News Items

SoS Musings #4

Really?

The previous Musings (#3) asked what additional knowledge and techniques might be useful in building security science. At the time of this writing there has been no responses to the survey. REALLY?

Officials of the Institute for Cybersecurity at Regent University has announced the development of an advanced cyber range training facility that will be dedicated to helping students attain high-level cybersecurity skills and knowledge through hands-on training programs. Regent's Cyber Range will also offer training programs to enterprises, consultancies, government, and military organizations. This training center is expected to address the severe skill shortage within the field of cybersecurity. This article further discusses the development of Regent's new training center and what it will offer, along with the skill shortage within the cybersecurity career field.

GSN reports "Regent University to build cyber training facility at its Virginia Beach campus"

A new contest ran by Kaggle, which is a platform for data science competitions, will allow researchers to battle each other with AI algorithms. This competition was created in an effort to encourage learning and understanding of protecting machine-learning systems against cyberattacks. The contest will contain three challenges, which involve confusing a machine-learning system into improper function, forcing a system to perform incorrect classification, and developing highly powerful defenses. This article further discusses the growing importance of machine learning, potential impacts posed by attacks on machine-learning systems, the challenge of studying adversarial machine learning, along with the goals of this competition.

MIT Technology Review reports "AI Fight Club Could Help Save Us from a Future of Super-Smart Cyberattacks"

According to Gartner, AI technologies are expected to be widely implemented into nearly all new software products and services by 2020. As the hype surrounding AI continues to grow, software vendors are increasingly becoming more interested in offering this technology with their products. However, most vendors seem to have placed attention onto the development and marketing of AI rather than the needs, uses, and business values associated with the technology. This article further discusses fear brought upon by AI and three issues in which technology providers must know how to respond to in order to successfully take advantage of AI technology opportunities.

Help Net Security reports "AI technologies will be in almost every new software product by 2020"

Recent incidents of massive data breaches call for comprehensive use of data encryption. IBM has unveiled IBM Z, a mainframe computer that will perform extensive encryption within an enterprise as it aims to constantly encrypt all data connected to any applications, cloud services, and databases. IBM Z will feature faster encryption, greater scalability, automatic encryption of data and code, protection against tampering during runtime and installation, along with many other capabilities. IBM has also announced the utilization of IBM Z by its new blockchain cloud data centers. This article further discusses reasons for the lack of extensive encryption in the past, statistics pertaining to recent data breaches, along with the development and capabilities of IBM Z.

VentureBeat reports "IBM Z mainframe brings end-to-end encryption to all your data"

Recent incidents of data exposure due to improperly configured databases and cloud repositories highlight the dangers of misconfiguration brought upon by human error. Even though mistakes made by companies may be small, they could still have massive impacts on the security of many consumers' and users' data. According to security researchers, misconfigurations and poor defaults invite a new kind of online criminal behavior. However, there are two ways that could potentially reduce the number of these mistakes. This article further discusses the impacts posed by human error in relation to misconfiguration and two ways that could help reduce the frequency of such mistakes.

Wired reports "Blame Human Error for WWE and Verizon's Massive Data Exposure"

Android malware by the name of "GhostCtrl", which is a variant of Omni RAT malware, has been launched to target Android, Mac, Windows, and Linux systems in order to snoop on victims' activity and steal sensitive data such as SMS records, contacts, phone numbers, browser bookmarks, searches, and more. GhostCtrl can also perform a number of malicious activities in the manipulation of compromised devices, including control Wi-Fi state, delete files, download files, and much more. Researchers have also revealed that GhostCtrl consists of three versions. This article further discusses the capabilities and processes of GhostCtrl, other discoveries made about this malware, along with some suggestions from researchers on how to prevent devices from being infected by this malware.

IBT UK reports "What is GhostCtrl? Android malware 'possesses' devices to spy, steal and do its bidding"

Security researchers have discovered a new bug, which has been dubbed, "Devil's Ivy". This bug was discovered within an open source software library by the name of gSOAP during the examination of an IoT camera manufactured by Axis. Canon, Cisco, Hitachi and many other members of the electronics industry consortium, ONVIF, also use gSOAP, therefore are at risk of their products being exploited of the same vulnerability. Researchers warn that this vulnerability could be exploited to allow hackers to remotely access and control vulnerable IoT devices of every type. This article further discusses how this vulnerability was discovered by researchers, how this vulnerability performs if exploited, how far-reaching this vulnerability might be, manufacturers' reaction to this discovery, and the importance of ensuring the security of IoT devices.

Motherboard reports "Nasty Bug Left Thousands of Internet of Things Devices Open to Hackers"

Researchers from Kyoto University have demonstrated Vector Stream Cipher's (VSC) strength as revealed in a sequence of papers that have been published in IEEE Transactions on Information Forensics and Security and IEICE Nonlinear Theory and Its Applications. This demonstration offers definitive proof of the security of VSC as researchers have conducted many tests, including evaluations on the lock's randomness. This article discusses what was done by researchers to prove the strength of VSC as well as what was discovered from the research of this cipher.

Phys.org reports "Researchers prove the security of the Vector Stream Cipher"

The SANS Institute recently surveyed professionals within the Industrial Control Systems (ICS) security field to collect information and get a better understanding of their mindsets towards the security of their systems in regards to threats, attacks, and defense approaches. This research revealed that security is a major concern for ICS as the top three biggest threats expressed by respondents include devices connected to networks, internal threats deriving from accidents, and external threats such as hacktivism. This article further discusses the findings of this survey including currently implemented security measures and the most requested technologies and solutions by industrial control security practitioners

We Live Security reports "Industrial control security practitioners worry about threats ... for a reason"

John Ventura, practice manager for applied research at Optiv, will be demonstrating a more effective method to performing intrusion prevention at Black Hat USA. This method includes the placement of situations where attackers can accidentally expose themselves to detection based on their strongly dependent use of commonly utilized attack tools and techniques. As part of the demonstration, Ventura will present how design vulnerabilities contained by popular hacking tools could be exploited by defenders in order to perform intrusion prevention. This article further discusses how Ventura plans to demonstrate this approach to intrusion prevention.

Dark Reading reports "How Active Intrusion Detection Can Seek and Block Attacks"

Enterprises are frequently bombarded with phishing and spear phishing emails. While most companies have implemented security measures such as antivirus systems and spam filters to combat such attacks, these security methods are still insufficient in preventing the vast range of deception or social engineering tactics. Business Email Compromise (BEC) poses a great threat to companies as attackers could perform digital impersonation to carry out malicious activities. This article further discusses the insufficiency of common security solutions implemented by businesses, ways in which BEC scams could be detected, along with possible solutions to preventing and stopping such scams.

Help Net Security reports "BEC scams: How to avoid them and how to fight back"

Verizon has faced a massive breach as 6 million customer accounts have been exposed. Data that has been exposed include names, addresses, phone numbers, customer PIN codes, and more. Researcher from the cyber risk team at UpGuard, Chris Vickery, discovered the exposure of data, which was stored within an unsecure Amazon Web Services Simple Storage (S3) bucket managed by one of Verizon's partners, NICE Systems. This article further discusses the details of this breach in regards to how Verizon has responded, how this breach occurred and was discovered, the importance of ensuring that services are securely configured, along with how the compromised data could possibly be used by scammers.

InfoRiskToday reports "Verizon Breach: 6 Million Customer Accounts Exposed"

Distil Networks has developed a new solution to preventing access to API servers from bots, which will be provided through Bot Defense for Mobile App APIs. Attacks such as brute force, online fraud, compromise of accounts, and many others, often arise from the access of API servers by bots. Therefore, this solution aims to determine whether attempted access to API servers is coming from a person via a verified browser or mobile device. This article further discusses the capabilities of this solution.

BetaNews reports "New solution prevents bots from accessing API servers"

According to a report from Aberdeen Group, improving upon the speed of detecting and responding to cyberattacks, significantly reduces the impact on the availability of enterprise computing infrastructure. This report also reveals rates in which organizations are now transitioning from traditional computing environments to primarily mobile infrastructures. The complexity of a dynamic infrastructure is also noted, emphasizing the need for new security implementations. This article further discusses the findings of this report and what security approach needs to be implemented in order to ensure the security of increasingly complex computing infrastructures.

Infosecurity Magazine reports "Enterprise Complexity Requires New Security Approaches"

The Navarro Security Group of Florida faced an incident in which a former employee decided to inflict major damages to the company after his departure. With malicious intent to destroy the company that he used to work for, Jonathan Eubanks infiltrated the company's operations manager's computer, networked printer, payroll app, and website. Eubanks then went on to inflict further damages by deleting important files, sending derogatory emails to former colleagues, and redirecting traffic from the company's website. This article further discusses the details of these malicious activities and what tools were used by Eubanks to perform them.

CSO reports "Insider wreaks havoc on company--after he resigns"

Approximately 1,900 of Avanti Markets' self-service kiosk vending machines have been hacked using a version of point-of-sale (POS) malware called Poseidon. In the outbreak of this malware, sensitive information has been stolen including users' names on payment cards, credit card numbers, debit card numbers, users' email addresses, and more. This article further discusses the details of this attack in regards to what information has been compromised, how long the malware outbreak has lasted, the investigation of this attack, how Avanti Markets is handling this incident, the implementation of end-to-end encryption onto kiosks, and other incidents of POS malware.

Data Breach Today reports "Self-Service Kiosk Maker Avanti Markets Hacked"

The approval of the Encrypted Media Extensions (EME) specification by W3C's director, Tim Berners-Lee, has sparked concerns and debates in pertinence to the security and privacy of users. Philippe Le Hegaret, project management lead for the W3C, has stated that the specification stands as a better alternative than other platforms in addressing security, privacy, and accessibility for users as it fully utilizes the web browser instead of relying on a plugin to enable the playback of protected content. However, the allowance for Digital Restrictions Management (DRM) by EME, still ignites great concerns for the security and privacy of users. This article further discusses the reason behind the approval of EME, implications of DRM on users, and what actions are being taken against EME and DRM.

SD Times reports "DRM concerns arise as W3C's Tim Berners-Lee approves the EME specification"

Energy companies are being targeted by hackers using a new attack method, which applies a new twist onto the popular phishing tactic, according to researchers at Talos Intelligence. The process of phishing usually consists of the creation and distribution of legitimate-looking emails to victims in order to perform other forms of attacks upon the execution of embedded coded within those emails' attachments. However, researchers have discovered that new phishing campaigns targeting power companies can run without the embedment of malicious code within attachments. This article further discusses how this attack differs from the usual phishing tactic and other findings by researchers.

ZDNet reports "Hackers are using this new attack method to target power companies"

Two-factor authentication (2FA) is usually overlooked by businesses when deciding upon which security measures to implement, however this option is becoming increasingly more essential. The implementation of 2FA increases security of businesses' online services in the event that access credentials are stolen or leaked. This article further discusses the benefits of 2FA, why only using passwords as a form of authentication is insufficient for security, and the cost of implementing 2FA within a business.

We Live Security reports "Two-factor authentication: An underutilized security measure in businesses"

Two researchers from China have discovered the possibility of decrypting satellite phone communications that use GMR-2 cipher for encryption. The GMR-2 is a stream cipher that consists of a process in which keystreams are generated and ciphertexts are attained by the XOR of generated keystreams with plaintexts. In order to resist a plaintext attack, the encryption-key from the keystream must be protected by increasing the complexity of deriving it with an inversion attack. The researchers were able to perform an inversion attack against GMR-2, which allowed the real-time decryption of targeted communications. This article further discusses the GMR-2 cipher, how researchers made their discovery, and what other research concluded about GMR-2 cipher.

Help Net Security reports "Satellite phone communications can be decrypted in near real-time"

Interpol encourages the improvement of information-sharing between government, law enforcement, businesses, and cybersecurity companies as the expanding landscape of cybercrime calls on the collaboration of such entities and groups to combat cyber threats. President of Interpol, Meng Hongwei, emphasizes the importance of collaboration among government and law enforcement officials, along with many others to handle cyber threats. This article further discusses the benefits of partnership in approaching cybercrime as well as the benefits of information-sharing between and within organizations.

Computer Weekly reports "Collaboration is key to combating cyber crime"

As indicated by the Global Cybersecurity Index (GCI), recently published by the International Telecommunication Union (ITU), there is much need for a global upgrade on cybersecurity. As revealed by the survey of 134 countries, Singapore was rated the "most committed" to cybersecurity. The survey also noted that the lack of a global cybersecurity standard is a major issue as half of the countries that have participated in this survey do not have cybersecurity strategies in place. This article further discusses what this survey focused on and other findings.

CNET reports "UN finds cybersecurity is a struggle worldwide"