Friday, July 24, 2020


Know where your documents originate!
New 'Shadow Attack' can replace content in digitally signed PDF files
Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents.
The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research [PDF] published this week by academics from the Ruhr-University Bochum in Germany.
Academics have named this technique of forging documents a Shadow Attack.
The main idea behind a Shadow Attack is the concept of "view layers" -- different sets of content that are overlaid on top of each other inside a PDF document.
A Shadow Attack is when a threat actor prepares a document with different layers and sends it to a victim. The victim digitally signs the document with a benign layer on top, but when the attacker receives it, they change the visible layer to another one.
Because the layer was included in the original document that the victim signed, changing the layer's visibility doesn't break the cryptographic signature and allows the attacker to use the legally-binding document for nefarious actions -- such as replacing the payment recipient or sum in a PDF payment order or altering contract clauses.
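To make the mechanics concrete, here is an added example (it is not from the Bochum paper or from any of the viewers named) of the check a defender's tooling can make: a signature's /ByteRange says exactly which bytes were signed, so any bytes appended after that range, and any change in which optional-content layers are hidden (/OFF) compared with the signed revision, deserve a warning before the document is trusted. The PDF skeleton below is constructed by hand and does not render; it only models the structures involved, with a hidden "Shadow text" layer whose visibility an unsigned incremental update swaps with the benign one.

```python
import re

BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
OFF_RE = re.compile(rb"/OFF\s*\[([^\]]*)\]")
OCG_RE = re.compile(rb"(\d+) 0 obj\s*<<[^>]*?/Type\s*/OCG[^>]*?/Name\s*\(([^)]*)\)")
FIELD = b"%010d %010d %010d %010d"  # fixed-width /ByteRange keeps offsets stable

def build_sample(with_update: bool) -> bytes:
    """Constructed PDF skeleton (not a real signed file): a signed base revision with
    'Benign text' visible and 'Shadow text' hidden (/OFF). With with_update=True an
    unsigned incremental update is appended that swaps /ON and /OFF (the layer flip)."""
    head = (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /OCProperties << /OCGs [5 0 R 6 0 R] "
            b"/D << /ON [5 0 R] /OFF [6 0 R] >> >> >> endobj\n"
            b"5 0 obj << /Type /OCG /Name (Benign text) >> endobj\n"
            b"6 0 obj << /Type /OCG /Name (Shadow text) >> endobj\n"
            b"7 0 obj << /Type /Sig /ByteRange [")
    mid, contents = b"] /Contents ", b"<0000>"
    tail = b" >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    start = len(head) + len(FIELD % (0, 0, 0, 0)) + len(mid)  # where /Contents begins
    end = start + len(contents)                                # where signing resumes
    base = head + FIELD % (0, start, end, len(tail)) + mid + contents + tail
    if with_update:
        base += (b"1 0 obj << /Type /Catalog /OCProperties << /OCGs [5 0 R 6 0 R] "
                 b"/D << /ON [6 0 R] /OFF [5 0 R] >> >> >> endobj\n"
                 b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return base

def hidden_layers(data: bytes, names: dict) -> list:
    """Names in the last /OFF array seen, i.e. the visibility state a viewer applies."""
    offs = OFF_RE.findall(data)
    refs = re.findall(rb"(\d+) 0 R", offs[-1]) if offs else []
    return sorted(names.get(int(r), "obj " + r.decode()) for r in refs)

def audit_signed_pdf(data: bytes) -> dict:
    """Compare the layer state inside the signed byte ranges with the file as shown."""
    m = BYTERANGE_RE.search(data)
    if not m:
        return {"signed": False}
    a, b, c, d = (int(x) for x in m.groups())
    signed_end = c + d                   # last byte the signature actually covers
    names = {int(n): nm.decode() for n, nm in OCG_RE.findall(data)}
    report = {"signed": True,
              "unsigned_trailing_bytes": len(data) - signed_end,
              "hidden_at_signing": hidden_layers(data[a:a + b] + data[c:signed_end], names),
              "hidden_as_shown": hidden_layers(data, names)}
    report["suspicious"] = (report["unsigned_trailing_bytes"] > 0
                            and report["hidden_at_signing"] != report["hidden_as_shown"])
    return report
```

Run `audit_signed_pdf(build_sample(True))` to see the flagged case: the signature still covers every byte it ever covered, which is why the text above says it does not break, but the trailing unsigned update has changed which layer the reader sees.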




So, I can’t get there from here?
Garmin services and production go down after ransomware attack
Smartwatch and wearables maker Garmin has shut down several of its services on July 23 to deal with a ransomware attack that has encrypted its internal network and some production systems.
The incident didn't go unnoticed and has caused lots of headaches for the company's customers, most of whom rely on the Garmin Connect service to sync data about runs and bike rides to Garmin's servers, all of which went down on Thursday.
But in addition to consumer wearables and sportswear, flyGarmin has also been down today. This is Garmin's web service that supports the company's line of aviation navigational equipment.
Pilots have told ZDNet today that they haven't been able to download a version of Garmin's aviation database on their Garmin airplane navigational systems. Pilots need to run an up-to-date version of this database on their navigation devices as an FAA requirement. Furthermore, the Garmin Pilot app, which they use to schedule and plan flights, was also down today, causing additional headaches.




I wonder how much they spent on security?
NY Charges First American Financial for Massive Data Leak
In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties.
As first reported here last year, First American’s website exposed 16 years’ worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images.
The documents were available without authentication to anyone with a Web browser.
According to a filing (PDF) by the New York State Department of Financial Services (DFS), the weakness that exposed the documents was first introduced during an application software update in May 2014 and went undetected for years.
Worse still, the DFS found, the vulnerability was discovered in a penetration test First American conducted on its own in December 2018.
“Remarkably, Respondent instead allowed unfettered access to the personal and financial data of millions of its customers for six more months until the breach and its serious ramifications were widely publicized by a nationally recognized cybersecurity industry journalist,” the DFS explained in a statement on the charges.
Reuters reports that the penalties could be significant for First American: The DFS considers each instance of exposed personal information a separate violation, and the company faces penalties of up to $1,000 per violation.




I would imagine that insurance companies are reluctant to insure against risks they can’t accurately forecast.
CISOs: Cyber Insurance Fails to Cover Modern Threats and Remote Workforces
A large majority of CISOs are seeking additional cyber insurance coverage because of an increase in vulnerabilities resulting from the work from home surge.
According to research by Arceo of 250 CISOs at companies with $250m to $2bn in annual revenue, over three-quarters (77%) said there are incidents they need coverage for, but are unable to get it. Also, 88% of respondents were not completely satisfied with the performance of their company’s primary insurance brokerage.
However, 96% want additional coverage, as they believe the security practices followed when working remotely are unlikely to be as stringent as those at the office, leading to a higher risk of attack. Those CISOs stated that cloud usage (49%), personal devices usage (45%) and unvetted apps or platforms (41%) posed the biggest threats during this work from home period.




What is “appropriate transparency” in this context?
Intelligence community rolls out guidelines for ethical use of artificial intelligence
The U.S. intelligence community (IC) on Thursday rolled out an “ethics guide” and framework for how intelligence agencies can responsibly develop and use artificial intelligence (AI) technologies.
Among the key ethical requirements were shoring up security, respecting human dignity through complying with existing civil rights and privacy laws, rooting out bias to ensure AI use is “objective and equitable,” and ensuring human judgement is incorporated into AI development and use.
The IC wrote in the framework, which digs into the details of the ethics guide, that it was intended to ensure that use of AI technologies matches “the Intelligence Community’s unique mission purposes, authorities, and responsibilities for collecting and using data and AI outputs.”
Download a copy of the: AI Principles of Ethics for the IC
Download a copy of the: AI Ethics Framework for the IC




Future resource?
New Journal: AI and Ethics
A new interdisciplinary academic journal, AI and Ethics, aims to “promote informed debate and discussion of the ethical, regulatory, and policy implications that arise from the development of AI.”
The journal will “focus on how AI techniques, tools, and technologies are developing, including consideration of where these developments may lead in the future” and “provide opportunities for academics, scientists, practitioners, policy makers, and the public to consider how AI might affect our lives in the future, and what implications, benefits, and risks might emerge.”




Russia implements Reagan’s ‘Star Wars’ plan?
The US says Russia just tested an “anti-satellite weapon” in orbit
The US Space Command has announced it’s found evidence that Russia recently conducted a test of anti-satellite weapons, albeit one that did not destroy or harm any objects. SpaceCom claims that on July 15, Russian satellite Kosmos 2543 deployed a new object into its own orbit, similar to a previous anti-satellite demonstration in 2017.
What does that mean? A US SpaceCom spokesperson told MIT Technology Review that Kosmos 2543 had been operating “abnormally close” to a US government satellite in low Earth orbit, before it maneuvered away and over to another Russian satellite. Kosmos 2543 then released another object in proximity to the Russian target satellite. This test, SpaceCom says, is “inconsistent” with Kosmos 2543’s stated purpose as an “inspector satellite,” and is actually a demonstration of anti-satellite weaponry.


