Hello, and welcome to this issue of the Science of Security and Privacy - Reviews & Outreach (R&O)! Its purpose is to highlight some of the exciting research, news, and events that impact our technical community. All presented materials are available on or through the Virtual Organization portal.
Spotlight on Lablet Research -
Foundations of Cyber-Physical Systems Resilience

Lablet: Vanderbilt University

The goal of this project is to develop the principles and methods for designing and analyzing resilient Cyber-Physical Systems (CPS) architectures that deliver required service in the face of compromised components. A fundamental challenge is understanding the basic tenets of CPS resilience and how they can be used in developing resilient architectures. CPS are ubiquitous in critical application domains, which necessitates that systems demonstrate resiliency under cyber-attacks. The researchers’ proposed approach integrates redundancy, diversity, and hardening methods for designing both passive resilience methods that are inherently robust against attacks and active resilience methods that allow responding to attacks.

As CPS become more prevalent in critical application domains, ensuring security and resilience in the face of cyber-attacks is becoming an issue of paramount importance. Cyber-attacks against critical infrastructures, smart water-distribution, and transportation systems, for example, pose serious threats to public health and safety. Owing to the severity of these threats, a variety of security techniques are available. However, no single technique can address the whole spectrum of cyber-attacks that may be launched by a determined and resourceful attacker. In light of this, the research team, led by Principal Investigator (PI) Xenofon Koutsoukos, adopted a multi-pronged approach for designing secure and resilient CPS, which integrates redundancy, diversity, and hardening techniques for designing both passive resilience methods that are inherently robust against attacks and active resilience methods that allow responding to attacks. They also introduced a framework for quantifying cyber-security risks and optimizing the system design by determining security investments in redundancy, diversity, and hardening. To demonstrate the applicability of the framework, they used a modeling and simulation integration platform for experimentation and evaluation of resilient CPS using CPS application domains such as power, transportation, and water distribution systems.

Adversaries may cause significant damage to smart infrastructure using malicious attacks. To detect and mitigate malicious attacks before they can cause physical damage to smart infrastructure, operators can deploy Anomaly Detection Systems (ADS), which can alert operators to suspicious activities. However, detection thresholds of ADS need to be configured properly, as an oversensitive detector raises a prohibitively large number of false alarms, while an undersensitive detector may miss actual attacks. Using a game-theoretic approach, researchers formulated the problem of computing optimal detection thresholds, which minimize both the number of false alarms and the probability of missing actual attacks, as a two-player Stackelberg security game.

The research team seeks to improve the structural robustness in networks using the notions of diversity and trustiness. Diversity means that nodes in a network are of different types and have...
SoS Musings -
Critical Infrastructure Cybersecurity

According to the U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA), there are 16 critical infrastructure sectors, which include chemical plants, energy, communications, critical manufacturing, emergency services, dams, transportation, information technology, healthcare, and more. These infrastructure sectors are deemed critical due to the necessity and sensitivity of their assets, systems, and networks. Security, national economic security, public health, and safety would be significantly weakened if such elements of a critical infrastructure sector were disabled or destroyed by malicious hackers. Claroty, a cybersecurity company focused on developing security solutions for industrial control networks, released a report in March, titled "The Global State of Industrial Cybersecurity," which reveals that there is a higher level of concern among IT security professionals across the U.S., UK, Germany, France, and Australia about cyberattacks on critical infrastructure than about an enterprise breach. Over 70 percent of the 1,000 participants in Claroty's survey believe that cyberattacks on critical infrastructure are likely to inflict more damage than a data breach experienced by a company. A major cyberattack on U.S. critical infrastructure could lead to significant consequences. Research conducted by Lloyd's of London and the University of Cambridge's Center for Risk Studies found that if the electric grid in fifteen states and Washington, D.C. were to be taken down by hackers, it would result in power outages for 93 million people. Such an incident would lead to increases in mortality rates, a decline in trade, poor water supply, and damage to transport networks. A cyberattack of such a scale on critical infrastructure could cost the U.S. economy $243 billion to $1 trillion.
As cyberattacks on critical infrastructure have the potential to impact people's health and well-being as well as economic security, it is essential to explore the vulnerabilities and threats faced by such infrastructure and improve efforts to address them.

The different critical infrastructure components face threats and contain vulnerabilities that call for the continued development and research of security solutions. Operational Technology (OT) encompasses the hardware and software used to monitor and control the performance of physical devices, processes, and infrastructure. Industrial Control System (ICS) is the main component of OT that refers to the various kinds of control systems and related tools, including devices, systems, networks, and controls, used in the operation or automation of industrial processes. SCADA (Supervisory Control and Data Acquisition) is a subset of ICS, which refers to systems of software and hardware-based components that enable industrial organizations to locally control industrial processes, monitor real-time data, log events, and directly interact with devices such as sensors via Human-Machine Interface (HMI) software. SCADA systems help to support industrial organizations' efficiency, decision-making, and communication of systems problems to reduce downtime. Several critical infrastructure and SCADA/ICS cybersecurity vulnerabilities and threats exist due in part to the lack of basic security controls for OT systems. According to Check Point Software Technologies, a leading cybersecurity solutions provider for governments and corporate enterprises globally, the most common vulnerabilities include the use of legacy software, default configuration, poor remote access policies, policies and procedures, and lack of encryption. The top threats are distributed denial-of-service attacks, web application attacks, malware, command injection and parameter manipulation, and lack of network segmentation. 
Other top cyber threats that critical infrastructure firms must be aware of are the growing use of vulnerable Internet of Things (IoT) devices that hackers could use to infiltrate critical infrastructure networks, the lack of security in the design of OT, and the inability to identify all devices connected to an OT network as well as the security flaws these devices possess. The recent growth in remote workers due to COVID-19 increases the risk of cyberattacks on critical infrastructure, as there are employees who must now...
CoR&Onavirus Tracing -
Developing Privacy-Protective Technologies

Contact tracing has been an important tool in fighting the spread of infectious disease. In the past, such tracing was a labor-intensive process of personal interviews that involved no small amount of intrusion on the infected persons and the exposed persons with whom they interacted. With the ubiquity and technical capability of modern devices, a technological approach has begun that will accelerate tracing and that is privacy-sensitive.

In an April 20, 2020 publication, Johannes Abeler, et al. discuss the importance of developing such privacy-protective contact tracing as an essential tool for public health officials and local communities to fight the spread of novel diseases such as COVID-19 using digital apps. "Scientists have … [an] approach to keeping the epidemic in check: app-based contact tracing. Several apps are currently in development (e.g., in the United Kingdom, by a pan-European initiative, and in a joint Google and Apple venture), or have already been launched (e.g., in Singapore)."

As with all health care information in the U.S., the data collected in such apps is subject to the Health Insurance Portability and Accountability Act (HIPAA). CDC has prepared preliminary criteria for the evaluation of digital contact tracing tools for COVID-19. They include key concepts such as the need to trace and monitor contacts of infected people and notify them of their exposure; using data to support the quarantine of contacts and help ensure the safe, sustainable and effective quarantine of contacts to prevent additional transmission; expand staffing resources--contact tracing in the U.S. will require the establishment of large cadres of contact tracers; and the use of digital tools to expand reach and efficacy of contact tracers.

CDC also says digital contact tracing tools vary in purpose, features, and complexity, but they can add value to traditional contact tracing efforts by conducting a landscape analysis and evaluation of existing contact tracing tools; generating preliminary recommendations for tracing in areas with limited introduction of COVID-19; and coordinating with public health agencies, healthcare organizations, academic institutions, non-profit organizations, and private companies to maximize contact tracing effectiveness. Digital tools can also improve data management; reduce the burden on public health staff by allowing electronic self-reporting; use location data to identify community contacts unknown to the case to look at possible exposure. Various public health entities may have different contact tracing challenges, making a one-size-fits-all solution unlikely.

Research efforts are underway at several universities to develop tracing tools. A not-for-profit volunteer group compiles data to inform the public, health leaders, and government leaders on the value of testing and tracing and how to implement it. Google and Apple announced a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design.

Cornell researchers report on several approaches, including the Singaporean government's mobile phone app, TraceTogether, that is designed to assist health officials in tracking down exposures after an infected individual is identified. The TraceTogether app uses short-distance Bluetooth signaling between devices to detect users in close proximity. The data are then stored on the individual user's device and sent to the ministry of health to supplement contact tracing efforts. This app does not collect...
Cyber Scene -
Cyber Offense and Defense: The U.S. Election 3D Chessboard

Coming to terms with the magnitude of cyber's role in the 2020 election and how it will be impacted by the COVID-19 pandemic is daunting. "De-globalizing" as the U.S. and other nations such as the U.K. have tried to do recently is difficult if not unfeasible.

As for a framework to clarify this conundrum, Cyber Scene proposes the analogy of Joseph Nye, the "soft power guy," to provide a visual framework for U.S. election vulnerabilities under the pandemic. Although not a cyber expert, Dr. Nye has experience across U.S. government sectors and academia: head of the National Intelligence Council, Deputy Undersecretary of State for Security Assistance, Deputy Assistant Secretary of Defense for International Security Affairs, and Dean of Harvard's Kennedy School.

In 1994, he posited his theory of the world functioning as a 3D chessboard: the three strata, through which events passed, were foreign policy, economics, and military issues. Building on his model, Cyber Scene offers that a pandemic exceeds the definition of an event. Rather, let us consider it as the black and red chessboard squares; cyber serves as the connections that move decision-making of world leaders--kings, queens, autocrats, presidents and other nation-state and technology leaders; bishops, other religious organizations as well as radicalized quasi-religious entities; knights as military leaders, and the less prestigious pawns--all the rest of us. Cyber permeates all our lives as it enables movement--across the board and across essential segments of everyday life. The global aspect of this board can also be confirmed by Thomas Friedman's dissection and country sourcing of his computer components, as discussed in his initial version of "The World is Flat." So we have Dr. Nye's 3D model with "cyber-pandemic characteristics."

With this graphic image as our framework, let's examine the June 2020 status of U.S. election security threats--direct and indirect, foreign and domestic, intentional and unintended. The intensity and mutation of these threats multiply under the COVID-19 pandemic closing in on us. As we hunker down we are all trying to determine our next move (or vote) on the board, be we kings or pawns. Cyber is the path to the objective and success.

On 7 June, New York Times (NYT) reporters David Sanger, Nicole Perlroth and Matthew Rosenberg opine in "Amid Pandemic and Upheaval, New Cyber Risks to the Presidential Election" that as America attempts to secure the health and safety of U.S. voters by expanding remote voting, largely Vote-By-Mail (VBM), and other measures to protect those working the polls and those going to them, an ugly vulnerability is identified. The authors believe that the pandemic "...could open up new opportunities to hack the vote--for President Vladimir V. Putin of Russia, but also others hoping to disrupt, influence or profit from the election." They dismiss the claim that the problem could be fraud, noting that Stanford and other research concludes that voting by mail might increase voting for both parties, with no advantage to either, and that five U.S. states that have been using and tracking VBM for many years found little fraud.

Rather, the concern regards online voting systems created quickly by many states in light of the pandemic, as well as existing online voter registration systems. The former were considered by the Department of Homeland Security (DHS) as "high risk" and the latter assortment of state registration systems among "chief targets of Russian hackers in 2016." These attacks were viewed by American officials as...
Cybersecurity Snapshots -
Is Online Voting a Good Idea?

Government officials have expressed mounting concerns for how the coronavirus could diminish voter turnout during the 2020 presidential election. Officials have expressed interest in allowing internet voting as an alternative to in-person ballot casting in the upcoming presidential election in November. The concept of internet voting has been around since the 1990s. A handful of states, including Delaware, West Virginia, and New Jersey, have introduced an internet voting pilot program. Many individuals in the computer science community see online voting as a slippery slope towards a looming security risk.

David Dill, a computer science professor at Stanford University, is against the idea of piloting online voting in the next presidential election. He believes that there is no way to ensure that devices and apps are free of malware that might influence a voter's choices. Dill also says that a hacker from an adversarial foreign government could theoretically hack their way into these systems and change or manipulate votes. Barbara Simons, a former president of the Association for Computing Machinery, has been a long-time critic of internet voting and overly mechanized voting systems. She believes that voting over the internet is too risky, and if voters are not able to vote in person due to COVID-19 in November, then Vote-By-Mail (VBM) is the safest way for voters to cast their ballots. The FBI, EAC, NIST, and the Department of Homeland Security's CISA have released a warning against the wholesale embrace of internet voting. They stated that there are some effective risk management controls to enable electronic ballot delivery and marking, but electronic ballot return technologies are high-risk even with controls in place.

Google recently announced that earlier this month, on June 4th, an Advanced Persistent Threat (APT) group targeted Joseph Biden's campaign staff with phishing attempts. The group behind the attacks is called APT31, also known as Zirconium. Zirconium is a Chinese state-sponsored hacking group that has been active since early 2016. Historically this group has targeted foreign companies to steal intellectual property but has also targeted diplomatic entities in the past. The adversaries did not appear to compromise the campaign's security. Analysts believe that China's primary motive for breaking into a campaign is to collect intelligence, such as Biden's proposals for U.S. policy on China. The adversaries could, later on, use the stolen information to interfere in the campaign itself.

In a new survey conducted by Venafi, 485 IT security professionals attending the RSA Conference 2020 were surveyed about election infrastructure cybersecurity. Almost three-quarters of the cybersecurity professionals believe that local governments cannot defend election infrastructure against cyberattacks from foreign and domestic threat actors. Most of the IT security professionals surveyed thought that the spread of malicious information was...
Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers. Select the topic name to view its description and links to the publications.
  Blackhole Attack 2018
  Blackhole Attack 2019
  Differential Privacy 2019
  Digital Signatures 2019
  DNA Cryptography 2019
  Dynamical Systems 2019
  Edge Detection and Security 2019
  Efficient Encryption 2019
SoS Intern Program - Accepting Applications

The National Security Agency (NSA) Science of Security (SoS) & Privacy Lablets Summer Internship Program is for undergraduate and graduate students currently enrolled at U.S. universities and colleges. The program provides an opportunity for exceptional science, technology, engineering, and math (STEM) students to work directly with NSA SoS Champions on mission-critical hard problems and experience the excitement of the NSA research community first-hand.

Over the course of the summer, the students participating in this program will work on the five SoS hard problems.

Symposium on the Science of Security (HotSoS)

HotSoS is a research event centered on the Science of Security, which aims to address the fundamental problems of security in a principled manner.

The University of Kansas will virtually host the seventh annual HotSoS event on September 22-24, 2020. HotSoS brings together researchers from diverse disciplines to promote advancement of work related to the science of security.

In the News
List of selected articles from recent SoS-VO postings with links to the entries on SoS-VO site.

"Malware Opens RDP Backdoor Into Windows Systems"

"Android Security Vulnerabilities Differ by Country, Say Researchers"

"Florida Tech Student Finds Privacy Flaws in Connected Security and Doorbell Cameras"

"Qatar: 'Huge' Security Weakness in COVID-19 Contact-Tracing App"

"External Threats Outpace Insider-Related Breaches in Healthcare"

"External Attacks on Cloud Accounts Grew 630 Percent From January to April"

"Vulnerability Disclosures Drop in Q1 for First Time in a Decade"

"NSA Warns About Sandworm APT Exploiting Exim Flaw"

"Tel Aviv University and IDC Herzliya Researchers Thwart Large-Scale Cyberattack Threat"

"IoT Labels Will Help Consumers Figure out Which Devices Are Spying on Them"

"New Android Malware Channels Malicious Activity Through Accessibility Services"

"41% of Organizations Have Not Taken Any Steps to Expand Secure Access For The Remote Workforce"

"Revealed: Advanced Java-Based Ransomware PonyFinal"

"Education App Reveals Users' Sensitive Information, Research Finds"

"New Technique Improves Effectiveness of Timing Channel Attacks"

"GitHub Uncovers Malicious 'Octopus Scanner' Targeting Developers"

"Evidence Suggests That the U.S. Loses Hundreds of Billions to Cybercrime"

"Security Remains a Major Concern For Enterprise IoT Integration"

"Most Chrome Security Bugs Rooted in Faulty Memory Code"

"Enterprise Mobile Phishing Attacks Skyrocket Amidst Pandemic"

"Hackers Sell 80K Stolen Credit Card Details on Dark Web"

"This Bot Hunts Software Bugs for the Pentagon"

"Amtrak Breached, Some Customers’ Logins And PII Potentially Exposed"

"VMware Flaw Allows Takeover of Multiple Private Clouds"

"Cyber Commission: Expand Connected Device Security Bill Beyond Federal Procurement Realm"

"New Ransomware Trends Spotted: Auctioning Stolen Files, Cybergangs Joining Forces"

"Most Active Ransomware Strains Targeting Enterprise Networks"

"Malicious Android Apps Double in Q1 as Lockdown Users Are Targeted"

"Botnet Blasts WordPress Sites With Configuration Download Attacks"

"Cyber LEAP Act Aims for Innovations Through Cybersecurity Grand Challenges"

"IT Services Giant Conduent Suffers Ransomware Attack, Data Breach"

"New 'Tycoon' Ransomware Strain Targets Windows, Linux"

"Critical Vulnerability Could Have Allowed Hackers to Disrupt Traffic Lights"

"As States Explore Online Voting, New Report Warns of 'Severe Risk'"

"Honda Global Operations Halted by Ransomware Attack"

"41% of UK Workers Haven’t Received Adequate Cybersecurity Training"

"DARPA Stress Tests its Hardware-Centric Security Approach"

"Dark Basin Hack-For-Hire Group Targeted Thousands Over 7 Years"

"DHS CISA: Threat Actors Targeting Unpatched Microsoft Windows Flaw"

"NASA Hit By 366% Rise In Cybersecurity Incidents After Budget Cuts"

"Alarm Sounded Over Security Risks in Online Voting System"

"'Thanos' Ransomware Weaponizes Research Tool Against Microsoft Windows Users"

"Nintendo Now Says 300,000 Accounts Breached by Hackers"

"CyberGraph: Mapping Cyber Threats to Prevent the Next Attack"

"Average Cost of DNS Attacks Hovering Around $924,000"

"Here's How Phishing and Malware Attacks Are Evolving"

"Hackers Plan to Use Stolen Cryptocurrency Exchange Data for SIM Swapping"

"Two New Intel CPU Flaws Make It Easy for Hackers to Extract Sensitive Data"

"Bad Habits And Risky Behaviors Put Corporate Data at Risk"

"RiskIQ Analyzes Millions of Internet Observations to Map the Enterprise Attack Surface"

"Platform Empowers Users to Control Their Personal Data"

"The FBI Expects a Surge of Mobile Banking Threats"

"Cyber Attack Forces Aussie Beer Giant Lion to Shut Operations"

"Billions of Devices Affected by UPnP Vulnerability"

"Over 100,000 Security Cameras in U.K. Are Hackable"

"'Lamphone' Hack Uses Lightbulb Vibrations to Eavesdrop on Homes"

"Targeting U.S. Banks, Qbot Trojan Evolves With New Evasion Techniques"

"Stalkerware Detection Rates Are Improving Across Antivirus Products"

"Critical Flaws in Embedded TCP/IP Library Impact Millions of IoT Devices Across Industries"

"U Nevada-Reno's programs Designated Center of Academic Excellence in Cyber Defense (CAE-CD)"

"LinkedIn 'Job Offers' Targeted Aerospace, Military Firms With Malware"

"Companies Still Struggle With SOC Staff Shortages, Security Skills Gap"

"AWS Said it Mitigated a 2.3 Tbps DDoS Attack, The Largest Ever"

"Pentagon Wants to Scale Up Its Device Security Program"

"Cybercriminals Unleash Diverse Wave of Attacks on COVID-19 Vaccine Researchers"

"China-Backed Hackers Target Biden Campaign in Early Sign of 2020 Election Interference"

"Data Security in Website Tracking"

"Intel's Tiger Lake Processors Will Feature On-Chip Malware Protections"

"Half of Mobile Banking Apps are Vulnerable to Fraud Data Theft"

"Netgear Zero-Day Allows Full Takeover of Dozens of Router Models"

"Majority of COVID-19 Contact Tracing Apps Lack Adequate Security"

"Malicious Chrome Extensions Used in Global Surveillance Campaign"

"Privacy and Security Concerns Related to Patient Data in The Cloud"

"Hack Brief: Anonymous Stole and Leaked a Megatrove of Police Documents"

"Philadelphia-Area Health System Says It 'Isolated' a Malware Attack"

"Scam Uses Elon Musk's Name to Trick People Out of US$2 Million in Bitcoin"

"New WastedLocker Ransomware Demands Payments of Millions of USD"

"Adding Noise for Completely Secure Communication"

"How Much Control Are People Willing to Grant to a Personal Privacy Assistant?"

"Sodinokibi Ransomware Gang Targets POS Software"

"3 Key Ways to Bolster Healthcare Cybersecurity With MFA, Training"

"Report Finds Two-Thirds of Malware Is Encrypted, Invisible Without HTTPS Inspection"

"Two-Year Data Breach at Florida Senior Care Provider"

"Duration of Application DDoS Attacks Increasing, Some go on For Days"

"Can Tracking Hardware-Level Activity Protect Children's Online Privacy?"

"Online Trackers Follow Health Site Visitors"

"Sony Launches PlayStation Bug Bounty Program on HackerOne"

"Expanding Access to Cyber Research Tools"

"Cybercriminals Are Using IM Platforms as Marketplaces"

This is a sample of some of the news items that are on the SoS site; more are available.

Upcoming Events

ElevateIT: TOLA Technology Summit 2020
Jul 10, Online

Summer 2020 SoS Lablet Quarterly at CMU
Jul 15-16, Pittsburgh, PA

Virtual Cybersecurity Summit: Breach Prevention
July 21-23, Online

2020 Fourth World Conference on Smart Trends in Systems Security and Sustainability (WorldS4)
Jul 27-28, Online

The 7th IEEE International Conference on Cyber Security and Cloud Computing (IEEE CSCloud 2020)
Aug 1-3, New York, NY

29th Usenix Security Symposium
Aug 12-14, Online

International Cryptographic Module Conference (ICMC20)
Aug 25-28, Bethesda, MD

Ai4/Cybersecurity Conference
Sep 1-2, Las Vegas, NV

The 15th International Conference on Critical Information Infrastructures Security 2020
Sep 2-3, Bristol, UK

2020 IEEE European Symposium on Security and Privacy (EuroS&P)
Sep 7-11, Online

2020 Billington CyberSecurity Summit
Sep 8-9, Online

AI & ML for the Smart Grid 2020
Sep 8-10, Online

Techno Security & Digital Forensics Conference
Sep 14-17, Myrtle Beach, SC

Critical National Infrastructure Summit
Sep 15-17, Washington, DC

Securing Federal Identity 2020
Sep 16-17, Arlington, VA

Produced by
Cyber Pack Ventures, Inc. 5850 Waterloo Road Suite 140 Columbia, MD 21045 USA
