source: darkreading.com

Researchers investigate malicious apps designed to intercept calls to legitimate numbers, making voice phishing attacks harder to detect.

What if social engineers, instead of calling victims with voice phishing attacks, intercepted phone calls their victims make to legitimate phone numbers? Malicious apps let cybercriminals do just that – a tactic that puts a subtle twist on traditional voice phishing.

Min-Chang Jang, manager at Korea Financial Security Institute and Korea University, began investigating these apps in September 2017 when he received a report of an app impersonating a financial firm. Analysis revealed a phone interception feature in the app, which intrigued him.

That's how Jang discovered a new type of voice phishing crime, which combines traditional voice phishing with malicious apps to trick unsuspecting callers into chatting with cybercriminals.

Here's how they work: An attacker must first convince a victim to download an app. The attacker may send a link to the victim, enticing the person with something like a low-interest loan, and prompt him to install the app for it. If the target takes the bait and later calls a financial company for loan consultation, the call is intercepted and connected to the attacker.

"The victims believe that they are talking to a financial company employee, but they aren't," Jang says. It's unlikely victims will know a scam is taking place, he says. Most of these attacks mimic apps from financial firms.

Unfortunately, when Jang and his research team first discovered malicious apps with the interception feature, they didn't have access to a live malicious app distribution server because it had already been closed by the time they received victim reports. In April 2018, Jang found a live distribution server – a pivotal point for their research into malicious phishing apps.

source: technewsworld.com

AT&T, T-Mobile and Sprint have sold access to subscribers' real-time location data to aggregators, which in turn have sold it to about 250 bounty hunters and related businesses, Motherboard reported Wednesday.

In some cases, the data allowed users to track individuals to their specific locations inside a building.

Some companies made thousands of location requests to data brokers; one company made more than 18,000 such requests in just over a year.

The news, which sparked widespread outrage, prompted a range of responses, including the following:

  • A letter from 15 United States senators to the U.S. Federal Trade Commission (FTC) and U.S. Federal Communications Commission (FCC) demanding action;
  • A tweet from FCC Commissioner Jessica Rosenworcel saying that the agency needs to investigate the issue; and
  • Promises from the carriers that they either have ceased the practice or planned to do so shortly.

"What's in it for the carriers is money," remarked Michael Jude, program manager at Stratecast/Frost & Sullivan.

There are legitimate uses for such data, he told TechNewsWorld. For example, Google Maps uses location data to search for nearby locations such as cafes or restaurants, "so there are social goods that derive from allowing your location to be shared."

source: wired.com

THE WORLD’S INTERNET infrastructure has no central authority. To keep it working, everyone needs to rely on everyone else. As a result, the global patchwork of undersea cables, satellites, and other technologies that connect the world often ignores the national borders on a map. To stay online, many countries must rely on equipment outside their own confines and control.

Nation-states periodically attempt to exert greater authority over their own portions of the internet, which can lead to shutdowns. Last month, for example, the government of the Democratic Republic of Congo turned off its internet during a highly contested presidential election. Now Russia, too, wants to test whether it can disconnect itself from the rest of the world, local media reported last week. But Russia is much larger than the DRC, and it has significantly more sophisticated infrastructure. Cutting itself off would be an onerous task that could have myriad unintended consequences. If anything, the whole project illustrates just how entangled—and strong—the global internet has become.

“What we have seen so far is that it tends to be much harder to turn off the internet, once you built a resilient internet infrastructure, than you’d think,” says Andrew Sullivan, CEO of Internet Society, a nonprofit that promotes the open development of the internet.


According to local news reports, Russia’s disconnection test is part of a new law parliament proposed in December, which would require the country’s internet providers to ensure the independence of Runet, or Russia’s internet. The regulation would mandate that Russian ISPs have the technical means to disconnect from the rest of the world and reroute internet traffic through exchange points managed by Roskomnadzor, Russia’s telecommunications and media regulator. The country reportedly wants to test Runet’s independence by April 1, though no official date has been set and the new regulation has yet to pass. Roskomnadzor did not respond to a request for comment.

The internet was invented in the United States, and US companies now control a significant portion of the infrastructure that powers it. It’s possible that Russia simply wants to gain more autonomy over Runet, but Russian president Vladimir Putin could also be seeking to beef up his cyberwar capabilities or to further censor the online information available to his citizens. While its motives are fuzzy, what’s clear is that Russia has been preparing for greater internet independence for years. In fact, it first proposed disconnecting from the global net back in 2014.

source: darpa.mil

Today, machine learning (ML) is coming into its own, ready to serve mankind in a diverse array of applications – from highly efficient manufacturing, medicine and massive information analysis to self-driving transportation, and beyond. However, if misapplied, misused or subverted, ML holds the potential for great harm – this is the double-edged sword of machine learning.

“Over the last decade, researchers have focused on realizing practical ML capable of accomplishing real-world tasks and making them more efficient,” said Dr. Hava Siegelmann, program manager in DARPA’s Information Innovation Office (I2O). “We’re already benefitting from that work, and rapidly incorporating ML into a number of enterprises. But, in a very real way, we’ve rushed ahead, paying little attention to vulnerabilities inherent in ML platforms – particularly in terms of altering, corrupting or deceiving these systems.”

In a commonly cited example, ML used by a self-driving car was tricked by visual alterations to a stop sign. While a human viewing the altered sign would have no difficulty interpreting its meaning, the ML erroneously interpreted the stop sign as a 45 mph speed limit posting. In a real-world attack like this, the self-driving car would accelerate through the stop sign, potentially causing a disastrous outcome. This is just one of many recently discovered attacks applicable to virtually any ML application.
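The stop-sign example above comes down to a small, deliberately chosen change to the input pushing it across the model's decision boundary. The following is an added illustration, not DARPA's or GARD's code, and it uses a constructed two-feature linear classifier with made-up weights rather than any real vision model. It shows the defender's side of the problem: for a linear model the distance from an input to the boundary can be computed exactly, which gives a certified perturbation budget below which no alteration can change the label, and a worst-case probe confirms that the certificate is tight.

```python
import math

# Constructed toy model: two image-derived features, a linear score,
# and two labels. Weights and bias are hypothetical values chosen for
# illustration; they are not taken from any real classifier.
WEIGHTS = [2.0, -1.0]
BIAS = -0.5
LABELS = {True: "stop", False: "speed-limit-45"}


def logit(x, w=WEIGHTS, b=BIAS):
    """Linear score; positive means the 'stop' class."""
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def classify(x):
    return LABELS[logit(x) > 0]


def certified_l2_radius(x):
    # Distance from x to the hyperplane w.x + b = 0 is |logit| / ||w||_2.
    # Any L2 perturbation strictly smaller than this keeps the same label.
    return abs(logit(x)) / math.sqrt(sum(wi * wi for wi in WEIGHTS))


def certified_linf_radius(x):
    # With an L-infinity budget eps, the score can move by at most eps * ||w||_1,
    # so the label is provably stable while eps < |logit| / ||w||_1.
    return abs(logit(x)) / sum(abs(wi) for wi in WEIGHTS)


def worst_case_linf_input(x, eps):
    # Adversary's best move under an L-infinity budget: shift every feature
    # by eps in the direction that pushes the score toward the other class.
    # Used here only to check that the certificate above is tight.
    toward_other = -math.copysign(1.0, logit(x))
    return [xi + eps * toward_other * math.copysign(1.0, wi)
            for xi, wi in zip(x, WEIGHTS)]


def audit(x, eps):
    """Report whether the label of x is certified stable under budget eps,
    and confirm by probing the worst case."""
    original = classify(x)
    certified = certified_linf_radius(x) > eps
    probed = classify(worst_case_linf_input(x, eps))
    return {
        "label": original,
        "certified_under_eps": certified,
        "worst_case_label": probed,
        "label_survived": probed == original,
    }


if __name__ == "__main__":
    # Constructed input that the toy model reads as a stop sign.
    sign = [1.0, 0.5]
    print(classify(sign), certified_l2_radius(sign), certified_linf_radius(sign))
    for eps in (0.3, 0.4):
        print(eps, audit(sign, eps))
```

With the constructed input `[1.0, 0.5]` the score is 1.0, the L-infinity certificate is 1/3, and the audit reports the label as stable at a budget of 0.3 but flipped at 0.4. Real vision models are not linear, so exact certificates like this are unavailable and the ad hoc defenses the text mentions are tested only against specific attacks; the gap between a provable bound and a probe against one known attack is exactly the gap the passage describes.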

To get ahead of this acute safety challenge, DARPA created the Guaranteeing AI Robustness against Deception (GARD) program. GARD aims to develop a new generation of defenses against adversarial deception attacks on ML models. Current defense efforts were designed to protect against specific, pre-defined adversarial attacks and, when tested, remained vulnerable to attacks outside their design parameters. GARD seeks to approach ML defense differently – by developing broad-based defenses that address the numerous possible attacks in a given scenario.

“There is a critical need for ML defense as the technology is increasingly incorporated into some of our most critical infrastructure. The GARD program seeks to prevent the chaos that could ensue in the near future when attack methodologies, now in their infancy, have matured to a more destructive level. We must ensure ML is safe and incapable of being deceived,” stated Siegelmann.