News Items

  • news

    Visible to the public We're Surrounded by Billions of Internet-connected Devices. Can We Trust Them?

    BY ADAM PIORE ON 10/24/19 AT 12:24 PM EDT - NEWSWEEK MAGAZINE

    In 2009, just as consumers had begun to buy wifi-enabled thermostats and front-door cams and other early devices that now make up the "Internet of Things," computer scientist Ang Cui had gotten the idea to scan the Web for "trivially vulnerable" embedded devices.

  • news

    Visible to the public "How Voice Assistants Follow Inaudible Commands"

    As the popularity of voice assistants continues to rise, concerns surrounding the security of speech recognition systems grow. Security researchers have discovered that it is possible for attackers to send malicious inaudible voice commands to speech recognition systems over the air. Thorsten Eisenhofer, an IT security researcher at Ruhr University of Bochum, supports the use of the MP3 principle as a countermeasure against such attacks. According to Eisenhofer, speech recognition systems should be combined with an MP3 encoder to delete any ranges that are inaudible to the human ear before they reach the systems. This method would not stop attackers from manipulating audio files, but it would prevent their attacks from being hidden. This article continues to discuss the attacks that have been demonstrated on speech recognition systems and how the security of these systems can be strengthened by using the MP3 principle.

    RUB reports "How Voice Assistants Follow Inaudible Commands"

  • news

    Visible to the public "New Tool Determines Threats to Networked 3D Printers"

    The rise in the use of industrial Internet of Things (IoT) devices has changed the way factories operate in that devices such as networked 3D printers now connect with other machines. In addition, operators can control them remotely, which increases efficiency. However, the increased connectivity of these devices has made them more vulnerable to being hacked. Hackers could execute cyberattacks against networked 3D printers to disrupt their operation or steal designs. Therefore, security researchers at Carnegie Mellon University developed a tool, named Connected 3D Printer Observer (C3PO), to identify vulnerabilities in networked 3D printers as well as the potential paths for attacks on these printers. This article continues to discuss the components of C3PO and how this new tool functions.

    CMU reports "New Tool Determines Threats to Networked 3D Printers"

  • news

    Visible to the public "Blacklisted Apps Increase 20%, Attackers Focus on Tax-Branded Key Terms"

    In a new study it has been found that in Q2 2019 there has been an increase of 20% in blacklisted apps, however the number of blacklisted apps in the Google Play Store decreased by a dramatic 59%. The percentage of blacklisted apps relative to the total number of apps known also increased jumping from 1.95% to 2.1%. 2,554,616 apps that were blacklisted were downloaded a nearly 11% increase in app downloads from Q1. Feral apps proved to be exceptionally dangerous, with a 51% blacklist rate. The research found 4,162,450 total apps matching tax-branded key terms in app stores around the world, with 30% of them, 1,221,070, blacklisted.

    Help Net Security reports: "Blacklisted Apps Increase 20%, Attackers Focus on Tax-Branded Key Terms"

  • news

    Visible to the public Pub Crawl #31

  • news

    Visible to the public SoS Musings #30 - Improving Cybersecurity for Aviation

    SoS Musings #30
    Improving Cybersecurity for Aviation

  • news

    Visible to the public  "Mobile Users Targeted With Malware, Tracked by Advertisers"

    Mobile devices continue to be attractive targets for hackers as they are used everywhere. According to recent reports released by RiskIQ, Blackberry Cylance, and the Media Trust, there has been a significant rise in malicious apps being distributed via third-party app stores and in the tracking of users by advertisers. In addition, nation-state actors have enhanced their attacks on mobile devices. According to RiskIQ, the number of malicious apps that have been blacklisted by the cybersecurity company increased by 20%. Blackberry Cylance reported an advancement in the launch of Android and iOS malware by nation-state actors, including China, Iran, and North Korea. However, app stores have improved their efforts to detect malicious apps. This article continues to discuss key findings of recent reports in regard to the increase in malicious apps, nation-state attacks targeting mobile applications, tracking conducted by advertisers, and what improvements have been made in mobile security.

    Dark Reading reports "Mobile Users Targeted With Malware, Tracked by Advertisers"

  • news

    Visible to the public "Alexa and Google Home Phishing Apps Demonstrated by Researchers"

    SRL researchers built eight so-called "Smart Spies" and put them into app stores. SRL researchers were able to sneak in spyware into the applications, because third-party developers can extend the capabilities of Amazon Alexa - the voice assistant running in its Echo smart speakers - and Google Home through small voice apps, called Skills on Alexa and Actions on Google Home. Those apps they created currently create privacy issues, in that they can be abused to eavesdrop on users or to ask for their passwords. Some of the apps created kept the smart speaker listening after one thought it had gone deaf, and another app they created lied to users about there being an update they needed to install. The application would then vish (voice-phish) away the password the user supposedly needed to speak, so they can get that bogus install. Amazon and Google have been informed of the exploits and have since blocked the spying, phishing apps, and have fixed the exploits.

    Naked Security reports: "Alexa and Google Home Phishing Apps Demonstrated by Researchers"

  • news

    Visible to the public IPv6 Comes of Age Despite Growing Pains

    IPv6 Comes of Age Despite Growing Pains

    Internet Protocol Version 6 is slowly being adopted as the replacement for version 4. Touted as a more secure protocol with increased address space, portability, and greater privacy, research into this and other related protocols has increased, particularly in the context of smart grid, mobile communications, and cloud computing. For the Science of Security community, it is relevant to resiliency, composability, and policy-based governance. But despite improved features, adoption of IPv6 is proceeding at a snail's pace with the possibility it will not be universally deployed for several more decades. One must ask why the reluctance and delay?

  • news

    Visible to the public "New Alliance Aims to Scupper Cyber-attacks on Operational Technology"

    The Operational Technology Cyber Security Alliance (OTCSA) is a new global alliance aimed at improving the security of OT used in critical and industrial infrastructure. OT refers to the hardware and software used to detect or make changes by monitoring and controlling industrial devices. Cyberattacks on this technology could damage productivity, cause ecological disasters, and endanger public safety. The OTCSA will take on a multi-pronged approach to reducing the risk of cyberattacks, which includes bolstering the cyber-physical risk posture of OT environments, providing guidance to OT operators on how to maintain the security of their OT infrastructure, and supporting the implementation of critical infrastructure with a higher level of security. This article continues to discuss the OTCSA's mission, approach, and members.

    Infosecurity Magazine reports "New Alliance Aims to Scupper Cyber-attacks on Operational Technology"

  • news

    Visible to the public Cyber Scene #37 - Letting Justice Prevail Another 230 Years

    Cyber Scene #37 -
    Letting Justice Prevail Another 230 Years

  • news

    Visible to the public "UTSA Study Warns of Security Gaps in Smart Light Bulbs"

    Smart bulbs are expected to be among the most popular gifts this holiday season. However, smart bulbs could have security vulnerabilities that could be exploited by hackers to steal users' personal information. Therefore, researchers at the University of Texas at San Antonio conducted a study on the security vulnerabilities contained by popular smart light bulb brands. According to Murtuza Jadliwala, professor and director of the Science, Privacy, Trust and Ethics in Computing Research Lab in UTSA's Department of Computer Science, smart bulbs have infrared capabilities that could be abused by hackers steal data or spoof other Internet of Things (IoT) devices on the network to which the bulbs are connected. The infrared invisible light produced by the smart bulbs can be used by hackers to send commands that could result in the performance of these malicious activities. This article continues to discuss the increased popularity of smart bulbs, how hackers could use these bulbs to steal information, and recommendations for avoiding such attacks on smart bulbs.

    UTSA reports "UTSA Study Warns of Security Gaps in Smart Light Bulbs"

  • news

    Visible to the public "Facebook Shuts Misleading Accounts Ahead of 2020 Election"

    Facebook has announced that it has removed four networks from its platform. Three networks were connected to Iran and one from Russia. These accounts were found to be spreading misinformation related to the 2020 U.S. presidential election as well as other political events around the world. In addition to the U.S., these four networks were also targeting Facebook users in parts of North Africa as well as Latin America. The Iranian operations were relatively small and exhibited links to previous operations Facebook had already removed. The operations frequently repurposed Iranian state media content and tailored their content for particular countries they targeted around the world. The Russian operation appeared to be better funded and had links to Russia's Internet Research Agency, which has been tied by several investigations to interference in the 2016 U.S. presidential election.

    BankInfoSecurity reports: "Facebook Shuts Misleading Accounts Ahead of 2020 Election"

  • news

    Visible to the public "New Cybersecurity Bills Promote CISOs and Privacy"

    Two new cybersecurity bills, the Cybersecurity Disclosure Act of 2019 and the Mind Your Own Business Act (MYOB) of 2019, are expected to change the U.S. cybersecurity landscape if they become laws. The Cybersecurity Disclosure Act of 2019, proposed by Senator Jack Reed (D-RI), would require companies to disclose whether their board of directors has an adequate amount of cybersecurity expertise. The purpose of the Mind Your Own Business Act of 2019, introduced by Senator Ron Wyden (D-OR), is to strengthen the privacy of consumers by giving them more control over how their data is handled by organizations. The MYOB bill supports the sentencing of executives to prison for misusing Americans' data and lying about such practices to the government. This article continues to discuss the goals and requirements of the new cybersecurity bills, in addition to how the MYOB bill is stronger or weaker than the California Consumer Protection Act (CCPA).

    Security Week reports "New Cybersecurity Bills Promote CISOs and Privacy"

  • news

    Visible to the public "Stripe Targeted by Phishing Campaign"

    There has been a new phishing campaign discovered, targeting a global online payment system called Stripe. The adversaries performed the attack using an email, which resembles an official Stripe email, and sent the email out to Stripe users. The email would say that the "Details associated with account are invalid," and that urgent user intervention is required. The hackers even masked their URL so that even the more careful users would get tricked. When a victim clicked on the link the user was then taken to three websites that look almost identical to the real Stripe page. Each has a data form: one for the email and password, one for bank data and phone number, and the third one is again for username and password. Once the information is entered onto the third data form, the victim will get a "wrong username/password" message and would be redirected to the legitimate site. That way, the user wouldn't suspect a thing.

    ITProPortal reports: "Stripe Targeted by Phishing Campaign"

  • news

    Visible to the public "New Research Center Aims to Make Electronics More Secure"

    The Center for Hardware and Embedded Systems Security and Trust is the National Science Foundation's new research center aimed at protecting electronics and networked systems from being hacked, damaged, and spied on, which will be led by the University of Cincinnati (UC). The National Science Foundation, the U.S. Department of Defense, and industry leaders will work with the center to do research focused on strengthening the security of products against cyberattacks. The center's academic partners include the University of Virginia, the University of Connecticut, the University of Texas at Dallas, the University of California, and Northeastern University. This article continues to discuss the mission, support, and partners of the Center for Hardware and Embedded Systems Security and Trust.

    TechXplore reports "New Research Center Aims to Make Electronics More Secure"

  • news

    Visible to the public "Preventing Cyber Security Attacks Lies in Strategic, Third-Party Investments"

    Findings of a study conducted by Jay Simon and Ayman Omar at the American University's Kogod School of Business suggest that companies are more likely to underinvest in cybersecurity measures when they experience a data breach caused by a third-party supplier. Target, T-Mobile, and the IRS are some examples of entities that have experienced major third-party data breaches. Simon and Ayman call for companies to examine every entity that handles their data. Even if a company has implemented strong cybersecurity practices, the company is still at risk of a data breach due to third-party vendors that have weak security. This article continues to discuss key findings of the study in relation to the investment in cybersecurity measures by companies and the mitigation of risks.

    Science Daily reports "Preventing Cyber Security Attacks Lies in Strategic, Third-Party Investments"

  • news

    Visible to the public "Microsoft Launches Election Security Bug Bounty Program"

    Microsoft launched a bug bounty program for its open-source election software, called ElectionGuard, which is intended to improve the security, transparency, and accessibility of voting. The ElectionGuard is available as a software development kit (SDK). According to Jarek Stanley, a senior program manager at the Microsoft Security Response Center, the program invites security researchers, including full-time cybersecurity professionals, part-time hobbyists, and students, to find high impact vulnerabilities in the ElectionGuard SDK. Researchers are to share newly discovered vulnerabilities with Microsoft under the principle of Coordinated Vulnerability Disclosure. Microsoft's bug bounty program offers rewards, ranging from $500 to $15,000. This article continues to discuss the goals and scope of the ElectionGuard SDK and the bug bounty program launched for this product.

    MeriTalk reports "Microsoft Launches Election Security Bug Bounty Program"

  • news

    Visible to the public "Security Researchers Expose New Alexa and Google Home Vulnerability"

    Security researchers at SRLabs discovered a new vulnerability that impacts Amazon Alexa and Google Home. The exploitation of this vulnerability could allow hackers to secretly listen in on users and execute phishing attacks in which users are asked for their Google account passwords. Researchers developed malicious Alexa skills and Google Home actions that posed as apps for checking horoscopes. According to researchers, there is a flaw in both voice assistants that can allow them to continue listening to users after they have performed their initial commands. Security experts call on Google and Amazon to strengthen their security-vetting processes for third-party apps as hackers can hide malicious code in their software. This article continues to discuss the vulnerability and how researchers demonstrated its exploitation, along with Amazon's response to this discovery.

    The Verge reports "Security Researchers Expose New Alexa and Google Home Vulnerability"

  • news

    Visible to the public "Prevention Better Than Cure at Keeping Young Users From Getting Involved in Cybercrime"

    A new study conducted by researchers from the University of Cambridge and the University of Strathclyde explored the different ways in which law enforcement attempts to prevent young people from engaging in cybercrime to see how effective these methods are. According to the findings of this study, the removal of infrastructure and the launch of highly-targeted messaging campaigns by law enforcement are effective at reducing cyberattacks over a longer period of time as opposed to high-profile arrests and convictions of cybercriminals. Booter services refer to services offered by cybercriminals to those seeking to easily execute denial-of-service (DoS) attacks. These services are often used by gaming site users to attack each other. Researchers looked at how certain law enforcement interventions impacted the volume of DoS attacks. This article continues to discuss how the study was performed by researchers and what the results of this study suggest.

    The University of Cambridge reports "Prevention Better Than Cure at Keeping Young Users From Getting Involved in Cybercrime"

  • news

    Visible to the public "Worm Hits Docker Containers"

    Palo Alto Network's threat intelligence, Unit 42, has reported a crypto-jacking worm, called Graboid, that was found in images on Docker Hub. Researchers believe an attacker leveraged unsecured Docker daemons to deploy and spread the worm. Although researchers have seen other incidents of cryptomining malware being spread as a worm, this is the first time a cryptojacking malware has been spread using Docker application containers. This article continues to discuss the Graboid worm in regard to its distribution, capabilities, and limitations.

    EnterpriseAI reports "Worm Hits Docker Containers"

  • news

    Visible to the public "Security Researcher Publishes Proof-Of-Concept Code for Recent Android Zero-Day"

    Grant Hernandez, a PhD candidate at the Florida Institute of Cyber Security at the University of Florida, recently published proof-of-concept (PoC) code on GitHub for an Android zero-day vulnerability discovered by Google Project Zero security researchers. According to Hernandez, the PoC called Qu1ckR00t, can circumvent Discretionary Access Control (DAC) and Linux Capabilities (CAP). In addition, Security-Enhanced Linux (SELinux), Secure Computing Mode (SECCOMP), and Mandatary Access Control (MAC) can be disabled using the PoC. Attackers can use the PoC to gain full control of an Android device. This article continues to discuss the zero-day vulnerability and the PoC codes shared by researchers for this vulnerability.

    ZDNet reports "Security Researcher Publishes Proof-Of-Concept Code for Recent Android Zero-Day"

  • news

    Visible to the public "Cryptography without Using Secret Keys"

    Researchers from the University of Twente and Einhoven University of Technology have developed a new method that secures data without using secret keys. The cryptographic keys used by most security applications must be kept confidential so that they do not get lost, stolen, or compromised. However, there is no guarantee that these keys cannot be intercepted. The alternative method to securing data proposed by the researchers involves the use of a PUK (Physical Unclonable Key) and the quantum properties of light. This article continues to discuss the use of cryptographic keys and the alternative data security method proposed by researchers that uses a PUK to send secret messages.

    TU/e reports "Cryptography without Using Secret Keys" "Facebook's Bug Bounty Gets Bigger for Third-Party Apps"

  • news

    Visible to the public "Facebook’s Bug Bounty Gets Bigger for Third-Party Apps"

    In an effort to improve Facebook's security and privacy, the social media giant will enhance its bug bounty programs by allowing security researchers to actively search for vulnerabilities in third-party apps and websites that integrate with its platform. Instead of passively observing third-party apps and websites for vulnerabilities, security researchers will be able to test the apps and websites for security flaws. However, they must have permission from the third-party to do so. Allowing security researchers to take on a more active approach will result in the discovery of more vulnerabilities as they would be able to look at the different ways in which a third-party app could be exploited by attackers to abuse a user's data. In addition, those that discover rare security vulnerabilities will be rewarded with a $15,000 bonus. This article continues to discuss the expansion of Facebook's bug bounty programs.

    CNET reports "Facebook's Bug Bounty Gets Bigger for Third-Party Apps"

  • news

    Visible to the public "New Cryptomining Malware Uses WAV Audio Files to Conceal Its Tracks"

    Security researchers from Cylance have discovered the use of a steganography technique in a new campaign aimed at distributing cryptomining malware. Steganography is a technique that can be used by hackers to covertly deliver malware in or by way of formats that conceal the distribution of the malware, such as image files, video files, and other unsuspecting multimedia containers. This technique differs from cryptography by concealing the delivery of malicious data instead of the data itself. Steganography remains an effective method for hackers because most users would not suspect a multimedia container such as a digital image to consist of malware. In this case, researchers found that cybercriminals have been hiding cryptomining malware in WAV files. This article continues to discuss the the steganography technique employed in the new cryptomining campaign.

    TNW reports "New Cryptomining Malware Uses WAV Audio Files to Conceal Its Tracks"

  • news

    Visible to the public "Silent Librarian Retools Phishing Emails to Hook Student Credentials"

    The threat group known as Silent Librarian, TA407, or Cobalt Dickens, has been discovered to be using new tactics in an updated phishing campaign. Silent Librarian targets university students to steal student login credentials. According to researchers at Proofpoint, the group's recent campaign uses shortened URL links in phishing emails to make it increasingly difficult to detect the phishing attempt. These URLs redirect victims to revamped attacker-hosted landing pages that display university-specific banners, consisting of notifications about emergencies or the weather. This article continues to discuss the operations, new tactics, targets, and impact of the Silent Library threat group.

    Threatpost reports "Silent Librarian Retools Phishing Emails to Hook Student Credentials"

  • news

    Visible to the public "A new Mac Malware Dubbed Tarmac has Been Distributed via Malvertising Campaigns"

    It has been discovered that malvertising campaigns are distributing MacOS malware combining both Shlayer and Tarmac malware. The malvertising campaigns have targeted users located in the US, Italy, and Japan. When a user clicks on a malicious ad, the ad then redirects the victim to sites showing popups peddling software updates, mainly Adobe Flash Player updates, that once executed will install first the OSX/Shlayer MacOS malware, which then execute the final payload, the OSX/Tarmac. Tarmac acts as a second-stage payload for the Shlayer infection.

    Cyber Defense Magazine reports: "A new Mac Malware Dubbed Tarmac has Been Distributed via Malvertising Campaigns"

  • news

    Visible to the public "FIN7 Gang Returns With New Malicious Tools"

    The financially-motivated hacking group, FIN7, is back with new malicious tools. FIN7 hackers are known for targeting businesses, including fast-food restaurants, hotels, and casinos for the purpose of stealing payment data such as credit card numbers. They have installed customized malware on point-of-sale (PoS) machines and IT networks using spear-phishing techniques. According to researchers at FireEye, the hacking group is now deploying a new dropper, called Boostwrite, which is capable of circumventing detection by using valid certification. Boostwrite delivers a new payload, called Rdfsniffer, to interfere with remote administrative tools used to fix payment systems and PoS machines. This article continues to discuss the FIN7 hacking group in relation to its newly discovered malicious tools and techniques.

    BankInfoSecurity reports "FIN7 Gang Returns With New Malicious Tools"

  • news

    Visible to the public "Beyond Testing: The Human Element of Application Security"

    According to Veracode's recent State of Software Security (SOSS) report, the analysis of results from more than 700,000 applications scans revealed that 83 percent of the applications contained one or more vulnerabilities. These results call for the improvement of application security with human solutions. In order for an application security program to be effective, the role of the human in the security process must be enhanced. Experts have recommended that developers receive training on secure coding. In addition, organizations are encouraged to establish bug bounty programs and strong vulnerability disclosure policies to allow outside security researchers to find vulnerabilities in their software and properly disclose the security risks that they have discovered. This article continues to discuss the importance of improving application security, secure code training, vulnerability disclosure policies, and bug bounty programs.

    Security Boulevard reports "Beyond Testing: The Human Element of Application Security"

  • news

    Visible to the public "Protecting Smart Machines From Smart Attacks"

    A team of researchers at Princeton University conducted studies on how adversaries can attack machine learning models. As the application of machine learning grows, it is important that we examine the different ways in which this technology can be exploited by attackers to develop countermeasures against them. The researchers demonstrated different adversarial machine learning attacks, which include data poisoning attacks, evasion attacks, and privacy attacks. Data poisoning attacks occur when an adversary inserts bad data into an AI system's training set. Evasion attacks refer to the manipulation of an input so that it appears normal to a human, but can be incorrectly classified by the machine learning model. Privacy attacks are performed when adversaries try to expose sensitive information using data learned by the machine learning model. This article continues to discuss the importance of exploring the vulnerabilities of machine learning technologies and the adversarial machine learning attacks demonstrated by researchers.

    Princeton University reports "Protecting Smart Machines From Smart Attacks"

  • news

    Visible to the public "Fake Mobile app Fraud Tripled in First Half of 2019"

    During a study of Quarter 2 of 2019, RSA Security identified 57,406 total fraud attacks worldwide. Of these, phishing attacks were the most prevalent (37%), followed by fake mobile apps (usually apps posing as those of popular brands). Adversaries using phishing attacks went up by 6 percent between 1st half of 2019 and 2nd half of 2018. Attacks using financial malware and rogue mobile apps have increased significantly between 1st half of 2019 and 2nd half of 2018. Adversaries use of financial malware increased 80 percent and Rogue mobile apps use increased 191 percent.

    Help Net Security reports: "Fake Mobile app Fraud Tripled in First Half of 2019"

  • news

    Visible to the public "How Do We Ensure GNSS Security Against Spoofing?"

    The Global Navigation Satellite System (GNSS) refers to satellite navigation systems that provide positioning, navigation, and timing (PNT) services with global coverage. If the GNSS suffered a major outage for one day, it would cost the U.S. an estimated $1 billion in damage as this system is relied upon for automation, efficiency, and safety. All of the ways in which the GNSS can be exploited by attackers must be further explored in order to improve the security of this system against attacks such as GPS spoofing. GPS spoofing occurs when an attacker interferes with legitimate GPS signals using a radio transmitter that is near a target. In the context of military combat, an adversary could execute GPS spoofing attacks to manipulate GPS receivers, which could lead to the hijacking of autonomous vehicles and robotic devices. This article continues to discuss the concept of GPS/GNSS spoofing, incidents of GPS spoofing, the different types of spoofing, and how receivers can be protected against spoofing attacks.

    GPS World reports "How Do We Ensure GNSS Security Against Spoofing?"

  • news

    Visible to the public "Mathematicians Prove That Flash-Memory 'Fingerprints' of Electronic Devices Are Truly Unique"

    Mathematicians at RUDN University have proven that the defects in flash memory cells can be used as fingerprints for memory chips. This method will strengthen the security of electronic devices against hacks. The growth of devices such as smartphones, fitness bracelets, and memory devices continues to raise concerns about the theft and unauthorized alteration of these devices. Devices can be identified through the use of virtual or physical methods in which unique numbers are hard written into devices and fluctuations of a device's radio frequency act as the identifiers. However, these methods are still subject to tampering in that software can be hacked and interference with radio signals can occur. The new method of physical identification involves the use of microscopic manufacturing defects that result in damaged flash memory cells. As patterns of microdefects are truly unique, they can be used to distinguish one device from another. This article continues to discuss existing device identification methods, the new method of physical identification based on damaged flash memory cells, and how experts from RUDN University verified the effectiveness of this method.

    TechXplore reports "Mathematicians Prove That Flash-Memory 'Fingerprints' of Electronic Devices Are Truly Unique"

  • news

    Visible to the public "AI Development has Major Security, Privacy and Ethical Blind Spots"

    In a new study, it has been discovered that the most serious blind spot during AI development is security. Nearly three-quarters (73%) of respondents in the study, indicated they don't check for security vulnerabilities during model building. More than half (59%) of organizations also don't consider fairness, bias or ethical issues during ML development. It was also found that privacy is similarly neglected, with only 35% checking for issues during model building and deployment. The majority (55%) of developers mitigate against unexpected outcomes or predictions, but this still leaves a large number who don't. Of the respondents, 16% don't check for any risks at all during development.

    Help Net Security reports: "AI Development has Major Security, Privacy and Ethical Blind Spots"

  • news

    Visible to the public "NAU Cyberengineering Team Wins $6M Grant to Develop Computing Solutions to Combat Cyberattacks"

    The U.S. Air Force has awarded a $6.3 million grant to a team of researchers at Northern Arizona University. The grant was given to support the development of novel solutions to the growing sophistication and frequency of cyberattacks as well as the increasing threat posed by cyber warfare. The researchers will explore the possible ways in which hackers can be defeated through the use of new hardware technologies as traditional protection methods such as using virus detection and firewalls have been proven to be insufficient. Key technology modules will be developed by researchers, which will introduce new types of protection in the realms of cryptography, physical unclonable functions, blockchain, and key distribution. This project is expected to help improve the security of power plants, transportation systems, medical devices, and more. This article continues to discuss the support, goals, and structure of the NAU-led research project.

    NAU reports "NAU Cyberengineering Team Wins $6M Grant to Develop Computing Solutions to Combat Cyberattacks"

  • news

    Visible to the public "Group Said to Be Behind Attempted Campaign Hack Has Also Gone After Cybersecurity Researchers"

    The Iranian-linked hacking group that made more than 2,000 attempts to compromise email accounts associated with a U.S. presidential campaign, government officials, journalists, and prominent Iranians that live outside Iran, is also said to be targeting cybersecurity researchers. According to researchers at ClearSky Cyber Security, the group known as Charming Kitten, APT35, or Phosphorus, has been sending phishing emails to them. The hacking group also created a phishing website that appears to belong to ClearSky. In addition, the group built a fake web-mail page aimed at attacking ClearSky's clients. Such efforts have highlighted the extent to which cybercriminals may go to attack cybersecurity researchers when they try to expose hackers' operations. This article continues to discuss the attacks executed by the Iranian hacking group against cybersecurity researchers and other discoveries surrounding the group's latest activities.

    CyberScoop reports "Group Said to Be Behind Attempted Campaign Hack Has Also Gone After Cybersecurity Researchers"

  • news

    Visible to the public "New Data Analysis Approach Could Strengthen the Security of IoT Devices"

    It has been discovered that a multi-pronged data analysis approach can strengthen the security of IoT devices. One of the data analysis techniques the researchers applied during the study was an open-source freely available R statistical suite, which they used to characterize the IoT systems. They also used machine learning solutions to search for patterns in the data that were not apparent using R. The researchers also used the widely available Splunk intrusion detection tool. Using the tools stated above, the researchers identified three IP addresses that were actively trying to break into the Canberra network's devices. The researchers believe that analyzing IoT data using the approach they used, may enable security professionals to identify and manage controls to mitigate risk and analyze incidents as they occur. The researchers also hope that this research will help professionals create protocols on IoT security.

    Help Net Security Reports "New Data Analysis Approach Could Strengthen the Security of IoT Devices"

  • news

    Visible to the public "NIST is Hunting for Tech to Secure the Energy Sector’s Network"

    Efforts are being made by the U.S. National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE) to bolster the security of the Industrial Internet of Things (IIoT) attached to the nation's power grid. Through a program, NCCoE seeks to develop a solution for strengthening IIoT in a distributed energy resource environment. The flow of data from distributed energy resources (DERs), including wind turbines and solar panels, must be secured as these resources increase the vulnerability of the grid to disruption by cyberattackers. This article continues to discuss the focus and goals of the program as well as the increase in DERs, how such resources are introducing more threats to the grid, and other efforts to defend the grid against cyberthreats.

    NextGov reports "NIST is Hunting for Tech to Secure the Energy Sector's Network"

  • news

    Visible to the public "NIST and Microsoft Partner to Improve Enterprise Patching Strategies"

    Microsoft and the U.S. NIST National Cybersecurity Center of Excellence (NCCoE) will team up to help enterprises improve their security patch management strategies. Better patching strategies could have reduced the impact of WannaCry and NotPetya. Following these attacks, Microsoft looked into the challenges faced by customers in regard to security patches. The analysis of these challenges further emphasized the importance of establishing better industry guidance and standards for enterprise patch management. The partnership between Microsoft and the NCCoE will be in support of developing common enterprise management reference architectures, validating implementation instructions in the NCCoE lab, and more. This article continues to discuss the joint project and the importance of improving enterprise patching strategies.

    Security Week reports "NIST and Microsoft Partner to Improve Enterprise Patching Strategies"

  • news

    Visible to the public "BitPaymer Ransomware Attackers Exploit Apple Flaw to Bypass Detection"

    A zero-day flaw in iTunes for Windows and iCloud for Windows has been patched by Apple. The actual bug was contained by Bonjour, a component that comes with iTunes for Windows machines used to deliver updates and help services discover each other. According to researchers at Morphisec, the bug is an unquoted service path, which occurs when a file path to an executable service is not surrounded by quotation marks. The bug has been exploited by attackers to circumvent users' security defenses such as antivirus software and run BitPaymer ransomware, also known as IEncrypt. This article continues to discuss the zero-day flaw that was contained by the Bonjour updater in relation to what type of vulnerability it was, its exploitation by attackers to execute ransomware, and how it was addressed by Apple, in addition to the effectiveness of the exploit.

    SC Media reports "BitPaymer Ransomware Attackers Exploit Apple Flaw to Bypass Detection"

  • news

    Visible to the public "Attackers Hide Behind Trusted Domains, HTTPS"

    A new report from Webroot brings further attention to the use of HTTPS domains to host phishing attacks. Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP that uses the Transport Layer Security (TLS) protocol to secure connections between browsers and web servers in order to prevent the eavesdropping of users' private information, including passwords and web searches. The presence of "https" and a green padlock symbol in a browser's address bar gives users a false sense of security as there is no guarantee that the information encrypted and securely delivered by HTTPS is going to a safe destination. This article continues to discuss the use of trusted domains and HTTPS by attackers in addition to the increased targeting of older operating systems and the rise in malware variants.

    Dark Reading reports "Attackers Hide Behind Trusted Domains, HTTPS"

  • news

    Visible to the public "Combination of Techniques Could Improve Security for IoT Devices"

    A team of researchers at Penn State World Camp have developed an approach consisting of a combination of different techniques to bolster the security of Internet of Things (IoT) devices such a smart TVs, smart speakers, wearables, and home video cameras. According to one researcher, the number of IoT devices in operation will reach 20 billion by 2020, which increases the vulnerability of users to security breaches. The breach of IoT devices could pose a threat to the privacy and safety of users. The approach created by the researchers to identify attacks and maintain the security of IoT systems involves the use of statistical data, machine learning, intrusion detection tools, visualization tools, and more. This article continues to discuss the techniques and tools applied in the team's approach, as well as how this approach will help security professionals strengthen IoT device security.

    EurekAlert! reports "Combination of Techniques Could Improve Security for IoT Devices"

  • news

    Visible to the public "Hackers Bypassing Some Types of 2FA Security FBI Warns"

    It has been discovered by the FBI that some types of two-factor authentication (2FA) security can no longer be guaranteed to keep adversaries out. Their are several methods cyber actors use to circumvent popular multi-factor authentication techniques in order to obtain the one-time passcode and access protected accounts. The most common bypass method is SIM swap fraud, in which the attacker convinces a mobile network (or bribes an employee) to port a target's mobile number, allowing them to receive 2FA security codes sent via SMS text. Using any form of 2FA is still better than relying on a password and username on its own even with some being vulnerable. If one wants to have the strongest possible 2FA security, one will probably have to consider using FIDO2 hardware tokens, a technology that has yet to be undermined by hackers in real-world attacks.

    Naked Security reports: "Hackers Bypassing Some Types of 2FA Security FBI Warns"

  • news

    Visible to the public "Using Machine Learning to Hunt Down Cybercriminals"

    Researchers at MIT and the University of California at San Diego (UCSD) have developed a new machine-learning (ML) system that can be used to prevent IP hacking incidents before they occur by identifying serial IP hijackers. IP hijacking is a type of cyberattack in which cybercriminals exploit a flaw in the routing protocol for the Internet, Border Gateway Protocol (BGP). Through the performance of a BGP hijack, nearby networks can be convinced that a malicious actor's network has the best path to reach a specific IP address. The researchers gathered information from network operator mailing lists and historical BGP data to identify the common traits and behaviors of serial hijackers. Using the collected information, researchers trained their system to identify those traits and behaviors, allowing IP hacking incidents to be predicted in advance. This article continues to discuss the concept of IP hijacking, the ML system developed to detect such attacks before they occur, and the identification of false positives.

    MIT News report "Using Machine Learning to Hunt Down Cybercriminals"

  • news

    Visible to the public "Twitter Admits It Used Two-Factor Phone Numbers and Emails for Serving Targeted Ads"

    Another incident has raised concerns over the misuse of customer data by social media giants. Twitter recently admitted to using phone numbers and email addresses provided by users to enable two-factor authentication on their accounts for targeted advertising. According to a statement released by the company, this issue derived from its advertising system that allows companies to upload their own marketing list, match with Twitter users, and directly target them in their campaigns. This article continues to discuss the incident, the importance of two-factor authentication, a similar incident that was faced by Facebook last year, and other notable security mistakes made by Twitter.

    TechCrunch reports "Twitter Admits It Used Two-Factor Phone Numbers and Emails for Serving Targeted Ads"

  • news

    Visible to the public "A Controversial Plan to Encrypt More of the Internet"

    Google and Mozilla plan to encrypt a fundamental element of the Internet, the Domain Name System (DNS). Security was not considered in the design of DNS, allowing hackers to abuse weaknesses and vulnerabilities in the Internet system through a variety of different attacks such as DNS hijacking. The increase in such attacks has prompted this push to encrypt DNS. Two different methods that apply web encryption to DNS requests, called DNS over HTTPS (DoH) and DNS over TLS (DoT), have already been codified by the Internet Engineering Task Force standards body. This article continues to discuss the concept of DNS, the insecurity of DNS requests, the two protocols aimed at encrypting these requests, and concerns surrounding the encryption of DNS requests among cybersecurity professionals.

    Wired reports "A Controversial Plan to Encrypt More of the Internet"

  • news

    Visible to the public "Majority of IT Departments Leave Major Holes in Their USB Drive Security"

    In a new study, it was found that even though 87% of organizations use USB drives, the majority of IT departments aren't implementing tools to manage USB device usage. Nearly 6 out of 10 organizations (58%) do not use port control / whitelisting software to manage USB device usage. More than a quarter of organizations (26%) do not use software-based encryption, and less than half of organizations (47%) require the deployment of encryption for data stored on the USB drive. An overwhelming 91% of employees that participated in this study thought that encrypted USB drives should be mandatory.

    Help Net Security reports: "Majority of IT Departments Leave Major Holes in Their USB Drive Security"

  • news

    Visible to the public "New Report Outlines IoT Security Vulnerabilities"

    A new Internet of Things (IoT) report released by consulting and research firm, Independent Security Evaluators (ISE), details the presence of IoT security vulnerabilities in 13 popular small office/home office (SOHO) routers and network-attached storage (NAS) devices. The study of these devices resulted in 125 CVEs (Common Vulnerabilities and Exposures). According to the report, all 13 devices that were examined in this research contained one or more web app vulnerabilities. The exploitation of these vulnerabilities could allow attackers to compromise additional network devices, obtain sensitive information transmitted via devices, disable networks, and more. This article continues to discuss key findings of the IoT security report, the impact IoT security vulnerabilities, how these IoT weaknesses can be eliminated, what improvements have been made in IoT security, and the need for IoT device manufacturers to prioritize security.

    CPO Magazine reports "New Report Outlines IoT Security Vulnerabilities"

  • news

    Visible to the public "Wireless Security Institute Established at Idaho National Laboratory to Improve 5G Technology"

    5G is the next generation of wireless technology that is expected to bring improvements in regard to bandwidth, capacity, and reliability. However, the arrival of 5G networks is also expected to introduce new security vulnerabilities. As the implementation of 5G technology continues to increase, data protection technologies and 5G security protocols need to be developed and validated. Idaho National Laboratory (INL) has established the INL Wireless Security Institute to lead research conducted by government, academia, and private industry aimed at making 5G wireless technology more secure and reliable. The INL Wireless Security Institute will work with public and private leaders in the wireless communication field to prioritize security tasks and increase efforts to improve security. This article continues to discuss what it is expected of 5G wireless technology and how the INL Wireless Security Institute will support efforts towards improving this technology.

    INL reports "Wireless Security Institute Established at Idaho National Laboratory to Improve 5G Technology"

  • news

    Visible to the public "Phishing Attempts Increase 400%, Many Malicious URLs Found on Trusted Domains"

    In a news study, it has been discovered that nearly a quarter (24%) of malicious URLs are found to be hosted on trusted domains. This is done, because hackers know trusted domain URLs raise less suspicion among users and are more difficult for security measures to block. It was also discovered that 1 in 50 URLs (1.9%) were found to be malicious, which is high given that nearly a third (33%) of office workers click more than 25 work-related links per day. Nearly a third (29%) of detected phishing web pages use HTTPS as a method to trick users into believing they're on a trusted site via the padlock symbol. Phishing attempts grew rapidly, with a 400% increase in URLs discovered from January to July 2019. The top industries impersonated by phishing include: SaaS/Webmail providers (25%), financial institutions (19%), social media (16%), retail (14%), file hosting (11%), and payment services companies (8%).

    Help Net Security reports: "Phishing Attempts Increase 400%, Many Malicious URLs Found on Trusted Domains"