News Items

The COVID-19 pandemic has amplified the cybersecurity challenges faced by school districts across the United States. Before the coronavirus crisis, school districts had already been experiencing cybersecurity shortcomings because of the lack of dedicated funding and the shortage of skilled security professionals to assess and enhance cybersecurity defenses. These insufficiencies have resulted in system setup errors and poor patch management that leave schools and their students vulnerable to hackers and scams. The shift to online learning has intensified these risks. Millions of teachers and students must now use chat software, lesson portals, digital message boards, and other online tools, which could be used as attack vectors if they are not set up with proper authentication and controls. Attackers can also abuse the tools used for accessing school networks remotely, including virtual private networks (VPNs) and the Remote Desktop Protocol (RDP), to infiltrate systems. This article continues to discuss the cybersecurity challenges facing school districts, the amplification of these challenges by the pandemic, vulnerabilities discovered in different school systems, and current K-12 digital security incident-reporting.

Wired reports "Schools Already Struggled with Cybersecurity. Then Came COVID-19"

JSOF security researchers recently discovered a series of vulnerabilities, dubbed "Ripple20", that impact connected devices in the enterprise, industrial, and healthcare industries. The Ripple20 vulnerabilities were found in a low-level TCP/IP software library, which many IoT device manufacturers build directly into their devices or integrate via embedded third-party components. These flaws could enable denial-of-service (DoS) attacks, information disclosure, remote code execution, and other malicious activities. Infusion pumps were among the devices confirmed to be vulnerable. The exploitation of Ripple20 vulnerabilities in infusion pumps, poses a significant threat to safety as these devices deliver doses of medicine directly to patients. This article continues to discuss the potential impact of Ripple20, the growing concern about the security of connected medical devices, and what hospitals can do to protect their medical devices.

Dark Reading reports "Ripple20 Threatens Increasingly Connected Medical Devices"

Philips, a leading health technology solutions company, recently reported vulnerabilities discovered in its ultrasound medical devices to the U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA). According to an official statement from CISA, the vulnerabilities were found in Ultrasound ClearVue, Ultrasound CX, Ultrasound EPIQ/Affiniti, Ultrasound Sparq, and Ultrasound Xperius devices. Attackers can view or alter information by exploiting the security flaws discovered in these devices. CISA recommends that healthcare organizations implement physical security measures, apply defense-in-depth strategies, disable unnecessary accounts, and more, to prevent the abuse of the vulnerabilities. This article continues to discuss the security flaws identified in ultrasound medical devices and Philips' response to the flaws, as well as preventative measures recommended by CISA and other research that highlight the vulnerability of medical devices to cyberattacks.

CISO MAG reports "Philips Release Patches for Vulnerabilities Affecting its Medical Devices"

There have been massive advancements in perimeter and endpoint defenses, but email remains a cybersecurity risk for many companies. Almost 90 percent of email attacks manipulate sender identity to fool recipients and initiate social engineering attacks. Phishing attacks are increasingly mutating quickly and continuously shift tactics and lures. Adversaries have learned how to get through email security at all three defensive layers currently in use by most organizations: the gateway, the mail client, and the end-user. For organizations to protect themselves from email attacks, companies need to start validating sender identities. For this to be effective, sender identity solutions will need to address all three types of identity-based attacks: open-signup attacks, untrusted-domain attacks, and domain-spoofing attacks.

Threatpost reports: "Email Sender Identity is Key to Solving the Phishing Crisis"

Researchers from the Tokyo University of Science (TUS) have developed a new single sign-on (SSO) algorithm that prevents the disclosure of a user's identity and personal information to third parties. SSO systems provide users the option to access different services and applications, using a single set of credentials (username and password). For example, one may log onto a website using their Facebook or Gmail login credentials. However, SSO systems are third party systems often managed by Big Tech companies who have been reported to collect personal information without users' permission for purposes such as targeted advertising. This article discusses the advantages of SSO systems, the concerns surrounding these systems, and TUS researchers' proposed cryptographic scheme to hide sensitive information from third parties when accessing services via SSO systems.

The Tokyo University of Science reports "No Keys to the Kingdom: New Single Sign-On Algorithm Provides Superior Privacy"

Malwarebytes recently reported malicious code insertion inside the Exchangeable Image File Format (EXIF) data of a favicon by hackers. A favicon is a small image used by web browsers to show a graphical representation of a website. Hackers are hiding scripts in favicon images' EXIF data to evade detection and steal credit card information. This attack is considered a variant of a Magecart attack. Such attacks have been performed against Macy's, British Airways, Tupperware, and other widely popular companies. According to Malwarebytes, credit cards stolen through the execution of Magecart attacks are being sold or used to make fraudulent purchases on the dark web market. This article continues to discuss the use of favicon metadata to hide credit card-stealing scripts and other techniques applied by Magecart hackers to circumvent detection.

Bleeping Computer reports "Hackers Hide Credit Card Stealing Script in Favicon Metadata"

US Cyber Command is warning that foreign state-sponsored hacking groups will likely try to exploit a significant security bug disclosed today in PAN-OS. PAN-OS is the operating system running on firewalls and enterprise VPN appliances from Palo Alto Networks. The vulnerability is an authentication bypass that allows adversaries to access a device without valid credentials. Once exploited, the bug allows hackers to change PAN-OS settings and features. The bug could be used to disable firewalls or VPN access-control policies, effectively disabling the entire PAN-OS devices. The vulnerability was given a 10/10 CVSSv3 score meaning the vulnerability is both easy to exploit as it doesn't require advanced technical skills, and it's remotely exploitable via the internet, without requiring attackers to gain an initial foothold on the attacked device.

ZDNet reports: "US Cyber Command Says Foreign Hackers Will Most Likely Exploit New PAN-OS Security Bug"

Researchers at Snyk have discovered that new vulnerabilities in open source packages are down 20 percent compared to last year, suggesting that the security of open source containers and packages are heading in a positive direction. Cross-site scripting vulnerabilities were the most commonly found by the researchers. They also found that SQL Injection vulnerabilities are decreasing prevalence in most ecosystems, but have increased over the last three years in PHP packages.

Help Net Security reports: "New Vulnerabilities in Open Source Packages Down 20% Compared to Last Year"

Cybersecurity Snapshots #7 -

Is Online Voting a Good Idea?

Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

Cybersecurity research software developed by Sandia National Laboratories, called minimega, can now be accessed by faculty and students at Purdue University. This is the first time Sandia has partnered with an academic community to make its software fully accessible to an institution for teaching or research regardless of association with the Labs. Minimega is an open-source emulation platform aimed at improving cybersecurity research to discover security threats faced by various systems and develop new solutions for protecting the systems against such threats. The platform allows users to set up a simulated, virtual network to analyze computer networks and distributed systems. Users can study cybersecurity, resiliency, what-if-scenarios, as well as participate in red-teaming assessments. This article continues to discuss minimega's availability and future expansion, as well as why it is an advancement in cybersecurity research.

Sandia National Laboratories report "Expanding Access to Cyber Research Tools"

Researchers at Cornell Tech conducted a study to explore whether the types of websites people are visiting affect how third-party trackers follow them around the internet. The study found that Internet trackers are more likely to follow those who visit WebMD.com, mayoclinic.org, and other popular health sites. Health sites' third-party trackers were observed to be more persistent at following page visitors than trackers in other types of websites, despite being smaller in number. According to researchers, browsing data based on sensitive health information is appealing to advertisers because it allows them to learn a lot about a user and manipulate them into clicking on ads related to their health problems. One researcher pointed out that tracking a user from a health site to a news site violates privacy under the theory of contextual integrity. This article continues to discuss the performance, purpose, and key findings of the study on whether social contexts affect third-party trackers.

Cornell Chronicle reports "Online Trackers Follow Health Site Visitors"

Researchers at WatchGuard discovered that 67 percent of all malware in Q1 of 2020 was delivered via encrypted HTTPS connections. They also found that 72 percent of encrypted malware was classified as zero day, which means they would have evaded signature-based antivirus protection. These findings show that without HTTPS inspection of encrypted traffic, and advanced behavior-based threat detection and response, companies are missing about two-thirds of incoming threats. Five of the top ten domains distributing malware in Q1 of 2020 were hosted or controlled by Monero cryptominers.

Help Net Security reports: "Most Malware in Q1 2020 Was Delivered Via Encrypted HTTPS Connections"

Cano Health, a Florida senior care provider, experienced a prolonged security breach that went unnoticed for two years. Further investigation of the breach revealed that threat actors compromised three employee email accounts. Patients' personal information, such as their Social Security numbers, financial account numbers, government identification numbers, dates of birth, and more, may have been accessed in the compromise of these email accounts. This article continues to discuss the discovery and potential impact of the two-year data breach, as well as Cano Health's response to the incident.

Infosecurity Magazine reports "Two-Year Data Breach at Florida Senior Care Provider"

The healthcare sector continues to face a growing range of cyber threats during the COVID-19 pandemic as telework and telework increases. Security researchers and federal agencies have reported surges in cyberattacks against cloud services, remote platforms, and mobile devices. Healthcare organizations are encouraged to implement multi-factor authentication, enhance employee awareness and training, improve patch management, and conduct asset inventories to strengthen their cybersecurity. This article continues to discuss hackers' increased targeting of the healthcare sector and what organizations should do to bolster healthcare cybersecurity.

HealthITSecurity reports "3 Key Ways to Bolster Healthcare Cybersecurity With MFA, Training"

Twitter, on May 20th, discovered that billing information of businesses who use Twitter's advertising and analytics platform was being stored in the browser's cache. The personal data stored in the browser's cache included email addresses, phone numbers, and the last four digits of clients' credit card numbers. Twitter says that there is no evidence that clients' billing information was compromised. It is not clear how many businesses have been affected, and Twitter has since fixed the problem.

BBC reports: "Twitter Apologises for Business Data Breach"

The use of quantum computers by hackers poses a threat to the security of current communications systems. Quantum computers' quantum-mechanical properties will allow them to perform calculations much faster than today's computers. The speed at which quantum computers will calculate will deem current encryption algorithms obsolete. Therefore, researchers are working to develop new encryption methods that involve the principles of quantum mechanics. A team of physicists has set up the theoretical foundation for a communication protocol that ensures privacy and security. The protocol offers protection against hackers in possession of quantum computers through the addition of artificial noise. This article continues to discuss how the new protocol guarantees secure communication.

Science Daily reports "Adding Noise for Completely Secure Communication"

Cryptocurrency giveaway scams have been around for a few years now. Cybersecurity firm Adaptiv has discovered that fraudsters are now name-dropping Musk (the founder of Tesla and SpaceX) into the bitcoin address itself, which has tricked victims out of more than $2 million worth of bitcoin over that past two months. The adversaries incorporate a custom element or word into the bitcoin address itself, for example, "1MuskSEYstWetqTFn5Au4m4GFg7xJaNVN2" or "1ELonMUskSEYstWetqTFn5Au4m4GFg7xJaNVN2". The adversaries ask people to send digital cash to a bitcoin address under the promise of doubling the sum as part of a giveaway. The researchers discovered 67 bitcoin addresses with the word "Musk" in them. One of the ways these giveaway scams are organized is through hijacked YouTube accounts with many followers.

WeLiveSecurity reports: "Scam Uses Elon Musk's Name to Trick People Out of US$2 Million in Bitcoin"

On Friday of last week, a leak-focused activist group known as Distributed Denial of Secrets (DDoSSecrets) published a 269-gigabyte collection of police data that was supposedly stolen by Anonymous, which is a hacking group. The data includes emails, audio, video, and intelligence documents, with over a million files in total. The data comprised includes information from 200 state, local, and federal agencies. The National Fusion Center Association made a statement saying that much of the data belonged to law enforcement "fusion centers" across the US. The "fusion centers" act as information-sharing hubs for federal, state, and local agencies.

Wired reports: "Hack Brief: Anonymous Stole and Leaked a Megatrove of Police Documents"

The cybersecurity firm, Awake Security, released a report on the discovery of 111 malicious or fake Chrome extensions created to collect sensitive user data from users across the world in different industry segments. The primary link between these malicious extensions is that they use GalComm domains for attacker command and control or loader pages. The extensions contain code that allows them to take screenshots, harvest credential tokens, grab user keystrokes, read the clipboard, and more. According to researchers, the extensions were found on the networks of organizations in financial services, oil, media, healthcare, retail, government, and other sectors. This article continues to discuss recent findings surrounding the malicious chrome extensions used in a massive global surveillance campaign.

Security Week reports "Malicious Chrome Extensions Used in Global Surveillance Campaign"

A recent report by Gaurdsqaure reveals that most government COVID-19 contact tracing apps from the U.S. and other countries around the world lack adequate security, leaving the apps vulnerable to hacking. This discovery comes from the assessment of 17 government entity-built Android mobile contact tracing apps launched in 17 different countries. The American Civil Liberties Union, Congress, and the Electronic Frontier Foundation have all highlighted the potential threats such apps pose to privacy and security. According to Gaurdsqaure's report, most of the apps analyzed by researchers, do not include string encryption, emulator detection, resource encryption, class encryption, some level of name obfuscation, or other security hardening technique. This article continues to discuss key findings regarding the security of COVID-19 contact tracing apps, the potential impact of security flaws in these apps, and the importance of using a layered security approach in the development of mobile apps.

HealthITSecurity reports "Majority of COVID-19 Contact Tracing Apps Lack Adequate Security"

According to a recent study by Positive Technologies, more than half of mobile banking applications are vulnerable to fraud and data theft because of easily exploitable security flaws. The company's security experts examined 14 banking apps. The findings of the investigation revealed that most of the banking apps fail to prevent unauthorized access to a user's data, and all of the apps contain coding errors. The security flaws found in the banking apps could allow attackers to execute brute-force attacks, distribute banking Trojans, and more. This article continues to discuss the security vulnerabilities found in banking apps, the attacks that could be performed by exploiting these flaws, and the FBI's warning about the increased use of fake mobile banking apps.

CISO MAG reports "Half of Mobile Banking Apps are Vulnerable to Fraud Data Theft"

Companies use tracking services to collect data for targeted advertising. These tracking services collect troves of data, including what websites were accessed by users, the times they visited the websites, and location information. Due to the sensitivity of such information, many tracking service providers generalize datasets to anonymize the data for secure data protection. Generalization refers to the reduction of a dataset's level of detail so that it is impossible to identify individuals. Computer scientists from the Karlsruhe Institute of Technology and Technical University of Dresden did a study on the effectiveness of dataset generalization in securing web tracking data. This article continues to discuss the types of data collected by tracking services, the use of generalization by tracking companies to protect data, how researchers tested the effectiveness of this method, and what observations were made by researchers during this study.

KIT reports "Data Security in Website Tracking"

Organizations working to develop a COVID-19 vaccine have been experiencing an increase in government-led attacks. A variety of attacks on COVID-19 research teams and facilities aim to steal information about potential vaccines. Google released a report highlighting the rise in government-executed cyberattacks against healthcare organizations engaged in efforts to find a cure. The World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC) are seeing a significant increase in attacks from South Korea and South America. Such organizations are encouraged to utilize Artificial Intelligence (AI) and automation, as well as operate in a zero-trust environment to strengthen their cybersecurity. This article continues to discuss the targeting of COVID-19 vaccine research organizations by cybercriminals, the impact of cyberattacks on vaccine development, and what companies should do to protect their COVID-19-related research.

TechRepublic reports "Cybercriminals Unleash Diverse Wave of Attacks on COVID-19 Vaccine Researchers"