News Items

  • news

    Follow @SoS_VO_org on Twitter!

    The SoS-VO team is excited to announce that we recently updated the homepage of the website to link to the official Science of Security & Privacy Twitter account, where we will be making daily announcements about noteworthy news items, upcoming opportunities, and impending deadlines in the SoS community.

  • news

    HoTSoS 2021: Works-in-Progress Co-Chairs

    Meet the HoTSoS 2021 Team:
    Works-in-Progress Co-Chairs

    Kurt Kelville (MIT) and Aron Laszka (University of Houston) are our Works-in-Progress Co-Chairs for the 2021 Symposium. We are happy to have these two on the Program Committee team!

    About the Chairs

  • news

    Take my word for it: Privacy and COVID alert apps can coexist

    Since the COVID-19 pandemic began, technologists across the country have rushed to develop digital apps for contact tracing and exposure notifications. New York, New Jersey, Pennsylvania, and Delaware have all recently announced the launch of such apps, and the announcements generated excitement. But the advent of these tools has also raised questions. Chief among them: Do these apps protect privacy?

  • news

    NIST Releases Draft Security Feature Recommendations for IoT Devices

    "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.

    August 01, 2019

  • news

    Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is "How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games" by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and the University of California, Santa Barbara. The paper was originally accepted at the 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage:

  • news

    NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its BAA (really a request for proposals) for its next generation of SoS Lablets. These include lablets on the 5 Hard Problem areas in Science of Security, on the Science of Privacy, and on Cyber-Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can aid in directing:

  • news

    "Artificial Intelligence Could Accelerate Breach Notification Time, Expert Says"

    Dr. Frederic Lemieux, faculty director and professor of the practice for applied intelligence at Georgetown University, has drawn further attention to the use of Artificial Intelligence (AI) in cybersecurity to increase the speed of data breach notifications. Lemieux suggested that increasingly efficient pattern recognition is helping companies detect anomalies in large pools of data. AI is helping to flag possible security issues to human analysts, such as an employee logging on to sensitive networks at odd hours, an email attachment containing malicious data, and other unusual behaviors. Cybersecurity costs are prohibitive, and companies are experiencing situations where the average cost of a data breach is about $8 million in the US. The time to discover a data breach can go up to 28 days, with the average number of days for containment being 80, which increases the appeal of AI solutions. Security professionals are also using AI tools for asset inventories to help highlight areas of a company that are vulnerable to digital threats. This article continues to discuss how AI tools are helping security professionals improve the cybersecurity of their companies.

    CyberScoop reports "Artificial Intelligence Could Accelerate Breach Notification Time, Expert Says"

  • news

    "NIST Previews Post-Quantum Cryptography Challenges"

    The National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE) has released the final version of a white paper titled "Getting Ready for Post-Quantum Cryptography: Exploring Challenges Associated with Adopting and Using Post-Quantum Cryptographic Algorithms." The purpose of the paper is to help organizations prepare for post-quantum cryptography. NIST has been working with researchers to develop cryptographic algorithms that can withstand the privacy and security threats that quantum computers will present. The paper emphasizes that the transition from today's standards to the new post-quantum public-key standards will likely be more challenging than the introduction of new classical cryptographic algorithms. As there is still a lack of implementation planning, it may take decades before the community replaces most of the vulnerable public-key systems in use today. Replacing currently used encryption standards with quantum-resistant ones will not be easy, as some quantum-resistant candidate algorithms involve enormous signature sizes, require excessive processing, or use significantly larger public or private keys. These factors would make it challenging to deploy a solution widely. NIST emphasizes the need for a variety of post-quantum algorithms in order to overcome sensitivity to large signature sizes and other implementation constraints. This article continues to discuss NIST's key points surrounding post-quantum cryptography challenges and how to overcome them.

    GCN reports "NIST Previews Post-Quantum Cryptography Challenges"

  • news

    "Energy Department Leading White House Interagency Response to Pipeline Attack"

    The White House has formed an interagency task force in response to the ransomware attack on Colonial Pipeline Company, which transports 45% of the US East Coast's supply of diesel, gasoline, and jet fuel. According to the FBI, the attack was executed by the cybercriminal ransomware group called DarkSide. The interagency team includes the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Department of Transportation (DOT), the Department of Defense (DOD), and other agencies, with the Department of Energy (DOE) as the lead agency for incident response in this case. The Transportation Security Administration (TSA) has oversight over pipeline cybersecurity. Colonial Pipeline Company has said that its operations team is currently working to develop a restart plan for its pipeline system. This article continues to discuss the interagency response to the pipeline attack, Colonial's response to the attack, and the FBI's advice to companies not to pay ransoms demanded by cybercriminals.

    NextGov reports "Energy Department Leading White House Interagency Response to Pipeline Attack"

  • news

    "Scientists Will Protect the Smart City from Cyber Threats"

    St. Petersburg is participating in the development of a Smart City program that will provide new services to increase citizens' safety. This system depends on digital services: the environment adapts to human needs through the use of Internet of Things (IoT) systems. Therefore, cyberattacks against this infrastructure could pose a significant danger. Specialists at Peter the Great St. Petersburg Polytechnic University (SPbPU) developed a methodology for assessing cyber risks in a Smart City's intelligent systems. They tested the methodology on the "smart crossroads" test bench, which is a component of the smart transport system of a Smart City. The scientists pointed out that cybercriminals' goals are to disrupt large enterprises and urban infrastructure and to seize control of them. Using wireless links, attackers can remotely infiltrate a target subnet or a group of devices, intercept traffic, launch denial-of-service (DoS) attacks, and hijack IoT devices to create botnets. The methodology developed by SPbPU researchers can be used to analyze cybersecurity risks, identify threats, calculate risks, and analyze the resulting risk values. It is based on a quantitative approach and is said to be easily computable. This article continues to discuss the Smart City program, potential cyberattacks against digital infrastructures in a Smart City, and the methodology developed by SPbPU researchers to assess cyber risks in the intelligent systems of a Smart City.

    EurekAlert! reports "Scientists Will Protect the Smart City from Cyber Threats"

  • news

    "Amazon: We Blocked 10 Billion Bad Listings in 2020"

    Amazon claims to have blocked billions of "bad" listings before they went live on its e-commerce platform last year in a bid to prevent rampant counterfeiting on the site. Amazon also thwarted over six million attempts to create new selling accounts during 2020, up from the 2.5 million reported in 2019. The e-commerce giant claimed that fewer than 0.01% of products sold on the platform received a counterfeit-related complaint from a customer, but the problem remains serious. Only 6% of attempted new seller account registrations passed Amazon's verification processes. Last year the company claimed to have seized and destroyed more than two million products sent to its fulfillment centers after detecting at the last minute that the products were counterfeit. Amazon invested over $700 million in 2020 and employed more than 10,000 people to fight fraud and abuse on the platform. Counterfeit items aren't the only challenge facing Amazon: a mass scheme to pay consumers for fake reviews has recently emerged. E-commerce fraud is expected to surge by 18% from 2020 to top $20 billion globally by the end of this year as scammers continue to target shoppers driven online by the pandemic.

    Infosecurity reports: "Amazon: We Blocked 10 Billion Bad Listings in 2020"

  • news

    "200K Veterans' Medical Records Likely Stolen by Ransomware Gang"

    On April 18th, a cybersecurity researcher named Jeremiah Fowler found a database sitting exposed online without even basic password protection. The database was filled with the medical records of nearly 200,000 U.S. military veterans. It was exposed online by a vendor working for United Valor, which is a Veterans Administration contractor. The exposed data included patient names, birth dates, medical information, contact information, doctor information, and appointment times. All of this data could be used in social engineering attacks, Fowler explained. The database also exposed unencrypted passwords and billing details. Fowler stated that the database was set to open and visible in any browser (publicly accessible), and anyone could edit, download, or even delete data without administrative credentials. The researcher also found evidence that ransomware attackers might have exfiltrated the data: the dataset contained a ransomware message titled "read_me" that claimed all of the records had been downloaded and would be leaked unless 0.15 Bitcoin ($8,148) was paid.

    Threatpost reports: "200K Veterans' Medical Records Likely Stolen by Ransomware Gang"

  • news

    "Making Bitcoin More Secure"

    Guan-Hua Tu, an assistant professor in the College of Engineering at Michigan State University (MSU), and his team are developing ways to protect popular Bitcoin applications used for cryptocurrency management. Tu and his team are finding vulnerabilities in these apps that could leave a user's money and personal information at risk of theft by cybercriminals. They are also raising awareness of these vulnerabilities to help users better protect themselves, and developing an app aimed at addressing them. Users are encouraged not to use smartphone wallet apps from untrusted developers and to manage their Bitcoin using a computer instead of a smartphone. The researchers developed the Spartan app, which is designed to run on the same phone as a wallet and monitor for intrusions. The app alerts users when an attack occurs and provides remedies based on the type of attack. For example, the app can add noise to outgoing Bitcoin messages to prevent an attacker from retrieving accurate information. The team is developing the app for Android phones and plans to make it available for download in the Google Play app store. This article continues to discuss the vulnerabilities found in Bitcoin wallet apps, the attacks made possible by these vulnerabilities, the Spartan app designed to protect against those attacks, and how users can protect themselves from the security flaws of a smartphone Bitcoin wallet app.

    MSU Today reports "Making Bitcoin More Secure"

  • news

    "University Cancels Exams After Cyber-Attack"

    Rensselaer Polytechnic Institute (RPI) was forced to shut down most of its computer network after unauthorized access was detected on Friday. Student assessments, research, and other academic activities have been impacted. All final examinations, term papers, and project reports that were due between May 8th and May 10th have been canceled. Rensselaer Polytechnic Institute, which has around 7,900 students, is a private university in Troy, New York. Information Technology and Web Science are among the academic disciplines taught at the institute. RPI did not share any further details of the incident, such as what information may have been accessed, nor has it said when its network will be up and running again. The university is currently modifying its grading policies to accommodate the disruption caused by the cyberattack.

    Infosecurity reports: "University Cancels Exams After Cyber-Attack"

  • news

    "An Ambitious Plan to Tackle Ransomware Faces Long Odds"

    A public-private partnership has been formed to develop a coordinated response to ransomware attacks. A comprehensive framework, supervised by the Institute for Security and Technology's (IST) Ransomware Task Force (RTF), proposes a more aggressive public-private response to ransomware in place of the traditional piecemeal approach. Members of the task force include Amazon Web Services, Cisco, Microsoft, the Federal Bureau of Investigation (FBI), the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and the United Kingdom's National Crime Agency (NCA). The framework includes recommendations from cybersecurity firms, incident responders, nonprofits, government agencies, and academics. It also calls on organizations in the public and private sectors to increase efforts toward improving defenses, developing response plans, regulating cryptocurrencies, and strengthening and expanding international law enforcement collaboration. The report outlines the threat posed by ransomware actors and actions that could minimize it. It delves into how the US could work out diplomatic relationships to involve more countries in ransomware response and engage those that have served as safe havens for ransomware groups. This article continues to discuss the purpose and recommendations of the RTF report, along with questions surrounding the new framework aimed at tackling ransomware in a coordinated manner.

    Wired reports "An Ambitious Plan to Tackle Ransomware Faces Long Odds"

  • news

    "An Uncrackable Combination of Invisible Ink and Artificial Intelligence"

    Although electronic records continue to advance, paper is still a common method of preserving data. Invisible ink can be used to hide classified economic, commercial, or military information, but many popular inks contain toxic compounds or can be revealed by predictable methods such as chemicals, light, or heat. Carbon nanoparticles, which are low in toxicity, can be invisible under ambient lighting but produce vibrant images when exposed to ultraviolet (UV) light. Advances in Artificial Intelligence (AI) models can ensure that messages can only be deciphered on properly trained computers. A team of researchers trained an AI model to identify and decrypt symbols printed in a fluorescent carbon nanoparticle ink that reveal hidden messages when exposed to UV light. They taught the AI model, made up of multiple algorithms, to recognize the symbols illuminated by UV light and decode them using a special code book. They then tested whether the AI model could decode messages printed using a combination of regular red ink and the UV fluorescent ink. The AI model read the regular ink symbols as "STOP" with 100% accuracy. When a UV light illuminated the writing, the invisible ink revealed the intended message "BEGIN." According to the researchers, since these algorithms can notice modifications in symbols, this approach has the potential to encrypt messages securely using hundreds of different unpredictable symbols. This article continues to discuss the approach to improving paper information recording and security protection using invisible ink and AI.

    Science Daily reports "An Uncrackable Combination of Invisible Ink and Artificial Intelligence"

  • news

    "Ransomware Takes Down East Coast Fuel Pipeline"

    After a ransomware attack knocked the country's largest fuel pipeline offline, the US government was forced to issue emergency legislation. The legislation is designed to relax rules restricting the transportation of fuel by road. Colonial Pipeline confirmed over the weekend that it had suffered a severe cyberattack. The attack was launched by the Russian-speaking DarkSide group, which claims to have also stolen 100GB of data in a classic "double extortion" play. Colonial Pipeline stated that it proactively took specific systems offline to quickly contain the threat after learning of the attack. Its mainlines (Lines 1, 2, 3, and 4) remain offline, while some smaller lateral lines between terminals and delivery points are now operational. Researchers suggest that if the outage persists, there are likely to be shortages and price rises across the 12 states the pipeline travels through and beyond. It is estimated that the pipeline carries 2.5 million barrels a day, representing nearly half of the East Coast's supply of diesel, gasoline, and jet fuel.

    Infosecurity reports: "Ransomware Takes Down East Coast Fuel Pipeline"

  • news

    "US Physics Laboratory Exposed Documents, Credentials"

    A group of security researchers found weaknesses at the Fermilab physics laboratory in the US that could lead to the exposure of documents, proprietary applications, project details, and more. Fermilab is a particle accelerator and physics laboratory in Batavia, Illinois, and is part of the US Department of Energy (DOE). The lab has remediated the security issues, which were unintentionally exposing a great deal of information. One database the researchers discovered gave them unauthenticated access to over 5,700 documents and more than 50,000 file entries. They used Amass to enumerate Fermilab's subdomains, and dirsearch and Nmap to discover open ports and enumerate services. These probes revealed multiple entry points. One of the entry points led into the lab's IT ticketing system, which revealed 4,500 trouble tickets. A malicious actor could gather project names, configuration data, and communication information by viewing the ticketing system. The researchers also found that part of a web application exposed names, emails, user IDs, security workgroups, assigned login groups, and documents. It was emphasized that Fermilab's security issues could have made its network and equipment targets for a ransomware attack. This article continues to discuss the discovery of Fermilab's security issues and the lab's quick response to the researchers' findings.

    Data Breach Today reports "US Physics Laboratory Exposed Documents, Credentials"

  • news

    "Closing Network Pathways to Sensitive Data to Help Secure Medical Devices"

    The Cybersecurity and Infrastructure Security Agency (CISA) released ICS Medical Advisory ICSMA-21-084-01, which covers a specific vulnerability discovered in the Philips Gemini PET/CT family of scanners. These scanners store patient data on detachable media without access control. Legacy medical devices like this line of PET/CT scanners heighten the problem of unsecured Protected Health Information (PHI) storage. Due to the irregularity and, in some cases, lack of operating system support, many of the vulnerabilities impacting these devices are difficult or impossible to remediate. However, a mass replacement of older devices would be significantly capital-intensive for organizations. Therefore, a different approach must be taken to address PHI availability and future remediation requirements. Many healthcare networks are flat or segmented only by department, which creates problems when an entire department is hit by a ransomware attack in which malware spreads laterally and infects all devices in a large segment. Edge micro-segmentation is the recommended approach for medical device security: each endpoint in the healthcare network is placed on its own protected segment. This network architecture also applies security controls to traffic as it enters and exits a micro-segment. Adopting this approach would prevent the direct exposure of medical devices within a network and the lateral spread of malware. This article continues to discuss the challenges faced in protecting healthcare networks from security threats, the expansion of the attack surface by flat and minimally segmented networks, and how edge micro-segmentation improves medical device security.

    Homeland Security Today reports "Closing Network Pathways to Sensitive Data to Help Secure Medical Devices"

  • news

    "CaptureRx Data Breach Impacts Healthcare Providers"

    At least three American healthcare providers have suffered a data breach after a cyberattack on an administrative services company in Texas. CaptureRx, which is based in San Antonio, fell victim to a ransomware attack on February 6. On February 19, an investigation into the attack determined that certain files had been accessed without authorization. Cybercriminals exfiltrated files containing the personal health information (PHI) of more than 24,000 individuals during the attack. CaptureRx serves the Mohawk Valley Health System affiliate Faxton St. Luke's Healthcare in New York, Thrifty Drug Stores (Thrifty White), and Gifford Health Care of Randolph, Vermont, among others. A review of the attack, completed on March 19, determined that the breach impacted 17,655 patients of Faxton St. Luke's Healthcare and a further 6,777 patients at Gifford Health Care. The number of Thrifty Drug Stores patients affected by the attack has not yet been determined. CaptureRx is currently unsure how many of its healthcare provider clients have been affected by the attack, nor has the company finished its final tally of how many individuals had their PHI exposed because of the incident. Data exposed and stolen by the ransomware attackers included names, dates of birth, prescription information, and, for a limited number of patients, medical record numbers.

    Infosecurity reports: "CaptureRx Data Breach Impacts Healthcare Providers"

  • news

    "#COVID19 Researchers Lose a Week's Work to Ryuk Ransomware"

    According to security researchers at Sophos, an organization involved in COVID-19 research lost a week's worth of critical data after a Ryuk attack that used a stolen password. The problem was traced back to one of the university students that the European research institute collaborates with as part of its outreach programs. That student obtained what they thought was a 'cracked' version of a data visualization tool they needed, except that it contained information-stealing malware. The malware harvested keystrokes and stole browser cookies, clipboard data, and, it transpired, the student's log-ins for the research institute. Thirteen days later, a remote desktop protocol (RDP) connection was registered on the institute's network using the student's credentials, the researchers stated. Although the unnamed biomolecular specialist had backups, they were not fully up to date, meaning that a week's worth of vital research was lost. The organization also suffered a significant operational cost, as all computer and server files had to be rebuilt from the ground up before data could be restored. The researchers stated that it is unlikely that the operators behind the 'pirated software' malware are the same as those who launched the Ryuk attack.

    Infosecurity reports: "#COVID19 Researchers Lose a Week's Work to Ryuk Ransomware"

  • news

    "Millions of Older Broadband Routers Have These Security Flaws, Warn Researchers"

    A new investigation conducted by the consumer watchdog Which?, in collaboration with security researchers, found that millions of older broadband routers used in the UK are vulnerable to hacking. Which? identified 13 older routers commonly used by consumers in the UK and found that nine of them do not meet modern security standards. The consumer watchdog estimated that up to 7.5 million users in the UK might be impacted. The vulnerable routers give attackers an opportunity to spy on users as they browse the Internet or to redirect them to malicious websites. Some of the router models have not been updated since 2018 or, in some cases, since 2016. Sky's SR101 and SR102, the Virgin Media Super Hub and Super Hub 2, and TalkTalk's HG523a, HG635, and HG533 were highlighted for their lack of updates. EE's Brightbox 2 was found to contain a vulnerability that could allow an attacker to take full control of the device. In addition to a lack of regular updates, many of the older routers were found to ship with weak, easily guessable default passwords. In an effort to improve security in the design of devices, the UK's Department for Digital, Culture, Media, and Sport announced a new law that will prohibit manufacturers from using default passwords. The law will also require manufacturers to tell customers how long their devices will receive security updates and to provide a public point of contact for security vulnerability disclosure. This article continues to discuss flaws found in older routers that are still commonly used by consumers in the UK and efforts to better protect consumers from cyberattacks.

    ZDNet reports "Millions of Older Broadband Routers Have These Security Flaws, Warn Researchers"

  • news

    "Counterfit: Open-Source Tool for Testing the Security of AI Systems"

    Microsoft has decided to open-source a tool it developed to test the security of its own Artificial Intelligence (AI) systems and assess them for vulnerabilities. The tool, named Counterfit, will help organizations verify the robustness, reliability, and trustworthiness of the AI algorithms they use. Counterfit started out as a set of attack scripts written to target individual models; Microsoft then transformed it into an automation tool that can attack multiple AI systems at scale. Counterfit is a command-line tool that organizations can install and use locally or in the cloud. Security professionals can use it to perform penetration tests and red teaming operations on AI systems. They can also use it to scan systems for vulnerabilities and log attacks against a target model. The tool also works on AI models using different types of data, including text, images, and generic input. This article continues to discuss the purpose, capabilities, and applications of the Counterfit tool.

    Help Net Security reports "Counterfit: Open-Source Tool for Testing the Security of AI Systems"

  • news

    "US Organizations Targeted by New Cybercrime Group With Sophisticated Malware"

    A new financially motivated threat actor has targeted a number of organizations in the US and other countries using sophisticated malware. FireEye tracks the threat actor as UNC2529, which has used a sizable command-and-control (C&C) infrastructure, custom lures, and three sophisticated malware families. FireEye says the group is experienced and well resourced. The cybersecurity firm's incident response unit, Mandiant, observed two attack waves in December 2020, with the first wave having targeted 28 organizations. The second wave is suspected of having targeted at least 22 organizations. Approximately 70 percent of the group's victims were in the US. Organizations that UNC2529 has targeted include those in the health, education, retail, military and aerospace, engineering and manufacturing, government, transportation, utilities, and financial sectors. The group also targeted organizations in the EMEA region, Asia, and Australia. The attacks involved three new pieces of malware tracked by FireEye as DOUBLEDRAG, DOUBLEDROP, and DOUBLEBACK. They start with a phishing email containing a link to a malicious or compromised website that delivers a piece of malware. FireEye also revealed that the threat actor relied heavily on obfuscation and fileless malware in order to avoid detection and deliver a well-coded, extensible backdoor. This article continues to discuss the targets, tools, and techniques of the new cybercrime gang UNC2529.

    Security Week reports "US Organizations Targeted by New Cybercrime Group With Sophisticated Malware"

  • news

    "DDoS Attack Knocks Belgian Government Websites Offline"

    Many government websites and services in Belgium were knocked offline on Tuesday after Belnet, the internet service provider (ISP) for the country's public sector, was hit by a massive distributed denial-of-service (DDoS) attack. Belnet stated that the attack started on Tuesday morning and affected all of the approximately 200 institutions and organizations that use the company's services. Public offices, universities, and research institutes were all left partially or entirely without internet access, and their websites were all but inaccessible. Belnet also stated that there is no indication that cybercriminals infiltrated any network; everything indicates that the attack was aimed solely at saturating the Belnet network. Researchers noted that DDoS onslaughts, which overwhelm a target with traffic from many devices corralled into a botnet, are often unleashed to extort money from the targets or as a cover for other attacks. DDoS attacks cost organizations millions in lost revenue, not to mention reputational damage. The attacks in Belgium may, in a way, be seen as a worrying testimony to the scale of the cyberthreat faced by governments worldwide. The effects of the attack were also felt by online reservation systems for COVID-19 vaccinations.

    WeLiveSecurity reports: "DDoS Attack Knocks Belgian Government Websites Offline"

  • news

    "Researcher Claims Peloton APIs Exposed All Users Data"

    Security researchers from Pen Test Partners have discovered several issues with the software used by exercise equipment maker Peloton, which may have leaked sensitive customer information to unauthenticated users. The researchers stated that the mobile application, web application, and back-end APIs had several endpoints that revealed users' information to both authenticated and unauthenticated users. Among the potentially exposed data were user and instructor IDs, group membership, location, workout stats, gender, age, and whether users are in the studio or not. The researchers believe that Peloton should conduct a full investigation to improve its security, especially now that famous individuals are openly using the service. The security researchers also found that the flaws were so severe that they leaked information even for users in privacy mode.

    Infosecurity reports: "Researcher Claims Peloton APIs Exposed All Users Data"

  • news

    "Rust-Based Buer Malware Variant Emerges"

    The cybercriminals behind the Buer malware loader are using a new variant called RustyBuer. According to researchers with Proofpoint, the variant is rewritten in the Rust programming language to evade detection and increase the effectiveness of the threat actors' attack chain. RustyBuer is considered unusual, as it is not common to see malware completely rewritten in a different language. Rust is growing in popularity due to its increased efficiency, ease of use, and broad range of features. Buer is a downloader used as a foothold in compromised networks to distribute additional malicious payloads. The loader is available for purchase on underground marketplaces through a malware-as-a-service (MaaS) payment model. The new variant presents challenges for signature-based detections, because those signatures are based on the malware's behavior when it is executed in a sandbox environment. The researchers have emphasized that malware written in C and malware written in Rust will behave differently in a sandbox environment, forcing researchers to make adjustments in order to see all C2 communications. Researchers found RustyBuer and the previous variant of Buer, written in C, being distributed in early April. They were observed being delivered in a series of spear-phishing emails and have targeted more than 200 organizations across over 50 verticals so far. These emails appear to be shipping notices from DHL Support, an international courier and package delivery company. They claim to contain international information about a shipping order and ask victims to download a file. The attached malicious Microsoft Word or Excel documents drop the malware variant via macros once opened. The macros leverage an Application Bypass to dodge detection by endpoint security mechanisms. This article continues to discuss the emergence of a new Rust-based Buer malware variant and the history of the Buer malware downloader.

    Decipher reports "Rust-Based Buer Malware Variant Emerges"

  • news

    "UNICC and Group-IB Take Down 134 Fake Websites Impersonating WHO"

    Group-IB and the United Nations International Computing Centre (UNICC) took down a massive spam campaign involving 134 fraudulent websites. The fake websites were discovered impersonating the World Health Organization (WHO) on World Health Day, encouraging users to take a fake survey with the promise of a cash prize. Once a user answered the questions, they were prompted to share the link to the survey with their WhatsApp contacts. The scammers added fake Facebook comments about receiving the gift prize to make it look more authentic. They also customized content based on the victim's geolocation, user agent, and language settings. Upon further investigation, the researchers found that the scammer collective called DarkPath Scammers is likely behind the campaign. This group is known to have at least 500 other scam and phishing resources impersonating over 50 well-known international brands. The scammers stopped using the WHO branding across their entire network after the takedown by UNICC and Group-IB. This article continues to discuss the takedown of the scam campaign in which 134 fraudulent websites were found impersonating WHO.

    CISO MAG reports "UNICC and Group-IB Take Down 134 Fake Websites Impersonating WHO"

  • news

    "Misconfigs and Unpatched Bugs Top Cloud Native Security Incidents"

    Researchers from Snyk conducted a new survey and discovered that over half of organizations had suffered a security incident due to a misconfiguration or a known vulnerability in their cloud native applications. The adoption of cloud native techniques is soaring, with over 78% of production workloads now deployed as containers or serverless applications. However, this comes with its own risks. Many developers (60%) have had increased security concerns since going cloud native, the researchers found. Misconfiguration (45%) and known unpatched bugs (38%) were the most commonly experienced security incidents among the participants surveyed. Misconfiguration (58%) and insecure APIs (52%) topped the list of respondents' concerns. The researchers also found that developers are becoming increasingly invested in matters of cybersecurity. Less than 10% of respondents in security roles thought developers were responsible for the security of their cloud native environment and applications; however, 36% of developers claimed that they were.

    Infosecurity reports: "Misconfigs and Unpatched Bugs Top Cloud Native Security Incidents"

  • news

    "Panda Stealer Targets Crypto Wallets"

    A new information stealer called Panda Stealer is going after cryptocurrency wallets and credentials for applications including NordVPN, Telegram, Discord, and Steam. Panda Stealer uses spam emails and the same hard-to-detect fileless distribution method deployed by a recent Phobos ransomware campaign discovered by researchers at Morphisec. The attack campaign primarily targets users in Australia, Germany, Japan, and the United States. Trend Micro discovered Panda Stealer at the start of April. Threat researchers have identified two infection chains being used by the campaign. In one, an .XLSM attachment contains macros that download a loader, and the loader then downloads and executes the main stealer. The other infection chain involves an attached .XLS file containing an Excel formula that uses a PowerShell command to reach a Pastebin alternative, which in turn serves a second, encrypted PowerShell command. Once installed, Panda Stealer can collect details such as private keys and records of past transactions from the victim's various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum. Other cards up Panda's sleeve are the ability to take screenshots of the infected computer and the power to exfiltrate data from browsers, such as cookies, passwords, and card details.

    Infosecurity reports: "Panda Stealer Targets Crypto Wallets"

  • news

    "PHP Composer Flaw That Could Affect Millions of Sites Patched"

    A patch has been released for a critical vulnerability in PHP Composer, a tool used for the management and installation of software dependencies in the PHP ecosystem. According to the security researchers at SonarSource, who discovered the flaw, it could leave millions of websites at risk of abuse. Composer is used to make the update process easier and to ensure that applications work across different environments and versions. The vulnerability was found in Packagist, which Composer uses to manage PHP package requests. Attackers could cause Composer to download the wrong source code through the exploitation of this vulnerability, potentially leading to the planting of a backdoor on the server running Composer. The vulnerability stems from how Packagist downloads source code from different open-source software libraries for Composer, which allowed the researchers to execute arbitrary system commands on the server. This article continues to discuss the potential exploitation and impact of the PHP package manager flaw, as well as the importance of securing the Software Development Life Cycle (SDLC).

    BankInfoSecurity reports "PHP Composer Flaw That Could Affect Millions of Sites Patched"

  • news

    HotSoS 2021 Summary Report

    Hot Topics in the Science of Security (HotSoS) 2021

  • news

    "Zero-Knowledge Proofs in Vulnerability Disclosure"

    Cybersecurity researchers and software security analysts face several challenges in the disclosure process for software vulnerabilities. They are faced with an ethics versus efficacy dilemma in the realm of security bug reporting and sharing. Publicly revealing a vulnerability may get attention from the program's developers, thus resulting in a faster response. However, the public disclosure of a vulnerability could lead to legal repercussions for the security researcher. Public disclosure could also allow malicious actors to exploit the vulnerability before it is patched or fixed. On the other hand, sharing a vulnerability directly with the software maker is ethically sound but may not incite action, as software makers are often hesitant or unwilling to engage with external security researchers. In addition, vulnerabilities directly disclosed to software makers often go overlooked. The Defense Advanced Research Projects Agency's (DARPA) Securing Information for Encrypted Verification and Evaluation (SIEVE) program aims to develop solutions to this problem using Zero-Knowledge Proofs (ZKPs), which are mathematically verifiable problem statements that can be applied to reason about software or systems. These proofs can be used publicly without revealing sensitive information. SIEVE focuses on the development of computer science theory and software that can enhance the expressivity of problem statements for which ZKPs are constructed while also making the cryptographic method easier to use. In regard to vulnerability disclosure, ZKPs could allow a vulnerability researcher (the prover) to convince a software maker (the verifier) that they have information such as a bug or an exploit without having to disclose how they uncovered the information or revealing so much information that they ruin their chances of being rewarded. This article continues to discuss the challenges faced in vulnerability disclosure and the SIEVE program's exploration of using ZKPs in the vulnerability disclosure process.

    Homeland Security News Wire reports "Zero-Knowledge Proofs in Vulnerability Disclosure"

  • news

    "New Protocol Makes Bitcoin Transactions More Secure and Faster Than Lightning"

    In collaboration with researchers at the IMDEA Software Institute and Purdue University, the security and privacy research unit at TU Wien analyzed problems associated with Bitcoin transactions, such as possible fraud, users' discovery of each other's confidential information, and the occurrence of delays. They then developed a protocol that improves the speed and security of cryptocurrencies like Bitcoin. This article continues to discuss the current problems with Bitcoin transactions and how the new protocol developed at TU Wien addresses these issues.

    TU Wien reports "New Protocol Makes Bitcoin Transactions More Secure and Faster Than Lightning"

  • news

    "Algorithms Improve How We Protect Our Data"

    Scientists at the Daegu Gyeongbuk Institute of Science and Technology (DGIST) in Korea have developed algorithms to more efficiently measure how difficult it would be for an attacker to guess a cryptographic system's secret keys. Their approach could make it less computationally complex to validate encryption security. Random numbers are imperative for generating cryptographic information, and randomness is vital for securing cryptographic systems. Scientists often use min-entropy, a metric that helps estimate and validate how well a source generates the random numbers used to encrypt data. Data with low entropy is easier to decipher, while data with high entropy is significantly harder to decode. However, the min-entropy of some types of sources is difficult to estimate accurately, resulting in underestimations. The DGIST scientists developed an offline algorithm that estimates min-entropy based on a whole data set. They also developed an online estimator that only requires limited data samples. Evaluations have shown that their algorithms can estimate min-entropy 500 times faster than the current standard algorithm while also preserving the accuracy of the estimates. This article continues to discuss the importance of randomness for the security of cryptographic systems, the concept of min-entropy, and the algorithms developed by DGIST scientists to better estimate the security level of encrypted data.

    DGIST reports "Algorithms Improve How We Protect Our Data"

  • news

    "Pulse Secure Patches Critical Zero-Day Flaw"

    Pulse Secure has patched a critical zero-day vulnerability that multiple APT groups were exploiting to target US defense companies, among other entities. The new security update fixes CVE-2021-22893, a critical authentication bypass vulnerability in the Pulse Connect Secure VPN product, which has a CVSS score of 10.0. The vulnerability was being exploited in combination with bugs from 2019 and 2020, patched by the vendor but not applied by some organizations, to bypass multi-factor authentication on the product. This allowed attackers to deploy webshells for persistence and perform surveillance activities. Researchers had tracked 12 malware families, and at least one state-sponsored attack group, APT5, to exploitation of the vulnerability. Reports of these attacks first started to appear around two weeks ago, with both the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) issuing warnings to organizations.

    Infosecurity reports: "Pulse Secure Patches Critical Zero-Day Flaw"

  • news

    "Third Parties Caused Data Breaches at 51% of Organizations"

    Researchers from Ponemon Institute and third-party remote access provider SecureLink conducted a new study and published their findings in a report titled "A Crisis in Third-party Remote Access Security." The researchers stated that organizations expose their networks to non-compliance and security risks by not taking action to reduce third-party access risk. The researchers found that almost half (44%) of organizations have experienced a security breach within the last 12 months. Of those organizations, three-quarters (74%) said that the breach had occurred because too much privileged access had been given to third parties. The researchers also found that organizations are not doing the necessary security checks before sharing data access with third parties. Just over half (51%) of organizations said they had not been assessing all third parties' security and privacy practices before granting them access to sensitive and confidential information. Other key findings were that 54% of organizations do not have a comprehensive inventory of all third parties with access to their network, and 65% of organizations have not identified the third parties with access to their organization's most sensitive data.

    Infosecurity reports: "Third Parties Caused Data Breaches at 51% of Organizations"

  • news

    "Computer Scientists Discover New Vulnerability Affecting Computers Globally"

    Since the discovery of the original Spectre vulnerability, computer scientists from industry and academia have developed software patches and hardware defenses to protect the most vulnerable points in the speculative execution process without sacrificing too much computing performance. However, a team of computer science researchers at the University of Virginia School of Engineering and Applied Science (SEAS) discovered a method that breaks all defenses developed against the exploitation of the Spectre vulnerability. The new vulnerability impacts billions of computers and other devices globally. The researchers found a new way for hackers to exploit the micro-op cache, which increases computing speed by storing simple commands and enabling the processor to quickly fetch them early in the speculative execution process. Micro-op caches have been present in Intel computers manufactured since 2011. According to the researchers, hackers can steal data when a processor fetches commands from the micro-op cache. All current Spectre defenses are made ineffective by the team's new attacks because those defenses protect the processor in the later stages of speculative execution. Two variants of the researchers' attacks can steal speculatively accessed information from Intel and AMD processors. The team has shown how a malicious actor can smuggle sensitive information via the micro-op cache by using it as a covert channel. They say this new vulnerability will be significantly more difficult to fix, as fixing it will incur a much greater performance penalty than the previous Spectre attacks. Patches that disable the micro-op cache or stop speculative execution on legacy hardware would reduce the effectiveness of critical performance innovations in the majority of modern Intel and AMD processors. This article continues to discuss the Spectre vulnerability and the newly discovered Spectre variants.

    Science Daily reports "Computer Scientists Discover New Vulnerability Affecting Computers Globally"

  • news

    "Researchers Find Bugs Using Single-Codebase Inconsistencies"

    A research team at Northeastern University finds code defects and some vulnerabilities by detecting inconsistent programming, in which programmers use different code snippets to implement the same functions. The researchers used Machine Learning (ML) to find bugs by identifying code snippets that implement the same functionality and then comparing the code to find inconsistencies. The project, titled "Functionally-similar yet Inconsistent Code Snippets" (FICS), discovered 22 new and unique bugs by analyzing QEMU, OpenSSL, and three other open-source projects. This research aims not to replace other forms of static analysis but to provide another way for developers to analyze their code and find potential bugs. Other static analysis approaches must have already encountered an issue or be given a rule in order to recognize a pattern. The ML techniques used in this research find functionally similar code that is implemented differently or inconsistently, rather than matches to known vulnerability patterns. The team used two types of unsupervised clustering, which refers to the ML system organizing data with similar features into groupings. They transformed code into functional constructs to cluster parts of a program's code based on their functionality. They then compared code in the same clusters and applied ML to group it based on implementation. If a code snippet makes up most implementations in a particular functional cluster, it is considered the correct coding method. This article continues to discuss the aim, techniques, and capabilities of the FICS system, as well as the problem of false positives faced by this system.

    Dark Reading reports "Researchers Find Bugs Using Single-Codebase Inconsistencies"

  • news

    "What Can Hackers Do with Your Mobile Number?"

    Hackers and cybercriminals can do a lot of damage with a mobile phone number. With it, malicious actors could execute SIM swapping attacks, conduct surveillance, and gain access to an individual's online profiles such as Facebook, Twitter, WhatsApp, and Gmail. In a SIM swapping attack, a hacker uses an individual's exposed phone number to call the victim's mobile phone provider. The hacker impersonates the victim and requests to port out the phone number to a different carrier or a new SIM card. Once the port-out is complete, the phone number activates on the attacker's SIM card, allowing them to send and receive messages, as well as make calls, as the victim. Phone companies' solution to this issue is to offer PIN codes that a phone owner must provide before they can switch devices. However, this solution has proven ineffective, as hackers can bribe phone company employees to get the codes. This article continues to discuss some malicious activities that hackers can perform through the use of mobile phone numbers.

    The Conversation reports "What Can Hackers Do with Your Mobile Number?"

  • news

    "Deepfake Attacks Are About to Surge, Experts Warn"

    Security researchers from Recorded Future have found that new deepfake products and services are cropping up across the Dark Web. Cybercriminals are increasingly sharing, developing, and deploying deepfake technologies to bypass biometric security protections and in crimes including blackmail, identity theft, social engineering-based attacks, and more, experts warn. The researchers stated that the drastic uptick in deepfake technology and service offerings across the Dark Web is the first sign a new wave of fraud is just about to crash in. Within the next few years, the researchers believe that both criminal and nation-state threat actors involved in disinformation and influence operations will likely gravitate towards deepfakes, as online media consumption shifts more into "seeing is believing."

    Threatpost reports: "Deepfake Attacks Are About to Surge, Experts Warn"

  • news

    "Paleo Lifestyle Site Found Leaking PII on 70,000 Users"

    Security researchers at vpnMentor have discovered a misconfigured AWS S3 bucket leaking personal information on 70,000 customers of a popular paleolithic lifestyle site. The researchers found the 290MB trove on February 4 and traced it back to Paleohacks, a US health and lifestyle brand that offers content and resources about the paleo diet. The company has been notified but has ignored every attempt the researchers made to help it close the vulnerability. The AWS S3 bucket is still not fixed and is still leaking information. The exposed PII includes full names, usernames, dates of birth, email and IP addresses, hashed passwords, employer details, location, and more. Also exposed are password reset tokens for some subscription account holders. The passwords were protected by the bcrypt hashing algorithm (a strong form of password hashing). Still, a hacker could easily use the tokens to reset a person's password, gain access, and lock the original user out of their account, the researchers stated.

    Infosecurity reports: "Paleo Lifestyle Site Found Leaking PII on 70,000 Users"

  • news

    "Programs within Military Intel Agencies in the US and UK Show Growing Commitment to Neurodiversity"

    Embracing neurodiversity could serve as an advantage to the cybersecurity field and help fill the cybersecurity workforce gap. The term "neurodiversity" covers conditions including autistic spectrum disorders, ADHD, dyslexia, OCD, and other conditions within the neuro-diverse spectra. The National Institute of Standards and Technology's (NIST) 2021 Federal Workforce Summit highlighted the progress of a new Neurodiverse Federal Workforce pilot program at the National Geospatial-Intelligence Agency (NGA). The non-profit organization "Made by Dyslexia" also highlighted how the UK's signals intelligence and information assurance agency actively recruits neurodiverse individuals. The Neurodiverse Federal Workforce pilot program is a collaborative project between the NGA, the R&D non-profit Mitre, and Melwood, a non-profit that helps people with disabilities find employment. Made by Dyslexia strives to develop research, training, and awareness programs to increase understanding of dyslexia, and to create free resources for teachers to level the playing field. Both the Federal Workforce Summit and Made by Dyslexia showed how neurodiverse people interested in cybersecurity are finding new opportunities to use their unique skills and ways of thinking in the government workforce. They also emphasized the importance of security and cyber teams taking the lead on neurodiversity rather than relying on the HR department to provide instruction. Organizations are encouraged to actively recruit neurodiverse individuals and embrace their unique strengths, as well as to provide training to managers on how to create environments in which neurodiverse people can thrive. Organizations looking to hire more cybersecurity professionals should not overlook the unique talents of those with neurodiverse conditions but instead improve efforts to utilize these talents, alter workplace cultures, and change recruitment processes for such individuals. This article continues to discuss the Neurodiverse Federal Workforce pilot program, the GCHQ's recruitment of dyslexic individuals as spies, and what neurodiverse individuals can offer cybersecurity and intelligence organizations.

    SC Media reports "Programs within Military Intel Agencies in the US and UK Show Growing Commitment to Neurodiversity"

  • news

    "Experian API Leaks Most Americans' Credit Scores"

    A security researcher claims that the credit scores of almost every American were exposed through an API tool used by the Experian credit bureau, which he said was left open on a lender site without even basic security protections. Experian, for its part, refuted concerns from the security community that the issue could be systemic. The tool, called the Experian Connect API, allows lenders to automate FICO-score queries. Bill Demirkapi, a sophomore at Rochester Institute of Technology, was shopping for student loans when he found a lender that would check his eligibility with just a name, address, and date of birth. Demirkapi was surprised and decided to take a peek at the code, which showed that a connection to an Experian API was behind the tool. Demirkapi stated that no one should be able to perform an Experian credit check with only publicly available information. Demirkapi also said that Experian should mandate non-public information for promotional inquiries; otherwise, an attacker who found a single vulnerability in a vendor could easily abuse Experian's system. Demirkapi was even able to build a command-line tool, which he named "Bill's Cool Credit Score Lookup Utility," that let him automate lookups and that still worked after he entered all zeros in the fields for date of birth. In addition to raw credit scores, he was able to use the API connection to get "risk factors" from Experian that explained potential flaws in a person's credit history. He ran a credit check for his friend "Bill," which returned the explanation for his mid-700s credit score: he had too many consumer-finance company accounts. Experian said it fixed the unprotected endpoint instance. However, some researchers are concerned that other exposed Experian APIs might be out there, sitting unprotected, just waiting to be exploited by cybercriminals.

    Threatpost reports: "Experian API Leaks Most Americans' Credit Scores"

  • news

    "Data Breach Impacts 1 in 4 Wyomingites"

    Wyoming's Department of Health (WDH) has recently announced the accidental exposure of personal health information belonging to more than a quarter of the people living in Wyoming. The data breach occurred when fifty-three files containing laboratory test results were "inappropriately handled" by an employee. WDH detected the breach on March 10. An investigation into the incident revealed that the health information of approximately 164,021 Wyoming residents and others could have been exposed as early as November 5, 2020. Data in the leaked files included the results of tests for influenza and COVID-19 performed across the United States between January 2020 and March 2021. One file containing breath alcohol test results was also exposed. Along with the test results were patients' names, ID numbers, addresses, dates of birth, and the dates on which tests had been carried out.

    Infosecurity reports: "Data Breach Impacts 1 in 4 Wyomingites"

  • news

    "Watch A Tesla Have Its Doors Hacked Open By A Drone"

    Ralf-Philipp Weinmann, CEO of Kunnamon, and Benedikt Schmotzle of Comsecuris demonstrated the use of a drone carrying a Wi-Fi dongle to hack and open a Tesla's doors remotely. The remote hack requires no interaction from anyone inside the car. According to the researchers, their hack could lead to the compromise of parked cars and the hijacking of their infotainment systems over Wi-Fi. Using the TBONE hack, an attacker could unlock the doors and trunk, change steering and acceleration modes, and more. The researchers' attacks targeted a component called ConnMan, which can be accessed over Wi-Fi and used to manage network connections. ConnMan contains two flaws that allowed them to run commands on the Tesla's infotainment system. The vulnerable ConnMan component is also used in other cars. This article continues to discuss the demonstrated drone hack of a Tesla and other studies in which Tesla has been the target of cybersecurity researchers' hacks.

    Forbes reports "Watch A Tesla Have Its Doors Hacked Open By A Drone"

  • news

    "BIND Vulnerabilities Expose DNS Servers to Remote Attacks"

    The Internet Systems Consortium (ISC) released updates for the BIND DNS software, patching vulnerabilities that could allow threat actors to perform denial-of-service (DoS) attacks and remote code execution. One of the flaws earned a CVSS score of 8.1. It is a buffer overflow that can lead to a server crash and remote code execution. According to ISC, only servers using a specific feature with non-default configurations are vulnerable to attacks. However, ISC suggested that these types of servers may be common. The US Cybersecurity and Infrastructure Security Agency (CISA) warned organizations about this vulnerability and urged them to apply the necessary updates or workarounds. Another recently disclosed high-severity vulnerability can be exploited remotely to cause the BIND name server (named) process to terminate because of a failed assertion check. The exploitation of this vulnerability could result in a DoS condition. This article continues to discuss the BIND flaws that leave DNS servers vulnerable to remote attacks.

    Security Week reports "BIND Vulnerabilities Expose DNS Servers to Remote Attacks"

  • news

    "Emotet Group Harvested Over 4.3 Million Victim Emails"

    Researchers have discovered that the threat actors behind the notorious Emotet botnet managed to collect over four million victim email addresses over the past few years. In all, 4,324,770 email addresses from a wide range of countries and domains were found. The email addresses came from two separate databases that belonged to Emotet. One of the databases contained email credentials stored by Emotet for sending spam via victims' mail providers. The other database held web credentials harvested from browsers that had stored them to expedite subsequent logins.

    Infosecurity reports: "Emotet Group Harvested Over 4.3 Million Victim Emails"

  • news

    Pub Crawl #49

    Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.