Cyber Risk News
Combining three random words is more effective than using complex combinations for passwords, says the National Cyber Security Council (NCSC).
An NCSC blog post dated August 9 explains how this approach, which it calls “think random,” helps to “keep the bad guys out.” The post follows on from one published nearly five years ago, “Three random words or #thinkrandom.”
According to the post, enforcing “complex requirements” for passwords is a poor defense against guessing attacks. This is because “minds struggle to remember random character strings,” and, being human, we use “predictable patterns” to meet the required criteria.
Cyber hackers are all too familiar with this and use it to make their attacks more effective. According to Verizon, compromised passwords are responsible for 81 percent of hacking-related data breaches.
“Counter-intuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” says the NCSC post. “Faced with making yet another password with specific requirements, users fall back on variations of something they already know and use, falsely believing it to be strong because it satisfies password strength meters (and is accepted by online services).”
The NCSC also advises that the “continued low uptake of password managers to store and generate passwords” leads to this predictability. It has encouraged organizations and people to use them for a while.
“Passwords generated from three random words help users to create unique passwords that are strong enough for many purposes, and can be remembered much more easily,” explains the NCSC blog post. “This is also good for those who aren’t aware of password managers, or are reluctant to use them.”
The NCSC says that the three random word approach is effective because of its length, impact, novelty and usability.
The NCSC acknowledges that some may be wary of this tactic because of previous behavior patterns. Nonetheless, it advises that people adopt the “think random” technique as a response to search algorithm optimization, weaker passwords and poor password recall.
“We do appreciate that some system owners may have concerns using the three random words technique over others,” says the NCSC. “It may not be necessary across all organizations.
“However, if you’re not using 'three random words' for any of the following reasons, then you may want to consider adopting it.”
According to Nordpass’ 'Top 200 most common passwords of the year 2020', the top passwords are “123456”, “123456789” and “picture1”.
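To put numbers on the NCSC's argument, the following added example (not from the NCSC post) draws three words with a CSPRNG and compares the guess-space of that construction with the predictable "one word, first letter capitalised, short number, one symbol" pattern the post warns about. The ten-word list is constructed for the demo; the 7,776-word size used in the comparison is that of the widely used EFF long word list, and the pattern model (two digits and a choice of ten symbols) is a simplifying assumption.

```python
import math
import secrets

# Constructed mini word list for the demo. A real generator would use a
# large list; the EFF long list has 7,776 words, the size assumed below.
SAMPLE_WORDS = ["coffee", "trombone", "glacier", "pencil", "harbor",
                "velvet", "meadow", "saddle", "lantern", "cactus"]
EFF_LONG_LIST_SIZE = 7776


def three_random_words(words=SAMPLE_WORDS, n=3, sep="-"):
    """Draw n words uniformly and independently with a CSPRNG (secrets),
    with replacement, and join them. The uniform, independent draws are
    what make the result unpredictable; the words need not be obscure."""
    return sep.join(secrets.choice(words) for _ in range(n))


def entropy_random_words(list_size, n=3):
    """Guess-space in bits for n independent uniform picks from list_size words."""
    return n * math.log2(list_size)


def entropy_predictable_pattern(list_size, digits=2, symbols=10):
    """Guess-space in bits of the pattern the NCSC post warns about (assumed
    model): one dictionary word with its first letter capitalised, followed
    by a short number and one symbol, e.g. Word12!. Because the structure is
    predictable, a guessing attack only has to cover
    list_size * 10**digits * symbols candidates, whatever a strength meter says."""
    return math.log2(list_size * (10 ** digits) * symbols)


if __name__ == "__main__":
    print("example passphrase:", three_random_words())
    print("three random words (EFF list): %.1f bits"
          % entropy_random_words(EFF_LONG_LIST_SIZE))
    print("Word12!-style pattern:         %.1f bits"
          % entropy_predictable_pattern(EFF_LONG_LIST_SIZE))
```

The three-word passphrase from a 7,776-word list sits near 39 bits, against roughly 23 bits for the pattern, even though the pattern satisfies typical complexity rules and the passphrase does not.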
Autonomous farming equipment that can be controlled remotely now helps to feed humanity. But what if that farming equipment were hacked?
On August 8, at the DEF CON 29 conference, an Australian researcher known only as 'Sick Codes' detailed what he referred to as a "tractor load of vulnerabilities" that, if exploited by an attacker, would have dire consequences for the global food supply chain. The researcher explained that modern farming equipment is increasingly being automated, with the equipment being controlled from a centralized console that could have access to many different farms.
The researcher detailed a litany of potentially disastrous outcomes if an attacker were able to gain access to the connected farms. For example, a hacker could direct chemical treatments to be over-sprayed, turning fertile land into infertile land that can't be used for generations. With a denial of service attack, a farmer's ability to plant seeds at a critical time could be impacted, preventing the farmer from growing crops. Another large risk comes from the fact that an attacker could gain control of a farming device like a tractor and send it to the wrong location or even drive it off the farm onto a highway.
"What we consider downtime in a website for five minutes, might be the difference between a tractor driving auto track going offline, while the tractor keeps driving, hits a tree, or injures someone," Sick Codes said.
The Vulnerabilities of the Connected Farm
The researcher noted that nearly every single farm today is connected with a variety of different technologies, including cellular with 4G and 5G, as well as Wi-Fi and GPS. Farming equipment also now increasingly makes use of the LoRa protocol, as well as NTRIP, which helps to provide accurate positioning.
In the case of farming equipment vendor John Deere, Sick Codes noted that information and control can be handled remotely via the John Deere Operations Center, which he and his colleagues were able to hack into.
There were multiple vulnerabilities that the researcher was able to discover, including what he referred to as a basic username enumeration issue. With that vulnerability, he was easily able to identify user names of equipment owners. There was also a Cross Site Scripting (XSS) vulnerability that enabled the researcher to get even more information.
"Obviously XSS is a really basic vulnerability, but what it does show you is that they're not taking into consideration basic vulnerabilities," the researcher said.
As it turns out, the XSS was the least of the problems. Sick Codes detailed how he was able to get access to a remote system that essentially gave him control of some connected farming devices that the John Deere Operations Center had access to.
"We could literally do whatever the heck we wanted with anything we wanted on the John Deere Operations Center, period," he said.
The researcher noted that all the vulnerability information was disclosed to John Deere, which wasn't immediately responsive. The researcher then also got the U.S. government's Cybersecurity and Infrastructure Security Agency (CISA) involved, which helped to get the issues remediated.
John Deere wasn't the only farming equipment vendor where the researcher found issues. Case IH was also found to be lacking by Sick Codes. The researcher was able to learn that Case IH was using a publicly accessible Java Melody server, which provided visibility and control into equipment actions.
"We could just browse the Java Melody server for your sessions and it was all publicly accessible, which is ridiculous," the researcher said.
The researcher noted that though it took some time, eventually he was able to get in contact with Case IH, and the vendor fixed the reported issues.
DoS is usually an acronym that refers to Denial of Service, but according to researcher Joseph Gabay, it can also stand for Denial of Shopping.
On August 8, at the DEF CON 29 conference, Gabay outlined his research into how physical shopping cart immobilization systems work, and how they can potentially be abused by hackers. He noted that physical shopping carts embed some pretty cool technology that most people take for granted every time they go shopping.
Gabay explained that what physical shopping cart immobilization systems provide is a way for a retailer to prevent the theft of the shopping cart. The way it typically works is when the shopping cart is taken outside of an approved boundary, usually a parking lot, one of the wheels will lock itself using an internal mechanism, restricting the ability to take the cart any farther.
"A bunch of very smart people spent a lot of time and money designing a system to prevent people from doing something that they didn't want them to do," Gabay said. "This is a technical challenge, and for me, I was curious to see whether or not I could overcome it and dissect it."
Discovering How Shopping Cart Immobilization Works
The technology that Gabay looked at comes from Gatekeeper Systems and involves several components.
There is a buried wire around the perimeter of the parking lot that sends out a signal. When the cart crosses over this signal, it senses it and uses an internal mechanism to lock up the wheel. Gabay said that store employees have a remote so that they can unlock it and bring it back into service.
Gabay noted that in the U.S. any consumer product that is going out into public with radio frequency (RF) systems has to be approved by the Federal Communications Commission (FCC). As it turns out, as part of the approval process there is testing and report data that needs to be submitted, which is then searchable in a public database. Using that publicly available information, Gabay was able to learn what frequencies the shopping cart security system was using, which included both the 2.4 GHz and 7.8 kHz ranges.
Gabay detailed how he built a small antenna and then took it to a parking lot where he knew the system was in place to capture some signals. The Gatekeeper system also has a device known as a CartKey, which a retail store employee can use to unlock a shopping cart that has gone outside the store perimeter. Gabay said he simply went onto eBay and bought a CartKey and then scanned the signals coming from it that were used to unlock a shopping cart.
How to Unlock a Physical Shopping Cart
By comparing the lock and unlock signals and decoding them, Gabay discovered that the unlock signal is just the inverse of the lock signal.
In order to unlock or lock a cart, all he had to do was execute what is known as a replay attack. Gabay explained that a replay attack is when a hacker captures a signal and replays it back, trying to mimic the original device.
"There's lots of ways to protect against this with various authentication schemes or incrementing a number for the signal sent to the shopping cart wheels," Gabay said. "They don't implement any of this; it's the same signal all the time, which is very good for us."
Replaying the captured signals could be executed with a phone's speaker, though that works only at a very short range. Gabay noted that it would be difficult to expand the range for the replay, given the frequencies that the system uses.
"It's likely that Gatekeeper Systems did this on purpose, so you either don't accidentally lock a whole bunch of carts or have people like us go out there and lock a whole bunch of carts all at once with nobody knowing what's going on," Gabay said.
Practically, Gabay doesn't suspect that there is all that much risk to his physical shopping cart attack research. He noted that it's possible to lock or unlock carts within a few feet, but that's about it. He concluded by suggesting that hackers don't actually use his research to go disrupt shopping carts by locking them.
"The only person whose day you'll make worse is the random grocery store employee who has to go around unlocking carts, and that's just not cool," he said.
There may be little if any argument about the vast impact that social media platforms have on the lives of hundreds of millions of people around the world. Social media has also had a profound influence on elections.
In a session at the DEF CON 29 conference on August 7, Sebastian Bay, a researcher at the Swedish Defence Research Agency (FOI), outlined how social media platforms are failing at limiting the risk of false information dissemination, via inadequate security policies that aim to remove fake accounts. In Bay's view, the failure to block some of the false information should be considered as a critical component of election security.
Bay explained that there are basically two related types of issue that could lead to false information. There is the issue of content itself, and then the issue of inauthentic behavior, which is about bots and other automated mechanisms designed to appear as real human activity.
In Bay's view, the major social media platforms have made concerted efforts in recent years regarding election-related content. That said, he noted that it is tricky to develop clear policies for inauthentic behavior and other forms of social media manipulation. To be clear, Bay emphasized that inauthentic behavior is not permitted by the social media companies, though it continues to occur.
"The European Union has long underscored the need for social media companies to intensify and demonstrate effective methods to close fake accounts," Bay said.
The social media companies do in fact report to the European Commission about the number of fake accounts that have been closed, and it's a huge problem that Bay said is measured in the billions.
For 300 Euros Anyone Can Buy Influence
Underlying the continued challenge of fake accounts is a whole industry that provides manipulation services for hire, including the infrastructure needed for manipulation services to work.
Bay noted that the infrastructure ranges from fake SIM cards to services used to generate and maintain fake accounts. While Bay's agency initially referred to the market for fake accounts as a 'black market,' the reality is that much of the activity is happening in the open.
"It's extremely easy to find, and the openness of this industry is still today quite striking," he said. "We see that the larger social media manipulation service providers fearlessly promote their services on their own websites, mobile app stores and on the social media platforms themselves."
Bay's agency has conducted multiple experiments to see how easy it is to buy fake accounts and influence. In both 2019 and 2020, for the small sum of 300 euros, he was able to buy up to 335,000 fake engagements, across different social media providers. The activity was all also reported afterward to the social media companies, with little impact.
"Our conclusion last year was that Facebook, Instagram, Twitter, YouTube and TikTok are still failing to sufficiently combat inauthentic behavior on their platforms, enabling the widespread false information dissemination on their platforms," Bay stated pointedly.
The same type of research is currently being conducted by Bay and his team in 2021, and he sees little change. Overall, he noted that Twitter is still the industry leader when it comes to countering abuse of their system. Facebook is making progress but still has work to do, and TikTok doesn't seem to be moving forward much.
"Social media cyber-security equals election security, because we're seeing that the spread of misinformation undermines the will and ability of voters to vote on Election Day," Bay said. "We're seeing that the intentional manipulation of political conversations on social media platforms is happening online, and some of it also happens using technical manipulation, and that can be prevented with additional cybersecurity from the social media companies."
If a computer science student has a scheduling conflict and wants to attend two different classes that occur at the same time, what should that student do?
In a session at the DEF CON 29 conference on August 7, Ph.D. student Vivek Nair outlined a scenario where a hack of the attendance system could, in fact, enable him, or anyone else, to be in two places at the same time. Nair explained that many schools use an RFID-based attendance system known as an iClicker to track whether or not a student is present. The system includes a base station for each classroom or lecture hall, and then each student is required to carry a device, which can also be used to answer multiple-choice questions.
Nair noted that in the popular Harry Potter fiction series there is a magical device known as a Time Turner, which is used to help enable a student to be in two classes at the same time, via time travel.
"Without the luxury of magic, what is the next best thing?" Nair asked. "It is, of course, hacking."
Building a Time Turner to Exploit a Modern University
In his talk, Nair outlined how the RFID-based system was reverse engineered so he could learn how it works. With that knowledge, he realized that there was no encryption on the device transmissions and it could be possible to mimic a real device.
"It is hard to overstate how vulnerable the system is, and it's even more shocking that this exact model is currently used at over 1,100 universities, and in nearly 100,000 classrooms," Nair said.
Nair said that a clone device could be built using a low-cost Arduino electronics platform. He noted that the Arduino is a low-power technology that could be powered with a small battery.
By placing the custom Arduino-based Time Turner in a classroom, it could potentially mimic the actions of a legitimate device. That means it could enable a student to claim to be physically in a class that they aren't actually in.
Going a step further, Nair demonstrated how the custom Time Turner could also respond to polling quiz questions that a teacher might ask. The system is aware of all the other answers coming into the main base station in the classroom and can be set to automatically select the most common answer to submit, on behalf of the absent student.
"If I were more nefarious, what I could do is try to change the votes of my classmates," Nair said. "A vulnerability that allows me to change someone else's answer on the polling system is a major oversight."
Going a step further, he noted that if he were even more nefarious still, the Time Turner could be used to launch a denial of service attack, flooding the classroom's base station with hundreds of votes per second. That would quickly overwhelm the host device, eventually causing it to crash and making it impossible for legitimate students to submit answers.
Lack of Authentication
The big problem with the attendance system has to do with authentication.
Nair explained that the way the attendance system works is that the student's device is just broadcasting its presence over a radio signal without any real authentication. He emphasized that the system lacked confidentiality, integrity, and availability.
"With regards to confidentiality, there was none to speak of, as I demonstrated when we were able to listen to other students’ answers," Nair said.
Nair suggested that vendors should implement the use of encryption in transit to help provide some confidentiality. He also recommends the use of a Physically Unclonable Function (PUF) for the student device, which would restrict the ability of an attacker to build their own device with an Arduino.
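Both the shopping cart wheels described earlier and the attendance clickers above accept an unauthenticated signal that is the same every time, which is why a captured transmission can simply be replayed. The following added example (not code from either vendor or researcher) shows the kind of message check Gabay and Nair each allude to: a per-device key, a monotonically increasing counter and an HMAC tag, verified on the receiver side. The device IDs, keys and message layout are constructed for the demo; in the PUF design Nair recommends, the per-device key would be derived from the hardware rather than stored, so a clone on generic hardware would not have it. Encryption of the message body (Nair's confidentiality point) is a separate layer not shown here.

```python
import hashlib
import hmac
import struct

# Constructed per-device secret keys (made-up values for the example).
DEVICE_KEYS = {
    0xA1B2: bytes.fromhex("00112233445566778899aabbccddeeff"),
    0xC3D4: bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}

HEADER_FMT = ">HIB"   # device_id (2 bytes) | counter (4 bytes) | command (1 byte)
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 8           # truncated HMAC-SHA256 tag


def build_message(device_id, counter, command, key):
    """Sender side: header followed by an HMAC-SHA256 tag over the header.
    The counter changes every message, so two genuine transmissions of the
    same command never look alike on the air."""
    body = struct.pack(HEADER_FMT, device_id, counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Base station / cart wheel side: verify the tag with the device's own
    key and accept only a counter higher than the last one seen for that device."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}   # device_id -> highest accepted counter

    def accept(self, msg):
        if len(msg) != HEADER_LEN + TAG_LEN:
            return False, "malformed"
        body, tag = msg[:HEADER_LEN], msg[HEADER_LEN:]
        device_id, counter, command = struct.unpack(HEADER_FMT, body)
        key = self.keys.get(device_id)
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return False, "bad tag"
        if counter <= self.last_counter.get(device_id, -1):
            return False, "replay"
        self.last_counter[device_id] = counter
        return True, "device %#06x command %d" % (device_id, command)


def demo():
    """Walk through the cases the talks describe; returns the accept flags."""
    rx = Receiver(DEVICE_KEYS)
    key = DEVICE_KEYS[0xA1B2]
    m1 = build_message(0xA1B2, 1, 0x01, key)
    results = [rx.accept(m1)[0]]        # fresh message: accepted
    results.append(rx.accept(m1)[0])    # captured and replayed: rejected
    # Clone on generic hardware knows the format and device id but not the key
    forged = build_message(0xA1B2, 2, 0x01, b"guess")
    results.append(rx.accept(forged)[0])
    # Flipping the command byte in a genuine message invalidates the tag
    m2 = build_message(0xA1B2, 2, 0x01, key)
    tampered = m2[:HEADER_LEN - 1] + bytes([0x02]) + m2[HEADER_LEN:]
    results.append(rx.accept(tampered)[0])
    results.append(rx.accept(m2)[0])    # genuine next message still accepted
    return results


if __name__ == "__main__":
    print(demo())   # [True, False, False, False, True]
```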
No attack type has been as impactful as ransomware in 2021.
According to a panel of experts at the DEF CON 29 conference, the rising notoriety and impact of ransomware in 2021 has accelerated the need for both government and the private sector to act—though there was no clear consensus on the panel on exactly what actions should be taken.
Chris Painter, co-chair of the Ransomware Task Force, commented that after the ransomware attack against the city of Atlanta in 2018, more awareness could or should have been raised to help limit future impact. That didn't quite happen, and in 2021, the Colonial Pipeline, Kaseya and JBS meat-processing attacks, among so many others, have further raised the profile of ransomware in the public consciousness. Painter suggested that organizations need to further harden their own defenses to limit potential attackers.
Security researcher Robert Graham, however, doesn't necessarily think that hardening defenses is the best approach.
"The way you secure a bank is not by locking the front door; the bank has to be open for business and you have to have people come in," Graham said. "It's the same thing with networks."
Graham argued that it is unrealistic for organizations to always patch everything. In his view, if they did that, the network would be down basically all the time. The same is true of email phishing, where users are told not to click on things, which Graham argued is counter-intuitive, as users are always clicking on things and it's hard for a regular user to distinguish between a legitimate email and one that is not.
Cyber Insurance is Not the Answer Either
The panel also debated the role of insurance in ransomware. While having the financial ability to recover from an attack is good, it's not a solution.
Lawyer Elizabeth Wharton commented that insurance is just money and doesn't actually fix the ransomware problem. Wharton was a senior assistant city attorney for Atlanta when that city faced its ransomware incident.
"I think building in resiliency so that when your system starts burning, you can kick right into the playbook, have a plan and know who to call—that's important," she said.
To Pay, or Not to Pay
A primary question with ransomware is whether or not victims should pay the ransom.
Painter noted that the Ransomware Task Force did look at the issue of ransom payment but couldn't agree on a formal recommendation. For some organizations, paying might well be the fastest way to recover, especially when they don't have enough staff. Though ideally, in his view, the best approach is to provide better tools to organizations of all sizes to better protect themselves and limit risk.
Wharton commented that she has seen smaller counties in economically depressed areas get hit by ransomware. Those smaller local governments typically have small budgets and maybe one person responsible for keeping IT systems online. The choice for those types of groups is to pay the ransom, or to not be able to provide services to their constituents. She noted that of course they should have planned better, but the reality is that they just need to get back online.
Awareness is Not Enough
A key topic of discussion on the panel was how the awareness of ransomware is a good thing that should help drive better security.
Graham argued that awareness of ransomware is not the problem. Graham noted that lots of organizations have backups of their data, which is often cited as a best practice for ransomware recovery. The problem is that organizations have not looked at how the ransomware got into their systems in the first place and what they were able to do. So for example, if ransomware infected an organization and got control of a Windows domain controller that was connected to the backup server, the backups would also be encrypted by the ransomware.
"So the approach to ransomware is that we're aware, but we're not actually aware of the details," Graham said.
Amazon's Kindle e-reader is a popular device that has been on the market since 2007, with approximately 100 million Kindles in use around the world today.
The primary purpose of the Kindle is to enable users to read books. Slava Makkaveev, security researcher at Check Point Software Technologies, had another idea, though; he wanted to see if he could load a book that would exploit the Kindle. At the DEF CON 29 conference, Makkaveev outlined the process by which he was able to exploit a Kindle with a malicious eBook that he was able to create.
"Personally, I use Kindle a lot, but I've never heard about a malicious eBook," Makkaveev said. "That was the reason for me to research how to create such a book that could be used to gain root access remotely and take full control of a Kindle device."
Makkaveev noted that typically users connect their Kindle devices to a Wi-Fi network. While Wi-Fi could have potentially been used as an entry point to attack the Kindle, in his view using an eBook to reach the device is much easier and will also enable mass attacks.
There are multiple ways that Kindle users can get books, including directly via Amazon, transferred via USB, or via an email. There are also free online libraries that are open, where it's easy for anyone to upload and download eBooks.
"An attacker can easily upload a malicious book for free access, because no one expects to see malware targeting the Kindle," Makkaveev said. "Most libraries only care about the correctness of the metadata in the uploaded book, so when downloading an eBook from an online library you can never be sure of its content."
Inside the Kindle
Makkaveev explained that basically the Kindle operating system is the Linux kernel with a set of native programs, mainly provided by the BusyBox open source framework.
Many eBooks are handled by the Kindle operating system as PDF files. There are many different things that can be embedded within a PDF file, so Makkaveev focused his research on learning how the Kindle actually parses the data to show users. During his research he discovered a pair of vulnerabilities.
The first vulnerability is identified as CVE-2021-30354 and is an integer overflow in the Kindle's JBIG2 decoding algorithm for rendering the words from a PDF file. The overflow could enable an attacker to potentially overwrite specific bits of memory on a Kindle device.
"Now we have remote code execution vulnerability in the context of the PDF reader process," Makkaveev said.
With the first vulnerability it's possible to access special internal files on a Kindle, but an attacker would still be somewhat limited. What Makkaveev wanted was to be able to gain remote root access on a Kindle, free of any restrictions. That's where the second vulnerability comes in, providing a local privilege escalation exploit identified as CVE-2021-30355.
In a brief demo, Makkaveev showed how the whole attack works, where he was able to load a malicious eBook on a Kindle and then take over the device remotely. Once the user clicks on the book, the malicious payload hidden in the book connects to a remote server, providing a reverse shell that locks the user's screen with a window.
"As you can see, we gain the root permissions, so we can do whatever we want," he said.
An attacker could potentially steal a victim's Amazon account, delete books, convert the Kindle into a bot to attack other devices, or simply just brick the device, rendering it useless.
Makkaveev concluded his presentation by noting that he reported the issues to Amazon in February 2021 and they have now been fixed.
Three Disney theme park employees have been arrested in Florida as part of an undercover sting operation to catch sexual predators who target children via the internet.
The suspects are among 17 individuals arrested by the Polk County Sheriff's Office (PCSO) under the Operation Child Protector initiative. The initiative was a joint effort involving detectives from the Auburndale Police Department, Orlando Police Department, Winter Haven Police Department, and Orange County Sheriff’s Office.
From July 27 to August 1, detectives posed as juveniles on social media platforms, mobile apps, and online dating sites to investigate those seeking to lure children into meeting them for unlawful sexual activity.
Most of the suspects were arrested when they turned up to what they allegedly believed was going to be a meeting with a minor that would have a sexual outcome.
One of the suspects, 26-year-old Kenneth Javier Aquino of Orlando, who told deputies he is a lifeguard at Walt Disney World's Animal Kingdom Lodge, turned up to meet a minor for sex wearing his Disney polo shirt, swimming trunks, and a pair of Crocs.
In a statement, the PCSO said: "The suspects communicated with and solicited who they thought were children between the ages of 13 and 14 for sex acts. The suspects showed up to an undercover location in Polk County at separate times to meet who they thought were children, to sexually batter them."
The PCSO alleges that some of the suspects arrested during the sting transmitted pornographic images while grooming and soliciting children online.
The group of suspects, who range in age from 26 to 47 years old, face a total of 49 felony and two misdemeanor charges. All but one of the suspects is from the central Florida area.
Within the group are couple 34-year-old Jonathan McGrew and 29-year-old Savannah Lawrence of Kissimmee, who are accused of soliciting a 13-year-old to come to their apartment and have sex with them.
McGrew and Lawrence, who are further accused of sending a video of themselves having sex to a minor, told deputies that they are custodians at Walt Disney World Hollywood Studios.
An intelligence analyst who illegally obtained classified US government documents on drone warfare and leaked them to a journalist has been sentenced to prison.
Daniel Everette Hale met the reporter in April 2013 while attending an event in a bookstore in Washington DC.
In 2014, while working as a cleared defense contractor at the National Geospatial-Intelligence Agency (NGA), Hale printed six classified documents, all of which were later published by a news outlet.
Hale later printed 36 documents from his Top Secret-clearance computer, including 23 documents unrelated to his work at the NGA, and gave 17 of them to the journalist to publish. Among the 17 were 11 documents marked as Secret or Top Secret.
In 2019, 33-year-old Nashville resident Hale was indicted on five charges relating to the data leak. The news outlet was not identified by prosecutors, but the leaked files described in court records appear to match documents published by the Intercept.
The leaked information exposed the civilian costs of the US military's drone program, which was ramped up to new heights under President Barack Obama. During his presidency, Obama authorized 542 drone strikes that killed an estimated 3,797 people, including 324 civilians.
Hale pleaded guilty on March 31 to retention and transmission of national defense information. He admitted to communicating with the reporter via phone, text message, email and encrypted messaging platform Jabber, and to meeting with the reporter in person on multiple occasions.
Hale served as an enlisted airman in the US Air Force from 2009 to 2013 before receiving language and intelligence training and being assigned to work at the National Security Agency and deployed to Afghanistan as an intelligence analyst.
At his sentencing on July 27, Hale said it “was necessary to dispel the lie that drone warfare keeps us safe, that our lives are worth more than theirs.”
The Reporters Committee for Freedom of the Press said: "Using the Espionage Act in this way to prosecute journalists’ sources as spies chills newsgathering and discourages sources from coming forward with information in the public interest."
A data breach at the University of Kentucky has exposed the personal information of hundreds of thousands of students and staff.
An annual cybersecurity inspection uncovered the breach, which was caused by a vulnerability in a server associated with the university's College of Education database.
News source WDRB reported that more than 355,000 email addresses were exposed in the security incident, with victims located across the world.
"The database is part of a free resource program known as the Digital Driver’s License for training and test-taking used by K-12 schools and colleges in Kentucky and other states," said the University of Kentucky's chief information officer, Brian Nichols, in a statement.
The academic institution said that the names and email addresses included in the database were not limited to students and teachers based in Kentucky. The university revealed that the database also included personal information belonging to students and teachers "in all 50 states and 22 foreign countries."
The university stated: "The database did not contain financial, health or Social Security information, limiting the potential of identity theft of any kind."
University officials said that they have notified the school districts impacted by the data breach and informed the appropriate legal and regulatory authorities.
The university said that it has invested $13m in cybersecurity over the past five years. To prevent a similar incident from occurring, the University of Kentucky's Information Technology Services will be investing an additional $1.5m to fund cybersecurity measures.
Among the measures announced by the university are the addition of multi-factor authentication for all critical systems, including email and VPN, and the creation of a new enterprise chief information security officer (CISO) position.
The university said it will also be "implementing next-generation firewalls at the edge of UK’s systems to mitigate potential security events" and taking steps to ensure that critical severity vulnerabilities affecting internet-facing mission-critical systems are patched rapidly.
A further security measure that will be rolled out is the automated deprovisioning of accounts belonging to students and employees who have left the university.
The first of the three new child safety features Apple has announced is a communication safety feature in the Messages app: a warning will pop up when a child who is in an iCloud Family receives or attempts to send sexually explicit photos.
Any such images received by a child will be blurred and accompanied by a message stating that the photo “may be sensitive.” If the child then taps “view photo,” a further pop-up explains that if they choose to view the image, their iCloud Family parent will receive a notification “to make sure you’re OK.” The pop-up also contains a link to additional help. A similar flow applies to sexually explicit photos a child tries to send.
An on-device machine learning system will analyze the image attachments to determine if a photo is sexually explicit. Apple also confirmed that iMessage remains end-to-end encrypted and that it will not have access to any of the messages.
The opt-in feature will be rolled out “later this year to accounts set up as families in iCloud for iOS 15, iPadOS 15, and macOS Monterey,” starting in the US.
The next measure enables Apple to detect child sexual abuse material (CSAM) stored in iCloud photos before reporting them to the National Center for Missing and Exploited Children (NCMEC). New technology in iOS and iPadOS will be used, enabling on-device matching utilizing a database of known CSAM image hashes provided by the NCMEC. This database is then transformed into an unreadable set of hashes securely stored on users’ devices.
Apple explained that the matching process is powered by a cryptographic technology called private set intersection, which determines whether there is a match without revealing the result to the device; the outcome is encoded in a cryptographic “safety voucher” that is uploaded to iCloud Photos alongside the image. A second technology, threshold secret sharing, protects user privacy by ensuring that the contents of the safety vouchers cannot be interpreted by Apple unless an iCloud Photos account crosses a threshold of known CSAM matches.
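To make the threshold mechanism concrete, here is an added example written for this article (not Apple's code) of Shamir threshold secret sharing, the standard construction behind "threshold secret sharing", together with a toy voucher: a per-account key is split into shares, one share travels with each voucher, and the voucher payload is sealed under that key. With fewer than the threshold number of shares the interpolated key is simply a wrong field element, so nothing opens; with the threshold or more, the key and hence the payloads are recovered. The prime field, threshold, key and voucher format are assumptions made for the demo, and it omits Apple's extra steps (shares are only usable for matching images, and the share itself is wrapped).

```python
"""Shamir threshold secret sharing plus a toy 'safety voucher', as an
illustration of the threshold step described above.  Example written for
this article, not Apple's code: the prime field, threshold, account key and
voucher format are arbitrary choices for the demo."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # Mersenne prime; all share arithmetic is in GF(P)


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, n_shares, rng=None):
    """n_shares points (x, f(x)) on a random polynomial of degree
    threshold-1 whose constant term f(0) is the secret."""
    if not 1 <= threshold <= n_shares or not 0 <= secret < P:
        raise ValueError("bad parameters")
    rng = rng or secrets.SystemRandom()
    # Non-zero coefficients so every degree up to threshold-1 is present.
    coeffs = [secret] + [rng.randrange(1, P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0.  With at least `threshold` distinct
    shares this is the secret; with fewer it is an unrelated field element,
    which is exactly why sub-threshold shares leak nothing."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def _keystream(key, n):
    # Keys are < 2**127, so they always fit in 16 bytes.
    out = b""
    for ctr in range(0, n, 32):
        out += hashlib.sha256(key.to_bytes(16, "big") + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key, plaintext):
    """Toy authenticated encryption (SHA-256 keystream + HMAC tag), so that
    'cannot be interpreted without the key' is checkable.  Demo only; real
    systems use a proper AEAD."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key.to_bytes(16, "big"), ct, "sha256").digest()


def unseal(key, blob):
    """Plaintext if the tag verifies under `key`, otherwise None."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key.to_bytes(16, "big"), ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def make_vouchers(account_key, payloads, threshold):
    """One voucher per image: the payload sealed under the account key plus
    one share of that key.  Simplified: the real scheme emits a usable share
    only for images that matched, and wraps the share itself."""
    shares = split_secret(account_key, threshold, len(payloads))
    return [{"share": s, "sealed": seal(account_key, p)}
            for s, p in zip(shares, payloads)]


def server_open(vouchers):
    """All a server holding some vouchers can do: interpolate a key from the
    shares it has and try to open the payloads.  Below the threshold the key
    is wrong, every tag check fails and nothing is learned."""
    key = recover_secret([v["share"] for v in vouchers])
    return [unseal(key, v["sealed"]) for v in vouchers]
```

Calling `server_open` on two of five vouchers made with a threshold of three returns `[None, None]`; on any three or more it returns the payloads. The gate is arithmetic, not a count check on the server, which is the property the "cannot be interpreted" claim rests on.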
Apple stated: “This innovative new technology allows Apple to provide valuable and actionable information to NCMEC and law enforcement regarding the proliferation of known CSAM.”
The third new feature announced is the creation of additional resources in Siri and Search that offer advice to children and parents on staying safe online. Additionally, Apple will be updating Siri and Search to intervene when users perform searches for queries related to CSAM. “These interventions will explain to users that interest in this topic is harmful and problematic, and provide resources from partners to get help with this issue.”
This update will be rolled out later this year “in an update to iOS 15, iPadOS 15, watchOS 8, and macOS Monterey.”
Privacy campaigners have expressed concerns over the use of machine learning in these new features. Chris Hauk, consumer privacy champion at Pixel Privacy, commented: "While I am all for clamping down on child abuse and child pornography, I do have privacy concerns about the use of the technology. A machine learning system such as this could crank out false positives, leading to unwarranted issues for innocent citizens. Such technology could be abused if placed in government hands, leading to its use to detect images containing other types of content, such as photos taken at demonstrations and other types of gatherings. This could lead to the government clamping down on users' freedom of expression and used to suppress 'unapproved' opinions and activism."
Millions of senior citizens in North America have had their personal information compromised following a breach at senior care review website SeniorAdvisor, according to WizCase.
The researchers, led by Ata Hakcil, discovered a misconfigured Amazon S3 bucket owned by SeniorAdvisor, a company that displays consumer ratings and reviews for senior care services across the US and Canada.
The misconfigured bucket exposed the personal data of more than three million people, stored as “leads”: names, email addresses, phone numbers and the dates they were contacted. In total it held more than one million files and 182GB of data, none of it encrypted and none of it requiring a password or login credentials to access.
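What "did not require a password or login credentials" means in S3 terms is a bucket policy or ACL that grants read access to the anonymous principal. The following is an added example for this article, not code from WizCase or SeniorAdvisor, of checking exported bucket settings offline for that condition: it takes a bucket policy, an ACL and the bucket's Public Access Block settings as Python dicts (the shapes the AWS API returns) and reports whether anonymous object reads are possible. The bucket name, account ID and both policies are constructed; the evaluator is deliberately simplified (it ignores Deny statements and the NotPrincipal/NotAction forms), so treat a clean result as a first pass rather than proof.

```python
"""Offline check for the kind of misconfiguration behind this leak: an S3
bucket whose policy or ACL lets anonymous principals read objects.  Example
code for this article, not WizCase's or SeniorAdvisor's; the bucket name,
account ID and policies below are constructed for the demo."""
import fnmatch

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_anonymous(principal):
    """'*' or {"AWS": "*"} means anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _grants_object_read(actions):
    """IAM action names are case-insensitive and may carry wildcards."""
    return any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in _as_list(actions))


def public_read_statements(policy):
    """Allow statements that let anyone read objects, split into 'public'
    (unconditional) and 'review' (conditioned, e.g. on aws:SourceVpc, which
    may or may not narrow the audience).  Returns (public_sids, review_sids)."""
    public, review = [], []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        if not _grants_object_read(st.get("Action", [])):
            continue
        (review if st.get("Condition") else public).append(st.get("Sid", f"#{i}"))
    return public, review


def acl_is_public(acl):
    """A grant to the AllUsers group is the ACL form of the same mistake."""
    return any(g.get("Grantee", {}).get("URI") == ALL_USERS for g in acl.get("Grants", []))


def bucket_is_public(policy, acl, public_access_block=None):
    """Combine the controls the way S3 does: RestrictPublicBuckets neutralises
    a public bucket policy, IgnorePublicAcls neutralises a public ACL."""
    pab = public_access_block or {}
    policy_public = bool(public_read_statements(policy)[0]) and not pab.get("RestrictPublicBuckets")
    acl_public = acl_is_public(acl) and not pab.get("IgnorePublicAcls")
    return policy_public or acl_public


# Constructed sample inputs (hypothetical bucket name and account ID).
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-leads-bucket/*",
    }],
}
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-leads-bucket/*",
    }],
}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                           "Permission": "FULL_CONTROL"}]}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
```

The leaky policy beside the fixed one shows the actual change needed: replace the wildcard principal with the specific role that serves the site, and turn on the account-wide Public Access Block so a future mistake of the same kind is neutralised even if a policy is pushed with `"Principal": "*"` again.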
WizCase believes the files are from 2002-2013 based on the contact dates, although the files were timestamped in 2017.
Additionally, the team found around 2,000 “scrubbed” reviews in the same bucket, in which the reviewer's sensitive information had been wiped or redacted. However, each scrubbed review still carried a lead ID, and because the reviews and the lead data sat in the same exposed store, a malicious actor could use that ID to trace a review back to the person who wrote it.
WizCase added that it reached out to SeniorAdvisor about its findings, and the company confirmed the exposed bucket had been secured. Nevertheless, anyone who copied the data while it was exposed could use it to launch scams and phishing attempts, which is especially worrying here given that senior citizens are at higher risk of online fraud than the rest of the population.
“The greatest danger of this breach stems from the specific group of people left vulnerable. SeniorAdvisor is targeted toward senior citizens in or near retirement. In a 2018-2019 report, the FTC noted that people who filed a fraud complaint in the ages of 60-69 lost $600 per scam on average. The amount rose as the age group was older, culminating in $1700 on average per scam for people in the ages of 80-89,” outlined WizCase.
Alejandro Mayorkas, Secretary of the U.S. Department of Homeland Security (DHS), sees the future of cyberspace as being a contest of ideals, between openness and authoritarianism.
Mayorkas delivered his remarks in a keynote at the Black Hat US 2021 hybrid event on August 5. He noted that in recent years the cybersecurity landscape has shifted, with news headlines about data breaches; ransomware attacks disrupting hospitals, schools, food suppliers and pipelines; as well as interference in elections. The events of the last few years, according to Mayorkas, have served to reinforce the importance of cybersecurity, how it is governed and why there is a need for a free and secure cyberspace.
"Although we're no longer fighting for control of land, we are competing for territory that we cannot see," Mayorkas said. "We are competing for the future of cyberspace."
The Competing Visions for the Internet
In Mayorkas' view, in the world today there are two competing visions for the future of the internet.
One vision comes from countries like Russia, China and Iran, which want to limit access and maximize control. The other comes from the United States and its allies, who want to build and protect a free, open and secure internet.
"We must ultimately confront some critical questions like who will build, control and operate the underlying infrastructure of the internet, extending from undersea cables to data centers," Mayorkas said. "How will we protect both privacy and security, online and offline, and how can we better protect ourselves against continuously growing and quickly evolving cyber-threats."
The Role of DHS
In the battle for the future of the internet, Mayorkas emphasized that his agency plays a critical role.
"Every day, the Department of Homeland Security tackles these issues, which are not limited to the great game that exists between democratic and authoritarian governments, as they also include the relationship between government and private- sector entities," Mayorkas said.
Mayorkas explained that the US Secret Service, which is part of DHS, is not only responsible for protecting the president but is also actively fighting ransomware along with a range of other cyber-enabled crimes. The Transportation Security Administration (TSA) is best known for airport security, but it also holds regulatory authority over pipelines; that authority was essential after the Colonial Pipeline ransomware attack, enabling the government to take urgent and critical measures. Additionally, he noted that the US Coast Guard, which saves thousands of lives at sea every year, also protects the maritime transportation system against cyber-threats.
The Cybersecurity and Infrastructure Security Agency (CISA), which is now led by Jen Easterly, who delivered the morning keynote at Black Hat, is also part of DHS.
"DHS is a fundamentally a department of partnerships," Mayorkas said. "We're really hard at work, and we have no illusions about the road ahead. There's nothing simple about the cybersecurity challenges we face, and we need your help to get this right."
Mayorkas, much like Easterly, made a pitch for the Black Hat audience to join the government either directly or via partnership to help improve the current status.
"We need you to help us navigate a path that has not yet been mapped," Mayorkas stated emphatically. "What's at stake here is nothing less than the future of the internet, the future of our economy and national security, and the future of our country."
Databases are among the most critical applications for any organization, making them potentially lucrative targets for attackers.
At the Black Hat US 2021 hybrid event on August 5, a team of researchers detailed a new type of attack against databases that could potentially lead to information disclosure and loss. The attack goes by the name DBREACH, which is an acronym for Database Reconnaissance and Exfiltration via Adaptive Compression Heuristics.
Mathew Hogan explained that modern databases often compress data to reduce storage costs and then encrypt it. Pairing the two can be risky, because it exposes the data to a class of vulnerabilities known as compression side-channel attacks.
“With DBREACH, an attacker is able to recover other users’ encrypted content by utilizing a compression side channel," Hogan said. "We believe this is the first compression side-channel attack on a real-world database system."
Over the course of an exhaustive 121-slide presentation, Hogan and his colleagues provided excruciating detail on how a DBREACH attack can work. At its core, DBREACH makes use of some of the same techniques as the CRIME (Compression Ratio Info-leak Made Easy) attack on Transport Layer Security (TLS) that was first disclosed in 2012.
As part of the research, the researchers looked specifically at the MariaDB open source database running with the InnoDB storage engine. Hogan noted that while that was the research team's initial target, the same techniques will likely work on other databases that employ compression and encryption side by side.
According to Hogan, in order for DBREACH to work, an attacker needs the ability to insert and update into a database table, as well as be able to assess the size of a compressed table.
"We believe that this threat model is realistic and achievable," Hogan said. "The update capability can be achieved through a front-end web interface that's backed up by a database table, which is something that's really common in a lot of databases."
Mitigating DBREACH Risk
There are a number of different ways that database users can mitigate the risk for DBREACH.
For one, Hogan suggests that database administrators not use column-level permissions. Additionally, he recommended that organizations monitor database usage patterns for unusual activity. That unusual activity would be similar to Denial of Service (DoS) detection, looking for a single user that is performing an unusually high number of updates.
"The only foolproof method for preventing this attack is to turn off compression," Hogan said.
Hogan added that there is likely to be a performance hit for turning off compression and storage will become more expensive. However, he noted that if the data is very sensitive it might be worth it.
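The threat model above (insert or update rows, then observe the compressed size) is enough to leak a secret one byte at a time, and the mitigation Hogan calls foolproof, turning compression off, works because it removes that oracle. The following is an added simulation written for this article, not the DBREACH researchers' tooling: a toy LZ77 compressor stands in for the database's page compression so that the size difference between a right and a wrong guess is exact, and the table rows, the `sess=` column prefix and the secret value are constructed. Real DEFLATE output adds Huffman coding and byte rounding, which is why the real attack needs heuristics on top of the basic idea shown here.

```python
"""Compression side channel of the CRIME/DBREACH kind, simulated offline.
A toy LZ77 compressor stands in for the database's page compression so the
leak is exact and byte-by-byte.  Example code for this article, not the
DBREACH researchers' tooling; the rows, the 'sess=' prefix and the secret
value are constructed for the demo."""
MIN_MATCH = 3


def lz77_cost(data: bytes, window: int = 4096) -> int:
    """Greedy LZ77 parse returning the token count (each literal or
    back-reference counts 1).  Only the relative size matters to an attacker."""
    i, tokens, n = 0, 0, len(data)
    while i < n:
        best = 0
        for j in range(max(0, i - window), i):
            k = 0
            while i + k < n and data[j + k] == data[i + k]:
                k += 1
            best = max(best, k)
        i += best if best >= MIN_MATCH else 1
        tokens += 1
    return tokens


class CompressedPage:
    """One compressed-then-encrypted table page: the victim's rows together
    with a row the attacker may insert or update.  Encryption hides the bytes
    but not the size, which is all the attacker gets to read."""

    def __init__(self, victim_rows, compress=True):
        self.rows = list(victim_rows)
        self.attacker_row = b""
        self.compress = compress

    def update_attacker_row(self, value: bytes):
        self.attacker_row = value

    def size(self) -> int:
        page = b"\n".join(self.rows + [self.attacker_row])
        return lz77_cost(page) if self.compress else len(page)


def recover_by_size(page, prefix: bytes, alphabet: bytes, max_len: int = 64) -> bytes:
    """Byte-at-a-time recovery: the candidate that makes the page smallest is
    the one that extends the back-reference into the victim's row.  A tie
    means no candidate extends it: the secret has ended, or there is no oracle."""
    known = b""
    for _ in range(max_len):
        sizes = {}
        for c in alphabet:
            page.update_attacker_row(prefix + known + bytes([c]))
            sizes[c] = page.size()
        best = min(sizes.values())
        winners = [c for c, s in sizes.items() if s == best]
        if len(winners) != 1:
            break
        known += bytes(winners)
    return known


# Constructed table contents: the attacker knows the column layout and the
# 'sess=' prefix, but not the victim's value.
VICTIM_ROWS = [
    b"user=bob;role=viewer",
    b"user=carol;role=editor",
    b"user=alice;role=admin;sess=7f3a9c1e",
]
HEX = b"0123456789abcdef"


def demo(compress: bool = True) -> bytes:
    """Run the attack against the constructed page; returns the recovered value."""
    return recover_by_size(CompressedPage(VICTIM_ROWS, compress), b"sess=", HEX)


if __name__ == "__main__":
    print("with compression:", demo(True))
    print("compression off: ", demo(False))
```

With compression on, `demo(True)` recovers the full session value from nothing but size readings; with it off, every guess costs the same and the loop stops at once with an empty result. The mitigation is visible as the disappearance of the size difference, not as any change to what the attacker is allowed to insert, which is why the update-pattern monitoring Hogan also suggests is a detection, not a fix.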
"We believe that this really drives home the point that compression and encryption should be combined very carefully, lest you or your system fall victim to compression side-channel attack," Hogan said.
Passwords are often a weak point in security, which is why approaches like Windows Hello that offer passwordless authentication are becoming increasingly popular.
While the promise of Windows Hello is a more secure experience than regular passwords, its facial recognition turned out to be bypassable. Speaking at the Black Hat US 2021 hybrid event on August 5, Omer Tsarfati, security researcher at CyberArk, outlined a detailed attack chain by which he was able to bypass Windows Hello.
Tsarfati explained that the challenges of regular passwords are well known. They can often be weak and easily guessable, can fall victim to phishing attacks, and many users will reuse the same password on multiple sites. The basic idea behind passwordless is that there is the use of some alternate form of authentication technology to log on to a system without the need for a password.
Passwordless approaches can make use of biometrics, such as fingerprint scanning or facial recognition. Windows Hello made its debut in Windows 10 and provides Microsoft's implementation of a passwordless model. With Windows Hello, users can make use of facial recognition to get access to a system, among other methods.
Any Image Will Work for Windows Hello
Tsarfati decided that in order to explore how to bypass Windows Hello's facial recognition, he was going to need a standalone camera.
To that end, he got an NXP evaluation board, which can provide camera functionality to a Windows system over USB. The goal for Tsarfati was to have the USB device mimic what a real Windows system camera would provide to Windows Hello, in order to learn what the system is actually processing as it makes a decision to grant access.
During his research, Tsarfati discovered that Windows Hello requires cameras to have an infrared (IR) sensor. The camera needs to be able to transmit both a color picture as well as IR frames in order for Windows Hello to make an authentication decision.
"Windows Hello doesn't really pay attention to anything that you're sending in the color frames," Tsarfati said. "It's only relying on the infrared, I sent frames of SpongeBob and it worked."
SpongeBob SquarePants is a popular American cartoon character. As it turns out, Windows Hello just requires one color image, and it doesn't matter what that image is.
In order to bypass Windows Hello, an attacker would just need a custom USB device that impersonates a camera. That USB device would then need to be able to transmit an IR image, which could potentially be captured from a victim. Tsarfati did not provide much detail on how a potential attacker would go about actually collecting an IR image from a victim, though he did demonstrate with his own IR image how the Windows Hello bypass does in fact work.
Tsarfati and CyberArk responsibly disclosed the issue to Microsoft in March of this year, and the flaw was formally identified as CVE-2021-34466, which Microsoft patched in July.
Jen Easterly has only been on the job as director of the United States’ Cybersecurity and Infrastructure Security Agency (CISA) for a few weeks, but she's looking to make a quick impact.
In a keynote at the Black Hat US 2021 hybrid event on August 5, Easterly outlined the goals of CISA and announced a series of new initiatives designed to help enable closer coordination and partnership between the US government and the private sector. The big news was the announcement of the Joint Cyber Defense Collaborative (JCDC) with an initial group of partners that includes CrowdStrike, Palo Alto Networks, FireEye, Microsoft, Google, Amazon Web Services, AT&T, Verizon, and Lumen.
Easterly explained that the JCDC has two initial focus areas, with an effort to combat ransomware and an effort to develop a planning framework to respond to cyber-incidents on cloud providers. The need to bring government and the private sector together is highlighted by the scale of the problem.
"There's a cyber-attack roughly every 40 seconds, and as we all know, ransomware has become a scourge affecting all Americans across society, with attacks against schools, hospitals, municipalities, pipelines, meat packing and all manner of software," Easterly said. "We cannot allow avoidable cyber-disruptions to cost human lives."
CISA's Mission is Clear
CISA's mission statement is pretty simple, according to Easterly.
"We lead the national effort to understand, manage and mitigate risk to our cyber and physical infrastructure," she said. "It's easy to say, but very hard to operationalize the significant consequences for failure."
The vision for CISA is to enable secure and resilient infrastructure for the American people. She emphasized that the only way CISA can achieve its mission is in partnership with others.
"We can't do this alone, because over 80% of critical infrastructure is in private hands, so it has to be an effort where we come together and collectively leverage our imagination, and collaboration, to help secure our cyber ecosystem," Easterly said.
Why Partner with CISA
Perhaps the primary reason why Easterly was at Black Hat was to encourage those in the security industry and private industry to partner with CISA.
So why should any organization choose to work with CISA? Easterly said the first good reason is context.
"We can provide context to what you're seeing on your network," Easterly said. "Given where we are placed, our relationships with the intelligence community, the law enforcement community, industry and the federal government, we capture a holistic view of the threat landscape that we can provide to you to enable your understanding."
Easterly also emphasized that by sharing information and partnering with CISA, early warnings about potential threats can be rapidly disseminated. Additionally, via partnership and efforts like the JCDC, she said, groups can come together to share cyber best practices to defend against the most significant cyber-threats to the nation. For Easterly, it's not about the commonly heard concept of enabling a public–private partnership either.
"My goal is to really help breathe new life into these arguably hackneyed terms and turn the public–private partnership into public–private operational collaboration and information sharing, that is timely and relevant and most importantly, actionable," she said.
In a session at the Black Hat US 2021 hybrid event, researchers from security firm Armis outlined a series of vulnerabilities dubbed PwnedPiper that impact pneumatic tube delivery systems used by hospitals around the world.
Pneumatic tube (PT) systems are a technology invented over 200 years ago, according to Ben Seri, VP of research at Armis, and use air pressure to move physical items. While the technology is old, it has been brought into the modern era and is commonly used in hospitals to deliver specimens and even medicines between locations on a campus.
Among the vendors that develop pneumatic tube systems for hospitals is Swisslog, which has advanced the technology to connect to the internet and modern networks, and that's where the trouble starts. Seri said that his company's research team discovered no fewer than nine different vulnerabilities in Swisslog's TransLogic Pneumatic Tube System. He noted that the TransLogic system is installed in over 2,300 hospitals in North America and over 3,000 worldwide.
Among the different types of vulnerabilities that Armis discovered were hardcoded passwords, privilege escalation flaws, stack overflows, and a non-secure firmware upgrade mechanism. Adding further insult to injury, Seri noted that all the vulnerabilities could have been triggered via unauthenticated network packets, without any user interaction. While the pneumatic tube network itself is an analog technology, Seri noted that the Swisslog system brings in digital management over internet protocol with a central server. That central server is a Windows device that is often connected to the public internet.
The potential impact of the flaws that the Armis team discovered could be quite dire. An attacker might have been able to take over a pneumatic tube system station and then launch a denial of service attack that would cripple the operations of the hospital. A successful attack could also potentially lead to the leak of personally identifiable information, and Seri noted that the vulnerabilities could even be used to stage a ransomware attack.
Will it Run Doom?
As part of the session, Seri and his colleague Barak Hadad, researcher at Armis, showed a demonstration of how the vulnerabilities could be exploited.
"Will it run Doom?" Seri asked. "The short answer is it will."
Doom is a first-person shooter game, and it's not something that should have been able to be installed on the Swisslog system, and yet the Armis researchers were able to do so.
"It's very important to develop robust security mitigations, to safeguard these types of systems," Seri said.
Seri noted that Armis reported all the vulnerabilities to Swisslog and patches are now available that hospitals should implement.
The United States government is teaming up with leaders in technology, cybersecurity and communications to protect the nation's critical infrastructure from cyber-attacks.
Under a new Department of Homeland Security (DHS) initiative named the Joint Cyber Defense Collaborative (JCDC), key players in the tech field will weigh in to defend against cyber-threats such as ransomware.
News of the JCDC was first reported earlier today by The Wall Street Journal. The publication said that the collaboration was launched to "improve defense planning and information sharing."
Companies known to have flocked to the Department's banner include tech leviathans Amazon, Google, and Microsoft, and cyber-warriors CrowdStrike, FireEye, and Palo Alto Networks.
Communications companies AT&T, Lumen Technologies, and Verizon have also answered the Department's figurative call to arms.
Director of the DHS’s Cybersecurity and Infrastructure Security Agency, Jen Easterly, said getting everyone around the table now would make the US better prepared to handle future cyber-offensives.
She said that the creation of the JCDC "will uniquely bring people together in peacetime, so that we can plan for how we’re going to respond in wartime."
The formation of the initiative follows in the digital footsteps of several widely reported cyber-attacks on critical infrastructure in the US in recent months, most notably the ransomware strikes impacting Colonial Pipeline and JBS.
Attacks on critical infrastructure in the US are nothing new, however, with perhaps the earliest incident being the hacking of Marconi's wireless telegraph presentation with Morse code in 1903.
Describing what lessons can be learned from the JBS and Colonial Pipeline incidents, Eric Haseltine, chairman of the board at US Technology Leadership Council, said: "The number one lesson is that there is no such thing as 100% security."
He added: "That's a really important insight from what happened because it should completely change the philosophical point of view on cybersecurity from trying to keep everything out, to assuming that you have been penetrated and proceeding accordingly."
Michael Brown, rear admiral, USN (Retired), and founder and president of Spinnaker Security, said one way to defend critical infrastructure was to make it an unappealing target to attackers.
He said: "Make it costly; make it more expensive either in time or resources for the bad guys to attack you."
A rap artist from Australia has publicly urged his cyber-stalker to "do something constructive with your life."
Alasdair Murray, who performs under the moniker Illy, was subjected to "malicious abuse" every day for a period of nearly two years by the unnamed cyber-stalker.
Melbourne native Murray said the relentless perpetrator created more than 50 different accounts on social media and used them to harass the rapper, his family, his current and former romantic partners, and his friends. The cyber-stalker even targeted 34-year-old Illy's record label.
Illy said that the cyber-stalker would publish lies about the artist online, then use their many social media accounts to make it appear as though multiple people were interacting and giving credence to what had been written.
The hip-hop star's ordeal was revealed in a social media post uploaded by Illy on August 4. In it, he describes the abuse he received as "constant" and "way beyond standard trolling."
Illy stated that his abuser didn't limit their actions to the virtual world, but also made false noise complaints about him to the police.
Receiving malicious direct messages and being subjected to various different forms of abuse on a daily basis for almost two years took its toll on the rapper.
"Having spent a big chunk of my life somewhat in the public eye, I’m usually pretty thick skinned, and accept that copping abuse comes with the territory. But for nearly 2 years I’ve copped constant, sustained, malicious abuse from an individual, way beyond standard trolling," wrote Illy.
He added: "Not responding, especially when it was hurting those closest to me, has been difficult. It started affecting my day to day mentality, and that of those around me.
"Dealing with the damage to self-worth, purpose, and career Covid caused, combined with seeing myself and ppl [sic] I care about subjected to this poison, has been a lot."
Illy said that he will not be pressing charges against his cyber-stalker, who was identified and subsequently visited by authorities.
The rapper said he chose to speak out about the experience "so anyone dealing with similar sh*t knows they don't have to."
The United States Federal Trade Commission is warning Americans to be wary of text messages purporting to be from their state workforce agency (SWA).
A red flag is being waved by the FTC following the discovery of an SMS-based phishing campaign targeting recipients of unemployment insurance benefits.
"Identity thieves are targeting millions of people nationwide with scam phishing texts aimed at stealing personal information, unemployment benefits, or both," said Seena Gressin, attorney at the division of consumer and business education at the FTC.
Several malicious texts are being sent out as part of the campaign. One informs the recipient that they need to "make necessary corrections" to their unemployment insurance (UI) claim. Another tells the target that they need to verify their personal information.
Cyber-criminals are also disseminating a phishing text message designed to trick the recipient into thinking that they need to reactivate their UI benefits account.
A targeted user who clicks on the link in one of these messages will be taken to a fake website impersonating their state workforce agency, which Gressin said "may look very real." Instructions on the site ask the user to enter a slew of personal details, including their login credentials and Social Security number.
"Fraudsters can use the information to file fraudulent UI benefits claims or for other identity theft," warned Gressin.
The FTC published the details of seven different phishing texts currently doing the rounds. One reads "RI-DLT Labor: This is to notify you that your Rhode Island insurance claim account is currently on hold for verification. Please complete your verification by following the instruction link below to activate your account."
Two of the messages share an identical preamble: "We are making some exciting changes to improve your UI and PUA Benefit security features."
Gressin urged anyone who receives a text like this to report it via the website ReportFraud.ftc.gov or to the National Center for Disaster Fraud.
"Know that state agencies do not send text messages asking for personal information," said Gressin.
"If you get an unsolicited text or email message that looks like it’s from an SWA, don’t reply or click any link."