India’s Union Bank reports cyber breach on offshore account

Union Bank of India Ltd said on Friday one of the bank’s offshore accounts was breached in a cyber attack but the money trail was traced and the movement of funds was blocked. "There is no loss caused to the bank," said the bank in a press release, adding that it had informed the authorities and it was taking steps to plug any gaps and strengthen its security systems.

via https://ift.tt/2a3RrOI

NIST Recommends SMS Two-Factor Authentication Deprecation

A U.S. government agency said the end is nigh for SMS-based two-factor authentication, citing a lack of security around the feature.

The latest draft of the Digital Authentication Guideline, issued this week by the U.S. National Institute of Standards and Technology (NIST), says the practice is deprecated and may be disallowed in future versions.

The Digital Authentication Guideline (Special Publication 800-63) sets the authentication requirements that U.S. federal agencies must follow, and it is widely used as a reference by commercial services.

Acknowledging there’s a risk that SMS messages can be intercepted or redirected, NIST is encouraging any service considering adopting two-factor authentication in the future to “consider alternative authenticators.”

In the document, NIST requires that a service verify that the phone number it sends codes to belongs to a real mobile network and not to a VoIP service, and then states that the method may be disallowed in future releases.

“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service.”

“Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance,” the document reads.

The document does support biometrics, at least in limited use, for authentication. As long as a biometric is used alongside another authentication factor, it is permissible, NIST says. Biometric authentication on its own has non-trivial false match rates, can be spoofed, and, in the document's words, biometrics “do not provide confidence in the authentication of the subscriber by themselves.”

NIST has stressed the document is a public preview, meaning the processes aren’t in play yet and are still subject to comment. NIST will seek comments for roughly two weeks and follow it up by a 2-3 week period for editors to review those comments.

The agency is seeking comment on SP 800-63-3 via GitHub. While the platform may seem like an unorthodox choice, NIST said it considers the site a robust forum for drafting the document and is encouraging substantive technical and procedural comments. NIST first called on the public to help the agency map out the guideline when it previewed it on GitHub initially, in May.

Several services have already begun moving away from SMS codes toward codes generated on the user's own device. Facebook uses something called Code Generator as part of its login approvals feature. When a user turns it on, they are asked at login for a code that changes every thirty seconds. Google offers a similar app, Google Authenticator, which generates time-based one-time passwords (six digits by default; the underlying TOTP standard allows six to eight). Companies such as Authy and Duo specialize in such solutions as well.

Two-factor authentication has become almost ubiquitous over the last several years. In its most common form the service sends the user a code to enter along with the password, as an added layer of security, and it has been adopted across multiple industries. Companies such as Apple, Dropbox, Snapchat, Evernote, and Twitter have adopted two-factor authentication to combat account takeovers.

Still, 2FA is no silver bullet; attackers and researchers alike have poked holes in the method, mainly via man-in-the-middle attacks. Two years ago, researchers from Duo found a way to bypass the mechanism used by PayPal and transfer money from a victim's account to any recipient they chose. Vulnerabilities have also surfaced in two-factor implementations for WordPress plugins, Google, and Instagram that let attackers bypass the second factor.

via https://ift.tt/29ZUTxz

Infection Monkey: Test a network from an attacker’s point of view

Infection Monkey, a tool designed to test the resiliency of modern data centers against cyber attacks, was developed as an open source tool by GuardiCore’s research group.


“Traditional testing tools are no longer able to effectively detect vulnerabilities in today’s data center networks as they cannot continuously exploit the weakest link and propagate in-depth, resulting in a very partial view of network vulnerabilities,” said Pavel Gurvich, CEO of GuardiCore.

How Infection Monkey works

Infection Monkey is a self-propagating testing tool that is able to identify and visualize the path of least resistance in the data center network. It scans the network, checking for open ports and fingerprinting machines using multiple network protocols.

After detecting accessible machines, it attempts to attack every single machine using methods such as intelligent password guessing and safe exploits. It does this by leveraging available data on systems it has breached, such as stolen credentials, to automatically spread and infect other machines, clearly highlighting all vulnerable systems in its path.

Infection Monkey provides detailed information about the specific vulnerability exploited and the effect a vulnerable segment can have on the entire network, giving security teams the insight they need to make informed decisions and enforce tighter security policies. It is designed to be safe to run, with no reconnaissance or propagation features that can impact server or network stability.
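The propagation loop described above can be sketched as a graph search. The following is an added example written for this digest, not Infection Monkey's own code: it simulates, on a constructed five-host lab inventory, an attacker who starts with one foothold and one guessable password, harvests whatever credentials are found on each compromised host, and replays them against every host reachable under the network's segmentation. The host names, services, credentials and reachability table are all invented for the illustration; the output is the order of compromise, the path by which each host fell, and which reused credential opened it.

```python
# Constructed lab inventory (invented for this example, not real hosts). Each host
# exposes services that accept one credential, and "loot" is what an attacker
# harvests once on the box (config files, shell history, cached tokens).
HOSTS = {
    "web-01": {"services": {"ssh": "web-deploy"},   "loot": ["db-app"]},
    "db-01":  {"services": {"ssh": "db-app"},       "loot": ["backup-svc"]},
    "bak-01": {"services": {"ssh": "backup-svc"},   "loot": ["domain-admin"]},
    "dc-01":  {"services": {"smb": "domain-admin"}, "loot": []},
    "hr-01":  {"services": {"smb": "hr-local"},     "loot": []},
}

# Which hosts can open a connection to which (the segmentation policy).
REACHABLE = {
    "web-01": ["db-01", "hr-01"],
    "db-01":  ["bak-01", "hr-01", "web-01"],
    "bak-01": ["dc-01", "db-01"],
    "dc-01":  ["web-01", "db-01", "bak-01", "hr-01"],
    "hr-01":  ["web-01"],
}

# Credentials the "intelligent password guessing" stage is assumed to find.
GUESSABLE = {"web-deploy"}


def propagate(hosts, reachable, start, guessable):
    """Simulate credential-reuse propagation from `start`.

    Repeats until no new host falls: for every compromised host, try each reachable
    neighbour with every credential stolen so far. Returns (order of compromise,
    {host: path from start}, {host: (from_host, service, credential used)}).
    """
    creds = set(guessable) | set(hosts[start]["loot"])
    order = [start]
    paths = {start: [start]}
    how = {start: None}
    changed = True
    while changed:
        changed = False
        for src in list(order):
            for dst in reachable[src]:
                if dst in paths:
                    continue
                # The weakest link: any service on dst whose credential we already hold.
                for service, cred in hosts[dst]["services"].items():
                    if cred in creds:
                        order.append(dst)
                        paths[dst] = paths[src] + [dst]
                        how[dst] = (src, service, cred)
                        creds.update(hosts[dst]["loot"])
                        changed = True
                        break
    return order, paths, how


def report(order, paths, how):
    """Human-readable attack path, one line per compromised host."""
    lines = []
    for host in order:
        if how[host] is None:
            lines.append(f"{host}: initial foothold")
        else:
            src, service, cred = how[host]
            lines.append(f"{host}: from {src} via {service} using '{cred}' "
                         f"(path {' -> '.join(paths[host])})")
    return lines


if __name__ == "__main__":
    for line in report(*propagate(HOSTS, REACHABLE, "web-01", GUESSABLE)):
        print(line)
```

In this inventory the domain controller falls in three hops purely through reused credentials, while hr-01, whose password is not reused anywhere, is never reached; removing the bak-01 to dc-01 reachability entry cuts the chain before the domain controller, which is the kind of segmentation decision the tool's output is meant to inform.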

Infection Monkey at Black Hat USA 2016

GuardiCore’s research group leader Ofri Ziv will present “Unleash the Infection Monkey: A Modern Alternative to Pen-Tests” at Black Hat USA 2016 on August 3. During his session Ziv will discuss the shortcomings of current approaches and address how Infection Monkey can be of value to today’s security teams, provide a glimpse of the tool running in an unsecured environment and offer use cases for real-world security testing scenarios.

via https://ift.tt/2a1kqGJ

Free up Windows 10 Disk Space with Compact OS

Compact OS is a feature that Microsoft introduced in Windows 10, driven through the compact.exe command line tool, to reduce the operating system's disk footprint.

Probably the biggest change from previous versions of Windows in this regard is that Windows 10 no longer needs a separate recovery image, as the operating system uses its existing files for that instead.

Compact OS compresses the operating system's own files in place on the system volume; the files stay where they are and are decompressed transparently when read, so the change is invisible to applications.

There is a lot that you can do with Compact OS, especially when it comes to optimizing and deploying images.

What’s probably most interesting from an end-user’s perspective is that you may change from a non-compacted to a compacted OS on a running system.


If you do that, you may free up several Gigabytes of storage on the hard drive because of it. Mileage may vary but I have yet to come upon a system where the Compact OS operation would not free up at least 2 Gigabytes of space.

2 Gigabytes may not be much depending on available hard drive space. Running the operation makes sense if Windows is installed on a partition with little hard drive space, or a Solid State Drive that is low on space.

All commands are run from an elevated command prompt.

  1. Tap on the Windows-key.
  2. Type cmd.exe
  3. Hold down Shift and CTRL.
  4. Select the Command Prompt result to open an elevated command prompt.

Determine the state of OS binaries


Before you do any compacting, you may want to determine the current state of OS binaries to find out whether the OS is already compressed.

Run the following command to determine that:

  • compact.exe /CompactOS:query

The command reports whether the system is currently in the Compact state. Running compact.exe on its own in a directory (add /S to recurse into subdirectories) instead lists how many files there are compressed and uncompressed, the compression ratio, and the number of bytes the data occupies.

If the compression ratio is 1.0 to 1 or close to that, the files in question are not compressed.

Compressing the OS binaries to save up disk space in Windows 10


Compression may impact performance under certain circumstances but it should not be noticeable on most systems.

Please note that you can go back to an uncompressed state at any point in time if you notice issues after compressing the OS. Also, to be on the safe side, it is recommended to back up important data before you continue.

Run the following command to compress OS binaries:

  • compact.exe /CompactOS:always

The operation may take several minutes to complete (on some systems 20 or more minutes). The amount of space you save depends on a number of factors. A test on the latest Insider Build installation of Windows 10 saved more than 2 Gigabytes of disk space after the compression.

To revert the change later on, run the following command to uncompress the data:

  • compact.exe /CompactOS:never

The operation does not take as long as the compression usually. Windows will occupy more disk space afterwards though so keep that in mind.


via https://ift.tt/2aflWjN

Ex-Google engineer launches blockchain-based system for banks

A former Google engineer, whose speech recognition software is used in more than a billion Android smartphones, has launched a company that uses blockchain technology to build a new operating system for banks.

Paul Taylor, a Cambridge University academic with an expertise in artificial intelligence, speech synthesis and machine learning, started working on the system, called Vault OS, two years ago in a basement in London’s Shoreditch district, known for being a tech start-up hub.


via https://ift.tt/29F0kio

These Windows 10 Apps Are Actually Worth Installing

Microsoft’s concept of universal apps that run seamlessly across computers, tablets, and phones is a hallmark of the company’s newest operating system. The problem is most people don’t know which apps they should be using. With the Windows Store growing all the time, there are plenty of ways to try out the new approach. Here are the best Windows 10 universal apps that are actually worth installing on your desktop.


1) Fresh Paint

Fresh Paint is a fun, natural art program that you can use to doodle during five minutes of downtime or to make something more serious. It’s not the most advanced graphics app you’ve ever seen, but there are plenty of brushes and tools to play around with.

Colors and materials mix together intelligently (the app started out as a research project), and it comes with a few ‘tutorial’ images you can use to hone your skills. You can import images from disk or start from scratch and everything syncs seamlessly to OneDrive.


2) Autodesk SketchBook

For something a little more advanced, there’s Autodesk Sketchbook. You get a whole host of brushes, canvas styles and colors to play around with, and if you put in the time and the effort then some truly professional results are possible.

Of course (as is the case with Fresh Paint), you’re going to get a lot more from the app if you’re using a tablet or a touchscreen computer, but even with a mouse and keyboard this is powerful software. You get a 15-day trial of the Pro version free of charge.


3) Facebook

If you prefer your Facebook experience in a native app rather than in a web browser, check out the Facebook app for Windows 10. Why would you do this? It seems to be slightly faster, and it’s certainly cleaner—it also works well if you’re using Windows 10 on a touchscreen.

All of the usual Facebook goodies are here (though Messenger is a separate app), and you can get at the same settings, feeds, events, groups, apps and saved pages accessible on the web. The left-hand pane is customizable, so you can pick your favorite shortcuts.


4) Plex

Like Facebook, Plex works fine in the browser, but the Windows 10 app gives you access to a desktop-ready program so you don’t have to keep your Chrome tabs open all the time. However, it’s only really the paid-for version of Plex that makes this app worth installing.

If you don’t want to pay you can only play local files, browse media files on the server, and control other devices through the app. To play your content over the web, you’ll need to stump up for a Plex Pass subscription ($4.99 a month) or pay a one-time fee of $4.99.


5) VLC Media Player

As fantastic as the standard version of this program is, it’s not the most user-friendly media player, and VLC Media Player for Windows 10 is much easier on the eye. The app handles all of your local media files as well as physical discs and network streams.

Get the app watching your media folders and all of your music, movies and photos pop up as thumbnails. There are some advanced tweaks hidden away as well, for playback speed and audio and subtitle delay, and you’ve got a full suite of keyboard shortcut controls too.


6) Flipboard

Few Windows 10 apps make as good use of your big desktop (or laptop) monitor as Flipboard. It’s been around a while, so you probably know the ins and outs of the app, and this universal Windows 10 version shows off all its best features.

Saving and curating stories of interest to you is straightforward and, of course, the recognizable Windows tile approach suits Flipboard very well. Tapping through on a story reveals the full webpage edition of the article, but you never have to leave the app.


7) Uber

At this stage in its evolution, it feels a little odd that Uber is stuck on mobile devices and doesn’t have much of a web interface to speak of, but Uber for Windows 10 fills the gap and lets you get at the taxi-hailing service from your desktop, laptop, or tablet.

Unlike the main Uber website, you can’t review previous journeys or make detailed changes to your account profile, but you can see a map of available drivers and book a ride, as well as edit payment information (which is much easier to do on a larger screen).


8) Lara Croft Go

There isn’t a wonderful selection of games on the Windows 10 Store but Lara Croft Go is well worth your time and money (it’ll set you back $4.99). As with the Android and iOS versions, the action-adventure series is transformed into a more sedate 3D puzzler.

That doesn’t mean the game is any less engaging though—the levels are beautifully designed and the learning curve is judged just right, so you should find yourself challenged without feeling the need to hurl the keyboard out of the window in frustration.


9) Adobe Photoshop Express

Photoshop is the best image editing application out there, but it’s way beyond what most people are going to need, and for the rest of us there’s Adobe Photoshop Express. You get all of the basic editing tools in a fresh-looking interface as well as some fun filters on top.

For the most part, the app feels very much like a blown-up version of Instagram. It includes some quick fix tools including red eye adjustments and a reduce noise filter (available as an extra in-app purchase). Everything syncs neatly with your Adobe ID, if you have one.


10) Netflix

You may be more than happy with your web Netflix experience, but the Netflix universal app for Windows 10 is a slick and neatly designed alternative. In the Windows 10 app your categories are a click away in the left-hand menu rather than in a pop-up window.

There are a few quirks, and the settings screen is disappointingly sparse (and you can’t edit your Netflix profiles either), but you know that if Netflix ever decides to offer offline downloads, they’re going to be a big part of this Windows 10 application.

via https://ift.tt/29oIK6h

Oops! TP-Link forgets to Renew and Loses its Domains Used to Configure Router Settings

To make the configuration of routers easier, hardware vendors instruct users to browse to a domain name rather than numeric IP addresses.

Networking equipment vendor TP-LINK uses either tplinklogin.net or tplinkextender.net for configuring its devices, although users can also reach the router administration panel through its local IP address (e.g. 192.168.1.1).

The first domain offered by the company is used to configure TP-LINK routers and the second is used for TP-LINK Wi-Fi extenders.

Here’s the Blunder:

TP-Link has reportedly "forgotten" to renew both domains, which are used to configure its routers and to reach the administrative panels of its devices.

Both domains have since been re-registered through an anonymous registration service by an unknown entity and are being offered for sale online at US$2.5 million each.

This latest TP-Link oversight, first spotted by Cybermoon CEO Amitay Dan, could expose its users to real problems.

However, TP-Link does not appear interested in buying the domains back: Dan claims the vendor is instead updating its manuals to remove the domain name references altogether.

In recent years the vendor has been replacing tplinklogin.net with tplinkwifi.net, a domain it does control, so for newer devices there is no direct threat.

But tplinklogin.net and tplinkextender.net are usually printed on the back of older devices, so a user who types one of those names could end up on a site under a third party’s control.

If malicious actors get their hands on these domains, they could use them to distribute malware, serve phishing pages instructing users to "download new firmware to your router," and request device or social media credentials from users before redirecting them to the router’s local admin panel IP.

The bottom line:

Users are advised to avoid accessing their TP-Link routers through the tplinklogin.net or tplinkextender.net domains; instead, use the router’s local IP address.

Dan has also recommended that Internet Service Providers (ISPs) block the affected domain names to prevent their customers from being redirected to a hostile site.

via https://ift.tt/29wYeod

Hackers Can Steal Your ATM PIN from Your Smartwatch Or Fitness Tracker

As day-to-day apparel and accessories turn into networked electronic devices that attach to your body, such as a smartwatch or fitness band, the threat to the personal data these devices collect has risen sharply.

A recent study from Binghamton University also suggests your smartwatch or fitness tracker is not as secure as you think – and it could be used to steal your ATM PIN code.

The risk lies in the motion sensors used by these wearable devices. The sensors also collect information about your hand movements, among other data, making it possible for “attackers to reproduce the trajectories” of your hand and “recover secret key entries.”

In the paper, titled “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN,” computer scientists from the Stevens Institute of Technology and Binghamton University used an algorithm that guesses a password or PIN with about an 80% success rate on the first attempt, and over 90% within three tries.

Retrieving Passwords and PINs Using this Algorithm

Researchers say their “Backward PIN-Sequence Inference” algorithm can recover anything a person types on any keypad, from automatic teller machine (ATM) keypads to mobile keypads, through compromised smartwatches, even though the hand movements made while entering a PIN are slight.

“The team was able to record millimeter-level information of fine-grained hand movements from accelerometers, gyroscopes and magnetometers inside the wearable technologies regardless of a hand’s pose,” reports Phys.org.

Although the researchers do not name specific wearable devices that are vulnerable, they note that attackers can record information about your hand movements either directly, by infecting your wearable device with malware, or remotely, by intercepting the Bluetooth connection that links your wearable device to your phone.

The bottom line:

The team says it doesn’t have a robust solution to prevent this attack but recommends that manufacturers and developers confuse attackers by inserting “a certain type of noise data” that would allow the device to still be used for fitness tracking, but not for guessing keystrokes.

Another way is to take a low-tech approach: always enter your passwords or PINs with the hand that is not wearing a device with a fine-grained motion tracker.

via https://ift.tt/29zohdi