Hello <<First Name>>, and welcome to this issue of the Science of Security and Privacy - Reviews & Outreach (R&O)! Its purpose is to highlight some of the exciting research, news, and events that impact our technical community. All presented materials are available on or through the Virtual Organization portal.
IN THIS ISSUE:
Summer Internship at NSA in Science of Security

The National Security Agency is currently taking applications for internships in summer 2020 for its Summer Program in Science of Security. Applications are being accepted until October 15, 2019. The National Security Agency (NSA) Science of Security (SoS) & Privacy Lablets Summer Internship Program is for undergraduate and graduate students currently enrolled at U.S. universities and colleges. The program provides an opportunity for exceptional science, technology, engineering, and math (STEM) students to work directly with NSA SoS Champions on mission-critical hard problems and to experience the excitement of the NSA research community first-hand.
 
SoS Musings - Ransomware Nightmare
 

Ransomware attacks remain a significant threat to government agencies, financial institutions, schools, businesses, and individuals, calling for continued research and advances in the prevention of such attacks. Ransomware is a type of malware that encrypts files and demands the payment of a ransom in order to decrypt them. Ransomware is often delivered through actions initiated by users, such as clicking on malicious email attachments and URLs, as well as through malvertising and drive-by downloads. The McAfee Labs Threats Report for August 2019 highlighted a 118% increase in ransomware attacks in the first quarter of 2019. In addition, security researchers have observed cybercriminals using more powerful malware and adopting new attack techniques when launching ransomware attacks. According to Malwarebytes' quarterly report, titled Cybercrime Tactics and Techniques: Ransomware Retrospect, detections of ransomware targeting businesses rose 365% from Q2 2018 to Q2 2019, while ransomware attacks targeting individual consumers declined; it is suspected that cybercriminals are seeking greater profit by going after higher-value targets. More than 50% of Malwarebytes' ransomware detections were attacks against machines located in the U.S. Organizations and security professionals are encouraged to continue their efforts to fight ransomware attacks.

In developing techniques to prevent ransomware attacks, it is important for security professionals to examine past and current ransomware attacks. Six ransomware strains have made the biggest impact within the last five years: TeslaCrypt, SimpleLocker, WannaCry, NotPetya, SamSam, and Ryuk. From 2015 to 2016, TeslaCrypt ransomware largely targeted the gaming community: it encrypted ancillary files such as saved games and user profiles associated with 40 popular video games, including Call of Duty and World of Warcraft, as well as PDF documents, photos, iTunes files, and Word documents. A $500 Bitcoin ransom payment was demanded of TeslaCrypt victims in order to decrypt these files, and if payment was delayed, the ransom increased to $1,000. In 2014, SimpleLocker emerged as the first Android-based ransomware, encrypting SD card files, including images, documents, and videos, and demanding the payment of 260 Ukrainian Hryvnia (worth $21) in order to decrypt these files. WannaCry ransomware arrived in 2017, rapidly infecting thousands of computers in more than 100 countries and impacting the operations of over 100,000 businesses. Following closely behind WannaCry was NotPetya ransomware, which was initially reported as a variant of Petya, a strain of ransomware that emerged in early 2016 and demanded that victims pay to recover their files. NotPetya was discovered to be purely destructive in that it kept computers' master boot records and master file tables encrypted even after the demanded ransom was paid. Multinational companies, including Danish business conglomerate Maersk, pharmaceutical company Merck, FedEx's European subsidiary TNT Express, food producer Mondelez, and more, were impacted by NotPetya.
Since 2016, SamSam ransomware and its variants have been targeting organizations with a very low tolerance for downtime, such as those in the public-facing civil sector or the healthcare sector. These types of organizations are attractive targets for the hackers behind SamSam because they rely on real-time data and networked systems; the longer it takes to pay the ransom for the decryption of such data and systems, the more damage can occur. Ryuk is another strain of ransomware that has been active since August 2018, impacting more than 100 U.S. businesses, most of which have been logistics companies, technology firms, and small municipalities. The FBI recently issued a flash alert stating that Ryuk is capable of deleting files related to its intrusion, stealing credentials, establishing persistence in the registry, and more. The newest Ryuk ransomware instructs victims to contact the attackers via one of several email addresses to find out how much the ransom is and which Bitcoin wallet must be used to pay it. The trends in ransomware strains and incidents must be further explored.

Recent incidents indicate a rise in ransomware attacks on municipalities, educational institutions, and healthcare organizations. A ransomware attack on Johannesburg's electric utility, City Power, left some of the city's residents without power and impacted residents' ability to purchase electricity, upload invoices, and access the electricity provider's website. Baltimore City suffered a ransomware attack that disrupted city government emails, the processing of calls at the city's 311 call center, 911 services, and more. Over 20 municipalities in Texas have recently been hit with ransomware, affecting computer systems, city businesses, and financial operations. Other municipalities that have fallen victim to ransomware attacks include Key Biscayne, Lake City, and Riviera Beach. Louisiana Governor John Bel Edwards declared a state of emergency in response to ransomware attacks on three Louisiana public school districts - Sabine, Morehouse, and City of Monroe - which resulted in the loss of data stored on servers, the disabling of some technology systems, and the takedown of office phone systems. Grays Harbor Community Hospital in Aberdeen, Washington, just faced a ransomware attack in which attackers encrypted the health data of more than 85,000 patients and made its release contingent on the payment of a ransom. Although much of this data was recovered, parts of the electronic medical record are still encrypted and inaccessible to the hospital and Holston Medical Group. Such incidents call for the development of solutions.

As ransomware remains a major threat...  more ► 
Cyber Scene - Cybersecurity's Changing Face

US Attorney General (AG) William Barr presents his view of cybersecurity as the largest game changer in his nearly 30-year bookend tenures as AG (Bush 41 and Trump) at a Fordham University conference sponsored by the NY FBI Field Office. He poignantly notes that in the "vast and expanding digital infrastructure" that we depend on, we are challenged by "...making our virtual world more secure...but not at the expense of making us more vulnerable in the real world." One particular example is encryption to defend against cyber attacks while still retaining the ability to lawfully respond to criminal activity. He boils it down to balancing a citizen's and the general public's interests, as intended by the Fourth Amendment. He lays forth Supreme Court case history, the issue of "going dark," and suggestions from the UK's GCHQ for mitigating encryption challenges as well as examples of other nations which are moving on to establish statutory frameworks to better create a balanced way forward.

Another lead attorney, NSA General Counsel (GC) Glenn Gerstell in his 10 September NYT op-ed, underscores concern about technology "upending our entire national security infrastructure." He writes of the US Intelligence Community in its entirety and expands to include partners such as the Five Eyes community (US, UK, Australia, Canada and New Zealand) and other like-minded countries as warfare morphs increasingly into digitized expressions. The GC had earlier served on the president's National Infrastructure Advisory Council, where infrastructure includes digital bridges derived from the imperative to embrace the future and plan for a "whole of government" + partners solution.

Moving from the (attorney) general to the specific--Army General, NSA Director and Cyber Command Commander Paul Nakasone--NYT intelligence experts David Sanger and Julian E. Barnes look on 23 September at the context of possible cyber attacks against Iran. The Pentagon has held for several years that a cyberattack may be viewed as an act of war. The possibility of spiraling retaliations, digital and tactile, could ensue. General Nakasone has reportedly informed the White House that a "cyberscenario is no magic bullet" for deterring Iranian aggression. As noted above by GC Gerstell, such a scenario would not only engage the whole of government but would have broad-reaching international implications.

For those curious as to how inching into a cyberwar without a magic bullet, or perhaps without a clear end state and the means to get there, could play out in an era of denial of service (hospitals, electricity, water supply), captured ships (recent history), or boots on the ground, aural learners might appreciate Episode 84 of the "Dead Prussian Podcast" military strategy series, the Prussian being the revered military strategist Carl von Clausewitz. In this broadcast, aired on 20 September, the host discusses a recently published book on "The Day After" the cessation of combat. The author, Lieutenant Colonel Brendan R. Gallagher, a serving US Army battalion commander ("Princeton Ranger" on Twitter), analyzes the last 20 years of US military engagement in terms of success or failure. This is viewed through the existence or absence of clearly articulated goals paired with a strategy, working backwards, to get there. An inconsistent tension underlies these wars: choosing "enduring democracy" or "bring the troops home now," but not both. He argues that the decision to go to war should be reached only after this strategy is determined, the means to execute it to the desired end state are identified with obstacles mitigated, and the whole is teed up by the National Security Council apparatus for whole-of-government engagement. This approach may be applied to cyberwarfare as well as 21st Century sea/land/air combat.

Cybermetrics, Anyone?

Former DHS Deputy Assistant Secretary for Policy and Senior Chertoff Group Advisor Paul Rosenzweig writes in Lawfare that cybersecurity is similar to (well, you know...): "we know it when we see it" but struggle to define or measure it. This impacts our ability to judiciously make "tradeoffs, cost-benefit assessments, and (address) issues of practicality and scalability." He opines that measuring cybersecurity is foundational for policy, law, and business decision-making. He notes that "trust us" is no longer a rational response, particularly in the current environment of "tech-lash." Granted, there have certainly been improvements, but how much, how fast, and how effective are they? Some are considered "secret sauce" and not openly disclosed, so transparency and accountability are left wanting. Or is the "quest for good cybersecurity metrics a phantasm?" The answers to cost, value, and benefit remain unknown if this exceedingly elusive quest for metrics stays unresolved. Science and art seem to be inextricably linked for those seeking a solution.

Up Hill Toward Intelligent Decisions

In the wake of Director Mueller's headline-monopolizing Congressional testimony in late July, a reflection of extremely encouraging bipartisan unity also occurred at that time: the move forward in Congress of the Intelligence Authorization Act for FY 2018, 2019, and 2020. This provides a means of resolving some of the challenges noted by AG Barr, GC Gerstell, and lawyer Rosenzweig above. The HPSCI approved the bill and moved it forward. The House added a few amendments and "overwhelmingly passed" it in a bipartisan show of strength: 397-31 (92% yea, 7% nay, 1% not voting).

The SSCI had approved it unanimously on 14 May but recommended a full Senate vote, where it also drew strong votes. For cyber practitioners reading this Cyber Scene, the act not only specifically calls out Russian cyber threats relating to election interference and creates a task force within the ODNI to protect the US tech supply chain, but also, notably, provides for "...enhancing career path flexibility and benefits for cybersecurity experts working within the Intelligence Community."

Distrust and Verify

In the US

With attempts to measure, balance, and fund future cyber developments as noted above, interaction between the tech giants and the Hill continues to accelerate. This includes discussion about regulation. The US Department of Justice (DOJ) decided to open an antitrust review regarding tech giant competition and market power, which ups the game. On the one hand, the 10 August Economist posits that the big tech firms are solidly ensconced. The article notes that not only are these firms exceedingly successful, they also pour vast bullish proceeds into innovation and advertising for their customers. These customers, however, are more concerned than in the past about big tech's negative impact on society. DOJ is not alone. Kevin Roose, in the 12 August NYT, criticizes the tech leadership for swapping hoodies for flag pins to woo Congress by "conspicuous patriotism." This approach from tech leadership may not yet be successful: on 9 Sep the NYT published charts on "16 Ways that Facebook, Google, Apple and Amazon are in Government Cross Hairs." The leading, detailed offenses across the board, broken down by tech company and the particular agency or committee in the mix, were privacy and antitrust infractions.

Foreign Relations Trick or Treat: Cybersecurity Month and Leif Erikson Day

In the shadow of this year's DHS designated Cybersecurity Month, NYT Adam Satariano reports from Copenhagen on 3 September that Big Tech is so powerful and so global as to merit collective superpower status there. He notes that in 2017, Denmark acknowledged that such a superpower required diplomatic treatment and named a career diplomat, Casper Klynge, as Ambassador to the Tech Industry. His war experience involves Kosovo and Afghanistan (two of the wars discussed in the above-cited podcast) and also harkens to the classic Clausewitzian definition of war as "the continuation of politics by other means." A case could be made relying on the diplomatic tool of statecraft to avert cyberwarfare or tech-bashing. The future may offer the readership an opportunity to weigh whether diplomacy or Congressional regulation is more effective. On a lighter note, there have been unconfirmed rumors that this Viking nation, whose early explorer discovered the new world, may be considering a "Make Denmark Great Again" agenda by repossessing New England. (N.B. This is unrelated to the self-designated "Great Dane," the prescient and late Victor Borge.) Minnesota may also be in the mix. The Danes appear to be disinclined to sell Greenland. The 9 October traditional US presidential proclamation on Leif Erikson Day, should it occur this year, may shed some light on the future of US-Danish partnership.

Near and Far

As facial recognition improves by leaps and bounds, its applications and countermeasures do so as well. The Economist 15 August "Face off" scans across San Francisco, CA, through the UK and Hong Kong tech developers and academics who are moving full-frame ahead, so to speak, in perfecting AI-based techniques and expanding face-recognition applications. Some US cities disallow their use as an affront to privacy. Protesters in Hong Kong have hidden their faces or pointed hand-held lasers at cameras. Although face recognition is broadly used in UK surveillance, some members of parliament have called for a ban on police use. How good is it? The US National Institute of Standards and Technology (NIST) says that as of 2018, face-recognition technology was over 99% accurate. The article goes on to analyze academic research across the globe, summing up that there are still loopholes. Sunglasses, anyone?

For those who deem these countermeasures insufficient...  more ► 

Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers. Select the topic name to view its description and links to the publications.
 
HARD PROBLEMS TOPICS

Control Theory and Security 2018
Covert Channels 2018
Cross Layer Security 2018
Cryptology 2018
Cyber Dependencies 2018
Decomposition 2018
Deep Packet Inspection
Deep Video 2018
 more ►
Summer 2019 Lablet Quarterly Meeting Focuses on Cyber-Physical Systems

The Summer 2019 Science of Security and Privacy (SoS) Quarterly Lablet meeting was held at the University of Kansas (KU) in Lawrence, Kansas on 9-10 July 2019. This quarterly meeting focused on Cyber-Physical Systems.
In the News
List of selected articles from recent SoS-VO postings with links to the entries on SoS-VO site.

"Why 72% of People Still Recycle Passwords"
"Hackers Used Password Spraying to Breach Citrix, Investigation Confirms"
"Robinhood Admits to Storing Some Passwords in Cleartext"
"Researchers Reveal That Anonymized Data Is Easy To Reverse Engineer"
"Mobile Banking Malware Surges in 2019"
"NSA Launches New Unit to Tackle Foreign Threat"
"Damaging Insider Threats Rise to New Highs in the past Year"
"U.S. Warns of 5G Wireless Network Security Risks"
"Security Firm Releases Flawed Blockchain into the Wild to Help Educate Hackers"
"As Ransomware Rages, Debate Heats up on Response"
"Capital One Breach: Info on 106 Million Customers Compromised, Hacker Arrested"
"Researchers Hack Surveillance Systems to Show Fake Video Feed"
"U.S. Issues Hacking Security Alert for Small Planes"
"Google Researchers Disclose Vulnerabilities for 'Interactionless' iOS Attacks"
"New to Autonomous Security"
"Tech Companies Not Doing Enough to Protect Users from Phishing Scams"
"Capital One Breach Also Hit Other Major Companies, Say Researchers"
"One Million Bank Phone Calls Found in Exposed Server"
"Teenage Hackers Are Offered a Second Chance Under European Experiment"
"How to Reduce the Risk Posed by Vulnerable Mobile Apps"
"Hacking Connected Cars to Gridlock Whole Cities"
"Cyberattacks Against Industrial Targets Have Doubled Over the Last 6 Months"
"New Dragonblood Vulnerabilities Found in Wi-Fi WPA3 Standard"
"New Tool Could Reduce Security Analysts' Workloads by Automating Data Triage"
"Connected Cars Could be a Threat to National Security, Group Claims"
"From State-Sponsored Attackers to Common Cybercriminals: Destructive Attacks on the Rise"
"New Windows Malware can Also Brute-Force WordPress Websites"
"A Model Hospital Where the Devices Get Hacked—on Purpose"
"New SWAPGS Side-Channel Attack Bypasses Spectre and Meltdown Defenses"
"U.S. Utility Firms Hit by State-Sponsored Spear-Phishing Attack"
"Researchers Show Vulnerabilities in Facial Recognition"
"Tablet for Kids Had Flaws That Exposed Info, Location"
"Yet Another Hacking Group Is Targeting Oil and Gas Companies"
"Attackers' Growing use of Anti-Analysis, Evasion Tactics Pose a Challenge to Enterprises"
"Security Researchers Find That DSLR Cameras Are Vulnerable to Ransomware Attack"
"More Than 2 Million AT&T Phones Illegally Unlocked by Bribed Insiders"
"Hacking One of the World's Most Secure Industrial Programmable Logic Controllers (PLC)"
"These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer"
"Hackers Can Turn Everyday Speakers Into Acoustic Cyberweapons"
"New Vulnerability Risk Model Promises More-Efficient Security"
"Biometrics of One Million People Discovered on Publicly Accessible Database"
"British Airways Check-In Flaw Exposes Personal Data"
"Link Between Personality Type and Vulnerabilities to Cybercrime"
"Attackers Could Be Listening to What You Type"
"Serious Flaws in Six Printer Brands Discovered, Fixed"
"New Vulnerability Found in Internet-Connected Building Automation Devices"
"Organizations Fail to Remediate App Security Vulnerabilities"
"Electric Car Charging Stations May Be Portals for Power Grid Cyberattacks"
"Data Breaches Increased 54% in 2019 so Far"
"New Tools to Minimize Risks in Shared, Augmented-Reality Environments"
"Cisco Releases New Security Tool to Identify Vulnerabilities in Connected Cars"
"Router Guest Networks Lack Adequate Security, According to Researchers at Ben-Gurion University"
"A Major Cyber Attack Could Be Just as Deadly as Nuclear Weapons"
"Over Half of Social Media Logins Are Fraudulent"
"Stolen Fingerprints Could Spell the End of Biometric Security"
"Smartphone Apps May Connect to Vulnerable Backend Cloud Servers"
"Hackers Could Steal a Tesla Model S by Cloning Its Key Fob—Again"
"App Allows Inspectors to Find Gas Pump Skimmers Faster"
"Websites Have Been Quietly Hacking iPhones for Years, Says Google"
"Fileless Attacks Designed to Disguise Malicious Activity up 265%"
"Integrating EMM & APP Vetting Solutions for Maximum Security"
"Keeping High-Performance Computers Cybersecure"
"Website Rates Security of Internet-Connected Devices"
"Security Hole Opens a Billion Android Users to Advanced SMS Phishing Attacks"
"The Pentagon Is Exploring New Ways to Isolate Its Networks"
"Is Personality the Missing Piece of Security Awareness Training?"
"Security Flaws in GPS Trackers Are Leaking Location of 600k Kids and Seniors"
"UW Colleges, Offices Share Three-Year NSF Grant to Make 'Internet of Things' More Secure"
"New Technique Makes Passwords 14M Percent Harder to Crack, Nonprofit Claims"
"How the United States Is Developing Post-Quantum Cryptography"
"Five Tips for Educating Your Employees on Cyber Security"
"Bots Might Prove Harder to Detect in 2020 Elections"
"Google Is Open-Sourcing a Tool for Data Scientists to Help Protect Private Information"
"More Than 99% of Cyberattacks Rely on Human Interaction"
"Aviation Security Is Taking Off—And Taking After Car Security"
"Attackers Are Targeting Internet-Connected Gas Stations: Researchers"
"Should Social Media Organizations Be Subject to Strict Privacy Regulation?"
"How Hackers Get Stuck In HADES"
"Researchers Invent Cryptocurrency Wallet That Eliminates 'Entire Classes' of Vulnerabilities"
"What to Expect From the NSA's New Cyber Directorate"

This is a sample of the news items that are on the SoS site; more ► are available.
Upcoming Events

2019 4th International Conference on Computing, Communications and Security (ICCCS)
Oct 10-12, Rome, Italy

EuroCACS/CSX Conference
Oct 16-18, Geneva, Switzerland

The 2019 ACM Internet Measurement Conference
Oct 21-23, Amsterdam, Netherlands

2019 Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS)
Oct 22-25, Granada, Spain

Information Security Forum's 30th Annual World Congress
Oct 26-29, Dublin, Ireland

10th Conference on Decision and Game Theory for Security
Oct 30 - Nov 1, Stockholm, Sweden

Resilience Week 2019 Symposium
Nov 4-7, San Antonio, TX

BSides Charleston
Nov 8-9, Charleston, SC

2019 IEEE International Conference on Industrial Internet (ICII)
Nov 11-12, Orlando, FL

2019 ACM Conference on Computer and Communications Security
Nov 11-15, London, UK

CLEAR Cyber Leaders Conference
Nov 12-13, Sioux Falls, SD

QuBit Conference
Nov 14, Sofia, Bulgaria

FS-ISAC Fall Summit
Nov 17-20, Washington, DC

Infosecurity ISACA North America Expo and Conference
Nov 20-21, New York City, NY

2019 12th CMI Conference on Cybersecurity and Privacy (CMI)
Nov 28-29, Copenhagen, Denmark

 more ► 
Produced by
Cyber Pack Ventures, Inc. 5850 Waterloo Road Suite 140 Columbia, MD 21045 USA

You are receiving this email because you are a member of the SoS-VO website, have participated in an SoS event, or have opted into the SoS mailing list. Want to change how you receive these emails? You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp