source: reuters.com

Shippers, retailers and restaurants are experimenting with robots, drones and self-driving cars in a bid to use automation to drive down the high cost of delivering gadgets, groceries and even cups of coffee the “last mile” to consumer doorsteps.

FedEx is teaming up with DEKA Development & Research Corp, whose founder Dean Kamen invented the Segway stand-up scooter and iBot stair-climbing wheelchair, for its project. The delivery company said the robots could become part of its SameDay service that operates in 1,900 cities around the world.

The battery-powered robots look like coolers on wheels. Cameras and software help them detect and avoid obstacles as they roam sidewalks and roadways at a top speed of 10 miles (16 km) per hour.

The project must win approval in test cities, including the shipper’s hometown of Memphis, and the first deliveries will be between FedEx office stores.

On average, more than 60 percent of merchants’ customers live within three miles of a store location. FedEx said it is working with its partners, which also include AutoZone Inc and Target Corp, to determine if autonomous delivery to them is a viable option for fast, cheap deliveries.

The “last mile” to the home accounts for 50 percent or more of total package delivery costs. Restaurants pay third-party delivery companies like Uber Eats, DoorDash and GrubHub commissions of 10-30 percent per order.

Investors and companies are pouring millions of dollars into projects aimed at lowering those costs and overcoming regulatory hurdles. For safety reasons, many states want autonomous vehicles to have humans as emergency backup drivers.

source: thecipherbrief.com

U.S. officials recently detailed an offensive cyber operation undertaken by U.S. Cyber Command to The Washington Post, revealing how the military blocked Internet access to St. Petersburg’s Internet Research Agency on the day of the U.S. midterm elections last year.

“The operation marked the first muscle-flexing by U.S. Cyber Command, with intelligence from the National Security Agency, under new authorities it was granted by President Trump and Congress last year to bolster offensive capabilities,” writes the Post’s Ellen Nakashima.

Military offensive cyber operations were just one of the important global issues that we discussed recently with Cipher Brief Expert Dr. James Miller, former Under Secretary of Defense for Policy from 2012-2014.

In a Cipher Brief Exclusive, we asked Dr. Miller to outline his biggest concerns when it comes to future global cyber challenges. Dr. Miller has spoken in the past at the International Conference on Cyber Engagement, being held this year on April 23, and hosted by Catherine Lotrionte and the Atlantic Council.

Status of Military Operations in Cyberspace – Cyber Deterrence and Military Offensive Operations

Miller: I’m focused on the status of military operations in cyberspace, both on a day-to-day basis, and including issues related to cyber deterrence. The Defense Science Board has done some work on that topic, and Cyber Command has laid out their new vision to achieve, and maintain, cyberspace superiority.

The discussion has changed over the last few months, and I think our allies and partners as well as our potential adversaries, would welcome a continued conversation on that topic. The United States needs to listen to our allies and partners, as well as the perspective of our potential adversaries, in understanding what that competition looks like, where the potential for escalation is and so forth.

International Norms

Miller: Something I’ve discussed a lot with Catherine Lotrionte, and something that she has focused on quite a bit during her past conferences, has been on the issue of international norms.

Again, there have been some interesting recent developments. The UN GGE (Group of Governmental Experts) did some good work several years ago. This past December, they adopted a resolution focused on advancing responsible state behavior in cyberspace. We also have the Paris Call for Trust and Security in Cyberspace, and there are additional works that have been underway by some of our allies and partners. I’ve been thinking about those norms both for governments and for the private sector and how they interact. On that thought, an extension of the Paris Call is the Cybersecurity Tech Accord, where the private sector is beginning to assert, in some pretty strong ways, what it will and won’t do. This is both a challenge and an opportunity for the United States.

Working with Allies and Partners on Cyber Defense

Miller: The topic of where we are right now in working with our allies and partners in cyber really intersects with the previous two issues.

There have been important recent developments including the last NATO summit with the opening of the Cyber Operations Center. If you think about this in the NATO context, for decades there were two pillars of NATO security: the conventional deterrent and the nuclear deterrent. Less than a decade ago, missile defense was added as a key component, and now cyber over the past six to eight years has begun to work its way into the defense strategy, starting with the Cooperative Cyber Defense Center of Excellence in Tallinn, Estonia. And now it’s the Cyber Operations Center, which basically says, “Although NATO doesn’t have offensive cyber capabilities, nations can bring them in.”

source: securityweek.com

We’ve all heard the proverb: Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime. Well now, threat actors don’t even have to exert the effort to phish to land business email accounts.

According to an alert published earlier this year by the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013. Traditionally, social engineering and intrusion techniques have been the most common ways to gain access to business email accounts and dupe individuals into wiring funds to an attacker-controlled account. These methods play out as follows:

1. Social engineering and email spoofing: Attackers use social engineering to pose as a colleague or business partner and send fake requests for information or for the transfer of funds. These emails can be quite convincing because the attacker makes a significant effort to identify an appropriate victim and register a look-alike domain, so that at first glance the email appears to come from a colleague or supplier.

2. Account takeover: Here, attackers use information-stealing malware and keyloggers to gain access to and hijack a corporate email account, which they then use to make fraudulent requests to colleagues, accounting departments and suppliers. They can also alter mailbox rules so that the victim’s incoming messages are forwarded to the attacker, or so that emails sent by the attacker are deleted from the victim’s sent items.

These techniques have served threat actors well for quite some time. But now we are seeing new, more expeditious methods emerge to gain access to business email accounts. Compromised credentials, whether offered for sale on criminal forums, exposed through third-party breaches, or leaked through misconfigured backups and file-sharing services, make it easier than ever to profit from BEC. Email inboxes are also being used not just to request wire transfers, but to steal financially sensitive information stored within these accounts or to request information from other employees. With declining barriers to entry for BEC, and more ways to monetize this type of fraud, we can expect the losses to continue to rise and perhaps even accelerate in the near term.
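The mailbox-rule tampering described under account takeover leaves an audit trail that defenders can check. The following is an added example, not code from the article, that flags inbox-rule changes forwarding mail off-domain or silently deleting messages; it runs over constructed audit records modelled loosely on Microsoft 365 inbox-rule operations, and the record field names and the internal domain are assumptions.

```python
"""Flag inbox-rule changes typical of BEC account takeover.

Added example, not from the article: scans constructed audit records modelled
loosely on Microsoft 365 inbox-rule operations; field names are assumptions."""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}  # assumed: the organisation's own mail domains

@dataclass
class RuleEvent:
    user: str                      # mailbox the rule was changed in
    operation: str                 # e.g. "New-InboxRule"
    forward_to: list = field(default_factory=list)
    delete_message: bool = False   # rule silently deletes matching mail
    conditions: dict = field(default_factory=dict)  # empty means "all mail"

def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def assess(ev: RuleEvent) -> list:
    """Reasons a rule change looks like BEC tradecraft (empty list = clean)."""
    reasons = []
    if ev.operation not in ("New-InboxRule", "Set-InboxRule"):
        return reasons
    ext = [a for a in ev.forward_to if is_external(a)]
    if ext:
        reasons.append("forwards to external address: " + ", ".join(ext))
        if not ev.conditions:
            reasons.append("forwarding applies to all incoming mail")
    if ev.delete_message:
        reasons.append("deletes matching messages")
    return reasons

# Constructed sample records: one benign internal rule, two suspicious ones,
# and a rule removal that the check ignores.
SAMPLE_EVENTS = [
    RuleEvent("cfo@example.com", "New-InboxRule", forward_to=["assistant@example.com"],
              conditions={"from": "board@example.com"}),
    RuleEvent("payables@example.com", "New-InboxRule",
              forward_to=["backup.mailbox@mail-relay.test"]),
    RuleEvent("ceo@example.com", "Set-InboxRule", delete_message=True,
              conditions={"subject": "Re: wire"}),
    RuleEvent("hr@example.com", "Remove-InboxRule"),
]

def flagged_users(events=SAMPLE_EVENTS) -> dict:
    """Map each mailbox with a suspicious rule change to the reasons."""
    return {ev.user: assess(ev) for ev in events if assess(ev)}
```

A benign rule that forwards to an internal colleague with a narrow condition is left alone, while an unconditional external forward and a delete rule are surfaced for review.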

Here’s how these alternative methods work:

source: darkreading.com

Researchers investigate malicious apps designed to intercept calls to legitimate numbers, making voice phishing attacks harder to detect.

What if social engineers, instead of calling victims with voice phishing attacks, intercepted phone calls their victims make to legitimate phone numbers? Malicious apps let cybercriminals do just that – a tactic that puts a subtle twist on traditional voice phishing.

Min-Chang Jang, manager at Korea Financial Security Institute and Korea University, began investigating these apps in September 2017 when he received a report of an app impersonating a financial firm. Analysis revealed a phone interception feature in the app, which intrigued him.

That's how Jang discovered a new type of voice phishing crime, which combines traditional voice phishing with malicious apps to trick unsuspecting callers into chatting with cybercriminals.

Here's how they work: An attacker must first convince a victim to download an app. The attacker may send a link to the victim, enticing the person with something like a low-interest loan, and prompt them to install the app to apply for it. If the target takes the bait and later calls a financial company for loan consultation, the call is intercepted and connected to the attacker.

"The victims believe that they are talking to a financial company employee, but they aren't," Jang says. It's unlikely victims will know a scam is taking place, he says. Most of these attacks mimic apps from financial firms.

Unfortunately, when Jang and his research team first discovered malicious apps with the interception feature, they didn't have access to a live malicious app distribution server because it had already been closed by the time they received victim reports. In April 2018, Jang found a live distribution server – a pivotal point for their research into malicious phishing apps.