Information Security, SSAE 16, ISO 27001, CISA, Cert-IN
Bithumb, ranked the seventh largest cryptocurrency exchange and located in South Korea, has confirmed that it was hacked and that the thieves absconded with approximately $32 million in coins, including the XRP token issued by Ripple.
Read the Full Article here: >Computer Security News
ATM Penetration testing, Hackers have found different approaches to hack into the ATM machines. Programmers are not restricting themselves to physical assaults, for example, money/card catching, skimming, and so forth they are investigating better approaches to hack ATM programming.
An ATM is a machine that empowers the clients to perform keeping money exchange without setting off to the bank.
Utilizing an ATM, a client can pull back or store the money, get to the bank store or credit account, pay the bills, change the stick, redesign the individual data, and so on. Since the ATM machine manages money, it has turned into a high need focus for programmers and burglars.
In this article, we will perceive how do an ATM functions, security arrangements used to secure the ATMs, diverse sorts of infiltration testing to break down ATM security and a portion of the security best practices which can be utilized to evade ATM hack.
Most of the ATMs have 2 input and 4 output. The card reader and keypad are input whereas a screen, receipt printer, cash dispenser, and the speaker are output.
There are for the most part two sorts of ATM’s which vary as indicated by the way they work. They can be called as
1.Rented line ATM
2.Dial-up ATM machines
Any ATM machine needs an information terminal with two data sources and four yield gadgets. Obviously, for this to happen there ought to likewise be the accessibility of a host processor. The host processor is important so that the ATM can interface furthermore speak with the individual asking for the money. The Internet Service Provider (ISP) additionally assumes an essential part in this activity. They go about as the passage to the halfway systems furthermore the bank PC.
Image Credit : HowstuffWorks
A rented line ATM machine has a 4-wire, indicate point committed phone line which assists in associating it with the host processor. These sorts of machines are favored in spots where the client volume is high. They are viewed as top of the line and the working expenses of this sort of a machine is high.
The dial-up ATM machines just has an ordinary telephone line with a modem and a toll free number. As these are typical associations their underlying establishment cost is less and their working costs just turn into a small amount of that of a rented line ATM.
The host is primarily claimed by the bank. It can likewise be claimed by an ISP. On the off chance that the host is possessed by the bank just machines that work for that specific bank will be upheld.
Also Read Undetectable ATM “Shimmers” Hacker’s Latest Tool for Steal your Chip Based Card Details
Security professionals perform advanced penetration tests on automated teller machine (ATM) solutions in the financial sector. In most cases, serious security flaws are identified in the ATM configurations and associated processes.
ATMs test with our ‘Business Penetration Test’ (BPT) methodology, which simulates real attacks on ATM solutions. This includes carefully designed targeted attacks, which combines physical, logical and optionally social engineering attack vectors.
ATM security is often considered a complex area by IT security managers, who tend to focus more on the physical risks and less on the logical weaknesses in the operating system and application layer.
Meanwhile, ATM security is a business area that often lacks holistic security assessments. Our ATM tests are based on this belief, and seek to paint a holistic ) picture of your ATM environment.
Physical controls
Many banks rely heavily on the assumption that physical access to their ATM solutions is effectively restricted. In the meantime repeated, illustrates how little effort is often required to gain unauthorized access to the ATM CPU, which controls the user interface and transaction device.
Logical controls
With physical access to the ATM CPU, authentication mechanisms can be bypassed to gain unauthorized access to the ATM platform.
With this access, an attacker may be able to steal credit card data that is stored in file systems or memory, without ever alerting the bank. Furthermore, experts able to demonstrate, this unauthorized access can be expanded from the ATM to the bank’s network and back-end servers by using the compromised ATM as an attack platform.
ATM solution management processes associated with third party service providers and application development vendors are often the golden key for an attacker, and can be included in the scope of our test to identify logical weaknesses in trust relationships that an attacker can exploit to compromise an ATM.
ATM ecosystem
An ATM solution and network form a complex ecosystem that consists of different vendors and responsible agents, both internal and external to the banking organization.
Due to the complexity of this ecosystem with its distributed roles and responsibilities that cross organizational boundaries, the areas associated with security risk are often overlooked. The ATM application itself, with its software updates, operating system patches, platform hardening, and networks, is often vulnerable to attacks.
These attacks are not necessarily sophisticated and often not included in standard penetration tests.
Security Best Practices to be followed for ATM
The banks can implement security best practices to reduce the attack surface for the attacker. This section can be categories into three categories:
1.Protection against physical attacks:
2 . Protection against logical attacks:
3 . Protection against fraud attacks:
ATM security solutions
Most of the ATMs run on Windows XP and 7. Patching individual ATM is a quite complex process. Since Windows XP is no longer supported by Microsoft, many ATM vendor uses security solution to mitigate the threats related to ATM attacks such as Malware-based attacks, OS-level vulnerabilities. These security solutions allow the ATM application to run in very restrictive environment with limited services and processes in the back end. Two of such security solutions are Mcafee Solidcore and Phoenix Vista ATM.
Mcafee Solidcore:
McAfee Application Control blocks unauthorized executables on servers, corporate desktops, and fixed-function devices. Using a dynamic trust model and innovative security features such as local and global reputation intelligence, real-time behavioral analytics, and auto-immunization of endpoints, it immediately thwarts advanced persistent threats—without requiring labor-intensive list management or signature updates.
Phoenix Vista ATM:
Phoenix Vista ATM is a product of Phoenix Interactive Design Inc .This solution integrates with the ATM application itself. This application works on file integrity check where any modification/tampering with the application related critical file will result in a system shutdown. This disallows any unauthorized program to modify the application specific file.
XFS (extensions for Financial Services) provides a client-server architecture for financial applications on the Microsoft Windows platform, especially peripheral devices such as ATM’s which are unique to the financial industry. It is an international standard promoted by the European Committee for Standardization (known by the acronym CEN, hence CEN/XFS). XFS provides a common API for accessing and manipulating various financial services devices regardless of the manufacturer.
Vista ATM communicates with the XFS layer which gives commands to the hardware like cash dispenser of the ATM to dispense the cash. Any unauthorized modification in XFS files will trigger the Vista ATM application to restart the machine forcefully. The machine restarts 4-5 times, and after that, it goes into maintenance mode which does not allow the user to perform any transaction.
Certificate authority Comodo CA is expanding out of its traditional area to launch a new platform designed to secure Internet of Things devices. Hackers increasingly target IoT devices that have no security embedded and exposed vulnerabilities.
Read the Full Article here: >Computer Security News
Flexera released Vulnerability Review 2018: Top Desktop Apps, part of the annual report series from Secunia Research. This new edition focuses on heavily used desktop applications, which can be easily breached through the Internet.
“Companies are in desperate need to improve patching so they can reduce risk. Ultimately that means creating a smart process,” said Kasper Lindgaard, Senior Director of Research and Security at Flexera. “To do that you have to cut through the noise – not all software updates are security related, and not all security updates are equally critical. Having patching processes, supported by best-in-class technologies, gives you the visibility and intelligence you need to prioritize and act decisively.”
Security professionals need to pay close attention to desktop applications because most vulnerabilities found in these types of apps can be extremely dangerous. Whenever new vulnerabilities are reported, Secunia Research issues Advisories assessing their criticality, attack vector and solution status. This allows desktop admins to identify and prioritize critical security patches. Without such information, operation teams struggle to keep up with a the large amount of patches.
In 2017, 83 percent of the Secunia Advisories covering the top desktop applications were rated “Extremely” or “Highly” critical (compared to only 17 percent when you look at Secunia Advisories across all software applications ranked).
Moreover, desktop applications are extremely vulnerable to attack via the Internet, making them attractive targets. 94 percent of advisories relating to desktop apps could be exploited through the Internet, without any interaction with the user, or the need for them to take any action.
The report also cautions users who incorrectly believe that Microsoft’s automated updates will shield them from vulnerability risk. In fact, the majority of desktop app vulnerabilities occur in non-Microsoft applications. 65 percent of the vulnerabilities reported in the 50 most common desktop applications were found in non-Microsoft apps.
“Organizations can improve security patching in just three steps,” added Lindgaard. “First, arm desktop admins with security Key Performance Indicators to keep security patching a high priority. Second, create an inventory of desktop apps to make installing a patch easier. Finally, put prioritization and sourcing patches on a schedule, so patches are consistently monitored and applied quickly.”
The key takeaway? When armed with vulnerability intelligence, IT professionals can get ahead of security risks with patches for almost all vulnerabilities affecting the most common desktop applications.
Read the Full Article here: >Help Net Security – News
Distil Networks analyzed over 100 million mobile devices on its networks. The findings suggest that sophisticated cybercriminals and bot operators now implement a new technique—leveraging mobile devices – to avoid detection and execute a number of nefarious acts. At this time, 5.8 percent of all mobile devices across six major cellular networks are used in such automated attacks and represent eight percent of all bad bot traffic.
This bad bot traffic is purposefully deployed against any business with a web presence to carry out acts that include web scraping, brute force attacks, competitive data mining, online fraud, account hijacking, data theft, spam and digital ad fraud.
Uncovered by the Distil Research Lab, the data reveals a new method by which perpetrators connect through cellular gateways to target a large variety of websites and apps simultaneously. Cellular gateways handle a huge volume of requests per minute, many of which are legitimate, making it difficult to identify and block criminal ones.
Within some cellular carriers, a single IP address can cater to more than 4,000 devices per day, making cellular traffic an ideal location for bots to remain undetectable. As mobile devices move through different gateways, (based on device owners changing location throughout the day,) bots effectively change identities to make detection even more difficult.
Mobile bots by the numbers:
Mobile is the new frontier for bot operators, as they can perform highly advanced attacks while remaining hidden in plain sight,” said Rami Essaid, chief product and strategy officer at Distil Networks. “Whether inadvertently downloaded through an email attachment, or embedded in a seemingly legitimate app, millions of consumers unknowingly carry malware on their devices that allows cybercriminals to conduct bot attacks, abuse and fraud. We have seen bot operators develop and enhance their techniques throughout the years, but the threat to mobile devices is real and growing, and can have detrimental consequences.
Twitter has given millions of users a way of making their accounts even harder to hack, with the introduction of support for physical keys.
Most Twitter users protect their accounts in the traditional way: username and password. As with any other internet account, such security is vulnerable to a number of threats including phishing or a user unwisely choosing the same password that they use elsewhere on the internet.
This is the primary reason that so many Twitter accounts have been compromised by hackers over the years.
High profile victims have included FC Barcelona, CNN, Burger King, Google CEO Sundar Pichai, Wikipedia’s Jimmy Wales, and Mark Zuckerberg.
One of the most notorious hijackings of a Twitter account occurred in 2013, when the Syrian Electronic Army managed to gain control of Associated Press’s Twitter account and posted a message saying that there had been an explosion at the White House and Barack Obama had been injured.
That bogus report knocked 61 billion dollars (briefly) off the Dow Jones Index.
If you’re sensible you have taken better steps than just a password to protect your Twitter account, and enabled two-step verification in the form of “Login Verification”.That adds an extra hurdle to the login process by asking for a code generated by a third-party app such as Google Authenticator and Authy to be be entered.
For most people, this level of protection is probably enough.
But what if you want to go even further, and wish to ensure an even high level of physical security to your Twitter account?
If that’s you then you’ll be interested to read news inside a blog post detailing Twitter’s latest steps to combat spam and abuse on the site.
Twitter has revealed that you can now use a physical USB security key which supports the universal two-factor (U2F) standard when signing in for login verification.
The small keyfobs require the logging-in user to physically press a button to confirm the identity, and because it will only work on the real Twitter website it provides a high level of protection against phishing sites.
Other websites which support FIDO U2F hardware keys – which are the same size and shape as a typical USB thumb drive – include Google, Facebook, Dropbox, GitHub, and SalesForce.
Cisco has released security updates to address a bucketload of vulnerabilities affecting multiple products, including 24 critical and high-severity flaws found in many of its switches, next generation firewalls and security appliances.
Those vulnerabilities are present in the Cisco NX-OS Software, which enables network automation and programmatical provisioning and configuration of the devices via APIs, and Cisco FXOS (Firepower eXtensible Operating System).
“Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access to an affected device, gain elevated privileges for an affected device, execute arbitrary code, execute arbitrary commands, gain access to sensitive information, or cause a denial of service (DoS) condition on an affected device,” the company explained.
They can be exploited via specially crafted packets (HTTP or HTTPS, Cisco Fabric Services, SNMP, IGMP) and messages (Cisco Discovery Protocol and BGP update messages).
Twelve of the vulnerabilities affect both Cisco FXOS Software and Cisco NX-OS Software and the remaining vulnerabilities affect only Cisco NX-OS Software. None of the vulnerabilities affect Cisco IOS Software or Cisco IOS XE Software.
There are no workarounds for the vulnerabilities, so administrators should implement the offered updates.
 |
Virus-free. www.avg.com |
The Wi-Fi Alliance today officially launched
—the next-generation Wi-Fi security standard that promises to eliminate all the known security vulnerabilities and wireless attacks that are up today including the dangerous
.
WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and is intended to prevent hackers from eavesdropping on your wireless data.
However, in late last year, security researchers uncovered a severe flaw in the current WPA2 protocol, dubbed
(Key Reinstallation Attack), that made it possible for attackers to intercept, decrypt and even manipulate WiFi network traffic.
Although most device manufacturers patched their devices against KRACK attacks, the WiFi Alliance, without much delay, rushed to finalize and launch WPA3 in order to address WPA2’s technical shortcomings from the ground.
will replace the existing WPA2 that has been around for at least 15 years and widely used by billions of devices every day.
The new security protocol provides some big improvements for Wi-Fi enabled devices in terms of configuration, authentication, and encryption enhancements, making it harder for hackers to hack your Wi-Fi or eavesdrop on your network.
On Monday, the Wi-Fi Alliance launched two flavors of latest security protocol—WPA3-Personal and WPA3-Enterprise—for personal, enterprise, and IoT wireless networks.
Here are some key features provided by the new protocol:
WPA3 provides enhanced protection against offline brute-force dictionary attacks, making it harder for hackers to crack your WiFi password—even if you choose less complex passwords—by using commonly used passwords over and over again.
WPA3 leverages SAE (Simultaneous Authentication of Equals) handshake to offer forward secrecy, a security feature that prevents attackers from decrypting old captured traffic even if they ever learn the password of a network.
WPA3 strengthens user privacy in open networks through individualized data encryption, a feature that encrypts the wireless traffic between your device and the Wi-Fi access point to mitigate the risk of Man-in-the-Middle (MitM) attacks. To prevent such passive attacks, WPA3 could add support for Opportunistic Wireless Encryption (OWE).
Using WPA3 Enterprise, critical Wi-Fi networks handling sensitive information (such as government, , and industrial organizations), can protect their Wi-Fi connections with 192-bit encryption.
Alongside WPA3, the WiFi Alliance has also
a new feature, called
Wi-Fi Easy Connect
, that simplifies the process of pairing smart home gadgets (without any screen or display) to your router.
Wi-Fi Easy Connect is a replacement for Wi-Fi Protected Setup (WPS), which has been considered insecure.
With the support for Easy Connect, you will be able to pair your smart gadget with the router by simply scanning a QR code with your smartphone to have the Wi-Fi credentials automatically sent to the new smart device.
It should be noted that both WPA3 and Wi-Fi Easy Connect will not hit the mainstream right away. In fact, it is going to be a many-years-long process that will require new routers and smart gadgets to support WPA3.
Therefore, WPA2 will not stop working any time soon, and devices with WPA3 support will still be able to connect with devices that use WPA2 for the working of your gadgets, but WPA3 support will eventually become mandatory as adoption grows.
WPA3 is set to roll out later this year and is expected to hit mass adoption in late 2019, when it eventually become a requirement for devices to be considered Wi-Fi certified, according to the WiFi Alliance.
Read the Full Article here: >The Hacker News [ THN ]
Mobile security researchers have discovered unprotected Firebase databases of thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plain text passwords, user IDs, location, and in some cases, financial records such as banking and cryptocurrency transactions.
Google’s Firebase service is one of the most popular back-end development platforms for mobile and web applications that offers developers a cloud-based database, which stores data in JSON format and synced it in the real-time with all connected clients.
Researchers from mobile security firm Appthority discovered that many app developers’ fail to properly secure their back-end Firebase endpoints with firewalls and authentication, leaving hundreds of gigabytes of sensitive data of their customers publicly accessible to anyone.
Since Firebase offers app developers an API server, as shown below, to access their databases hosted with the service, attackers can gain access to unprotected data by just adding “/.json” with a blank database name at the end of the hostname.
Sample API URL:
https://<Firebase project name>.firebaseio.com/<database.json>
Payload to Access:
Data https://<Firebase project name>.firebaseio.com/.json
To find the extent of this issue, researchers scanned over 2.7 million apps and found that more than 3,000 apps—2,446 Android and 600 iOS apps—were leaking a whole 2,300 databases with more than 100 million records, making it a giant breach of over 113 gigabytes of data.
The vulnerable Android apps alone were downloaded more than 620 million times.
Affected apps belong to multiple categories such as telecommunication, cryptocurrency, finance, postal services, ride-sharing companies, educational institutions, hotels, productivity, health, fitness, tools and more.
Researchers also provided a brief analysis, given below, of the obtained data they had downloaded from vulnerable applications.
All this is happening at the first place because Google Firebase service does not secure user data by default, requiring developers to explicitly implement
on all database rows and tables to protect their databases from unauthorized access.
“The only security feature available to developers is authentication and rule-based authorization,” the researchers explain. What’s worse? There are no “third-party tools available to provide encryption for it.”
Researchers claimed they had already contacted Google and provided a list of all vulnerable app databases, and also contacted a few app developers helping them to patch this issue.
Read the Full Article here: >The Hacker News [ THN ]
Google just announced its plan to introduce a new anti-spoofing feature for its Android operating system that makes its biometric authentication mechanisms more secure than ever.
Biometric authentications, like the fingerprint, IRIS, or face recognition technologies, smoothen the process of unlocking devices and applications by making it notably faster and secure.
Although biometric systems also have some pitfalls that are not hidden from anyone, as it has been proven multiple times in the past that most biometric scanners are vulnerable to spoofing attacks, and in most cases fooling them is quite easy.
Google announced today a better model to improve biometric security, which will be available from Android P, allowing mobile app developers to integrate an enhanced mechanism within their apps to keep users’ data safe.
Currently, the Android biometric authentication system uses two metrics—False Accept Rate (FAR) and False Reject Rate (FRR)—in combination with machine learning techniques to measure accuracy and precision of the user’s input.
In brief, ‘False Accept Rate’ defines how often the biometric model accidentally classifies an incorrect input as belonging to the targeted user, while ‘False Reject Rate’ records how often a biometric model accidentally classifies the user’s biometric as incorrect.
However, Google says none of the given metrics is capable enough to precisely identify if biometric data entered by a user is an attempt by an attacker to make unauthorized access using any spoofing or impostor attack.
In an attempt to resolve this issue, in addition to FAR and FRR, Google has now introduced two new metrics—Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR)—that explicitly account for an attacker in the threat model.
“As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme,” Vishwath Mohan, a security engineer with Google Android team, says.
“Spoofing refers to the use of a known-good recording (e.g., replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user’s biometric (e.g., trying to sound or look like a target user).”
Based upon user’s biometric input, the values of SAR/IAR metrics define if it is a “strong biometric” (for values lower than or equal to 7%), or a “weak biometric” authentication (for values higher than 7%).
While unlocking your device or an application, if these values fall under weak biometric, Android P will enforce strict authentication policies on users, as given below:
Besides this, Google will also offer a new easy-to-use BiometricPrompt API that developers can use to set up a robust authentication mechanism in their apps to ensure maximum security of their users by completely blocking weak biometric authentication detected by two newly added metrics.
“BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on,” Mohan said.
“A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices.”
The new feature would positively prevent unauthorized access to devices from thieves, spies and law enforcement agencies as well by locking it down to cripple known methods to bypass biometric scanners.
Read the Full Article here: >The Hacker News [ THN ]