News Items

Hackers continue to sharpen their skills in the execution of social engineering attacks, resulting in the increased success rate at which they bypass two-factor authentication (2FA) and hijack accounts. SMS-based 2FA remains popular among financial institutions, email services, social networks, online marketplaces, and other service providers due to its convenience and ease of implementation. However, this form of 2FA is not secure because of SIM-jacking, also known as SIM-swapping, which refers to the performance of social engineering to trick mobile carriers into transferring control over a legitimate user's mobile account to threat actors. SIM-jacking can allow attackers to obtain the SMS 2FA code delivered to a victim's registered cellphone number. Security experts propose the use of a more secure version of 2FA, called device-aware 2FA, to avoid such attacks. Device-aware 2FA would not allow require a user to prove they have access to the phone number associated with the account but also the associated phone. This article continues to discuss how attackers are defeating conventional SMS-based 2FA through SIM-jacking, how device-aware 2FA can help prevent such attacks and methods for recognizing devices.

Dark Reading reports "How Device-Aware 2FA Can Defeat Social Engineering Attacks"

Artificial intelligence (AI) is increasingly growing in implementation by organizations. Security professionals expect large organizations of all types to find AI-based tools necessary for the protection of their assets from cyberattacks by the end of 2020. Although using AI in cybersecurity operations is not a foolproof solution, this advanced technology can be beneficial to organizations in several different ways. Professionals within organizations' security operations (SOCs) can use AI to reduce the rising risks and costs associated with data breaches. As state-sponsored cyberattacks against organizations continue to grow in frequency and sophistication, SOCs are embracing AI technology more to assist in the detection and containment of such threats. AI-based cybersecurity tools can also allow organizations to perform better even with smaller SOC teams. This article continues to discuss why the use of AI by organizations in cybersecurity operations is growing.

Security Intelligence reports "Why 2020 Will Be the Year Artificial Intelligence Stops Being Optional for Security"

In a new study on the world's biggest airports, a security company ImmuniWeb found that almost all of them had an alarming lack of systems in place to protect their websites, mobile applications, and public clouds. 66 of the top 100 airports had highly confidential data like IDs, financial records, or plaintext passwords for production systems located on the dark web. 87 percent of the airports had some sensitive or internal data exposed at various public code repositories, such as GitHub or BitBucket. Amongst them, 59 airports were identified with 227 code leakages of critical risk. The researchers also discovered that More than 70 of the 325 exposures found are of a "critical or high risk," indicating a severe breach. Nearly 90% of the airports have data leaks on public code repositories, and 503 of the 3,184 leaks are of a critical or high risk that could potentially lead to a breach. Three percent of airports studied have unprotected public clouds with sensitive data available.

TechRepublic reports: "97 of the World's 100 Largest Airports Have Massive Cybersecurity Risks"

Researchers at the University of Michigan did a new study on the security of voting machines. Findings suggest that people are less likely to notice if a hacker compromised a machine because many of them do not check whether the printout of their ballot is correct. Based on an experiment in which 241 human subjects participated in a realistic polling place environment, researchers found that most voters missed errors and neglected to review their printed ballots. The study further ignites concerns about the vulnerability of voting machines to hacking and post-election audits. Eddie Perez, the global director for technology development at the Open Source Election Technology Institute, emphasized the importance of this research as it examined voter behavior regarding the use of ballot-making devices (BMDs) and how such behavior can impact election integrity. This article continues to discuss the use of BMDs and key findings from the study of how voters behave with these devices.

MIT Technology Review reports "New 'Secure' Voting Machines Are Still Vulnerable--Because of Voters"

In a new study, researchers surveyed 671 IT security professionals responsible for managing and reducing their organization's endpoint security risk. The researchers found that 68% of IT security professionals say their company experienced one or more endpoint attacks that compromised data assets or IT infrastructure in 2019, an increase from 54% of respondents in 2017. Of successful endpoint attacks, 80% were new or unknown, zero-day attacks. Researchers expect the number of zero-day attacks to continue to increase in frequency.

Help Net Security reports: "80% of Successful Breaches Are From Zero-Day Exploits"

The Electronic Frontier Foundation (EFF) conducted an investigation of the Ring doorbell app for Android and found that it contains a number of third-party trackers that share customers' personally identifiable information (PII). According to EFF, there are four main analytics and marketing companies that receive information, including names, private IP addresses, mobile network carriers, and sensor data from these trackers. These companies can combine this information to identify a user's device, posing a threat to the security and privacy of customers. Trackers can spy on what users are doing as well as the time at which they are doing certain activities. This article continues to discuss key findings of the EFF's investigation of the Ring doorbell app, the methodology used to perform this investigation, and how the sharing of sensitive data by third-parties can impact customers.

EFF reports "Ring Doorbell App Packed with Third-Party Trackers"

The first all-optical "stealth" encryption technology has been introduced by Ben-Gurion University of the Negev's (BGU) technology-transfer company, BGN Technologies. The optical end-to-end solution will significantly improve upon the security and privacy of highly sensitive cloud-computing and data center network transmission. Researchers stressed that intensive computing power could be used to break the code of digital encryption technology. Therefore, the researchers developed an end-to-end solution that uses optical equipment instead of digital technology to provide encryption, transmission, decryption, and detection. This article continues to discuss the first all-optical stealth encryption technology developed by BGU researchers in relation to its capabilities and process, as well as the weaknesses of digital encryption technology.

EurekAlert! reports "Researchers Introduce the First All-Optical, Stealth Data Encryption Technology"

The University of Southern California (USC) is making an effort to bolster election cybersecurity through its nonpartisan and independent 50-state election cybersecurity training initiative. Training is provided in each state to participants via daylong workshops. These workshops are created to help increase knowledge and awareness among state and local election officials, and campaign officials about how they can strengthen defenses against cyberattacks. Academics and non-governmental organizations are also welcome to participate in this initiative. Increasing understanding regarding crisis management approaches as well as the protection of campaigns against misinformation and disinformation is also the goal of these workshops. This article continues to discuss the election security initiative led by the USC Annenberg Center on Communication Leadership & Policy pertaining to its structure, goals, and support.

Homeland Security News Wire reports "USC Kicks Off 50-State Election Cybersecurity Trainings"

In 2019 deepfakes became a major emerging cyber threat. Deepfakes is a machine learning model that can create realistic yet fake or manipulated audio and video. Researchers have mostly thought about Deepfake technology potentially being used to spread misinformation campaigns and cause mass manipulation fueled through social media, especially in the realm of politics. Researchers believe that deepfakes in 2020 are going to be a real threat to organizations. Researchers believe that Deepfakes can supercharge BEC attacks in 2020. Currently, the security industry has no appliances, email filters, or any technology to defend against deepfakes. Researches say the best way for organizations to protect themselves from falling for deepfakes is through the education of employees.

Help Net Security reports: "2020: A Year of Deepfakes and Deep Deception"

IOActive researchers discovered that LoRaWAN (Long Range Wide Area Networking ), the widely adopted device protocol within the realms of the Internet of Things (IoT), contains serious security vulnerabilities. According to researchers, the exploitation of these security flaws, as well as the improper implementation of the protocol, could allow attackers to easily obtain LoRaWAN encryption keys to perform denial-of-service (DoS) attacks and deliver false data. In addition, there is currently no way for an organization to know if their LoRaWAN network is experiencing an attack or if bad actors have obtained an encryption key to the network. As the LoRaWAN protocol is said to have built-encryption, organizations are blindly trusting it, not considering the cybersecurity vulnerabilities and implementation issues that can leave LoRaWAN networks susceptible to hacking. This article continues to discuss the widespread adoption of the LoRaWAN protocol, the trust that organizations have in this protocol, the security layers defined by LoRaWAN, the problems associated with this security architecture, and what hackers can do once they have encryption keys to LoRaWAN networks.

Threatpost reports "LoRaWAN Encryption Keys Easy to Crack, Jeopardizing Security of IoT Networks"

The ransomware attack that took Baltimore City's services offline prompted the construction of a new law by Maryland legislators, which is aimed at addressing the threat of these attacks. The proposed bill, Senate Bill 3, would prohibit a person from knowingly possessing ransomware on their computer. However, the law is raising serious concerns among security researchers within the state of Maryland due to its unclear language that states the criminalization of unauthorized access to a computer or computer network. The bill would also prohibit the intentional performance of activities in which a network, computer, or software is disrupted or caused to malfunction. As the bill does not contain research exclusions for these provisions, its enforcement would impede upon academic and independent security researchers' efforts to find, disclose, and fix security vulnerabilities. This article continues to discuss the goal of Senate Bill 3, how the unclear language used in the bill could impact security research and vulnerability disclosure, along with other concerns surrounding this bill.

Ars Technica reports "Maryland Bill Would Outlaw Ransomware, Keep Researchers From Reporting Bugs"

Cybersecurity Snapshots #2 -

Ransomware Is Not Only a Headache but Can Also Kill

SoS Musings #33 -

Put the Brakes on Deepfakes

The use of micromobility vehicles such as e-scooters is rising, which is welcomed as these vehicles help to reduce traffic congestion. However, computer science experts at the University of Texas at San Antonio conducted research in which they examined the security and privacy risks posed by e-scooters as well as the software services and applications used by such vehicles. According to experts, the identified vulnerabilities and attack surfaces in the micromobility ecosystem could be exploited by hackers to perform several different attacks on users, involving eavesdropping, spoofing GPS systems, inferring private data, remotely controlling vehicles, and more. Vendors can face denial-of-service attacks and the exposure of data. This article continues to discuss the weak points discovered in the micromobility ecosystem that could be exploited by hackers and what the exploitation of these vulnerabilities could allow malicious adversaries to do.

Science Daily reports "Security Risk for E-Scooters and Riders"

Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

Researchers discovered that more than 250 million customer service and support records were exposed by Microsoft over two days in December 2019 due to a server misconfiguration. The records included logs of exchanges between Microsoft's customer support and its customers, spanning a 14- year period from 2005 to 2019. Most of the sensitive personally identifiable information was redacted, but there were still some things that were in plain-text form. These records included IP addresses, locations, internal notes which were marked "confidential", customer email addresses, descriptions of customer service support claims and cases, Microsoft support agent emails, case numbers, resolutions, and remarks. The researchers notified Microsoft immediately when found. Microsoft then immediately secured the data and started an investigation within two days of being notified. Microsoft has detected no malicious use of the leaky servers that the records were on.

WeLiveSecurity reports: "Microsoft Exposed 250 Million Customer Support Records"

Teserakt, a Swiss firm specialized in cryptography, recently introduced a type of cryptographic implant named E4, which is aimed at providing end-to-end encryption for Internet of Things (IoT) devices. E4 would be integrated into IoT manufacturers' servers to support consistent protection as IoT data traverse the web. The implementation of E4 will ensure the encryption of data transmitted between IoT devices and their manufacturers. However, IoT developers need to keep in mind that E4 only touches on one component of data protection, not the security of the IoT devices themselves or the protection of a manufacturers' servers from being compromised. Security still needs to be considered in the design and management of IoT devices and their servers. This article continues to discuss the aim and development of Teserakt's E4, as well as the need for larger services to continue their efforts toward enhancing encryption for peripherals and IoT devices.

Wired reports "An Open Source Effort to Encrypt the Internet of Things"

Studies conducted by Cleotilde Gonzalez, a professor in Social and Decision Sciences at Carnegie Mellon and her colleagues, delve deeper into the use of deception in cybersecurity. Using deception in cyber defense operations could help prevent the performance of malicious adversarial activities. Cyber deception reduces the exposure and theft of valuable information. The technique allows defenders to detect, investigate, and lead attackers away from sensitive information when they enter a targeted network or system. Although cyber deception is not a new concept, Gonzalez and her team approach the method through the lens of cognitive science. Their studies propose using defense algorithms that take advantage of attackers' cognitive biases to increase the effectiveness of cyber deception. This article continues to discuss the concept of cyber deception and cognitive science-based strategic techniques that can be used to deceive attackers effectively.

CyLab reports "Cybercriminals: Things Are About to Get a Lot More Confusing for You"

Several cybersecurity-related bills have been passed by the House or the Senate and are likely to be candidates for further action. CSO Online gives an overview of these bills, which include the Cybersecurity Vulnerability Remediation Act, Hack Your State Department Act, National Cybersecurity Preparedness Consortium Act, and IoT Cybersecurity Improvement Act. There are also a number of hot topic cybersecurity issues gaining focus in the proposal of new legislation and the 2020 Congressional debate such as election security, ransomware attacks, supply chain threats, and more. This article continues to discuss the cybersecurity bills passed by the House and the Senate, security-related formal bills that have been introduced in either House or Senate committees, as well as the hot cybersecurity topics this year.

CSO Online reports "2020 Outlook for Cybersecurity Legislation"

Right before the start of the new year, a data breach faced by LifeLabs, one of Canada's major lab diagnostic and testing services, impacted 15 million Canadians. Data exposed in this breach included names, addresses, emails, login passwords, lab test results, and more. These incidents continue to result in the loss of trust and the reluctance to share health data with such services, which could impact healthcare for consumers and research advancements in personalized healthcare. A recent focus group study conducted by the blockchain research cluster at the University of British Columbia, Blockchain@UBC, found that some Canadians are willing to turn to blockchain technology to address the threats of frequent data breaches and unauthorized secondary uses of their data. The use of blockchains can allow consumers to manage their data as well as how the information is shared. This article continues to discuss the LifeLabs data breach, the societal costs of such data breaches, the use of blockchain technology to protect health data, and challenges to using this technology for health data management.

TechXplore reports "How Blockchain Could Prevent Future Data Breaches"

Hong Kong will enforce stronger privacy laws similar to that of the European Union's General Protection Regulation (GDPR), which aims to ensure the protection of personal data belonging to EU residents by enforcing a standard upon any companies that manage this data. A significant breach faced by Cathay Pacific Airways, the flag carrier of Hong Kong, prompted the need to apply stricter penalties for data protection failures. This article continues to discuss the proposed amendments to the regional government's Personal Data (Privacy) Ordinance and the Cathay Pacific Data breach that exposed personal data belonging to 9.4 million passengers.

Infosecurity Magazine reports "Hong Kong Looks to GDPR as it Strengthens Privacy Laws"

A researcher has discovered a collection of over 70,000 photographs harvested from the dating app Tinder on several undisclosed websites. The data found also contained around 16,000 unique Tinder user IDs. The images are available for free. The researcher believes that the reason the adversary collected the pictures and posted the pictures on the undisclosed sites, was so that hackers could create fake online accounts using the images found to lure unsuspecting victims into scams.

Naked Security reports: "What do Online File Sharers Want With 70,000 Tinder Images?"

The FBI, with support from the UK's National Crime Agency, the Dutch National Police Corp, the German Bundeskriminalamtt, and the Police Service of Northern Ireland, took down a site called WeLeakInfo, that was used by cybercriminals to sell stolen personal data to subscribers. The malicious webpage sold plaintext passwords belonging to other people, with subscription fees ranging from $2 to $70, depending on the amount of time chosen to have access to the stolen data provided by the site. The personal data, searchable on the site, was said to be from 10,000 data breaches. Using the WeLeakInfo website, cybercriminals could have accessed data from a collection of 12 billion records, containing information such as names, email addresses, usernames, and phone numbers in addition to passwords to online services. This article continues to discuss what the WeLeakInfo website was used for, as well as the investigation and takedown of the site.

Security Week reports "FBI Takes Down Site Selling Subscriptions to Stolen Data"

Security researchers at PhishLabs further emphasized that SIM swap attacks are making SMS two-factor authentication (2FA) obsolete. A SIM swapping attack refers to the performance of social engineering to trick mobile carriers into transferring control over a legitimate user's mobile account to threat actors. In a blog post, the researchers highlighted a recent Princeton study in which 50 attempts were made to port a stolen number to a SIM card via North American prepaid telecom companies. The study found that in most cases, only one question asked by customer service needed to be answered correctly to authenticate successfully, despite failure to answer previous authentication questions. The success of such attacks can lead to the hijacking of victims' bank accounts. Researchers call for the use of device-based 2FA instead of number-based 2FA to reduce the threat of these attacks. This article continues to discuss SIM swap attacks and how organizations can protect themselves from these attacks.

SC Media reports "SIM Swap Attacks Making Two-Factor Authentication via Smartphones Obsolete"