News Items

Aleksejs Kuprins, a security researcher from the cybersecurity threat intelligence firm, CSIS, discovered the infection of 24 Android apps available on the Google Play Store with a new Android malware, called Joker. These apps were collectively downloaded more than 472,000 times. The Joker malware has been discovered to be capable of stealing SMS messages, generating fake clicks through covert interactions with advertisement websites, adding infected victims to premium service subscriptions, and more. This article continues to discuss the Joker malware in relation to its capabilities, targets, and impact.

SC Media reports "Holy Cybercrime, Batman! Joker Malware Commits Ad Fraud, Data Theft"

A new study conducted by a team of researchers shows that bots are getting better at copying human behaviors, which makes it harder for them to be detected. The researchers examined 250,000 social media users who took part in discussions surrounding the 2016 and 2018 U.S. elections, and detected more than 30,000 bots. Despite the efforts of social media companies to mitigate automated accounts, these bots have continued to evolve. The behavior of these bots continues to change in order to mimic the ways in which humans engage with each other in the discussion of a topic on social media. Findings of the study further highlights the continuous battle between bots and detection algorithms, and the importance of increasing efforts to improve bot detection methods. This article continues to discuss the performance and findings of the study on the evolution and detection of artificial intelligence-enabled social media bots.

EurekAlert! reports "Bots Might Prove Harder to Detect in 2020 Elections"

Quantum computers are expected to be capable of cracking currently used encryption algorithms, including those used by governments and corporations, which poses a significant threat to the privacy and security of sensitive data. Although quantum computers are not expected to be capable of rendering modern cryptography standards obsolete within the next ten years, the U.S. National Institute of Standards and Technology (NIST) is already making an effort towards the development of post-quantum cryptographic methods. NIST has initiated the Post-Quantum Cryptography Standardization Process to find new quantum-resistant standards. This article continues to discuss the second phase of NIST's Post-Quantum Cryptography Standardization Process, the categories in which new quantum-resistant algorithms will be placed, the participants of this process, the standardization of new algorithms, and when quantum computing is predicted to be capable of cracking modern cryptography standards.

IEEE Spectrum reports "How the United States Is Developing Post-Quantum Cryptography"

In March of 2019, a British CEO thought he had gotten a call from the CEO of his business's parent company, which is based in Germany. The caller had an "urgent" request: and demanded that the British CEO transfer $243,000 to a Hungarian supplier within the hour. He complied and made the transfer because the voice sounded exactly like the CEO of the other company and even had a German accent. After farther studies into this attack, researchers found that artificial intelligence- (AI)-based software was used to create a convincing imitation of the German CEO's voice. The scammers called another 2 times after the first call. The second time the attacker lied about the money having been reimbursed to the British company (hoping that the CEO would send it again and the attacker could double their money), and then the third time, the attacker asked for another payment, using the same fake voice. The British CEO had grown skeptical by the second call and he didn't comply with the repeated demand for money.

Naked Security reports: "Scammers Deepfake CEO's Voice to Talk Underling Into $243,000 Transfer"

The UW College of Built Environments, College of Arts & Sciences and Jackson School of International Studies as well as UW Facilities and UW Information Technology will work together to improve the security of Internet of Things (IoT) devices with financial support from the National Science Foundation. The research team will further explore how organizational policies and procedures impact the way in which different agencies within an organization work together to maintain the security of IoT devices and institutional systems. This article continues to discuss the three-year research project aimed at strengthening IoT security.

UW News report "UW Colleges, Offices Share Three-Year NSF Grant to Make 'Internet of Things' More Secure"

Researchers at the security firm, Avast, found security vulnerabilities in 30 GPS tracker models manufactured by Shenzhen i365 Tech, which are designed for kids, seniors, and pets. According to researchers, these vulnerabilities could be exploited by attackers to leak a user's location information, access device microphones to eavesdrop on conversations, spoof information, and more, posing a significant threat to the security and privacy of users. The vulnerability of these 30 GPS tracker models to such attacks derive from an insecure infrastructure in which there is a lack of encryption. In addition to the discovery of vulnerable GPS trackers, the researchers also discovered 50 vulnerable mobile applications. Consumers are encouraged to do research on a smart device's built-in security protocols prior to purchasing it. This article continues to discuss the vulnerabilities found in GPS trackers, the disclosure of this security flaws to Shenzhen i365 Tech, other discoveries of vulnerabilities contained by smart devices, and efforts to protect consumer security in regard to Internet of Things (IoT) devices.

CNET reports "Security Flaws in GPS Trackers Are Leaking Location of 600k Kids and Seniors"

Security awareness training for employees is essential as hackers continue to exploit human factors and use social engineering tactics to execute cyberattacks. A report from ESET and The Myers-Briggs Company highlights the correlation between security-related errors and certain personality types, stressing the importance of taking personality traits into consideration when providing security awareness training to employees. According to The Myers-Briggs Company, personality types could also be used to build more effective security teams. This article continues to discuss the recommended approach to security awareness training.

Security Intelligence reports "Is Personality the Missing Piece of Security Awareness Training?"

A security flaw has been discovered in Samsung, Huawei, LG, Sony and other Android-based phones that leaves users vulnerable to advanced phishing attacks. Researchers found that certain Samsung phones are the most vulnerable to this form of phishing attack, because they do not have an authenticity check for senders of OMA CP messages. Samsung and LG have addressed the problem and have fixed it.

Help Net Security reports: "Security Hole Opens a Billion Android Users to Advanced SMS Phishing Attacks"

The Pacific Northwest National Laboratory's Center for Advanced Technology Evaluation (CENATE) recently sponsored a roundtable, which brought researchers from the realms of computer science and cybersecurity together to explore fundamental research questions and challenges in regard to the cybersecurity of high-performance computers (HPCs). One of the goals of the roundtable was to identify gaps in current research surrounding HPC systems, pertaining to the development of cybersecurity techniques, protection of HPC systems, and more. The security of HPC systems must be bolstered as these systems are an important part of national infrastructure. This article continues to discuss the CENATE-sponsored roundtable in relation to its purpose, goals, and discussion topics, along with the CENATE organizer's next step.

TechXplore reports "Keeping High-Performance Computers Cybersecure"

The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) released a new study, titled Evaluating Mobile App Vetting Integration with Enterprise Mobility Management in the Enterprise. The study describes a continuous approach to mobile app vetting in which the capabilities of enterprise mobility management (EMM) solutions are combined with app vetting tools. It has been recommended that federal agencies adopt this approach in order to improve federal system mobile device and enterprise security. The S&T study also recommends the exploration of nontraditional approaches such as app threat intelligence by federal agencies. This article continues to discuss the study in relation to its purpose and recommendations.

Homeland Security News Wire reports "Integrating EMM & APP Vetting Solutions for Maximum Security"

Cybersecurity vendor, Imperva, recently disclosed information pertaining to the exposure of data belonging to its cloud firewall customers. The number of customers that have been impacted by this data breach has not been specified. The information exposed in the breach includes email addresses, API keys, passwords, and SSL certificates. In response to the incident, Imperva has forced customers to reset their passwords and implemented a 90-day password expiration policy for the Cloud Web Application Firewall (WAF) product. This article continues to discuss the Imperva data breach in regard to its disclosure, impact, and response.

TNW reports "Cybersecurity Vendor That Protects Firms from Data Breaches Hit by Data Breach"

Researchers at the device cybersecurity company, WootCloud, discovered a new internet-of-things (IoT) botnet, called the ARES ABD botnet. The IoT botnet targets Android set-top boxes produced by HiSilicon, Cubetek, Qezy Media, and other vendors. ARES abuses misconfigured Android Debug Bridge (ABD) interfaces on set-top-boxes. An ABD is a command-line tool used to communicate with a device in order to perform installations, debugging, and more. Set-top-boxes compromised by ARES are being used to launch additional attacks such as distributed denial-of-service attacks, cryptomining attacks, brute-force password-cracking attacks, and more, on other devices. This article continues to discuss the ARES ABD Botnet in relation to its impact, targets, and prevention, along with the frequent targeting of other computer IoT devices to build botnets.

Dark Reading reports "New Botnet Targets Android Set-Top Boxes"

Fraudsters use skimmers as a physical means to perform data theft. Skimmers are small devices that can be attached to a gas pump or an ATM's card reader to harvest credit and debit card numbers as users swipe their cards. These devices use Bluetooth to transmit the stolen data. An app to detect skimmers at gas pumps, called Bluetana, has been developed by a team of computer scientists at UC San Diego and the University of Illinois with technical input from the United States Secret Service. Bluetana will not be made available to the general public as it is only intended to be used by state and federal inspectors. Through the use of Bluetana, 42 Bluetooth-based skimmers have been discovered in three U.S. states. This article continues to discuss the Bluetana app, the concept of skimmers, and the need to develop more techniques to detect such tools used by criminals.

Science Daily reports "App Allows Inspectors to Find Gas Pump Skimmers Faster"

McAfee Labs discovered that on average, their were 504 new threats per minute in Q1 2019, and a resurgence of ransomware along with changes in campaign execution and code. They also discovered that 2.2 billion stolen account credentials were made available on the cybercriminal underground, over the course of the quarter. 68 percent of targeted attacks, utilized spear-phishing for initial access,while 77 percent relied upon user actions for campaign execution. Overall, new ransomware samples had increased 118 percent within the first Q1 2019.

Help Net Security reports: "New Ransomware Grows 118% as Cybercriminals Adopt Fresh Tactics and Code Innovations"

In 2018, researchers from Belgium's KU Leuven university discovered a security vulnerability in the Tesla Model S that could allow hackers to create a duplicate of the car's key fob in order to unlock and steal the car. In response to this discovery, Tesla created a new version of its key fob that addressed the vulnerability. However, researchers have recently uncovered another vulnerability, which impacts the new key fobs. The exploitation of this vulnerability could also enable hackers to clone the keys and drive off with the vehicle. This article continues to discuss the new key fob cloning attack against Tesla's Model S cars and other discoveries surrounding the insecurity of keyless entry systems.

Wired reports "Hackers Could Steal a Tesla Model S by Cloning Its Key Fob--Again"

A team of researchers from the Georgia Institute of Technology and Ohio State University has discovered more than 1,000 security flaws in the backend systems used for the top 5,000 apps available in the Google Play Store. These backend systems are used for the delivery of content and advertising to smartphone applications via a network of cloud-based servers. According to researchers, the exploitation of these vulnerabilities enable the infiltration of databases and users' mobile devices by hackers. An automated system, called SkyWalker, has been developed by the researchers to help examine the security of the cloud-based servers that support smartphone apps. This article continues to discuss the discovery of vulnerabilities in backend servers used for smartphone apps and how SkyWalker will help developers bolster the security of their mobile apps.

Georgia Tech reports "Smartphone Apps May Connect to Vulnerable Backend Cloud Servers"

It has been discovered that 53% of all logins on social media sites are fraudulent. The report, analyzed more than 1.2 billion transactions made between April 1, 2019, and June 30, 2019. It was found that 11% of all online transactions, including account registrations, logins and payments, were actually cyber-attacks. It was also found that the attack mix varied across industries, with some spheres more likely to suffer human-driven cyber-attacks, while others were chiefly targeted by bots. The technology industry stood out as heavily targeted by human click-farms and sweatshops, with almost 43% of attacks driven by humans. However, it was the retail industry that saw the highest proportion of human culprits, with a 50/50 split between attacks driven by humans and bot-led assaults.

Infosecurity reports: "Over Half of Social Media Logins Are Fraudulent"

A new study conducted by researchers at Ben-Gurion University brings attention to the vulnerability of routers to cross-router leaks resulting from an attack on either a host or guest network. According to researchers, all of the routers examined in this study were vulnerable to cross-network communication as a result of the use of specially crafted network packets. Researchers have recommended a hardware-based solution to ensure that secure and non-secure network devices are isolated from each other as network separation and network isolation helps to prevent the infiltration of networks and the leakage of information. This article continues to discuss the findings of this study in regard to cross-router data leakage as well as the importance of network separation and network isolation in security.

EurekAlert! reports "Router Guest Networks Lack Adequate Security, According to Researchers at Ben-Gurion University"

Cisco has released an open-source hardware tool, called 4CAN, to be used by automobile security researchers and car manufacturers to discover vulnerabilities in connected cars. While connected cars offer benefits to users, they also introduce significant security risks. Research has highlighted the increased vulnerability of connected cars to being hacked, manipulated, and disabled by hackers. 4CAN helps in the identification of vulnerabilities contained by connected cars' sensors and controls systems. This article continues to discuss CISCO's resources that are dedicated to improving automobile security as well as the recent release of 4CAN.

Cisco Magazine reports "Cisco Releases New Security Tool to Identify Vulnerabilities in Connected Cars"

Augmented reality (AR) is expected to be increasingly used in group activities such as multi-user gaming or collaborating on projects. Therefore, developers need a better approach to addressing the potential security and privacy issues associated with multi-user AR. Augmented reality differs from virtual reality in that users interact with computer-generated content in the real-world environment. Security researchers at the University of Washington have developed a toolkit, called ShareAR, that could be used by developers to implement collaborative and interactive features into AR technology in a way that does not pose a threat to the security and privacy of users. This article continues to discuss the concept of AR, the expected growth in multi-user AR, and how ShareAR can help address the concerns surrounding this technology.

Science Daily reports "New Tools to Minimize Risks in Shared, Augmented-Reality Environments"

A new study conducted by researchers at the New York University Tandon School of Engineering has brought attention to the possible launch of cyberattacks on urban power grids through the exploitation of electric car charging stations. The connection between electric vehicle charging stations and plug-in electric cars is a high-wattage access point that could be abused by hackers to impact the grid. This article continues to discuss how electric car charging stations and electric vehicles could be exploited to execute an attack on a power grid, along with other incidents in which a power grid has been crippled by hackers and the importance of developing a cybersecurity protocol to protect data produced by electric car charging stations.

TechXplore reports "Electric Car Charging Stations May Be Portals for Power Grid Cyberattacks"

A cybersecurity researcher, named Bertin Bervis, recently discovered the vulnerability of critical internet-connected smart building devices to an attack in which sensitive information can be stolen from technicians or engineers who interact with these devices. According to Bervis, the attack involves the exploitation of the Bacnet protocol's properties. Bacnet is a building automation protocol that allows monitoring and setup changes to be performed by technicians and engineers. The protocol also enables a variety of key smart systems to be controlled remotely. This article continues to discuss the vulnerability and what its exploitation could allow attackers to do.

Homeland Security News Wire reports "New Vulnerability Found in Internet-Connected Building Automation Devices"

A new study conducted by researchers from Southern Methodist University's (SMU) Darwin Deason Institute for Cybersecurity has discovered a way in which hackers can determine what a user is typing in order to obtain personal information. According to researchers, acoustic signals produced when users type on a keyboard, could be intercepted and deciphered by hackers through the use of a nearby smartphone. Using this method, researchers were able to detect what people are typing with a 41 percent accuracy rate. Findings of this study emphasize the need for smartphone makers to increase their efforts toward enhanced privacy in regard to smartphone sensors. This article continues to discuss how this study was conducted by researchers, concerns surrounding 'always-on' sensing devices such as the smartphone, and the accuracy with which attackers can detect what a user is typing.

Science Daily reports "Attackers Could Be Listening to What You Type"

British Airways (BA) has been discovered to contain a security flaw in its e-ticketing system. According to security researchers at Wandera, the e-ticketing system used by BA lacks encryption, allowing the exposure of passenger data such as booking details, names, telephone numbers, email addresses, and more. The security flaw could also allow malicious actors to modify a passenger's flight booking details. Security experts call for developers to consider security in the design of such systems. This article continues to discuss the flaw discovered in the BA e-ticketing system, what types of data can be exposed through the exploitation of this flaw, BA's response to this discovery, and the importance of designing such systems with security in mind.

Silicon UK reports "British Airways Check-In Flaw Exposes Personal Data"