News Items

  • Follow @SoS_VO_org on Twitter!

    The SoS-VO team is excited to announce that we recently updated the homepage of the website to link to the official Science of Security & Privacy twitter account where we will be making daily announcements about noteworthy news items, upcoming opportunities, and impending deadlines in the SoS community.

  • 9th Annual Best Scientific Cybersecurity Paper Competition


  • HoTSoS 2021: Works-in-Progress Co-Chairs

    Meet the HoTSoS 2021 Team:
    Works-in-Progress Co-Chairs

    Kurt Kelville (MIT) and Aron Laszka (University of Houston) are our Works-in-Progress Co-Chairs for the 2021 Symposium. Happy to have these two on the Program Committee Team!

    About the Chairs

  • NSA and SoS Announce Winner of the 8th Paper Competition

    The National Security Agency and Science of Security announced "Spectre Attacks: Exploiting Speculative Execution" as the winner of the 8th Annual Best Scientific Cybersecurity Paper Competition.

    Originally published at the 2019 IEEE Security & Privacy Symposium, the winning paper, in combination with Meltdown, another award-winning paper released earlier by the same researchers, launched a global effort to mitigate critical vulnerabilities in processors.

  • Take my word for it: Privacy and COVID alert apps can coexist

    Since the COVID-19 pandemic began, technologists across the country have rushed to develop digital apps for contact tracing and exposure notifications. New York, New Jersey, Pennsylvania, and Delaware have all recently announced the launch of such apps, announcements which generated excitement. But the advent of these tools has also created questions. Chief among them: Do these apps protect privacy?

  • Science of Security and Privacy 2019 Annual Report

    The Science of Security and Privacy 2019 Annual Report is now available.

    This report highlights the progress and accomplishments of the Science of Security and Privacy initiative.

  • NIST Releases Draft Security Feature Recommendations for IoT Devices

    "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.

    August 01, 2019

  • Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and University of California, Santa Barbara. This paper was originally accepted at 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage:

  • NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its BAA (in effect a request for proposals) for its next generation of SoS Lablets. These include lablets on the 5 Hard Problem areas in Science of Security, on the Science of Privacy, and on Cyber-Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can aid in directing:

  • "A New and Non-Intrusive Method for Preventing Cyber Attacks on Android Devices"

    Android is the mobile operating system most targeted by malware. Researchers at the Singapore Management University (SMU) have developed a new way to prevent cyberattacks on Android devices. The method is described as dynamic, intelligent, and non-intrusive in detecting malware on Android devices. The researchers leverage a side channel to detect sensitive and unusual behaviors in mobile apps. The method is convenient because it does not require rooting the device or obtaining elevated privileges from Android users, and Android operating system upgrades do not affect it. The detection method also does not breach Singapore's Personal Data Protection Act of 2012, since it does not extract data while running. The research team designed the side-channel monitoring system to take side-channel readings as input and use deep learning to train a neural network model that determines whether sensitive or uncharacteristic behavior has been exhibited by a mobile app. This approach lets researchers dynamically monitor apps' behavior instead of statically analyzing each app's code, and it can detect stealthy attacks. Testing of the technique showed that it could detect sensitive behavior with a 98.5 percent accuracy rate. This article continues to discuss the growing sophistication of cyberattacks, the heavy targeting of the Android operating system by hackers, challenges associated with designing a malware detection system for Android, and the side-channel monitoring solution designed by SMU researchers to protect Android devices from cyberattacks.

    SMU reports "A New and Non-Intrusive Method for Preventing Cyber Attacks on Android Devices"

  • "Hackers Are Finding Ways to Hide Inside Apple's Walled Garden"

    Apple's walled garden refers to the company's tech ecosystem in which devices' features and security are tightly controlled. Most experts agree that the locked-down approach of iOS has solved some significant security problems. However, this locked-down nature is a double-edged sword: the most advanced hackers can use the higher barriers to avoid capture. Bill Marczak, a senior researcher at the cybersecurity watchdog Citizen Lab, points out that while Apple's walled garden makes it more difficult for many less-skilled attackers to break into iPhones, the 1 percent of hackers with the greatest skill and resources who do successfully infiltrate the iPhone can end up being protected by Apple's extraordinary defenses. According to Marczak, as Apple continues to improve iPhone security by investing millions in raising the wall, the best hackers also purchase or develop zero-click exploits that allow them to secretly take over iPhones. These exploits allow attackers to access restricted areas of the phone without showing the target any sign that they have been compromised. Marczak argues that the iPhone's security barriers can help hackers avoid detection by investigators and prevent further understanding of their malicious behavior. It has been suggested that a framework be created to allow device owners or authorized individuals greater forensic ability to see whether a device has been compromised, but this approach could be undermined through social engineering. This article continues to discuss the concept of Apple's walled garden, how this approach can benefit the most sophisticated hackers, and why it is difficult to fix this problem.

    MIT Technology Review reports "Hackers Are Finding Ways to Hide Inside Apple's Walled Garden"

  • "NVIDIA and Harvard Researchers Use AI to Make Genome Analysis Faster And Cheaper"

    Researchers from NVIDIA and Harvard have made an enormous breakthrough in genetic research by developing a deep-learning toolkit that can significantly reduce the time and cost needed to run rare and single-cell experiments. The AtacWorks toolkit can run inference on a whole genome, a process that generally takes a little over two days, in just half an hour. It's able to do so thanks to NVIDIA's Tensor Core GPUs. AtacWorks works with ATAC-seq, a well-established method designed to find open areas in the genome of healthy and diseased cells. These "open areas" are subsections of an individual's DNA used to determine and activate specific functions. This is the part of a person's genome that could give scientists indications on whether a person could have Alzheimer's, heart disease, or cancer. ATAC-seq usually requires the analysis of tens of thousands of cells, but AtacWorks can get the same results using only tens of cells. Researchers also applied AtacWorks to a dataset of stem cells that produce red and white blood cells, subtypes that typically can't be studied using traditional methods. But with AtacWorks, they were able to identify separate parts of the DNA associated with white blood cells and red blood cells, respectively. Researchers' ability to analyze the genome faster and cheaper will go a long way in identifying the specific mutations or biomarkers that could lead to certain diseases. It could even help drug discovery by assisting researchers to figure out how a disease works.

    Engadget reports: "NVIDIA and Harvard Researchers Use AI to Make Genome Analysis Faster And Cheaper"

  • "MITRE Launches Ransomware Support Hub for Hospitals and Health Systems"

    MITRE recently revealed its new Ransomware Resource Center, which is aimed at helping healthcare organizations improve their resilience against ransomware attacks. The center offers tools and strategies for IT and infosec professionals to help combat the growing frequency and sophistication of such cyberattacks. The MITRE Ransomware Resource Center provides an array of resources tailored to specific roles within the healthcare sector, including business managers, technical managers, IT professionals, and cybersecurity practitioners. Its offerings are also organized around the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework: identify, protect, detect, respond, and recover. MITRE has highlighted a recent report stating that 560 healthcare facilities were hit with ransomware attacks in 2020, along with another report that shows a 45 percent increase in exploitation attempts within the past four months. This article continues to discuss the launch of a ransomware support hub for hospitals and health systems by MITRE, as well as the growing threat of ransomware targeting healthcare and the public health sector.

    Healthcare IT News reports "MITRE Launches Ransomware Support Hub for Hospitals and Health Systems"

  • "At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft's Email Software"

    At least 30,000 organizations across the United States, including a significant number of small businesses, towns, cities, and local governments, have been hacked by an unusually aggressive Chinese cyber-espionage unit over the past few days. The unit is focused on stealing emails from victim organizations. The espionage group is exploiting four newly discovered flaws in Microsoft Exchange Server email software and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total remote control over affected systems. On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from internet-facing systems running Exchange. In the three days since then, security experts say the same Chinese cyber-espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide. In each incident, the intruders have left behind a "web shell," an easy-to-use, password-protected hacking tool that can be accessed over the internet from any browser. The web shell gives the attackers administrative access to the victim's servers. Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed "Hafnium," and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

    Krebs on Security reports: "At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft's Email Software"

  • "Three New Malware Strains Linked to SolarWinds Hackers"

    Researchers at Microsoft and the cybersecurity firm FireEye have shared details about new pieces of malware believed to be linked to the threat actors behind the SolarWinds supply chain attack. Microsoft is tracking the threat actor behind the SolarWinds attack as "NOBELIUM." The company identified three new malware strains named GoldMax, GoldFinder, and Sibot, reportedly used by the group after the compromise of a targeted organization's network. According to Microsoft, these malware strains have been used to maintain persistence and perform other specific activities. GoldMax is written in the Go programming language and acts as a command-and-control (C2) backdoor, creating scheduled tasks that impersonate system management software for persistence. GoldFinder is described as a custom HTTP tracer tool. Sibot is described as a dual-purpose malware written in VBScript that allows attackers to download and execute payloads from a remote server and maintain persistence. This article continues to discuss recent findings surrounding the three new malware strains linked to the threat actors behind the SolarWinds attack, as well as the threat groups that have targeted the software company.

    Security Week reports "Three New Malware Strains Linked to SolarWinds Hackers"

  • "US Warns of Fake Unemployment Benefit Websites"

    The United States Justice Department has warned that cyber-criminals are impersonating state workforce agencies (SWAs) to steal Americans' personal data. The fake websites are designed to trick consumers into thinking they are applying for unemployment benefits and disclosing personally identifiable information and other sensitive data. To trick victims into accessing these fake websites, the cyber-criminals have been sending spam text messages and emails purporting to be from an SWA. Contained in the communications is a link to a spoofed SWA website. As of February 2021, there were 10 million unemployed individuals in America. The department advised people not to click on a link in an unsolicited email or text message. The department asks anyone who has received a text message or email claiming to be from an SWA and containing a link or other contact information to report the communication to the National Center for Disaster Fraud (NCDF).

    Infosecurity reports: "US Warns of Fake Unemployment Benefit Websites"

  • "NSA Pushes Zero Trust Principles to Help Prevent Sophisticated Hacks"

    The National Security Agency (NSA) strongly recommends the adoption of a Zero Trust security model for all critical networks within National Security Systems, the Department of Defense's critical networks, and Defense Industrial Base critical networks and systems. NSA recently released a guide that includes examples of how the implementation of Zero Trust could have prevented some of the methods used by attackers to compromise at least nine federal agencies and a hundred companies in the SolarWinds supply chain attack. The attackers' focus on evading detection indicates that such tactics will continue to grow in use and complexity, calling for the consideration of Zero Trust principles. Using a Zero Trust approach, devices themselves would be validated in addition to passwords. Therefore, if an attacker uses a stolen password but the device is unknown, the device will fail authentication and authorization checks, thus resulting in the denial of access and the logging of the malicious activity. The agency also recommends the use of strong multi-factor authentication. This article continues to discuss NSA's recommendation to embrace the Zero Trust security model and how the implementation of this model can help organizations prevent sophisticated hacks.

    NextGov reports "NSA Pushes Zero Trust Principles to Help Prevent Sophisticated Hacks"

  • "Cutting off Stealthy Interlopers: A Framework for Secure Cyber-Physical Systems"

    Researchers from Daegu Gyeongbuk Institute of Science and Technology (DGIST) in Korea conducted a study in which they developed a framework for Cyber-Physical Systems (CPSs). The framework is resilient against a sophisticated type of cyberattack known as the pole-dynamics attack (PDA), which can make the physical system unstable. A PDA is performed by connecting to a node in the network of the CPS and then injecting false sensor data. If the sensors of the system's physical elements do not give proper readings, the control signals transmitted by the control algorithm to the physical actuators are incorrect, potentially causing the actuators to malfunction and behave dangerously. The researchers adopted Software-Defined Networking (SDN) to address PDAs. The network of the CPS can be made more dynamic by distributing the relaying of signals via controllable SDN switches. The proposed approach also involves a novel attack-detection algorithm embedded in the SDN switches that alerts the centralized network manager if false sensor data is being injected. This article continues to discuss the new framework developed to help CPSs detect and recover from sophisticated cyberattacks.

    Science Daily reports "Cutting off Stealthy Interlopers: A Framework for Secure Cyber-Physical Systems"

  • "AI Enhanced Design to Counter Threats to Critical Infrastructure and Military Electronics"

    Dr. Basel Halak of the Cyber Security Research Group at the University of Southampton will work to improve the security of anti-tamper embedded devices under a new Royal Academy of Engineering Industrial Fellowship. Embedded systems have become popular targets for hacking, with smart devices vulnerable to being taken over and controlled by malicious actors. Dr. Halak emphasizes that the compromise of hardware products poses significant threats if they are used in critical infrastructure and military applications. The ever-evolving security threat landscape calls for effective and adaptive defense solutions. This fellowship aims to develop responsive and adaptive defense mechanisms to combat security threats to critical infrastructure and military electronics. The mechanism will be developed using Machine Learning (ML) algorithms to rapidly detect malicious behaviors exhibited by embedded systems and increase the speed at which a potential attack is stopped. This article continues to discuss the Industrial Fellowship awarded to Dr. Halak to develop a mechanism that will strengthen the security of anti-tamper embedded devices.

    The University of Southampton reports "AI Enhanced Design to Counter Threats to Critical Infrastructure and Military Electronics"

  • "Ransomware Attack on Arizona Optometrist"

    Cyber-criminals successfully hit Cochise Eye and Laser with ransomware in January, encrypting the office's patient scheduling and billing software. The company is located in Sierra Vista, Arizona, and the ransomware attack affects up to 100,000 patients. Patient data stored in the billing software included names, dates of birth, addresses, phone numbers, and in some cases, Social Security numbers. A spokesperson for the office stated that no signs had been found to indicate that any data theft or exfiltration had taken place. The optometrist's office said it planned to increase cybersecurity following the attack. Although no evidence has been found that data was taken, the incident is still considered a breach of protected health information. It has been reported to the HHS' Office for Civil Rights. The eye-care provider advised its patients to place a fraud alert on their credit file and to request and review their credit reports.

    Infosecurity reports: "Ransomware Attack on Arizona Optometrist"

  • "Ransomware Attacks Soared 150% in 2020"

    Researchers at Group-IB have discovered that ransomware surged by 150% in 2020, with the average extortion amount doubling. The average ransom demand stood at $170,000 last year, but groups like Maze, DoppelPaymer, and RagnarLocker averaged between $1 million and $2 million. The average ransomware victim suffered 18 days of outages last year. Maze group (20%), Egregor group (15%), and Conti group (15%) accounted for most of the attacks analyzed by Group-IB. The Ransomware-as-a-Service (RaaS) model accounted for the majority (64%) of attacks studied, and 15 new affiliate programs appeared in 2020. Over half (52%) of attacks investigated by the researchers used publicly accessible RDP servers to gain initial access, followed by phishing (29%) and exploitation of public-facing applications (17%).

    Infosecurity reports: "Ransomware Attacks Soared 150% in 2020"

  • "Researchers Discover That Privacy-Preserving Tools Leave Private Data Unprotected"

    Researchers at the NYU Tandon School of Engineering explored the machine-learning frameworks behind privacy preservation tools used for technologies such as facial expression recognition systems to see how effective such tools are at protecting private data. In a paper titled "Subverting Privacy-Preserving GANs: Hiding Secrets in Sanitized Images," the researchers looked into the possibility of recovering private data from images that had been sanitized by privacy-protecting Generative Adversarial Networks (PP-GANs) and that had passed empirical tests. The team discovered that PP-GAN designs could be subverted to pass privacy checks while enabling secret information to be obtained from sanitized images. The study presents the first comprehensive security analysis of PP-GANs and highlights the inadequacy of existing privacy checks at detecting sensitive information leakage. Using a new steganographic method, the researchers were able to modify an advanced PP-GAN to hide a secret, such as a user ID, from supposedly sanitized images. The adversarial PP-GAN can hide sensitive information in sanitized output images that can pass privacy checks, with a 100 percent rate at recovering secrets. This article continues to discuss findings from the study on the subversion of PP-GANs.

    The NYU Tandon School of Engineering reports "Researchers Discover That Privacy-Preserving Tools Leave Private Data Unprotected"

  • "Telemarketing Biz Exposes 114,000 in Cloud Config Error"

    Security researchers at vpnMentor found an unsecured AWS S3 bucket on December 24 last year. The bucket was traced to Californian business CallX, whose analytics services are used by clients to improve their media buying and inbound marketing. The bucket leaked the personal details of potentially tens of thousands of consumers. The researchers found 114,000 files left publicly accessible in the leaky bucket. Most of the files were audio recordings of phone conversations between CallX clients and their customers; an additional 2,000 transcripts of text chats were also viewable. Personally identifiable information (PII) contained in these files included full names, home addresses, phone numbers, and more. At the time of the report the bucket remained open: vpnMentor had tried to contact CallX with no response, first reaching out to the firm on January 3, 2021, and then to AWS on January 6.

    Infosecurity reports: "Telemarketing Biz Exposes 114,000 in Cloud Config Error"
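    The misconfiguration behind leaks like this one is usually a bucket policy (or ACL) that grants read access to an anonymous principal. The check below is an added example, not code from the article or from vpnMentor: it walks a bucket policy document of the kind `aws s3api get-bucket-policy` returns and reports every Allow statement that hands a read action to everyone. The bucket name, account id and role name in the two sample policies are constructed; the open policy is placed beside the corrected one.

```python
"""Flag bucket policy statements that grant anonymous read access to an S3 bucket.

Added example, not code from the article or from vpnMentor. The bucket name,
account id and role name below are constructed for illustration.
"""
import json
from fnmatch import fnmatchcase

# Actions that let an anonymous principal download objects or enumerate keys.
READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True when the Principal element means everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_read_statements(policy: dict) -> list:
    """Return (Sid, action, conditional) for each Allow that grants a read action to everyone.

    conditional is True when the statement carries a Condition block; such a grant may
    be narrowed (for example to one VPC endpoint), so it needs a human look rather than
    an automatic verdict.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        granted = [a.lower() for a in _as_list(stmt.get("Action"))]
        for read in READ_ACTIONS:
            # IAM action names match case-insensitively and may use wildcards (s3:*, s3:Get*).
            if any(fnmatchcase(read.lower(), pattern) for pattern in granted):
                findings.append((stmt.get("Sid", "<no Sid>"), read, "Condition" in stmt))
    return findings


# Constructed sample: the open policy that produces a leak like the one described.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadGetObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-callrecordings/*"
  }]
}""")

# Constructed sample: the corrected policy. Only a named role may read, and
# unencrypted transport is denied for everyone.
LOCKED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AnalyticsRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-reader"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-callrecordings",
                 "arn:aws:s3:::example-callrecordings/*"]
  }, {
    "Sid": "DenyUnencryptedTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-callrecordings/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")

if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("locked", LOCKED_POLICY)):
        print(name, public_read_statements(policy))
```

    The policy document is only one of the ways a bucket becomes public: a bucket ACL can grant READ to the AllUsers group independently of the policy, so an audit has to look at both, and enabling S3 Block Public Access at the account level stops either route regardless of what a single bucket's settings say.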

  • "Free Cybersecurity Tool Aims to Help Smaller Businesses Stay Safer Online"

    The U.K.'s National Cyber Security Centre (NCSC) created the Cyber Action Plan tool to help small businesses improve their cybersecurity. The tool offers personalized cybersecurity advice to micro-businesses and sole traders. According to the U.K. government's most recent Cyber Security Breaches Survey, nearly half of micro and small businesses reported cybersecurity breaches or cyberattacks in 2020. Micro businesses and sole traders are invited to take a short questionnaire in order to get a personalized list of actions associated with Cyber Aware behaviors. Cybersecurity guidance for start-ups and other small businesses is more important than ever due to the COVID-19 pandemic. Small businesses have had to figure out how to get online and remain competitive during the pandemic, which has increased their vulnerability to cyber threats. This article continues to discuss how the NCSC's Cyber Action Plan tool will help small businesses strengthen their cybersecurity.

    ZDNet reports "Free Cybersecurity Tool Aims to Help Smaller Businesses Stay Safer Online"

  • "Password Reuse at 60% as 1.5 Billion Combos Discovered Online"

    Researchers at SpyCloud found nearly 1.5 billion breached login combinations circulating online last year, along with billions of records containing personally identifiable information (PII). The researchers also found that password reuse and weak hashing algorithms were widespread. In 2020 there were 854 breaches, up a third from 2019, each exposing on average 5.4 million records. SpyCloud found that 60% of credentials were reused across multiple accounts, exposing victims to credential stuffing and other brute-force tactics. Among the 270,000 .gov email addresses recovered, password reuse was even higher, at 87%. Nearly two million passwords contained "2020," while almost 200,000 featured COVID-related keywords like "corona" and "pandemic." The most common password was "123456," followed by "123456789" and "12345678." "Password" and "111111" also appeared more than 1.2 million times each. The researchers also found that a third (32%) of breached passwords were hashed with the weak MD5 algorithm and 22% with SHA-1. Only 17% of passwords were salted.

    Infosecurity reports: "Password Reuse at 60% as 1.5 Billion Combos Discovered Online"
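    Why the hashing findings matter as much as the reuse figures: an unsalted, fast hash such as MD5 lets an attacker crack an entire dump with one precomputed table, and reveals which users share a password before a single guess is made. The following is an added example, not SpyCloud's or the article's code, that cracks a constructed dump stored the weak way and then shows the salted, deliberately slow alternative; the only values taken from the article are the common passwords used as the wordlist, and the PBKDF2 iteration count is a constructed choice for the demo.

```python
"""Unsalted fast hashes versus salted, slow password hashing.

Added example, not from SpyCloud or the article. The "leaked dump" below is
constructed; only the password list comes from the findings quoted above.
"""
import hashlib
import hmac
import os

# Most common passwords from the SpyCloud findings; the attacker's wordlist for the demo.
TOP_PASSWORDS = ["123456", "123456789", "12345678", "password", "111111"]


def weak_hash(password: str) -> str:
    """Unsalted MD5, as found in a third of the breached records."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(dump: dict, wordlist) -> dict:
    """Recover passwords from {user: md5_hex}.

    With no salt, one precomputed table serves every account in the dump, and
    users who chose the same password are exposed together.
    """
    table = {weak_hash(word): word for word in wordlist}
    return {user: table[digest] for user, digest in dump.items() if digest in table}


# Iteration count is a constructed choice for the demo; use the current OWASP
# recommendation (higher) in production, or a memory-hard function such as scrypt or Argon2.
PBKDF2_ROUNDS = 200_000


def strong_hash(password: str, salt: bytes = b"") -> tuple:
    """Per-user random salt plus a deliberately slow KDF.

    The salt forces an attacker to rebuild the table for every account, and the
    iteration count makes each guess expensive. Returns (salt, digest).
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so the check does not leak how many bytes matched."""
    return hmac.compare_digest(strong_hash(password, salt)[1], digest)


# Constructed dump in the weak format: two users picked the same password.
LEAKED_DUMP = {
    "alice": weak_hash("123456"),
    "bob": weak_hash("123456"),
    "carol": weak_hash("Tr0ub4dor&3-correct-horse"),
}

if __name__ == "__main__":
    print("cracked:", crack_unsalted(LEAKED_DUMP, TOP_PASSWORDS))  # alice and bob
    salt1, digest1 = strong_hash("123456")
    salt2, digest2 = strong_hash("123456")
    print("same password, different digests:", digest1 != digest2)
    print("verify:", verify("123456", salt1, digest1), verify("123457", salt1, digest1))
```

    Note that salting alone is not enough: a salted MD5 still lets an attacker test billions of guesses per second against each account, which is why the KDF has to be slow as well as salted.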

  • "Ryuk Ransomware Updated With 'Worm-Like Capabilities'"

    CERT-FR, the French government's computer emergency response team, recently issued a report about a new Ryuk ransomware variant with worm-like capabilities that allow it to spread automatically within the networks it infects. According to CERT-FR, Ryuk now propagates itself from machine to machine within the Windows domain by using scheduled tasks. After the ransomware is launched, it spreads itself to every reachable machine on which Windows Remote Procedure Call (RPC) access is possible. The RPC service supports communication between Windows processes. The addition of worm-like capabilities to Ryuk indicates that its operators are trying to automate the spread of the malware from one infected system to many systems across a network, reducing the "intrusion to infection" time. This article continues to discuss the update of Ryuk ransomware with worm-like capabilities, as well as the history, prevalence, distribution, and human operation of Ryuk.

    BankInfoSecurity reports "Ryuk Ransomware Updated With 'Worm-Like Capabilities'"

  • "Vendor Quickly Patches Serious Vulnerability in NATO-Approved Firewall"

    A patch was released for a critical vulnerability found in a firewall appliance made by Genua, a Germany-based cybersecurity company. The firewall, called Genugate, is said to be the only firewall in the world to receive a "highly resistant" rating from the German government; according to Genua, it is also classified as "NATO Restricted." Genua's products have been used by industrial, government, military, and other critical infrastructure organizations. SEC Consult recently revealed that the Genugate firewall is affected by a critical authentication bypass vulnerability in its administration interfaces. Once a threat actor has gained access to an organization's network, they can use the vulnerability to log in to the firewall's administration panel as any user. With full admin/root access rights within the admin web interface, an attacker can reconfigure the entire firewall, including the firewall ruleset, email filtering configuration, web application firewall settings, proxy settings, and more. Attackers could modify the firewall's configuration to reach otherwise unreachable systems or redirect company traffic to an attacker-controlled proxy server. The vulnerability appears to affect all versions of the Genugate firewall. This article continues to discuss the use of the Genugate firewall by critical infrastructure organizations, the critical authentication bypass vulnerability affecting the firewall, and what the abuse of this flaw could allow attackers to do.

    Security Week reports "Vendor Quickly Patches Serious Vulnerability in NATO-Approved Firewall"

  • "Did a Weak Password Result in SolarWinds Hack?"

    The investigation of the SolarWinds Orion software supply chain attack continues. The attack on SolarWinds' Orion IT management platform impacted government agencies, critical infrastructure, and private-sector organizations. SolarWinds' top management is now blaming an intern for the use of a weak password, which has been suggested as the root cause of the SolarWinds hack. The password was reportedly publicly accessible via a GitHub repository from June 2018 until it was addressed in November 2019 after a security researcher reported it. Sudhakar Ramakrishna, the CEO of SolarWinds, confirmed that the password, "solarwinds123," had been in use as early as 2017. This article continues to discuss the weak password suggested as the main cause of the SolarWinds supply chain attack, and other recent findings surrounding the hack in relation to its impact and the state-sponsored group behind its execution.

    CISO MAG reports "Did a Weak Password Result in SolarWinds Hack?"
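    Whatever the password's actual role in the intrusion, a credential sitting in a public repository for over a year is a finding that a pre-commit check would have produced on day one. The scanner below is an added example, not SolarWinds' or CISO MAG's code: it applies two constructed heuristics to a file, a credential-looking name assigned a quoted literal and a long quoted string with high character entropy, and reports line numbers. The sample file is constructed (the only string taken from the article is the password itself), and the regular expressions and entropy threshold are assumptions to tune for a real code base.

```python
"""Scan source text for hardcoded credentials before they reach a public repository.

Added example, not SolarWinds' or CISO MAG's code. The sample file below is
constructed; only the password string itself is taken from the article.
"""
import math
import re

# Rule 1: a credential-looking name assigned a quoted literal (constructed pattern).
KEYWORD_RE = re.compile(
    r"""(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[=:]\s*["']([^"']{4,})["']"""
)
# Rule 2: any long quoted string drawn from a token-like alphabet (constructed pattern).
TOKEN_RE = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_THRESHOLD = 3.5  # bits per character; constructed cut-off for the demo
# Values that are references rather than secrets: ${VAR}, %(var)s, <placeholder>.
PLACEHOLDER_RE = re.compile(r"^(\$\{|%\(|<)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; random tokens score high, words score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text: str) -> list:
    """Return (line_number, rule, value) for each suspected secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = KEYWORD_RE.search(line)
        if match and not PLACEHOLDER_RE.match(match.group(2)):
            findings.append((lineno, "keyword", match.group(2)))
            continue
        for value in TOKEN_RE.findall(line):
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "entropy", value))
    return findings


# Constructed sample file: two hardcoded secrets, one high-entropy token, and two
# lines that read the credential from the environment and must not be flagged.
SAMPLE = "\n".join([
    '# FTP settings for the build server (constructed sample, not a real repository)',
    'ftp_host = "files.example.internal"',
    'ftp_password = "solarwinds123"',
    'api_token = "9f3a7c1e5b2d8a6f0e4c7b9d1a3f5e8c2b6d0a4f"',
    'db_password = os.environ["DB_PASSWORD"]',
    'smtp_password = "${SMTP_PASSWORD}"',
    'session_cookie = "e4c7b9d1a3f5e8c2b6d0a4f9f3a7c1e5b2d8a6f0"',
])

if __name__ == "__main__":
    for lineno, rule, value in scan(SAMPLE):
        print(f"line {lineno}: {rule}: {value}")
```

    Run over the output of `git diff --cached` in a pre-commit hook, this blocks the commit that introduces the secret; it does not help with one already pushed, since the value stays in history until the history is rewritten and, as the article's 2018 to 2019 exposure window shows, must be rotated regardless.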

  • "Quarter of Healthcare Apps Contain High Severity Bugs"

    Researchers at Veracode have discovered that about 75% of healthcare applications contain some kind of vulnerability. A quarter of healthcare apps contain high severity flaws. The researchers also found that the healthcare sector fixes 70% of the vulnerabilities found within applications, putting it behind several other industries in terms of total volume addressed. However, the vulnerabilities that are fixed are usually fixed faster than any other sector on average except for retail. Veracode claimed that this is because healthcare apps are often smaller in size, relatively new, and have a lower density of bugs than software in verticals like tech, financial services, manufacturing, and government. Researchers also found that healthcare organizations do a better job than most at handling CRLF injection and cryptography-related bugs. However, the sector is still not scanning apps for issues regularly enough and is the least likely of any vertical to scan for flaws in open source components. The researchers argued that a failure to scan frequently for flaws means many are going unfixed and could be exploited in future attacks. Data breaches in healthcare cost more than any other sector and are estimated at over $7.1 million per incident.

    Infosecurity reports: "Quarter of Healthcare Apps Contain High Severity Bugs"

  • news

    "Flaws Fixed Incorrectly, as Secure Coding Education Lags"

    Research conducted by HackEDU, a provider of interactive cybersecurity training and secure code development courses for software engineers, attributes code fixing failures to a lack of formal training. Based on feedback mostly from security, development, and compliance leaders, more than 50 percent of developers are not trained in secure coding practices. The study involved data from assessments, lessons, challenges, and vulnerability reports from HackEDU customers and students. Vulnerabilities stemming from broken access control and broken object-level authorizations have been proven to be the most challenging to fix, while fixes for command injection and SQL injection vulnerabilities are often discovered to be incorrect. HackEDU emphasizes the importance of educating developers on secure coding practices as it would help ensure these flaws are reduced or eliminated. In order for developers to properly address harder-to-fix vulnerabilities, they must understand the fundamentals. Memorizing syntax or a framework and then applying it as a patch is not enough. This article continues to discuss HackEDU's findings on the lack of formal training in secure coding among developers, the types of vulnerabilities often fixed incorrectly, and the importance of improving education for developers on secure coding practices.

    SC Media reports "Flaws Fixed Incorrectly, as Secure Coding Education Lags"

  • news

    "Data is Most at Risk on Email, With 83% of Organizations Experiencing Email Data Breaches"

    Researchers from Egress conducted a new study in which they interviewed 500 IT leaders and 3,000 remote-working employees in the US and UK across vertical sectors, including financial services, healthcare, and legal. The researchers found that 95% of IT leaders believe that company data is at risk on email and that 83 percent of organizations have suffered a data breach via this channel in the last 12 months. The researchers also found that human error was at the root of nearly one-quarter of incidents, with 24% caused by an employee sharing data in error. Most participants (85%) stated that they are sending more emails due to remote working, heightening the risk of an email data breach. Of the participants, 59% of the IT leaders reported an increase in email data leaks since implementing remote working due to the pandemic.

    Help Net Security reports: "Data is Most at Risk on Email, With 83% of Organizations Experiencing Email Data Breaches"

  • news

    "Privacy Issues and Security Risks in Alexa Skills"

    A new study from a team of researchers from Germany's Ruhr-Universität Bochum, North Carolina State University, and Google suggests that Alexa Skills often have security weaknesses and data protection problems that attackers can exploit to perform malicious activities. These Skills are voice-driven Alexa capabilities. The researchers analyzed more than 90,000 Alexa Skills from the Amazon store across seven countries. They found problems with Skills that create security and privacy risks for users. This article continues to discuss the researchers' discovery of privacy issues and security risks in Alexa Skills, as well as the source of security gaps and data protection problems associated with these Skills.

    Ruhr-Universität Bochum reports "Privacy Issues and Security Risks in Alexa Skills"

  • news

    "Cybersecurity Researchers Build a Better 'Canary Trap'"

    In espionage, a canary trap is the distribution of multiple versions of false documents to hide a secret. The technique can be used to detect information leaks or to create distractions that conceal valuable information. A team of cybersecurity researchers developed a new data protection system called WE-FORGE that uses Artificial Intelligence (AI) to expand upon the canary trap method. The system protects intellectual property such as drug designs and military technologies by producing false documents. WE-FORGE improves upon the canary trap technique by using natural language processing to automatically generate multiple fake files that are similar enough to the originals to be believable but different enough to be incorrect. The system also adds randomness to prevent adversaries from identifying the real documents. WE-FORGE can create many fake versions of any technical design document, making it significantly more difficult for adversaries to determine which document is real once they have successfully hacked a system. The technique causes adversaries to waste time and resources and lowers their confidence. This article continues to discuss the concept of canary traps in espionage and how the WE-FORGE data protection system builds on this technique to better deceive would-be attackers.

    Dartmouth College reports "Cybersecurity Researchers Build a Better 'Canary Trap'"

  • news

    "Go Malware Detections Increase 2000%"

    Researchers at the Israeli security firm Intezer have found that new malware written in the Go programming language has spiked by 2000% over the past four years. The Go programming language, sometimes referred to as Golang, was first used for malware around nine years ago. Many adversaries choose to use the Go language to create malware because it works across Windows, Linux, and Mac operating systems and is relatively challenging for researchers to reverse engineer. Go was used by Russian state-backed actors to target Eastern European countries with a variant of the Zebrocy malware last year. Kremlin hackers have also used the language to develop the WellMess malware, which targeted COVID-19 vaccine researchers in the UK, Canada, and the US. The researchers stated that traditional anti-virus programs have a hard time identifying Go malware.

    Infosecurity reports: "Go Malware Detections Increase 2000%"

  • news

    "Cyber Workforce Vital to Protecting National Security"

    The US Defense Department's cyber workforce is responsible for defending nearly every system that the government agency uses to safeguard national security. John Marx, the acting principal director for cyber modernization in the office of the undersecretary of defense for research and engineering, discussed the department's cyber missions and workforce talent during Engineers Week (February 21 to 27). According to Marx, the first goal of modernizing cyber capabilities in the Department of Defense (DoD) is to advance its ability to develop and deploy cyber-resilient systems. The second goal is to create a unique capability for highly integrated cyber and electromagnetic spectrum operations. The third goal is to develop an unrivaled cyber and electromagnetic spectrum expertise, supporting the first two goals. In addition to these missions, DoD provides support to critical civilian infrastructures in case of necessity when infrastructure owners request it under authorities such as the Defense Support to Civil Authorities. DoD collaborates closely with other federal agencies and local entities to provide this support. Marx highlighted DoD's continuous search for cyber talent and talent within its workforce. DoD is always seeking individuals who know how software drives complex systems. These individuals are typically computer engineers, software engineers, and electrical engineers. Mechanical, civil, chemical, aerospace, and biomedical engineers are also encouraged to have a strong understanding of the way in which their fields of practice rely on cyber systems. This article continues to discuss DoD's cyber capability modernization goals, the department's search for cyber talent, how engineers can gain more cybersecurity knowledge, and technologies that will improve cybersecurity.

    The Department of Defense reports "Cyber Workforce Vital to Protecting National Security"

  • news

    "Ransomware Gang Hacks Ecuador's Largest Private Bank, Ministry of Finance"

    A hacking group called Hotarus Corp claims to have stolen internal data from Ecuador's Ministry of Finance and Banco Pichincha, the largest private bank in Ecuador. The ransomware gang used a PHP-based ransomware strain called Ronggolawe, also known as AwesomeWare. In the attack against Ecuador's Ministry of Finance, Ronggolawe was used to encrypt the contents of a site that hosts an online course. Following the attack, the threat actors shared a text file containing more than 6,500 login names and hashed password combinations on a hacker forum. The group claims that they stole sensitive ministry information, employee information, emails, and contracts. Banco Pichincha released an official statement confirming that Hotarus Corp hacked its marketing partner, not its internal systems. According to the bank, the attackers used the marketing partner to send phishing emails to customers to steal sensitive information and perform illegitimate transactions. However, the hacking group disputes the bank's statement. They say the attack on the marketing company allowed them to infiltrate the bank's internal systems. Once they gained access to the internal systems, the actors claim that they stole data and executed a ransomware attack. The hacking group claims to have stolen over 30 million customer records and more than 50 thousand sensitive system records. They shared images of the allegedly stolen data as proof of the attack. This article continues to discuss Hotarus Corp's ransomware attacks against two financial organizations and the alleged theft of data.

    Bleeping Computer reports "Ransomware Gang Hacks Ecuador's Largest Private Bank, Ministry of Finance"

  • news

    "USA Third Most Affected by Stalkerware"

    Researchers from the cybersecurity company Kaspersky have found that Russia, Brazil, and the United States of America were most affected by stalkerware last year. The researchers found that 53,870 Kaspersky users were affected globally by malicious surveillance software in 2020. The USA, which was the fourth most impacted country in 2019, moved up to third place in 2020 with 4,745 people affected by stalkerware. The total number of victims globally in 2020 fell by 13,630 compared to 2019. The researchers saw an increase in the number of victims in the second half of 2020 when lockdown restrictions were put in place due to COVID-19. Nidb was the most used stalkerware sample in 2020. This sample is used to sell several different stalkerware products such as iSpyoo, TheTruthSpy, and Copy9. The researchers warn that this malicious software, which enables a remote user to monitor activities on another user's device, "may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence."

    Infosecurity reports: "USA Third Most Affected by Stalkerware"

  • news

    "When Cyber Gangs Disregard Ransomware Payments, Victims Can Be Hit Twice"

    The cybersecurity company Coveware released a report revealing that nearly half of the ransomware attacks it tracked in the third quarter included threats to leak unencrypted data. However, several of the gangs behind these attacks did not honor their agreement to delete victims' stolen data despite having received ransomware payments. For example, victims of Sodinokibi/REvil ransomware were hit again just a few weeks after paying the ransom for the same data. Such incidents raise the question of whether victims should pay ransomware attackers. Victims are advised not to pay because there is no guarantee that they will receive a working decryption tool for their data if they give in to the attackers' demand for a ransom payment. Coveware's report also highlights that there is no way to verify whether attackers will delete stolen data. The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory in October 2020 discussing the potential sanctions risks associated with sending ransomware payments to cybercriminals. OFAC has designated several malicious cyber actors responsible for the creation or distribution of ransomware. Payments to those actors encourage the launch of more ransomware attacks, potentially harming national security and foreign policy. Users and organizations are urged to focus on improving their ability to prevent ransomware infections. This article continues to discuss findings surrounding cyber gangs' dismissal of ransomware payments, the decision to pay ransomware attackers, and how ransomware infections can be prevented.

    Security Intelligence reports "When Cyber Gangs Disregard Ransomware Payments, Victims Can Be Hit Twice"

  • news

    "Mobile Phishing to Steal Government Credentials Increased 67% in 2020"

    According to a new report released by the mobile security firm Lookout, malicious hackers targeting devices belonging to government workers increasingly focused on stealing victims' login credentials instead of delivering malware in 2020. This shift in focus has led to the increased spread and persistence of attacks. The report revealed that more than 70 percent of phishing attacks faced by government organizations aimed to steal login credentials, a 67 percent increase from 2019. The data used to develop this report comes from almost 200 million devices and more than 135 million mobile apps used by the government agencies for which Lookout provides services. Lookout says the shift to remote work due to the COVID-19 pandemic has caused more government entities to consider implementing a "Bring Your Own Device" (BYOD) policy, thus increasing the attack surface for malicious actors. This article continues to discuss the increase in mobile phishing attacks aimed at stealing government credentials, the contributing factors behind this increase, and the different levels of exposure to phishing threats faced by federal, state, and local governments.

    NextGov reports "Mobile Phishing to Steal Government Credentials Increased 67% in 2020"

  • news

    "New 'LazyScripter' Hacking Group Targets Airlines"

    Researchers at the cybersecurity firm Malwarebytes have discovered a new Advanced Persistent Threat (APT) group dubbed LazyScripter. The hacking group targets airlines that use the BSPLink financial settlement software made by the International Air Transport Association (IATA). LazyScripter's most recent attacks used phishing emails that mimic IATA ONE ID, a contactless passenger processing tool. According to the researchers, the threat remained unnoticed for about two years. One of the group's earliest attacks targeted individuals seeking to immigrate to Canada. The toolset used by the group for its attacks has evolved over time and has included Octopus remote access Trojans (RATs), Remcos RATs, PowerShell Empire, and more. This article continues to discuss the LazyScripter hacking group's targets, methods, and tools.

    Security Week reports "New 'LazyScripter' Hacking Group Targets Airlines"

  • news

    "One Ransomware Victim Every 10 Seconds in 2020"

    Researchers at Check Point discovered that a new organization became a ransomware victim every 10 seconds in 2020, with remote workers experiencing a sharp uptick in threats. The researchers claim that double extortion ransomware, in particular, was on the rise. In Q3 2020, nearly half of all ransomware incidents involved data theft from the targeted organization. According to researchers at Check Point, only 5% of malware attacking global corporate networks was ransomware last year. The most popular was botnet traffic (28%), followed by crypto-miners (21%), information stealers (16%), mobile (15%), and banking malware (14%). Remote Desktop Protocol (RDP) attacks were the most popular attack vector for ransomware in the first half of the year.

    Infosecurity reports: "One Ransomware Victim Every 10 Seconds in 2020"

  • news

    "The IoT Cybersecurity Improvement Act: A First Step in Bolstering Smart Technology Security"

    Every second, 127 new IoT devices are connected to the web, and experts predict that by 2025, that figure will equate to more than 75 billion connected devices overall. IoT devices are often riddled with security vulnerabilities impacting security and privacy both at a consumer and corporate level. The Internet of Things Cybersecurity Improvement Act of 2020 is the first-of-its-kind legislation that requires the creation of security standards and guidelines for IoT devices used in and purchased by the federal government. It encompasses issues such as secure development, identity management, patching processes, and configuration management. The IoT security bill also calls for guidelines in vulnerability reporting for IoT devices in government networks and those of federal contractors. The researchers stated that as the use of connected devices continues to grow exponentially over time, we must ask ourselves, "is it enough?" While intended for government parties, these new guidelines can provide manufacturers and security vendors with a general roadmap of how to bolster IoT security measures overall, which has been lacking in years past. The researchers stated that the opportunity to expand and enhance IoT security is still present and needed. The bill in its current state addresses only a portion of the larger problem at hand. The security regulations outlined in the bill only apply to IoT technologies used in federal environments, rather than being applicable across all relevant IoT-enabled devices. The researchers stated that providing secure IoT technologies is still the primary responsibility of manufacturers and that end-users must demand more security measures from the companies selling such devices. End-users demanding more security measures will create a ripple effect, sparking proactive action from manufacturers and security vendors to holistically address IoT security concerns from the start, with an all-encompassing set of guidelines required to secure IoT device manufacturing, distribution, and implementation. The researchers stated that only through this domino effect will IoT security move beyond the government and into one's own home and business environments.

    Security Magazine reports: "The IoT Cybersecurity Improvement Act: A First Step in Bolstering Smart Technology Security"

  • news

    SoS Musings #46 - The Battle Against Fileless Malware Attacks Continues

  • news

    Spotlight on Lablet Research #15 - Reasoning about Accidental and Malicious Misuse via Formal Methods

  • news

    Cryptomining and Cryptojacking - What Are They?

  • news

    Cybersecurity Snapshots #15 - Attacks Against the Nation's Water Systems

  • news

    Cyber Scene #53 - Cybersecurity: Under (Mostly) New Management

  • news

    "Daycare Webcam Service Exposes 12,000 User Accounts"

    NurseryCam, a webcam service used across 40 daycare centers in the U.K. by parents who want to keep a watchful eye on their babies, has shut down following a data breach. The breach exposed the personal data of about 12,000 users to an attacker who said they were trying to improve the service's security. The adversary notified the company on Friday, and the company sent a notice to its users about the incident. The adversary behind the attack told the company that they could get real names, usernames, email addresses, and encrypted passwords for 12,000 accounts. This latest incident comes after users and infosec professionals gave the company repeated warnings that their internet-of-things (IoT) system's security was deeply flawed.

    Threatpost reports: "Daycare Webcam Service Exposes 12,000 User Accounts"

  • news

    "Microsoft Lures Populate Half of Credential-Swiping Phishing Emails"

    Researchers at Cofense have analyzed millions of emails related to various attacks and found that 57 percent were phishing emails aiming to steal victim usernames and passwords. The remainder of malicious emails were utilized in business email compromise (BEC) attacks or were used for malware delivery. Almost 17 percent of the emails identified as malicious were related to a financial transaction. Nearly half of phishing attacks in 2020 aimed to swipe credentials using Microsoft-related lures - from the Office 365 enterprise service lineup to its Teams collaboration platform. The researchers also found that in 2020 the GuLoader dropper rose as one of the top malware delivery mechanisms in email attacks. The malware, which first appeared in the first quarter and surged during the second quarter of 2020, is used to deliver remote administration tools, keyloggers, credential stealers, and other malware phenotypes.

    Threatpost reports: "Microsoft Lures Populate Half of Credential-Swiping Phishing Emails"