During a breach, hackers often raid lists of users’ credentials if they can find them. Sometimes it’s their main goal; other times it’s just a part of a larger data haul. These credentials can then be used for a number of malicious scenarios, including breaking into the systems of affiliated businesses. In more basic cases, attackers may simply guess a user’s password, or use a tool to run through thousands of options.

Please click below to listen to IEEE Senior Member Kevin Du speak on cybersecurity and compromised credentials.

During the holiday season of 2013, 40 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information were stolen from a major retailer’s servers. Hackers had almost two weeks to harvest the data.

The intruders gained access to the retailer’s system by using stolen credentials from a third-party vendor. While the vendor’s connection to the servers was only for billing and contracts, intruders were able to exploit holes that ultimately allowed them into siloed customer data.

Please click below to listen to IEEE Senior Member Kevin Du speak on cybersecurity and compromised credentials.

Case Url   |   Outlook

With so much personal data already compromised, two-factor authentication is a widely suggested option. Some variants include using cell phone location as an automatic second factor. Another idea is issuing a Common Access Card (CAC) to every citizen, like government employees use.

Please click below to listen to IEEE Senior Member Kevin Du speak on cybersecurity and compromised credentials.

XSS is an injection attack carried out on websites that accept input, but don’t properly separate data and executable code before the input is delivered back to the user’s browser. Since browsers can’t tell valid markup from attacker-controlled markup, attackers can either inject malicious code into the user’s system or extract the user’s data.

Please click below to listen to IEEE Senior Member Kevin Curran discuss the cybersecurity issue of cross-site scripting.

Implemented using JavaScript, an XSS vulnerability on an online auction website allowed attackers to inject their own malicious form page via an iframe. This made the malicious URL look like it was a legitimate page hosted on the site. As users logged into what they thought was their account, their credentials could be captured in plain text. This flaw persisted for months, and it’s unclear how many users were affected.

Please click below to listen to IEEE Senior Member Kevin Curran discuss the cybersecurity issue of cross-site scripting.

Case Url   |   Outlook

XSS vulnerabilities can be avoided by adopting the convention that all HTML markup must be produced by APIs and libraries that guarantee correct, context-specific encoding of data inserted into HTML markup. In many cases, developers just use HTML templating systems to generate HTML markup.

Please click below to listen to IEEE Senior Member Kevin Curran discuss the cybersecurity issue of cross-site scripting.

Data stored on servers is a common target in (and motivation for) many attacks. The sensitivity of the data determines how potentially damaging it is to an organization – names, addresses, credit card numbers, health information, trade secrets and intellectual property are constantly sought after.

Please click below to listen to IEEE Senior Member Zhen Wen speak on cybersecurity and data breaches.

Please click below to listen to IEEE Senior Member Zhen Wen speak on cybersecurity and data breaches.

Case Url   |   Outlook

More advanced data breach incident reporting – like detailed criteria for characterizing and grouping incidents – would help to clarify the probability and impact of specific types of data breaches.

Please click below to listen to IEEE Senior Member Kevin Curran speak on cybersecurity and data breaches.

Mobilizing thousands of unique IP addresses as zombie agents, attackers can overwhelm servers and disrupt their ability to function. Traditional methods include infecting computers with controlling malware while newer versions involve unsecured IoT devices and cloud services.

Please click below to listen to IEEE Senior Member Sven Dietrich speak on cybersecurity and DDoS attacks.

A large Domain Name System (DNS) provider suffered a three-wave distributed denial of service attack last fall. The attack was orchestrated using a weapon called the Mirai botnet, which mobilized IoT devices including digital cameras. Because of the lack of security on these devices, Mirai was able to send traffic from over 100,000 endpoints, making it twice as large as the next-closest attack on record.

Since the DNS provides a distributed directory for the internet, it’s essential to its functionality. While Twitter, Netflix, and Reddit didn’t suffer direct DDoS attacks on that day, the DNS provider’s collapse prevented their sites from functioning, making for an extremely widespread denial of service.

Please click below to listen to IEEE Senior Member Sven Dietrich speak on cybersecurity and DDoS attacks.

Case Url   |   Outlook

Since IoT device manufacturers aren’t protecting consumers, experts are asking government regulators to step in. Ideas include minimum security standards, interoperability standards, software updates and patches, and placing code in escrow so problems can be managed if a company goes out of business.

Please click below to listen to IEEE Senior Member Sven Dietrich speak on cybersecurity and DDoS attacks.

Drones are still very much a developing technology. As a result, they present a number of different security risks. There are many instances of them being hacked, even from long distances, but they’re also a potential vehicle for hackers to intercept or disrupt corporate communications via unsecured Wi-Fi® and Bluetooth® signals.

Please click below to listen to IEEE Senior Member Paul Kostek speak on cybersecurity and drones.

Connected light bulbs and their linking systems have been the target of lots of experimental hacking. Recently, hackers were able to bypass the built-in safeguards against remote access. They then extracted the key that the manufacturer uses to encrypt and authenticate new firmware. By installing malicious firmware, the hackers were able to make effects like constant flickering or blackouts permanent.

What’s more, the attack is a worm, and can jump from connected device to connected device through the air. One infected bulb could potentially knock out lights in an entire city. And the worm can be delivered by drone – researchers were able to turn the lights on and off from one flying 350 meters away (roughly a quarter mile).

Please click below to listen to IEEE Senior Member Paul Kostek speak on cybersecurity and drones.

Case Url   |   Outlook

A group of California drone developers have recently announced they’re creating a drone that is optimized for one single purpose: finding nearby malicious drones, and causing them to crash.

Please click below to listen to IEEE Senior Member Paul Kostek speak on cybersecurity and drones.

Despite an organization’s best effort to mitigate threats, the prospect of a rogue employee is ever-present. Current or former employees, system administrators, contractors or business partners can compromise the system for revenge or personal gain. In fairness, it is easy to misconstrue a bungling attempt to perform a routine job as “malicious” insider activity. But almost one-third are actually devious.

Please click below to listen to IEEE Senior Member Zhen Wen speak on cybersecurity and malicious insiders.

At several hospitals in East China’s Shandong Province, the personal information of over 200,000 children who had been processed for receiving vaccinations was leaked. Cell phone numbers and home addresses of parents were taken by the attackers. The data was then offered for sale online for $4,900 USD. The data was obtained in part through unauthorized access, and in part by malicious insiders who collaborated with the attackers. Parents remain worried about the potential ramifications, and in particular, a heightened risk that their children might be kidnapped.

Please click below to listen to IEEE Senior Member Zhen Wen speak on cybersecurity and malicious insiders.

Case Url   |   Outlook

Since malicious employees will always be a possibility, reducing risk falls on smart tech practices. One method is simply to reduce the number of insiders. A second is to expand the dimensions of the data, making it larger than the number of insiders.

Malware refers to malicious software intended to infiltrate and damage computers and networks. It comes in a variety of forms, and can be delivered in a number of ways. At its most extreme, malware can be used to erase all data on any machine that runs it.

Please click below to listen to IEEE Life Senior Member Raul Colcher speak on malware. Please note: the audio is in Portuguese but an English translation can be found here.

After stealing troves of data from a major motion picture company during a breach, attackers unleashed wiper malware on their way out. The variety they used destroys all data on the Windows machines it infects, then spreads itself via network file shares to attack Windows servers. It also erases the software instructions that tell computers how to operate.

Most PC malware comes wrapped in an executable “dropper” that installs it and its supporting files. That was the case with this attack, too. After spear phishing their way in, the attackers went undetected for long enough to analyze the network and hardcode the names of the company’s servers into the malware.

Please click below to listen to IEEE Life Senior Member Raul Colcher speak on malware. Please note: the audio is in Portuguese but an English translation can be found here.

Case Url   |   Outlook

All malware consumes power. A company in Virginia has found that the heat signature of malware’s power usage is very different from a chip’s standard operations. They’ve built a unit that sits outside the CPU and sniffs the chip’s electromagnetic leakage for power consumption patterns indicating abnormal behavior.

Please click below to listen to IEEE Life Senior Member Raul Colcher speak on malware. Please note: the audio is in Portuguese but an English translation can be found here.

Ransomware is a specific type of malware that locks or damages a victim’s device, then demands a ransom payment to decrypt it and disappear. Victims are then forced to decide whether to pay the price, negotiate, or wait it out. With a lack of security in the IoT, “jackware” may become the next frontier of ransomware, where IoT-connected devices can be locked for ransom.

Please click below to listen to IEEE Senior Member Kevin Curran discuss the cybersecurity issue of ransomware.

A ransomware attack shut down a hospital in Los Angeles for almost two weeks, forcing staff to use pen and paper for record-keeping. Hackers encrypted all of the hospital’s computers and demanded over $3 million USD in Bitcoin. Though patient information and hospital records weren’t compromised, the hospital relented and paid $17,000 USD to regain access to its computers.

While paying the ransom is typically viewed as a bad practice (there’s no guarantee of getting files back and it encourages similar attacks), organizations are sometimes advised to pay the sum in order to get back to business, or in the case of a hospital, continue to provide advanced care.

Please click below to listen to IEEE Senior Member Kevin Curran discuss the cybersecurity issue of ransomware.

Case Url   |   Outlook

In healthcare, few steps have been taken to solve the problem. Hospitals haven’t made cybersecurity a priority in their budgets – an expert estimated that hospitals spend two percent of their budget on IT, and that security might be 10 percent of that sliver.

Please click below to listen to IEEE Senior Member Kevin Curran discuss the cybersecurity issue of ransomware.

Spear phishing is a time-tested form of attack that is centered on sending bogus emails that look authentic but actually direct the recipient to a fake website that steals confidential information, like usernames and passwords to access finances.

Please click below to listen to IEEE Senior Member Sven Dietrich speak on cybersecurity and spear phishing.

Over the past year, a number of human rights organizations, labor unions, and journalists associated with the 2022 World Cup were targeted in a phishing campaign run out of Qatar. The attacker(s) created a fictional rights activist named Safeena Malik on Facebook, Google, LinkedIn, and Twitter, harvesting details from real accounts.

Targets received emails and social media messages from “Safeena” asking them to look at documents on Qatari human rights or offering forged requests to talk on Google Hangouts. The Hangouts links went to phishing sites crafted specifically for the targets, showing their Google avatar as part of a page mimicking a Google account login. The document links, after capturing their credentials, forwarded them to a real Google Docs document to reduce suspicion.

Please click below to listen to IEEE Senior Member Sven Dietrich speak on cybersecurity and spear phishing.

Case Url   |   Outlook

Advanced email filters can help eliminate much of the human error that has allowed spear phishing scams to persist. These filters can detect stories, phrases, and contexts typical of phishing emails. If an email triggers one of these detectors, it would be blocked or quarantined.  

Please click below to listen to IEEE Senior Member Sven Dietrich speak on cybersecurity and spear phishing.