News Items

Industrial robots have been used to support product manufacturing, productivity, and safety. Though there has not been a wave of cyberattacks against industrial robots that we know of, such robots are expected to become a more attractive target for hackers as the costs of such technology decrease and number of robots increases. Researchers have already demonstrated proof-of-concept (POC) attacks on well-known robots in which ransomware was executed. As cyberattacks on robots in industrial environments can impact the operation of businesses and the physical safety of workers, it is important that the security of such technology is improved through further research and developments. This article continues to discuss the growing use of robots in industrial environments, challenges associated with industrial robots, the cybersecurity risks raised by these robots, and the importance of designing robots with security in mind.

Security Week reports "Industrial Robotics - Are You Increasing Your Cybersecurity Risk?"

Despite the increased use of implementation of bugs that might affect the security of physical security keys, Google argues that physical security keys are still the strongest protection against phishing currently available. On-device prompts and SMS codes are also extremely successful at blocking account hijacking attacks that are caused by automated bots and bulk phishing attacks. On-device prompts and SMS codes still can be bypassed by attackers with some level of skill that focus on targeting specific users. Knowledge-based challenges (recovery phone number, last sign-in location, etc.) are fantastic at stopping bots, but are not very good at preventing bulk phishing and targeted attacks. In the event of a suspicious sign-in attempt, Google's risk analysis engine selects the strongest challenge that an account's legitimate owner should ideally be able to solve. Google's research has shown that simply adding a recovery phone number to one's Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks. Google is urging medium to low risk users to choose strong and unique passwords, set up a recovery phone number or email address and to set up two-factor authentication to decrease likelihood of successful attacks. Google has also urged high-risk users to start using Advanced Protection Program, which requires the use of a physical keys, and limits full access to users' Gmail and Drive to specific apps, and also adds extra steps to the account recovery process. If these procedures are followed, then attacks will be much less likely to be successful.

HELPNETSECURITY reports: "How effective are login challenges at preventing Google account takeovers?"

Bluetooth security vulnerabilities arise on account of the protocol's complexity. The documentation for the Bluetooth standard is significantly longer and more comprehensive than the material provided for other wireless protocols, making it increasingly complex and difficult for manufacturers to handle. According to Ken Kolderup, vice president of marketing at the Bluetooth Special Interest Group (SIG), the standard's documentation is extensive because it defines a radio frequency for the standard and covers components of hardware, applications, and more, in order to ensure that interoperability between Bluetooth devices is enabled. This article continues to discuss vulnerabilities associated with the Bluetooth standard, the complexity of the Bluetooth standard, recent discoveries in relation to Bluetooth implementation and configuration issues, and how the Bluetooth SIG plans to help improve to the security of Bluetooth implementations.

Wired reports "Bluetooth's Complexity Has Become a Security Risk"

The National Commission on Military, National, and Public Service, is considering modernizing the Selective Service System (SSS) to include the possible conscription of those that are highly skilled in cybersecurity. One of the goals of this modification is to recruit and promote cybersecurity experts that are of greater age with a lot of experience, thus focusing on experts that are 30 or older. This article continues to discuss the possible compulsory enlistment of cybersecurity experts to serve in the military and civil service, current Selective Service rules, changing the shape of the military with cybersecurity professionals, and the increased deployment of more experienced security practitioners by the U.S. Army Cyber Command.

CSO Online reports "Will the U.S. Government Draft Cybersecurity Professionals?"

Cyberattacks continue to rise as a result of human error, the growing complexity of technology, and the increasing sophistication of attack methods. It is important that methods for encouraging good cybersecurity behaviors continue to be explored and developed. A circuit board, called the Adafruit Circuit Playground, can be used to nudge end users into following proper cybersecurity practices. This article continues to discuss privacy fatigue, the exploitation of users' busyness to launch attacks, approaches to breaking bad cybersecurity habits, and the idea behind the Adafruit Circuit Playground.

Phys.org reports "How to Break Our Bad Online Security Habits - with a Flashing Cyber Nudge"

An independent security researcher, named Sanyam Jain, discovered an unsecured Elasticsearch database, which exposed personal information belonging to 8 million people who have responded to online surveys, entered sweepstakes, and requested free product samples. The information exposed by this database included full names, home addresses, email addresses, IP addresses, phone numbers, and more. A performance-based marketing company, named Ifficient, was found to be the owner of the database. This article continues to discuss the discovery of the unsecured database, what information was exposed, and Ifficient's response to this discovery.

Bleeping Computer reports "Unsecured Survey Database Exposes Info of 8 Million People"

In addition to the growing advancement of malware development, cybercriminals are also increasing the complexity of the ways in which they evade detection. According to researchers at Akamai, attackers have been observed to be increasing their use of a TLS tampering technique, called cipher stunting, which masks malicious bot activity as live human traffic on the web, thus allowing detection attempts to be evaded. This article continues to discuss the concept, increased performance, and targets of cipher stunting.

Threatpost reports "Billions of Malicious Bot Attacks Take to Cipher-Stunting to Hide"

Widely-used cloud platforms, such as Office 365 from Microsoft or G-Suite from Google are often administered by IT professionals tasked with all aspects of configuration; security is not their primary focus. Most Software as a Service (SaaS), have default settings that are tuned to empower end-users with full control over collaboration and data access. The default setting are usually configured to easy access and usability instead of better security. Users of SaaS should look at the default settings and change them to be focus more on security. Improving configuration management in SaaS applications can minimize the risk of data loss, phishing campaigns and can help prevent breaches.

InfoSecurity reports: "Before Blaming Hackers, Check Your Configurations"

Security researchers at Red Balloon have discovered two vulnerabilities in the Cisco 1001-X series router. Cisco's 1001-X routers are used for connectivity at stock exchanges, local malls, corporate offices, and more. The exploitation of these security flaws could allow hackers to steal the data that passes through the routers. These bugs are significant in that they enable hackers to remotely gain root access to routers and circumvent the security protection, Trust Anchor, which has been built into most of Cisco's enterprise devices since 2013. According to researchers, the techniques used to bypass Trust Anchor could be used by attackers to infiltrate the networks in which these devices are connected. This article continues to discuss the vulnerabilities and the potential impact that these flaws could have on institutions, along with some concerns surrounding the mitigation of the vulnerabilities and the research conducted behind these discoveries.

Wired reports "A Cisco Router Bug Has Massive Global Implications"

In a study that was conducted, employees were found to be aware of the risks associated with inadequate USB drive security. It was found that while 91 percent of respondents claimed that encrypted USB drives should be mandatory, 58 percent of respondents confirmed that they regularly use non-encrypted USB drives. Although 64 percent of organizations have a policy outlining acceptable use of USB devices, 64 percent of respondents said their employees use USB drives without obtaining advance permission to do so. It was also discovered that nearly half of the respondents lost a USB drive without notifying appropriate authorities about the incident. It is important that employers implement strict security policies to defend against the shortcuts employees will take. Beyond policies and procedures, organizations should reinforce that their employees use encrypted USB drives that require a unique PIN to make information on USB drives more secure.

HELPNETSECURITY reports: "Employees are aware of USB drive security risks, but don't follow best practices"

Flaws in the design of smart home Internet of Things (IoT) devices have been discovered by researchers at North Carolina University. The discovery of these design flaws is shared in a paper, titled Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-Home Internet of Things. According to researchers, the exploitation of these design flaws could lead to the prevention of security information sharing by smart home IoT devices to homeowners. Notifications pertaining to security problems such as break-ins can be blocked by attackers. This article continues to discuss the design flaws in smart home IoT devices that have been identified by researchers, the suppression attacks that can be performed through the abuse of the flaws, and potential solutions for addressing these vulnerabilities.

Science Daily reports "Design Flaws Create Security Vulnerabilities for 'Smart Home' Internet-of-Things Devices"

Security vulnerabilities have been discovered in a popular GPS tracker used to monitor children, track vehicles, and send alerts pertaining to elderly patients. The white-label location tracker is manufactured in China and is sold by companies, including Pebble by HoIP Telecom, OwnFone Footprint, SureSafeGo, and more. According to cybersecurity researchers from Fidus Information Security, these flaws could be exploited by attackers to retrieve information about a user's real-time location, secretly listen in on users, or completely disable the device. This article continues to discuss the GPS tracker, the security flaws that it has been discovered to contain, how attackers can exploit these vulnerabilities, and how this problem could be addressed.

TechCrunch reports "Flaws in a Popular GPS Tracker Leak Real-Time Locations and Can Remotely Activate Its Microphone"

The European Union's General Protection Regulation (GDPR) went into effect on May 25, 2018. The purpose of the GDPR is to ensure the protection of personal data belonging to EU residents by enforcing a standard upon any companies that manage this data. The GDPR has a far-reaching impact as any company that conducts business with EU citizens are expected to comply with this regulation, pressuring organizations to improve their efforts in regard to privacy and security. There are ways in which U.S. organizations have benefited from GDPR in that this regulation has pushed organizations to improve their incident response strategies, make great efforts to strengthen Internet of Things (IoT) security, and prepare for U.S. data privacy regulations. This article continues to discuss GDPR and how U.S. organizations have benefited from the regulation, along with the GDPR's next steps.

Help Net Security reports "Three Ways GDPR Benefits US Companies"

Great advancements have been made in machine learning in regard to image recognition as this technology can now identify objects in photographs as well as generate authentic-looking fake images. However, the machine learning algorithms used by image recognition systems are still vulnerable to attacks that could lead to the misclassification of images. Researchers continue to explore the problem of adversarial examples, which could be used by attackers to cause a machine learning classifier to misidentify an image. This article continues to discuss the concept and new research behind adversarial examples.

Wired reports "Artificial Intelligence May Not 'Hallucinate' After All"

A team of scientists conducted a study to see if a person's location offline affects how they behave online in regard to privacy. The study also explores changes in online privacy behavior resulting from the presence of a virtual private network (VPN) logo, the provision of terms and conditions by the wireless provider, and more. The study was conducted by observing the online behavior of participants from Amazon Mechanical Turk in four different types of physical locations, including a coffee shop, a university, an Airbnb, and home. Scientists observed unethical behavior, ethical behavior, and the disclosure of private information online. This article continues to discuss the purpose and findings of this study.

Tech Explorist reports "Study Finds Wi-Fi Location Affects Online Privacy Behavior"

There is a dramatic increase in IoT-related data breaches specifically due to an unsecured IoT device or application since 2017. It has jumped from 15 percent to 26 percent, and the results might actually be greater, because most organizations are not aware of every unsecured IoT device or application in their environment or from third party vendors. Most organizations surveyed have no centralized accountability to address or manage IoT risks. Less than half of company board members approve programs intended to reduce third party risk and only 21 percent of board members are highly engaged in security practices and understand third party and cybersecurity risks in general. Companies will have too take all risks, including IoT risks seriously if they want to lessen the chances of a breach occurring.

HELPNETSECURITY reports: "The IoT threat landscape is expanding rapidly, yet few companies are addressing third party risk factors"

F1/10 is a high-performance autonomous racing car that is 1/10th the size of a real car and can reach a top speed of 50mph. It carries a full suite of sensors; the perception, control and networking software stacks that make it autonomous. Out of the box, F1/10 can map an environment, plan a path in it, and follow that path while avoiding obstacles. If you needed to augment the capabilities of the car to enable the research (e.g.

A study conducted at Rutgers University-New Brunswick brings further attention to flaws in the metrics used to measure the performance of user login systems. In addition to highlighting these flaws, the study proposes a solution towards measuring the success of authentication systems. According to researchers, the solution involves combining the strengths of popular metrics from other fields with a metric that is rarely used. The proposed method can be used by researchers, government agencies, the public, and more, to increase the success of their authentication systems. This article continues to discuss the study done by Rutgers engineers and the novel solution they have proposed.

Homeland Security News Wire reports "Flaws in Metrics for User Login Systems"

The UK government is considering establishing an IoT security labelling scheme, which will help inform consumers about how secure IoT products are. The consultation suggests three security requirements laid out by the UK government's "Secure by Design" Code of Practice, which calls for the building of cybersecurity measures in the design phase of IoT products. Manufacturers of IoT devices would be required to ensure that IoT device passwords are highly unique and unable to be reset to factory default passwords. This article continues to discuss the IoT security labelling consultation and concerns surrounding the proposed IoT security legislation.

CBR reports "Industry Warns of Flaws as Gov't Proposes Mandatory IoT Security Labelling"

The White House released an Executive Order on America's Cybersecurity Workforce. It call this workforce a national asset. It calls for the government to enhance mobility of the workforce to move between public and private employment. It call for development of skills and that the government must recognize and reward the highest-performing cybersecurity workers.

It calls for the creation of an annual cybersecurity competition for federal civilian and military members. The first competition is to be held in 2019.

For the order and additional details:

The Government Accountability Office (GAO) urges the Census Bureau to improve upon its cybersecurity. The public will be allowed to respond to the 2020 Decennial Census via the internet. In addition, field-based enumerators will be allowed to use applications on mobile devices to gather survey data from households. Personally identifiable information such as names, birth dates, living situations, and more, will be more susceptible to being digitally hacked as a result of these changes. This article continues to discuss how the 2020 Decennial Census will be conducted, the security risks that will be introduced by changes made to the collection of data, and recommendations for the Bureau in relation to the improvement of its posture against security risks.

Nextgov reports "GAO Flags New Cybersecurity Issues for Upcoming Census"

The 2018 Eye on Privacy report found that 58 percent of employees had never heard of the PCI Standard. PCI Standards are a global set of payment card industry (PCI) guidelines that govern how credit card information is handled. It was also found that 12 percent of employees were unsure if they should report a cybercriminal stealing sensitive client data while at work. Employees within the Technology sector were least likely to identify and prioritize the most sensitive information. For example, 73 percent of those in the tech sector ranked Social Security numbers as most sensitive, compared to 88 percent of employees in all other industries ranking this type of data as most sensitive. The study also found that employees were more comfortable with a mobile device app tracking their device's location, than with an app accessing contact and browser information, being able to take pictures and video, and posting to social media. Theft of login credentials was considered the most serious threat to sensitive data, with disgruntled employees stealing data and phishing emails coming next. The findings give weight to the vital role employees play in a strong data privacy posture and the continuing need for privacy awareness training in protecting sensitive information.

HELPNETSECURITY reports: "How much does the average employee know about data privacy?"

More than two million Internet of Things (IoT) devices, including IP security cameras, baby monitors, and smart doorbells, have been discovered to be vulnerable to being hijacked by attackers. Through the take over of these devices, attackers would be able to spy on their owners. According to the security engineer, named Paul Marrapese, who discovered the flaws that would allow over two million IoT devices to be hijacked, these vulnerabilities derive from the peer-to-peer (P2P) communication technology used by all of these IoT devices, called iLnkP2P. This article continues to discuss the vulnerabilities, how IoT device users can find out if they are affected by these vulnerabilities, and what they should do if they are impacted, as well as past discoveries of security issues in surveillance cameras.

Threatpost reports "2 Million IoT Devices Vulnerable to Complete Takeover"

According to a recent Internet of Things (IoT) security report completed by F-Secure, many users and companies who use IoT devices, lack good password security or do not use passwords at all to protect the devices. Also many users and companies have unpatched vulnerabilities in software on their IoT devices. Week or no password security and unpatched vulnerabilities in software contributes to about 87 percent of all IoT attacks. It is important for businesses and users of Internet of Things devices to have strong password security, and should keep the software up to date so that the unpatched vulnerabilities on the devices are fixed. This will make Internet of Things devices more secure from attacks.

ADTMAG reports: "Flaws Left Unpatched, Unstopped Malware Contribute to Growing IoT Attacks"