Security News

By running a survey on whether infosec bods think the Common Vulnerability Scoring System is a useful tool for assessing security flaws, Dr Zinaida Benenson of Friedrich-Alexander Universität Erlangen-Nürnberg's IT Security Infrastructure Lab in Germany hopes to further the infosec world's understanding of how reliable the system really is. While the survey hopes to gain up to 300 respondents, Benenson was coy about precisely what she's hoping to prove or disprove, but she did drop The Register a hint about the current state of CVSS scoring.

In a paper titled "Real-World ADS-B signal recognition based on Radio Frequency Fingerprinting," three Chinese researchers describe what they said was a method of identifying unique transmitters fitted to aircraft - regardless of what identity code the equipment is broadcasting. ADS-B transmitters work by broadcasting the aircraft's GPS location along with a unique identifier, issued by the registering country's authorities.

Voatz, the maker of a blockchain-based mobile election voting app pilloried for poor security earlier this year, has urged the US Supreme Court not to change the 1986 Computer Fraud and Abuse Act, a law that critics say inhibits security research because it's overly broad. The app maker filed an amicus brief [PDF] on Thursday in Van Buren v. United States in support of the US government, which seeks to uphold the 2017 conviction of former Georgia police officer Nathan Van Buren under the CFAA. Van Buren was convicted of violating the CFAA for conducting a computer search for a license plate number. Coincidentally, its app was slammed in February by computer scientists for a variety of security flaws.

The paper presents "SpiKey, a novel attack that utilizes a smartphone microphone to capture the sound of key insertion/withdrawal to infer the shape of the key, i.e., cut depths that form the 'secret' of the key, solely by the captured acoustic signal." The researchers explained that there will be more than one "Candidate keys" rather than a single one that fits the pattern, but that in the case of the particular six-pin key analysed, "SpiKey guarantees reducing more than 94 per cent of keys to less than 10 candidate keys" with three candidates being "The most frequent case".

Some of the boffins who in 2018 disclosed the data-leaking speculative-execution flaws known as Spectre and Meltdown today contend that attempts to extinguish the Foreshadow variant have missed the mark. In a paper slated to be distributed through ArXiv today, Martin Schwarzl, Thomas Schuster, and Daniel Gruss with Graz University of Technology, and Michael Schwarz, with the Helmholtz Center for Information Security, reveal the computer science world has misunderstood the microarchitectural flaw that enables Foreshadow, which can be exploited by malware or a rogue user on a vulnerable system to extract data from supposedly protected areas of memory - such as Intel SGX enclaves, and operating-system kernel and hypervisor addresses.

Infosec pros and hackers regularly abuse cloud service providers to conduct reconnaissance and attacks, despite efforts by cloud providers to limit such activity. Of the 75 security professionals and hackers they spoke with as a part of a larger examination of attacker psychology, more than 93 per cent admitted to abusing cloud services to create attack environments and launch attacks.

ESA's mission operations centre in Germany has got back to doing interplanetary science after a short stand-down due to COVID-19. At least as normal as operations get for Cluster, now over 20 years into a two-year mission, and the veteran Mars Express spacecraft.

AMD processors sold between 2011 and 2019 are vulnerable to two side-channel attacks that can extract kernel data and secrets, according to a new research paper. In a paper [PDF] titled, "Take A Way: Exploring the Security Implications of AMD's Cache Way Predictors," six boffins - Moritz Lipp, Vedad Hadžić, Michael Schwarz, and Daniel Gruss, Clémentine Maurice, and Arthur Perais - explain how they reverse-engineered AMD's L1D cache way predictor to expose sensitive data in memory.

Only a week after the mobile app meltdown in Iowa's Democratic Caucus, computer scientists at MIT have revealed their analysis of the Voatz app used in West Virginia's 2018 midterm election. They claim the Android app is vulnerable to attacks that could undermine election integrity in the US state.

Uni brains pitch smart math for speeding up establishment of circuits in anonymizing onion network Academics in Germany say they've found a way to make Tor and similar onion networks more...