News Items

Intel recently published a paper in which details about a new type of computer memory were shared. The new type of CPU memory, called Speculative-Access Protected Memory (SAPM), was designed to protect against Spectre, Meltdown, Zombieload, and other speculative execution side-channel attacks. Speculative execution side-channel attacks refer to vulnerabilities deriving from the prediction of future instructions by high-performance microprocessors. Misspeculations leave traces of information behind that could be exploited via side-channels by hackers to gain access to sensitive data stored in memory. A team of researchers at Intel STORM (Strategic Offensive Research and Mitigation) have proposed the replacement of the current CPU memory system with SAPM. SAPM will work as an alternative to existing hardware and software-level mitigations. This article continues to discuss speculative side-channel attacks as well as the new SAPM memory type proposed by Intel to protect against such attacks.

ZDNet reports "Intel Proposes New Sapm Memory Type to Protect Against Spectre-Like Attacks"

A new study conducted by researchers from Michigan State University explores the characteristics and gender-specific behaviors that lead kids to juvenile hacking. Research has focused on the scope and threat posed by hacking. However, there is a lack of understanding surrounding the background factors, social connections, and personality traits that lead to a path of hacking. Thomas Holt, lead author and MSU cybercrime expert in the School of Criminal Justice, determined the predictors for hacking by examining responses from 50,000 teens. Predictors include low self-control, negative peer-associations, and obsession with playing computer games. It was also discovered that there is a difference in predictors between boys and girls. This article continues to discuss the predictors of juvenile hacking, the differences in predictors based on gender, and how parents can encourage their kids to use their skills in a positive way.

Homeland Security News Wire reports "How Kids Get into Hacking"

Significant advancements have been made in machine learning (ML) as this technology has helped in detecting cancer and predicting personal traits. ML technology has also enabled self-driving cars and highly accurate facial recognition. However, ML models remain vulnerable to attacks in which adversarial examples are used to cause the models to make mistakes. Adversarial examples are inputs designed by an attacker to cause a ML model to produce incorrect output, which can pose a threat to the safety of users in the case of self-driving cars. According to privacy-focused researchers at the Rochester Institute of Technology and Duke University, there is a bright side to adversarial examples in that such inputs can be used to protect data and defend the privacy of users. This article continues to discuss ML applications, the use of adversarial examples to disrupt the success of ML models, Facebook's Cambridge Analytic incident, the never-ending cat-and-mouse game of predicting and protecting private user data, and research surrounding the use of adversarial examples to protect data.

Wired reports "Blind Spots in AI Just Might Help Protect Your Privacy"

Magecart is composed of multiple sophisticated hacking groups aimed at stealing credit card numbers through the performance of web-based card-skimming attacks. Security researchers from IBM's X-Force Incident Response and Intelligence Services team have discovered the testing of malicious scripts by Magecart Group 5 (MG5) to inject into websites via commercial routers in order to steal payment details. Previous Magecart attacks largely focused on injecting credit-card skimmers into checkout pages to steal payment details. High-profile brands that have been targeted by Magecart include British Airways, TicketMaster, and Newegg. This article continues to discuss the new tactics being used by one Magecart group to pilfer payment card information and the X-Force team's advice for website owners on how to protect their users from such attacks.

CSO Online reports "Magecart Web Skimming Group Targets Public Hotspots and Mobile Users"

In recent years, there have been a lot of ransomware infections, which have forced healthcare organizations across the U.S. to confront their security weaknesses. Yet largely missing from the equation has been a reliable and thorough set of public data on healthcare ransomware incidents that tracks things like payouts, the number of victims, and strains of malware. There is a new push to create an open source data set with information pertaining to rasnomware attacks on healthcare organizations. This dataset will have to be updated daily, since healthcare organizations are affected by ransomware frequently.

Cyberscoop reports: "As Health Sector Grapples With Ransomware, a Search for Better Incident Data"

A security researcher created a tool called the O.MG cable, which is a modified Apple lightning cable capable of hacking a computer remotely. In addition to performing the normal functions of an Apple cable such as charging phones and transferring data, the O.MG cable enables hackers to remotely hijack a victim's computer, run payloads, and more. According to the security researcher behind this creation, the tool will be mass produced. Once the tool is ready, it will be sold via the penetration testing hardware website, Hak5. This article continues to discuss the capabilities of the O.MG cable as well as the mass production and distribution of this tool.

Motherboard reports "Legit-Looking iPhone Lightning Cables That Hack You Will Be Mass Produced and Sold"

A new flaw has been discovered. The flaw enables bypassing the security protections present in most Apple mobile devices. While the vulnerability can't be patched, an attacker would need physical access to exploit it. The exploit, targets a flaw in the bootrom, also known as "SecureROM". "SecureROM" is code on a read-only memory chip that iOS loads during startup. Numerous models of iPhones have the flaw, ranging from the iPhone 4s with A5 chip, to the newer iPhone 8 and iPhone X, which has an A11 chip. The flaw is also present on other devices that run iOS, such as iPads, watches and Apple's TV products. Devices using Apple's A12 and later chips are not vulnerable.

Bank Info Security reports: "Apple iOS Has Permanent Bootrom Vulnerability"

A flaw has been discovered in ICAO 9303, the security standard of biometric e-passports. An electronic passport has an embedded chip that contains biometric information used to authenticate the identity of the passport bearer. The flaw discovered by researchers at the University of Luxembourg could allow attackers to access data on the e-passport through the use of non-authorized equipment. In addition to identifying passport holders, attackers can keep track of their movements. As ICAO 9303 is a widely-used standard for most passports today, this security vulnerability could have a significant impact on privacy globally. This article continues to discuss ICAO 9303 and the flaw contained by this standard, in addition to the limits and implications of the flaw.

Homeland Security News Wire reports "Privacy Flaw Found in E-Passports"

A new bill, titled the DHS Cyber Hunt and Incident Response Teams Act, has been approved by the U.S. Senate. The aim of the bill is to help government agencies and private-sector companies protect themselves against ransomware attacks. Recent ransomware attacks on local governments and schools prompted the proposal and approval of this bill. The DHS Cyber Hunt and Incident Response Teams Act would require the Department of Homeland Security (DHS) to develop incident response teams tasked with providing assistance to organizations in the event that they experience a cyberattack such as a ransomware attack. The incident response teams would be responsible for restoring infrastructure, mitigating against cyber threats, identifying cybersecurity risks, and more. This article continues to discuss the goal and requirements of the bill, along with recent ransomware attacks faced by cities and schools.

Threatpost reports "Senate Passes Bill Aimed At Combating Ransomware Attacks"

Over a year has passed, since the introduction of the General Data Protection Regulation (GDPR). During a new study, it has been discovered that only 28% of companies have successfully achieved GDPR compliance. Only 30% of organizations are "close to" complete compliance but still actively resolving pending issues. Compliance of GDPR was highest with companies in the US (35%), followed by the UK and Germany (both on 33%), and lowest in Spanish, Italian, (both on 21%) and Swedish companies (18%).

Help Net Security reports: "Companies Vastly Overestimating Their GDPR Readiness, Only 28% Achieving Compliance"

Health services in Wyoming have been disrupted as a result of a ransomware attack. The ransomware attack affected the computer systems of Campbell County Health (CCH), which includes the Campbell County Memorial Hospital, Campbell County Medical Group, Legacy Living and Rehabilitation long-term center, and Powder River Surgery Center. Surgeries have been cancelled along with appointments in the cancer center's radiation oncology department because of the attack. The hospital has also needed to triage patients and then transfer them to alternative care facilities. This article continues to discuss the ransomware attack that affected CCH's 1,500 computers, the impact that this attack has had on health services, and CCH's response to this incident.

Infosecurity Magazine reports "Ransomware Attack Disrupts Wyoming Health Services"

Delivery service DoorDash have been affected by a data breach that affected the information of 4.9 million users, delivery workers, and restaurants. The breach was announced by DoorDash Thursday afternoon. The breach occurred on May 4 and affects people who started using the app before April 5, 2018. The unauthorized third party was able to gain access to users' profile information, including names, email addresses, delivery addresses, order history, and phone numbers. They were also able to obtain the last four digits of some consumers' credit cards, but not full card numbers or CVVs. For some delivery workers and restaurants, the unauthorized third party accessed the last four digits of bank account numbers. DoorDash says that users of the app need to change their passwords ASAP.

Entrepreneur reports: Hackers Stole the Data of 4.9 million DoorDash Users. Here's How to Tell If You Were Affected.

A research team has found an SMS-based hacking technique that actively is being exploited by a spyware vendor to track individual phone users. The attack is being dubbed "Simjacker," and has ramifications for more than 1 billion mobile phones worldwide. The attack relies on malicious text messages, hackers infect target phones to retrieve location information and other data. The attack leverages SIM cards, a circuit that stores customers' international mobile subscriber information in a way that isn't restricted to a single phone platform.

CyberScoop reports: "Meet 'Simjacker,' a Nasty Mobile Vulnerability Researchers say Puts 1 Billion Phones at Risk"

Researchers with the Symantec Attack Investigation Team recently discovered a new hacking group, called Tortoiseshell, which has infected 11 IT providers. According to researchers, the previously undocumented group uses custom and off-the-shelf hacking tools in the launch of their attacks. The planning and implementation of attacks by the Tortoiseshell group indicates that this group is highly skilled and well-resourced. Tortoiseshell has been successful in gaining domain level access to two of the 11 IT providers' networks, allowing connected machines to be controlled by the group. This article continues to discuss the tools, operations, targets, and impact of the Tortoiseshell hacking group.

Ars Technica reports "Advanced Hackers Are Infecting IT Providers in Hopes of Hitting Their Customers"

A misconfiguration in a Google Calendar function that allows Google to index calendars, raises serious privacy concerns. It was discovered that over 8,000 Google calendars were publicly accessible and searchable using the Google engine that could allow anyone to not only access sensitive details saved to them, but also add new events with maliciously crafted information or links. Any calendar designated as "public" for sharing were indexed by Google and then were able to be viewed by anyone making a Google search query, without the calendar link being shared with them.

Bank Info Security reports: "Google Calendar Privacy Concerns Raised"

Instagram's contact importer feature contained a vulnerability that could have allowed malicious actors to access account details and phone numbers using a brute-force algorithm and a network of bots. The information gathered through the exploitation of this security flaw could have also allowed malicious actors to build a database of users, which would be used for future attack campaigns. The vulnerability has now been repaired by Instagram's parent company Facebook. This article continues to discuss how the vulnerability could have been abused by attackers and Facebook's response to this issue.

SC Media reports "Instagram Fixed After Researcher Finds Way to Link Account Info to PII"

Sandia National Laboratory's High-fidelity Adaptive Deception and Emulation System (HADES) applies deceptive cybersecurity tactics to defend systems against hackers. HADES lures hackers into a simulated virtual environment in which defenders can track the hackers' movements as well as observe the tools and techniques used in an attack. The valuable insight gained while using HADES can help defenders develop better approaches to protecting a network and preventing future cyberattacks. This article continues to discuss how HADES can help security defenders and the three components that were merged together in order to create the HADES platform.

NextGov reports "How Hackers Get Stuck In HADES"

Bank of America Merchant Services released a report, which discusses how data breaches impact small businesses and how SMBs handle problems related to such incidents. A survey of consumers and small businesses found that 21 percent of SMBs experienced a data breach within the last 24 months, up from 17 percent two years ago. In addition, 30 percent of consumers stated that they would not return to a small business again if the business experienced a data breach. The top three methods used by SMBs to protect themselves from data breaches include updating point-of-sale (POS) equipment, implementing industry security standards, and training employees. This article continues to discuss key findings of the survey in relation to how small businesses are affected by data breaches and the various methods of protection used by SMBs.

TechRepublic reports "How Data Breaches Are Hurting Small Businesses"

It has been discovered that a hacking group with suspected ties to Iran is continuing a campaign of targeting dozens of schools and universities with phishing emails to obtain credentials and then attempt to access and steal intellectual property. The hacking group is known as "Cobalt Dickens" and "Secret Librarian". In July and August, this hacking group targeted 60 universities and colleges in the U.S., U.K., Australia, Canada, Hong Kong and Switzerland. The group has been targeting universities during the past two years, and have sent phishing emails to over 380 colleges. Some of the individuals of this group were arrested, however they are still trying to steal intellectual properties from universities.

Bank Info Security: "Iranian Hacking Group Continues Targeting Universities"

Researchers at Trend Micro have discovered the vulnerability of internet-connected gas pumps to IoT-based attacks. According to Trend Micro's recent report, titled Internet of Things in the Cybercrime Underground, step-by-step tutorials on how to hack gas pumps have been seen being shared in dark web forums. In addition, researchers have seen requests in these forums for information pertaining to the hacking of smart meters, which are devices used by electric utility companies to track and record the consumption of energy. This article continues to discuss key findings surrounding the cybercrime underground in relation to the tools and services that are being offered, as well as the conversations being conducted by cybercriminals.

CISOMAG reports "Attackers Are Targeting Internet-Connected Gas Stations: Researchers"

It has been discovered that Wikipedia was affected by a DDoS attack that lasted for almost three days. The DDoS attack was an an old-style volumetric flood, designed to overwhelm the company's web servers with bogus HTTP traffic. During the attack Wikipedia quickly became unavailable in Europe, Africa, and the Middle East, before later slowing or stopping for users in other parts of the world such as the US and Asia. DDoS takedowns have become somewhat less frequent these days, because all sites that consider themselves targets employ mitigation companies to defend themselves. The Wikipedia attack is a warning that the people who carry out these attacks have not given up on trying, and that if one is not prepared for a DDoS attack, one might still occur.

Naked Security reports: "Wikipedia Fights off Huge DDoS Attack"

It has been discovered that more than 99 percent of cyberattacks rely on human interaction to work. This makes individual users the last line of defense. In order to significantly reduce human risks, organizations need a holistic people-centric cybersecurity approach that includes effective security awareness training, and layered defenses that provide visibility into their most attacked users.

Help Net Security reports: "More Than 99% of Cyberattacks Rely on Human Interaction"