News Items

Consumers' privacy has been invaded yet again as discovered by independent researchers led by Noam Rotem. The researchers discovered an unsecured databased stored on the cloud in which the details of more than 80 million U.S. households are exposed. The exposed database includes information such as names, ages, genders, income levels, and marital status. The owner of the database has not been identified by researchers yet. This incident further highlights issues in relation to cloud data storage. This article continues to discuss the unsecured database, the information that has been exposed by this database, the research behind this discovery, and other discoveries pertaining to organizations' unsecured databases.

CNET reports "Exposed Database Reveals Details on Over 80 Million Us Households"

Using a new technique developed by researchers from North Carolina State University and the University of Texas at Austin, malware can be detected in embedded systems. Embedded systems in voice-activated virtual assistants, industrial control systems such as those used in power plants, and more, can be targeted by a type of malware that abuses a system's architectural design, called micro-architectural malware, for the purpose of hijacking these systems or stealing sensitive data. This article continues to discuss micro-architectural attacks against embedded systems and the power-monitoring technique developed by researchers to detect such attacks.

NC State News report "New Technique Uses Power Anomalies to ID Malware in Embedded Systems"

The increased connectivity of industrial control systems has made such systems more vulnerable to cyberattacks, which could have serious implications in regard to the security and well-being of the communities that rely on them. According to IBM's X-Force Red, which offers penetration testing and vulnerability management programs, the number of vulnerabilities contained by ICS environments has increased by 83 percent from 2011 to 2018. This article continues to discuss the reason behind the increase in ICS vulnerabilities, concerns surrounding the security of ICS environments, and possible solutions to ICS security problems.

IBM Security Intelligence reports "Industrial Control Systems Security: To Test or Not to Test?"

The HoloClean tool detects bad data and corrects errors prior to processing the data. The new system also can automatically generate bad examples, without tainting source data. This process allows the system to learn to identify and correct errors on its own. Once HoloClean is trained, it can independently differentiate between errors and correct data, and determine the most likely value for missing data if an error exists.

University of Waterloo reports: "Researchers Develop AI Tool Better Able to Identify Bad Data"

Security researchers at the University of Chicago are developing methods to defend against backdoor attacks in artificial neural network security systems. One technique that will be presented by researchers at the 2019 IEEE Symposium on Security and Privacy in San Francisco involves the scanning of machine learning (ML) systems for signs of a sleeper cell, which is a group of spies or terrorists that secretly remain inactive in a targeted environment until given instructions to act. The use of this technique also allows the owner of the system to trap potential infiltrators. This article continues to discuss the possible hiding of backdoors in AI-based security systems due to the black box nature of AI and the research behind the defense method designed to close backdoors in neural networks.

TechXplore reports "Computer Scientists Design Way to Close 'Backdoors' in AI-Based Security Systems"

Researchers from the Catholic University in Leuven (KU Leuven) have developed a method that could be used to make humans invisible to AI-powered surveillance camera systems. The method involves the printing and strategic placement of 2D images on to shirt, bags, and other objects. Wearing clothing, bags, and other objects with these images would allow a person to become invisible to camera surveillance systems that use machine learning (ML) algorithms to detect humans in live video feeds. This article continues to discuss the research behind this method and other studies in relation to the tricking of image classification and object detection systems.

ZDNet reports "Academics Hide Humans from Surveillance Cameras with 2D Prints"

The growing frequency and sophistication of cyberattacks calls for the increase in cybersecurity professionals. A study conducted by researchers at Bournemouth University suggests the filling of the cybersecurity workforce gap with hackers. Findings of this study highlight that the majority of people in hacking communities attempt to hack systems in order to find and fix flaws before they are exploited by malicious hackers. This article continues to discuss the growth of cybersecurity incidents and the employment of hackers to fill the cybersecurity workforce gap in addition to myths and perceptions associated with hacking.

The Conversation reports "There's a Massive Cybersecurity Job Gap - We Should Fill It by Employing Hackers"

Devices such as smartphones, security cameras, and speakers, will soon rely more on artificial intelligence to increase the speed at which speech and images are processed. A compression technique, called quantization, reduces the size of deep learning models in order to lessen computation and energy costs. However, compressed AI models have been found to be more vulnerable to adversarial attacks that could cause models to misclassify altered images. MIT and IBM researchers have developed a technique to improve the security of compressed AI models against such attacks. This article continues to discuss findings of a new study conducted by MIT and IBM researchers in relation to the vulnerability of compressed deep learning models to adversarial attacks and the technique developed to reduce this vulnerability.

MIT News report "Improving Security as Artificial Intelligence Moves to Smartphones"

LinkedIn used eight unsecured databases which held approximately 60 million records of LinkedIn user information. The unsecured data contained: LinkedIn profile information, including IDs, profile URLs, work history, education history, location, listed skills, other social profiles, the last time the profile was updated, and email address when the LinkedIn account was created. LinkedIn investigated the issue and concluded that a third-party company exposed a set of data aggregated from LinkedIn public profiles, as well as other, non-LinkedIn sources. LinkedIn has no indication that there has been a breach. Amazon, who was hosting the databases was notified, and as of April 15, 2019, the databases were secured and were no longer accessible via the internet.

Infosecurity reports: "LinkedIn Data Found in Unsecured Databases"

In order for enterprises to more effectively mitigate cybersecurity weaknesses, a security culture must be fostered within the workplace through the use of tools, training, and other technology aids. Enterprise security culture is an essential part of risk management. There are three questions that security and technology leaders should consider in the pursuit towards an enhanced security culture, which touch on how employees value security, why employees should care about security, and leadership. This article continues to discuss the importance of improving enterprise security culture and three questions that security leaders need to consider in the assessment of this culture within their organizations.

GovTech reports "Security Culture Questions to Consider"

Microsoft has been affected by a data breach involving attackers leveraging a customer support account to access customers' email information. Microsoft-managed email services such as @Outlook.com, @MSN.com and @Hotmail.com were affected by the breach. Microsoft notified users that hackers may have been able to access information about their accounts including: their email address, email subject lines, and frequent contacts. Microsoft reports that the contents of any messages or attachments were not able to be seen. This breach has been occurring from January 1 through March 28 of this year, but could have been occurring for six months. Once the breach was discovered, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access.

CyberScoop reports: "Microsoft email breach gave hackers access to account information for months"

DevOps is a set of practices that have been increasingly adopted by organizations to increase the speed at which software is developed and delivered. However, organizations are encouraged to adopt DevSecOps in which security is considered at every stage of the software delivery lifecycle. This article continues to discuss the adoption of DevOps by organizations, how organizations can transition from DevOps to DevSecOps, the challenges posed by cloud computing, and the adoption of tools that provide real-time visibility into potential attacks at the application layer.

Help Net Security "DevSecOps: Fast Development Without Sacrificing Safety"

Confidant, an IT security firm, recently published a blog post in which the details of a malvertising campaign, dubbed eGobbler, are presented. According to researchers, eGobbler, abused a vulnerability in Chrome for iOS. Through the exploitation of this vulnerability, hackers were able to push fake advertisements to 500 million user sessions as well as hijack sessions. This article continues to discuss the eGobbler malvertising campaign in relation to its targets, techniques, and discovery by researchers, along with the need to create an industry safeguard against malvertising.

SC Media reports "Malvertising Campaign Abducts Half a Billion Chrome on iOS Sessions to Push Fake Ads"

A greater amount of companies are starting to use cloud services. Organizations spent $178 billion on public cloud services last year, and the amount of money spent on public cloud services is expected to grow to $236 billion by 2020. Global spending on cloud security is set to grow nearly 18% to reach $12.7 billion by 2023, with protection for public cloud deployments prioritized over the coming years. Since more and more companies are using cloud services, it is becoming more important to protect mission critical systems and sensitive data on the cloud.

Infosecurity reports: "Cloud Security Spending Set to Top $12bn by 2023"

A breakthrough in quantum key distribution (QKD) has been made by a team of researchers from the National University of Singapore (NUS) and Singtel, Asia's leading communications group. QKD differs from traditional encryption in that it is uses the laws of physics to protect the transport of keys between communicating parties. The new method demonstrated by researchers to bolster QKD, shows that QKD can be used over commercial fiber networks. This article continues to discuss the concept of QKD, the new technique developed by researchers to advance QKD, and what this advancement in QKD indicates.

ZDNet reports "Researchers in Singapore Demonstrate New Quantum Key Distribution Technique over Singtel's Fibre Network"

In todays world new malware and zero-day attacks are reasonably rare and are vastly outnumbered by reconfigured malware and the regular return of old attacks. It is important to be prepared for the new attacks, however it is also very important to not to forget about old attacks, since they happen more regularly.

DARKReading reports: "New Attacks (and Old Attacks Made New)"

Researchers at Pen Test Partners have uncovered vulnerabilities contained by a popular Australian smartwatch for kids, called TicTocTrack. Parents can track the location of their children via the smartwatch. According to researchers, the vulnerabilities discovered in the watch could be exploited by hackers to perform malicious activities such as track the location of children, spoof locations, call children, and more. This article continues to discuss where these security flaws stem from, what their exploitation could allow attackers to do, and the response to the discovery of these vulnerabilities.

Threatpost reports "TicTocTrack Smartwatch Flaws Can Be Abused to Track Kids"

Every business no matter how big or small relies on computers and digitalization to perform their basic functions. If a company is breached, then it can cost a lot of money for the company to fix and mitigate the affect of the attacks. Every company, no matter how big or small, should take cybersecurity seriously. Many cybercrimes are result of human error, usually an employee causes the breach of information, so business owners should generate awareness and educate staff around security best practices. A business should also have a cyber security and disaster recovery strategy.

BuisnessMattersMagazine reports: "Cyber security - should your business be worried?"

The Department of Homeland Security (DHS) recently issued an alert to the public pertaining to the presence of a vulnerability in virtual private network (VPN) applications made by Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure. According to the warning released by DHS, the exploitation of this vulnerability could allow hackers to access other applications running on a VPN connection. This article continues to discuss the security flaw in relation to where it comes from, which VPN apps it affects, what it could allow hackers to do, along with VPN vendors' responses to this vulnerability.

CyberScoop reports "DHS Alerts Industry to Insecure Enterprise VPN Apps"

In support of closing the cybersecurity workforce gap, the Girl Scouts launched a program aimed at strengthening the cybersecurity skills of young girls. Within the first six months of the program, 44,000 cybersecurity badges were earned by girls in kindergarten through fifth grade. The program encourages girls to explore career paths in the field of cybersecurity and other STEM fields. The cybersecurity skills of young girls should be cultivated in order to diversify and increase the number of skilled cyber professionals in the cybersecurity workforce. This article continues to discuss the importance of addressing the cybersecurity workforce shortage, the cybersecurity curriculum launched by the Girl Scouts, and how others can get involved in this initiative.

Security Boulevard reports "The Cybersecurity Workforce Shortage Is a Big Problem. You Can Help Girl Scouts Solve It."

Security researchers at Doctor Web discovered the compromise of the popular video editing website, VSDC, by hackers. Download links on the VSDC website were hijacked in order to infect the video editing website with a banking Trojan (Win32.Bolik.2) and information stealer (Trojan.PWS.Stealer). One Trojan steals information from browsers, messengers, and more. This article continues to discuss the hacking of VSDC to distribute banking Trojans, and past discoveries surrounding the insufficient security of the VSDC website.

Computing reports "Popular Video and Sound Editing Website VSDC Hacked to Propagate Banking Trojans"

New research conducted by Symantec reveals the leakage of detailed guest booking data by the majority of hotels to third-party advertisers, social media websites, and more. This data includes information such as names, addresses, mobile phone numbers, passport numbers, and more. These are the findings of tests performed by Symantec on more than 1,500 hotels located in 54 countries. This article continues to discuss the findings of this study in relation to the leakage of guest booking info by hotel websites, along with the privacy and compliance risks associated with the leakage of this info.

Dark Reading reports "Majority of Hotel Websites Leak Guest Booking Info"

Wi-Fi Protected Access 3 (WPA3) isn't as secure as it was proclaimed to be as researchers have uncovered critical design flaws in the Wi-Fi security and authentication standard. According to researchers, WPA3 is vulnerable to the same attacks that WPA2 is susceptible to. WPA3 was supposed to be a major improvement over WPA2 through the performance of an encryption process, called the Dragonfly handshake. Dragonfly handshakes were expected to be harder to crack than the traditional four-way handshake used by WPA2 to generate session keys. However, researchers have discovered design flaws in the WPA3 standard's Dragonfly key exchange that could allow attackers to recover Wi-Fi passwords and enter networks. This article continues to discuss the security enhancements that WPA3 was supposed to offer and the discovery of vulnerabilities in this standard, along with the Wi-Fi Alliance's response to these findings.

Gizmodo reports "New Super-Secure Wi-Fi Is Actually Full of Security Holes"