Information Security, SSAE 16, ISO 27001, CISA, Cert-IN
Bithumb, ranked the seventh largest cryptocurrency exchange and located in South Korea, has confirmed that it was hacked and that the thieves absconded with approximately $32 million in coins, including the XRP token issued by Ripple.
Read the Full Article here: >Computer Security News
Certificate authority Comodo CA is expanding out of its traditional area to launch a new platform designed to secure Internet of Things devices. Hackers increasingly target IoT devices that have no security embedded and exposed vulnerabilities.
Read the Full Article here: >Computer Security News
Flexera released Vulnerability Review 2018: Top Desktop Apps, part of the annual report series from Secunia Research. This new edition focuses on heavily used desktop applications, which can be easily breached through the Internet.
“Companies are in desperate need to improve patching so they can reduce risk. Ultimately that means creating a smart process,” said Kasper Lindgaard, Senior Director of Research and Security at Flexera. “To do that you have to cut through the noise – not all software updates are security related, and not all security updates are equally critical. Having patching processes, supported by best-in-class technologies, gives you the visibility and intelligence you need to prioritize and act decisively.”
Security professionals need to pay close attention to desktop applications because most vulnerabilities found in these types of apps can be extremely dangerous. Whenever new vulnerabilities are reported, Secunia Research issues Advisories assessing their criticality, attack vector and solution status. This allows desktop admins to identify and prioritize critical security patches. Without such information, operation teams struggle to keep up with a the large amount of patches.
In 2017, 83 percent of the Secunia Advisories covering the top desktop applications were rated “Extremely” or “Highly” critical (compared to only 17 percent when you look at Secunia Advisories across all software applications ranked).
Moreover, desktop applications are extremely vulnerable to attack via the Internet, making them attractive targets. 94 percent of advisories relating to desktop apps could be exploited through the Internet, without any interaction with the user, or the need for them to take any action.
The report also cautions users who incorrectly believe that Microsoft’s automated updates will shield them from vulnerability risk. In fact, the majority of desktop app vulnerabilities occur in non-Microsoft applications. 65 percent of the vulnerabilities reported in the 50 most common desktop applications were found in non-Microsoft apps.
“Organizations can improve security patching in just three steps,” added Lindgaard. “First, arm desktop admins with security Key Performance Indicators to keep security patching a high priority. Second, create an inventory of desktop apps to make installing a patch easier. Finally, put prioritization and sourcing patches on a schedule, so patches are consistently monitored and applied quickly.”
The key takeaway? When armed with vulnerability intelligence, IT professionals can get ahead of security risks with patches for almost all vulnerabilities affecting the most common desktop applications.
Read the Full Article here: >Help Net Security – News
The Wi-Fi Alliance today officially launched
—the next-generation Wi-Fi security standard that promises to eliminate all the known security vulnerabilities and wireless attacks that are up today including the dangerous
.
WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and is intended to prevent hackers from eavesdropping on your wireless data.
However, in late last year, security researchers uncovered a severe flaw in the current WPA2 protocol, dubbed
(Key Reinstallation Attack), that made it possible for attackers to intercept, decrypt and even manipulate WiFi network traffic.
Although most device manufacturers patched their devices against KRACK attacks, the WiFi Alliance, without much delay, rushed to finalize and launch WPA3 in order to address WPA2’s technical shortcomings from the ground.
will replace the existing WPA2 that has been around for at least 15 years and widely used by billions of devices every day.
The new security protocol provides some big improvements for Wi-Fi enabled devices in terms of configuration, authentication, and encryption enhancements, making it harder for hackers to hack your Wi-Fi or eavesdrop on your network.
On Monday, the Wi-Fi Alliance launched two flavors of latest security protocol—WPA3-Personal and WPA3-Enterprise—for personal, enterprise, and IoT wireless networks.
Here are some key features provided by the new protocol:
WPA3 provides enhanced protection against offline brute-force dictionary attacks, making it harder for hackers to crack your WiFi password—even if you choose less complex passwords—by using commonly used passwords over and over again.
WPA3 leverages SAE (Simultaneous Authentication of Equals) handshake to offer forward secrecy, a security feature that prevents attackers from decrypting old captured traffic even if they ever learn the password of a network.
WPA3 strengthens user privacy in open networks through individualized data encryption, a feature that encrypts the wireless traffic between your device and the Wi-Fi access point to mitigate the risk of Man-in-the-Middle (MitM) attacks. To prevent such passive attacks, WPA3 could add support for Opportunistic Wireless Encryption (OWE).
Using WPA3 Enterprise, critical Wi-Fi networks handling sensitive information (such as government, , and industrial organizations), can protect their Wi-Fi connections with 192-bit encryption.
Alongside WPA3, the WiFi Alliance has also
a new feature, called
Wi-Fi Easy Connect
, that simplifies the process of pairing smart home gadgets (without any screen or display) to your router.
Wi-Fi Easy Connect is a replacement for Wi-Fi Protected Setup (WPS), which has been considered insecure.
With the support for Easy Connect, you will be able to pair your smart gadget with the router by simply scanning a QR code with your smartphone to have the Wi-Fi credentials automatically sent to the new smart device.
It should be noted that both WPA3 and Wi-Fi Easy Connect will not hit the mainstream right away. In fact, it is going to be a many-years-long process that will require new routers and smart gadgets to support WPA3.
Therefore, WPA2 will not stop working any time soon, and devices with WPA3 support will still be able to connect with devices that use WPA2 for the working of your gadgets, but WPA3 support will eventually become mandatory as adoption grows.
WPA3 is set to roll out later this year and is expected to hit mass adoption in late 2019, when it eventually become a requirement for devices to be considered Wi-Fi certified, according to the WiFi Alliance.
Read the Full Article here: >The Hacker News [ THN ]
Mobile security researchers have discovered unprotected Firebase databases of thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plain text passwords, user IDs, location, and in some cases, financial records such as banking and cryptocurrency transactions.
Google’s Firebase service is one of the most popular back-end development platforms for mobile and web applications that offers developers a cloud-based database, which stores data in JSON format and synced it in the real-time with all connected clients.
Researchers from mobile security firm Appthority discovered that many app developers’ fail to properly secure their back-end Firebase endpoints with firewalls and authentication, leaving hundreds of gigabytes of sensitive data of their customers publicly accessible to anyone.
Since Firebase offers app developers an API server, as shown below, to access their databases hosted with the service, attackers can gain access to unprotected data by just adding “/.json” with a blank database name at the end of the hostname.
Sample API URL:
https://<Firebase project name>.firebaseio.com/<database.json>
Payload to Access:
Data https://<Firebase project name>.firebaseio.com/.json
To find the extent of this issue, researchers scanned over 2.7 million apps and found that more than 3,000 apps—2,446 Android and 600 iOS apps—were leaking a whole 2,300 databases with more than 100 million records, making it a giant breach of over 113 gigabytes of data.
The vulnerable Android apps alone were downloaded more than 620 million times.
Affected apps belong to multiple categories such as telecommunication, cryptocurrency, finance, postal services, ride-sharing companies, educational institutions, hotels, productivity, health, fitness, tools and more.
Researchers also provided a brief analysis, given below, of the obtained data they had downloaded from vulnerable applications.
All this is happening at the first place because Google Firebase service does not secure user data by default, requiring developers to explicitly implement
on all database rows and tables to protect their databases from unauthorized access.
“The only security feature available to developers is authentication and rule-based authorization,” the researchers explain. What’s worse? There are no “third-party tools available to provide encryption for it.”
Researchers claimed they had already contacted Google and provided a list of all vulnerable app databases, and also contacted a few app developers helping them to patch this issue.
Read the Full Article here: >The Hacker News [ THN ]
Google just announced its plan to introduce a new anti-spoofing feature for its Android operating system that makes its biometric authentication mechanisms more secure than ever.
Biometric authentications, like the fingerprint, IRIS, or face recognition technologies, smoothen the process of unlocking devices and applications by making it notably faster and secure.
Although biometric systems also have some pitfalls that are not hidden from anyone, as it has been proven multiple times in the past that most biometric scanners are vulnerable to spoofing attacks, and in most cases fooling them is quite easy.
Google announced today a better model to improve biometric security, which will be available from Android P, allowing mobile app developers to integrate an enhanced mechanism within their apps to keep users’ data safe.
Currently, the Android biometric authentication system uses two metrics—False Accept Rate (FAR) and False Reject Rate (FRR)—in combination with machine learning techniques to measure accuracy and precision of the user’s input.
In brief, ‘False Accept Rate’ defines how often the biometric model accidentally classifies an incorrect input as belonging to the targeted user, while ‘False Reject Rate’ records how often a biometric model accidentally classifies the user’s biometric as incorrect.
However, Google says none of the given metrics is capable enough to precisely identify if biometric data entered by a user is an attempt by an attacker to make unauthorized access using any spoofing or impostor attack.
In an attempt to resolve this issue, in addition to FAR and FRR, Google has now introduced two new metrics—Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR)—that explicitly account for an attacker in the threat model.
“As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme,” Vishwath Mohan, a security engineer with Google Android team, says.
“Spoofing refers to the use of a known-good recording (e.g., replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user’s biometric (e.g., trying to sound or look like a target user).”
Based upon user’s biometric input, the values of SAR/IAR metrics define if it is a “strong biometric” (for values lower than or equal to 7%), or a “weak biometric” authentication (for values higher than 7%).
While unlocking your device or an application, if these values fall under weak biometric, Android P will enforce strict authentication policies on users, as given below:
Besides this, Google will also offer a new easy-to-use BiometricPrompt API that developers can use to set up a robust authentication mechanism in their apps to ensure maximum security of their users by completely blocking weak biometric authentication detected by two newly added metrics.
“BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on,” Mohan said.
“A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices.”
The new feature would positively prevent unauthorized access to devices from thieves, spies and law enforcement agencies as well by locking it down to cripple known methods to bypass biometric scanners.
Read the Full Article here: >The Hacker News [ THN ]
The global shipping industry is vulnerable to a range of hacks, including one that can send multi-million dollar vessels on a collision course for disaster, according researchers. Worse, the flaws are trivial to execute and easy to mitigate against, according to a report by Pen Test Partners.
“Ship security is in its infancy – most of these types of issues were fixed years ago in mainstream IT systems,” said Pen Test Partners researcher Ken Munro, in a report on the findings released this week. “The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur. What we’ve only seen in the movies will quickly become reality.”
As part of its report, Pen Test Partners also released a number of proof-of-concept (PoC) attacks where it demonstrated multiple techniques for disrupting the shipboard navigation systems. “We’ve broken new ground by linking satcom terminal version details to live GPS position data,” according to the report.
Munro said that the PoC flaws are the tip of the iceberg. Many more worse issues were uncovered. He said other bugs would be shared privately with vendors.
Forcing Ships Off-Course
In one of the PoCs shared in the report, researchers noted that the electronic charts that are used to navigate, called Electronic Chart Display and Information System (ECDIS), are a ripe target for hackers. They said the ECDIS is not difficult to hack and manipulate once an attacker breaches the vessel’s network. And that’s fairly simple to achieve because of an abundance of outdated OS and poorly protected configuration interfaces, researchers said.
“We tested over 20 different ECDIS units and found all sorts of crazy security flaws,” Munro said. “Most ran old operating systems, including one popular in the military that still runs Windows NT.”
As hackable as it is, all too often, the ECDIS is left in charge of steering the ship, researchers said.
“[ECDIS] can slave directly to the autopilot – most modern vessels are in ‘track control’ mode most of the time, where they follow the ECDIS course,” Munro explained. “Hack the ECDIS and you may be able to crash the ship, particularly in fog. Younger crews get ‘screen-fixated’ all too often, believing the electronic screens instead of looking out of the window.”
In one PoC example, once an adversary gained access to the shipboard IT infrastructure, a hacker could fool the ECDIS into thinking that the GPS receiver was in a different location on board. That would effectively spoof the ship’s navigational systems to believe the ship was in a different place on the water. The system could then automatically “correct” the course, thus sending the ship off into the wrong direction.
The team was also able to expand the perceived GPS footprint to make the ECDIS think the ship was a kilometer wide, wreaking havoc with anti-collision systems. The AIS transceiver, responsible for collision alerts, uses ECDIS data to not only send out the ship’s location to other vessels if there’s a perceived danger, but also for receiving the same data back. By tricking the system into thinking a collision is imminent, other ships could alter their own courses, jamming up shipping lanes.
“Other ships’ AIS will alert the ship’s captain to a collision scenario,” Hunt said. “It would be a brave captain indeed to continue down a busy, narrow shipping lane whilst the collision alarms are sounding.”
The implications here are profound: “Block the English Channel and you may start to affect our supply chain,” Hunt added.
The researchers also found that it’s possible to hack the systems used to control the steering gear, engines, ballast pumps and more. These communicate using NMEA 0183 messages, which are sent in plaintext, with no message authentication, encryption or validation.
“All we need to do is man-in-the-middle and modify the data,” Hunt said. “This isn’t GPS-spoofing, which is well known and easy to detect, this is injecting small errors to slowly and insidiously force a ship off course.”
Real-World Implications
Barry Greene, principal architect at Akamai, said that a range of actors could make very good use of these kinds of attacks.
“It can be used (and most likely is being used) to track state intelligence interest,” he told Threatpost. “Criminal threat actors would look for ways to ‘monetize.’ If there is money, they will find a way to exploit. Corporate intelligence threat actors would (and most likely are) using these exploits to track competition. Activist threat actors would use it to track illegal shipping: banned animal products, weapons and human trafficking.”
He added that there are other, less obvious consequences.
“The ugly part is logical consequences that are not being considered,” he told us. “Think about the current pirate situation in several parts of the world. These pirates can use this information for their intelligence. What would be the response when someone gets killed in the Straits of Malacca by pirates who are using these exploits to target their hits?”
Further illustrating the real-world implications, Pen Test Partners has managed to link version details for ships’ satcom terminals to live GPS position data, to establish a clickable map where vulnerable ships can be highlighted with their real-time position (it’s not updated however, thus ensuring it remains out of date and useless to hackers).
All Back to Password Hygiene
In order to carry any of the above attack scenarios out, threat actors would need to gain access to the vessel networks in the first place. Unfortunately, that proves to be fair simple as well, given that satcom terminals on ships are available on the public internet. Many have default credentials, Hunt explained, admin/1234 being the most common. And failing to set a strong administrative password opens the door to a raft of security issues.
“It’s an easy way to hijack the satellite communications and take admin rights on the terminal on board,” explained Munro.
Looking into a Cobham (Thrane & Thrane) Fleet One satellite terminal, Munro found a number of exploitable flaws. For starters, the admin interfaces communicate via insecure telnet and HTTP. They also lack firmware signing, making it possible to edit the entire web application running on the terminal. There is also no rollback protection for the firmware, so a hacker could elevate privilege by installing an older, more vulnerable firmware version. Lastly, the administrator interface passwords are embedded in the configurations, hashed with unsalted MD5.
All of these flaws (again, easily fixed with a strong password) offer routes into the vessel’s network; and, thanks to a general lack of network segregation on board most ships, attackers can likely easily pivot to the navigation system, Munro pointed out.
Mitigation
Like all sectors, getting serious about the risk to their industry should be on the to-do list of vendors and shipping companies alike. However, that’s easier said than done.
“Hopefully, these findings will encourage action, but the reality is that most people who need to know about this risk within the shipping/container/port industry may not hear about this report,” said Greene. “They live in their own specialized community…There is a whole industry built around the shipping industry who never thinks about security. They are thinking, ‘how do I build this function to manage the container lift during the time it is pulling the container off the ship.’”
A good place to start, he added, is for shipping companies to pull in vendors for meaningful security conversations. “Their security interest would wake up the vendor to put security on the top of their list,” Greene explained, adding that shipping companies should make use of their existing resources.
“Their number one security talent is the specialist within their organizations,” he said. “They know their industry. They know their business. CxOs should take those teams, pull them off to the side for a couple of days and have them ‘think like hackers.’ They will come back with a list of security priorities that would be better tuned to the shipping/container/port industry.”
Read the Full Article here: >threatpost – The First Stop for Security News
Copenhagen’s bike network was rendered useless in a cyber attack over the weekend in which the hacker was able to completely wipe the network’s database. Officials claim that the attack happened some time between 4 May and 5 May, and meant that people were not able to hire bikes from the Bycyklen system – similar to London’s ‘Santander Hire’ bike hire system, except that the bikes have built-in electric motors.
Read the Full Article here: >Computer Security News
A 5-minute high-definition music video can easily take up a space of more than 45 megabytes but an mp3 file of the same length, say, at a bitrate of 128 kbps, may just consume 5 megabytes of mobile storage, that is 9 times lesser.
If your mobile storage is running out due to keeping many video files, it’s time to convert them into audio to save space when you just want to play or share music files without needing videos.
To do that, many converters are available for you but Video to MP3 Converter offered by AccountLab is one of the most popular with more than 10 million downloads from the Google Play Store.
The Converter is very easy to use for average users with a slider to adjust the sound quality without bothering the terms of VBR and CBR. For more demanding users, it provides a selection of various bitrates for sound encoding in advanced mode.
As a bonus, the app also incorporates a video cutter and an audio cutter, both are easy to operate.
The app available on Android devices is free to download and use with supporting ads Read More
Read the Full Article here: >Gizmos Freeware Reviews
About 301,580 consumers reported cyber-fraud and malware attacks to the FBI’s Internet Crime Complaint Center (IC3) last year – with reported losses exceeding a whopping $1.4 billion.
The year’s haul of reports brings the overall total of complaints since the IC3 began recording such things to 4 million.
Top threats for the year include well-worn trends like whaling, phishing and ransomware, but also tech support fraud, confidence games involving romance themes, non-payment scams and also straightforward extortion.
Notable Stats
Whaling, a.k.a. business email compromise, made up the bulk of the complaints for the department, with 15,690 individuals affected and accounting for adjusted losses of more than $675 million. In these cases, criminals masquerade as company executives to request a change in account information for wire transfers in order to siphon off money to their own accounts, or to request for personally identifiable information or W-2 form data for employees. In 2017, the real estate sector was in particular heavily targeted, IC3 said.
Tech-support fraud, where criminals pose as a variety of different security, customer or technical support reps offering to resolve any number of (non-existent) issues, took the crown for growth. Reported incidents spiked to 10,949 complaints and claimed losses reached nearly $15 million, which represents a staggering 90 percent increase from 2016. IC3 received complaints from victims in 85 different countries.
There are of course many variations of this scam, but IC3 said that the bad actors are now changing up their tactics to use phishing emails with malicious links or fraudulent account charges to lure their victims. They’re also offering new “services,” such as income tax assistance, GPS help, printer support, cable company updates or support for virtual currency exchanges. In some variations, criminals are posing as government agents, who (oh the irony!) offer to recover losses related to tech support fraud schemes; or, they may request financial assistance with “apprehending” criminals.
Other stats of note for 2017 include the fact that the IC3 received 1,783 complaints identified as ransomware last year, with adjusted losses of over $2.3 million. It also received 14,938 extortion-related complaints, with adjusted losses of over $15 million.
When it comes to demographics, older Americans seem to be more targeted: There were 49,523 complaints from victims over the age of 60 with adjusted losses in excess of $342 million.
Fraud Gets Elaborate
The IC3 also uncovered a few “long-cons” that indicate the lengths to which fraudsters will go to scam their marks. Consider the case of an international investment scheme involving the impersonation of Branch Banking & Trust (BB&T) and JPMorgan Chase executives, the fabrication of U.S. government documents, the creation of fraudulent investment agreements in the name of the banks, and the purchase of luxury vehicles to launder the proceeds of the scheme. It resulted in losses of more than $7 million from victims in more than 20 countries.
In this case, West African operators essentially duped unwitting victims into believing they would receive millions of dollars of investment funding as part of joint ventures with BB&T or Chase. They set about spoofing bank domains and recruiting U.S. citizens to pose as bank “representatives” at in-person meetings with the victims; and fake U.S. government documents were used to convince the victims that the government was sponsoring the investment agreements. The victims were then asked to pay tens of thousands of dollars (often hundreds of thousands of dollars) to U.S.-based bank accounts on the belief that such payments were necessary to effectuate their investment agreements.
The scam was partially broken up by FBI Houston as a result of the mounting number of complaints and forensic data. Only about $200,000 of the cash has been recouped.
Read the Full Article here: >threatpost – The First Stop for Security News