Telco giant AT&T will pay the FCC $13m to resolve a cloud breach investigation
CISA Issues Advice to Help Eliminate XSS Bugs
The US Cybersecurity and Infrastructure Security Agency is trying to eradicate cross-site scripting vulnerabilities
The AI Fix #16: GPT-4o1, AI time travelers, and where’s my driverless car?
In episode 16 of The AI Fix, Mark and Graham meet GPT-4o1 and ask if it knows how many cousins Alice’s sister has, a top cop wants AI injected into his colleagues “like heroin”, Mark finds an AI that might actually be able to help with that, and our hosts start a conspiracy theory about an AI that stops you believing in conspiracy theories.
Graham peers into his crystal ball and discovers Reddit’s bargain basement John Connor, and Mark is tired of waiting for the “tens of millions” of driverless cars we were promised.
All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.
US Looks to Align Security Across Government
CISA project will align cybersecurity policies across the Federal Civilian Executive Branch of US government
Remotely Exploding Pagers
Wow.
It seems they all exploded simultaneously, which means they were triggered.
Were they each tampered with physically, or did someone figure out how to trigger a thermal runaway remotely? Supply chain attack? Malicious code update, or natural vulnerability?
I have no idea, but I expect we will all learn over the next few days.
EDITED TO ADD: I’m reading nine killed and 2,800 injured. That’s a lot of collateral damage. (I haven’t seen a good number as to the number of pagers yet.)
ICO Acts Against Sky Betting and Gaming Over Cookies
Online gambling site Sky Betting and Gaming found to have “unlawfully” processed data through advertising cookies
Most Cyber Leaders Fear AI-Generated Code Will Increase Security Risks
83% of organizations use AI to generate code despite rising concerns from security leaders, found a Venafi survey
Singapore Launches Accelerator for International Cybersecurity Startups
The CyberBoost: Catalyse is supported by the Cyber Security Agency of Singapore, the National University of Singapore and UK-based innovation hub Plexal
Python Developers Targeted with Malware During Fake Job Interviews
Interesting social engineering attack: luring potential job applicants with fake recruiting pitches, trying to convince them to download malware. From a news article:
These particular attacks from North Korean state-funded hacking team Lazarus Group are new, but the overall malware campaign against the Python development community has been running since at least August of 2023, when a number of popular open source Python tools were maliciously duplicated with added malware. Now, though, there are also attacks involving “coding tests” that only exist to get the end user to install hidden malware on their system (cleverly hidden with Base64 encoding) that allows remote execution once present. The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS.
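As an added example (not part of the quoted article or of Schneier's post), here is a static check, using Python's ast module, for the pattern the article describes: a Base64-encoded blob that is decoded and handed to exec(), eval() or compile(), either inline or through one intermediate variable. The "coding test" file it scans is a constructed stand-in, not the real campaign's code; the decoder names and the 40-character Base64 heuristic are assumptions chosen for illustration.

```python
"""Flag Python source that feeds a Base64/32/85-decoded blob into exec()/eval()/compile().

Added example, not the malware campaign's own code. SAMPLE_TEST below is a
constructed stand-in for a 'coding test' file carrying a hidden payload."""
import ast
import base64
import re

# A long run of Base64 alphabet with no whitespace: typical of an embedded payload,
# atypical of ordinary string constants.
B64_LITERAL = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
DECODERS = {"b64decode", "b32decode", "b85decode", "a85decode", "b16decode"}
SINKS = {"exec", "eval", "compile"}


def _callee_name(call: ast.Call) -> str:
    """Dotted name of a call's callee, e.g. 'exec' or 'base64.b64decode'."""
    func = call.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _carries_encoded_payload(node: ast.AST) -> bool:
    """True if the subtree calls a base64-family decoder or holds a long Base64-looking literal."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call) and _callee_name(sub).split(".")[-1] in DECODERS:
            return True
        if isinstance(sub, ast.Constant) and isinstance(sub.value, (str, bytes)):
            text = sub.value if isinstance(sub.value, str) else sub.value.decode("ascii", "ignore")
            if B64_LITERAL.match(text):
                return True
    return False


def find_hidden_exec(source: str) -> list:
    """Return (line, sink) for each exec/eval/compile whose input comes from a decoded blob,
    either inline or via one assignment hop (x = b64decode(...); exec(x))."""
    tree = ast.parse(source)
    tainted = set()  # variables assigned from decoder output or a Base64-looking literal
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _carries_encoded_payload(node.value):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        sink = _callee_name(node).split(".")[-1]
        if sink not in SINKS:
            continue
        via_variable = any(isinstance(a, ast.Name) and a.id in tainted for a in node.args)
        if via_variable or _carries_encoded_payload(node):
            findings.append((node.lineno, sink))
    return findings


# Constructed sample: a plausible-looking coding test that runs a decoded payload at import time.
_PAYLOAD = base64.b64encode(b"print('attacker code would run here')").decode()
SAMPLE_TEST = f'''import base64

def fizzbuzz(n):
    return "FizzBuzz" if n % 15 == 0 else n

# "config loading" that actually executes decoded code
_cfg = base64.b64decode("{_PAYLOAD}")
exec(_cfg)
'''

# Constructed benign file: decodes Base64 but never executes it.
CLEAN_TEST = '''import base64
def fizzbuzz(n):
    return "FizzBuzz" if n % 15 == 0 else n
token = base64.b64decode("aGVsbG8=")
'''

if __name__ == "__main__":
    for label, src in (("sample_test.py", SAMPLE_TEST), ("clean.py", CLEAN_TEST)):
        for line, sink in find_hidden_exec(src):
            print(f"{label}:{line}: {sink}() of a decoded or encoded payload")
```

Run it over a recruiter's "take-home test" before executing anything in it; a hit on exec() or eval() of decoded data is a reason to stop, not to investigate inside the same machine. The one-hop taint tracking is deliberately simple: a payload split across several variables or rebuilt with string operations will slip past it, so treat a clean result as a lack of evidence, not a clean bill of health.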
Physical Security In The Age Of Digital: Access Control System Vulnerabilities
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Access control systems are the physical form of the layers of data, credential and identity controls that underpin the systems relied on every day. Yet they can be an afterthought; even high-profile breaches of physical security systems can take years to rectify. Security Week highlighted the vulnerabilities affecting Nice Linear, a widely used proprietary system in the world of smart homes, with more than 2,500 individual vulnerabilities flagged in 2019 alone.
What this shows is that, in an age of vigilance about digitally stored data and privacy, the interface between physical and digital security can be neglected. Access control system managers need to recognise this and take a proactive approach to security assurance. Starting at the most basic level, the physical devices themselves, is a smart route forward.
Quality physical credentials
At the external interface of any access control system is the physical credential that lets the user into the system. This seems simple in operation, but keeping physical credentials trustworthy continues to consume a great deal of security professionals' time. Take skimming, an everyday instance of physical devices being misused to access digital systems: according to the FBI, skimming costs more than $1 billion every year.
Consider the basics of physical access to a system: a device such as a wearable or RFID card. Banks update the quality of their cards regularly, and access control managers should do the same. Choosing the right base product for devices and cards, with effective security features from the outset, is what makes cloning impractical. The caveat a practitioner would add is that the card stock is not the point, the protocol is: legacy low-frequency (125 kHz) proximity cards simply broadcast a static number and can be copied with a cheap handheld cloner, and cards built on a broken cipher such as MIFARE Classic's Crypto-1 fare little better. A credential only resists cloning when the reader authenticates it with a challenge-response exchange under a per-card key, so that neither a sniffed card number nor a recorded exchange is enough to open the door.
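As an added example (not LevelBlue's or the author's code), the following Python simulation contrasts a credential that merely broadcasts its number with one that answers a fresh challenge under a per-card key, and shows what a sniff-and-replay attacker gets in each case. The UID, the site master key and the HMAC-SHA256 stand-in for the card's cipher are assumptions for illustration only; production cards such as DESFire use AES-based authentication and key diversification (NXP AN10922), but the shape of the exchange is the same.

```python
"""Simulated reader/credential exchanges: static-ID card vs challenge-response card.

Added example. Keys, UIDs and the HMAC-SHA256 stand-in for the card's cipher are
illustrative assumptions, not any vendor's real protocol."""
import hashlib
import hmac
import secrets

UID_LEN = 4  # assumed UID size for this example


def diversify_key(master_key: bytes, uid: bytes) -> bytes:
    """Per-card key derived from the site master key and the card UID.
    Extracting one card's key reveals nothing about the master or other cards."""
    return hmac.new(master_key, b"card-key-v1" + uid, hashlib.sha256).digest()


class StaticIdCard:
    """Legacy prox-style credential: emits the same number every time, challenge ignored."""
    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, _challenge) -> bytes:
        return self.uid


class ChallengeResponseCard:
    """Credential holding a per-card secret; proves it by MACing the reader's nonce."""
    def __init__(self, uid: bytes, card_key: bytes):
        self.uid, self.key = uid, card_key

    def respond(self, challenge: bytes) -> bytes:
        tag = hmac.new(self.key, challenge + self.uid, hashlib.sha256).digest()
        return self.uid + tag


class ReplayDevice:
    """Attacker hardware that replays one captured card response verbatim."""
    def __init__(self, captured: bytes):
        self.captured = captured

    def respond(self, _challenge) -> bytes:
        return self.captured


class StaticIdReader:
    """Reader that trusts whatever number the card emits."""
    def __init__(self, allowed_uids):
        self.allowed = set(allowed_uids)

    def check(self, card) -> bool:
        return card.respond(None) in self.allowed


class ChallengeResponseReader:
    """Reader that issues a fresh nonce and verifies the MAC under the diversified key."""
    def __init__(self, master_key: bytes, allowed_uids):
        self.master, self.allowed = master_key, set(allowed_uids)

    def check(self, card) -> bool:
        challenge = secrets.token_bytes(16)  # fresh nonce per attempt, so recordings do not replay
        resp = card.respond(challenge)
        uid, tag = resp[:UID_LEN], resp[UID_LEN:]
        if uid not in self.allowed:
            return False
        expected = hmac.new(diversify_key(self.master, uid), challenge + uid, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)  # constant-time comparison


def demo() -> dict:
    master = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed site key
    uid = bytes.fromhex("04a1b2c3")                               # constructed card UID

    prox_reader = StaticIdReader([uid])
    genuine_prox = StaticIdCard(uid)
    sniffed = genuine_prox.respond(None)        # one read from a concealed reader is enough
    prox_clone = ReplayDevice(sniffed)

    cr_reader = ChallengeResponseReader(master, [uid])
    genuine_cr = ChallengeResponseCard(uid, diversify_key(master, uid))
    captured = genuine_cr.respond(secrets.token_bytes(16))  # one fully sniffed exchange
    cr_replay = ReplayDevice(captured)
    cr_uid_copy = ChallengeResponseCard(uid, b"guessed-key")  # knows the UID, not the key

    return {
        "prox_genuine": prox_reader.check(genuine_prox),
        "prox_clone": prox_reader.check(prox_clone),
        "cr_genuine": cr_reader.check(genuine_cr),
        "cr_replay": cr_reader.check(cr_replay),
        "cr_uid_copy": cr_reader.check(cr_uid_copy),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The static-ID reader accepts the clone exactly as readily as the genuine card, because there is nothing to verify beyond the number itself. The challenge-response reader rejects both the replayed recording and a card that copied the UID without the key, and because each card's key is derived from the master rather than shared, pulling the key out of one lost badge does not let an attacker mint others. The allow-list check still matters: authentication proves the card holds its key, authorisation decides whether that card should open this door.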
Moving into data
Access devices increasingly use second-layer authentication methods to add assurance. These are effective, but every security professional knows that more systems means a larger attack surface. A recent Hacker News article laid this risk bare: one provider of biometric access products was found to have 24 different vulnerabilities, which analysts described as “alarmingly diverse”.
Moving into complex datasets such as biometric templates requires a greater level of assurance again if control systems are to remain effective. According to Hacker News, the key is in siloing data: each new security system should not simply be embedded in the old, but given its own network segment and its own set of credentials. Rather than using biometrics as just another way to open a door, as an RFID card or a numeric PIN does, the biometric subsystem should be an additional, isolated layer that communicates with the other layers of security over defined interfaces, so that a compromise of the biometric terminal does not hand an attacker the rest of the estate.
Tackling the AI challenge
Artificial intelligence (AI) could be a transformative technology for access control systems, whether through better facial recognition, biometric identification, or simply a more robust defence of older-style credentials. According to Access Professionals, AI could, in theory, entirely automate access control, providing fine-grained, automated control over who has access where and which credentials they require.
However, just as AI brings benefits, it also brings risks. In a review of the types of AI attacks that analysts are starting to identify, AquaSec noted two of particular relevance to access control managers: poisoning and abuse. In both, a malicious actor feeds intentionally misleading data into a system to corrupt the model underpinning it, producing erroneous results. Attacks of this kind are necessarily slow-burning and, because the system is automated, can take a long time for analysts to notice. While not yet a pressing problem in access control systems, this threat applies to every machine-learning-led tool.
As with all security matters, the key principle is vigilance. Attempts to breach physical controls can be as simple as a physical attack, but, increasingly, sophisticated tools are undermining the digital technology behind them. Being cognizant of the risk, and investing in carefully deployed measures, is crucial.