Uber security flaw allows hackers to bypass two-factor authentication

Security researcher Karan Saini of New Delhi has reported a bug that allows criminals to bypass two-factor authentication. The Uber security flaw is related to account authentication when the user logs in: 2FA requires a person not only to submit the username and password but also to enter a unique code that is sent to his/her phone.

Read the Full Article here: >Computer Security News

Facebook, Microsoft announce new privacy tools to comply with GDPR

In four months the EU General Data Protection Regulation (GDPR) comes into force, and companies are racing against time to comply with the new rules (and avoid being brutally fined if they fail).

One of the things that the regulation mandates is that EU citizens must be able to get access to their personal data held by companies and information about how these personal data are being processed.


Facebook users to get new privacy center

With that in mind, Facebook is getting ready to roll out a new global privacy center, through which users will be able to tweak core privacy settings for Facebook. This should make it easier for users to manage their data, i.e., make informed choices about their privacy.

“Our apps have long been focused on giving people transparency and control and this gives us a very good foundation to meet all the requirements of the GDPR and to spur us on to continue investing in products and in educational tools to protect privacy,” Sandberg said at a Facebook event in Brussels on Tuesday.

Microsoft users get diagnostic data viewer and updated privacy dashboard

Microsoft has already added a new Activity History page to the Microsoft Privacy Dashboard. Through this page, users can see what data are saved with their Microsoft account and adjust privacy settings on their device or browser.

In the coming months, users will be given the ability to view and manage media consumption data, product and service activity, export any of the data they see on the dashboard and delete specific items. (GDPR also mandates data portability and right to erasure of personal data).

The Windows Diagnostic Data Viewer, currently available only to Windows Insiders, is set to be introduced to the broader Windows user base with the release of Windows 10 Redstone 4 in March or April.

Through this tool, Windows users will be able to see and search all Windows diagnostic data that’s in the Microsoft cloud related to their specific device.


This will include:

  • Common data (OS name, version, device ID, etc.)
  • Device Connectivity and Configuration data (device properties and capabilities, preferences and settings, peripherals, and device network information)
  • Product and Service Performance data (device health, performance and reliability data, movie consumption functionality on the device and device file queries). “It’s important to note that this functionality is not intended to capture user viewing or listening habits,” says Marisa Rogers, Privacy Officer with Microsoft’s Windows and Devices Group.
  • Product and Service Usage data (device, OS, applications, services).
  • Software Setup and Inventory (installed applications and install history, device update information).

Read the Full Article here: >Help Net Security – News

WhatsApp Vulnerability

maqp • January 25, 2018 5:50 PM

@Afrin, (and Moxie)

“If someone hacks the WhatsApp server, they can obviously alter the group membership.”

This “duh, obviously the proprietary app using the Signal protocol has a problem where the Signal spec differs from the original open source library in a way that gives the server the ability to add contacts that can eavesdrop on communication” is so obvious. How could I have assumed anything different after Moxie said WhatsApp uses the same protocol as Signal.

“All group members will see that the attacker has joined. There is no way to suppress this message.”

Moxie misses the fact that some group chats consist of communities where not everyone knows each other. While such groups do have different expectations of privacy for messages, that’s no reason not to have security from nation states. And it’s not impossible to join without anyone noticing, especially since the attacker can forge to each user a message about who added them. Nobody’s going to tell everyone to be quiet and interrogate the new buddy of a buddy. Very few actually care about what they share in a group if they don’t know them IRL. It’s easy not to think about those contacts.

“I think it would be better if the server didn’t have metadata visibility into group membership, but that’s a largely unsolved problem”

Metadata about who’s in the group isn’t the problem here. Ability to add members to group is.

“In contrast, Telegram does no encryption at all for group messages”

True. But this is also whataboutism. We should not tolerate Durov’s “Signal is funded by the US government” accusations, and we shouldn’t accept pointing fingers from Moxie’s side when discussing this issue. This was a screw-up from WhatsApp developers, not Moxie, and I don’t understand why he would stand behind their backs.

“There’s no way to publish an academic paper about that, though, because there’s no attack to describe, because there’s no encryption to begin with.”

It was only this week that Tinder made the headlines for not using any encryption at all. Also, there was no attack to describe in Signal, yet somehow they managed to publish a formal Signal audit. It probably didn’t make the headlines back in 2016 but is even today extremely valuable proof of security. An audit that makes note of Telegram’s crappy TLS group messaging would not only convince some users, it could also be used as a source in debates, and there’s a chance it could make headlines. One big issue with Telegram currently is its outdated evaluations. It’s not clear which protocol versions the audits apply to or which attacks, like the infamous 64-bit precomputation MITM attack, still apply to the client.

“don’t build security into your products, because that makes you a target for researchers, even if you make the right decisions, and regardless of whether their research is practically important or not”

There’s nothing overly impractical about this attack. We consider Telegram’s encryption broken when all it lacks is semantic security (IND-CCA). All this means is you can edit ciphertext without changing what it decrypts into. That’s no different from messing with imaginary ECC bundled into ciphertext. So, why don’t we consider a protocol (implementation) broken when there’s a good chance several end-to-end encrypted messages might leak to an adversary who is able to join the conversation?

It’s true it’s hard to write stories about Telegram that raise eyebrows, especially with media fixated on Durov as a celebrity. But if enough experts agree on how Durov’s claims about distributed cross-jurisdictional encrypted cloud storage are full of shit, it might change things.

“It’s much more effective to be Telegram: just leave cryptography out of everything, except for your marketing.”

This sums up my feelings about Telegram exactly. Everything they do could work on the Signal protocol. But it’s too easy to beat the competition for an ignorant user-base with invisible insecurity that enables much faster message delivery and feature development.

Read the Full Article here: >Schneier on Security: Cybercrime Paper

Alphabet enters enterprise cybersecurity market, launches Chronicle

Google’s parent company Alphabet has announced its entry into the lucrative enterprise cybersecurity market through Chronicle, a company started in early 2016 as a project at X, Alphabet’s “moonshot factory.”


Chronicle has now “graduated” to the status of an independent company within Alphabet, and is led by Stephen Gillett, formerly an executive-in-residence at Google Ventures and Chief Operating Officer of Symantec.

VirusTotal, a malware intelligence service acquired by Google in 2012, will become a part of the new company, but Chronicle will also offer a new product.

Intelligence and analytics platform

They are still tight-lipped about it, but what we know so far is that they are developing a cybersecurity intelligence and analytics platform. The platform’s task will be to help enterprises quickly and easily manage and understand massive amounts of their own security-related data so that they can stop cyber attacks before they do any damage.

“At large companies, it’s not uncommon for IT systems to generate tens of thousands of security alerts a day. Security teams can usually filter these down to about a few thousand they think are worth investigating — but in a day’s work, they’re lucky if they can review a few hundred of them. Conversely, many investigations are hampered by the gaps in available information, simply because the cost of storing all the relevant data is increasing far faster than a typical organization’s budget,” Gillett noted in a blog post.

Chronicle’s cloud-based platform will run on Alphabet’s powerful and scalable server infrastructure, will offer advanced search capabilities, and will leverage machine learning to find patterns in vast volumes of data that aren’t easily spotted by humans.

According to Gillett, a number of Fortune 500 companies are already testing a preview release of the platform.

He also pointed out that, while the company is part of Alphabet, they will have their own contracts and data policies with their customers.

Read the Full Article here: >Help Net Security – News

The moving target of IoT security

As the explosive growth of IoT tech continues, businesses, vendors and consumers all have to confront the fact that the world is more connected than ever before, with potentially gigantic consequences. The central problem with IoT security is that there is no central problem – IoT is a more complicated stack than traditional IT infrastructure and is much more likely to be made up of hardware and software from different sources.

Read the Full Article here: >Computer Security News

PCI Council sets security requirements for mobile point of sale solutions

The PCI Security Standards Council has announced a new PCI Security Standard for software-based PIN entry on commercial off-the-shelf (COTS) devices such as smartphones and tablets.


What are we talking about here?

Stores that offer customers the possibility to purchase things with their payment card usually have a hardware terminal and PIN entry device. But this can be too pricey an option for small merchants in markets that require EMV chip-and-PIN acceptance.

A cheaper option is to get a cost-efficient card reader and connect it to a smartphone or tablet equipped with a secure PIN entry application.

But securing the PIN and account data is of crucial importance, and that’s why the PCI Council has developed this new standard.

The PCI Software-Based PIN Entry (SPoC) Standard

The SPoC Standard actually consists of two documents: the Security Requirements and the Test Requirements.

The former document has already been published, and is aimed at entities developing PIN CVM (cardholder verification method) applications, evaluator labs, assessors and organizations managing and deploying PIN CVM solutions.

The Test Requirements, scheduled to be published next month, provide validation mechanisms for payment security laboratories to evaluate the security of software-based PIN Entry solutions.

Solutions that pass the tests will be listed on the PCI SSC website for merchant use.

Key security principles of the SPoC Standard

There are several:

  • The PIN must be isolated from other account data within the COTS device
  • The PIN and account data must be protected by using a PCI approved Secure Card Reader for PIN (SCRP), which can encrypt and maintain confidentiality of account data
  • The security and integrity of the PIN entry application on the COTS device must be ensured (via software development, good release practices, and software protection against attack).

“For the SPoC Standard, we have introduced the requirement for a back-end monitoring system for additional external security controls such as attestation (to ensure the security mechanisms are intact and operational), detection (to notify when anomalies are present) and response (controls to alert and take action) to address anomalies,” adds PCI SSC Chief Technology Officer Troy Leach.

“More and more businesses are now accepting payments with smartphones, tablets and other COTS devices, especially within the small business community. The PCI SSC Software-Based PIN Entry Solution listing will provide these merchants with a resource for selecting PIN entry solutions that have been evaluated and tested by payment security laboratories, and their customers will benefit by having the best available protection for their payment data.”

Read the Full Article here: >Help Net Security – News

Download: 2018 Cybersecurity Checklist

Today’s attacks are spreading faster, evolving quicker, and evading even the most widely used security solutions. But that doesn’t mean you can’t fight back. Get practical recommendations for preventing and mitigating the latest attacks with this free checklist.


Get actionable suggestions on how to:

  • Prevent compromise in the first place by defending against the most popular attack vectors
  • Mitigate post-exploitation activities like privilege escalation and lateral movement attempts
  • Know when attackers attempt to launch malicious code from memory or make changes to the registry
  • Make it more difficult for attackers to “live off the land” by abusing tools like PowerShell and WMI.

Read the Full Article here: >Help Net Security – News

Critical Flaw Hits Popular Windows Apps Built With Electron JS Framework

A critical remote code execution vulnerability has been reported in Electron, a popular web application framework that powers thousands of widely used desktop applications including Skype, Signal, WordPress and Slack.

Electron is an open-source framework that is based on Node.js and Chromium Engine and allows app developers to build cross-platform native desktop applications for Windows, macOS and Linux, without knowledge of programming languages used for each platform.

The vulnerability, assigned CVE-2018-1000006, affects only those apps that run on Microsoft Windows and register themselves as the default handler for a protocol like myapp://.

"Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API," Electron says in an advisory published Monday.

The Electron team has also confirmed that applications designed for Apple’s macOS and Linux are not vulnerable to this issue, nor are those (including Windows apps) that do not register themselves as the default handler for a protocol like myapp://.

The Electron developers have already released two new versions of their framework, i.e. 1.8.2-beta.4, 1.7.11, and 1.6.16 to address this critical vulnerability.

"If for some reason you are unable to upgrade your Electron version, you can append `--` as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options," the company says.
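To show why the trailing `--` matters, here is an added example (not Electron's own code and not from the advisory) that models the Windows handler command line a protocol registration produces and a simplified version of Chromium's switch parsing, so the weak and hardened registrations can be compared. It assumes a hypothetical scheme `myapp` and the command template `"<exe>" <args...> "%1"`; no Electron API is called.

```javascript
// Added example: effect of the "--" switch terminator on a protocol-handler launch.
// Assumptions: hypothetical scheme "myapp"; Windows command template "<exe>" <args...> "%1".

// Arguments to pass as the third parameter of app.setAsDefaultProtocolClient.
function hardenedProtocolArgs(extraArgs = []) {
  // "--" is Chromium's switch terminator: everything after it is positional.
  return extraArgs.includes('--') ? extraArgs : [...extraArgs, '--'];
}

// Render the handler command line that the registration would write.
function handlerCommand(execPath, args) {
  return [execPath, ...args, '%1'].map((a) => `"${a}"`).join(' ');
}

// Minimal model of Chromium command-line splitting: "--name[=value]" tokens
// are switches until a bare "--" is seen; after that every token is positional.
function splitCommandLine(argv) {
  const switches = {};
  const positional = [];
  let terminated = false;
  for (const token of argv.slice(1)) { // argv[0] is the executable itself
    if (!terminated && token === '--') { terminated = true; continue; }
    if (!terminated && token.startsWith('--')) {
      const body = token.slice(2);
      const eq = body.indexOf('=');
      const name = eq === -1 ? body : body.slice(0, eq);
      switches[name] = eq === -1 ? '' : body.slice(eq + 1);
    } else {
      positional.push(token);
    }
  }
  return { switches, positional };
}

// Simulate the handler being launched with a given value substituted for %1.
function simulateLaunch(registeredArgs, urlValue) {
  return splitCommandLine(['myapp.exe', ...registeredArgs, urlValue]);
}

// Constructed inputs: an ordinary deep link and a value shaped like a switch.
const NORMAL_URL = 'myapp://open?id=42';
const SWITCH_SHAPED = '--some-switch=1';

function demo() {
  const weak = [];                            // registration without "--"
  const hardened = hardenedProtocolArgs([]);  // registration with "--"
  return {
    weakNormal: simulateLaunch(weak, NORMAL_URL),
    weakSwitchShaped: simulateLaunch(weak, SWITCH_SHAPED),     // parsed as a switch
    hardenedSwitchShaped: simulateLaunch(hardened, SWITCH_SHAPED), // stays positional
    command: handlerCommand('C:\\Program Files\\MyApp\\myapp.exe', hardened),
  };
}
```

The hardened registration leaves whatever replaces `%1` as a positional argument, which is the property the advisory's workaround relies on.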

End users can do nothing about this vulnerability; instead, developers using the Electron framework have to upgrade their applications immediately to protect their user base.

Not many details of the remote code execution vulnerability have been disclosed yet, and the advisory did not name any of the vulnerable apps (those that make themselves the default protocol handler) for security reasons.

We will update you as soon as any details about the flaw come out.

Read the Full Article here: >The Hacker News [ THN ]