Certificate authority Comodo CA is expanding out of its traditional area to launch a new platform designed to secure Internet of Things devices. Hackers increasingly target IoT devices that have no security embedded and exposed vulnerabilities.
Read the Full Article here: >Computer Security News
Flexera released Vulnerability Review 2018: Top Desktop Apps, part of the annual report series from Secunia Research. This new edition focuses on heavily used desktop applications, which can be easily breached through the Internet.
“Companies are in desperate need to improve patching so they can reduce risk. Ultimately that means creating a smart process,” said Kasper Lindgaard, Senior Director of Research and Security at Flexera. “To do that you have to cut through the noise – not all software updates are security related, and not all security updates are equally critical. Having patching processes, supported by best-in-class technologies, gives you the visibility and intelligence you need to prioritize and act decisively.”
Security professionals need to pay close attention to desktop applications because most vulnerabilities found in these types of apps can be extremely dangerous. Whenever new vulnerabilities are reported, Secunia Research issues Advisories assessing their criticality, attack vector and solution status. This allows desktop admins to identify and prioritize critical security patches. Without such information, operation teams struggle to keep up with a the large amount of patches.
In 2017, 83 percent of the Secunia Advisories covering the top desktop applications were rated “Extremely” or “Highly” critical (compared to only 17 percent when you look at Secunia Advisories across all software applications ranked).
Moreover, desktop applications are extremely vulnerable to attack via the Internet, making them attractive targets. 94 percent of advisories relating to desktop apps could be exploited through the Internet, without any interaction with the user, or the need for them to take any action.
The report also cautions users who incorrectly believe that Microsoft’s automated updates will shield them from vulnerability risk. In fact, the majority of desktop app vulnerabilities occur in non-Microsoft applications. 65 percent of the vulnerabilities reported in the 50 most common desktop applications were found in non-Microsoft apps.
“Organizations can improve security patching in just three steps,” added Lindgaard. “First, arm desktop admins with security Key Performance Indicators to keep security patching a high priority. Second, create an inventory of desktop apps to make installing a patch easier. Finally, put prioritization and sourcing patches on a schedule, so patches are consistently monitored and applied quickly.”
The key takeaway? When armed with vulnerability intelligence, IT professionals can get ahead of security risks with patches for almost all vulnerabilities affecting the most common desktop applications.
Read the Full Article here: >Help Net Security – News
Distil Networks analyzed over 100 million mobile devices on its networks. The findings suggest that sophisticated cybercriminals and bot operators now implement a new technique—leveraging mobile devices – to avoid detection and execute a number of nefarious acts. At this time, 5.8 percent of all mobile devices across six major cellular networks are used in such automated attacks and represent eight percent of all bad bot traffic.
This bad bot traffic is purposefully deployed against any business with a web presence to carry out acts that include web scraping, brute force attacks, competitive data mining, online fraud, account hijacking, data theft, spam and digital ad fraud.
Uncovered by the Distil Research Lab, the data reveals a new method by which perpetrators connect through cellular gateways to target a large variety of websites and apps simultaneously. Cellular gateways handle a huge volume of requests per minute, many of which are legitimate, making it difficult to identify and block criminal ones.
Within some cellular carriers, a single IP address can cater to more than 4,000 devices per day, making cellular traffic an ideal location for bots to remain undetectable. As mobile devices move through different gateways, (based on device owners changing location throughout the day,) bots effectively change identities to make detection even more difficult.
Mobile bots by the numbers:
Mobile is the new frontier for bot operators, as they can perform highly advanced attacks while remaining hidden in plain sight,” said Rami Essaid, chief product and strategy officer at Distil Networks. “Whether inadvertently downloaded through an email attachment, or embedded in a seemingly legitimate app, millions of consumers unknowingly carry malware on their devices that allows cybercriminals to conduct bot attacks, abuse and fraud. We have seen bot operators develop and enhance their techniques throughout the years, but the threat to mobile devices is real and growing, and can have detrimental consequences.
Twitter has given millions of users a way of making their accounts even harder to hack, with the introduction of support for physical keys.
Most Twitter users protect their accounts in the traditional way: username and password. As with any other internet account, such security is vulnerable to a number of threats including phishing or a user unwisely choosing the same password that they use elsewhere on the internet.
This is the primary reason that so many Twitter accounts have been compromised by hackers over the years.
High profile victims have included FC Barcelona, CNN, Burger King, Google CEO Sundar Pichai, Wikipedia’s Jimmy Wales, and Mark Zuckerberg.
One of the most notorious hijackings of a Twitter account occurred in 2013, when the Syrian Electronic Army managed to gain control of Associated Press’s Twitter account and posted a message saying that there had been an explosion at the White House and Barack Obama had been injured.
That bogus report knocked 61 billion dollars (briefly) off the Dow Jones Index.
If you’re sensible you have taken better steps than just a password to protect your Twitter account, and enabled two-step verification in the form of “Login Verification”.That adds an extra hurdle to the login process by asking for a code generated by a third-party app such as Google Authenticator and Authy to be be entered.
For most people, this level of protection is probably enough.
But what if you want to go even further, and wish to ensure an even high level of physical security to your Twitter account?
If that’s you then you’ll be interested to read news inside a blog post detailing Twitter’s latest steps to combat spam and abuse on the site.
Twitter has revealed that you can now use a physical USB security key which supports the universal two-factor (U2F) standard when signing in for login verification.
The small keyfobs require the logging-in user to physically press a button to confirm the identity, and because it will only work on the real Twitter website it provides a high level of protection against phishing sites.
Other websites which support FIDO U2F hardware keys – which are the same size and shape as a typical USB thumb drive – include Google, Facebook, Dropbox, GitHub, and SalesForce.
Cisco has released security updates to address a bucketload of vulnerabilities affecting multiple products, including 24 critical and high-severity flaws found in many of its switches, next generation firewalls and security appliances.
Those vulnerabilities are present in the Cisco NX-OS Software, which enables network automation and programmatical provisioning and configuration of the devices via APIs, and Cisco FXOS (Firepower eXtensible Operating System).
“Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access to an affected device, gain elevated privileges for an affected device, execute arbitrary code, execute arbitrary commands, gain access to sensitive information, or cause a denial of service (DoS) condition on an affected device,” the company explained.
They can be exploited via specially crafted packets (HTTP or HTTPS, Cisco Fabric Services, SNMP, IGMP) and messages (Cisco Discovery Protocol and BGP update messages).
Twelve of the vulnerabilities affect both Cisco FXOS Software and Cisco NX-OS Software and the remaining vulnerabilities affect only Cisco NX-OS Software. None of the vulnerabilities affect Cisco IOS Software or Cisco IOS XE Software.
There are no workarounds for the vulnerabilities, so administrators should implement the offered updates.
 |
Virus-free. www.avg.com |
The Wi-Fi Alliance today officially launched
—the next-generation Wi-Fi security standard that promises to eliminate all the known security vulnerabilities and wireless attacks that are up today including the dangerous
.
WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and is intended to prevent hackers from eavesdropping on your wireless data.
However, in late last year, security researchers uncovered a severe flaw in the current WPA2 protocol, dubbed
(Key Reinstallation Attack), that made it possible for attackers to intercept, decrypt and even manipulate WiFi network traffic.
Although most device manufacturers patched their devices against KRACK attacks, the WiFi Alliance, without much delay, rushed to finalize and launch WPA3 in order to address WPA2’s technical shortcomings from the ground.
will replace the existing WPA2 that has been around for at least 15 years and widely used by billions of devices every day.
The new security protocol provides some big improvements for Wi-Fi enabled devices in terms of configuration, authentication, and encryption enhancements, making it harder for hackers to hack your Wi-Fi or eavesdrop on your network.
On Monday, the Wi-Fi Alliance launched two flavors of latest security protocol—WPA3-Personal and WPA3-Enterprise—for personal, enterprise, and IoT wireless networks.
Here are some key features provided by the new protocol:
WPA3 provides enhanced protection against offline brute-force dictionary attacks, making it harder for hackers to crack your WiFi password—even if you choose less complex passwords—by using commonly used passwords over and over again.
WPA3 leverages SAE (Simultaneous Authentication of Equals) handshake to offer forward secrecy, a security feature that prevents attackers from decrypting old captured traffic even if they ever learn the password of a network.
WPA3 strengthens user privacy in open networks through individualized data encryption, a feature that encrypts the wireless traffic between your device and the Wi-Fi access point to mitigate the risk of Man-in-the-Middle (MitM) attacks. To prevent such passive attacks, WPA3 could add support for Opportunistic Wireless Encryption (OWE).
Using WPA3 Enterprise, critical Wi-Fi networks handling sensitive information (such as government, , and industrial organizations), can protect their Wi-Fi connections with 192-bit encryption.
Alongside WPA3, the WiFi Alliance has also
a new feature, called
Wi-Fi Easy Connect
, that simplifies the process of pairing smart home gadgets (without any screen or display) to your router.
Wi-Fi Easy Connect is a replacement for Wi-Fi Protected Setup (WPS), which has been considered insecure.
With the support for Easy Connect, you will be able to pair your smart gadget with the router by simply scanning a QR code with your smartphone to have the Wi-Fi credentials automatically sent to the new smart device.
It should be noted that both WPA3 and Wi-Fi Easy Connect will not hit the mainstream right away. In fact, it is going to be a many-years-long process that will require new routers and smart gadgets to support WPA3.
Therefore, WPA2 will not stop working any time soon, and devices with WPA3 support will still be able to connect with devices that use WPA2 for the working of your gadgets, but WPA3 support will eventually become mandatory as adoption grows.
WPA3 is set to roll out later this year and is expected to hit mass adoption in late 2019, when it eventually become a requirement for devices to be considered Wi-Fi certified, according to the WiFi Alliance.
Read the Full Article here: >The Hacker News [ THN ]
Mobile security researchers have discovered unprotected Firebase databases of thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plain text passwords, user IDs, location, and in some cases, financial records such as banking and cryptocurrency transactions.
Google’s Firebase service is one of the most popular back-end development platforms for mobile and web applications that offers developers a cloud-based database, which stores data in JSON format and synced it in the real-time with all connected clients.
Researchers from mobile security firm Appthority discovered that many app developers’ fail to properly secure their back-end Firebase endpoints with firewalls and authentication, leaving hundreds of gigabytes of sensitive data of their customers publicly accessible to anyone.
Since Firebase offers app developers an API server, as shown below, to access their databases hosted with the service, attackers can gain access to unprotected data by just adding “/.json” with a blank database name at the end of the hostname.
Sample API URL:
https://<Firebase project name>.firebaseio.com/<database.json>
Payload to Access:
Data https://<Firebase project name>.firebaseio.com/.json
To find the extent of this issue, researchers scanned over 2.7 million apps and found that more than 3,000 apps—2,446 Android and 600 iOS apps—were leaking a whole 2,300 databases with more than 100 million records, making it a giant breach of over 113 gigabytes of data.
The vulnerable Android apps alone were downloaded more than 620 million times.
Affected apps belong to multiple categories such as telecommunication, cryptocurrency, finance, postal services, ride-sharing companies, educational institutions, hotels, productivity, health, fitness, tools and more.
Researchers also provided a brief analysis, given below, of the obtained data they had downloaded from vulnerable applications.
All this is happening at the first place because Google Firebase service does not secure user data by default, requiring developers to explicitly implement
on all database rows and tables to protect their databases from unauthorized access.
“The only security feature available to developers is authentication and rule-based authorization,” the researchers explain. What’s worse? There are no “third-party tools available to provide encryption for it.”
Researchers claimed they had already contacted Google and provided a list of all vulnerable app databases, and also contacted a few app developers helping them to patch this issue.
Read the Full Article here: >The Hacker News [ THN ]
Google just announced its plan to introduce a new anti-spoofing feature for its Android operating system that makes its biometric authentication mechanisms more secure than ever.
Biometric authentications, like the fingerprint, IRIS, or face recognition technologies, smoothen the process of unlocking devices and applications by making it notably faster and secure.
Although biometric systems also have some pitfalls that are not hidden from anyone, as it has been proven multiple times in the past that most biometric scanners are vulnerable to spoofing attacks, and in most cases fooling them is quite easy.
Google announced today a better model to improve biometric security, which will be available from Android P, allowing mobile app developers to integrate an enhanced mechanism within their apps to keep users’ data safe.
Currently, the Android biometric authentication system uses two metrics—False Accept Rate (FAR) and False Reject Rate (FRR)—in combination with machine learning techniques to measure accuracy and precision of the user’s input.
In brief, ‘False Accept Rate’ defines how often the biometric model accidentally classifies an incorrect input as belonging to the targeted user, while ‘False Reject Rate’ records how often a biometric model accidentally classifies the user’s biometric as incorrect.
However, Google says none of the given metrics is capable enough to precisely identify if biometric data entered by a user is an attempt by an attacker to make unauthorized access using any spoofing or impostor attack.
In an attempt to resolve this issue, in addition to FAR and FRR, Google has now introduced two new metrics—Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR)—that explicitly account for an attacker in the threat model.
“As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme,” Vishwath Mohan, a security engineer with Google Android team, says.
“Spoofing refers to the use of a known-good recording (e.g., replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user’s biometric (e.g., trying to sound or look like a target user).”
Based upon user’s biometric input, the values of SAR/IAR metrics define if it is a “strong biometric” (for values lower than or equal to 7%), or a “weak biometric” authentication (for values higher than 7%).
While unlocking your device or an application, if these values fall under weak biometric, Android P will enforce strict authentication policies on users, as given below:
Besides this, Google will also offer a new easy-to-use BiometricPrompt API that developers can use to set up a robust authentication mechanism in their apps to ensure maximum security of their users by completely blocking weak biometric authentication detected by two newly added metrics.
“BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on,” Mohan said.
“A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices.”
The new feature would positively prevent unauthorized access to devices from thieves, spies and law enforcement agencies as well by locking it down to cripple known methods to bypass biometric scanners.
Read the Full Article here: >The Hacker News [ THN ]
The global shipping industry is vulnerable to a range of hacks, including one that can send multi-million dollar vessels on a collision course for disaster, according researchers. Worse, the flaws are trivial to execute and easy to mitigate against, according to a report by Pen Test Partners.
“Ship security is in its infancy – most of these types of issues were fixed years ago in mainstream IT systems,” said Pen Test Partners researcher Ken Munro, in a report on the findings released this week. “The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur. What we’ve only seen in the movies will quickly become reality.”
As part of its report, Pen Test Partners also released a number of proof-of-concept (PoC) attacks where it demonstrated multiple techniques for disrupting the shipboard navigation systems. “We’ve broken new ground by linking satcom terminal version details to live GPS position data,” according to the report.
Munro said that the PoC flaws are the tip of the iceberg. Many more worse issues were uncovered. He said other bugs would be shared privately with vendors.
Forcing Ships Off-Course
In one of the PoCs shared in the report, researchers noted that the electronic charts that are used to navigate, called Electronic Chart Display and Information System (ECDIS), are a ripe target for hackers. They said the ECDIS is not difficult to hack and manipulate once an attacker breaches the vessel’s network. And that’s fairly simple to achieve because of an abundance of outdated OS and poorly protected configuration interfaces, researchers said.
“We tested over 20 different ECDIS units and found all sorts of crazy security flaws,” Munro said. “Most ran old operating systems, including one popular in the military that still runs Windows NT.”
As hackable as it is, all too often, the ECDIS is left in charge of steering the ship, researchers said.
“[ECDIS] can slave directly to the autopilot – most modern vessels are in ‘track control’ mode most of the time, where they follow the ECDIS course,” Munro explained. “Hack the ECDIS and you may be able to crash the ship, particularly in fog. Younger crews get ‘screen-fixated’ all too often, believing the electronic screens instead of looking out of the window.”
In one PoC example, once an adversary gained access to the shipboard IT infrastructure, a hacker could fool the ECDIS into thinking that the GPS receiver was in a different location on board. That would effectively spoof the ship’s navigational systems to believe the ship was in a different place on the water. The system could then automatically “correct” the course, thus sending the ship off into the wrong direction.
The team was also able to expand the perceived GPS footprint to make the ECDIS think the ship was a kilometer wide, wreaking havoc with anti-collision systems. The AIS transceiver, responsible for collision alerts, uses ECDIS data to not only send out the ship’s location to other vessels if there’s a perceived danger, but also for receiving the same data back. By tricking the system into thinking a collision is imminent, other ships could alter their own courses, jamming up shipping lanes.
“Other ships’ AIS will alert the ship’s captain to a collision scenario,” Hunt said. “It would be a brave captain indeed to continue down a busy, narrow shipping lane whilst the collision alarms are sounding.”
The implications here are profound: “Block the English Channel and you may start to affect our supply chain,” Hunt added.
The researchers also found that it’s possible to hack the systems used to control the steering gear, engines, ballast pumps and more. These communicate using NMEA 0183 messages, which are sent in plaintext, with no message authentication, encryption or validation.
“All we need to do is man-in-the-middle and modify the data,” Hunt said. “This isn’t GPS-spoofing, which is well known and easy to detect, this is injecting small errors to slowly and insidiously force a ship off course.”
Real-World Implications
Barry Greene, principal architect at Akamai, said that a range of actors could make very good use of these kinds of attacks.
“It can be used (and most likely is being used) to track state intelligence interest,” he told Threatpost. “Criminal threat actors would look for ways to ‘monetize.’ If there is money, they will find a way to exploit. Corporate intelligence threat actors would (and most likely are) using these exploits to track competition. Activist threat actors would use it to track illegal shipping: banned animal products, weapons and human trafficking.”
He added that there are other, less obvious consequences.
“The ugly part is logical consequences that are not being considered,” he told us. “Think about the current pirate situation in several parts of the world. These pirates can use this information for their intelligence. What would be the response when someone gets killed in the Straits of Malacca by pirates who are using these exploits to target their hits?”
Further illustrating the real-world implications, Pen Test Partners has managed to link version details for ships’ satcom terminals to live GPS position data, to establish a clickable map where vulnerable ships can be highlighted with their real-time position (it’s not updated however, thus ensuring it remains out of date and useless to hackers).
All Back to Password Hygiene
In order to carry any of the above attack scenarios out, threat actors would need to gain access to the vessel networks in the first place. Unfortunately, that proves to be fair simple as well, given that satcom terminals on ships are available on the public internet. Many have default credentials, Hunt explained, admin/1234 being the most common. And failing to set a strong administrative password opens the door to a raft of security issues.
“It’s an easy way to hijack the satellite communications and take admin rights on the terminal on board,” explained Munro.
Looking into a Cobham (Thrane & Thrane) Fleet One satellite terminal, Munro found a number of exploitable flaws. For starters, the admin interfaces communicate via insecure telnet and HTTP. They also lack firmware signing, making it possible to edit the entire web application running on the terminal. There is also no rollback protection for the firmware, so a hacker could elevate privilege by installing an older, more vulnerable firmware version. Lastly, the administrator interface passwords are embedded in the configurations, hashed with unsalted MD5.
All of these flaws (again, easily fixed with a strong password) offer routes into the vessel’s network; and, thanks to a general lack of network segregation on board most ships, attackers can likely easily pivot to the navigation system, Munro pointed out.
Mitigation
Like all sectors, getting serious about the risk to their industry should be on the to-do list of vendors and shipping companies alike. However, that’s easier said than done.
“Hopefully, these findings will encourage action, but the reality is that most people who need to know about this risk within the shipping/container/port industry may not hear about this report,” said Greene. “They live in their own specialized community…There is a whole industry built around the shipping industry who never thinks about security. They are thinking, ‘how do I build this function to manage the container lift during the time it is pulling the container off the ship.’”
A good place to start, he added, is for shipping companies to pull in vendors for meaningful security conversations. “Their security interest would wake up the vendor to put security on the top of their list,” Greene explained, adding that shipping companies should make use of their existing resources.
“Their number one security talent is the specialist within their organizations,” he said. “They know their industry. They know their business. CxOs should take those teams, pull them off to the side for a couple of days and have them ‘think like hackers.’ They will come back with a list of security priorities that would be better tuned to the shipping/container/port industry.”
Read the Full Article here: >threatpost – The First Stop for Security News
Copenhagen’s bike network was rendered useless in a cyber attack over the weekend in which the hacker was able to completely wipe the network’s database. Officials claim that the attack happened some time between 4 May and 5 May, and meant that people were not able to hire bikes from the Bycyklen system – similar to London’s ‘Santander Hire’ bike hire system, except that the bikes have built-in electric motors.
Read the Full Article here: >Computer Security News
