Hello <<First Name>>, and welcome to this issue of the Science of Security and Privacy - Reviews & Outreach (R&O)! Its purpose is to highlight some of the exciting research, news, and events that impact our technical community. All presented materials are available on or through the Virtual Organization portal.
Spotlight on Lablet Research -
Automated Synthesis Framework for Network Security and Resilience

Lablet: University of Illinois at Urbana-Champaign
Participating Sub-Lablet: Illinois Institute of Technology

This project proposes to develop the analysis methodology needed to support scientific reasoning about the resilience and security of networks, with a particular focus on network control and information/data flow. The core of this vision is an Automated Synthesis Framework (ASF), which will automatically derive network state and repairs from a set of specified correctness requirements and security policies. ASF consists of a set of techniques for performing and integrating security and resilience analyses applied at different layers (i.e., data forwarding, network control, programming language, and application software) in a real-time and automated fashion. The ASF approach is exciting because developing it adds to the theoretical underpinnings of SoS, while using it supports the practice of SoS.

This project is led by Principal Investigator (PI) Matt Caesar and Co-PI Dong Jin. As has been the case since the start of the project, the technology developed as a result of the research is transferred to industry through interactions with Veriflow, a startup company commercializing verification technology that came out of the project's SoS Lablet funding. In September 2019, Veriflow was sold to VMware, and the technology is slated to be incorporated into VMware NSX, a network virtualization platform that is very widely used in industry. Collaboration with VMware continues through integrating the project platform with NSX, targeting deployment of verification technology to distributed cloud environments, and incorporating real-time traffic data into the analysis.

In continuing the researchers' investigation of automated synthesis of network control to preserve desired security policies and network invariants, they have designed a list of approximately 30 important and useful invariants to showcase the functionality of the system, as well as to test it in practical use. They have completed the development of parsing infrastructure and performed...  more ► 
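As an added illustration, and not the project's or Veriflow's code, the following Python block shows what checking the kind of data-plane invariant described above looks like in its simplest form: a forwarding-state model, longest-prefix lookup, a per-packet trace, and invariants for reachability, loop freedom, null-routing of unallocated space, and segment isolation, plus a naive repair for a violated isolation policy. The device names, prefixes and rules are constructed assumptions for the example; the text does not specify the project's own invariants or its repair synthesis.

```python
"""Added example: data-plane invariant checks over a constructed toy forwarding state.
This is not the ASF or Veriflow implementation; it only illustrates the idea."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# A rule is (destination prefix, next hop). The next hop is a device name,
# "DELIVER" (destination is directly attached) or "DROP" (null route).
Rule = Tuple[str, str]

# Constructed toy forwarding state (assumption). Finance hosts live in 10.1.0.0/16
# behind edge1, guest hosts in 10.2.0.0/16 behind edge2. core routes 10.3.0.0/16 to
# edge1, but edge1 has no specific route for it and falls back to its 10.0.0.0/8
# route pointing back at core: the misconfiguration the loop check catches below.
FIB: Dict[str, List[Rule]] = {
    "edge1": [("10.0.0.0/8", "core"), ("10.1.0.0/16", "DELIVER")],
    "core":  [("10.1.0.0/16", "edge1"), ("10.2.0.0/16", "edge2"),
              ("10.3.0.0/16", "edge1"), ("0.0.0.0/0", "DROP")],
    "edge2": [("10.2.0.0/16", "DELIVER"), ("0.0.0.0/0", "core")],
}


def lookup(fib: Dict[str, List[Rule]], device: str, dst_ip: str) -> Optional[str]:
    """Longest-prefix match over the device's rules; None if nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, next_hop in fib[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return best[1] if best else None


def trace(fib: Dict[str, List[Rule]], ingress: str, dst_ip: str,
          max_hops: int = 16) -> Tuple[str, List[str]]:
    """Follow a probe packet hop by hop. Returns (outcome, path of devices visited).
    Outcomes: DELIVERED, DROPPED, NO_ROUTE, LOOP (a device is revisited or the hop
    budget is exhausted)."""
    path = [ingress]
    device = ingress
    while len(path) <= max_hops:
        next_hop = lookup(fib, device, dst_ip)
        if next_hop is None:
            return "NO_ROUTE", path
        if next_hop == "DELIVER":
            return "DELIVERED", path
        if next_hop == "DROP":
            return "DROPPED", path
        if next_hop in path:
            return "LOOP", path + [next_hop]
        path.append(next_hop)
        device = next_hop
    return "LOOP", path


# Invariants as (name, ingress device, probe destination, acceptable outcomes).
# The last one is a security policy: guest traffic must never be delivered to finance.
INVARIANTS: List[Tuple[str, str, str, Set[str]]] = [
    ("finance edge can reach guest segment", "edge1", "10.2.0.9", {"DELIVERED"}),
    ("forwarding toward 10.3.0.0/16 is loop-free", "edge1", "10.3.0.1",
     {"DELIVERED", "DROPPED", "NO_ROUTE"}),
    ("unallocated space is black-holed at core", "edge2", "192.168.1.1", {"DROPPED"}),
    ("guest segment cannot reach finance", "edge2", "10.1.5.5", {"DROPPED", "NO_ROUTE"}),
]


def check_invariants(fib: Dict[str, List[Rule]],
                     invariants=INVARIANTS) -> Dict[str, Tuple[bool, str, List[str]]]:
    """Evaluate every invariant; a failing entry carries the counterexample path."""
    results = {}
    for name, ingress, dst, acceptable in invariants:
        outcome, path = trace(fib, ingress, dst)
        results[name] = (outcome in acceptable, outcome, path)
    return results


def repair_isolation(fib: Dict[str, List[Rule]], ingress: str,
                     forbidden_prefix: str) -> Dict[str, List[Rule]]:
    """Naive repair for a violated isolation invariant: install a null route for the
    forbidden prefix at the ingress device. Returns a new FIB; the input is untouched."""
    new_fib = {device: list(rules) for device, rules in fib.items()}
    new_fib[ingress].insert(0, (forbidden_prefix, "DROP"))
    return new_fib


if __name__ == "__main__":
    for name, (holds, outcome, path) in check_invariants(FIB).items():
        print(f"{'OK  ' if holds else 'FAIL'} {name}: {outcome} via {' -> '.join(path)}")
    fixed = repair_isolation(FIB, "edge2", "10.1.0.0/16")
    print("after repair:", check_invariants(fixed)["guest segment cannot reach finance"])
```

Run as a script, the check reports the loop toward 10.3.0.0/16 (edge1 -> core -> edge1) and the isolation violation (guest traffic delivered to 10.1.5.5 through core and edge1); the repair installs a null route for 10.1.0.0/16 on edge2 and the isolation invariant then holds. The repair is deliberately the simplest possible one, a drop at the ingress, and it says nothing about the loop, whose fix is a question of which device owns 10.3.0.0/16.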
SoS Musings -
Put the Brakes on Deepfakes

Deepfakes--fake, realistic-looking images, text, audio, and video generated using a Machine Learning (ML) model such as a Generative Adversarial Network (GAN)--are one of the top cybersecurity threats to look out for in 2020. Security experts expect to see a rise in deepfakes in 2020 as a result of the increased use of biometrics to identify and authenticate individuals, in smartphones and airport boarding gates, among other technologies. Advances in deepfakes will pose new security challenges as cybercriminals use such fake media to masquerade as legitimate persons to steal money or other critical assets. Deepfakes can also be used to spread disinformation across social media platforms, undermine political candidates, and carry out other fraud. Deepfake technology will strengthen social engineering attacks, since cybercriminals will not need special hacking skills to execute them: they can use deepfakes to impersonate high-level users and trick others into revealing sensitive information that could be used to gain access to protected systems. According to researchers at McAfee, accurate facial recognition will be more challenging to achieve because of deepfakes, adding to the growing list of problems faced by this type of biometric system. A report released by Forrester Research, "Predictions 2020: Cybersecurity," projects that the costs associated with deepfake attacks will exceed $250 million in 2020. Studies of the creation and malicious application of deepfakes will help drive the development of techniques and tools to combat deepfake attacks in the future.

Recent incidents and studies have shown what threat actors can do with AI-generated deepfakes and manipulated images. Engineers at Facebook demonstrated that it is possible to clone an individual's voice using their ML system, named MelNet. With MelNet, the engineers generated audio clips of what appears to be Microsoft co-founder Bill Gates saying a series of harmless phrases. According to the researchers, MelNet was trained on a 452-hour dataset of TED talks and audiobooks. Deepfake voice attacks are already a significant threat to businesses, as indicated by recent incidents in which threat actors used AI-generated audio to impersonate CEOs and steal millions of dollars. According to an article posted by Axios, Symantec observed three successful deepfake audio attacks against private companies, each of which impersonated a CEO to request money transfers. According to Symantec, in all three attacks the scammers used an AI program to mimic the voices of the targeted CEOs. The program, similar to MelNet, was trained on speech from phone calls, YouTube videos such as TED talks, and other media containing audio of the CEOs' voices. In the case of AI-generated images, Zao is a deepfake face-swapping app that quickly gained considerable popularity because it lets users replace the faces of their favorite characters in TV shows or movies with their own by uploading a single photograph. One user shared an example of how advanced the app is: a video of their face superimposed onto Leonardo DiCaprio in Titanic, generated in under 8 seconds from a picture as small as a thumbnail. Another indication of the progress of deepfakes is a site called "This Person Does Not Exist" that continuously generates images of realistic-looking human faces using Nvidia's GAN, StyleGAN.
Using such techniques, one can masquerade as a journalist on social media with an AI-generated profile picture in order to press users for personal information, as in the case of "Maisy Kinsley," a supposed "senior journalist at Bloomberg." These studies, incidents, and technologies, which highlight deepfake capabilities, draw further attention to the increased risk of uploading photos and videos of one's likeness online, where anyone can access them and use them for malicious purposes.

Security researchers, as well as social media platforms, are being encouraged to continue their efforts to fight deepfakes of all formats. A team of researchers at the University of Oregon is studying...  more ► 
Cyber Scene -
Nations (Not Totally) United On Cybersecurity

The United Nations--Not Cyber Scene's Usual Suspect

The United Nations (UN) has spoken loudly, twice in the last few weeks, on cybersecurity. Both the UN Secretary-General (UNSG) himself and the UN Human Rights Council, speaking with the authority of a world body, have addressed the future impact of cybersecurity as well as a monumental past transgression that the UNCHR's experts have just weighed in on.

Cyberspace: The Not-So-Cold War

UN Secretary-General António Guterres spoke at length and in detail on the US-China technology split in cyberspace and its worse-than-cold-war status in a discussion with Wired's Editor in Chief Nicholas Thompson, with the full interview and video published on 15 January. The UNSG covered a wide swath of global issues, including the high-level panel the UN created for digital cooperation. The panel's objective is to bring nations at loggerheads together under UN auspices. The UNSG believes that technology can promote democracy but also addressed its dangerous aspects, with unintended and sometimes intended consequences. He believes that access to the internet should be a right, but that technologies should not be used as instruments of political control.

WhatsApp if Money Can't Buy You...Privacy?

Crown Prince versus Google King

Business Insider's Isobel Asher Hamilton reported on 22 January that UN human rights investigators "...just backed bombshell claims that Saudi Crown Prince Mohammed bin Salman (MBS) most likely hacked Jeff Bezos' phone." The UN Council on Human Rights (UNCHR) Office of the Commissioner formally stated that it was gravely concerned about the hack. In the words of the UN itself: "The two experts – who were appointed by the Human Rights Council - recently became aware of a 2019 forensic analysis of Mr. Bezos' iPhone that assessed with 'medium to high confidence' that his phone was infiltrated on 1 May 2018 via an MP4 video file sent from a WhatsApp account utilized personally by Mohammed bin Salman, the Crown Prince of the Kingdom of Saudi Arabia." The UN statement goes on to argue for increased and immediate investigation and control by the US and other "relevant authorities" regarding MBS's efforts to target perceived opponents.

California is setting off its own state-wide privacy scramble while awaiting national or international support. Fortune's Jeff John Roberts reports that a new 2020 law, the California Consumer Privacy Act (CCPA), requires businesses to reveal to consumers what data they have collected on them, and to delete it all at the consumer's request. Mr. Roberts notes that advertisements by behemoths such as Walmart could no longer be tailored to a particular consumer. Google would also lose income from advertisers, who are charged more for ads targeted at individual consumers. A nonpartisan report projected upfront compliance costs of $55 billion as this law takes hold; nearly two dozen other states are considering similar laws. Meanwhile, Mr. Roberts notes that "unusual bipartisan agreement to pass such a law" at the national level may not have to wait until after the November 2020 elections because, as Brookings Institution expert Cameron Kerry observes, the lack of privacy for the children and grandchildren of US legislators is making this issue personal.

Blame Game, Revisited

The issue of Russia generously ascribing to Ukraine credit for the Burisma hack continues to play front and center. The New York Times reported on 13 January new evidence of a Kremlin hand in the attack of a Burisma subsidiary in Ukraine which keeps the issue linked not only to cybersecurity concerns generally but...  more ► 
Ransomware Is Not Only a Headache but Can Also Kill

Ransomware is becoming more of a problem for organizations of every kind and needs to be treated as a significant concern. Recovering from ransomware is very costly. In May 2019, the city of Baltimore's IT systems were held hostage by a ransomware attack. The adversaries demanded 100,000 dollars in bitcoin. The mayor of Baltimore did not pay the ransom, and the attack ultimately cost the city more than 18 million dollars.

Researchers believe that the number of ransomware attacks will increase. They expect small businesses in particular to become a primary target for cybercriminals because they invest less in their cybersecurity infrastructure. Researchers expect that by 2021 a new organization will be hit by a ransomware attack every 11 seconds.

Ransomware attacks on healthcare organizations, especially hospitals, are becoming more prevalent, and this is putting patients' lives in danger. A new study found that the time for a patient suffering a heart attack to get from the emergency room to an electrocardiogram (EKG) increased by as much as 2.7 minutes after a ransomware attack. The lag remained as high as 2 minutes even four years after the organization was hit. The researchers found as many as 36 additional deaths per 10,000 heart attacks annually at hospitals that had been affected. This year alone...  more ► 

Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers. Select the topic name to view its description and links to the publications.
  6LowPAN 2019
  Acoustic Coupling 2019
  Actuator Security 2019
  Differential Privacy 2018
  Digital Signatures 2019
  DNA Cryptography 2018
  Efficient Encryption 2018
  Encryption Audits 2019
   more ► 
Human Factors and Ergonomics Society (HFES) - Call for Papers

HFES is looking for submissions of research and practice on human factors and cybersecurity. HFES is interested in building a broad community of human factors and cyber experts. The society has added a Cyber Technical Group, which will be accepting papers and awarding a cash prize for best paper at its Annual Meeting. In addition, it has added a cybersecurity focus, ErgoX CYBER, to its pre-conference "ErgoX" event this year.

Participate at the 64th Annual Meeting of HFES by submitting a proposal for consideration of presentation.

In the News
List of selected articles from recent SoS-VO postings with links to the entries on SoS-VO site.

"Planning for 2020? Here Are 3 Cybersecurity Trends to Look Out For"

"Automotive Cybersecurity Incidents Doubled in 2019, up 605% Since 2016"

"Is the Inability to Baseline Systems Crippling Cybersecurity Progress and Oversight?"

"DHS, GSA Propose Centralized Vulnerability Disclosure Program"

"The Psychology of Ransomware"

"DHS Tells U.S. Organizations to Clamp Down on Cybersecurity in Wake of Soleimani Killing"

"Smartphone Analysis & Stats: Personal Use Leaves Work Smartphones Hackable"

"New Standards Set to Reshape Future of Email Security"

"TikTok Riddled With Security Flaws"

"Facebook Moves to Detect and Remove Deepfake Videos"

"Attackers Invent New Evasion Techniques to Conceal Web Skimmer Activity"

"These Hacking Groups Are Eyeing Power Grids, Says Security Company"

"U.S. Monitoring Cyberspace for Signs of Iranian Aggression"

"Connected Cars Moving Targets for Hackers"

"What Students Think About University Data Security"

"A Billion Medical Images Are Exposed Online, As Doctors Ignore Warnings"

"A Case For Establishing a Common Weakness Enumeration for Hardware Security"

"Exploit Fully Breaks SHA-1, Lowers the Attack Bar"

"2020 Forecast: Attackers Will Target Non-Traditional Systems"

"How to Implement a 'Threat Model' To Beef up Your Organization's Security"

"Lawmakers Ask FCC to Protect Consumers from Phone Hijackers"

"'Cable Haunt' Vulnerability Exposes 200 Million Cable Modems to MITM Attacks"

"Apps are Sharing More of Your Data With Ad Industry Than You May Think"

"Detecting and Mitigating Network Attacks With a Multi-Prong Approach"

"Software Detects Backdoor Attacks on Facial Recognition"

"SIM Swap Attacks Making Two-Factor Authentication via Smartphones Obsolete"

"Homomorphic Encryption Improves Cloud Security"

"FBI Takes Down Site Selling Subscriptions to Stolen Data"

"Cybercrime: Internet Erodes Teenage Impulse Controls"

"Hong Kong Looks to GDPR as it Strengthens Privacy Laws"

"How Blockchain Could Prevent Future Data Breaches"

"Data Breach Exposes Personal Information on Cannabis Users"

"2020 Outlook for Cybersecurity Legislation"

"Cybercriminals: Things Are About to Get a Lot More Confusing for You"

"An Open Source Effort to Encrypt the Internet of Things"

"Some Hackers Take the Ransom and Run"

"Microsoft Exposed 250 Million Customer Support Records"

"NSA Highlights SoS Lablet at UIUC"

"Security Risk for E-Scooters and Riders"

This is a sample of the news items on the SoS site; more are available.  more ► 
Upcoming Events

MANUSEC Europe 2020
Feb 4-5, Munich, Germany

PrivSec London
Feb 4-5, London, UK

CPX 360 2020
Feb 4-6, Vienna, Austria

Suits and Spooks
Feb 6-7, Washington, DC

San Francisco Cyber Risk Insights Conference
Feb 11-12, San Francisco, CA

Feb 15, Sterling, VA

Texas A&M University System Technology Summit
Feb 16-18, Galveston, TX

The Open-Source Intelligence Summit
Feb 18-24, Alexandria, VA

The Stanford Blockchain Conference 2020
Feb 19-21, Stanford, CA

3rd International Intelligent Human Systems Integration: Integrating People and Intelligent Systems
Feb 19-21, Modena, Italy

The Human Hacking Conference
Feb 20-22, Lake Buena Vista, FL

2020 27th Annual Network and Distributed System Security Symposium
Feb 23-26, San Diego, CA

Payments Summit 2020
Feb 24-27, Salt Lake City, UT

RSA Conference 2020
Feb 24-28, San Francisco, CA

17th USENIX Symposium on Networked Systems Design and Implementation
Feb 25-27, Santa Clara, CA

6th International Conference on Information Systems Security and Privacy
Feb 25-27, Valletta, Malta

Workshop on Applying AI in the Fight Against Modern Slavery
Mar 3-4, Washington, DC

29th National HIPAA Summit 2020
Mar 3-5, Arlington, VA

2020 Student Symposium in Cybersecurity Policy
Mar 6-7, Medford, MA

IAPP Data Protection Intensive: UK 2020
Mar 9-12, London, UK

The 2020 HIMSS Global Health Conference & Exhibition
Mar 9-13, Orlando, FL

Women in CyberSecurity (WiCyS) Conference
Mar 12-14, Denver, CO

15th International Conference on Cyber Warfare and Security
Mar 12-13, Norfolk, VA

The 10th ACM Conference on Data and Application Security and Privacy
Mar 16-18, New Orleans, LA

Cybersecurity & Cloud Expo Global 2020
Mar 17-18, London, UK

London Cyber Risk Insights Conference
Mar 17, London, UK

IoT Tech Expo Global 2020
Mar 17-18, London, UK

Mar 18-19, Heidelberg, Germany

Fraud Summit: New York
Mar 18, New York, NY

DFRWS (Digital Forensic Research Workshop)
Mar 25-27, Oxford, UK

InfoSec World
Mar 30 - Apr 1, Lake Buena Vista, FL

E-Crime and Cybersecurity France 2020
Apr 1, Paris, France

Know Identity Conference
Apr 5-8, Las Vegas, NV

17th International Conference on Information Technology : New Generations (ITNG 2020)
Apr 5-8, Las Vegas, NV

 more ► 
Produced by
Cyber Pack Ventures, Inc. 5850 Waterloo Road Suite 140 Columbia, MD 21045 USA
