source: sciencedaily.com

As self-driving cars continue to develop, there will be plenty of data amassed through cars' navigational technologies. Questions regarding privacy, ownership, cybersecurity and public safety arise, as heavily guarded mapping data is collected and leveraged by companies. The geospatial data can be used to draw new maps identifying the spaces where we live and travel. That information is currently housed in technological and corporate black boxes. Given the social relevance and impacts of such information, these black boxes require greater transparency, according to a Dartmouth study posted in Cartographic Perspectives.

As autonomous cars strive to make sense of the world around them, they collect massive amounts of data, including traffic and congestion patterns, where pedestrians cross the street, which houses and businesses have Wi-Fi, and other details, which could be monetized. While companies may have intellectual property and other economic interests in protecting geospatial data, local governments, private citizens and other actors also have a vested interest in using that data to inform decisions on managing traffic, urban planning, allocating public funds and other projects, all of which may be of public interest.

"Self-driving cars have the potential to transform our transportation network and society at large. This carries enormous consequences given that the data and tec

source: wired.com

AT ITS ANNUAL worldwide threat assessment hearing on Tuesday, top national security officials gave the Senate Intelligence Committee a rundown of the dangers the United States will face in 2019 and beyond. The adversaries were familiar, with China, Russia, North Korea, and Iran mentioned alongside evolving situations like Brexit and the power struggle in Venezuela. But if any common theme emerged, it's the number of assessments the officials shared that seem to directly contradict positions touted by the Trump administration.

That tension hinted at another threat, one that didn't come up directly in Tuesday's hearing but appeared prominently in a report last week from director of national intelligence Dan Coats: That various recent actions by the United States may be undermining its own security.

That report, the "National Intelligence Strategy," usually has both a public and classified version. But this year, ODNI elected to create only one public document in an effort, Coats said in remarks announcing the report, to promote transparency about intelligence community activities and goals. While similar in many ways to the Worldwide Threat Assessment ODNI released alongside Tuesday's Senate hearing, last week's NIS took more direct aim at the abstract, yet fundamental threat of a shifting geopolitical order.

"Traditional adversaries will continue attempts to gain and assert influence, taking advantage of changing conditions in the international environment—including the weakening of the post-WWII international order and dominance of Western democratic ideals, increasingly isolationist tendencies in the West, and shifts in the global economy," last week's report said.

This simple statement can also be read as a bombshell, articulating a trend that most politicians would be wary of admitting publicly. That isolationism stems in large part from Trump; his trade war with China has caused ripples in the global economy. But in Tuesday's Senate testimony, intelligence officials including Coats, NSA director Paul Nakasone, CIA director Gina Haspel, and FBI director Christopher Wray brought none of that up directly.

 

"ISIS very likely will continue to pursue external attacks from Iraq and Syria against regional and Western adversaries."

DAN COATS, DIRECTOR OF NATIONAL INTELLIGENCE

The hearing instead focused on questions from senators about anti-terrorism efforts, nuclear proliferation, infrastructure hacking, and foreign intelligence and counter-intelligence-gathering. The discussion also touched on questions about defending big data and information-gathering risks from digital manipulations like "deepfakes," compelling videos created by machine-learning programs that seem to depict something that didn't actually happen.

source: threatpost.com

Researchers show how rogue web applications can be used to attack vulnerable browser extensions in a hack that gives adversaries access to private user data.

Researchers have added another reason to be suspicious of web browser extensions. According to a recently published academic report, various Chrome, Firefox and Opera browser extensions can be compromised by an adversary that can steal sensitive browser data and plant arbitrary files on targeted systems.

“We identified a good number of extensions that can be exploited by web applications to benefit from their privileged capabilities,” wrote Université Côte d’Azur researcher Dolière Francis Somé, in an academic paper titled Empowering Web Applications with Browser Extensions (PDF).

A web application is a client-server computer program that a computing device runs in a web browser – such as an online form or browser-based word processor. That’s separate from a browser extension – a small software add-on for customizing a web browser with something like an ad-blocker or a web-clipping tool.

“[Browser extensions] have access to sensitive user information, including browsing history, bookmarks, credentials (cookies) and list of installed extensions,” Somé pointed out. “They have access to a permanent storage in which they can store data as long as they are installed in the user’s browser. They can trigger the download of arbitrary files and save them on the user’s device.”

That access sets extensions apart from web applications, which are subject to what is called the Same Origin Policy (SOP), a rule that bars an app from reading and writing user data between domains. The research, however, demonstrates how a specially crafted web application can bypass SOP protections by exploiting privileged browser extensions.

source: securityintelligence.com

University of Maryland researchers warn that with limited resources, threat actors could launch a successful cyberattack on Google’s bot-detecting reCaptcha service.

In an academic paper detailing their findings, the researchers discuss how they created a tool called unCaptcha, which uses audio files in conjunction with artificial intelligence (AI) technologies such as speech-to-text software to bypass the Google security mechanism.

Over more than 450 tests, the unCaptcha tool defeated reCaptcha with 85 percent accuracy in 5.42 seconds, on average. This study proved that threat actors could potentially break into web-based services, pursue automated account creation and more.

How Researchers Got Around reCaptcha

Online users will recognize reCaptcha as a small box that appears on many websites when signing up or logging in to digital services. Website visitors are typically asked to solve a challenge to prove they’re human, whether it’s typing in letters next to a distorted rendering of the letters, answering a question or clicking on images.

In this case, the University of Maryland researchers took advantage of the fact that Google’s system offers an audio version of its challenges for those who may be visually impaired. The attack method involved navigating to Google’s reCaptcha demo site, finding the audio challenge and downloading it, then putting it through a speech-to-text engine. After an answer had been parsed, it could be typed in and submitted.

While Google initially responded by creating a new version of reCaptcha, the researchers did the same thing with unCaptcha and were even more successful. In an interview with BleepingComputer, one of the researchers said the new version had a success rate of around 91 percent after more than 600 attempts.

Securing the Web Without CAPTCHAs

The research paper recommends a number of possible countermeasures to a tool such as unCaptcha, including broadening the sound bytes of reCaptcha audio challenges and adding distortion. CAPTCHAs are far from the only option available to protect digital services, however.

IBM Security experts, for example, discussed the promise of managed identity and access management (IAM), which allows organizations to not only protect online services with additional layers of security, but also have a third party deal with operational chores such as patching and resolving upcoming incidents. If a group of academics can automate attacks on CAPTCHA systems this successfully, it may be time for security leaders and their teams to look for something more sophisticated.