News Items

The financially-motivated, advanced persistent (APT) hacking group, FIN7, has stolen an estimate of $1 billion over the years by stealing payment card data from hotels, fast-food restaurants, and other organizations around the world. In recent months, the group has made changes to its hacking tools and techniques, resulting in an increase in data breaches and the pilfering of more money. The US government-funded organization, MITRE, is now trying to decrease FIN7 hacks by assessing software vendors' ability to block attacks similar to that of the FIN7 group. The results of this assessment will be made public, which will pressure vendors to improve their efforts to secure their products against different attack techniques. This article continues to discuss the FIN7 hacking group and MITRE's security validation efforts aimed at decreasing attacks by hacking groups.

CyberScoop reports "Can Software Vendors Block a Notorious Criminal Group's Attacks? MITRE Wants to Find Out"

A major security breach has been discovered that has hit MGM Resorts. Researchers found personal details of guests on a hacking forum this week. The stolen data belonged to regular tourists, celebrities, tech CEOs, and government officials. The leaked files contained personal details of 10,683,188 former hotel guests. The information includes full names, home addresses, phone numbers, emails, and dates of birth. MGM Resorts believes that no financial information, payment cards, or passwords were involved with the breach.

Digital Trends reports: "Hackers Expose Personal Details of 10 million MGM Hotel Guests"

Winter 2020 Lablet Quarterly Meeting

Engineers at Rice University have developed a technique that can significantly increase the security of the Internet of Things (IoT). The method introduced by Kaiyuan Yang, an assistant professor of electrical and computer engineering at Rice's Brown School of Engineering, and graduate student Yan He, is hardware centered and aimed at defending against new types of attacks specifically created to compromise IoT and mobile systems. The engineers built energy-efficient and low-cost circuits that would make these systems 14,000 times more secure than existing protective technologies and techniques. Such advancements are essential as the adoption of IoT devices continues to grow. Other recent studies have shown that vulnerable IoT devices could allow attackers to access an entire network. This article continues to discuss the Rice team's technique to bolster IoT security and Rice University's previous breakthrough in the protection of IoT devices.

Rice University reports "Rice Boosts 'Internet of Things' Security -- Again"

A US gas pipeline operator has been hit with ransomware, encrypting data on its information technology (IT) and operational technology (OT) networks. The ransomware impacted human-machine interfaces (HMIs), data historians, and polling servers. As a result, the affected natural gas compression facility temporarily shut down. According to an advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the cyberattack appeared to have started with a spearphishing attack. Failure to implement effective network segmentation increased the success of the attack. CISA has advised asset owner-operators across all critical infrastructure sectors to learn from the mistakes discovered in the investigation of this incident. Operators are also encouraged to implement mitigations such as using multi-factor authentication for remote access to networks, adding cybersecurity to safety training programs, and more, in order to avoid falling victim to such attacks. This article continues to discuss the cyberattack on the US gas pipeline, what mitigations should be applied by asset owner-operators in all sectors, and current efforts to help pipeline operators bolster their cybersecurity posture.

Help Net Security reports "US Gas Pipeline Shut Down Due to Ransomware"

Researchers from Eclypsium, have discovered new firmware vulnerabilities in Wi-Fi adapters, USB hubs, trackpads, and cameras that are putting millions of peripheral devices in danger of a range of cyberattacks. Most of the vulnerabilities found are caused by a lack of proper code-signing verification and authentication for firmware updates. The lack of proper code signing verification can allow adversaries to conduct remote code execution, denial of service, and more. The researchers found that TouchPad and TrackPoint firmware in Lenovo Laptops, HP Wide Vision FHD camera firmware in HP laptops, and the Wi-Fi adapter on Dell XPS laptops all lacked secure firmware update mechanisms with proper code-signing.

Threatpost reports: "Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs"

The 5G mobile communication standard will bring improvements regarding speed, latency, and network capacity. However, as with any other new technology, 5G networks are expected to be abused by threat actors. The potential security vulnerabilities associated with 5G networks must be evaluated and addressed before the widespread implementation of 5G technology. A report on EU-wide coordinated risk assessment of 5G network security highlights the possible effects of 5G deployment, which include increased sensitivity of network equipment, a higher number of entry points for attackers, and a wider talent gap. This article continues to discuss the current state of 5G deployment, why supplier monopoly is considered a significant risk, and other possible security effects of 5G network deployment.

CISOMAG reports "5G Networks Present New Risks and Security Challenges"

Due to the improper security of an Amazon Web Services (AWS) S3 bucket, approximately 900,000 documents were leaked from NextMotion, a France-based technology company that provides imaging and patient management services for 170 plastic surgery clinics globally in 35 countries. The unsecured S3 bucket exposed patients' personally identifiable information (PII), photos, videos, dermatological treatments, and consultation documents. Researchers stressed the danger of leaking this type of data as it could be used by malicious actors to perform a variety of scams, fraud, and online attacks. This article continues to discuss the exposure of plastic surgery patients' photos, videos, and PII resulting from an unsecured database.

Bleeping Computer reports "Plastic Surgery Patient Photos, Info Exposed by Leaky Database"

A team of researchers from King Abdullah University of Science and Technology, the University of St. Andrews, and the Center for Unconventional Processes of Sciences claims to have demonstrated a "perfect secrecy cryptography system" that is resistant to future attacks by quantum computers. Much research on achieving perfect secrecy in cryptography has focussed on using quantum key distribution (QKD) systems. These systems use particles of light known as photons to encode data in quantum bits, which are transmitted to a sender and receiver in the form of an encryption key. However, the deployment of QKD systems would require companies and governments to invest a considerable amount of money into new quantum communication channels. The new perfect secrecy cryptography technique described in the journal, Nature Communications, is said to function using existing optical communication infrastructure. This article continues to discuss how the new method of achieving perfect secrecy in cryptography works, the skepticism about this approach, and other attempts at achieving perfect secrecy using QKD systems.

IEEE Spectrum reports "New Cryptography Method Promising Perfect Secrecy Is Met With Skepticism"

A formal risk framework aimed at improving the development of secure machine learning (ML) systems has been developed by researchers at the Berryville Institute of Machine Learning (BIML). The BIML researchers conducted an architectural risk analysis of ML systems, concentrating on highlighting the issues that engineers and developers need to consider in the design of ML systems. BIML researchers' architectural analysis delved into the different components of a typical ML system, including raw data, dataset assembly, and learning algorithms. The data security risks associated with each of the components, such as data poisoning, subtle nudges to an online learning system, and more, were identified and ranked. The identification, ranking, and categorization of these risks can help engineers and developers figure out what security controls need to be implemented to mitigate those risks. This article continues to discuss BIML's architectural risk analysis of ML systems and the importance of securing data when using such systems.

Dark Reading reports "Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems"

Amazon, U.K.-based OneWeb, and other companies are racing to put thousands of satellites in space. These satellites are expected to improve environmental monitoring, global navigation systems, and access to the internet in remote areas of the world. However, commercial satellites are vulnerable to cyberattacks due to the complexity of their supply chains, layers of stakeholders, and lack of cybersecurity standards and regulations. If hackers were to hijack these satellites, they could perform malicious activities such as disable functions, deny access to services, spoof signals, and more. Hackers could cause steerable satellites to crash into each other. Such attacks pose a threat to critical infrastructure, including electric grids, water networks, and transportation systems. This article continues to discuss the launch of new commercial satellites to space, how these satellites could improve everyday life, the vulnerability of these satellites to hacking, notable attacks on satellites over the years, and the need to develop cybersecurity standards for satellites.

Homeland Security News Wire reports "Hackers Could Shut Down Satellites - or Turn Them into Weapons"

Researchers at Huazhong University of Science and Technology did a study on the security of electroencephalography (EEG)-based brain-computer interfaces (BCIs). Breakthroughs in machine learning (ML) have led to the advancement of BCI spellers, which allow people to use their brain activity to control their computers. Much research on developing BCI classifiers has focussed on increasing speed and reliability instead of examining the security vulnerabilities they may have. Recent studies have shown that that ML algorithms such as those used in computer vision, speech recognition, and more, are vulnerable to a variety of attacks. These attacks could lead to misclassification or the production of incorrect output. In this study, researchers examined P300 BCI spellers, which are used in clinics to assess or detect disorders of consciousness. They discovered that adversarial attacks on BCI spellers could result in usability issues, misdiagnoses, and other consequences, posing a threat to the well-being of patients. Researchers hope that this research will help inform the development of better techniques for securing BCIs. This article continues to discuss the goal and key findings of the study on EEG-based BCI security.

TechXplore reports "Study Unveils Security Vulnerabilities in EEG-Based Brain-Computer Interfaces"

In a new survey conducted by DomainTools and Ponenom Institue, they found that many companies (77 percent) continue to use or plan to use automation in IT in the next three years. 51 percent of IT respondents believe that automation will decrease headcount in the IT security function, and 37 percent of IT employees believe that automation will cause them to lose their jobs. Overall, 74 percent of the participants agreed that automation enables IT security staff to focus on more severe vulnerabilities and overall network security. 74 percent of the participants say that automation is not capable of specific tasks done by IT security staff. The participants also believe that automation delivers productivity benefits such as reducing false positives and/or false negatives (43 percent), increasing the speed of analyzing threats (42 percent), and prioritizing threats and vulnerabilities (39 percent). The researchers also discovered that participants think that the most common activities likely to be replaced by automation in the next three years are log analysis (68 percent), threat hunting (60 percent), and DevOps (37 percent).

Help Net Security reports: "Security Pros Anticipate Automation Will Reduce IT Security Headcount, but not Replace Human Expertise"

Researchers from the University at Buffalo School of Management did a study to find out which personality traits led people to become black, white or gray hat hackers. The researchers surveyed 439 college sophomores and juniors in computer science and management to learn about their personality traits. Scales were then developed to determine the three different types of hacking hats and measure how each person perceives the consequences and opportunities associated with participating in criminal activities. The findings of the study suggest that security compliance will remain a challenge for businesses and organizations. This article continues to discuss the differences between black, white, and gray hat hackers, as well as how the study was done by researchers, what the research findings suggest, and what organizations can do to reduce or prevent security breaches.

University at Buffalo reports "Inside the Mind of a Hacker"

Researchers have discovered an unsecured database belonging to cosmetic giant Estee Lauder, which exposed over 440 million company records. The database, is hosted on the company's Microsoft Azure cloud platform. Since discovering the unsecure database, the company has secured, and password protected the database. It is not clear how long the database was exposed or if anyone accessed any of the data. The researchers discovered the database on January 31st. The unsecured data on the database included: user emails stored in plain text, including internal email addresses from the @estee.com domain; Numerous internal IT logs, including production, audit, error, content management system and middleware reports; References to reports and other internal documents; References to IP address, ports, pathways, and storage used within the company.

Bank Info Security reports: "Unsecured Estee Lauder Database Exposed 440 Million Records"

According to the recently released Malwarebytes Lab 2020 State of Malware Report, the volume, sophistication, and diversity of cyberattacks against businesses is increasing. Some of the key findings shared in the report include a 98 percent increase in threats faced by the medical sector, the number of malware threat detections on Mac surpassing that of Windows, and a 463 percent increase in adware. The report also highlights the significant rise in the use of hacking tools to manually infect business via misconfigured ports or unpatched vulnerabilities. This article continues to discuss the essential findings of the report regarding the growing frequency and complexity of cyberattacks and threats against businesses.

HealthITSecurity reports "Hackers Increasing Complex Attacks with Hack Tools, Ransomware"

Researchers from Tamagawa University in Japan demonstrated a method to secure wireless transmissions, which involves the use of random quantum noise. Although previous studies revealed the effectiveness of using artificial random noise to prevent interference with secure data transmission, this type of noise is not truly random. The researchers will present their method at the Optical Fiber Communication Conference and Exhibition (OFC) in March 2020. Their proposed cipher system successfully encrypted and decrypted plain text data in two different ways, while maintaining strong signal quality and protection against transmission interception. As new applications emerge in the era of 5G and 6G, such advancements in security are essential. This article continues to discuss the new cipher system for quantum noise encryption and decryption applications, the research behind this system, and the importance of randomness in cryptography.

Business Wire reports "Quantum Noise Generation Allows For Secure Wireless Transmissions"

Researchers at Ben-Gurion University (BGU) of the Negev have demonstrated a new way to extract data from air-gapped computers, which involves altering the pixel density of these computers' LCDs. Air-gapped computers refer to systems isolated from the internet due to its containment of highly sensitive information. Other methods of stealing data from air-gapped computers that have been discovered by BGU researchers, involve using speakers, blinking LEDs in PCs, infrared lights in surveillance cameras, and computer fans. In a recently published paper, the researchers described a covert optical channel that can be detected by cameras, but not users. The idea is to transmit the information by changing a screen's brightness in a sequential pattern. A camera would be used to capture the compromised computer's screen. This article continues to discuss the method discovered by BGU researchers that can be used to covertly transmit data from an air-gapped computer, the limitations of this technique, and other methods developed by researchers to communicate with such computers.

Naked Security reports "Researchers Transmit Data Covertly by Altering Screen Brightness"

Healthcare continues to be a common target for cybercriminals, as indicated by the increased frequency of data breaches and ransomware attacks faced by healthcare organizations. According to Black Book Market Research, data breach breaches cost the healthcare sector an estimate of $4 billion in 2019. The CyberMed Summit is a conference that gathers physicians, security researchers, medical device manufacturers, healthcare administrators, and policymakers to discuss cybersecurity problems faced by the healthcare industry and how these problems could be addressed. Raising awareness among patients about the cybersecurity of medical devices was a major topic of discussion at the 2019 summit. This article continues to discuss the increased targeting of the healthcare industry by cybercriminals, the significant impact that cyberattacks on medical devices could have on patients, the CyberMed Summit, and the "last mile" awareness problem discussed at last year's summit.

Ars Technica reports "Why Is the Healthcare Industry Still So Bad at Cybersecurity?"

Corvus, a provider of AI-driven commercial insurance products, conducted research released new research that highlights the increasing vulnerability of governments to cyberattacks. According to a report from Corvus, three factors make governments soft targets for cybercriminals. These factors include larger attack surfaces, lack in the use of basic email authentication schemes, and higher rates of internal hosting. Researchers stress that the combination of these three key factors leaves governments more vulnerable than other organizations. This article continues to discuss the findings of Corvus' report on the security of municipal governments and agencies.

Infosecurity Magazine reports "Governments Are Soft Targets for Cybercriminals"

Google has put out a new security update to address a critical flaw that researchers found in Android's Bluetooth implementation. The flaw allows remote code execution without user interaction. The vulnerability is called CVE-2020-002 and affects devices running Android Oreo (8.0 and 8.1) and Pie (9.0). Two-thirds of Android devices in use have this flaw, which is why it is rated critical. No user interaction is needed to exploit the flaw, an adversary only needs to know the Bluetooth MAC address of the target, and can use the flaw to obtain personal data or distribute malware.

WeLiveSecurity reports: "Critical Bluetooth Bug Leaves Android Users Open to Attack"

Researchers have discovered and analyzed a malware program that can spread the Emotet Trojan to nearby wireless networks and compromise computers on them. Emotet is one of the most versatile malware threats currently used. The researchers found that after the malware infects a computer that has Wi-Fi capability, it then uses the wlanAPI interface to discover any Wi-Fi networks in the area. If the Wi-Fi networks found require passwords to join, then the malware will try to guess the possible passwords, and if it guesses the passwords correctly, then it will connect to the Wi-Fi network. Once Emotet is on the Wi-Fi network, it will then scan all other computers connected to the same network for any Windows computers that have file sharing enabled. The malware then retrieves a list of all user accounts on those computers discovered and attempts to guess the passwords to those accounts as well as the Administrator account. If the malware can guess the correct passwords, then the malware copies itself to that computer and installs itself by running a remote command on the other computer.

Help Net Security reports: "Emotet Can Spread to Poorly Secured Wi-Fi Networks And Computers on Them"

Travelers are urged to avoid using publicly available USB power charging stations because they may be infected with dangerous malware. The Los Angeles County District Attorney's Office recently pointed out the use of publicly accessible USB charging ports or cables at shopping centers, hotels, fast-food restaurants, and on public transport, by cybercriminals to perform malicious activities. In a USB Charger Scam, called "juice jacking," cybercriminals are loading malware onto the charging stations or cables in public areas to infect unsuspecting users' devices. The malware can then allow attackers to steal personal data, delete data, spy on users' activities, or disable phones. Such activities can leave victims vulnerable to identity theft, financial fraud, and more. This article continues to discuss how the juice jacking attack works, how users can tell if they experienced this attack, in addition to how users can protect themselves from such attacks or respond if they have been juice jacked.

TechXplore reports "Charging Your Phone Using a Public USB Port? Beware of 'Juice Jacking'"

In 2016, security researchers demonstrated the use of a drone to hack Philips Hue smart light bulbs from the outside of a building. Today, security researchers from Check Point conducted another test on Philips Hue models. They discovered that the same vulnerability used to demonstrate that attack four years ago was never fully addressed as the researchers recently exploited it to hack into a home's computer network. According to researchers, the exploitation of this vulnerability requires patience because it involves uploading a malicious over-the-air update to a Philips Hue Hub and trying to get the owner to reset and re-add the bulb to the network by altering its color and brightness. Although Philips issued a patch to fix the problem, researchers say other brands of smart home systems may also be affected by the same vulnerability stemming from the Zigbee communications protocol. This article continues to discuss the technique used in 2016 to hack Philips Hue smart light bulbs, researchers' recent use of this technique to infiltrate a home network, and how the same protocol flaw may impact other smart home brands.

The Verge reports "Your Philips Hue Light Bulbs Can Still Be Hacked -- And Until Recently, Compromise Your Network"