News Items

Sridhar Muppidi, IBM Security Systems' chief technology officer for identity and access management solutions, emphasizes the importance of advancement beyond two-factor authentication (2FA) as it not the ultimate solution for the verification of identities. Enterprises are encouraged to improve upon their authentication processes through the utilization of alternative methods. This article further discusses how 2FA could be exploited by attackers, alternative authentication methods, a recent development in 2FA, and ways in which companies should improve verification methods.

Security Intelligence reports "Enterprises Must Evolve Beyond Two-Factor Authentication to Secure Verification"

According to Saurabh Harit, researcher at Spirent SecurityLabs, vulnerabilities within devices such as the IV infusion pump and the digital smart pen could lead to an extensive data breach upon exploitation by hackers. Research conducted on the security of digital smart pens and the IV infusion pump used in healthcare organizations to prescribe and administer medication, reveals the processes at which flaws within such devices could be exploited by hackers, as well as the information that could be exposed. This article further discusses the uses of these devices, how such devices could be attacked in order to gain access to sensitive patient information, and how perpetrators can use this information.

Dark Reading reports "Hacked IV Pumps and Digital Smart Pens Can Lead to Data Breaches"

Research being led by Purdue University in collaboration with Sandia National Laboratories aims to improve upon the cybersecurity of large-scale systems such as power grids, autonomous military defense networks, industrial control systems, consumer credit report agencies, and more, by using a concept of game theory, which is the Nash Equilibrium. Understanding of vulnerabilities that emerge within large-scale interconnected systems as well as the implementation of security into the design of such systems will be enhanced through this research. In addition, the complexities of human decision making when dealing with security risks will also be explored. This article further discusses the goals, parts, and support of this project, along with the decision-making processes that surround the implementation of cybersecurity.

Phys.org reports "Game Theory Harnessed for Cybersecurity of Large-Scale Nets"

According to the Q3 GTIC Quarterly Threat Intelligence Report released by NTT Security, a majority of insider threats stem from accidental or negligent activities. Organizations can be at significant risk due to insider threats without being aware. This article further discusses insider threats faced by organizations, the potential consequences of not having a cybersecurity plan in place to mitigate such threats, and other key findings of the report.

Help Net Security reports "75% of Insider Breaches Are Accidental"

Radio-frequency identification (RFID) is a technology that is commonly exploited by malicious criminals as it used for payment and access control in consumer and business operations. Malicious actors seek to capitalize on RFID attacks by accessing areas in which there is acquirable property. This article further discusses the uses of RFID, specific cases of RFID attacks, media coverage of RFID attacks, RFID hacks, and best practices for mitigating RFID attacks.

Security Intelligence reports "Traveling This Holiday Season? Beware of RFID Attacks"

Researchers at the New York University Tandon School of Engineering have introduced a new method that could be used to inexpensively provide maximum security against hacking. This method uses a new class of Cryptographic primitives made of nanomaterial that was grown by researchers in multiple layers. The highest possible level of structural randomness is achieved by nanomaterial, which is essential in the creation of security primitives as randomness allows such primitives to perform encryption and physically provide security for computer hardware and data. This article further discusses the details of this new nanoscale security method and the predicted future of nanomaterial-based security primitives.

IBT reports "New Nanoscale Security Method May Be The Best Hacking Prevention"

Uber has recently admitted that it faced a massive data breach in late 2016, which exposed personally identifiable information belonging to 56 million users and 600,000 drivers. Information exposed by this breach includes names, email addresses, phone numbers, and license numbers. This article further discusses the details of this breach in relation to how it occurred, information that was exposed, the actions taken by Uber in response to this breach, and the bug bounty program launched by Uber to discover other vulnerabilities.

eWeek reports "Uber Admits It Hid Massive Data Breach of 57M Users and Drivers"

In the latest issue of Science Advances, researchers at Duke University, The Ohio State University, and Oak Ridge National Laboratory, have announced a new breakthrough in quantum computing in which they have significantly increased the speed of quantum key distribution (QKD) transmission. QKD uses particles of light known as photons to encode data in quantum bits, which are transmitted to a sender and receiver in the form of an encryption key. This article further discusses the increased speed of QKD transmission by researchers, the concept of QKD, and its contribution to cybersecurity.

TechRepublic reports "How Quantum Computing Could Create Unbreakable Encryption and Save the Future of Cybersecurity"

Dear Colleagues,

It is my pleasure to invite you to the upcoming Workshop on Modeling and Simulation of Cyber-Physical Energy Systems!

http://www.palensky.org/mscpes/2018

After Berkeley, Berlin, Seattle, Vienna, and Pittsburgh, we are this time in beautiful Porto, Portugal, again co-located with the annual Cyber-Physical Systems Week.

Full paper submission deadline is 4th February 2018. Accepted and presented papers will be submitted to IEEE Xplore digital library.

CERT/CC has recently revealed a flaw in the Windows operating system, affecting users of Windows 8, 8.1, and 10. The flaw is based in a feature known as ASLR (address space layout randomization), which helps prevent attacks such as code-reuse and return-oriented programming attacks that may allow attackers to take control of a device. This article discusses ASLR, how it works in Windows, and how administrators can fix the problem using existing Windows software while waiting for a security patch.

GovInfo Security reports "Windows 10 Security Feature Broken, CERT/CC Warns"

Critical flaws have been discovered within the Intel Management Engine (ME), Intel Trusted Execution Engine (TXE), and Server Platform Services (SPS). The ME is a subsystem that runs independently within the Intel chipset, which enables management functions such as administering updates, troubleshooting, and more to be done remotely by administrators. The exploitation of vulnerabilities within the ME poses significant threats as this subsystem has access and command over the main system processors. This article further discusses the concerns that have been surrounding ME, as well as the significant threats and potential level of impact posed by these newly disclosed flaws.

Wired reports "Intel Chip Flaws Leave Millions of Devices Exposed"

Security researchers have demonstrated ways in which data could be extracted from air-gapped computer systems through the development of covert channels. These channels are characterized into 4 different types, which include electromagnetic, acoustic, thermal, and optical. This article further discusses how hackers could abuse these channels to steal data, the insecurity of light-emitting diodes (LEDs), and other related research.

ZDNet reports "Four Methods Hackers Use to Steal Data from Air-Gapped Computers"

An annual report released by Bugcrowd titled, "Inside the Mind of a Hacker 2.0", shares findings in relation to the bug hunting community. The report reveals that there has been a considerable increase of participants in bug bounty programs from 2016. Another finding reveals a significant increase of younger bug hunters ranging from ages 18 to 29, most of which have earned some form of higher education. This article further discusses the findings shared within this report in pertinence to the demographics and motives of the bug hunting community, along with the importance of increased cybersecurity talent.

SD Times report "Bugcrowd: Young Cybersecurity Professionals Are Turning to Bug Hunting"

Researchers at Sandia National Laboratories will conduct a study funded by the U.S. Department of Defense, in which the physical and mental responses of hackers are measured as they perform attacks. In the study, hackers will wear body monitoring equipment to measure their heart rate and other biological responses as they compete to compromise computers within a simulated network. The goal of this study is to determine the most secure configurations by discovering the level of difficulty faced by hackers in the infiltration of certain hardware and software, as well as how they cope with the challenge. This article further discusses the goal of the study, the body monitoring technology that would be used in this study, as well as the support behind this research.

GCN reports "What Makes Hackers Tick?"

An annual U.K. cybersecurity competition aims to help address the severe workforce shortage within the cybersecurity job market by raising awareness and encouraging the pursuance of careers in the cybersecurity field. The Cyber Security Challenge U.K., provides a series of games in which participants can assess their cybersecurity skills. Players who achieve high scores are invited to participate in regional competitions. Top performers within the regional competitions are asked to further participate in a masterclass and a team-based competition. As finalists show promise in successfully applying their skills, they are usually hired into cybersecurity jobs following the completion of the challenge. This article further discusses the details of the competition in pertinence to its goals, support, development, practices, and results.

Bloomberg reports "Companies Turn to War Games to Spot Scarce Cybersecurity Talent"

Industry experts have emphasized six essential steps that organizations should take in order to improve upon the sharing of threat intelligence. Organizations must understand their event data before sharing, optimize the use of event data intelligence through the utilization of proper tools, exchange data with peers with the use of a system in which the relation of event data to other organizations can be viewed before sharing, and more. This article further discusses ways in which organizations can efficiently share threat intelligence.

Dark Reading reports "6 Steps for Sharing Threat Intelligence"

Phishing remains one of the most prominent and successful attacks, targeting users in a variety of ways designed to gain access to their online credentials such as login information, credit card data and more. Researchers at both University of California Berkley and Google have written a research paper comparing the amount of account information on the black market with the tools available to gain account information in a time period from March 2016 to March 2017. The end result provided shows that phishing still presents a greater risk above keyloggers and data breaches. This article further discusses the data analysis given by Google and UC Berkley, and the overall risk it presents to users.

Threatpost reports "Phishing Biggest Threat to Google Account Security"

SoS Musings #8

Need for Scientifically Backed Security

Ransomware has significantly grown in strength and frequency as shown by the recent widespread outbreaks of WannaCry and Petya attacks. In order for enterprises to become better prepared in the battle against ransomware, they must be aware of the different types of ransomware that can be launched by attackers. This article further discusses five types of ransomware including encrypting ransomware, non-encrpyting ransomware, leakware, mobile ransomware, and wiper ransomware, along with the future of ransomware.

Help Net Security reports "Rise and Evolution of Ransomware Attacks"

Security researchers have discovered a vulnerability, which can be exploited by attackers to gain access to millions of user conversations and SMS messages sent by applications that use the Twilio service. The "Eavesdropper" vulnerability arises from the presence of API credentials that have been hardcoded into these applications by developers. These credentials can be extracted by attackers to access call records, audio recordings, text messages, and more. This article further discusses the discovery of this vulnerability, the cause of this flaw, and types of applications that have been affected.

Bleeping Computer reports "'Eavesdropper' Vulnerability Exposes Millions of Private Conversations"

Security researchers at Bkav, an information security firm based in Vietnam, claim to have defeated the facial-recognition system used to authenticate users of Apple's newest iPhone. Researchers have carefully crafted a mask with the use of 3D printing, 2D images, makeup, and handmade silicon to trick the Face ID feature offered by iPhone X. This article further discusses the creation of the mask, the likelihood of this threat, and what the results of this research indicates about the current state of biometric security.

infoRisk Today reports "Hackers Claim to Defeat iPhone X 'Face ID' Authentication"

Authentication is a major part of our everyday lives as we use various forms of identification such as driver's licenses, ID cards, passwords, passcodes, and more to prove our identities offline and online. Although the process of authentication is becoming easier through the use of fingerprint readers, facial recognition systems, and other forms of biometric authentication technologies, there are still challenges pertaining to the digital authentication of an analog human's identity. This article further discusses three main ways of proving the identity of an individual human being, the potential impacts of digital authentication on security, and future complications associated with advanced authentication.

Homeland Security News Wire reports "The Challenge of Authenticating Real Humans in a Digital World"

Cyberattacks are expected to become significantly more devastating for companies in the coming year. As companies are increasingly taking action to defend against cyberattacks, attackers are expected to take on more volatile methods of launching such attacks in order to receive higher profits. This article further discusses the expected increase in the destructiveness of cyberattacks, tactics that are predicted to be used more by cyber criminals, and ways in which companies can prepare to prevent these highly destructive forms of attacks.

Help Net Security reports "Extortion-Based Cyber Attacks: the Next Evolution in Profit-Motivated Attack Strategies"

Self-driving cars operate through the use of deep learning systems. Deep learning is a form of machine learning that uses layers of artificial neurons in an attempt to mimic the processing and merging of information performed by the human brain. Although this technology has improved significantly in the development of intelligence, increased automation of tasks still raise concerns pertaining to safety, security, and ethics. A tool by the name of DeepXplore has been developed by researchers at Columbia and Leigh universities to perform automatic error-checking of neurons within deep learning neural networks used by self-driving cars to uncover deficient reasoning by clusters of neurons, malware masqueraded as harmless code in anti-virus software, and more. This article further discusses the concerns surrounding deep learning systems, the DeepXplore tool, and other methods of debugging the neural networks in self-driving cars.

EurekAlert! reports "Researchers Unveil Tool to Debug 'Black Box' Deep Learning Algorithms"