Connect with us

Tech

Security experts warn Hafnium attacks are “highly reckless” and “dangerous”

Published

on

Security experts warn Hafnium attacks are "highly reckless" and "dangerous"


While President Joe Biden contemplates retaliating against the Russian hackers whose attack on another software company, SolarWinds, became public in December, the Hafnium hack has become an enormous free-for-all, and its consequences could be even worse. As experts sprint to close the holes opened up by the Chinese hacking, officials say the American government is focused closely on what happens next to thousands of newly vulnerable servers—and how to respond to China.

“The gates are wide open to any bad actor that wants to do anything to your Exchange server and the rest of your network,” says Sean Koessel, vice president at Volexity, the cybersecurity firm that helped discover the hacking activity. “The best case is espionage—somebody who just wants to steal your data. The worst case is ransomware getting in and deploying it across the entire network.”

The distinction between the two attacks is not just about technical details, or even which country committed them. Although 18,000 companies downloaded the compromised SolarWinds software, the number of genuine targets was just a fraction that size. Hafnium, meanwhile, was far more indiscriminate.

“Both started out as espionage campaigns, but the difference really is how they were conducted,”  says Dmitri Alperovitch, chairman at the Silverado Policy Accelerator. “The Russian SolarWinds campaign was very carefully done, where the Russians went after the targets they cared about and they shut down access everywhere else, so that neither they nor anyone else could get into those targets that were not of interest.” 

“Contrast that with the Chinese campaign,” he says. 

“On February 27, they realize the patch is going to come out, and they literally scan the world to compromise everyone. They left web shells that can now enable others to get into those networks, potentially even ransomware actors. That’s why it’s highly reckless, dangerous, and needs to be responded to.”

Exploitation en masse

The beginning of the Hafnium campaign was “very under the radar,” says Koessel.

The hacking was missed by most security checks: it was only spotted when Volexity noticed strange and specific internet traffic requests to the company’s customers who were running their own Microsoft Exchange email servers. 

A month-long investigation showed that four rare zero-day exploits were being used to steal entire mailboxes—potentially devastating for the individuals and companies involved, but at this point there were few victims, and the damage was relatively limited. Volexity worked with Microsoft for weeks to fix the vulnerabilities, but Koessel says he saw a major change at the end of February. Not only did the number of victims start to rise, but there was also an increase in the number of hacking groups.

It’s not clear how multiple government hacking groups became aware of the zero-day vulnerabilities before Microsoft made any public announcement. So why did the extent of the exploitation explode? Perhaps, some suggest, the hackers may have realized their time was almost up. If they did know a patch was coming, how did they find out? 

“I think it is very uncommon to see so many different [advanced hacking] groups having access to the exploit for a vulnerability while the details are not public,” says Matthieu Faou, who leads research into the Exchange hacks for ESET. “There are two major possibilities,” he says. Either “the details of the vulnerabilities were somehow leaked to the threat actors,” or another vulnerability research team working for the threat actors “independently discovered the same set of vulnerabilities.”

Tech

Why mixing vaccines could help boost immunity

Published

on

Why mixing vaccines could help boost immunity


We should soon have a better idea. A handful of trials are now under way to test the power of vaccine combinations, with the first results due in later this month. If these mixed regimens prove safe and effective, countries will be able to keep the vaccine rollout moving even if supplies of one vaccine dwindle because of manufacturing delays, unforeseen shortages, or safety concerns. 

But there’s another, more exciting prospect that could be a vital part of our strategy in the future: mixing vaccines might lead to broader immunity and hamper the virus’s attempts to evade our immune systems. Eventually, a mix-and-match approach might be the best way to protect ourselves.

Mixing on trial 

The covid-19 vaccines currently in use protect against the virus in slightly different ways. Most target the coronavirus’s spike protein, which it uses to gain entry to our cells. But some deliver the instructions for making the protein in the form of messenger RNA (Pfizer, Moderna). Some deliver the spike protein itself (Novavax). Some use another harmless virus to ferry in the instructions for making it, like a Trojan horse (Johnson & Johnson, Oxford-AstraZeneca, Sputnik V). Some offer up whole inactivated virus (Sinopharm, Sinovac). 

In a study published in March, researchers from the National Institutes for Food and Drug Control in China tested combinations of four different covid-19 vaccines in mice, and found that some did improve immune response. When they first gave the rodents a vaccine that relies on a harmless cold virus to smuggle in the instructions and then a second dose of a different type of vaccine, they saw higher antibody levels and a better T-cell response. But when they reversed the order, giving the viral vaccine second, they did not see an improvement. 

Why combining shots might improve efficacy is a bit of a mystery, says Shan Lu, a physician and vaccine researcher at the University of Massachusetts Medical School who pioneered this mixing strategy. “The mechanism we can explain partially, but we don’t fully understand.” Different vaccines present the same information in slightly different ways. Those differences might awaken different parts of the immune system or sharpen the immune response. This strategy might also make immunity last longer.  

Whether those results translate to humans remains to be seen. Researchers at Oxford University have launched a human trial to test just how mixing might work. The study, called Com-CoV, offers participants a first shot of Pfizer or Oxford-AstraZeneca. For their second dose, they will either get the same vaccine or a shot of Moderna or Novavax. The first results should be available in the coming weeks. 

Other studies are under way as well. In Spain, where Oxford-AstraZeneca is now being given only to people over 60, researchers plan to recruit 600 people to test whether a first dose of the shot can be paired with a second dose from Pfizer. According to reporting in El País, about a million people received the first dose of the vaccine but aren’t old enough to receive the second dose. Health officials are waiting for the results of this study before issuing recommendations for this group, but it’s not clear whether any participants have yet been recruited. 

Late last year Oxford-AstraZeneca announced that it would partner with Russia’s Gamaleya Institute, which developed Sputnik V vaccine, to test how the two shots work in combination. The trial was supposed to launch in March and provide interim results in May, but it’s not clear whether it has actually begun. And Chinese officials have hinted that they’ll explore mixing vaccines to boost the efficacy of their shots. 

The biggest gains might come from mixing vaccines that have lower efficacies. The mRNA vaccines from Pfizer and Moderna provide excellent protection. “I don’t think there’s reason to mess with that,” says Donna Farber, an immunologist at Columbia University. But mixing might improve protection for some of the vaccines that have reported lower levels of protection, like Oxford-AstraZeneca and Johnson & Johnson, as well as some of the Chinese vaccines. Many of these vaccines work quite well, but mixing might help them work even better. 

Continue Reading

Tech

The US’s online language gaps are an urgent problem for Asian-Americans

Published

on

The US’s online language gaps are an urgent problem for Asian-Americans


Chen says that while content moderation policies from Facebook, Twitter, and others succeeded in filtering out some of the most obvious English-language disinformation, the system often misses such content when it’s in other languages. That work instead had to be done by volunteers like her team, who looked for disinformation and were trained to defuse it and minimize its spread. “Those mechanisms meant to catch certain words and stuff don’t necessarily catch that dis- and misinformation when it’s in a different language,” she says.

Google’s translation services and technologies such as Translatotron and real-time translation headphones use artificial intelligence to convert between languages. But Xiong finds these tools inadequate for Hmong, a deeply complex language where context is incredibly important. “I think we’ve become really complacent and dependent on advanced systems like Google,” she says. “They claim to be ‘language accessible,’ and then I read it and it says something totally different.” 

(A Google spokesperson admitted that smaller languages “pose a more difficult translation task” but said that the company has “invested in research that particularly benefits low-resource language translations,” using machine learning and community feedback.)

All the way down

The challenges of language online go beyond the US—and down, quite literally, to the underlying code. Yudhanjaya Wijeratne is a researcher and data scientist at the Sri Lankan think tank LIRNEasia. In 2018, he started tracking bot networks whose activity on social media encouraged violence against Muslims: in February and March of that year, a string of riots by Sinhalese Buddhists targeted Muslims and mosques in the cities of Ampara and Kandy. His team documented “the hunting logic” of the bots, catalogued hundreds of thousands of Sinhalese social media posts, and took the findings to Twitter and Facebook. “They’d say all sorts of nice and well-meaning things–basically canned statements,” he says. (In a statement, Twitter says it uses human review and automated systems to “apply our rules impartially for all people in the service, regardless of background, ideology, or placement on the political spectrum.”)

When contacted by MIT Technology Review, a Facebook spokesperson said the company commissioned an independent human rights assessment of the platform’s role in the violence in Sri Lanka, which was published in May 2020, and made changes in the wake of the attacks, including hiring dozens of Sinhala and Tamil-speaking content moderators. “We deployed proactive hate speech detection technology in Sinhala to help us more quickly and effectively identify potentially violating content,” they said.

“What I can do with three lines of code in Python in English literally took me two years of looking at 28 million words of Sinhala”

Yudhanjaya Wijeratne, LIRNEasia

When the bot behavior continued, Wijeratne grew skeptical of the platitudes. He decided to look at the code libraries and software tools the companies were using, and found that the mechanisms to monitor hate speech in most non-English languages had not yet been built. 

“Much of the research, in fact, for a lot of languages like ours has simply not been done yet,” Wijeratne says. “What I can do with three lines of code in Python in English literally took me two years of looking at 28 million words of Sinhala to build the core corpuses, to build the core tools, and then get things up to that level where I could potentially do that level of text analysis.”

After suicide bombers targeted churches in Colombo, the Sri Lankan capital, in April 2019, Wijeratne built a tool to analyze hate speech and misinformation in Sinhala and Tamil. The system, called Watchdog, is a free mobile application that aggregates news and attaches warnings to false stories. The warnings come from volunteers who are trained in fact-checking. 

Wijeratne stresses that this work goes far beyond translation. 

“Many of the algorithms that we take for granted that are often cited in research, in particular in natural-language processing, show excellent results for English,” he says. “And yet many identical algorithms, even used on languages that are only a few degrees of difference apart—whether they’re West German or from the Romance tree of languages—may return completely different results.” 

Natural-language processing is the basis of automated content moderation systems. Wijeratne published a paper in 2019 that examined the discrepancies between their accuracy in different languages. He argues that the more computational resources that exist for a language, like data sets and web pages, the better the algorithms can work. Languages from poorer countries or communities are disadvantaged.

“If you’re building, say, the Empire State Building for English, you have the blueprints. You have the materials,” he says. “You have everything on hand and all you have to do is put this stuff together. For every other language, you don’t have the blueprints.

“You have no idea where the concrete is going to come from. You don’t have steel and you don’t have the workers, either. So you’re going to be sitting there tapping away one brick at a time and hoping that maybe your grandson or your granddaughter might complete the project.”

Deep-seated issues

The movement to provide those blueprints is known as language justice, and it is not new. The American Bar Association describes language justice as a “framework” that preserves people’s rights “to communicate, understand, and be understood in the language in which they prefer and feel most articulate and powerful.” 

Continue Reading

Tech

We reviewed three at-home covid-19 tests. Here’s what happened

Published

on

shipping Abbott tests


As a result, I don’t think home tests are as useful as some have hoped. If used at scale to screen for covid, they could send millions of anxious people in search of lab tests and medical care they don’t need.

Still relevant?

As the covid-19 pandemic spread around the globe last year, economists and scientists called for massive expansion of testing and contact tracing in the US, to find and isolate infected people. But the number of daily tests in the US has never much exceeded 2 million, according to the Covid Tracking Project, and most of those were done in labs or on special instruments.

Home tests will now be manufactured in the tens of millions, say their makers, but some experts aren’t sure how much they will matter at this point. “The real value of these tests was six months ago,” says Amitabh Chandra, a professor at Harvard University’s Kennedy School. “I think that the move to over-the-counter is great, but it has limited value in a world where vaccines become more widely available.” Vaccination credentials could be more important for travel and dining than test results are.

Companies selling the tests say they are still a relevant strategy for getting back to normal, especially given that kids aren’t getting vaccinated yet. For employers who want to keep an office or factory open, they say, self-directed consumer tests might be a good option. A spokesperson for Abbott told me that they might also help people “start thinking about coordinating more covid-conscious bridal showers, baby showers, or birthday parties.”

The UK government started giving away covid antigen tests for free, by mail and on street corners, on April 9, saying it wants people “to get in the habit” of testing themselves twice a week as social distancing restrictions are eased. Along with vaccines, free tests are part of that nation’s plan to quash the virus. Later, though, a leaked government memo said health officials were privately worried about a tsunami of false positives.

In the US, there’s no still no national campaign around home tests or subsidy for them, and as an out-of-pocket expense, they are still too expensive for most people to use with any frequency. That may be for the best, given my experience.

Types of tests

The three tests we tried included two antigen tests, BinaxNow from Abbott Laboratories and a kit from Ellume, as well as one molecular test, called Lucira. In general, molecular tests, which detect the genes of the coronavirus, are more reliable than antigen tests, which sense the presence of the virus’s outer shell.

Everything you need is in one box, except in the case of the Ellume test, which must be paired with an app. Overall, the Lucira test had the best combination of advertised accuracy and simplicity, but it was also the most expensive at $55.

We didn’t try Quidel QuickVue, another antigen test, or a molecular test from Cue Health. Those tests, while authorized for home use, are not being sold directly to the public yet.

After trying all the tests, I am not planning to invest in using them regularly. I work from home and don’t socialize, so I don’t really need to. Instead, I plan to keep at least one test in my cupboard so that if I do feel sick, or lose my sense of smell, I will be able to quickly find out whether it’s covid-19. The ability to test at home might become more important next winter when cold and flu season returns.

ABBOTT LABS

BinaxNow by Abbott

Time required: about 20 minutes
Price: $23.99 for two
Availability: At some CVS stores starting in April. Abbott says it is making tens of millions of BinaxNow tests per month.
Accuracy: 84.6% for detecting covid-19 infections, 98.5% for correctly identifying covid-19 negatives

This is the at-home version of the fast, 15-minute test the White House was using last year to screen staff and visitors. It’s an antigen test, meaning that it examines a sample from a nasal swab to detect a protein in the shell of the virus. It went on sale in the US last week, and I was able to buy a two-test kit at CVS for $23.99 plus tax.

The technology used is called a “lateral flow immunoassay.” In simple terms, that means it works like a pregnancy test. It’s basically a paper card with a test strip. As the sample flows through it, it hits antibodies that stick to the virus protein and then to a colored marker. If the virus is present, a pink bar appears on the strip.

I found the test fairly easy to perform. You use an eye dropper to dispense six drops of chemical into a small hole in the card; then you insert a swab after you’ve run it around in both nostrils. Rotate the swab counterclockwise, fold the card to bring the test strip in contact with the swab, and that’s it. Fifteen minutes later, a positive result will show up as a faint pink line.

The drawback of the test is that there’s room for two different kinds of user error. It’s hard to see the drops come out of the dropper, and using too few could cause a false negative. So could swabbing your nose incorrectly. Unlike the other tests, this one can’t tell if you’ve made a mistake.

And besides the prospect of user error, the test itself has issues with accuracy. BinaxNow is the cheapest test out there, but it’s also the most likely to be wrong, missing about one in seven real infections. Abbott cautions that results “should be treated as presumptive” and “do not rule out SARS-Cov-2.”

But a buyer won’t find the accuracy rate without digging into the fine print. The company also buries a crucial requirement imposed by regulators: to compensate for the lower accuracy, you are supposed to use both tests in the kit, at least 36 hours apart. I doubt a casual buyer will realize that. The two-test requirement is barely mentioned in the instructions.

Continue Reading

Copyright © 2020 Diliput News.