Subject: Wyze Security Cameras Contained Vulnerabilities That Weren’t Fully Fixed for Three Years
Source: Consumer Reports
Cybersecurity firm Bitdefender published a report (PDF) this week detailing three security vulnerabilities it found in Wyze security cameras, leading to a flurry of criticism around both the cybersecurity firm and the manufacturer. While Wyze finished patching the vulnerabilities in January 2022, both Bitdefender and Wyze have been criticized for their handling of the findings, as Bitdefender initially alerted Wyze to the vulnerabilities three years ago in March 2019. Besides making security software, Bitdefender has a research arm that tests products for vulnerabilities.
The first vulnerability allows hackers to bypass the account login process and access users’ cameras. The second allows hackers to run their own software code on exposed cameras. And the third allows hackers to access saved footage on cameras that use an SD card (Wyze also offers cloud video storage).
According to Wyze’s public statement on the findings, all of the vulnerabilities would require hackers to have access to the home’s WiFi network.
“… We strongly suggest that our customers no longer use EOL products as security and other critical updates are no longer provided, and we continue to urge Wyze Cam V1 owners to discontinue the use of these products.”
Subject: Blockchain can power up government processes, GAO says
“Blockchain is useful for some applications but limited or even problematic for others,” according to GAO’s technology assessment on blockchain. “For example, because of its tamper resistance, it may be useful for applications involving many participants who do not necessarily trust each other. But it may be overly complex for a few trusted users, where traditional spreadsheets and databases may be more helpful. Blockchain may also present security and privacy challenges and can be energy-intensive.” Areas with potential include voting, organizational structure and ID management. In fact, some states have said that using a blockchain-based voting system would enhance remote-voting security and election auditability. West Virginia was the first to experiment with it in 2018. Last year, a bill was introduced in Alaska proposing to adopt the technology in its voting security system….
One in four employees lost their job after making a mistake that compromised their company’s security, according to new research from email security company Tessian. The second edition of the report provides an updated look at the factors causing employees to make security mistakes at work, and the growing severity of consequences that follow them.
The report found that more people are falling for advanced and sophisticated attacks. In 2022, 52% of employees fell for phishing emails that impersonated a senior executive at the company — up from 41% in 2020 — and one-third were tricked by an SMS phishing (smishing) message. These data points validate some findings released in the annual FBI IC3 report last week, which found that phishing and Business Email Compromise scams are growing in sophistication and are far more pervasive than any other online threat.
To counter these mistakes, business and IT leaders must forgo the expectation that employees will make the right decision 100% of the time.
[report is 24 pages …] https://www.tessian.com/resources/psychology-of-human-error-2022/
In an adversarial AI attack, an attacker manipulates or deceives an AI system by controlling the data it sees. Most AI programs learn, adapt and evolve from the data they are trained on and the inputs they process, which leaves them vulnerable: anyone who can influence that data can teach an algorithm malicious behavior or steer it toward wrong results. Cybercriminals and other threat actors can exploit this weakness for malicious purposes.
Although most adversarial attacks so far have been performed by researchers in labs, they are a growing concern. A successful adversarial attack on an AI or machine learning algorithm exposes a deep crack in the system’s design. Such vulnerabilities can stunt AI adoption and become a significant security risk for people relying on AI-integrated systems. To fully utilize the potential of AI systems and algorithms, it is therefore crucial to understand and mitigate adversarial AI attacks.
Whatever the target, the goal of an adversarial attack is the same: manipulating an AI algorithm or ML model into producing the results the attacker wants. Such attacks typically take one of two forms:
- Poisoning: the attacker injects inaccurate or mislabeled data into the model’s training set, so the trained model learns to make erroneous predictions
- Contaminating (commonly called evasion): the attacker feeds maliciously crafted inputs to an already trained model to deceive it into producing malicious actions or predictions.
In 2018, an Office of the Director of National Security report highlighted several adversarial machine learning threats. Among the threats listed in the report, one of the most pressing concerns was the potential for these attacks to compromise computer vision algorithms.
Considering these examples and the research behind them, the impact of adversarial AI attacks on the cyber threat landscape is easy to see…
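The two attack forms above, poisoning at training time and evasion at inference time, are easier to reason about on a model small enough to compute by hand. The example below is added here as an illustration and is not code from the original article or from any of the systems it mentions. It uses a toy nearest-centroid classifier over constructed 2-D feature vectors (label 0 = benign, label 1 = malicious), which stands in for any model that learns a decision boundary from data; the function names, the data points and the 0.05 step size are all assumptions of this example.

```python
import math

# Constructed toy training set: 2-D feature vectors with labels 0 (benign) and 1 (malicious).
CLEAN_TRAIN = [
    ((0.0, 0.0), 0), ((1.0, 0.0), 0), ((0.0, 1.0), 0), ((1.0, 1.0), 0),
    ((4.0, 4.0), 1), ((5.0, 4.0), 1), ((4.0, 5.0), 1), ((5.0, 5.0), 1),
]

# Constructed poison batch: attacker submits malicious-looking points labelled "benign",
# e.g. through a "mark as not spam" feedback loop that is fed back into training.
POISON = [((8.0, 8.0), 0)] * 4


def centroid(points):
    """Component-wise mean of a list of 2-D points."""
    n = len(points)
    return tuple(sum(p[i] for p in points) / n for i in range(2))


def train(samples):
    """Nearest-centroid classifier: one mean vector per class label."""
    return {label: centroid([x for x, y in samples if y == label]) for label in (0, 1)}


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def predict(model, x):
    """Return the label whose centroid is closest to x (ties resolve to label 0)."""
    return min(model, key=lambda label: dist(x, model[label]))


def evasion_attack(model, x, step=0.05, max_steps=200):
    """Inference-time (evasion) attack against a trained model.

    Nudges a malicious input x along the straight line from the malicious
    centroid toward the benign centroid, in increments of `step`, until the
    classifier's verdict flips. Returns (adversarial_point, l2_perturbation),
    or None if the verdict never flips within max_steps.
    """
    benign, malicious = model[0], model[1]
    d = (benign[0] - malicious[0], benign[1] - malicious[1])
    norm = math.hypot(*d)
    unit = (d[0] / norm, d[1] / norm)
    for k in range(1, max_steps + 1):
        eps = k * step
        x_adv = (x[0] + eps * unit[0], x[1] + eps * unit[1])
        if predict(model, x_adv) == 0:
            return x_adv, eps
    return None


def poisoning_attack(clean_samples, poison_samples):
    """Training-time (poisoning) attack: retrain on the clean set plus the
    attacker-controlled samples and return the corrupted model."""
    return train(list(clean_samples) + list(poison_samples))


def flag_contradicting_labels(model, new_samples):
    """Ingestion check a practitioner can put in front of retraining: hold back
    any new sample whose submitted label disagrees with the current model's
    prediction, so it is reviewed instead of silently moving the centroids."""
    return [(x, y) for x, y in new_samples if predict(model, x) != y]


if __name__ == "__main__":
    clean = train(CLEAN_TRAIN)
    probe = (4.0, 4.0)
    print("clean model verdict on probe:", predict(clean, probe))          # 1
    x_adv, eps = evasion_attack(clean, probe)
    print("evasion: moved by L2 =", round(eps, 2), "-> verdict", predict(clean, x_adv))
    poisoned = poisoning_attack(CLEAN_TRAIN, POISON)
    print("poisoned model verdict on same probe:", predict(poisoned, probe))  # 0
    print("poison rows held back by the ingestion check:",
          len(flag_contradicting_labels(clean, POISON)))                    # 4
```

Evasion leaves the model untouched and perturbs one input just far enough to cross the boundary (here about 2.15 units along the line between the centroids); poisoning leaves the input untouched and moves the boundary by corrupting the training set. The ingestion check catches this particular poison batch only because the current model already disagrees with the submitted labels; a patient attacker who poisons in small increments will not trip it, which is why label feedback should be sampled for review rather than trusted outright.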
The State Department’s new cybersecurity bureau formally launched on Monday in an effort to make digital rights issues an intrinsic part of US foreign policy at a time when Russia and China are increasingly trying to put their own authoritarian stamp on the internet.
An unknown threat actor has targeted the email marketing company in a sophisticated scheme to phish owners of hardware cryptocurrency wallets. MailChimp, the well-known email marketing company, has been hacked. Cybercriminals infiltrated the company’s systems at some point last month, stealing information on over 100 users. The criminals then repurposed the stolen data to phish users of the popular Trezor hardware crypto wallet.
The attack, which MailChimp staff became aware of on March 26, involved an unknown threat actor getting its hands on internal tools used by the company’s customer support staff for account administration. When reached for comment by Gizmodo, a MailChimp representative provided a statement from Siobhan Smyth, Mailchimp’s chief information security officer, further explaining the breach.
“The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised,” said Smyth. The hacker or hackers then used its access to the company to get its hands on subscriber data. “Based on our investigation, we believe that about 300 Mailchimp accounts were viewed and audience data was exported from 102 of those accounts,” Smyth said.
“As a result of the security incident, we’ve received reports of the malicious actor using the information they obtained from user accounts to send phishing campaigns to their contacts,” he said. The attack appears to have been designed to nab information on people in the crypto and finance industries, Smyth added.
Subject: Security equipment rebates aim to boost community safety
To promote safety through increased visibility, Chicago Mayor Lori E. Lightfoot, police officials and community leaders announced a rebate program that will reimburse residents and business owners for some of the costs for surveillance cameras and other security equipment.
The rebate program is open to anyone who lives or operates a business in the city and is part of a wider announcement of city-led initiatives designed to increase visibility in Chicago’s neighborhoods. Lightfoot noted a disparity in security technologies between the city’s more affluent neighborhoods and the communities “with a long history of violent crime,” the Chicago Sun-Times reported.
To be eligible for rebates, residents and business owners must register their cameras with the Chicago Police Department. The city states that the police will not have direct access to camera systems and will need to contact camera owners to request footage. Furthermore, community members are at no point required to provide footage to the department.
Source: The Conversation US
The invasion took place just weeks before the national cybersecurity competition was to be held for students from the program’s 14 participating universities. I believe that the training that the faculty and students received in protecting critical infrastructure helped reduce the impact of Russian cyberattacks. The most obvious sign of this resilience is the success Ukraine has had in keeping its internet on despite Russian bombs, sabotage and cyberattacks.
National cyber defense starts with governments and organizations evaluating risks and increasing their capacity to meet the latest cybersecurity threats. After President Biden’s warning, Neuberger recommended that organizations take five steps: adopt multifactor authentication, keep software patches up to date, back up data, run drills and cooperate with government cybersecurity agencies.
Small and large organizations in the U.S. concerned about cyberattacks should seek a strong relationship with the wide range of federal agencies responsible for cybersecurity. Recent regulations require firms to disclose information on cyberattacks against their networks. But organizations should turn to cybersecurity authorities before experiencing a cyberattack.
U.S. government agencies offer best practices for training staff, including the use of tabletop and simulated attack exercises. As Ukrainians have learned, tomorrow’s cyberattacks can only be countered by preparing today.
Combining real Social Security numbers with mismatched or phony names to create new synthetic identities allowed swindlers to bilk the federal government out of nearly $1 million from the Paycheck Protection Program.
They combined real Social Security numbers with mismatched or phony names to create new identities, according to investigators. Prosecutors began the investigation in 2018 and charged them with 108 counts of illegal financial activity, mostly borrowing huge amounts of money they never intended to pay back, according to investigators.
The scheme was so fruitful that in May 2020, according to prosecutors, Arena apparently did it again.
Synthetic identity fraud schemes have proliferated in the past few years, becoming the largest form of identity theft in the nation, according to the financial company FiVerity, which in a report last year put the losses at an estimated $20 billion in 2020. About five years ago, the Federal Reserve estimated the losses at $6 billion.
With tax filing season in full swing, the IRS is warning taxpayers to look out for documents pertaining to unemployment benefits they never received. Those documents may indicate someone else filed for unemployment insurance using their information.
In addition, he said, consumers who have had their Social Security numbers stolen can be affected, even years later, when they apply for credit. Most of the synthetic identity schemes steal Social Security numbers from people who aren’t using credit, such as children, recent immigrants or lower-income older adults who may not have credit cards.
Source: How QR codes work and what makes them dangerous – a computer scientist explains
Among the many changes brought about by the pandemic is the widespread use of QR codes, graphical representations of digital data that can be printed and later scanned by a smartphone or other device. QR codes have a wide range of uses that help people avoid contact with objects and close interactions with other people, including sharing restaurant menus, email list sign-ups, car and home sales information, and checking in and out of medical and professional appointments.
QR codes are a close cousin of the bar codes on product packaging that cashiers scan with optical scanners to let the checkout computer know what products are being purchased.
Bar codes store information along one axis, horizontally. QR codes store information in both vertical and horizontal axes, which allows them to hold significantly more data. That extra amount of data is what makes QR codes so versatile.
The three-hour outage prevented more than 95,000 clinician users from accessing and updating patient medical data. The electronic health record system used to manage patient data for the Defense Department, Coast Guard and a few Veterans Affairs Department medical centers went offline nationwide for almost three hours Wednesday, preventing clinicians from updating and, for a time, accessing medical records.
Three Oracle databases underpinning those systems went down shortly after 5 p.m. ET, preventing access to all electronic medical records at 66 DOD sites, 109 Coast Guard sites and 3 VA sites, a program official confirmed to Nextgov.
“Affected clinicians were unable to log into EHRM applications or retrieve EHRM data to legacy applications,” according to an IT ticket detailing the issue obtained by Nextgov.
All told, more than 95,000 users were affected by the outage. The EHRM program official said there was no evidence that any patients were harmed due to the outage.
The official also noted that while the main EHR was down, the system failed over to a backup “read-only” system, through which clinicians could review patient data but could not update that information.
Google has added a new privacy tool aimed at Chrome users called the Privacy Guide. According to Google, the guide is “a step-by-step guided tour of some existing privacy and security controls in Chrome” that lets Chrome users adjust all their important settings from a centralized location.
Adding a few hand-holding precautions is a move reminiscent of Apple’s decision to reconfigure their privacy settings a few years ago: Google’s working to help the average user gain a better understanding of how to remain secure and keep their data private in the modern age.