News Items

If you are traveling this holiday season, the FBI is warning travelers of the dangers of using free WiFi networks while traveling, such as hotels or airports. Connecting to a free WiFi network can allow an adversary to load malware, steal the user's passwords and PINs, or take remote control of the user's contacts and camera. If you do use a public WiFi network, then do not use the network to look or login to anything that could contain sensitive information, for example, like bank accounts.

ZDNet reports: "FBI Warns Against Using Free WiFi Networks While Traveling"

Wawa locations have been affected by a data breach. The breach was discovered on December 10, 2019, contained by December 12, 2019, and has potentially affected all Wawa locations beginning at different points in time after March 4, 2019. The data breach affected credit and debit card numbers, expiration dates, and cardholder names for potentially all purchases made in Wawa locations and at fuel dispensers. No other personal information was accessed, including PIN numbers, credit card CVV2 numbers, and driver's license information.

Business Insider reports: "Wawa Reveals Massive Data Breach"

Security researchers at Sophos have discovered the use of steganography techniques by a hacking group, named MyKingz. Steganography is an ancient practice in which messages are communicated via formats that conceal the delivery of the messages. Cybercriminals have been using steganography techniques to hide malicious data or malware in image files, video clips, audio files, and other unsuspecting formats. The MyKingz group is applying steganography by using a JPEG image of Taylor Swift to hide a malicious EXE file. According to researchers, the group has been targeting Windows systems to execute cryptojacking attacks. This article continues to discuss the concept of steganography, the use of this technique by the MyKingz group, and other notable attacks in which steganography methods were used.

CISOMAG reports "Attackers Using Taylor Swift Image to Hide Malware Payloads"

A study conducted by Steve Furnell, Professor of Information Security and leader of the Centre for Security, Communications and Network Research (CSCAN) at the University of Plymouth, explored the effectiveness of password meters. Password meters are supposed to guide users in the creation of strong passwords to bolster the security of their accounts and personal data. However, the assessment of 16 commonly used passwords meters revealed that the effectiveness among these meters vary as some push for the creation of more complex passwords, while other meters allow significantly weak passwords. In addition to examining the effectiveness of dedicated password meter websites, the study also assessed meters embedded in Dropbox, Reddit, and other common online services, as well as those used by some devices. This article continues to discuss the study and its key findings surrounding password meters.

The University of Plymouth reports "'Inconsistent and Misleading' Password Meters Could Increase Risk of Cyber Attacks"

Financial services firms made up 6 percent of all the breaches in 2019. In total, more than 60% of all leaked records in 2019 were exposed by financial services organizations, partly due to the Capital One mega breach, which compromised more than 100 million records. Despite this outlier, average breaches in financial services companies still tend to be more significant and more detrimental than other sectors' breaches. Hacking and malware remain the primary cause of data breaches in financial services at 74.5%.

Help Net Security reports: "Hacking and Malware Cause 75% of all Data Breaches in the Financial Services Industry"

While smart cars offer unique benefits, they also introduce significant security risks that have the potential to lead to loss of life. As vehicles increase in connectivity to the internet, they become more vulnerable to being hacked, manipulated, and disabled. The presence of vulnerabilities in connected vehicles creates more opportunities for cybercrime. A study conducted by researchers at Michigan State University explores automotive cybersecurity through the lenses of criminal justice theory and social sciences as such aspects are often under-examined. The study calls for automotive and equipment manufacturers to be active guardians in the cybersecurity of smart cars by constantly applying system patching updates, writing new code, and more. Automotive manufacturers need to be as active as smartphone manufacturers in the release of security updates to connected vehicles. This article continues to discuss key findings of the study and suggestions on how to improve automotive cybersecurity.

SciTechDaily reports "Your Car May Be Vulnerable to Cyberattacks - Even the Smartest of Smart Cars Have Issues"

The implementation of biometrics technology such as facial recognition continues to grow. However, researchers from the artificial intelligence company, Kneron, have proved that facial recognition biometrics is not as strong or foolproof as one would think. The researchers were able to fool facial recognition systems applied at banks, airports, and crossing checkpoints, using high-quality 3D masks of another person's face. The 3D mask allowed researchers to bypass these systems and make purchases under the guise of another person. They also displayed a photo of a person's face to trick a self-boarding system as well as a train station system in which facial recognition is used to allow travelers to make payments. This article continues to discuss the demonstrated use of masks and photos to trick facial recognition systems, as well as the concerns raised by such technology.

Engadget reports "Researchers Bypass Airport and Payment Facial Recognition Systems Using Masks"

The 2020 State of Compliance and Security Testing Report released by Synack highlights results from a survey in which 311 North American organizations shared information about their security compliance testing. The results gave insight into the challenges faced by organizations in their efforts to ensure that their business assets comply with security standards. According to the report, the expense of security testing is a major challenge for organizations as they incur costs from test activity, remediation, efficient scaling, false positives, the integration with DevOps processes, and more. Other challenges include scheduling security tests, managing testers, ensuring effective testing, and the time it takes to conduct such tests. The survey also found that most organizations are spending 20 hours or less on security testing, perhaps due to limited budgets and small teams. However, as cyber incidents continue to grow in frequency and complexity, organizations will have to implement continuous security testing solutions that require 1500-2000 hours a year. This article continues to discuss key findings from Synack's report in regard to the common challenges and current trends in security testing.

TechRepublic reports "Organizations Moving Toward More Rigorous Security Testing to Ensure Compliance"

The Sophos Managed Threat Response (MTR) team discovered a sample of Snatch ransomware when they were investigating an organization's network for a ransomware infection. Further analysis of the new strain of Snatch ransomware revealed that it evades security tools by rebooting infected machines in Safe Mode. This technique allows the ransomware to more effectively encrypt victims' files since most security solutions are automatically disabled in Safe Mode. Snatch is just one of a few ransomware strains that have recently adopted such evasive techniques. Samples of ShurLOckr ransomware were discovered by Comodo to be circumventing security screenings performed by Google Drive and Microsoft 365 to infiltrate the cloud and infect users of an organization's cloud platform. This article continues to discuss the Snatch ransomware, the increase in evasive ransomware, and how security professionals can defend against such ransomware.

Security Intelligence reports "Snatch Ransomware Reboots Machines In Safe Mode to Bypass Endpoint Protection"

New Orleans declared a state of emergency following the detection of a cyberattack on its networks. According to the city's head of IT, Kim LaGrue, shortly after the detection of suspicious activity in the city's networks, there was a sharp increase in attempted phishing and ransomware attacks. Once the IT team was sure that the city was being hit with a cyberattack, servers and computers were immediately shut down and a declaration of a state of emergency was filed by city authorities with the Civil District Court. Work is still being done to recover the data that was impacted by the attack. This article continues to discuss the cyberattack faced by New Orleans, how the city responded to this incident, other cities that have recently experienced such attacks, and why there has been an increase in the targeting of government authorities by cybercriminals.

Technology Review reports "New Orleans Has Declared a State of Emergency After a Cyberattack"

A secure data backup system for medical records, called Healthcare Long-term Integrity and Confidentiality Protection System (H-LINCOS), was developed by the National Institute of Information and Communications Technology, Kochi Health Science Center, and other collaborating research teams. The system would be useful if a disaster occurs as it would allow medical records to be cross-referenced and shared between hospitals. The researchers demonstrated the distributed storage of medical records as well as the quick restoring of medical information such as prescription records and allergy information. Secure communication and secret sharing technologies are used to ensure the confidentiality of medical records. These records can also be easily shared and cross-referenced because the system conforms to a standardized data format. This article continues to discuss the importance of H-LINCOS, the demonstration of this system by researchers, and how the system will continue to be improved.

EurekAlert! reports "Secure Data Backup of Medical Records Using Secret Sharing and Secure Communications"

In a new survey, findings prove that IT executives have rising SaaS security fears, and worry about cloud security, proprietary data encryption, as well as the loss of independent control due to access limitations. Nearly all executives surveyed (92 percent) believed that they would require SaaS vendors to provide more tailored and flexible security options in the future. Seventy percent of companies surveyed said they had made at least one security exception for a SaaS vendor. Only 19 percent of respondents said 75 percent or more of their SaaS vendors meet all of their security requirements. Overall, those surveyed said they are troubled by the current level of security and accountability provided by their SaaS vendors. Nearly two-thirds are so concerned that they intend to retire applications that do not provide the level of security control they want. The survey also shows that IT executives not only understand the importance of security as it relates to today's SaaS applications but that they are taking swift and necessary steps to protect their enterprises by retiring these applications as quickly as possible.

Help Net Security reports: "SaaS Security Fears: Is Your Data Exposed To Potential Risk?"

Another incident further raises a concern about the growing use of inadequately secured Internet of Things (IoT) devices. A video recently surfaced online, in which a hacker is heard to talking to a little girl in her bedroom via her family's Ring security camera. This nightmarish event calls for consumers to make more of an effort to secure their smart home devices as Ring has stated that the incident was not the result of a breach or compromise of Ring's security. Ring pointed out that customers often use the same username and password across multiple accounts on different services, increasing the success of credential stuffing attacks. Such attacks refer to the use of stolen account credentials from data breaches to access accounts on other services. The company suggested that users enable two-factor authentication (2FA), increase the complexity of their passwords, and regularly change their passwords. This article continues to discuss the incident in which a hacker accessed a family's Ring camera to talk to a child, what consumers should do to secure such devices and other incidents where children were targeted by hackers.

Silicon UK reports "Hacked Ring Camera Found In Child's Bedroom"

Researchers at AV-TEST have discovered vulnerabilities in the SMA M2 smartwatch, manufactured by Shenzhen Smart Care Technology Ltd. According to researchers, the smartwatch designed for children contains vulnerabilities that could allow hackers to perform malicious activities such as eavesdrop on users, leak personal data, expose GPS position data, and masquerade as a child's parent via messages and phone calls. The exploitation of these vulnerabilities gives potential attackers the ability to track the location of children and access data on their parents' accounts. The personal data that can be accessed by hackers through the abuse of the IoT smartwatch's flaws include names, addresses, ages, and contacts such as relatives. The flaws derive from weak authentication and a lack of encryption. More than 5,000 children and 10,000 parents are impacted by the vulnerability of this smartwatch to hacking. This article continues to discuss the presence of vulnerabilities in the SMA M2 smartwatch, how these security issues can be abused by hackers, SMA's response to this discovery, and findings of security flaws in other popular IoT smartwatches.

Threatpost reports "IoT Smartwatch Exposes Kids' Personal, GPS Data"

A team composed of computer scientists from the University of California San Diego, the French National Center for Scientific Research, the University of Limoges, and the French research institute for digital sciences Inria, has set a new record for cracking the largest encryption key. The team was able to factor an RSA key that has 240 decimal digits and 795 bits. The previous record was made in 2010 in which a key with 232 decimal digits and 768 bits was cracked. The team also computed a discrete logarithm that is 795 bits in size. According to researchers, it took them a total of 35 million core hours to crack RSA-240 and compute the discrete logarithm. The calculation does not pose a threat to computer security as the size of the RSA key broken in this record is much smaller than the size of keys used by modern computers. However, based on Moore's Law, computer scientists expect to be able to crack larger keys as the processing power of computers increases. This article continues to discuss RSA cryptography, the importance of discrete logarithms, and the new record set for cracking encryption keys.

New Scientist reports "Number-Crunchers Set New Record for Cracking Online Encryption Keys"

A vulnerability in the KeyWe smart lock has been discovered by security researchers at F-Secure. KeyWe's smart lock was designed to make it easier for homeowners to lock and unlock their doors by allowing them to do so through the use of an app. However, the vulnerability discovered by researchers could allow hackers to sniff the traffic between the mobile app and the smart lock to recover the secret key needed to unlock the smart lock. One researcher pointed out that the exploitation of this flaw can be performed, using inexpensive network-sniffing devices. The researchers also found that the flaw cannot easily be patched because the firmware used by the current version of the lock can't receive over-the-air updates. This article continues to discuss the smart lock vulnerability, KeyWe's response to this discovery, and the risk posed by IoT devices because of the lack of cybersecurity standards for such devices.

CNET reports "Smart Lock Has a Security Vulnerability That Leaves Homes Open for Attacks"

A U.K.-based penetration testing company Fidus Information Security found more than 752,000 applications for copies of birth certificates on an Amazon Web Services (AWS) storage bucket. The bucket discovered also had 90,400 death certificate applications, but these could not be accessed or downloaded. TechCrunch verified the data by matching names and addresses against public records. An online company that allows users to obtain a copy of their birth and death certificates from U.S. state governments is responsible for the exposed massive cache of applications. The bucket wasn't protected with a password, allowing anyone who knew the easy-to-guess web address access to the data. The applications dated back to late-2017, and the bucket was updating daily. In one week, the company added about 9,000 applications to the bucket. Fidus Information Security and TechCrunch have warned the online company, Amazon, and the local data protection authority of the security lapse.

TechCrunch reports: "Over 750,000 Applications For US Birth Certificate Copies Exposed Online"

A widely-used remote-access hacking tool, called the Imminent Monitor Remote Access Trojan (IM-RAT), was recently taken down by Australian and European law enforcement. The tool had been sold to a little over 14,000 buyers in 124 countries via the black market for about seven years. More than 115,000 different attacks were executed against Palo Alto Networks' customers through the use of IM-RAT. Officials have said that the tool was used by cybercriminals to steal different types of personal data from victims' machines such as photos, passwords, and videos. This article continues to discuss IM-RAT in relation to its widespread distribution, application in the execution of attacks, evolution, creator, and takedown by police.

CyberScoop reports "Australian and European Police Shut Down Access to Popular Criminal Hacking Tool"

Google announced that it had achieved quantum supremacy by performing a specific quantum computation at a greater speed than the best classical computers. IBM contested Google's claim of quantum supremacy, expressing that it had already made this breakthrough with its classical supercomputer having the capability to perform the computation almost at the same speed as Google's latest quantum processor, but with a higher degree of accuracy. However, there are still doubts about quantum computing as Michel Dyakonov, a theoretical physicist at the University of Montpellier in France has stated reasons as to why practical quantum supercomputers will never be built. Random errors, which are unavoidable in any physical system, make the future of quantum computing unlikely. This article continues to discuss what a quantum computer is, the need for noise and error correction in quantum computing, as well as quantum cryptography.

The Conversation reports "A Quantum Computing Future Is Unlikely, Due to Random Hardware Errors"

In a news study, Microsoft has found that 44 million Microsoft Azure AD and Microsoft Services accounts are vulnerable to account hijacking due to users using compromised passwords. Microsoft forced users to change their passwords if they found that the user's password matched the ones that were compromised. Microsoft suggests that users set up Multi-factor authentication to help prevent account hijackings. NIST suggests companies should verify that passwords are not compromised before they are activated. Passwords should also be checked frequently against a dynamic database comprised of known compromised credentials.

Help Net Security reports: "Compromised Passwords Used on 44 Million Microsoft Accounts"

The implementation of biometrics-based security in Apple's iOS such as fingerprint authentication is supposed to add an extra layer to the protection of users' sensitive information. However, this feature is still being improperly used by most people. A study on the use of Apple's biometric fingerprint technology, Touch ID, shows that most users are unaware of this feature's purpose and proper use. In order to use Touch ID, a user must create a PIN or password for additional security validation after the device is restarted or when 48 hours has passed since the device was unlocked. A study conducted by researchers found that most Touch ID users are unaware that they could use passwords instead of PINs. Those that are aware, use easy PINs because they are easier to remember. This article continues to discuss the lack of awareness about the purpose of technologies such as Touch ID, the types of attacks that can be used to reveal passcodes, and studies that have shown that biometric systems are still not completely secure.

NextGov reports "Fingerprint Login Should Be a Secure Defense for Our Data, But Most of Us Don't Use It Properly"

Security researchers have observed an increase in ransomware attacks targeting network-attached storage (NAS) and backup storage devices. Ransomware continues to be a major threat to enterprises, hospitals, and utilities. NAS systems are devices connected to a home or enterprise network that functions as a centralized location for authorized network users to store and recover data. According to security researchers, attackers can circumvent user authentication as a result of vulnerable integrated software in NAS systems, allowing the execution of ransomware attacks on these devices. This article continues to discuss the concept behind ransomware, the increase in ransomware attacks on NAS systems, and other recent findings pertaining to the use of ransomware by cybercriminals.

ZDNet reports "New Ransomware Attacks Target Your NAS Devices, Backup Storage"

Researchers from Visa's Payment Fraud Disruption (PFD) team have found a new JavaScript-based payment card skimmer, dubbed Pipka, which has affected 16 e-commerce websites. Web skimming refers to the injection of malicious scripts into online merchant sites to steal payment card information. Web skimming attacks are usually performed by inserting malicious scripts into checkout pages where users enter their payment card information. Pipka differs from another web skimmer, called Magecart, in that it is customizable, allowing attackers to set the skimmer's targeted form fields from which they want data to be stolen. In addition to other features that sets Pipka apart from Magecart, the new web skimmer is capable of deleting itself from a web page's source code after it has been executed. This article continues to discuss the concept of web skimming, known skimmers such as Magecart, the capabilities of Pipka, and suggested mitigation measures against this attack.

CSO Online reports "Web Payment Card Skimmers Add Anti-Forensics Capabilities"

Florida's Secretary of State, Laurel Lee, recently discussed the insecurity of state and county elections websites with the governor's Cybersecurity Task Force. She stressed the importance of bolstering the security of these websites against hackers as their attacks could alter election results and erode the public's trust in the election process. According to Lee, the Florida Department of State is working to improve the security of those sites, stay up-to-date on cyber threats, and learn about security tactics. The Department of State established the Joint Election Security Initiative (JESI) in which 67 county elections offices are trained to identify vulnerabilities and recognize attacks such as phishing attacks, denial-of-service (DoS) attacks, and more, facing election infrastructure. Lee pointed out that these attacks are often executed through the exploitation of human behavior, further emphasizing the importance of security awareness training. This article continues to discuss the importance of securing election infrastructure and efforts that are being made to improve election security.

GovTech reports "Hackers Could Disrupt Elections by Altering Websites"