change data on a bioengineer's computer. As this cyberattack could meddle with DNA orders, it could lead to the development of toxins and viruses. According to the researchers, this attack works by infecting a researcher's computer with a Trojan Horse. When that researcher orders synthetic DNA, the malware then obfuscates the order to appear legitimate to the DNA shop's security software. The DNA shop fills the order, and the obfuscated DNA sub-strings go undetected by the researcher's security software. The use of this method allowed researchers to bypass security for 16 out of 50 orders they used to test the technique. This research emphasizes the importance of developing methods that can detect these types of adapted envelope attacks as it is impossible for humans to check each DNA sequence. This article continues to discuss the attack demonstrated by researchers to trick lab scientists into creating viruses and how this issue could be addressed.

    TNW reports "Security Flaw Could Allow Hackers to Trick Lab Scientists Into Making Viruses"

  • news

    "TurkeyBombing Puts New Twist on Zoom Abuse"

    Cybercriminals have targeted victims with phishing emails hoping that many families would be using Zoom to call family and friends over the Thanksgiving weekend. The major phishing campaign is aimed at stealing Microsoft credentials. Threat actors already stole nearly 4,000 credentials before the holiday was even over, according to researchers. The email states, "You received a video conference invitation," and includes a link to review the malicious invitation. If a victim takes the bait, the phishing page records the victim's email address, password, IP address, and geographic location. If it is determined the credentials successfully allow access to a privileged account, the adversaries attempt to breach the account via Internet Message Access Protocol (IMAP) credential verification.

    Threatpost reports: "TurkeyBombing Puts New Twist on Zoom Abuse"

  • news

    "Security Researcher Accidentally Discovers Windows 7 and Windows Server 2008 Zero-Day"

    A security researcher accidentally discovered a zero-day vulnerability that affects the Windows 7 and Windows Server 2008 R2 operating systems while working on a Windows security tool. The vulnerability stems from two misconfigured registry keys for the RPC Endpoint Mapper and DNSCache service, which are part of Windows systems. According to the researcher who found the vulnerability, an attacker can modify the registry keys to activate a sub-key that is usually used by the Windows Performance Monitoring mechanism. On Windows 7 and Windows Server 2008, performance subkeys allow developers to load custom DLLs that run with SYSTEM-level privileges. This article continues to discuss the discovery, potential exploitation, and disclosure of the zero-day vulnerability impacting Windows 7 and Windows Server 2008 R2.

    ZDNet reports "Security Researcher Accidentally Discovers Windows 7 and Windows Server 2008 Zero-Day"

  • news

    "Automation to Shape Cybersecurity Activities in 2021"

    WatchGuard predicts that automation will shape cybersecurity attack and defense activities in 2021. According to the global leader in network security and intelligence, manual techniques will be replaced by automation tools to launch spear-phishing campaigns. Automation tools will help cybercriminals gather victim-specific data from social media sites and company websites. On the other hand, automation is expected to help cloud service providers, including Amazon, Google, and Microsoft, prevent cybercriminals from abusing their services to execute attacks. As we continue to face the COVID-19 crisis, automated spear-phishing attacks are also expected to exploit fears stemming from the pandemic, political issues, and the economy. This article continues to discuss how automation will change cybercriminal and cybersecurity activities, as well as the expected increase in the abuse of Virtual Private Networks (VPNs) and Remote Desktop Protocol (RDP) solutions, targeting of security gaps in legacy endpoints, and the importance of using Multi-Factor Authentication (MFA).

    Help Net Security reports "Automation to Shape Cybersecurity Activities in 2021"

  • news

    "Web Application Attacks Increases 8x in H1 2020"

    According to a report from the cloud security provider CDNetworks, the number of Distributed Denial-of-Service (DDoS), web application, and botnet attacks increased significantly in the first half of 2020 compared to that of 2019. The "State of the Web Security for H1 2020" report revealed that web application attacks increased by 800%. More than 4 billion web application attacks were blocked in H1 2020, which is said to be eight times higher than the number blocked in H1 2019. There has been a 147.63% year-on-year increase in DDoS attacks. The use of Artificial Intelligence and Machine Learning to find and exploit new vulnerabilities contained by company networks and systems was also highlighted. The report also brings further attention to the shift in attacks towards media, public services, education, and other sites that are profiting under COVID-19. This article continues to discuss the increase in cyberattacks in the first half of 2020, the use of AI and ML in the execution of attacks, and the change in targets.

    CISO MAG reports "Web Application Attacks Increases 8x in H1 2020"

  • news

    "Up to 350,000 Spotify Accounts Hacked in Credential Stuffing Attacks"

    Researchers at vpnMentor have recently found an unsecured internet-facing database containing over 380 million individual records, including login credentials leveraged to break into 300,000 to 350,000 Spotify accounts. The exposed records were stored on an unsecured Elasticsearch server and included various sensitive information such as people's usernames and passwords, email addresses, and countries of residence. The exposed database belonged to a third party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify.

    WeLiveSecurity reports: "Up to 350,000 Spotify Accounts Hacked in Credential Stuffing Attacks"

  • news

    "85% of Cyber Espionage Is State-Affiliated, Only 4% Tied To Organized Crime"

    Verizon's 2020 Cyber Espionage Report pulls information from other annual reports, including seven years of the Verizon Data Breach Investigations Report (DBIR) and fourteen years of research from the Verizon Threat Research Advisory Center (VTRAC). According to the Cyber Espionage Report, 85% of cyber espionage incidents come from state-affiliated groups, while only 4% are from organized crime. The public sector (government agencies) remains the top target of cyber espionage, followed by manufacturing. Phishing and malware backdoors are also the most common point of entry for such activity. This article continues to discuss key findings shared by Verizon's 2020 Cyber Espionage Report in relation to threat actors, targets, common points of entry, discovery, time to discovery, and the difficulty in detecting patterns of cyber espionage.

    CPO Magazine reports "85% of Cyber Espionage Is State-Affiliated, Only 4% Tied To Organized Crime"

  • news

    "Baltimore County Schools Forced to Cancel Classes Following Ransomware Attack"

    A ransomware attack disabled the Baltimore County Public School system's entire network. The attack occurred on the network Tuesday night. The form of ransomware used was not disclosed, but some researchers believe it is Ryuk ransomware. The group behind the attack demanded a ransom payment, and classes were canceled on Wednesday due to the attack. State auditors had just recently conducted an audit of the Baltimore County Public School System and found that the network was not being adequately secured and that sensitive personal information was not properly safeguarded, among other issues.

    SiliconANGLE reports: "Baltimore County Schools Forced to Cancel Classes Following Ransomware Attack"

  • news

    "FBI Warns of Spoofed FBI-Related Domains"

    The Federal Bureau of Investigation (FBI) has issued an alert to the public about the registration of domains designed to spoof legitimate FBI-related websites. The agency also warns of the use of spoofed email accounts to trick victims into revealing sensitive information. Spoofed domains and email accounts can be used to spread misinformation and malware, as well as collect usernames, passwords, email addresses, and personally identifiable information. Users are encouraged to ensure that websites and email addresses are correctly spelled, keep their operating systems and applications up to date, and to use anti-malware software. The FBI also advises users to never enable macros on documents received via email unless the file has been scanned with an anti-virus application. This article continues to discuss the FBI's warning about the surge in spoofed FBI-related domains, how users can protect themselves, and the various reasons as to why adversaries spoof law enforcement or government websites.

    Security Week reports "FBI Warns of Spoofed FBI-Related Domains"

  • news

    "Around 18,000 Fraudulent Sites Are Created Daily"

    Researchers at Bolster have discovered that in Q2 of 2020, there was an alarming, rapid increase of new phishing and fraudulent sites being created. The researchers detected 1.7 million phishing and scam websites, which is a 13.3% increase from Q1 2020. Phishing and scam websites continued to increase in Q2 and peaked in June 2020 with a total of 745,000 sites detected. On average, there were more than 18,000 fraudulent sites created each day.

    Help Net Security reports: "Around 18,000 Fraudulent Sites Are Created Daily"

  • news

    "Security Researchers Sound Alarm on Smart Doorbells"

    Researchers from the security company NCC Group and the UK consumer organization Which? analyzed 11 video doorbells sold on Amazon and eBay and discovered high-risk vulnerabilities in all of the devices. One of the vulnerabilities shared among them was the practice of sending data, including Wi-Fi names, passwords, photos, email, video, and location information back to the manufacturer. Another security flaw can allow an attacker to steal the network password, thus enabling them to hack into the doorbell, router, and other devices connected to the user's network. This article continues to discuss the vulnerabilities found in the 11 smart doorbells, what the exploitation of these vulnerabilities could allow attackers to do, and the growing threat posed by insecure Internet of Things (IoT) devices to Internet security.

    Dark Reading reports "Security Researchers Sound Alarm on Smart Doorbells"

  • news

    "Organizations Should Use Psychology to Promote Secure Behavior Among Staff"

    The Information Security Forum (ISF) encourages organizations to improve employees' security behavior through the use of psychology. The group's report titled Human-Centered Security: Positively Influencing Security Behavior guides organizations on the development of psychological techniques to get employees to engage in more secure behaviors. Human-centered security programs help organizations better understand employees and create initiatives aimed at changing behaviors that would lead to a decrease in security incidents relating to human errors and acts of negligence. As the shift to remote working during the COVID-19 pandemic has increased the risk of individual errors that result in security incidents, it is important to promote secure behavior. This article continues to discuss the ISF's report aimed at establishing more secure behaviors among employees.

    Infosecurity Magazine reports "Organizations Should Use Psychology to Promote Secure Behavior Among Staff"

  • news

    "Baidu Apps in Google Play Leak Sensitive Data"

    Researchers at Palo Alto Unit 42 discovered that multiple Android mobile apps found in Google Play, including Baidu Search Box and Baidu Maps, leak data that could be used to track users, even if they switch devices. The apps in question expose a range of information, including: Phone model; screen resolution; phone MAC address; wireless carrier; network (Wi-Fi, 2G, 3G, 4G, 5G); Android ID; International Mobile Subscriber Identity (IMSI); and International Mobile Equipment Identity (IMEI). Adversaries could use the information to track users across devices, disable phone service, or intercept messages and phone calls. The applications in question have each been downloaded millions of times.

    Threatpost reports: "Baidu Apps in Google Play Leak Sensitive Data"

  • news

    SoS Musings #43 - Crowdsourcing Security with Bug Bounty Programs

  • news

    Cybersecurity Snapshots #12 - Open Source Code: Is It Secure?

  • news

    Cyber Scene #50 - The Post-Election Cyber World

  • news

    CMU launches new privacy engineering options

    Two new options make it easier for working professionals to receive privacy engineering training

    Daniel Tkacik

    NOV 23, 2020

    As new privacy regulations like the General Data Protection Regulation and the California Consumer Privacy Act require companies to improve the way they handle user privacy, more and more working professionals are seeking formal training in privacy engineering.

  • news

    Automated Security

  • news

    "Good Heavens! 10M Impacted in Pray.com Data Exposure"

    Researchers at vpnMentor found several open, publicly accessible cloud databases (Amazon Web Services S3 buckets) belonging to Pray.com. Pray.com is an application that has been downloaded by more than 1 million people on Google Play and ranks as the #24 lifestyle app in the Apple App Store. The unsecured databases included 1.9 million files, about 262 GB worth of data. One of the buckets included 80,000 files containing various personally identifiable information for tens of millions of people, and not just of users of Pray.com.

    Threatpost reports: "Good Heavens! 10M Impacted in Pray.com Data Exposure"

  • news

    "Cyber Criminals Leveraging AI to Carry Out Malicious Attacks, Warns Europol"

    A new report from Europol, the United Nations Interregional Crime and Justice Research Institute (UNICRI), and Trend Micro, brings further attention to cybercriminals' use of Artificial Intelligence (AI) in their attacks. AI-as-a-Service (AIaaS) will allow less-skilled cybercriminals to use AI to execute attacks. The Crime-as-a-Service (CaaS) business model will also allow low-skilled criminals to obtain tools, services, and new technologies like AI to enhance the effectiveness and scale of their attacks. Researchers have found that hackers can use AI to guess passwords, solve CAPTCHAs, and more. This article continues to discuss the different uses of AI by cybercriminals.

    Teiss reports "Cyber Criminals Leveraging AI to Carry Out Malicious Attacks, Warns Europol"

  • news

    Visible to the public "Facebook Messenger Bug Allows Spying on Android Users"

    A security researcher at Google Project Zero discovered a vulnerability in the Android version of Facebook Messenger that could allow attackers to spy on users and potentially identify their surroundings without them knowing. The vulnerability existed in the application's implementation of WebRTC. The researcher notified Facebook, and Facebook recently patched the significant flaw.

    Threatpost reports: "Facebook Messenger Bug Allows Spying on Android Users"

  • news

    Visible to the public Spotlight on Lablet Research #12 - Operationalizing Contextual Integrity

    Spotlight on Lablet Research #12 -

    Project: Operationalizing Contextual Integrity

  • news

    Visible to the public "Disaster Apps Share Personal Data in Violation of Their Privacy Policies"

    Madelyn Sanfilippo, a professor in the School of Information Sciences at the University of Illinois at Urbana-Champaign, and a team of experts examined 15 popular disaster apps. These apps fell into five categories: government agency apps, general weather apps, third-party apps operated by government partners, third-party apps misrepresented as government apps, and third-party apps specific to certain types of emergencies such as hurricanes. They tracked the personal data sent by these apps and examined whether the apps followed government regulations and their own privacy policies. It was discovered that many of the apps do not comply with their own privacy policies. According to the researchers, many of them capture location data by default when opened and do not specify the third parties that may access personal data. This article continues to discuss findings from the study surrounding the violation of privacy policies by disaster apps.

    The Illinois News Bureau reports "Disaster Apps Share Personal Data in Violation of Their Privacy Policies"

  • news

    Visible to the public "Cisco Webex Bugs Allow Attackers to Join Meetings as Ghost Users"

    Security researchers from IBM discovered three vulnerabilities in the Cisco Webex video conferencing app. When combined, these vulnerabilities can allow an attacker to join a Webex meeting with full access to audio, video, chats, and screen sharing while invisible to other participants. The exploitation of these vulnerabilities could also allow an attacker to remain in the Webex meeting as a ghost user even after they are kicked out. As attackers join meetings as ghost users, they can gather information about meeting participants such as their names, email addresses, and IP addresses. According to the IBM researchers, these vulnerabilities derive from the handshake process that occurs when new Webex meetings are established. The researchers were able to demonstrate the abuse of these bugs on the macOS, Windows, and iOS versions of Cisco Webex Meetings applications. This article continues to discuss the Cisco Webex bugs regarding where they come from and what their exploitation could allow attackers to do.

    ZDNet reports "Cisco Webex Bugs Allow Attackers to Join Meetings as Ghost Users"

  • news

    Visible to the public "IoT Cybersecurity Improvement Act Passed, Heads to President’s Desk"

    The IoT Cybersecurity Improvement Act recently got the stamp of approval from the U.S. Senate and requires that federal procurement and use of IoT devices conform to basic security requirements. The act mandates that NIST issue standards-based guidelines for the minimum security of IoT devices owned by the federal government. Federal agencies must also implement a vulnerability-disclosure policy for IoT devices, and they cannot procure devices that do not meet the security guidelines.

    Threatpost reports: "IoT Cybersecurity Improvement Act Passed, Heads to President's Desk"

  • news

    Visible to the public "The Role of Drones in 5G Network Security"

    5G is the fifth generation of wireless technology expected to offer faster speeds, lower latency, increased bandwidth, and other benefits. However, the advancements provided by 5G will be accompanied by new security challenges. Giovanni Geraci, a researcher with the Pompeu Fabra University's (UPF) Department of Information and Communication Technologies, along with researchers at Mississippi State University (MSU), conducted a study on the use of Unmanned Aerial Vehicles (UAVs) to improve the security of 5G networks against attacks involving eavesdropping, interference, and identity theft. Their study shows how the diversity and 3D mobility of UAVs can be used to strengthen the security of advanced wireless networks against such attacks through prevention, detection, and recovery. This article continues to discuss the introduction of 5G networks, the support provided by UAVs, and the study on how UAVs can be used to improve the security of these networks.

    UPF reports "The Role of Drones in 5G Network Security"

  • news

    Visible to the public "Could Your Vacuum be Listening to You?"

    A team of researchers at the University of Maryland (UMD) captured speech, music, and other sounds by gathering information from a popular vacuum robot's laser-based navigation system and applying techniques in signal processing and deep learning. This study brings attention to the possibility of manipulating devices that use Light Detection and Ranging (LIDAR) technology to collect sound, even though the devices do not have a microphone. This article continues to discuss the experiments conducted by the UMD researchers to demonstrate that popular robotic household vacuum cleaners can be hacked to record speech and music remotely.

    The University of Maryland reports "Could Your Vacuum be Listening to You?"

  • news

    Visible to the public "50% of Advanced Phishing Attacks Evade Leading Secure Email Gateways"

    New research from IRONSCALES reveals that nearly 50% of all advanced phishing attempts such as spear-phishing and social engineering attacks evade Secure Email Gateways (SEGs). Hackers are turning to more complex methods that exploit human nature. Researchers used a breach and attack simulation tool called the IRONSCALES Emulator to examine how effective Microsoft ATP and other leading SEGs are at stopping advanced email threats. This article continues to discuss the use of social engineering tactics in phishing attacks, the assessment of leading SEGs, and the increased targeting of the healthcare sector by such attacks.

    HealthITSecurity reports "50% of Advanced Phishing Attacks Evade Leading Secure Email Gateways"

  • news

    Visible to the public "US Holiday Shoppers Fear Cyber-Scams"

    McAfee commissioned 3Gem to survey 1,000 adults over the age of 18 in the US between October 8 and October 13, 2020. The results of McAfee's "2020 Holiday Season: State of Today's Digital e-Shopper" survey indicate that 36% of American consumers plan on buying gifts online this year despite most consumers knowing that cyber scams are more prevalent during the holiday season. Since the COVID-19 crisis hit, 49% of Americans have been doing more online shopping. The survey also found differences in the level of concern across different age groups. Those who are 65 or older expressed more concern about the increase in cyber threats due to COVID-19 than those between the ages of 18 and 24. As Americans plan to do more online shopping this holiday season, there needs to be more awareness about potential cyber scams and strategies for protecting against them. This article continues to discuss the expected growth in online shopping this holiday season and concerns about the prevalence of cyber scams during that time of the year.

    Infosecurity Magazine reports "US Holiday Shoppers Fear Cyber-Scams"

  • news

    Visible to the public "ThreatList: Pharma Mobile Phishing Attacks Turn to Malware"

    Adversaries are using mobile phishing attacks to target pharmaceutical companies more frequently since the beginning of COVID-19 and have shifted their focus from credential theft to malware delivery. New research shows that 77 percent of pharmaceutical mobile phishing attempts in the third quarter of 2020 sought to deliver malware on victims' systems. There has been a 106 percent increase in malware delivery in mobile phishing, with adversaries turning to spyware, remote access functionality, and more to access COVID-19 research data from pharmaceutical companies.

    Threatpost reports: "ThreatList: Pharma Mobile Phishing Attacks Turn to Malware"