The deadly Ebola outbreak sweeping across three countries in West Africa is likely to last 12 to 18 months more, much longer than anticipated, and could infect hundreds of thousands of people before it is brought under control, say scientists mapping its spread for the federal government.
“We hope we’re wrong,” said Bryan Lewis, an epidemiologist at the Virginia Bioinformatics Institute at Virginia Tech.
Both the time the model says it will take to control the epidemic and the number of cases it forecasts far exceed estimates by the World Health Organization, which said last month that it hoped to control the outbreak within nine months and predicted 20,000 total cases by that time. The organization is sticking by its estimates, a W.H.O. spokesman said Friday.
But researchers at various universities say that at the virus’s present rate of growth, there could easily be close to 20,000 cases in one month, not in nine. Some of the United States’ leading epidemiologists, with long experience in tracking diseases such as influenza, have been creating computer models of the Ebola epidemic at the request of the National Institutes of Health and the Defense Department.
The Centers for Disease Control and Prevention declined to comment on the projections. A spokesman, Tom Skinner, said the agency was doing its own modeling and hoped to publish the results soon. But the C.D.C. director, Dr. Thomas R. Frieden, has warned repeatedly that the epidemic is worsening, and on Sept. 2 described it as “spiraling out of control.”
While previous outbreaks have been largely confined to rural areas, the current epidemic, the largest ever, has reached densely populated, impoverished cities — including Monrovia, the capital of Liberia — gravely complicating efforts to control the spread of the disease. Alessandro Vespignani, a professor of computational sciences at Northeastern University who has been involved in the computer modeling of Ebola’s spread, said that if the case count reaches hundreds of thousands, “there will be little we can do.”
What worries public health officials most is that the epidemic has begun to grow exponentially in Liberia. In the most recent week reported, Liberia had nearly 400 new cases, almost double the number reported the week before. Another grave concern, the W.H.O. said, is “evidence of substantial underreporting of cases and deaths.” The organization reported on Friday that the number of Ebola cases as of Sept. 7 was 4,366, including 2,218 deaths.
The scientists who produced the models cautioned that their dire predictions were based on the virus’s current uncontrolled spread and said the picture could improve if public health efforts started to work. Because conditions could change, for better or for worse, the researchers also warned that their forecasts became shakier the farther into the future they went.
Dr. Lewis, the Virginia Tech epidemiologist, said that a group of scientists collaborating on Ebola modeling as part of an N.I.H.-sponsored project called Midas, short for Models of Infectious Disease Agent Study, had come to a consensus on the projected 12- to 18-month duration and very high case count.
Another Midas participant, Jeffrey L. Shaman, an associate professor of environmental health sciences at the Columbia University Mailman School of Public Health, agreed.
“Ebola has a simple trajectory because it’s growing exponentially,” Dr. Shaman said.
Lone Simonsen, a research professor of global health at George Washington University who was not involved in the modeling, said the W.H.O. estimates seemed conservative and the higher projections more reasonable.
“The final death toll may be far higher than any of those estimates unless an effective vaccine or therapy becomes available on a large scale or many more hospital beds are supplied,” she said in an email.
Dr. Vespignani said that the W.H.O. figures would be reasonable if there were an effective campaign to stop the epidemic now, but that there is not.
The modeling estimates are based on the observed growth rate of cases and on factors like how many people each patient infects. The researchers use the past data to make projections. They can test their methods by, for instance, taking the figures from June, plugging them into the model to predict the number of cases in July, and then comparing the results with what actually happened in July.
Dr. Shaman’s research team created a model that estimated the number of cases through Oct. 12, with different predictions based on whether control of the epidemic stays about the same, improves or gets worse. If control stays the same, according to the model, the case count by Oct. 12 will be 18,406. If control improves, it will be 7,861. If control worsens, it will soar to 54,895.
Before this epidemic, the largest Ebola outbreak was in Uganda from 2000 to 2001, and it involved only 425 cases. Scientists say the current epidemic surged out of control because it began near the borders of three countries where people traveled a lot, and they carried the disease to densely populated city slums. In addition, the weak health systems in these poor countries were not equipped to handle the disease, and much of the international response has been slow and disorganized.
But questions have also been raised about whether there could be something different about this strain of Ebola that makes it more contagious than previous ones.
Researchers are doubtful, but Thomas W. Geisbert, an Ebola expert at the University of Texas Medical Branch in Galveston, said it was important to keep an open mind about the possibility. During vaccine tests expected to start next month in monkeys, he said, he and his colleagues will monitor infected animals to see if they develop unusually high virus levels early in the disease that might amplify its infectiousness.
Some scientists have also suggested that as the outbreak continues and the virus spreads from person to person, it will have more opportunities to mutate and perhaps become even more dangerous or contagious. But Stuart T. Nichol, chief of the C.D.C.’s Viral Special Pathogens Branch, said that so far, researchers monitoring the mutations had seen no such changes.
Article from New York Times
It has been widely reported that hackers were able to access celebrities’ private accounts. How were they able to do this?
This story is still developing, and the details behind the attack are still not clear. However, there are several theories, including the targeted attacks against cloud service user names, passwords, and security questions that have been used in similar breaches in the past, as well as the use of malicious wireless access points at the Emmy Awards show. Another theory, which Apple denies was involved in the leak, is the exploitation of a recently discovered iCloud/Find My iPhone vulnerability that allowed non-rate-limited password guessing. Any of these methods could have been used to gain access to an initial set of celebrity cloud accounts, from which an attacker could gain further information (e.g., account details for other celebrities from compromised contact lists) in order to compromise more accounts.
The reason that access to the cloud services provided the attackers access to such sensitive data is because modern mobile devices, including phones, generally upload pictures and other media to the cloud provider. These devices are often configured to perform this automatically, which can be problematic in the case of data such as this.
Is the average smartphone and cloud user vulnerable to such an attack? What precautions can people take to better protect sensitive information that might be stored on mobile devices or in the cloud such as passwords and financial information?
In principle, yes, the average user is vulnerable to similar attacks—that is, if you choose to upload data you wouldn’t want the world to see to the cloud. The best way to prevent this sort of leak is to not upload sensitive data in the first place, and to disable automatic synchronization of all documents, pictures, and other media to the cloud. Once someone gains access to your data and copies it away, there is no mechanism available to “unleak” that data. Furthermore, even if users request the cloud provider to delete uploaded data, it often persists regardless (e.g., on content delivery networks and other caches). Finally, cloud providers also create offline backups of data that are difficult to purge, and any entity with a subpoena could potentially gain access to these.
The second avenue to protect yourself is to make it more difficult for attackers to access your account without your permission. This involves using a strong, hard-to-guess password, and enabling two-factor authentication. Two-factor authentication simply requires that you provide two forms of proof that you are who you say you are (e.g., a password and a security code from a mobile application), and is one of the most effective ways of shutting out attackers.
What are some of the most recent cybersecurity advances being made at Northeastern and elsewhere? Will this hack affect future security measures?
There are really too many advances in cybersecurity to list here, but security researchers have long warned about the potential risks of cloud storage. While certainly convenient, one does lose a large degree of control over the uploaded data, and a centralized cloud provider is a juicy target for adversaries. There is a large amount of interest in researching ways to secure the cloud, with approaches varying from making authentication to cloud accounts both stronger and less of a burden on users, to transparent encryption schemes that prevent attackers—and even the cloud provider—from accessing your data, to fully homomorphic encryption, which would allow cloud providers to somewhat counter-intuitively compute or “use” your data without being able to “see” it.
While this hack will no doubt further spur the work of security researchers, one hopes for other outcomes as a result of this attack, including a greater recognition amongst users of the risks associated with the cloud, and the permanence of your data in modern society.
Lean operations and a lack of technical staff make non-governmental organizations a prime, and relatively soft, target for well-funded adversaries, according to an academic study of a four-year campaign targeting one such group.
In a paper to be delivered at the USENIX Security Conference next week, six academic researchers analyzed nearly 1,500 suspicious e-mail messages targeting the World Uyghur Congress (WUC). The team found that, while the malware managed to reliably evade detection by many antivirus programs, the attacks were relatively unsophisticated, using known vulnerabilities that had already been patched. The social engineering tactics, however, were very targeted and convincing, with the majority written in the native language, referring to events of interest to the NGO and appearing to come from known contacts, said Engin Kirda, a professor of computer science at Northeastern University and a co-author of the paper.
“You read about sophisticated attacks, but the malware that we analyzed was pretty standard,” Kirda said. “It was not some groundbreaking obfuscation or malware.”
Kirda collaborated with three researchers from the Max Planck Institute for Software Systems and two others from the National University of Singapore on the project. The research underscores that attackers only use the level of technical sophistication necessary to complete their operation, Kirda said.
Unfortunately, non-governmental organizations tend to be vulnerable to attack. The WUC, which advocates on issues involving the Uyghur Eurasian minority of 10 million people in China, used older versions of Windows, relied on antivirus software, and lacked the technical sophistication found in many enterprises. The group is funded, in part, by the US-based National Endowment for Democracy.
“The lack of resources is always a problem,” Kirda said. “Our aim should be to create technology that will trickle down to people and protect them more completely.”
Almost half the attacks used a real organizational event, such as a conference, as a lure to convince a target to open the attachments. Of the nearly 1,500 e-mails analyzed by the researchers, nearly 1,176 contained malicious attachments, mainly Office documents. The e-mails targeted more than 700 people at 108 different organizations through carbon-copied recipients, including the Australian Uyghur Association, Radio Free Asia, and NASA Jet Propulsion Laboratory.
Unlike the trend in opportunistic attacks, which generally target vulnerabilities in Java browser plugins, the WUC’s attackers started the campaign in 2009 by attaching PDF files with exploits that would compromise systems through Adobe’s Acrobat. Soon after, however, the attackers switched to using Microsoft Office documents, which constituted the vector for the lion’s share of attacks analyzed by the researchers.
The WUC has suffered a number of disruptive attacks in the past five years, including a two-week denial-of-service attack on its website in 2011 and a flood of phone calls and more than 15,000 spam messages in a single week.
About a quarter of the attacks matched the signatures of other operations attributed to nation-state actors, Kirda said. Despite some of the attacks being more than four years old, no antivirus program detected all the malware.
Organizations that believe they could be targeted by such attacks should take more concrete steps to protect themselves. Upgrading systems to more modern operating systems and regularly patching those systems can help immensely, Kirda said.
“Make sure you have all the updates; make sure you use a browser that is not standard; and pursue more training—talk about the threat,” he said.
Article from Arstechnica.com