Security & Privacy

AI for cyber, you need to know the network, says Darktrace


There is a shortage of talent, and personalisation in the new mantra. Everyone who works in tech knows this. But it is not just a problem for legitimate business, it is a problem for cyber criminals too, how do they address the staff shortage? You may not have too much sympathy for them, but they can relax, take it easy, for they have a friend in AI for cyber. And that makes them formidable indeed.

Predictions: AI Fuzzing and Machine Learning Poisoning - Security Boulevard


For many criminal organizations, attack techniques are evaluated not only in terms of their effectiveness, but in the overhead required to develop, modify, and implement them. To maximize revenue, for example, they are responding to digital transformation by adopting mainstream strategies, such as agile development to more efficiently produce and refine their attack software, and reducing risk and exposure to increase profitability. Knowing this, one defensive response is to make changes to people, processes, and technologies that impact the economic model of the attacker. For example, adopting new technologies and strategies such as machine learning and automation to harden the attack surface by updating and patching systems or identifying threats forces criminals to shift attack methods and accelerate their own development efforts. In an effort to adapt to the increased use of machine learning and automation on the part of their targets, we predict that the cybercriminal community is likely to adopt the following strategies, which the cybersecurity industry as a whole will need to closely follow.

Gift ideas? Perhaps check Mozilla's gadget security, creepiness ratings before you buy


Before buying connected toys and gadgets for the holiday season this year, it could be worth first checking Mozilla's 2018 edition'Privacy Not Included' buyers' guide. The guide offers an assessment of the privacy and security qualities of 70 different products, ranging from connected teddy bears, to smart speakers, games consoles, and smart home gadgets. Products can be rated by the public on a spectrum from'a little creepy' to'very creepy'. Mozilla's researchers have also assessed whether each product uses encryption, how easy the privacy policy is to read, how security updates are handled, and whether the maker addresses security vulnerabilities. Mozilla also adds a'Meets Our Minimum Security Standards' stamp to a page if the product has met its minimum security standards for IoT products.

AI can create fake fingerprints that are so realistic they trick scanners

Daily Mail

From unlocking smartphones to authorising payments, fingerprints are widely used to identify people. However, a team of researchers have now managed to accurately copy real fingerprints and created fake ones called'DeepMasterPrints'. Researchers - who created the fake prints using a neural network - were able to mimic more than one in five fingerprints. These new technological developments suggest fingerprint identification could become increasingly less secure. From unlocking smartphones to authorising payments, fingerprints are widely used to identify people.

Fake fingerprints can imitate real ones in biometric systems – research

The Guardian

Researchers have used a neural network to generate artificial fingerprints that work as a "master key" for biometric identification systems and prove fake fingerprints can be created. According to a paper presented at a security conference in Los Angeles, the artificially generated fingerprints, dubbed "DeepMasterPrints" by the researchers from New York University, were able to imitate more than one in five fingerprints in a biometric system that should only have an error rate of one in a thousand. In order to work, the DeepMasterPrints take advantage of two properties of fingerprint-based authentication systems. The first is that, for ergonomic reasons, most fingerprint readers do not read the entire finger at once, instead imaging whichever part of the finger touches the scanner. Crucially, such systems do not blend all the partial images in order to compare the full finger against a full record; instead, they simply compare the partial scan against the partial records.

Mozilla's gift guide ranks gadgets by how secure they are


You can always expect to see a bunch of gift and shopping guides pop up in the weeks, even months, leading to Black Friday and Christmas season. Even Mozilla has released its own take, but instead of making it a list of products to buy, the organization has compiled the most popular gadget gifts and identified which of them are secure and trustworthy. It's called Privacy Not Included, and it will tell you if a particular device can spy on you using its camera, mic and location services. The guide also includes various information about the devices' security features, and those that meet Mozilla's minimum standards are recognized with a badge on their page. Mozilla awarded the badge to 33 products (out of 70), including the Nintendo Switch, Google Home, Amazon Echo speakers, Apple TV/iPad, Sony PS4 and Microsoft XBox One.

4 best practices to combat new IoT security threats at the firmware level


Telepresence robots enable physicians to administer care to patients in remote and rural areas, and extend the reach of healthcare to those who otherwise might go without it. The use of telepresence in healthcare isn't new; it has operated for more than ten years and is an accepted part of medical practice in many care networks. What has changed for telepresence is the emergence of a new set of security vulnerabilities that attack telepresence robots at the firmware level--where standard IT security practices often don't extend. "Robotic telepresence is a next-generation technology that allows a person in one location to replicate himself in another," wrote Dan Regalado, Security Researcher at IoT security provider Zingbox in a 2018 research report. "The remote person can see you, hear you, interact with you, and move all around your location. But what if the person behind the robot is not who you think he is? What if the robot gets compromised, and now the attacker is watching you and your surroundings?"

Alibaba's Tmall and Ford have a vehicle 'vending machine'


Ecommerce giant Alibaba wants to make the process of purchasing a new vehicle as easy as buying a can of Coke, launching an "auto vending machine" to target the largest new car market in the world. The Super Test-Drive Center in Guangzhou was launched earlier this year by Alibaba's Tmall and the Ford Motor Group with the goal to "dramatically" improve the car shopping experience for Chinese consumers. Discussing the initiative with ZDNet at Alibaba's 11.11 Global Shopping Festival in Shanghai on Sunday, company representatives said that the initiative isn't limited to Ford vehicles, and that the likes of Volvo and BMW will soon be on board. To test-drive a car, Alibaba app users will need to have over 700 points on Alibaba's credit-scoring system, Zhima Credit, and be an accredited Alibaba Super Member. Customers can browse and select models they want to test-drive via the app catalogue, and after having their eligibility confirmed, the customer is required to take a photo using the app to allow for biometric authentication.

Flaw in DJI website gave hackers access to user accounts and live feeds from quadcopters

Daily Mail

A worrying vulnerability in DJI drones gave hackers complete access to a user's account without them realizing it. Security researchers from Check Point in March discovered a flaw in DJI's cloud infrastructure that allowed attackers to take over users' accounts and access private data like drone logs with location data, maps, account information and photos or videos taken during flight. However, DJI said it patched the vulnerability in September. A worrying vulnerability in DJI drones gave hackers complete access to a user's account. Users fell prey to the attack by clicking on a malicious link shared through DJI Forum, an online forum the firm runs for user discussions about its products.

A DJI Bug Exposed Drone Photos and User Data


DJI makes some of the most popular quadcopters on the market, but its products have repeatedly drawn scrutiny from the United States government over privacy and security concerns. Most recently, the Department of Defense in May banned the purchase of consumer drones made by a handful of vendors, including DJI. Now DJI has patched a problematic vulnerability in its cloud infrastructure that could have allowed an attacker to take over users' accounts and access private data like photos and videos taken during drone flights, a user's personal account information, and flight logs that include location data. A hacker could have even potentially accessed real-time drone location and a live camera feed during a flight. The security firm Check Point discovered the issue and reported it in March through DJI's bug bounty program.