Best Cybersecurity Research Paper Revealed

Read Time:1 Minute, 50 Second

Best Cybersecurity Research Paper Revealed

The National Security Agency has announced the winning entry to its ninth annual Best Cybersecurity Research Paper Competition.

The winning paper was written by Yanyi Liu from Cornell University and Rafael Pass, professor of Computer Science at Cornell Tech. It expounded a theorem that relates the existence of one-way functions (OWFs) to a measurement of the complexity of a string of text. 

“OWFs are vital components of modern symmetric encryptions, digital signatures, authentic schemes and more,” said an NSA spokesperson. 

“Until now, it has been assumed that OWF functions exist even though research shows that they are both necessary and sufficient for much of the security provided by cryptography.”

Titled On One-way Functions and Kolmogorov Complexity, the winning paper was published at the 2020 IEEE (Institute of Electrical and Electronics Engineers) Symposium on Foundations of Computer Science. 

The chief of NSA’s Laboratory for Advanced Cybersecurity Research picked the winning entry in a decision informed by the opinions of 10 distinguished international cybersecurity experts who independently reviewed the top papers among 34 nominations.

“One-way functions are a key underpinning in many modern cryptography systems and were first proposed in 1976 by Whitfield Diffie and Martin Hellman,” said an NSA spokesperson.

“These functions can be efficiently computed but are difficult to reverse, as determining the input based on the output is computationally expensive.”

The NSA gave an honorable mention to another paper, Retrofitting Fine Grain Isolation in the Firefox Renderer, written by Shravan Narayan, Craig Disselhoen, Tal Garfinkel, Nathan Froyd, Sorin Lerner Hovav Shacham and Deian Stefan.

Originally published at the USENIX Security Conference 2020, this paper provides a security solution in the Firefox web browser. The paper also demonstrated that the technology could be applied to other situations.

“NSA congratulates the winners, and recently opened the nomination process for the 10th Annual Best Scientific Cybersecurity Paper Competition on January 15 2022,” said the NSA.

The agency said it will welcome nominations of papers published during 2021 in peer-reviewed journals, magazines, or technical conferences that show “an outstanding contribution to cybersecurity science.”

The nomination period for the 10th annual Best Cybersecurity Research Paper Competition closes on 15 April 2022.

Read More

EyeMed Fined $600k Over Data Breach

Read Time:1 Minute, 49 Second

EyeMed Fined $600k Over Data Breach

An Ohio-based healthcare provider has been fined $600k over a data breach that exposed the records of 2.1 million patients across America. 

Cyber-criminals targeted EyeMed Vision Care in June 2020. Attackers gained access to an EyeMed email account to which EyeMed clients sent sensitive consumer data relating to vision benefits enrollment and coverage.

During the week-long intrusion, threat actors were able to view emails and attachments dating back six years. Contained within those emails and attachments was sensitive information that included consumers’ names, addresses, Social Security numbers and insurance account numbers.

In July 2020, the attackers used the compromised EyeMed account to launch a phishing attack against EyeMed clients. Approximately 2,000 emails were sent asking clients for their EyeMed account login credentials.

The healthcare provider’s IT department became aware of the phishing campaign when they started receiving emails from concerned clients who the attackers had targeted. EyeMed subsequently secured the compromised email account and launched an investigation.

The Office of the Attorney General determined that the affected email account had not been secured with multi-factor authentication at the time of the attack, despite being accessible via a web browser.

It was further determined that EyeMed failed to adequately implement sufficient password management requirements for the enrollment email account and failed to maintain adequate logging of its email accounts.

On Monday, New York Attorney General Letitia James announced that EyeMed had agreed to pay the State of New York $600k to resolve the 2020 data breach.

“New Yorkers should have every assurance that their personal health information will remain private and protected,” said attorney general James. 

“EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals.” 

The data breach impacted 98,632 residents of New York. James said she wanted the agreement to signal New York’s continued commitment to holding companies accountable.

“My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information,” she added.

Read More

EyeMed Fined $600k Over Data Breach

Read Time:1 Minute, 49 Second

EyeMed Fined $600k Over Data Breach

An Ohio-based healthcare provider has been fined $600k over a data breach that exposed the records of 2.1 million patients across America. 

Cyber-criminals targeted EyeMed Vision Care in June 2020. Attackers gained access to an EyeMed email account to which EyeMed clients sent sensitive consumer data relating to vision benefits enrollment and coverage.

During the week-long intrusion, threat actors were able to view emails and attachments dating back six years. Contained within those emails and attachments was sensitive information that included consumers’ names, addresses, Social Security numbers and insurance account numbers.

In July 2020, the attackers used the compromised EyeMed account to launch a phishing attack against EyeMed clients. Approximately 2,000 emails were sent asking clients for their EyeMed account login credentials.

The healthcare provider’s IT department became aware of the phishing campaign when they started receiving emails from concerned clients who the attackers had targeted. EyeMed subsequently secured the compromised email account and launched an investigation.

The Office of the Attorney General determined that the affected email account had not been secured with multi-factor authentication at the time of the attack, despite being accessible via a web browser.

It was further determined that EyeMed failed to adequately implement sufficient password management requirements for the enrollment email account and failed to maintain adequate logging of its email accounts.

On Monday, New York Attorney General Letitia James announced that EyeMed had agreed to pay the State of New York $600k to resolve the 2020 data breach.

“New Yorkers should have every assurance that their personal health information will remain private and protected,” said attorney general James. 

“EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals.” 

The data breach impacted 98,632 residents of New York. James said she wanted the agreement to signal New York’s continued commitment to holding companies accountable.

“My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information,” she added.

Read More

#DataPrivacyWeek: Online Trackers Can Detect 80% of Users’ Browsing History

Read Time:1 Minute, 42 Second

#DataPrivacyWeek: Online Trackers Can Detect 80% of Users’ Browsing History

Online trackers can capture up to 80% of users’ browsing histories, with the practice far more pervasive than previously realized. This is according to Norton Labs’ quarterly Consumer Cyber Safety Pulse Report, which analyzed online advertising trackers from October to December 2021.

It showed that consumers are tracked by an average of 177 different organizations per week while browsing online, raising significant privacy concerns. The researchers noted that the top trackers can view 80% of an average user’s browsing history despite appearing on a smaller number of unique domains.

The study also found that half the tracking organizations encountered by a user in a typical week collect this information within the initial two-hour browsing period. This suggests that even if users clear their browsing history every day, it would only take an average of two hours to re-encounter half of all online trackers.

Darren Shou, head of technology at NortonLifeLock, commented: “While it’s common knowledge that web trackers follow us around the internet, our online privacy researchers were surprised to find that some online trackers know up to 80% of a user’s browsing history. We hope these findings shine a light on online tracking and empower consumers to take back their online privacy.”

The new report also revealed cybercrime and online fraud trends during 2021. The company said it blocked around 3.6 billion cyber-threats worldwide last year, equating to nearly 10 billion per day. This includes 53.9 million phishing attempts, 221 million files threats, 1.4 million mobile threats and 253,063 ransomware attacks.

Additionally, the researchers revealed how cyber-criminals continued to leverage the COVID-19 pandemic to launch scam attacks, as well as consumer interest in popular TV shows. This includes phishing scams disguised as merchandise offers linked to hit shows.

Last year, the UK’s Information Commissioner’s Office (ICO) called on G7 countries to work together to tackle cookie pop-ups and their impact on online users’ privacy.

Read More

#DataPrivacyWeek: Online Trackers Can Detect 80% of Users’ Browsing History

Read Time:1 Minute, 42 Second

#DataPrivacyWeek: Online Trackers Can Detect 80% of Users’ Browsing History

Online trackers can capture up to 80% of users’ browsing histories, with the practice far more pervasive than previously realized. This is according to Norton Labs’ quarterly Consumer Cyber Safety Pulse Report, which analyzed online advertising trackers from October to December 2021.

It showed that consumers are tracked by an average of 177 different organizations per week while browsing online, raising significant privacy concerns. The researchers noted that the top trackers can view 80% of an average user’s browsing history despite appearing on a smaller number of unique domains.

The study also found that half the tracking organizations encountered by a user in a typical week collect this information within the initial two-hour browsing period. This suggests that even if users clear their browsing history every day, it would only take an average of two hours to re-encounter half of all online trackers.

Darren Shou, head of technology at NortonLifeLock, commented: “While it’s common knowledge that web trackers follow us around the internet, our online privacy researchers were surprised to find that some online trackers know up to 80% of a user’s browsing history. We hope these findings shine a light on online tracking and empower consumers to take back their online privacy.”

The new report also revealed cybercrime and online fraud trends during 2021. The company said it blocked around 3.6 billion cyber-threats worldwide last year, equating to nearly 10 billion per day. This includes 53.9 million phishing attempts, 221 million files threats, 1.4 million mobile threats and 253,063 ransomware attacks.

Additionally, the researchers revealed how cyber-criminals continued to leverage the COVID-19 pandemic to launch scam attacks, as well as consumer interest in popular TV shows. This includes phishing scams disguised as merchandise offers linked to hit shows.

Last year, the UK’s Information Commissioner’s Office (ICO) called on G7 countries to work together to tackle cookie pop-ups and their impact on online users’ privacy.

Read More

New DeadBolt Ransomware Targets NAT Devices

Read Time:42 Second

There’s a new ransomware that targets NAT devices made by QNAP:

The attacks started today, January 25th, with QNAP devices suddenly finding their files encrypted and file names appended with a .deadbolt file extension.

Instead of creating ransom notes in each folder on the device, the QNAP device’s login page is hijacked to display a screen stating, “WARNING: Your files have been locked by DeadBolt”….

[…]

BleepingComputer is aware of at least fifteen victims of the new DeadBolt ransomware attack, with no specific region being targeted.

As with all ransomware attacks against QNAP devices, the DeadBolt attacks only affect devices accessible to the Internet.

As the threat actors claim the attack is conducted through a zero-day vulnerability, it is strongly advised that all QNAP users disconnect their devices from the Internet and place them behind a firewall.

Read More

New DeadBolt Ransomware Targets NAT Devices

Read Time:42 Second

There’s a new ransomware that targets NAT devices made by QNAP:

The attacks started today, January 25th, with QNAP devices suddenly finding their files encrypted and file names appended with a .deadbolt file extension.

Instead of creating ransom notes in each folder on the device, the QNAP device’s login page is hijacked to display a screen stating, “WARNING: Your files have been locked by DeadBolt”….

[…]

BleepingComputer is aware of at least fifteen victims of the new DeadBolt ransomware attack, with no specific region being targeted.

As with all ransomware attacks against QNAP devices, the DeadBolt attacks only affect devices accessible to the Internet.

As the threat actors claim the attack is conducted through a zero-day vulnerability, it is strongly advised that all QNAP users disconnect their devices from the Internet and place them behind a firewall.

Read More

Passwords are Like Toothbrushes – Not to Be Shared!!

Read Time:3 Minute, 59 Second

Sometimes, I feel that my brain is full! We are all bombarded with information on so many fronts and quite frankly, I often feel like I don’t have room for much more! A quick scroll on my socials and I’m inundated with news from friends (which I love) plus ads plus multiple news updates. I open my emails, and the same happens! So much information!! So little time! 

So, in the spirit of being brief and not overloading, I’m going to focus on one easy yet powerful way you can make a positive impact on your online safety – how you manage your password. Of course, I could add many more strategies to this list but let’s keep it simple – our brains are full!! 

Why Are Passwords So Important? 

Passwords are the key to everything we do online. Whether we are logging in to our emails, social media platforms, online banking, or favorite shopping websites – your password is your way in. And if you’re anything like me, you probably have multiple passwords. The last time I checked, I had over 100 different passwords stored in my True Key password manager! 

These small codes are so incredibly important because in short, they are the only thing stopping a hacker from accessing your online accounts. In many cases, they are your only defense strategy against a hacker taking over your accounts and creating havoc.  

Fortunately, there are several steps we can take to ensure we nail this password thing and minimize the risk of being hacked. Here are my top five: 

1. Don’t Share Your Passwords – no exceptions!! 

I have been saying to my kids for years: passwords are like toothbrushes – they are NOT to be shared! No exceptions. It doesn’t matter how much you love your best friend or girlfriend, your password is your password. When you are young and donning rose-colored glasses, you often don’t factor in that things can change. Relationships can sour and romance can die. If someone has access to your online accounts and they have hurt feelings then they have an opportunity to create chaos. And we’ve all read the stories… 

2. Use Different Passwords For Each Account 

Yes, I agree – this is a big pain! But it is probably one of the best ways of protecting yourself and here’s why. If you use the same password for each of your online accounts and your account is hacked then the hacker has access to all of your online accounts: your social media platforms, your banking, your entire life!  

3. Turn On 2 Factor Authentication Where Possible 

It will add another step to your login process but choosing 2-factor authentication (or multi-factor authentication) is another small yet powerful way to keep your password secure by adding another layer of protection to your passwords. In most cases, the additional factor is a code or a token sent to your mobile phone. Sometimes, a separate app can also be used to generate a code or token that will confirm it is really you trying to log in! 

4. Create Long and Complex Passwords 

Some experts believe length is more important than complexity but I say embrace both! If you can create a complex 16 character password that includes lower and upper case letters, numbers and symbols then you are doing very well! I am personally a fan of the crazy, nonsensical sentence. For example – GrassisRed&Blue7 – silly, nonsensical but memorable. I believe it’s all about making them hard to guess but easy to remember. And remember to NEVER use information in your passwords that other people might know about you or that is also included in your social media accounts eg your kids’ or pet’s names. 

5. Use A Password Manager 

I am sure my longevity has improved dramatically since using a password manager! Password managers, or vaults, are an absolute no-brainer. Not only do they store your passwords securely across your chosen devices, but they also help you create complex passwords that no human could even contemplate. I have it installed on both my laptop and my phone and it works seamlessly between both devices. It’s time to throw away your little black book of passwords, people! You’ll never look back once this whole password management process is automated. 

So, if you’re feeling a little overwhelmed at where to start with your digital safety this New Year then I implore you to make this one small change. Nailing your password strategy is without doubt one of the best ways of shoring up your online safety!  

Happy New Year!! 

Alex xx 

The post Passwords are Like Toothbrushes – Not to Be Shared!! appeared first on McAfee Blog.

Read More

Passwords are Like Toothbrushes – Not to Be Shared!!

Read Time:3 Minute, 59 Second

Sometimes, I feel that my brain is full! We are all bombarded with information on so many fronts and quite frankly, I often feel like I don’t have room for much more! A quick scroll on my socials and I’m inundated with news from friends (which I love) plus ads plus multiple news updates. I open my emails, and the same happens! So much information!! So little time! 

So, in the spirit of being brief and not overloading, I’m going to focus on one easy yet powerful way you can make a positive impact on your online safety – how you manage your password. Of course, I could add many more strategies to this list but let’s keep it simple – our brains are full!! 

Why Are Passwords So Important? 

Passwords are the key to everything we do online. Whether we are logging in to our emails, social media platforms, online banking, or favorite shopping websites – your password is your way in. And if you’re anything like me, you probably have multiple passwords. The last time I checked, I had over 100 different passwords stored in my True Key password manager! 

These small codes are so incredibly important because in short, they are the only thing stopping a hacker from accessing your online accounts. In many cases, they are your only defense strategy against a hacker taking over your accounts and creating havoc.  

Fortunately, there are several steps we can take to ensure we nail this password thing and minimize the risk of being hacked. Here are my top five: 

1. Don’t Share Your Passwords – no exceptions!! 

I have been saying to my kids for years: passwords are like toothbrushes – they are NOT to be shared! No exceptions. It doesn’t matter how much you love your best friend or girlfriend, your password is your password. When you are young and donning rose-colored glasses, you often don’t factor in that things can change. Relationships can sour and romance can die. If someone has access to your online accounts and they have hurt feelings then they have an opportunity to create chaos. And we’ve all read the stories… 

2. Use Different Passwords For Each Account 

Yes, I agree – this is a big pain! But it is probably one of the best ways of protecting yourself and here’s why. If you use the same password for each of your online accounts and your account is hacked then the hacker has access to all of your online accounts: your social media platforms, your banking, your entire life!  

3. Turn On 2 Factor Authentication Where Possible 

It will add another step to your login process but choosing 2-factor authentication (or multi-factor authentication) is another small yet powerful way to keep your password secure by adding another layer of protection to your passwords. In most cases, the additional factor is a code or a token sent to your mobile phone. Sometimes, a separate app can also be used to generate a code or token that will confirm it is really you trying to log in! 

4. Create Long and Complex Passwords 

Some experts believe length is more important than complexity but I say embrace both! If you can create a complex 16 character password that includes lower and upper case letters, numbers and symbols then you are doing very well! I am personally a fan of the crazy, nonsensical sentence. For example – GrassisRed&Blue7 – silly, nonsensical but memorable. I believe it’s all about making them hard to guess but easy to remember. And remember to NEVER use information in your passwords that other people might know about you or that is also included in your social media accounts eg your kids’ or pet’s names. 

5. Use A Password Manager 

I am sure my longevity has improved dramatically since using a password manager! Password managers, or vaults, are an absolute no-brainer. Not only do they store your passwords securely across your chosen devices, but they also help you create complex passwords that no human could even contemplate. I have it installed on both my laptop and my phone and it works seamlessly between both devices. It’s time to throw away your little black book of passwords, people! You’ll never look back once this whole password management process is automated. 

So, if you’re feeling a little overwhelmed at where to start with your digital safety this New Year then I implore you to make this one small change. Nailing your password strategy is without doubt one of the best ways of shoring up your online safety!  

Happy New Year!! 

Alex xx 

The post Passwords are Like Toothbrushes – Not to Be Shared!! appeared first on McAfee Blog.

Read More

Serious PwnKit flaw in default Linux installations requires urgent patching

Read Time:34 Second

Security researchers have found a privilege escalation vulnerability in pkexec, a tool that’s present by default on many Linux installations. The flaw, called PwnKit, could allow attackers to easily gain root privileges on systems if they have access to a regular user without administrative privileges.

Researchers from security firm Qualys who discovered and reported the vulnerability were able to confirm it is exploitable in default configurations on some of the most popular Linux distributions including Ubuntu, Debian, Fedora and CentOS. They believe others are likely impacted as well, since the vulnerable code has existed in pkexec since the tool’s first version, over 12 years ago.

To read this article in full, please click here

Read More