News Items

  • HoTSoS 2022 Best Undergraduate Poster Award

    Congratulations to Sanjana Cheerla at NCSU for winning the HoTSoS Best Undergraduate Poster Award for their poster Identifying Online Misbehavior.

    Check out the Announcement & Closing Remarks stream here!

  • HoTSoS 2022 Best Poster Award

    Congratulations to Samin Yaseer Mahmud & William Enck at NCSU for winning the HoTSoS Best Poster Award for their poster A Study of Security Weakness in Android Payment Service Provider SDKs.

    Check out the Announcement & Closing Remarks stream here!

  • Science of Security and Privacy 2022 Annual Report

    The Science of Security and Privacy 2022 Annual Report is now available.

    This report highlights the progress and accomplishments of the Science of Security and Privacy initiative.

  • Paper on One-Way-Functions Wins NSA Paper Competition

    "On One-way Functions and Kolmogorov Complexity" wins the 9th Annual Best Scientific Cybersecurity Paper Competition. This paper was written by Yanyi Liu from Cornell University and Rafael Pass from Cornell Tech.

    An honorable mention award was given to "Retrofitting Fine Grain Isolation in the Firefox Renderer" written by Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Sorin Lerner, Eric Rahm, Hovav Shacham and Deian Stefan.

  • HoTSoS 2022 Call for Papers! Deadline December 17th!

    The HoT Topics in the Science of Security (HoTSoS) Symposium is now soliciting submissions for the 2022 program. Following the success of the virtual HoTSoS Symposium in 2021, HoTSoS '22 will be a virtual event held the week of April 4th, 2022. In addition to research paper discussions and presentations, the symposium program will also include invited talks and panels.

    We are accepting submissions in the following three categories:

  • Follow @SoS_VO_org on Twitter!

    The SoS-VO team is excited to announce that we recently updated the homepage of the website to link to the official Science of Security & Privacy Twitter account, where we will be making daily announcements about noteworthy news items, upcoming opportunities, and impending deadlines in the SoS community.

  • HoTSoS 2021: Works-in-Progress Co-Chairs

    Meet the HoTSoS 2021 Team:
    Works-in-Progress Co-Chairs

    Kurt Kelville (MIT) and Aron Laszka (University of Houston) are our Works-in-Progress Co-Chairs for the 2021 Symposium. Happy to have these two on the Program Committee Team!

    About the Chairs

  • Take my word for it: Privacy and COVID alert apps can coexist

    BY LORRIE CRANOR, OPINION CONTRIBUTOR -- 11/10/20 09:30 AM EST

    Since the COVID-19 pandemic began, technologists across the country have rushed to develop digital apps for contact tracing and exposure notifications. New York, New Jersey, Pennsylvania, and Delaware have all recently announced the launch of such apps, announcements which generated excitement. But the advent of these tools has also created questions. Chief among them: Do these apps protect privacy?

  • NIST Releases Draft Security Feature Recommendations for IoT Devices

    "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.

    August 01, 2019

  • Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and the University of California, Santa Barbara. This paper was originally accepted at the 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage: https://cps-vo.org/group/sos/papercompetition/pastcompetitions

  • NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its BAA (really a request for proposals) for its next generation of SoS Lablets. These include lablets on the 5 Hard Problem areas in Science of Security, on the Science of Privacy, and on Cyber-Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can aid in directing inquiries: https://cps-vo.org/group/SoS/contact

  • "Project Will Make sel4 Cyber Security Technology Usable in More Complex Computer Systems"

    The British government will provide support to UNSW Sydney researchers in the improvement of their world-leading cybersecurity technology aimed at protecting critical computer systems against cyberattacks. The UK's National Cyber Security Centre (NCSC) will fund UNSW Engineering's Trustworthy Systems research group to accelerate the development of its seL4 microkernel technology, the world's most advanced cybersecurity technology. According to Scientia Professor Gernot Heiser, leader of the Trustworthy Systems team that invented the technology, the NCSC has been evaluating seL4 for some time and is currently collaborating with defense industry partners to deploy it in real-world computer systems. The seL4 technology is already in use by the UK government and other countries, in addition to many civilian applications. When built into the core of a computer's operating system, Trustworthy Systems' pioneering seL4 technology provides bullet-proof isolation between computer programs, preventing an affected component from compromising others. The Trustworthy Systems group is also conducting research in collaboration with the United Arab Emirates and the Swiss technology company Neutrality, among others, to deploy the seL4 microkernel in mobile phones, drones, Internet of Things (IoT) devices, and more. This article continues to discuss the support and continued efforts behind the seL4 microkernel technology.

    UNSW Sydney reports "Project Will Make sel4 Cyber Security Technology Usable in More Complex Computer Systems"

  • "Professor Receives Grant as Part of $14 Million Industry Collaboration to Improve Secure Communications"

    The Intelligence Advanced Research Projects Activity (IARPA) has awarded a $14 million contract to fund a collaborative project between BAE Systems and a team of researchers at Virginia Tech in order to meet the growing demand for secure communications research and development. The award aims to create tools for deciphering an ever-increasing number of radio frequency signals to quickly and accurately help secure mission-critical information. The Virginia Tech team will provide expertise in Machine Learning (ML)-based strategies for radio frequency anomaly detection. The team will focus on reservoir computing, a type of computing used to predict a network's activity and occupancy based on observations of a small sample piece of that network. When it comes to secure communications, looking at a small section to predict activity on a larger scale is especially important because analyzing the entire network in a time-sensitive situation would be nearly impossible. As information travels quickly, threats can cause widespread damage in seconds. It is critical to be able to identify a threat as soon as possible in order to prevent damage on a large scale. Signal characterization will also be used by the team to identify the types of signals being sent within the secure communications network. The hope is that the technology developed using these prediction and characterization techniques will improve situational awareness, help target threats, and secure communications against malicious attacks. BAE Systems will provide suggestions and guidance to the team on setting up the experiment. This assistance includes providing a baseline of simulated data before moving on to actual hardware testbed data. The advanced defense technology company will then collaborate with the Virginia Tech team to review the success of the proposed candidate technologies, including how well they work to analyze anomalies and threats, and provide suggestions and feedback based on those test runs. This article continues to discuss the collaborative project aimed at improving secure communications.

    Virginia Tech reports "Professor Receives Grant as Part of $14 Million Industry Collaboration to Improve Secure Communications"

  • "Researchers: Oracle Took 6 Months to Patch 'Mega' Vulnerability Affecting Many Systems"

    Security researchers PeterJson of VNG Corporation and Nguyen Jang of VNPT have published technical details on a critical Fusion Middleware vulnerability that Oracle took six months to patch. Tracked as CVE-2022-21445 (CVSS score of 9.8), the vulnerability is described as a deserialization of untrusted data, which could be exploited to achieve arbitrary code execution. The researchers noted that the issue, identified in the ADF Faces component, can be exploited remotely, without authentication. The researchers reported the vulnerability to Oracle in October 2021, and Oracle released a fix as part of its April 2022 Critical Patch Update, six months after the initial report. According to the researchers, the pre-authentication RCE issue, which they described as a "mega" vulnerability, impacts all applications that rely on ADF Faces, including Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, and Transportation Management. The researchers also discovered CVE-2022-21497 (CVSS score of 8.1), a server-side request forgery (SSRF) vulnerability that could be chained with CVE-2022-21445 to achieve pre-authentication remote code execution in Oracle Access Manager, a component used for SSO in numerous Oracle online services. The researchers named their attack "The Miracle Exploit" and said that all of Oracle's online systems and cloud services that rely on ADF Faces are impacted. They also noted that any website that uses the ADF Faces framework is vulnerable.

    SecurityWeek reports: "Researchers: Oracle Took 6 Months to Patch 'Mega' Vulnerability Affecting Many Systems"

  • "Teaching Physics to AI Can Allow it to Make New Discoveries All on Its Own"

    Researchers at Duke University have discovered that incorporating known physics into machine learning algorithms can help the enigmatic black boxes attain new levels of transparency and insight into the characteristics of materials. The researchers used a sophisticated machine learning algorithm in one of the first efforts of its type to identify the characteristics of a class of engineered materials known as metamaterials and to predict how they interact with electromagnetic fields. The researchers stated that the algorithm was essentially forced to show its work since it first had to take into account the known physical restrictions of the metamaterial. The researchers noted that this method enabled the algorithm to predict the properties of the metamaterial with high accuracy, more quickly, and with additional insights than earlier approaches. Willie Padilla, professor of electrical and computer engineering at Duke, stated that by incorporating known physics directly into machine learning, the algorithm can find solutions with less training data and in less time. Padilla noted that while this study was mainly a demonstration showing that the approach could recreate known solutions, it also revealed some insights into the inner workings of non-metallic metamaterials that nobody knew before. The results were published in the journal Advanced Optical Materials.

    SciTechDaily reports: "Teaching Physics to AI Can Allow it to Make New Discoveries All on Its Own"

  • "Biden Signs Two Cybersecurity Bills Into Law"

    The Federal Rotational Cyber Workforce Program Act of 2021 and the State and Local Government Cybersecurity Act of 2021 were signed into law on Tuesday, June 21, 2022, by US President Joe Biden. The Federal Rotational Cyber Workforce Program Act establishes a program under which certain federal employees can be temporarily moved to other agencies in an effort to boost their skills. The State and Local Government Cybersecurity Act of 2021 is meant to improve collaboration between the Department of Homeland Security and state, local, tribal, and territorial governments. The bill requires the National Cybersecurity and Communications Integration Center (NCCIC) to coordinate with the Multi-State Information Sharing and Analysis Center (MS-ISAC) to aid state, local, tribal, and territorial government entities with cybersecurity exercises, training, education, and awareness.

    SecurityWeek reports: "Biden Signs Two Cybersecurity Bills Into Law"

  • "Ransomware Hacker Spotted Using Zero-Day Exploit on Business Phone VoIP Device"

    A vulnerability in a Voice over Internet Protocol (VoIP) business device was used by a hacker to infect a company with ransomware. According to researchers at the security firm Crowdstrike, the hacker exploited a new vulnerability in a Linux-based VoIP appliance from the business phone provider Mitel. Because the VoIP device had few built-in security measures, the ensuing zero-day attack allowed the hacker to access the company's network through it. The goal of the attack was to take control of the Linux-based VoIP equipment so that the hacker could reach other areas of the network. Crowdstrike was able to identify the hacker's presence because security software noticed the suspicious behavior on the victim's network. Crowdstrike also informed Mitel of the previously undiscovered vulnerability, and in April, Mitel distributed a patch to affected clients. The incident highlights the mounting concern that ransomware organizations will employ zero-day vulnerabilities to target additional victims. This article continues to discuss the exploitation of a zero-day flaw in a business VoIP device to spread ransomware.

    PCMag reports "Ransomware Hacker Spotted Using Zero-Day Exploit on Business Phone VoIP Device"

  • "Businesses Risk 'Catastrophic Financial Loss' From Cyberattacks, US Watchdog Warns"

    The Government Accountability Office (GAO) warns that private insurance companies are increasingly declining to cover damages caused by major cyberattacks, leaving American businesses vulnerable to catastrophic financial loss unless another insurance model is introduced. GAO's new report requests that the government assess whether a federal cyber insurance option is required. The report uses threat assessments from the National Security Agency (NSA), the Office of the Director of National Intelligence (ODNI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Justice (DOJ) to quantify the risk of cyberattacks on critical infrastructure, identifying vulnerable technologies that could be attacked as well as a variety of threat actors capable of exploiting them. According to an annual threat assessment by the ODNI, hacking groups linked to Russia, China, Iran, and North Korea, and certain non-state actors such as organized cybercriminal gangs, pose the greatest threat to US infrastructure. The number of cyber incidents is rapidly expanding due to the wide and increasingly skilled variety of individuals ready to target US organizations. Although federal agencies do not have a comprehensive inventory of cybersecurity incidents, several key federal and industry sources show a rise in most types of cyberattacks across the US, including those impacting critical infrastructure, along with increasing costs per attack. There were 26,074 incidents in 2021, with a roughly $2.6 billion total cost. This article continues to discuss the GAO's report on cyber insurance, which calls for action to assess a potential federal response to catastrophic cyberattacks.

    The Verge reports "Businesses Risk 'Catastrophic Financial Loss' From Cyberattacks, US Watchdog Warns"

  • "Unsecured APIs Could Be Costing Firms $75bn Per Year"

    Security researchers at Imperva discovered that global businesses could be exposing themselves to billions in annual losses because they aren't properly securing their APIs. Imperva teamed up with the Marsh McLennan Cyber Risk Analytics Center to analyze nearly 117,000 unique cybersecurity incidents for their report, Quantifying the Cost of API Insecurity. The researchers found that vulnerable and unsecured APIs cause an estimated 7.5% of cyber events and losses globally, rising to 18-23% in the IT and information sector. Professional services (10-15%) and retail (6-12%) rounded out the top three. The researchers stated that APIs are an increasingly common feature of digital transformation projects, connecting applications, data, and experiences. The researchers estimated that around half of businesses have 50-100 APIs deployed internally or publicly, and some have thousands. The researchers warned that deploying many APIs could unwittingly expand a company's digital attack surface.

    Infosecurity reports: "Unsecured APIs Could Be Costing Firms $75bn Per Year"

  • "$100 Million Worth of Crypto Has Been Stolen in Another Major Hack"

    It has recently been discovered that hackers have stolen $100 million in cryptocurrency from Horizon, a so-called blockchain bridge, in the latest major heist in the world of decentralized finance. Details of the attack are still slim, but Harmony, the developers behind Horizon, said they identified the theft Wednesday morning. Harmony singled out an individual account it believes to be the culprit. The company has begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds. Blockchain bridges play a significant role in the DeFi space, offering users a way of transferring their assets from one blockchain to another. In Horizon's case, users can send tokens from the Ethereum network to Binance Smart Chain. The company noted that the attack did not affect a separate bridge for bitcoin. Bridges have become a prime target for hackers due to vulnerabilities in their underlying code. Jess Symington, research lead at the blockchain analysis firm Elliptic, stated that bridges "maintain large stores of liquidity," making them a "tempting target for hackers." Harmony has not revealed exactly how the funds were stolen. However, one investor had raised concerns about the security of its Horizon bridge as far back as April. This cyberattack follows a series of notable cyberattacks on other blockchain bridges. The Ronin Network, which supports the crypto game Axie Infinity, lost more than $600 million in a security breach that took place in March. Wormhole, another popular bridge, lost over $320 million in a separate hack a month earlier.

    CNBC reports: "$100 Million Worth of Crypto Has Been Stolen in Another Major Hack"

  • "Avos Ransomware Threat Actor Updates Its Attack Arsenal"

    A new Cisco Talos Intelligence Group report reveals new tools used in Avos ransomware attacks. Avos is a ransomware group that has been active since July 2021. The group follows the Ransomware-as-a-Service (RaaS) business model, meaning it provides ransomware services such as automatic builds, data storage, negotiation assistance, automatic decryption tests, and more to various affiliates. AvosLocker currently supports Windows, Linux, and ESXi environments and offers automated configurable builds of the AvosLocker malware. Furthermore, the threat actor provides affiliates with a control panel, a negotiation panel with push and sound notifications, decryption tests, and access to a diverse network of penetration testers, initial access brokers, and other contacts. Avos also offers calling services and Distributed Denial-of-Service (DDoS) attacks, meaning the group calls victims to pressure them to pay the demanded ransom or launches DDoS attacks during the negotiation to add stress to the situation. According to the FBI, AvosLocker has already targeted critical infrastructure in the US, including financial services, manufacturing, and government facilities. Attacks on post-Soviet Union countries are not allowed by the Avos team. On a Russian forum, a user known as "Avos" was seen attempting to recruit penetration testers with experience in Active Directory networks and initial access brokers. This article continues to discuss updates made to the Avos ransomware threat actor's attack arsenal and how to protect against this ransomware.

    TechRepublic reports "Avos Ransomware Threat Actor Updates Its Attack Arsenal"

  • "Apple, Android Phones Targeted By Italian Spyware: Google"

    According to Google's threat analysis team, hacking tools developed in Italy were used to spy on Apple and Android smartphones in Italy and Kazakhstan, shedding light on a thriving spyware industry. Spyware developed by RCS Lab targeted the phones using a combination of tactics, including "drive-by downloads" that occur without the victims' knowledge. Concerns about spyware were heightened last year when media outlets reported that Israeli firm NSO's Pegasus tools were used by governments to spy on opponents, activists, and journalists. Companies like NSO and RCS claim to only sell to customers with legitimate uses for surveillanceware, such as intelligence and law enforcement agencies, according to mobile cybersecurity specialist Lookout. In reality, such tools have frequently been used to spy on business executives, human rights activists, journalists, academics, and government officials under the guise of national security. According to Google's report, the RCS spyware it discovered, dubbed "Hermit," is the same one that Lookout previously reported on. An analysis of Hermit showed it can allow threat actors to gain control of smartphones, record audio, redirect calls, and collect data such as contacts, messages, photos, and location. Google and Lookout say the spyware spreads by getting people to click on links in messages sent to targets. This article continues to discuss the spyware being used to target Apple and Android phones.

    IBT reports "Apple, Android Phones Targeted By Italian Spyware: Google"

  • "CISA: Log4Shell Exploits Still Being Used to Hack VMware Servers"

    The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning pertaining to threat actors, including state-backed hacking groups, using the Log4Shell Remote Code Execution (RCE) vulnerability to hack VMware Horizon and Unified Access Gateway (UAG) servers. Attackers can remotely exploit Log4Shell on vulnerable servers that are exposed to local or Internet access in order to move laterally across networks until they gain access to internal systems containing sensitive data. Following the disclosure of the Log4Shell flaw in December 2021, multiple threat actors, including state-backed hacking groups from China, Iran, North Korea, and Turkey, as well as several access brokers commonly used by ransomware gangs, began scanning for and exploiting unpatched systems. This article continues to discuss CISA's warning regarding the exploitation of the Log4Shell RCE vulnerability to hack VMware servers.

    Bleeping Computer reports "CISA: Log4Shell Exploits Still Being Used to Hack VMware Servers"

  • "Pair of Brand-New Cybersecurity Bills Become Law"

    The Biden administration continued its efforts to fortify US cyber defenses by signing two bills into law, both with the goal of facilitating the free flow of cybersecurity expertise and resources between federal agencies and down to municipalities in need of resources. The Federal Rotational Cyber Workforce Program Act of 2021, the first piece of cybersecurity legislation, removes the red tape that prevents information technology, cybersecurity, and other related federal workers from providing expertise across multiple agencies. This article continues to discuss the new cybersecurity bills that have now been signed into law and the importance of increasing cybersecurity support for state and local governments.

    Dark Reading reports "Pair of Brand-New Cybersecurity Bills Become Law"

  • "Over 40 Organizations Breached by Conti Ransomware Attacks in a Month"

    The Conti cybercrime group has become highly organized, running one of the most aggressive ransomware operations. As a result, its affiliates were able to breach over 40 firms in a month. Security researchers dubbed the hacking operation ARMattack and described it as one of the group's most productive and effective operations. According to Group-IB analysts, one of Conti's "most productive campaigns" took place between November 17 and December 20, 2021. During incident response operations, they discovered the group's month-long hacking campaign. Conti affiliates were able to compromise more than 40 firms in diverse industries across a wide range of geographies during the operation, with an emphasis on American-based businesses. Group-IB has been investigating Conti's "working hours" using information obtained from public sources, such as leaked internal gang communications. Conti members, according to the researchers, have an average daily activity level of 14 hours, excluding the New Year's break, which explains their effectiveness. They also point out that the group operates as a real business, with people assigned to hiring, research and development, managing OSINT jobs, and providing customer support. This article continues to discuss findings surrounding the Conti cybercrime group's activities and operations.

    CyberIntelMag reports "Over 40 Organizations Breached by Conti Ransomware Attacks in a Month"

  • "Cyber Threats Targeting Agriculture Focus of New Cybersecurity Testbed"

    A cybersecurity professor at the University of Nebraska at Omaha (UNO) is leading research aimed at protecting against hackers and cyber criminals who may target Nebraska's agricultural industry and beyond, from farmers in the fields to large-scale agricultural facilities. Combating cyber threats to Nebraska's farmers and agricultural industries starts with identifying vulnerabilities in systems and machinery. However, given the size of the machinery involved, researching vulnerabilities can be costly and logistically difficult. Therefore, George Grispos, Ph.D., assistant professor of cybersecurity at UNO, in collaboration with researchers at the University of Nebraska-Lincoln (UNL), built the Security Testbed for Agricultural Vehicles and Environments (STAVE) to shrink agricultural systems down to a more manageable level. As more machinery gains online capabilities such as mapping and automated steering, attackers may target anything from tractors and combines to trailers transporting expensive fertilizers and chemicals. The study provides a framework for future cybersecurity research at a manageable scale, allowing researchers to close vulnerabilities open to attackers and help keep the state's agricultural workforce moving. STAVE includes electronic components common in farm machinery and consumer electronics, such as Raspberry Pi microcomputers. These components are mounted to a board and connected to a laptop, allowing Grispos and his colleagues to emulate larger machinery and systems. The researchers hope that STAVE will lead to the discovery of vulnerabilities that can later be patched, as well as the establishment of more testbeds on other machines in the future. This article continues to discuss the newly developed STAVE, aimed at helping researchers find and address vulnerabilities in agricultural systems.

    UNOmaha reports "Cyber Threats Targeting Agriculture Focus of New Cybersecurity Testbed"

  • "Access Management Issues May Create Security Holes"

    According to a study by the security vendor strongDM that polled 600 IT, security, and DevOps workers, access restrictions meant to secure corporate systems may have the adverse effect of causing employees to find workarounds and share credentials with co-workers, thus creating potential security vulnerabilities. The study found that in many cases, users will find alternative methods for accessing their containers, cloud services, and other important tools when they do not have access via the managed company channels. The problem stems from a natural conflict related to the pressure that employees face when trying to meet deadlines. While executives and managers press IT administrators to update network services to the most recent versions and to implement secure and well-maintained access protocols, end-users, particularly developers and DevOps teams who rely on stored code and containers, require access to those resources. The survey discovered that end-users need about 15 minutes of access per day to get the data they need for work. Meanwhile, nearly 39 percent of administrators polled said that simply connecting new tools to their existing access management systems takes several days. While new systems are being integrated with access management controls, end-users will still need to meet deadlines and complete projects, meaning they will likely operate outside the management controls. These workarounds could include directly accessing the cloud service or system using their personal credentials or even a shared login. Of those polled, 55 percent said they had seen their teams maintain a backdoor access method, while 53 percent said they shared credentials to important services. This is where major security risks emerge, as these credentials are then vulnerable to hackers through account theft, malware, or other common methods. This article continues to discuss key findings from strongDM's study regarding how access management issues can create security vulnerabilities.

    TechTarget reports "Access Management Issues May Create Security Holes"

  • "Amazon's Plan For Alexa to Mimic Anyone's Voice Raises Fears it Will be Used For Deepfakes And Scams"

    Amazon is developing new technology for its voice assistant Alexa that will be able to mimic any human's voice, dead or alive, using less than a minute of recorded audio. At a conference in Las Vegas, Amazon's senior vice president and head scientist Rohit Prasad stated that the feature could be used to help memorialize a deceased family member. Prasad demonstrated the feature at the conference and said, "Alexa, can Grandma finish reading me the Wizard of Oz?" Alexa then confirmed the request with its default, robotic voice, then immediately switched to the grandmother's humanlike, soft, and kind tone. After the demonstration, he stated, "while A.I. can't eliminate that pain of loss, it can definitely make the memories last." However, despite the uplifting emotional nature of the presentation, the new capability quickly received pushback. Rather than a means for emotional connection, many people saw voice mimicry as an ideal tool for deepfakes, criminal scams, and other nefarious ends. Damien P. Williams, a Ph.D. researcher in values, algorithms, and bias, stated that scammers might be able to use the new technology for their benefit. Amazon did not say when the new feature will be available.

    Fortune reports: "Amazon's Plan For Alexa to Mimic Anyone's Voice Raises Fears it Will be Used For Deepfakes And Scams"

  • news

    Visible to the public "Researchers Uncover Ways to Break the Encryption of 'MEGA' Cloud Storage Service"

    Researchers at ETH Zurich found a number of critical security vulnerabilities in the MEGA cloud storage service that could allow malicious actors to break the confidentiality and integrity of user data. The researchers explain how MEGA's system does not protect its users against a malicious server, allowing a rogue actor to fully compromise the privacy of the uploaded files. In addition, the integrity of user data is damaged to the extent that an attacker can insert malicious files that pass all authenticity checks of the client. Among the flaws is an RSA Key Recovery Attack, which allows MEGA or a resourceful nation-state adversary in control of its Application Programming Interface (API) infrastructure to recover a user's RSA private key and decrypt the stored content. The recovered RSA key can then be extended to make way for plaintext recovery attacks, framing attacks, integrity attacks, and Guess-and-Purge (GaP) Bleichenbacher attacks. The attacks demonstrate that a motivated party can find and exploit vulnerabilities in real-world cryptographic architectures with disastrous security consequences. This article continues to discuss the ETH Zurich researchers' study on ways to break MEGA's encryption.

    THN reports "Researchers Uncover Ways to Break the Encryption of 'MEGA' Cloud Storage Service"

  • news

    Visible to the public "Google Patches 14 Vulnerabilities With Release of Chrome 103"

    Google recently released Chrome 103 to the stable channel with patches for 14 vulnerabilities, including nine reported by external researchers. The most severe vulnerability is CVE-2022-2156, which is described as a critical-severity use-after-free issue in Base. Use-after-free flaws arise when a program frees a memory allocation but does not clear the pointer afterward and later uses it; they can lead to arbitrary code execution, corruption of data, or denial of service. If combined with other security holes, use-after-free bugs can lead to complete system compromise. Researchers noted that they can often be exploited in Chrome to escape the browser's sandbox. Google stated that Chrome 103 resolves three other use-after-free vulnerabilities found by external researchers impacting components such as Interest groups (CVE-2022-2157, high severity), WebApp Provider (CVE-2022-2161, medium severity), and Cast UI and Toolbar (CVE-2022-2163, low severity). Google noted that the latest Chrome update also resolves an externally-reported high-severity type confusion flaw in the V8 JavaScript and WebAssembly engine (CVE-2022-2158), along with four other medium- and low-severity issues.

    SecurityWeek reports: "Google Patches 14 Vulnerabilities With Release of Chrome 103"

  • news

    Visible to the public "Web3 Wallets Targeted by Chinese Hackers; 'SeaFlower' Using Cloned Websites to Trick Crypto Traders"

    A Chinese hacking group has been observed using a low-tech but effective method to steal money from Web3 wallets, which involves distributing altered versions of the wallets with a backdoor programmed into them. The hackers cloned legitimate wallet distribution sites, tricking users into downloading a compromised version. Confiant researchers discovered and tracked the threat actor's activity, which they describe as a "highly sophisticated" operation. The Chinese hackers primarily target searches for a specific group of Web3 wallets and focus on iOS and Android users. Their success with this approach is mainly due to their attention to detail in cloning the official websites of the Web3 wallets and the wallet code itself. The only difference between the tainted and the legitimate download process and user experience is the addition of backdoor code that enables them to drain funds from the victim. Confiant dubbed the group "SeaFlower," but its identity remains unknown. However, numerous clues point to China, with Chinese macOS usernames linked to the group's activity and the backdoor code containing some Chinese-language comments. In addition, some frameworks used are common in the Chinese hacking community and originated from Chinese coders. Currently, the hackers are targeting four types of Web3 wallets: Coinbase Wallet, imToken, MetaMask, and Token Pocket. Both the iOS and Android versions of these wallets are targeted by the attackers. The Confiant researchers emphasize that the legitimate versions of these wallets are completely safe and do not contain any vulnerabilities; the defense is to avoid tainted downloads when looking for them using search engines. This article continues to discuss findings regarding the targeting of Web3 wallets by the SeaFlower hacking group.

    CPO Magazine reports "Web3 Wallets Targeted by Chinese Hackers; 'SeaFlower' Using Cloned Websites to Trick Crypto Traders"

  • news

    Visible to the public "Japanese City Loses Memory Drive With Information on All 460,000 Residents"

    The city of Amagasaki in western Japan recently discovered that it had lost a USB flash drive containing the personal information of its roughly 460,000 residents. The lost data included the residents' names, addresses, and dates of birth, as well as the bank account numbers of welfare-receiving households, among other information. So far, there is no evidence of the data having been leaked. It was stated that an employee of a company commissioned to assist the city's rollout of COVID-19 relief funds lost a bag that had the flash drive inside after drinking and dining at a restaurant on Tuesday. The employee reported it to the police on Wednesday. According to the city, the data was encrypted and protected with a password. The city claimed it "will thoroughly ensure security management when handling electronic data." The city also stated that it will work to regain its residents' trust by heightening awareness of the importance of protecting personal information.

    The Japan Times reports: "Japanese City Loses Memory Drive With Information on All 460,000 Residents"

  • news

    Visible to the public "Five Ransomware Strains Have Been Linked to Bronze Starlight Activities"

    In an effort to conceal their genuine espionage activities, a group of cyberattackers with probable state support adopted a new loader to disseminate five different types of ransomware. Secureworks' cybersecurity experts released new research on HUI Loader, a malicious tool that criminals have been using since 2015. Loaders are small malicious packages that are designed to remain undetected on a compromised machine. While they frequently lack functionality as standalone malware, they do perform one critical function: they load and execute additional malicious payloads. HUI Loader is a custom DLL loader that is loaded by legitimate software programs which have been hijacked because they are vulnerable to DLL search order hijacking. When the loader is executed, it deploys and decrypts a file containing the main malware payload. HUI Loader has previously been used in campaigns by groups such as APT10/Bronze Riverside, which is linked to the Chinese Ministry of State Security (MSS), and Blue Termite. In previous campaigns, the groups used Remote Access Trojans (RATs) such as SodaMaster, PlugX, and QuasarRAT. It appears that the loader has now been adapted to spread ransomware. This article continues to discuss recent findings regarding the use of ransomware to hide cyber spying.

    ZDNet reports "Five Ransomware Strains Have Been Linked to Bronze Starlight Activities"

  • news

    Visible to the public "Apple Game Center is Affected by Critical Parse Server Vulnerability"

    A Parse Server software flaw has led to the discovery of an authentication bypass affecting Apple Game Center. The open-source Parse Server project, which is available on GitHub, offers push notification functionality for iOS, macOS, Android, and tvOS. The software is a backend system compatible with any infrastructure capable of running Node.js, and it may be used independently or in conjunction with already-existing web applications. A bug in Parse Server versions prior to 4.10.11/5.0.0/5.2.2 caused a validation issue in Apple Game Center, according to a security notice issued on June 17. The security flaw has a CVSS severity score of 8.6 and is described as an instance in which the security certificate for Apple Game Center's authentication adapter is not validated. As a result of the flaw, authentication could be evaded by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object. This article continues to discuss the critical Parse Server vulnerability affecting the Apple Game Center.

    CyberIntelMag reports "Apple Game Center is Affected by Critical Parse Server Vulnerability"

  • news

    Visible to the public "US Subsidiary of Automotive Hose Maker Nichirin Hit by Ransomware"

    Recently, a US subsidiary of Nichirin, a Japanese company that makes hoses for the automotive industry, was hit by ransomware. The attack was aimed at Nichirin-Flex USA and was discovered on June 14th. Other Nichirin subsidiaries do not appear to be affected. The full impact of the cyberattack is being investigated, including whether data has been compromised. On its website, Nichirin warned customers about fake emails apparently coming from the company. Currently, no major ransomware group has claimed responsibility for the cyberattack. The cyberattack on Nichirin comes just months after Japanese car parts giant Denso was hit by ransomware. The Pandora ransomware group took credit for that attack, claiming to have stolen 1.4 Tb of data. Darren Williams, CEO of BlackFog, stated that we continue to see threat actors targeting manufacturers in the automotive, infrastructure, and government sectors. More specifically, cybercriminals continue to target organizations with older infrastructure and organizations that lack investment in cyber security in terms of product and personnel. Williams noted that these industries continue to outpace the rest of the market regarding cyberattacks. Williams said that this cyberattack should serve as a reminder that even the smallest contributors to the supply chain must do their part to defend against cyberattacks.

    SecurityWeek reports: "US Subsidiary of Automotive Hose Maker Nichirin Hit by Ransomware"

  • news

    Visible to the public "Sniffing Out Your Identity With Breath Biometrics"

    In collaboration with the University of Tokyo, researchers from Kyushu University's Institute for Materials Chemistry and Engineering have developed an olfactory sensor for biometric authentication using breath. The artificial 'nose' they developed can identify individuals based on their breath. The olfactory sensor system, which is equipped with a 16-channel sensor array capable of detecting various compounds found in a person's breath, has the potential to become another option in the biometric security toolkit. The 'artificial nose,' when combined with Machine Learning (ML), successfully authenticated up to 20 individuals with an average accuracy of more than 97 percent. Biometric authentication is a way to protect valuable assets in this age of information and technology. There are various biometrics that machines can use to identify individuals, ranging from fingerprints, palm prints, voices, and faces to the less common options of ear acoustics and finger veins. These techniques rely on each individual's physical uniqueness, but they are not foolproof, as physical characteristics can be copied or damaged by injury. Therefore, human scent has been emerging as a new type of biometric authentication, using a person's unique chemical composition to confirm their identity. This article continues to discuss the new potential odorous option for the biometric security toolkit.

    Science Daily reports "Sniffing Out Your Identity With Breath Biometrics"

  • news

    Visible to the public "A Simple Tool To Make Websites More Secure and Curb Hacking"

    An international team of researchers has created a scanning tool to reduce the vulnerability of websites to hacking and cyberattacks. The black box security assessment prototype, which was tested by engineers in Australia, Pakistan, and the UAE, outperforms existing web scanners, which collectively fail to detect the top ten weaknesses in web applications. Cybercrime cost the world nearly $6 trillion in 2021, representing a 300 percent increase in online criminal activity over the previous two years. In addition, data breaches have skyrocketed as a result of cloud-based platforms, malware, and phishing scams, while the rollout of 5G and Internet of Things (IoT) devices has increased connectivity and the vulnerability to attacks. The team highlighted several security vulnerabilities found in web applications and how these weaknesses are costing organizations. Because of the widespread use of eCommerce, iBanking, and eGovernment sites, web applications have become a prime target for cybercriminals looking to steal personal and corporate information and disrupt business operations. According to the team, they have not found a single scanner that can counter all these vulnerabilities. Their prototype tool is said to cater to all these challenges as a one-stop guide to ensuring 100 percent website security. This article continues to discuss the increase in cybercrime and data breaches and the black box security assessment prototype developed to bolster website security against attacks.

    UniSA reports "A Simple Tool To Make Websites More Secure and Curb Hacking"

  • news

    Visible to the public "Chinese Hackers Target Script Kiddies With Info-stealer Trojan"

    Researchers at Check Point have discovered a new campaign associated with the Chinese "Tropic Trooper" hacking group, which employs a novel loader known as Nimbda and a new variant of the Yahoyah Trojan. The Trojan is included in a greyware tool called 'SMS Bomber,' which is used to launch Denial-of-service (DoS) attacks on phones by flooding them with messages. Such tools are commonly used by novice threat actors who want to launch attacks against websites. According to the researchers, the threat actors also exhibit in-depth cryptographic knowledge, extending the AES specification in a custom implementation. The new Yahoyah variant collects data about the host and sends it to the command-and-control (C2) server. The information collected by Yahoyah includes the local wireless network SSIDs in the victim machine's vicinity, computer name, MAC address, OS version, installed AV products, and presence of WeChat and Tencent files. This article continues to discuss findings surrounding the Tropic Trooper hacking group's new campaign that employs Nimbda and a new variant of the Yahoyah Trojan.

    Bleeping Computer reports "Chinese Hackers Target Script Kiddies With Info-stealer Trojan"

  • news

    Visible to the public "Cloud Email Threats Soar 101% in a Year"

    The number of email-borne cyber threats blocked by Trend Micro surged by triple digits last year, highlighting the continued risk from conventional attack vectors. Trend Micro stopped over 33.6 million such threats from reaching customers via cloud-based email in 2021, a 101% increase. This included 16.5 million phishing emails, a 138% year-on-year increase, of which 6.5 million were credential phishing attempts. The company also blocked 3.3 million malicious files in cloud-based emails, including a 134% increase in known threats and a 221% increase in unknown malware. These findings come just as Proofpoint warned in a new report of the continued dangers posed by social engineering and the mistaken assumptions many users make. Proofpoint noted that many users do not realize that threat actors may spend a lot of time and effort building a rapport over email with their victims, especially if they are trying to conduct a business email compromise (BEC) attack. Adversaries may also abuse legitimate services from Google, Microsoft, and other sources to host and distribute malware and credential harvesting portals. Proofpoint noted that OneDrive is the most frequently used, followed by Google Drive, Dropbox, Discord, Firebase, and SendGrid. Proofpoint also warned of a surge in "telephone-oriented attack delivery (TOAD)," which the company claimed to see at least 250,000 times daily.

    Infosecurity reports: "Cloud Email Threats Soar 101% in a Year"

  • news

    Visible to the public "Less Than Half of Organizations Have Open Source Security Policy"

    Security researchers at the Linux Foundation have discovered that over two-fifths (41%) of organizations do not have confidence in their open source security, with only 49% claiming to even have a policy. The study was co-sponsored by Snyk, and findings were compiled from interviews with 550 open source stakeholders and by using Snyk's technology, which scanned over 1.3 billion open-source projects. The researchers stated that the use of open source repositories to accelerate time-to-market is widespread in the developer community but can expose organizations to covert risks if these components contain malware or vulnerabilities. The researchers found that the average application development project contains 49 vulnerabilities spanning 80 direct dependencies. The researchers noted that these challenges are often compounded by the presence of indirect dependencies. Some 40% of all vulnerabilities were found in these transitive dependencies. Worryingly, only 18% of respondents said they are confident in the controls they have in place for their transitive dependencies, and just a quarter said they're even concerned about the security impact of their direct dependencies. The researchers also found that open source teams are struggling to meet a growing requirement to find and patch these bugs: the time taken to fix open source vulnerabilities is almost 20% longer than in proprietary projects. It lengthened from 49 days in 2018 to 110 days last year. The researchers stated that this could be because of staff shortages: 30% of organizations without an open source security policy said that no one on their team is currently addressing open source security directly. The researchers stated that the findings clearly show the risk is real, and the industry must work even more closely together in order to move away from poor open source or software supply chain security practices.

    Infosecurity reports: "Less Than Half of Organizations Have Open Source Security Policy"

  • news

    Visible to the public "Researchers Develop New Approach That Protects 90 Percent Of Stack Memory Data"

    An international Penn State-led team has developed a new and more reliable approach to defending vulnerable data on the stack, which is a memory region responsible for storing computer program data for processes. This vulnerable data could include return addresses and other objects that can be exploited by malicious actors through memory errors to gain access to more data. Despite extensive research into defenses to protect stack objects from memory error exploitation, much stack data remains vulnerable, according to project lead Trent Jaeger, professor of computer science and engineering at the Penn State School of Electrical Engineering and Computer Science. Memory errors are classified into three types: spatial, temporal, and type. Spatial errors allow access to memory outside of the object's allotted space. Temporal errors allow access to memory before or after the period during which it was assigned, and type errors enable access by assuming a format other than the actual format of an object. In each case, an access that the programmer wrote to reach specific data in a stack object may let an adversary reach objects other than the intended one. Recent stack defense methods are said to provide an incomplete view of security by failing to account for memory errors comprehensively and limiting the set of objects that can be protected. Therefore, the team has presented the DATAGUARD system, which improves security by performing a more comprehensive and accurate safety analysis that proves a greater number of stack objects are safe from memory errors while ensuring that no unsafe stack objects are mistakenly classified as safe. DATAGUARD uses static analysis and symbolic execution to validate that stack objects are free from spatial, type, and temporal memory errors. Jaeger explains that this process involves analyzing the safety of items that point to the objects and generating safety constraints for the objects' safety parameters before validating an object's safe or unsafe status. During tests, DATAGUARD identified and removed 6.3 percent of objects that the Safe Stack technique misclassified as safe, and proved that 65 percent of objects labeled as unsafe by Safe Stack were actually safe. DATAGUARD demonstrates that a more comprehensive and accurate but conservative analysis increases the scope of data protection to over 90 percent of stack objects on average, while also reducing overhead, that is, the extra run time the system uses to protect safe objects. This article continues to discuss memory errors and the new data security approach developed to protect against such errors with less run-time overhead.

    PSU reports "Researchers Develop New Approach That Protects 90 Percent Of Stack Memory Data"
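    The three memory-error classes listed in the DATAGUARD item, and the use-after-free definition in the Chrome 103 item above, correspond to three checks that safe code must perform before touching an object: a bounds check (spatial), a liveness check (temporal), and a type-tag check (type). The C program below is an added illustration, not code from the Penn State team, from DATAGUARD, or from Chromium; every type and function name in it is invented for the example, and each accessor returns an error code instead of performing the access that would constitute the error.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Spatial: every access is checked against the object's real size. ---- */
typedef struct {
    char data[16];   /* the object's allotted space */
    size_t len;      /* bytes actually in use */
} bounded_buf;

/* Store one byte; returns 0, or -1 if idx lies outside the object. */
int bounded_put(bounded_buf *b, size_t idx, char c) {
    if (idx >= sizeof b->data) return -1;       /* spatial check */
    b->data[idx] = c;
    if (idx + 1 > b->len) b->len = idx + 1;
    return 0;
}

/* Copy a C string in; returns bytes copied, or -1 if src plus its
 * terminator would not fit (the classic stack-buffer-overflow case). */
int bounded_copy(bounded_buf *b, const char *src) {
    size_t n = strlen(src);
    if (n >= sizeof b->data) return -1;         /* spatial check */
    memcpy(b->data, src, n + 1);
    b->len = n;
    return (int)n;
}

/* ---- Temporal: ownership is explicit and the pointer is cleared on release,
 * the step the Chrome item describes use-after-free-prone code as omitting. ---- */
typedef struct {
    int *value;   /* NULL whenever the object does not own live memory */
} owned_int;

int owned_alloc(owned_int *o, int v) {
    o->value = malloc(sizeof *o->value);
    if (o->value == NULL) return -1;
    *o->value = v;
    return 0;
}

void owned_release(owned_int *o) {
    free(o->value);
    o->value = NULL;   /* a later use now fails the check below instead of touching freed memory */
}

/* Read the value; returns 0, or -1 if the object was already released. */
int owned_get(const owned_int *o, int *out) {
    if (o->value == NULL) return -1;            /* temporal check */
    *out = *o->value;
    return 0;
}

/* ---- Type: a tagged union whose accessor refuses to reinterpret an object
 * under a format other than the one it was stored with. ---- */
typedef enum { T_INT, T_STR } obj_tag;
typedef struct {
    obj_tag tag;
    union { int i; const char *s; } u;
} tagged_obj;

tagged_obj make_int(int i) { tagged_obj o; o.tag = T_INT; o.u.i = i; return o; }
tagged_obj make_str(const char *s) { tagged_obj o; o.tag = T_STR; o.u.s = s; return o; }

/* Returns the string payload, or NULL if the object is not a string. */
const char *as_str(const tagged_obj *o) {
    return o->tag == T_STR ? o->u.s : NULL;     /* type check */
}

int main(void) {
    bounded_buf b = {{0}, 0};
    printf("spatial: copy 'hello' -> %d, copy 27 chars -> %d\n",
           bounded_copy(&b, "hello"),
           bounded_copy(&b, "this string is far too long"));

    owned_int o; int v = 0;
    owned_alloc(&o, 42);
    owned_release(&o);
    printf("temporal: read after release -> %d\n", owned_get(&o, &v));

    tagged_obj n = make_int(7);
    printf("type: int read as string -> %s\n", as_str(&n) ? as_str(&n) : "(refused)");
    return 0;
}
```

    The point of the example is the shape of each check rather than the data structures: a static analysis like the one the item describes is essentially proving, for each stack object, that every access to it already satisfies the relevant check, so the object needs no run-time protection.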

  • news

    Visible to the public "DOJ Seizes Proxy Service as US, Partners Hit Russian Hackers"

    In a coordinated effort with foreign partners, the Department of Justice took down a Russian hackers' network and domain. The network was responsible for hacks of millions of computers and devices worldwide. The DOJ disruption is the latest crackdown on alleged cybercriminals. The website was a hub where cybercriminals bought and sold stolen personal and financial data.

    The Hill reports "DOJ Seizes Proxy Service as US, Partners Hit Russian Hackers"

  • news

    Visible to the public "Microsoft: Russian Cyber Spying Targets 42 Ukraine Allies"

    Security researchers at Microsoft recently published a report. The researchers found that, coinciding with unrelenting cyberattacks against Ukraine, state-backed Russian hackers have engaged in "strategic espionage" against governments, think tanks, businesses, and aid groups in 42 countries supporting Kyiv. The researchers stated that since the start of the war, the Russian targeting (of Ukraine's allies) has been successful 29 percent of the time, with data stolen in at least one-quarter of the successful network intrusions. The researchers noted that nearly two-thirds of the cyberespionage targets involved NATO members. The United States was the prime target, and Poland, the main conduit for military assistance flowing to Ukraine, was number 2. In the past two months, Denmark, Norway, Finland, Sweden, and Turkey have seen stepped-up targeting. Surprisingly, the researchers stated that Estonia has detected no Russian cyber intrusions since Russia invaded Ukraine on February 24th. Microsoft noted that this could be because of Estonia's adoption of cloud computing, where it's easier to detect intruders. The researchers stated that half of the 128 organizations targeted are government agencies, and 12% are nongovernmental agencies, typically think tanks or humanitarian groups. Other targets include telecommunications, energy, and defense companies. The researchers also assessed Russian disinformation and propaganda aimed at "undermining Western unity and deflecting criticism of Russian military war crimes" and wooing people in nonaligned countries. Using artificial intelligence tools, the researchers said, they estimated that "Russian cyber influence operations successfully increased the spread of Russian propaganda after the war began by 216 percent in Ukraine and 82 percent in the United States."

    Associated Press reports: "Microsoft: Russian Cyber Spying Targets 42 Ukraine Allies"

  • news

    Visible to the public "Cybersecurity Expert Reveals How $13,000 of Fuel Was Stolen From Virginia Gas Station"

    Virginia Beach Police are investigating the hacking of a CITGO gas station pump that resulted in the theft of more than $13,600 worth of gas. Two people have been charged in connection with the crime. According to officers, the individuals used a remote device to hack the pump and steal over 400 gallons of fuel in a few hours. The device enabled them to avoid registering the sale with the computer. Scott Gibson, a cybersecurity expert and professor at ECPI University, says the hackers most likely used a laptop to gain access to the gas station's internal web system. They were likely able to access the system by finding vulnerabilities in the station's Wi-Fi or through an employee opening a phishing email. The investigation revealed that the hackers were receiving payment through CashApp and powering on the pumps through their device. Gibson points out that this type of hacking is highly sophisticated and suggests a bigger team may be behind the incident as somebody had to have created the malware and understood the software. This article continues to discuss findings regarding the recent gas station pump hacking incident.

    WTVR reports "Cybersecurity Expert Reveals How $13,000 of Fuel Was Stolen From Virginia Gas Station"

  • news

    Visible to the public "SMA Technologies Patches Critical Security Issue in Workload Automation Solution"

    Security researchers at the CERT Coordination Center (CERT/CC) at Carnegie Mellon University have discovered a critical vulnerability in the SMA Technologies OpCon UNIX agent resulting in the same SSH key being deployed with all installations. OpCon is aimed at financial institutions and insurance firms and is a cross-platform process automation and orchestration solution that can be used for the management of workloads across business-critical operations. Tracked as CVE-2022-2154, the issue results in the same SSH key being delivered on every installation and subsequent updates. The researchers stated that the SSH public key is added to the root account's authorized_keys file during the agent's installation, and the entry remains there even after the OpCon software has been removed. The researchers noted that the installation files also include the corresponding, unencrypted private key, named "sma_id_rsa." An attacker with access to the private key included with the OpCon UNIX agent installation files can gain SSH access as root on affected systems. The researchers stated that the bug impacts version 21.2 and earlier of the OpCon UNIX agent. SMA Technologies, which was informed of the security issue in March, told the researchers that it has already updated the version 21.2 package to remove the vulnerability.

    SecurityWeek reports: "SMA Technologies Patches Critical Security Issue in Workload Automation Solution"

  • news

    Visible to the public "Delivery Firm Yodel Scrambling to Restore Operations Following Cyberattack"

    Delivery services provider Yodel says it is working on restoring operations after falling victim to a disruptive cyberattack. Yodel is one of the largest couriers in the United Kingdom and was initially known as the Home Delivery Network, but it rebranded itself after acquiring the B2B and B2C operations of DHL Express UK. On Tuesday, the company started informing customers of a cyberattack that has impacted some of its systems, without providing specific details on the assault. The cyberattack caused service disruption: order tracking was unavailable, and parcels may arrive later than expected. The company has yet to determine whether any customer information might have been impacted in the attack but notes that customer payment information has not been exposed, as Yodel does not process or store such data. Yodel encourages users to be wary of unsolicited and unexpected communications demanding personal information and to avoid clicking on links or opening attachments from suspicious sources. On Wednesday, the company noted that it has restored tracking services and made progress in restoring operations to normal.

    SecurityWeek reports: "Delivery Firm Yodel Scrambling to Restore Operations Following Cyberattack"

  • news

    Visible to the public "DARPA-Funded Study Provides Insights into Blockchain Vulnerabilities"

    Over the last decade, distributed ledger technology, such as blockchains, has become more prevalent in various contexts. The idea is that blockchains operate securely without centralized control and are not susceptible to change. The Defense Advanced Research Projects Agency's (DARPA) mission is to create and prevent technological surprises, so it set out to understand those security assumptions and determine how decentralized blockchains really are. Therefore, the agency commissioned cybersecurity research and consulting firm Trail of Bits to investigate the fundamental properties of blockchains and the cybersecurity risks they pose. The study resulted in a report that provides a holistic analysis, available to anyone considering blockchains for critical matters, to gain further insight into the potential vulnerabilities within these systems. This article continues to discuss the DARPA-funded study aimed at providing a better understanding of blockchain vulnerabilities.

    DARPA reports "DARPA-Funded Study Provides Insights into Blockchain Vulnerabilities"

  • news

    Visible to the public "New DFSCoerce NTLM Relay Attack Enables Hackers to Perform Windows Domain Takeover"

    Security researcher Filip Dragovic published a new DFSCoerce Windows NTLM relay attack that uses MS-DFSNM (Microsoft's Distributed File System Namespace Management protocol) to take over Windows domains. Dragovic posted on a GitHub page detailing his findings. Microsoft Active Directory Certificate Services (ADCS) is a public key infrastructure (PKI) service typically used to authenticate users, services, and devices on a given Windows domain. The flaw discovered by Dragovic makes it possible to deploy NTLM relay attacks to force a domain controller to authenticate against a malicious NTLM relay under an attacker's control. Dragovic noted that the malicious server would subsequently relay the authentication request to a domain's ADCS via HTTP and obtain a Kerberos ticket-granting ticket (TGT), allowing the attacker to impersonate any device on the network. If the cybercriminal assumed the identity of a domain controller, which usually has elevated privileges, they could execute arbitrary commands. The researchers noted that possible mitigation strategies include enabling protections like Extended Protection for Authentication (EPA) and SMB signing, and turning off HTTP on ADCS servers.

    Infosecurity reports: "New DFSCoerce NTLM Relay Attack Enables Hackers to Perform Windows Domain Takeover"

  • news

    Visible to the public "Identity-Related Breaches Hit 84% of US Firms in 2021"

    According to new research conducted by the non-profit Identity Defined Security Alliance (IDSA), the number of security breaches stemming from stolen or compromised identities has reached epidemic proportions. The IDSA polled 500 US identity and security professionals to compile its 2022 Trends in Securing Digital Identities report. The researchers found that 84% of participants had experienced an identity-related breach in the past year, with the vast majority (78%) claiming it had a direct business impact. The researchers stated that part of the problem is the high volumes of identities created daily in the corporate world. Almost all respondents (98%) reported that the number of identities is increasing, primarily driven by cloud adoption, third-party relationships, and machine identities, including bots and IoT devices. The researchers noted that poor security practice is often to blame for incidents. According to the researchers, although half (51%) of respondents said they typically remove access for a former employee within a day, only 26% always do. The researchers stated that employees are often the weakest link in the security chain, even those that should know better. Some 60% of IT/security respondents claimed they engage in risky security behavior. The researchers stated that, fortunately, organizations seem to be getting the message. Nearly all respondents (97%) claimed they're planning to invest in "identity-focused security outcomes," and 94% said identity investments are part of strategic initiatives, including cloud adoption (62%), Zero Trust implementation (51%), and digital transformation initiatives (42%).

    Infosecurity reports: "Identity-Related Breaches Hit 84% of US Firms in 2021"