Posted on

Identity and personal data theft account for 64% of all data breaches

Data breaches increased 15% in the first six months of 2016 compared to the last six months of 2015, according to Gemalto.

Breach Level Index

Worldwide, there were 974 reported data breaches and more than 554 million compromised data records in the first half of 2016, compared to 844 data breaches and 424 million compromised data records in the previous six months. In addition, 52% percent of the data breaches in the first half of this year did not disclose the number of compromised records at the time they were reported.

Breach Level Index

The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are a not serious versus those that are truly impactful.

According to the Breach Level Index, more than 4.8 billion data records have been exposed since 2013 when the index began benchmarking publicly disclosed data breaches. For the first six months of 2016, identity theft was the leading type of data breach, accounting for 64% of all data breaches, up from 53% in the previous six months. Malicious outsiders were the leading source of data breaches, accounting for 69% of breaches, up from 56% in the previous six months.

“Over the past twelve months hackers have continued to go after both low hanging fruit and unprotected sensitive personal data that can be used to steal identities,” said Jason Hart, VP and CTO for Data Protection at Gemalto. “The theft of user names and account affiliation may be irritating for consumers, but the failure of organizations to protect sensitive personal information and identities is a growing problem that will have implications for consumer confidence in the digital services and companies they entrust with their personal data.”

Healthcare data breaches increase 25%

Across industries, the healthcare industry accounted for 27% of data breaches and saw its number of data breaches increase 25% compared to the previous six months. However, healthcare represented just 5% of compromised data records versus 12% in the previous six months.

Government accounted for 14% of all data breaches, which was the same as the previous six months, but represented 57% of compromised records.

Financial services companies accounted for 12% of all data breaches, a 4% decline compared to previous six months, but accounted for just 2% of compromised data records.

Retail accounted for 11% of data breaches, and declined 6% versus the previous six months, and accounted for 3% of compromised data records.

Education accounted for 11% of data breaches and represented less than one percent of all compromised records. All other industries represented 16% of data breaches and 16% of compromised data records.

In terms of top three geographic regions for reported data breaches, 79% were in North America, 9% were in Europe, and 8% were in Asia-Pacific.

Breach Level Index

Not all data breaches are equal

As data breaches continue to grow in frequency and size, it is becoming more difficult for consumers, government regulatory agencies and companies to distinguish between nuisance data breaches and truly impactful mega breaches,” said Jason Hart, VP and CTO for Data Protection at Gemalto. “News reports fail to make these distinctions, but they are important to understand because each have different consequences. A breach involving 100 million user names is not as severe as a breach of one million accounts with social security numbers and other personally identifiable information that are used for financial gain.”

“In this increasingly digital world, companies, organizations and governments are storing greater and greater amounts of data that has varying levels of sensitivity. At the same time, it is clear that data breaches are going to happen and that companies need to shift from a total reliance on breach prevention to strategies that help them secure the breach. That is why more focus needs to be understanding what really constitutes sensitive data, where it is stored, and using the best means to defend it. At the end of the day, the best way to protect data is to kill it. That means ensuring user credentials are secured with strong authentication and sensitive data is protected with encryption so it is useless to the thieves.”

via https://ift.tt/2cqENwH

Posted on

Chinese researchers hijack Tesla cars from afar

Tesla car owners are urged to update their car’s firmware to the latest version available, as it fixes security vulnerabilities that can be exploited remotely to take control of the car’s brakes and other, less critical components.

The vulnerabilities were discovered by researchers from Tencent’s Keen Security Lab, and responsibly disclosed to Tesla. The company’s Product Security Team confirmed them, and implemented fixes in the latest version of the firmware.

Tencent’s researchers understandably didn’t reveal details about the flaws, but have provided a video demonstration of the attacks:

VIDEO

They have managed to remotely open various Tesla cars’ sunroof, turn on the blinkers, move the car seat, and open doors, all while the cars were in parking mode. But they have also managed to control windshield wipers, fold the side rearview mirrors, open the trunk, and manipulate the brakes from 12 miles away.

“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars. We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected,” they noted.

“The issue demonstrated is only triggered when the web browser is used (web browser functionality not enabled in Australia). Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly,” a Tesla spokesperson told ZDNet.

The software update fixing the flaws has already been deployed over-the-air, so details about them should soon be revealed.

via https://ift.tt/2cro7F6

Posted on

BBQSQL – Blind SQL Injection Framework

BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.

BBQSQL - Blind SQL Injection Framework

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.

Features

The most important thing to note about BBQSQL is that it doesn’t care about the data or database, whilst most SQL Injection tools are built with specific databases or languages in mind.

  • Exploits Blind SQL Injection Vulnerabilities
  • Semi-Automatic
  • Database Agnostic
  • Versatile
  • Utilises Two Search Techniques (binary_search & frequency_search)
  • Concurrent HTTP requests
  • Config Import/Export
  • Custom Hooks
  • Fast

Usage

Similar to other SQL Injection tools you must provide certain request information for the tool to work, for BBSQL this is:

  • URL
  • HTTP Method
  • Headers
  • Cookies
  • Encoding methods
  • Redirect behavior
  • Files
  • HTTP Auth
  • Proxies

Then specify where the injection is going and what syntax we are injecting.

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

root@darknet:~# bbqsql

    _______   _______    ______    ______    ______   __      

   |       \ |       \  /      \  /      \  /      \ |  \      

   | $$$$$$$\| $$$$$$$\|  $$$$$$\|  $$$$$$\|  $$$$$$\| $$      

   | $$__/ $$| $$__/ $$| $$  | $$| $$___\$$| $$  | $$| $$      

   | $$    $$| $$    $$| $$  | $$ \$$    \ | $$  | $$| $$      

   | $$$$$$$\| $$$$$$$\| $$ _| $$ _\$$$$$$\| $$ _| $$| $$      

   | $$__/ $$| $$__/ $$| $$/ \ $$|  \__| $$| $$/ \ $$| $$_____

   | $$    $$| $$    $$ \$$ $$ $$ \$$    $$ \$$ $$ $$| $$     \

    \$$$$$$$  \$$$$$$$   \$$$$$$\  \$$$$$$   \$$$$$$\ \$$$$$$$$

                     \$$$                \$$$

 

                   _.()._

                .‘         ‘.

               / ‘or ‘1‘=’1  \

               |‘-…___…-‘|

                \    ‘=’    /

                 `‘._____.’`

                  /   |   \

                 /.‘|’.\

              []/‘-.__|__.-‘\[]

                      |

                     []

 

    BBQSQL injection toolkit (bbqsql)        

    Lead Development: Ben Toews(mastahyeti)        

    Development: Scott Behrens(arbit)        

    Menu modified from code for Social Engineering Toolkit (SET) by: David Kennedy (ReL1K)    

    SET is located at: https://https://ift.tt/2d5nDTV

    Version: 1.0              

    

    The 5 Ss of BBQ:

    Sauce, Spice, Smoke, Sizzle, and SQLi

    

 

 

Select from the menu:

 

   1) Setup HTTP Parameters

   2) Setup BBQSQL Options

   3) Export Config

   4) Import Config

   5) Run Exploit

   6) Help, Credits, and About

 

  99) Exit the bbqsql injection toolkit

 

bbqsql>

HTTP Parameters

BBQSQL has many https parameters you can configure when setting up your attack. At a minimum you must provide the URL, where you want the injection query to run, and the method. The following options can be set:

  • files
  • headers
  • cookies
  • url
  • allow_redirects
  • proxies
  • data
  • method
  • auth

You specify where you want the injection query to be inserted by using the template ${injection}. Without the injection template the tool wont know where to insert the query.

You can download BBQSQL here:

bbqsql-v1.1.zip

Or read more here.

via https://ift.tt/2d5meg6

Posted on

324,000 Financial Records with CVV Numbers Stolen From A Payment Gateway

Around 324,000 users have likely had their payment records stolen either from payment processor

BlueSnap

or its customer

Regpack

; however, neither of the company has admitted a data breach.

BlueSnap is a payment provider which allows websites to take payments from customers by offering merchant facilities, whereas RegPack is a global online enrollment platform that uses BlueSnap to process the financial transactions for its online enrollments.

The data breach was initially reported on July 10, when a hacker published a link on Twitter, pointing to a file containing roughly 324,000 records allegedly stolen from Waltham, Massachusetts-based BlueSnap.

The tweet has since been deleted, but Australian security expert Troy Hunt took a copy of it for later review to analyze the data and after analyzing, he discovered that the leaked payment records are most likely legitimate.

Payment Card Data Including CVV Codes Leaked

The data contains users’ details registred between 10 March 2014 to 20 May 2016 and includes names, email addresses, physical addresses, phone numbers, IP addresses, last four digits of credit card numbers, even CVV codes, and invoice data containing details of purchases.

According to Hunt, who owns ‘

Have I Been Pwned

‘ breach notification service, some evidence like file names containing ‘BlueSnap’ and ‘Plimus’ in it suggests that the data comes from BlueSnap.

Plimus is the original name of BlueSnap, which was rebranded after private equity firm Great Hill Partners acquired it for $115Million in 2011.

However, since April 2013, Regpack has been using BlueSnap’s payment platform, it could be possible that the stolen data has come from Regpack.

“We have got 899 totally separate consumers of the Regpack service…who send their data direct to Regpack who pass payment data onto BlueSnap for processing,” Hunt explained in a blog post

“Unless I am missing a fundamental piece of the workflow… it looks like accountability almost certainly lies with one of these two parties.”

Whatever the source is, but the primary concern here is that more than 320,000 stolen users financial information is floating around the web.

Although the payment data does not contain full credit card numbers, as Hunt stressed, cyber criminals can still misuse the compromised information, particularly the CVV codes that are highly valuable payment data, which can be used to conduct “card not present” transactions.

Also, the last four digit of any user’s credit card number can also be used for identity verification that’s very useful in conducting social engineering attacks.

Hunt contacted BlueSnap as well as Regpack, but they both denied suffering a data breach. He has also loaded as many as 105,000 email addresses into

Have I Been Pwned

, so you can search for your address on the site to check whether you are impacted by the breach.

via https://ift.tt/2cTuPXt

Posted on

PunkSPIDER – A Web Vulnerability Search Engine

PunkSPIDER is a global-reaching web vulnerability search engine aimed at web applications. The goal is to allow the user to determine vulnerabilities in websites across the Internet quickly, easily, and intuitively. Please use PunkSPIDER responsibly.

PunkSPIDER - A Web Vulnerability Search Engine

In simple terms, that means the authors have created a security scanner and the required architecture that can execute a large number of web application vulnerability scans: all at the same time. The tool, or rather arsenal, works off an Apache Hadoop cluster and can handle tens of thousands of scans.

How Can I See if a Website I Use is Vulnerable?

Searching for a specific website is easy! If you know the URL of your site you can simply type the URL in the search box (without https or https) and find your website. Once there you will be presented with the number of vulnerabilities present on the site.

Let’s try an example together, let’s say you’re looking to check if our the New York Times website https://www.nytimes.com is vulnerable. You could type in www.nytimes.com in the search bar, and you should receive a result back that looks like the following:

www.nytimes.com

Scanned: 20140518T12:30:55.000055Z

bsqli:0 | sqli:0 | xss:0 | trav:0 | mxi:0 | osci:0 | xpathi:0 | Overall Risk:0

The first line gives you the domain of the result. The timestamp field on line 2 is the time that the site was added to our system. Below that is the interesting part, the total number of vulnerabilities found on the website. If you’re non-technical, you can ignore almost every part of that and just look at the Overall Risk field – this will tell you the risk of visiting a website.

As a rule of thumb anything with an Overall Risk of 1 should make you very wary, anything with an Overall Risk of greater than 1 you should stay away from entirely.

What Types of Vulnerabilities does PunkSPIDER Map?

Check it out here:

https://ift.tt/1EVyh7U

via https://ift.tt/2c7q5fF

Posted on

Security Frameworks Based Auditing with Nessus

How many security frameworks or compliance standards does IT need? If you ask compliance professionals, the answer would be, “Oh, just one more.” If you ask any IT professional, the most likely answer would be, “Oh gosh, not one more!” And yet organizations have been inundated with compliance standards; and it’s not always clear how well they comply or how good their internal processes are when stacked up against industry-wide accepted standards.

In general, security standards all attempt to do very similar things. Namely, wrapping some sort of structure around processes and helping to define a baseline posture. Some standards take a general and all-encompassing road, while others attempt to focus on a particular technical area or business sector. Because of this, a natural and significant overlap emerges.

Security standards all attempt to do very similar things … Because of this, a natural and significant overlap emerges

For example, take asset inventory recommendations. Many standards have a section devoted to inventory management, which has been well documented by experienced professionals as a key first step in assessing risk. NIST 800-53 defines some of this in section CM-8, CSC in CSC-1, the NIST Cybersecurity Framework (CSF) uses ID.AM-1, and so on. In fact, the overlap is so common that CSF includes a whole section devoted to which standards each of its controls map to.

The overlap may seem initially like a weakness, but quickly proves to be the opposite. If you look at the overlap as redundancy-not-wastefulness the strength of this overlap comes into focus. The redundant items across standards begin to take on the tone of a common language, and from there the small differences between industries or departments become manageable edge cases and outliers.

Compliance standards and Tenable audit files

The majority of the Nessus® compliance audit files and the checks within can be traced directly back to a benchmark or other source document such as a DISA STIG (Defense Information Systems Agency, Security Technical Implementation Guide) or CIS (Center for Internet Security) guide. These source documents lay out the items that should be tested and the specific values that have been deemed acceptable. These source documents didn’t just appear out of nowhere; in most cases, they grew from an attempt to turn the general structures in one (or more) of the security standards into actionable items.

For example, here’s a check from the CIS Windows 7 Configuration Benchmark:

1.1.1 Enforce password history

which in turn maps directly to NIST 800-53 control IA-5, PCI-DSS item 8.2.5 and CSF section PR.AC-1 and many others as you can see in the example below. There are countless such examples throughout the audit files.

<custom_item>
  type    	: PASSWORD_POLICY
  description : "1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'"
    see_also : "https://ift.tt/2cHmEwR;
  reference : "800-53|IA-5,HIPAA|164.308(a)(5)(ii)(D),PCI-DSSv3.1|8.2.5,800-171|3.5.10,800-171|3.5.7,800-171|3.5.8,800-171|3.5.9,CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3"
  value_type  : POLICY_DWORD
  value_data  : [24..MAX]
  password_policy : ENFORCE_PASSWORD_HISTORY
</custom_item>

Cross-references in Nessus audit files

Over the last few months, Tenable has invested time in adding extensive compliance cross-references across all the audit files, in both Nessus and SecurityCenter™. So for example, if you run a CIS Benchmark Compliance scan as part of your normal process, you will also be collecting information in relation to NIST 800-53, CIS CSC and ISO 27001 at the same time. All of these results are immediately available, attached to each check result when your scan has completed, and then you can run more specific SecurityCenter dashboards for the relevant standards.

Standards cross-referenced in Nessus audits

Currently, Tenable has also added cross-references to Nessus audits for many different standards, ranging from general ones like NIST 800-53 and ISO 27001 to industry-specific standards like NERC CIP. Keep in mind though, that not every audit item maps to every other standard. Only those items that are specifically related to a given control within a standard have been assigned a cross-reference.

Here’s a short list of standards for which cross-references have been added:

Benefits to end users

Even if your specific environment is only concerned with one or two security standards, having the ability to communicate outward to partners or outside organizations will often pay dividends. The cross-reference enables you to communicate internally in terms that different audiences find useful. The cross-reference gives you the ability to speak in terms of PCI to compliance teams, NIST 800-53 to technical and security groups, and ISO 27001 to policy makers and executives. 

Here’s a sample SecurityCenter NIST 800-53 Dashboard using the 800-53 cross-references:

NIST 800-53 Dashboard

Wrap-up

While working with standards isn’t likely to replace a good movie or book as your first choice for a lazy weekend, if we take a step back and forget all the times that standards have been misused as an insurmountable roadblock, you might see something interesting that can improve your security posture.

via https://ift.tt/2cEj4Cb

Posted on

Massive Data Breach Exposes 6.6 Million Plaintext Passwords from Ad Company

Another Day, Another Data Breach! And this time, it’s worse than any recent data breaches.

Why?

Because the data breach has exposed plaintext passwords, usernames, email addresses, and a large trove of other personal information of more than 6.6 Million ClixSense users.

ClixSense, a website that claims to pay users for viewing advertisements and completing online surveys, is the latest victim to join the list of “

Mega-Breaches

” revealed in recent months, including

LinkedIn

,

MySpace

,

VK.com

,

Tumblr

, and

Dropbox

.

Hackers are Selling Plaintext Passwords and Complete Website Source Code

More than 2.2 Million people have already had their personal and sensitive data posted to PasteBin over the weekend. The hackers who dumped the data has put another 4.4 Million accounts up for sale.

In addition to un-hashed passwords and email addresses, the dump database includes first and last names, dates of birth, sex, home addresses, IP addresses, payment histories, and other banking details of Millions of users.

Troy Hunt, operator of

Have I Been Pwned

? breach notification service, verified the authenticity of the data taken from ClixSense.

Besides giving away 4.4 Million accounts to the highest bidder, the hackers are also offering social security numbers of compromised users, along with the complete source code of the ClixSense website and “70,000 emails” from the company’s internal email server, according to a Pastebin message advertising the stolen database.

PasteBin has since removed the post as well as the sample of the compromised database that contained user account information.

Here’s How Hackers Hacked ClixSence:

ClixSense

admitted

the data breach and said some unknown hackers were able to get access to its main database through an old server which the firm was no longer using, but at the time, still networked to its main database server.

After gaining access, the hacker was able “to copy most, if not all” of the ClixSense users table, ran SQL code to change account names to “hacked account,” deleted several forum posts, as well as set account balances of users to $0.00.

While talking to

Ars Technica

, ClixSense owner Jim Grago admitted that the database contained entries for roughly 6.6 Million accounts and that the company became aware of the breach on September 4 and managed to regain control of their DNS over the weekend.

“This all started last Sunday, September 4th about 5 am EST when my lead developer called me and said ClixSense was redirecting to a gay porn site. The hackers were able to take over our DNS and setup the redirection,” Grago wrote.
“On Monday (Labor day) they were able to hack into our hosting provider and turned off all of our servers, hacked into our Microsoft Exchange server and changed the passwords on all of our email accounts. On Tuesday they were able to gain access to a server that was directly connected to our database server and get a copy of our users table.”

Change Your Passwords and Security Questions Now

Users are strongly advised to change their passwords for ClixSence account immediately, and it would also be a good idea to reset passwords for all of your other online services, especially those using the same passwords.

Since ClixSense uses a large trove of personal information on its users, make sure you change your security questions, if it uses any of the information you provided to ClixSense, such as your address, date of birth, or other identifying information.

Moreover, I recommend you to use a

good password manager

to create strong and complex passwords for your different online accounts, and it will remember all of them on your behalf.

I have listed some of the

best password managers

that could help you understand the importance of password manager and choose one according to your requirement.

via https://ift.tt/2cNjnbk

Posted on

PCI Council wants more robust security controls for payment devices

The PCI Council has updated its payment device standard to enable stronger protections for cardholder data, which includes the PIN and the cardholder data (on magnetic stripe or the chip of an EMV card) stored on the card or on a mobile device.

payment devices

Specifically, version 5.0 of the PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements emphasizes more robust security controls for payment devices to prevent physical tampering and the insertion of malware that can compromise card data during payment transactions.

The updates are designed to stay one step ahead of criminals who continue to develop new ways to steal credit and debit card data from cash machines, in-store and unattended terminals and mobile devices used for payment transactions. Payment devices that directly consume magnetic stripe information from customers remain a top target for data theft, according to the 2016 Data Breach Investigation Report from Verizon.

“Criminals constantly attempt to break security controls to find ways to exploit data. We continue to see innovative skimming devices and new attack methods that put cardholder data at risk for fraud,” said PCI Security Standards Council CTO Troy Leach. “Security must continue to evolve to defend against these threats. The newest PCI standard for payment devices recognizes this challenge by requiring protections against advancements in attack techniques.”

A summary of PCI PTS POI Modular Security Requirements version 5.0 updates are available here.

Vendors can begin using PCI PTS POI Modular Security Requirements version 5.0 now for payment device evaluations. Version 4.1 will retire in September 2017 for evaluations of new payment devices.

“With EMV chip the industry is improving protections against skimming and other attacks to reduce fraud,” added PCI Security Standards Council General Manager Stephen Orfei. “But no technology is bulletproof. In this ongoing battle against criminal attacks, we must continue to adapt the way we secure payments. With the latest PCI device standard, PCI is driving the evolution of global industry data security standards that protect payment transactions now and in the future.”

via https://ift.tt/2cStf71

Posted on

New MySQL Zero Days — Hacking Website Databases

Two critical zero-day vulnerabilities have been discovered in the world’s 2nd most popular database management software MySQL that could allow an attacker to take full control over the database.

Polish security researcher Dawid Golunski has discovered two zero-days, CVE-2016-6662 and CVE-2016-6663, that affect all currently supported MySQL versions as well as its forked such as MariaDB and PerconaDB.

Golunski further went on to publish details and a

proof-of-concept exploit

code for CVE-2016-6662 after informing Oracle of both issues, along with vendors of MariaDB and PerconaDB.

Both MariaDB and PerconaDB had fixed the vulnerabilities, but Oracle had not.

The vulnerability (CVE-2016-6662) can be exploited by hackers to inject malicious settings into MySQL configuration files or create their own malicious ones.

Exploitation Vector?

The above flaw could be exploited either via SQL Injection or by hackers with authenticated access to MySQL database (via a network connection or web interfaces like phpMyAdmin).

“A successful exploitation [of CVE-2016-6662] could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running,” Golunski explained in an advisory published today.

This could result in complete compromise of the server running the affected MySQL version.

The researcher also warned that the vulnerability could be exploited even if SELinux or AppArmor Linux kernel security module is enabled with default active policies for MySQL service on the major Linux distributions.

The flaw actually resides in the mysqld_safe script that is used as a wrapper by many MySQL default packages or installations to start the MySQL service process.

The mysqld_safe wrapper script is executed as root, and the primary mysqld process drops its privilege level to MySQL user, Golunski examined.

“If an attacker managed to inject a path to their malicious library within the config, they would be able to preload an arbitrary library and thus execute arbitrary code with root privileges when MySQL service is restarted (manually, via a system update, package update, system reboot, etc.)”

The researcher will soon release details and full exploit code for CVE-2016-6663, the flaw that allows low-privileged attackers to make exploitation trivial.

Golunski reported the zero-day flaws to Oracle on July 29 and other affected vendors on July 29.

While Oracle acknowledged and triaged the report, scheduling the next Oracle CPUs for October 18, 2016, MariaDB and PerconaDB patched their versions of the database software before the end of August.

Since more than 40 days have passed and the two vendors released the patches to fix the issues, Golunski said he decided to go public with the details of the zero-days.

via https://ift.tt/2clFaHA

Posted on

The Limits of SMS for 2-Factor Authentication

A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.

2faMark Cobb, a computer technician in Reno, Nev., said had his daughter fallen for the ruse, her Gmail account would indeed have been completely compromised, and she really would have been locked out of her account because the crooks would have changed her password straight away.

Cobb’s daughter received the scam text message because she’d enabled 2-factor authentication on her Gmail account, selecting the option to have Google request that she enter a 6-digit code texted to her cell phone each time it detects a login from an unknown computer or location (in practice, the code is to be entered on the Gmail site, not sent in any kind of texted or emailed reply).

In this case, the thieves already had her password — most likely because she re-used it on some other site that got hacked. Cobb says he and his daughter believe her mobile number and password may have been exposed as part of the 2012 breach at LinkedIn.

In any case, the crooks were priming her to expect a code and to repeat it back to them because that code was the only thing standing in the way of their seizing control over her account. And they could control when Google would send the code to her phone because Google would do this as soon as they tried to log in using her username and password. Indeed, the timing aspect of this attack helps make it more believable to the target.

This is a fairly clever — if not novel — attack, and it’s one I’d wager would likely fool a decent percentage of users who have enabled text messages as a form of two-factor authentication. Certainly, text messaging is far from the strongest form of 2-factor authentication, but it is better than allowing a login with nothing more than a username and password, as this scam illustrates.

Nevertheless, text messaging codes to users isn’t the safest way to do two-factor authentication, even if some entities — like the U.S. Social Security Administration and Sony’s Playstation network — are just getting around to offering two-factor via SMS.

But don’t take my word for it. That’s according to the National Institute of Standards and Technology (NIST), which recently issued new proposed digital authentication guidelines urging organizations to favor other forms of two-factor — such as time-base one-time passwords generated by mobile apps — over text messaging. By the way, NIST is seeking feedback on these recommendations.

If anyone’s interested, Sophos’s Naked Security blog has a very readable breakdown of what’s new in the NIST guidelines. Among my favorite highlights is this broad directive: Favor the user.

“To begin with, make your password policies user friendly and put the burden on the verifier when possible,” Sophos’s Chester Wisniewski writes. “In other words, we need to stop asking users to do things that aren’t actually improving security.” Like expiring passwords and making users change them frequently, for example.

Okay, so the geeks-in-chief are saying it’s time to move away from texting as a form of 2-factor authentication. And, of course, they’re right, because text messages are a lot like email, in that it’s difficult to tell who really sent the message, and the message itself is sent in plain text — i.e. is readable by anyone who happens to be lurking in the middle.

But security experts and many technology enthusiasts have a tendency to think that everyone should see the world through the lens of security, whereas most mere mortal users just want to get on with their lives and are perfectly content to use the same password across multiple sites — regardless of how many times they’re told not to do so.

Google's new push-based two-factor authentication system. Image: Google.

Google’s new push-based two-factor authentication system. Image: Google.

Indeed, while many more companies now offer some form of two-factor authentication than did two or three years ago — consumer adoption of this core security feature remains seriously lacking. For example, the head of security at Dropbox recently told KrebsOnSecurity that less than one percent of its user base of 500 million registered users had chosen to turn on 2-factor authentication for their accounts. And Dropbox isn’t exactly a Johnny-come-lately to the 2-factor party: It has been offering 2-factor logins for a full four years now.

I doubt Dropbox is somehow an aberration in this regard, and it seems likely that other services also suffer from single-digit two-factor adoption rates. But if more consumers haven’t enabled two-factor options, it’s probably because a) it’s still optional and b) it still demands too much caring and understanding from the user about what’s going on and how these security systems can be subverted.

Personally, I favor app-based time-based one-time password (TOTP) systems like Google Authenticator, which continuously auto-generates a unique code via a mobile-based app.

Google recently went a step further along the lines of where I’d like to see two-factor headed across the board, by debuting a new “push” authentication system that generates a prompt on the user’s mobile device that users need to tap to approve login requests. This is very similar to another push-based two-factor system I’ve long used and trusted — from Duo Security [full disclosure: Duo is an advertiser on this site].

For a comprehensive breakdown of which online services offer two-factor authentication and of what type, check out twofactorauth.org. And bear in mind that even if text-based authentication is all that’s offered, that’s still better than nothing. What’s more, it’s still probably more security than the majority of the planet has protecting their accounts.

Tags: , , , , , , , , ,


This entry was posted on Wednesday, September 7th, 2016 at 9:29 pm and is filed under Other.
You can follow any comments to this entry through the RSS 2.0 feed.

You can skip to the end and leave a comment. Pinging is currently not allowed.

via https://ift.tt/2bV8Mhy