Know where your documents originate!

New 'Shadow Attack' can replace content in digitally signed PDF files

Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents.

The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research (PDF) published this week by academics from the Ruhr-University Bochum in Germany.

Academics have named this technique of forging documents a Shadow Attack.

The main idea behind a Shadow Attack is the concept of "view layers" -- different sets of content that are overlaid on top of each other inside a PDF document.

A Shadow Attack is when a threat actor prepares a document with different layers and sends it to a victim. The victim digitally signs the document with a benign layer on top, but when the attacker receives it, they change the visible layer to another one.

Because the layer was included in the original document that the victim signed, changing the layer's visibility doesn't break the cryptographic signature and allows the attacker to use the legally-binding document for nefarious actions -- such as replacing the payment recipient or sum in a PDF payment order or altering contract clauses.
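A defender-side check suggested by the excerpt above, added here as an example and not taken from the ZDNet article or the Bochum paper: a PDF signature's /ByteRange states exactly which bytes the signature covers, so anything appended after that range (an incremental update) was never signed, and an unsigned update that changes optional-content (layer) visibility is the kind of edit a viewer should not present as "signed". The minimal PDF and its placeholder signature below are constructed for the demonstration.

```python
import re

# Regex for the signature dictionary's /ByteRange [off1 len1 off2 len2].
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def build_sample(with_update: bool) -> bytes:
    """Constructed minimal PDF: a catalog with one optional-content layer
    switched /OFF, a signature object whose /Contents is a placeholder (not a
    real CMS signature), and optionally an unsigned incremental update
    appended after %%EOF that flips the same layer to /ON."""
    head = (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /OCProperties << /OCGs [4 0 R]"
            b" /D << /OFF [4 0 R] >> >> >> endobj\n"
            b"4 0 obj << /Type /OCG /Name (shadow) >> endobj\n")
    sig_tpl = (b"5 0 obj << /Type /Sig /ByteRange [0 %010d %010d %010d]"
               b" /Contents <AABB> >> endobj\n")
    tail = b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # Fixed-width numbers keep the layout stable, so offsets measured on a
    # zero-filled draft are still valid in the final document.
    draft = head + sig_tpl % (0, 0, 0) + tail
    gap_start = draft.index(b"<AABB>")   # /Contents itself is excluded from the range
    gap_end = gap_start + len(b"<AABB>")
    doc = head + sig_tpl % (gap_start, gap_end, len(draft) - gap_end) + tail
    if with_update:
        doc += (b"1 0 obj << /Type /Catalog /OCProperties << /OCGs [4 0 R]"
                b" /D << /ON [4 0 R] >> >> >> endobj\n"
                b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n")
    return doc


def unsigned_tail(pdf: bytes) -> bytes:
    """Bytes after the end of the last signature's /ByteRange (b'' if none)."""
    ranges = BYTERANGE_RE.findall(pdf)
    if not ranges:
        raise ValueError("no /ByteRange found: document carries no signature")
    _off1, _len1, off2, len2 = (int(x) for x in ranges[-1])
    return pdf[off2 + len2:]


def shadow_indicators(pdf: bytes) -> dict:
    """Flag post-signature data, in particular edits to layer visibility."""
    tail = unsigned_tail(pdf)
    return {
        "unsigned_bytes": len(tail),
        "incremental_update": b"%%EOF" in tail,
        "touches_layers": b"/OCProperties" in tail or b"/OC " in tail,
    }


if __name__ == "__main__":
    print("clean:   ", shadow_indicators(build_sample(False)))
    print("shadowed:", shadow_indicators(build_sample(True)))
```

Legitimate workflows (a second signature, form fill-in) also append incremental updates, so a non-empty unsigned tail is a reason to inspect the document and warn the user, not proof of tampering on its own.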
So, I can’t get there from here?

Garmin services and production go down after ransomware attack

Smartwatch and wearables maker Garmin has shut down several of its services on July 23 to deal with a ransomware attack that has encrypted its internal network and some production systems.

… The incident didn't go unnoticed and has caused lots of headaches for the company's customers, most of which rely on the Garmin Connect service to sync data about runs and bike rides to Garmin's servers, all of which went down on Thursday.

But in addition to consumer wearables and sportswear, flyGarmin has also been down today. This is Garmin's web service that supports the company's line of aviation navigational equipment.

Pilots have told ZDNet today that they haven't been able to download a version of Garmin's aviation database on their Garmin airplane navigational systems. Pilots need to run an up-to-date version of this database on their navigation devices as an FAA requirement. Furthermore, the Garmin Pilot app, which they use to schedule and plan flights, was also down today, causing additional headaches.
I wonder how much they spent on security?

NY Charges First American Financial for Massive Data Leak

In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties.

… As first reported here last year, First American’s website exposed 16 years’ worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images. The documents were available without authentication to anyone with a Web browser.

According to a filing (PDF) by the New York State Department of Financial Services (DFS), the weakness that exposed the documents was first introduced during an application software update in May 2014 and went undetected for years.

Worse still, the DFS found, the vulnerability was discovered in a penetration test First American conducted on its own in December 2018.

“Remarkably, Respondent instead allowed unfettered access to the personal and financial data of millions of its customers for six more months until the breach and its serious ramifications were widely publicized by a nationally recognized cybersecurity industry journalist,” the DFS explained in a statement on the charges.

Reuters reports that the penalties could be significant for First American: The DFS considers each instance of exposed personal information a separate violation, and the company faces penalties of up to $1,000 per violation.
I would imagine that insurance companies are reluctant to insure against risks they can’t accurately forecast.

CISOs: Cyber Insurance Fails to Cover Modern Threats and Remote Workforces

A large majority of CISOs are seeking additional cyber insurance coverage because of an increase in vulnerabilities resulting from the work from home surge.

According to research by Arceo of 250 CISOs at companies with $250m to $2bn in annual revenue, over three-quarters (77%) said there are incidents they need coverage for, but are unable to get it. Also, 88% of respondents were not completely satisfied with the performance of their company’s primary insurance brokerage.

However, 96% want additional coverage, as they believe the security practices followed when working remotely are unlikely to be as stringent as those at the office, leading to a higher risk of attack. Those CISOs stated that cloud usage (49%), personal devices usage (45%) and unvetted apps or platforms (41%) posed the biggest threats during this work from home period.
What is “appropriate transparency” in this context?

Intelligence community rolls out guidelines for ethical use of artificial intelligence

The U.S. intelligence community (IC) on Thursday rolled out an “ethics guide” and framework for how intelligence agencies can responsibly develop and use artificial intelligence (AI) technologies.

Among the key ethical requirements were shoring up security, respecting human dignity through complying with existing civil rights and privacy laws, rooting out bias to ensure AI use is “objective and equitable,” and ensuring human judgement is incorporated into AI development and use.

The IC wrote in the framework, which digs into the details of the ethics guide, that it was intended to ensure that use of AI technologies matches “the Intelligence Community’s unique mission purposes, authorities, and responsibilities for collecting and using data and AI outputs.”

Download a copy of the: AI Principles of Ethics for the IC

Download a copy of the: AI Ethics Framework for the IC
Future resource?

New Journal: AI and Ethics

A new interdisciplinary academic journal, AI and Ethics, aims to “promote informed debate and discussion of the ethical, regulatory, and policy implications that arise from the development of AI.”

… The journal will “focus on how AI techniques, tools, and technologies are developing, including consideration of where these developments may lead in the future” and “provide opportunities for academics, scientists, practitioners, policy makers, and the public to consider how AI might affect our lives in the future, and what implications, benefits, and risks might emerge.”
Russia implements Reagan’s ‘Star Wars’ plan?

The US says Russia just tested an “anti-satellite weapon” in orbit

The US Space Command has announced it’s found evidence that Russia recently conducted a test of anti-satellite weapons, albeit one that did not destroy or harm any objects. SpaceCom claims that on July 15, Russian satellite Kosmos 2543 deployed a new object into its own orbit, similar to a previous anti-satellite demonstration in 2017.

What does that mean? A US SpaceCom spokesperson told MIT Technology Review that Kosmos 2543 had been operating “abnormally close” to a US government satellite in low Earth orbit, before it maneuvered away and over to another Russian satellite. Kosmos 2543 then released another object in proximity to the Russian target satellite. This test, SpaceCom says, is “inconsistent” with Kosmos 2543’s stated purpose as an “inspector satellite,” and is actually a demonstration of anti-satellite weaponry.