Hello <<First Name>>, and welcome to this issue of the Science of Security and Privacy - Reviews & Outreach (R&O)! Its purpose is to highlight some of the exciting research, news, and events that impact our technical community. All presented materials are available on or through the Virtual Organization portal.
HotSoS 2019

The sixth annual Symposium and Bootcamp on the Science of Security (HotSoS) was held April 2-3, 2019 at Vanderbilt University in Nashville, Tennessee. HotSoS is a research event centered on the Science of Security, which aims to address the fundamental problems of security in a principled manner. Researchers from diverse disciplines came together to promote advancement of work related to the science of security. The conference was a mix of invited talks, panels, tutorials, and refereed papers soon to be published by ACM. Participants included a broad mix from academia, commerce and government.

Summaries of keynotes and papers presented at HotSoS 2019 have been provided. Rebecca Wright (Barnard College and Rutgers University), Kevin Hamlen (University of Texas at Dallas) and Trent Jaeger (The Pennsylvania State University) were keynote speakers. Papers were presented on subjects that included a distributed hospital recording and replay system; observability in cyber-physical systems; a game-theoretic model for cyber-warfare games; cyberdeception; situated information flow theory; attestation management; and browser fingerprinting. These papers are published in the ACM conference proceedings. Citations and DOIs are given with the descriptions.
Cyber Scene -
$5 Billion here, $5 Billion there...Facebook is Fine (d)

On 24 July, the Federal Trade Commission (FTC) delivered its 50-page plan to take Facebook to task for transgressions regarding improper use of the personal identifying information (PII) of its users. This record fine had been anticipated at least since a July 12 article by Cecilia Kang, as the FTC was awaiting a green light from the Department of Justice (DOJ). The DOJ usually approves FTC settlements. The core of this settlement on privacy was whether Facebook violated its 2011 agreement with the FTC to refrain from deceiving users over how their PII was used and shared. The settlement is exponentially greater than the next largest one, $22M with Google in 2012, but it is a criticism Mark Zuckerberg seems to be taking to heart without significant danger to his company, as reported by NYT reporters Mike Isaac and Natasha Singer. A second settlement with the Securities and Exchange Commission (SEC) of $100M was also announced on 24 July, this one from the perspective of misleading investors. This leaves a third potential settlement with the FTC, related to anti-trust actions creating an unlevel playing field, still outstanding. The FTC vote of 3-2 on the $5B settlement was not unanimous because the two "nay" votes believed that the reprimand was not strong enough.

Regarding mitigation plans, Wired on 24 July reports in "The FTC wants more privacy, less Zuckerberg at Facebook", that the CEO must certify annually and personally that the company is in compliance with the changes to Facebook's structure and privacy protection.

Facing the Nation

As for the view from across the Pond, The Economist in "Volte-Face" notes on 18 July that the series of testimonies from this social network promising to "...behave better from now on" has a familiar ring. However, in the margins of testimony regarding the launch of the cryptocurrency Libra, US Members of Congress and David Marcus, who heads up Libra for Facebook, all appeared to be better prepared, per the Economist, with Mr. Marcus now "asking for permission rather than forgiveness." It also notes that this points to a change in which "Facebook works with governments rather than around them," which appeals to its investors. The article includes a handy chart of US and EU tech companies' operating profits entitled "Fine and Dandy." Facebook is highly unlikely to risk debt prison.

This, however, leads to more regulation in the US and Europe, which spills over into other cyber and facial-recognition issues. The Economist of 13 July addresses Congressional and Supreme Court views on facial-recognition aspects of privacy. Two US towns banned the use of facial recognition by their local police, whereas one Congressman on the House Homeland Security Committee believes that someone in the public domain should have no expectation of privacy.

The Supreme Court disagreed, with Chief Justice Roberts holding that the Court's view of the Fourth Amendment indicates that "individuals have a reasonable expectation of privacy in the whole of their physical movements." Ergo, no non-consensual GPS tracking.

Can You See Yourself?

Wired's Brian Barrett penned an article on 17 July entitled "Think Faceapp is Scary? Wait Till You Hear About Facebook" in which he looks at Faceapp's ability to let you see what you will look like when you are old and grey. He reminds the reader that the product is of Russian descent and retains the right to use photos forever. But "at least Faceapp didn't access your GPS or SIM card." And it stated that it doesn't upload all your photos to the cloud. Barrett casts this as good news in comparison to the transgressions of Facebook, Life360, TikTok (a Chinese app) and other apps that are worse. However, he undercuts his own argument a bit by ending with a note that Faceapp does send data to DoubleClick (the Google ad company) and Facebook. He adds a final caution for users to focus on broader awareness, recognize the value of one's personal data, and think twice about who, with your consent, gets your data.

For graphic learners, the NYT's Cade Metz on 13 July analyzes the "quiet hoarding" of millions of faces drawn from the web, with a stunning photo of the Microsoft MS Celeb database of over 10 million photos of 100,000 (mostly famous) people. Facebook and Google are credited with not distributing their massive photo databases, and Microsoft and Stanford University's Brainwash have removed theirs, as Duke and other innovators also struggle to conduct research while respecting privacy. We are back to the beginning regarding police being denied facial-recognition access by two US towns: the FBI is mentioned by the author as having used this data for years.

Congress United, Microscopes in Hand

This ever-growing challenge of balance continues to drive regulators. It particularly draws politicians of opposite polarities together with respect to the Big Tech FAANGs. NYT's Steve Lohr, Mike Isaac and Nathaniel Popper in the 17 July "Reprimands of Big Tech Cross Aisle" look at senators and congressmen of considerable status, such as Senators Ted Cruz (R-TX) and Sherrod Brown (D-OH), who join forces, if only on cyber security or anti-trust issues related to regulating Big Tech.

Who's Watching? Mueller Time

For those returning from an isolated African jungle safari: on 24 July former FBI Director Robert Mueller testified before the House Judiciary Committee on obstruction of justice and before the House Permanent Select Committee on Intelligence (HPSCI) on Russian election interference. The former hearing did not directly address cyber issues; Mr. Mueller was "by the book" with no surprises, and the Members of both parties expressed their admiration for the witness's service and then launched into somewhat politicized blasts, despite Chairman Jerrold Nadler's (D-NY) attempts to rein them in and direct them to complete their comments within the allotted time. Some "questions" gave Mr. Mueller no time to respond. This behavior is not unusual on the Hill. In contrast, the HPSCI was markedly civil, likely in part because Mr. Mueller, as a former FBI director, had appeared before the HPSCI for many of his nearly 90 appearances before Congress. Chairman Adam Schiff (D-CA) had a less contentious three hours, with Ranking Member Devin Nunes (R-CA) being a slight exception. Also exceptional, in the opposite direction, was the questioning by Member Will Hurd (R-TX), who commended Mr. Mueller and his work, and did so with no "howevers." More expectedly, Member Eric Swalwell (D-CA) asked about cyber attacks and countermeasures used against the US during the 2016 elections. He also queried whether encryption and other technologies deployed against the elections hampered US defenses. Mr. Mueller acknowledged that they did, and that they continue "as we sit here." He added that these attacks also involve additional actors beyond Russia. When asked who should be in charge of this now, Mr. Mueller asked Congress to do its part to strengthen the connectivity across the Intelligence Community (IC), as was initiated post-9/11.

Interestingly, NYT intelligence reporter ...

SoS Musings - The Dark Web

The threat landscape faced by organizations has been significantly expanded by an elusive part of the World Wide Web known as the dark web. The term "dark web" refers to the collection of websites and networks that cannot be accessed via regular search engines such as Google and Yahoo. Access to the dark web requires the use of special tools and software, including peer-to-peer (P2P) browsers or The Onion Router (Tor). The dark web is often used as the grounds for a marketplace of illicit services and tools, since this part of the internet provides anonymity through encryption. Some examples of crimes that can be committed via the dark web include extortion, sex trafficking, terrorism, selling illegal drugs, and hiring assassins. In the realm of cybercrime, the dark web allows cybercriminals to collaborate with each other, purchase or sell stolen credentials to online accounts, advertise hacking tools, and more. The dark web has made many headlines in recent years and raised concern about cybercriminal activity.
Researchers and law enforcement have made many discoveries surrounding the dark web. A report published by Deloitte, titled "Black Market Ecosystem: Estimating the Cost of 'Pwnership'", emphasizes that cybercriminals do not need a high level of technical expertise to carry out cybercriminal operations, as they can purchase tools and services on the dark web to conduct such operations for them, increasing the likelihood of cybercrime. A study conducted by researchers from Georgia State University and the University of Surrey revealed the availability of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) certificates on the dark web, packaged with crimeware to deliver machine identities to cybercriminals. These machine identities can then be used to spoof websites, intercept encrypted traffic, steal sensitive data, and perform other attacks. Security researchers have also found automated social engineering services available to cybercriminals on the dark web. One such service, an automated phone-calling service offered for $250 per month, allows cybercriminals to deceive victims into giving up their credit card PINs or other sensitive information. This service was expected to garner much attention from cybercriminals, since the stolen credit and debit card numbers often exchanged on the dark web would be useless without victims' ATM PINs if the aim was simply to steal cash. A traffic distribution system (TDS) called BlackTDS was also discovered being offered on the dark web as a service that would allow low-skilled cybercriminals to execute sophisticated malicious drive-by attacks. According to researchers, BlackTDS would simplify the launch of large-scale malware campaigns by performing social engineering, redirecting victims to exploit kits, and preventing detection of such attacks by researchers and sandboxes.
Recent observations made by researchers at IBM X-Force have brought further attention to the increasing shift of the dark web marketplace towards cybercrime services such as malware-as-a-service (MaaS) and infrastructure-as-a-service (IaaS), in which prepackaged malware and access to compromised devices are sold to threat actors. The dark web must continue to be examined for changes in available products and services, as well as shifts in business approaches.
As the dark web provides ...
Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers. Select the topic name to view its description and links to the publications.
  Malware Analysis 2018
  SCADA Systems Security 2018 
  Scalable Security 2018
  Scalable Verification 2018
  SDN Security 2018
  Security Audits 2018
  Security Heuristics 2018
  Security Metrics 2018
In the News
List of selected articles from recent SoS-VO postings with links to the entries on SoS-VO site.

"Facebook’s Libra: Cryptocurrencies in the Mainstream or a Hacker’s Paradise?"
"Report on Cognitive Security Market, Trend, Segmentation and Forecast 2026"
"Google Turns to Retro Cryptography to Keep Data Sets Private"
"Three Quarters of Mobile Apps Have This Security Vulnerability Which Could Put Your Personal Data at Risk"
"Healthcare Overconfident in Privacy Maturity, As Breach Rate Rises"
"New Research Reveals a Surprising World of IoT"
"LTE Flaws Let Hackers 'Easily' Spoof Presidential Alerts"
"A Malware Can Bypass '2FA' In ‘Android’ Phones, Researchers Found"
"Researchers Develop 'Vaccine' Against Attacks on Machine Learning"
"Hackers Hit over a Dozen Mobile Carriers and Could Shut down Networks, Researchers Find"
"Security of iOS and Android Mobile Apps 'Roughly Equivalent'"
"Top Roadblocks to Securing Web Applications"
"Bill Advances to Create Vulnerability Disclosure for Federal Internet of Things"
"iOS Devices Compromised Again"
"Disruptive by Design: Intelligence Fusion Inoculates Against Cyber Threats"
"Managing IoT Privacy, Cybersecurity Guidance Released by NIST"
"The History of Cellular Network Security Doesn’t Bode Well for 5G"
"How Hackers Infiltrate Open Source Projects"
"Keeping Children Safe in the 'Internet of Things' Age"
"Personalized Medicine Software Vulnerability Uncovered by Sandia Researchers"
"Facebook Abused to Spread Remote Access Trojans Since 2014"
"Cyberwarfare in Space: Satellites at Risk of Hacker Attacks"
"Security Flaws in a Popular Smart Home Hub Let Hackers Unlock Front Doors"
"Ransomware Hits Georgia Courts As Municipal Attacks Spread"
"Automated Cryptocode Generator Is Helping Secure the Web"
"To Benefit from DevOps Implementation, Security and Dev Teams Must Communicate Better"
"Phishing Attacks Incorporate QR Codes to Help Evade URL Analysis"
"More Than 1,000 Android Apps Harvest Data Even After You Deny Permissions"
"PGP Ecosystem Targeted in ‘Poisoning’ Attacks"
"Researchers Hack VR Worlds"
"YouTube’s Policy on Hacking Videos Makes Everyone Less Safe"
"Researchers Find Worrying Security Vulnerability in GE Healthcare Anesthesia Machines"
"Coast Guard Warns Shipping Firms of Maritime Cyberattacks"
"More Than 2 Million Cyber Incidents in 2018 Created $45 Billion in Losses"
"Research Shows Humans Are Attacking Artificial Intelligence Systems"
"Researchers Detail Privacy-Related Legal, Ethical Challenges With Satellite Data"
"Cybersecurity Training Study Reveals Phishing Identification and Data Protection Are the Top Problem Areas for End Users"
"Academics Steal Data From Air-Gapped Systems via a Keyboard’s LEDs"
"Dutch Researchers Are Developing Quantum Technology to Secure Your Bank Account"
"WhatsApp, Telegram Had Security Flaws That Let Hackers Change What You See"
"How can Attackers Abuse Artificial Intelligence?"
"Hack Brief: A Card-Skimming Hacker Group Hit 17K Domains—and Counting"
"Supply Chains May Pose Weakest Security Link"
"Software Developers Face Secure Coding Challenges"
"Bluetooth LE’s Anti-Tracking Technology Beaten"
"$4.6 Million Award Creates Program to Train Cybersecurity Professionals"
"Companies with Zero-Trust Network Security Move Toward Biometric Authentication"
"Microsoft Notified 10,000 Victims of Nation-State Attacks"
"To Foil Hackers, This Chip Can Change Its Code in the Blink of an Eye"
"Researchers Trick AI-Based Antivirus into Accepting Malicious Files"
"Multi-Stage Attack Techniques Are Making Network Defense Difficult"
"Tackling Emerging Cyber-Social Threats"
"Researchers Build Transistor-Like Gate for Quantum Information Processing -- with Qudits"
"Phishing Scheme Targets Amex Cardholders"
"U.K. Government Urges Organizations to Defend Against DNS Hijacking"
"What Is Post-Quantum Cryptography?"
"Your Android’s Accelerometer Could Be Used to Eavesdrop on Your Calls"
"Average Data Breach Cost has Risen to $3.92 Million"
"At Least 62 Colleges Were Exploited by a Software Vulnerability"

This is a sample of the news items that are on the SoS site; more are available there.
Upcoming Events

Security Awareness Summit and Training 2019
Aug 5-14, San Diego, CA

BSides Las Vegas
Aug 6-7, Las Vegas, NV

SciSec 2019
Aug 9-11, Nanjing, China

SOUPS 2019
Aug 11-13, Santa Clara, CA

28th USENIX Security Symposium
Aug 14-16, Santa Clara, CA

Crypto 2019
Aug 18-22, Santa Barbara, CA

2019 IEEE Information Theory Workshop (ITW)
Aug 25-28, Visby, Sweden

The 14th International Conference on Availability, Reliability and Security
Aug 26-29, Canterbury, UK

Aug 26-30, Tallinn, Estonia

6th Conference on the Engineering of Computer Based Systems (ECBS)
Sep 2-3, Bucharest, Romania

DerbyCon 9.0
Sep 6-8, Louisville, KY

2019 IEEE/AIAA 38th Digital Avionics Systems Conference (DASC)
Sep 8-12, San Diego, CA

Oil & Gas Cybersecurity Summit and Training 2019
Sep 16-22, Houston, TX

RAID 2019
Sep 23-25, Beijing, China

2019 IEEE Secure Development (SecDev)
Sep 25-27, McLean, VA

Cyber Security X Chicago
Sep 25-26, Chicago, IL

Digital Forensics & Incident Response Prague Summit and Training 2019
Sep 30 - Oct 5, Prague, Czech Republic

Threat Hunting & Incident Response Summit and Training 2019
Sep 30 - Oct 7, New Orleans, LA

Produced by
Cyber Pack Ventures, Inc. 5850 Waterloo Road Suite 140 Columbia, MD 21045 USA
