STE WILLIAMS

Hundreds of Hotels Hit in FastBooking Breach

The hotel booking software provider reports an actor stole personal and payment card data of guests from hundreds of properties.

FastBooking, a Paris-based provider of hotel-booking software, is alerting client hotels to a data breach in which an attacker lifted personal information and credit card data from guests of hundreds of properties.

The breach took place on June 14, says FastBooking, which states it works with 4,000 partner hotels in 100 countries. In an email to affected properties, FastBooking says an attacker exploited a vulnerability in a Web application hosted on its server to install malware. The actor used this access to pilfer first and last names, nationalities, physical and email addresses, and booking-related details, such as hotel names and check-in/check-out dates.

For some travelers, payment card data, including name, number, and expiration date, was compromised. It seems the attacker stole different information from different hotels; none of FastBooking’s customers were affected in the same way.

The company is providing affected hotels with templates to inform guests of the attack, as well as templates to notify their national data protection agencies how personal and payment information was exposed, BleepingComputer reports.

Read more details here.

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/hundreds-of-hotels-hit-in-fastbooking-breach/d/d-id/1332162?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cynicism in Cybersecurity: Confessions of a Recovering Cynic

Anyone constantly dealing with complex computer systems teetering on the brink of disaster will likely succumb to the cult of cynicism. These four strategies will help you focus on the positive.

Cynics fall into the same category as Marines (if you’re feeling charitable) and cheaters (if you’re not) in that there’s no such thing as an ex-cynic. But I’m doing my best: I’m a recovering cynic.

When I refer to cynicism, I’m not talking about the ancient Greeks. I’m using the modern definition, which I take as immediately assuming the worst of people or situations. Almost anyone who’s been in computer security for any time succumbs to the cult of cynicism. We deal with complex systems teetering on the brink of disaster. We operate in an unceasingly chaotic environment. And often, it seems like organizations fail to implement even the simplest mitigations. It’s easy to become jaded.

It’s also easy to declare “Everything is trash.” But everything’s not trash. Things work, most of the time. That’s not to say we couldn’t do better, or it doesn’t take effort to keep things working, or a random bit flip couldn’t cascade into a disaster. (Curse you, cosmic rays!) My real point, though, is even if things were all trash, being cynical is not productive.

Cynicism is incapacitating. It allows you to absolve yourself of the problem. After all, why bother to help someone if they’re just going to get themselves right back into trouble by being terrible? Why fix a system if it’s irredeemable? How committed can you be to solving a problem if deep down inside you think the situation is hopeless?

Cynicism is contagious. One person on your team has it, then another, and before you know it, the team’s a snarkapalooza, knowing better than everyone else, taking nothing seriously, and safeguarding themselves from the real discomfort of trying to fix things. Even worse, often the most experienced people on your team are the most cynical, which means the junior members see it as a defining feature of successful folks whom they respect. In reality, it’s cargo cult science: all the technically accomplished people are cynical, therefore if I’m cynical, I will become technically accomplished.

Cynicism is corrosive. Having no hope, day after day, leads to a poor environment for mental health. Cynicism saps purpose and agency, two of the most important factors for job (and life) satisfaction. Cynicism makes us feel powerful in the short run but robs us of power in the long run.

Cynicism is self-perpetuating. By assuming the worst in other people, we don’t commit to finding the levers to change the causal factors leading to the situation, thus perpetuating the conditions that lead to cynicism in the first place. Problems don’t get fixed, things don’t get better, and cynicism flourishes, because hey, things never get better! Fear leads to cynicism, cynicism leads to inaction, inaction leads to nihilism. I think Yoda said that.

What can we do? Are we supposed to be simpletons, believing the best of everyone and taking everything presented to us at face value? (If you just thought “nice strawman,” stop it. You’re being cynical!) I suggest skepticism is an appropriate replacement for cynicism.

Most dictionaries will tell you skepticism and cynicism are synonyms. If you dig a bit deeper, though, you’ll find skeptic comes from the Greek root skepsis, meaning inquiry or doubt, whereas cynic comes from the Greek kynikós, meaning doglike. They couldn’t be more different. Skepticism means approaching the world with a critical mindset, applying scientific thought, and using data and logic to refute, modify, or bolster the proposed idea.

Cynicism does none of that. Cynicism is the knee-jerk reaction that the idea is bad because, let’s face it, it’s always bad. Or the person promoting the idea is a weasel, and what are they up to, anyway? Cynicism is as mindless as the relentless optimism it mocks. The only difference is the optimists are at least happy.

Sometimes what seems like cynicism is an analysis based on years of hard-won experience. Even in this case, I recommend taking a second look and asking whether you’re applying your experience in a rational manner, or whether you’re letting your feelings get the best of you. There’s a fine line between a justifiable gut reaction and an involuntary fear reflex.

I’m not saying you must necessarily give up all cynicism. But when it becomes your default way of thinking, you’re no longer in a learning mindset. Here are four strategies I’ve been using to combat my own cynicism.

  1. I think before I communicate a cynical thought. Does it add to conversation, or does it just make me feel better? Will it create the change I want to create?
  2. I give ideas a few minutes before I disagree. Better—give them a day. Get past that first knee-jerk reaction. Everyone has something to teach me. Consider alternative viewpoints.
  3. I think in terms of creation, not problem solving. It’s easy to get bogged down solving problems day after day. And the problem with problems is there’s always another one waiting when you finish the one on your plate. We solve problems in service of bringing a larger vision into creation. Don’t lose sight of that vision.
  4. I look for the good in things. Build off it. Apply the improv rule “Yes, and.” People react better to positive emotions than negative ones, and I’m more likely to get the change I’m looking for by being kind and empathetic.

I’m doing all these things. And it’s hard. I can’t tell you how many times I’ve typed a snide comment thinking, “Ooh, this one is clever and biting and hilarious,” only to stop, ask if it was making the world a better place, conclude not, and sadly delete it. Moments later, I’ve forgotten about it and maybe have said something constructive instead. If I can do it, so can you. And if you just thought “what a clichéd ending,” stop it! You’re being cynical!


Christopher Degni leads the Architect Studio within Akamai’s InfoSec department, where he develops security researchers into architects. When he’s not caught up in management, he likes to think about the systemic forces that shape security and the levers we can use to affect …

Article source: https://www.darkreading.com/cynicism-in-cybersecurity-confessions-of-a-recovering-cynic/a/d-id/1332124?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

German researchers defeat printers’ doc-tracking dots

Beating the unique identifiers that printers can add to documents for security purposes is possible: you just need to add extra dots beyond those that security tools already add. The trick is knowing where to add them.

Many printers can add extra dots to help identify which device printed a document, as it’s handy to know that when they fall into the wrong hands. The technique works: it helped to sink NSA leaker Reality Winner, among others, and has also helped in its original purpose of defeating counterfeiters.

But the technique’s potency may be waning, thanks to a quartet of researchers from the Technical University of Dresden.

Timo Richter, Stephan Escher, Dagmar Schönfeld, and Thorsten Strufe reckon they’ve cracked the challenge of knowing how to anonymise printed documents, and presented their work to the Association for Computing Machinery’s 6th ACM Workshop on Information Hiding and Multimedia Security in Innsbruck, Austria last week.

In this paper, the TU Dresden researchers explain that they tested 1,286 documents printed on machines from 18 manufacturers, creating an extraction algorithm to identify well-known dot-patterns – and at the same time, discovering four previously undiscovered patterns coding at 48, 64, 69, and 98 bits.

Identifying new patterns is important, from a privacy point of view, since as the authors point out, an activist in a dictatorship could easily be unmasked by their printer (unless they happen to use a Brother, Samsung, or Tektronix printer, none of which seemed to carry tracking codes, the researchers said).

Compared to working out an automatic extraction of the dot-codes, obfuscating them was relatively easy.

Anybody can take a scan of the document, and clear “empty” areas in an image editor, but the group’s second technique is more sophisticated. After their algorithm identifies the pattern in use, it takes a mask of all possible dot locations in that pattern, and adds extra dots that conform to the layout, but render the code meaningless.

The group has published a toolkit that automates the obfuscation workflow, here. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/27/german_researchers_defeat_printer_tracking_dots/

FireEye hacked off at claim it hacked Chinese military’s hackers

US security company FireEye has denied a claim aired in a new book that it hacked into laptops owned by Chinese military hackers.

It’s common knowledge that prior to its acquisition by FireEye, the security concern Mandiant brought the Chinese operation known as APT1 undone. In its 2013 report, the company attributed espionage against 141 companies in 20 industries to APT1 in attacks dating back to 2006.

Its report said APT1 operated closely to People’s Liberation Army Unit 61398, and had similar “mission, capabilities, and resources”.

In 2015, responding to many requests from the USA, China arrested a number of hackers over the campaigns.

Mandiant kept its methods secret, and that left room for David Sanger, a New York Times correspondent, to make the sensational claim that it was a “hack-back” operation that included spying on the Chinese hackers via Webcams in their compromised laptops. The allegation appears in his new book, The Perfect Weapon.

Not so, says FireEye. The company’s refutation, published here, said “hack-back” techniques weren’t used in Mandiant’s exposure of APT1.

Here’s what the company had to say:

“To state this unequivocally, Mandiant did not employ ‘hack back’ techniques as part of our investigation of APT1, does not ‘hack back’ in our incident response practice, and does not endorse the practice of ‘hacking back’.”

FireEye added that Sanger took part in releasing the original Mandiant report. So how did the author err?

Mandiant says it happened this way: “Included in the evidence we reviewed with Mr. Sanger at the time were videos of APT1 operators interacting with malware command and control servers (a.k.a. ‘hop points’), including the operators’ ‘personal’ web browsing (e.g. checking social media…etc.) on those systems.”

In briefing Sanger, the company said, it showed him this video:

(YouTube video embedded in the original article)

If you don’t have time to watch the video, here is the salient detail from the script:

“This series of videos shows a live APT1 Chinese threat actor conducting computer network espionage activities. We will see him take a variety of actions affecting real victims.”

The company’s contention is that Sanger thought what he was seeing – someone creating a Gmail account, the attacker “dota” logging into one of his Gmail accounts, testing a Gh0st RAT command and control server, using another CC, using the HTRAN connection bouncer, and so on – was captured by “looking over the hacker’s shoulder”.

Its explanation is that the activities in the video were captured not by a hack on APT1 machines, but rather by watching activity from within the networks of APT1 victims – with the victims’ consent.

“All of these videos were made through information obtained via consensual security monitoring on behalf of victim companies that were compromised,” FireEye claimed.

“The videos Mr. Sanger viewed were from Windows Remote Desktop Protocol (RDP) network packet captures (PCAP) of Internet traffic at these victim organisations. Mandiant has never turned on the webcam of an attacker or victim system”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/27/fireeye_we_didnt_hack_back_against_apt1/

EU summons a CYBER FORCE into existence

Lithuania’s proposal that the European Union create an international cyber-force has been endorsed, and the effort already has seven countries on board.

The Baltic country announced yesterday that EU member states have agreed to create “EU Cyber Rapid Response Force” teams, with a declaration of intent signed in Luxembourg yesterday by the EU Foreign Affairs Council.

Minister of National Defence Raimundas Karoblis said international efforts are needed because of the cross-border nature of modern infosec threats (except, of course, he said “cyber”).

As well as Lithuania, which leads the project, participants currently include Croatia, Estonia, France, Finland, the Netherlands, Romania, and Spain. Belgium, Germany, Greece, and Slovenia are observers, and another four countries are expected to sign on by the end of the year.

Karoblis said to take part, countries will need an existing “standing cyber security unit” able to help investigate serious incidents.

In the first phase of the project, participating countries will assess the technical and legal basis of the cyber team operations, and wrangle about project financing.

The second phase, the announcement said, will involve joint exercises, and assess the prospects that members could create mutual cyber defence tools. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/27/eu_cyber_force/

“Safer hops for email” – EFF’s plan to cut down on email snooping

You’ve probably heard of Let’s Encrypt, not least because we’ve written about it many times on Naked Security.

Let’s Encrypt is a non-profit project that’s supported and sponsored by a wide range of high-profile internet companies and other non-profits.

The project has a fairly straightforward goal: to help websites make the switch to secure HTTP, better known as HTTPS, the protocol that puts the padlock in your browser.

HTTPS, simply put, is regular HTTP transmitted by means of an underlying network protocol known as Transport Layer Security, commonly known by its abbreviation TLS.

TLS is often still referred to, imprecisely, by its earlier name of SSL, which stood for Secure Sockets Layer. SSL is a backwards-compatible precursor of TLS that is no longer considered secure enough for use. You shouldn’t initiate or accept SSL connections any more – they give a false sense of security to both sender and recipient.

If you run a website that doesn’t ask users to log in and doesn’t have any forms on which visitors might fill in personal data, it’s easy to slip into the habit of saying “encryption doesn’t matter.”

The anti-HTTPS excuses typically look like this: I’ve got nothing to hide, the pages I’m serving up are meant to be public anyway, I never ask for or send out personally identifiable information, and there’s nothing on the site that could be considered incriminating to anyone reading it.

More than confidentiality

But the encryption provided by HTTPS isn’t only about confidentiality – it’s also about integrity and authenticity.

You owe it to your visitors to make them confident that they’re really visiting your site, not an imposter’s clone that’s riddled with scams and bogus content, and that they’re really getting your official files for download, not some modified and malware-tainted alternatives.

Nevertheless, even with the excuses for not using HTTPS swept aside, two primary reasons stood in its way until Let’s Encrypt came along: “going encrypted” took time and it cost money.

You need a TLS security certificate, and a trusted third-party needs to sign it – a process that used to be much more easily said than done.

Let’s Encrypt not only made the process simpler but also waived the fees for issuing signed security certificates, resulting in a huge decrease in the number of holdout websites that refuse to bother with HTTPS at all.

In fact, HTTPS is now prevalent enough that the Chrome browser is about to start shouting at you about any sites that aren’t encrypted, making HTTP into something to avoid altogether.

But what about email?

So much for the web – what about email encryption?

Who’s eavesdropping on your messages?

The good news is that if you use one of the major webmail services, and send email to another major webmail user, your emails are almost certainly cryptographically safe in transit.

The servers of webmail services like Gmail, Outlook.com and Yahoo! all use encryption when talking to each other, as well as when they talk to many other mainstream mail servers out there.

But plenty of non-webmail servers still aren’t bothering with server-to-server mail encryption, or are encrypting in a sub-standard way.

So the Electronic Frontier Foundation (EFF), one of the groups behind the Let’s Encrypt project, has announced a related effort called STARTTLS Everywhere for the world’s email ecosystem.

The word STARTTLS comes from the command used in the SMTP email protocol to switch into encrypted mode, and the STARTTLS Everywhere project aims to get everyone not only to use STARTTLS, but also to use it properly.

EFF identified several problems:

  1. No support for STARTTLS at all. It’s easy enough not to bother with email encryption – it saves the hassle of acquiring a security certificate in the first place, and many corporate mail servers will still accept your messages anyway, even if they ask you to STARTTLS but you refuse.
  2. Insecure TLS certificates. Some mail server administrators have gone to the trouble of creating security certificates, but not of getting them vouched for by a recognised certificate authority such as Let’s Encrypt. These so-called self-signed certificates are perfectly legal, and super-easy to create, but they have a significant weakness: anyone can create a self-signed certificate in anyone else’s name. So, self-signed certificates miss out on one of the most important benefits of STARTTLS in email, namely verifying that you’re delivering your email to the right server in the first place.
  3. No downgrade protection. Unlike HTTPS connections from your browser, which start out using TLS and then talk HTTP over the secure-from-the-outset channel, email connections start out unencrypted and “upgrade” themselves to TLS later on after the STARTTLS command is used. An eavesdropper who can alter the unencrypted part of a mail connection can therefore strip out the STARTTLS commands, sneakily turning a connection that was supposed to be encrypted into one that can be snooped on throughout.

EFF plans to solve problems 1 and 2 by extending the Let’s Encrypt system so that email administrators can quickly and easily add TLS support for free.

So the TL;DR version so far is simple: “STARTTLS Everywhere is just Let’s Encrypt for email sysadmins.”

A trickier problem

But problem 3 above is trickier to solve, at least in the short term.

In theory, if the vast majority of email administrators simply refused to send or to accept unencrypted mail connections at all, then the small minority of crypto-deniers remaining would have no choice but to join the encryption club and start doing things properly.

But there are still sufficiently many non-encrypting email servers out there that we still need to support the old-and-insecure ways for convenience.

In practice, therefore, mail servers will be forced to accept unencrypted connections from time to time.

That means they need a reliable way to differentiate between a server that wanted to use encryption but was tricked by an eavesdropper into not doing so, and a server that didn’t care or couldn’t do encryption.

(It’s no use asking an email server if it wants to do secure encryption unless you already have an encrypted channel to validate the answer.)

One possible solution is a draft internet standard called MTA-STS, jointly proposed by experts from Microsoft, Google, Yahoo! and Comcast.

Simply put, MTA-STS allows a mail server to use an HTTPS connection – because secure HTTP is something we already know how to do well – to declare its preference for using email encryption, and thereby to prevent a downgrade attack.

EFF is also helping out by hosting its own database called the STARTTLS Policy List, hosted on its own secure servers, that keeps track of email systems that meet various minimum standards for SMTP encryption.
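To make the three problems above and the MTA-STS answer to them concrete, here is an added example (not EFF’s or any MTA’s code) that models the sending side: it parses a policy in the published MTA-STS text format (version, mode, mx, max_age), checks whether the receiving server’s EHLO reply still advertises STARTTLS, and decides whether to deliver or defer. The policy text and the two EHLO replies are constructed; fetching the policy over HTTPS and the certificate validation itself are assumed to happen elsewhere and are passed in as inputs.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed MTA-STS policy in the published text format (served over HTTPS
# at https://mta-sts.<domain>/.well-known/mta-sts.txt). Fetching it, and the
# DNS _mta-sts TXT record that announces policy changes, are out of scope here.
POLICY_ENFORCE = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""
POLICY_TESTING = POLICY_ENFORCE.replace("mode: enforce", "mode: testing")

# Constructed EHLO replies. The second is what the sender sees if an on-path
# party removed the 250-STARTTLS line in transit (problem 3 in the article).
EHLO_WITH_STARTTLS = [
    "250-mail.example.com Hello sender.example.net",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 8BITMIME",
]
EHLO_STRIPPED = [line for line in EHLO_WITH_STARTTLS if "STARTTLS" not in line]


@dataclass
class StsPolicy:
    mode: str          # "enforce", "testing" or "none"
    mx: List[str]      # permitted MX hostnames, optionally "*.label" wildcards
    max_age: int       # seconds the sender may cache this policy


def parse_policy(text: str) -> StsPolicy:
    """Parse the key: value policy body; reject unknown versions and modes."""
    fields, mx = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value)
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if not mx:
        raise ValueError("policy lists no mx")
    return StsPolicy(mode, mx, int(fields.get("max_age", "0")))


def mx_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leading '*.' wildcard covering one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".backup.example.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return hostname == pattern


def ehlo_offers_starttls(lines: List[str]) -> bool:
    """True if any 250 reply line advertises the STARTTLS extension."""
    return any(line[4:].strip().upper() == "STARTTLS"
               for line in lines if line.startswith("250"))


def delivery_decision(policy: StsPolicy, mx_host: str, ehlo_lines: List[str],
                      cert_valid_for_mx: bool) -> Tuple[str, str]:
    """Decide whether to hand the message to this MX. Returns (action, reason)."""
    problems = []
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        problems.append(f"MX host {mx_host} is not listed in the policy")
    if not ehlo_offers_starttls(ehlo_lines):
        problems.append("server did not offer STARTTLS (possible downgrade)")
    elif not cert_valid_for_mx:
        problems.append("certificate is not CA-signed for the MX name")
    if not problems:
        return "deliver", "STARTTLS offered, certificate valid, MX permitted"
    if policy.mode == "enforce":
        # Without a policy a sender would fall back to cleartext here.
        return "defer", "; ".join(problems)
    # testing/none: deliver anyway but keep the failures for reporting.
    return "deliver", "not enforced: " + "; ".join(problems)


if __name__ == "__main__":
    policy = parse_policy(POLICY_ENFORCE)
    for label, ehlo in (("intact", EHLO_WITH_STARTTLS), ("stripped", EHLO_STRIPPED)):
        print(label, delivery_decision(policy, "mail.example.com", ehlo, True))
```

With mode set to testing the same stripped reply is still delivered, which is why the article treats the downgrade as the trickier problem: the protection only bites once a domain commits to enforce.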

What to do?

If you run your own mail server, or outsource your mail server to someone else, please take the time to study the EFF’s STARTTLS Everywhere technical document – it’s called a “deep dive” but it’s nevertheless a fairly short read.

We urge you to start doing server-to-server email encryption if you aren’t already, and we encourage you not to cut corners with self-signed certificates: after all, a job worth doing is worth doing well.

As we like to say: Dance like no one’s watching/Encrypt like everyone is.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/574REnLoJHE/

Reality Winner, liberty loser: NSA leaker faces 63 months in the cooler

Reality Winner – who leaked to the media a classified NSA file describing Russians fiddling with American election technology – has pled guilty to one count of espionage.

The former NSA contractor had earlier pleaded not guilty in a US federal district court in Georgia, and had hoped a jury would clear her of wrongdoing. Now, she faces up to 63 months behind bars.

Earlier today, Winner admitted in court to being the source of news reports of Kremlin hackers meddling with a maker of voting machine software used in the 2016 White House race. She will be sentenced at a hearing later this year.

“My daughter Reality has decided to change her plea. I believe that this plea is in Reality’s best interest at this time,” Winner’s mother, Billie Winner Davis, said.

“Given the time and circumstances and the nature of the espionage charge I believe that this was the only way that she could receive a fair sentence. I still disagree strongly with the use of the espionage charge against citizens like Reality.”

Billie noted that the espionage charge prevents her daughter from discussing details of the matter with a trial jury, a requirement that could make her defense more difficult.

Winner’s change of plea hardly comes as a surprise given her previous admission to sneaking out, from her workplace, a printed classified government document stashed in her pantyhose, and mailing the dossier to reporters at the Intercept – who gave full scans of the file to the NSA when asking the agency for comment.


Uncle Sam’s investigators used a document ID number on the Intercept-provided copy to narrow down the source of the leak to six people who had computer access to and had printed off the NSA report. Winner confessed to sending a printout of the classified information to journalists when questioned by the FBI at her home in June last year.

Winner, then 25, was working for Pluribus International, an outsourcer that handled confidential material for Uncle Sam. She told the Feds she printed out the documents after being enraged by her daily exposure to Trump-backed entertainment channel Fox News on TV screens at work.

“I wasn’t trying to be a Snowden or anything … I guess it’s just been hard at work because. And I’ve filed formal complaints about them having Fox News on, you know?” Winner told investigators.

“Just at least, for God’s sake, put Al Jazeera on, or a slideshow with people’s pets. I’ve tried everything to get that changed.”

She also shared the classified document with reporters in hope of bringing to public view NSA claims that Russian intelligence hacked at least one maker of voting software used in 2016’s US elections.

Winner gained notoriety as the first person to be charged under President Donald Trump’s administration with violating the Espionage Act, a 1917 law that criminalizes copying a “writing or note of anything connected with the national defense.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/26/reality_winner_guilty/

Sophos SafeGuard anything but – thanks to 6 serious security bugs

Companies running Sophos security clients will want to update their software following the disclosure of six privilege escalation flaws in the security suite.

Sophos says its SafeGuard Enterprise Client, LAN Crypt client and Easy software are all vulnerable to the bugs, which would allow an attacker to run code at System (aka admin) level privileges.

In other words, the software you use to keep your PC from getting pwned can get you pwned.

The bugs, designated CVE-2018-6855, CVE-2018-6857, CVE-2018-6852, CVE-2018-6851, CVE-2018-6856, CVE-2018-6853, and CVE-2018-6854 were discovered in the Sophos driver software and reported to the British company by researchers with security shop Nettitude Labs.

According to the researchers, the flaws would allow an attacker to issue an input/output control (IOCTL) request that could modify token privileges. This would result in the attacker being able to run commands with system privileges on any PC running versions of Windows prior to Windows 10 v1607 (when exploit mitigation tools were added).


“When some conditions are not met, the driver writes an error code (0x2000001A) to user-controlled address. Also, note that all the aforementioned IOCTLs use transfer type METHOD_NEITHER, which means that the I/O manager does not validate any of the supplied pointers and buffer sizes,” Nettitude explains.

“So, even though the driver checks for input/output buffer sizes, it doesn’t validate if the pointers to those buffers are actually valid. So, we can supply a pointer for the output buffer to a kernel address space address, and the error code will be written there.”

In response Sophos has kicked out an update for the vulnerabilities. Users and admins can get the fixes for SafeGuard Enterprise 8.0, 7.0, 6.10, 6.0x, SafeGuard Easy 7.0, 6.10, 6.0x, and SafeGuard LAN Crypt 3.9x.

Sophos is recommending users and admins update their software as soon as possible to get the fixes. The bugs do not affect Sophos Mac antivirus. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/26/sophos_safeguard_flaws/

Mozilla tests new Firefox Privacy Monitor tool

Mozilla’s enthusiasm for Troy Hunt’s Have I Been Pwned? (HIBP) has cranked up a level with the news it plans to integrate its breach checking into a new service called Privacy Monitor.

Once up and running, it will work in a similar way to the HIBP website itself – Firefox users will be able to check whether email addresses associated with online accounts have turned up in breached data known to HIBP.

Additionally:

The site will offer recommendations on what to do in the case of a data breach, and how to help secure all accounts. We are also considering a service to notify people when new breaches include their personal data.

The company will next week start sending out invites to 250,000 mostly US-based Firefox users to test Privacy Monitor for themselves.

The development is no surprise given that Mozilla last year trailed HIBP Firefox alerts, although these only activated when visiting a site that had been breached.

From Hunt’s point of view, the integration marks an important moment for HIBP, which despite its innovation still only reaches a tiny fraction of the 3.1 billion email addresses now in its database.

Wrote Hunt on the partnership:

I’m reaching 0.06% of them via the notification service and not a whole lot more in terms of people coming to the site and doing an ad hoc search (usually 100k – 200k people a day).

Adding Firefox to the fold extends that to the browser’s entire userbase, which numbers at least 170 million installs.

(In a separate announcement, HIBP is also being baked into 1Password, allowing users to search HIBP directly within 1Password, via the “Watchtower” feature.)

However, integrating with Firefox users comes with new demands – preserving privacy – which is why the other half of the Firefox announcement was taken up with how the two will ensure this when people run Privacy Monitor searches.

This will be done through Cloudflare’s implementation of a mathematical principle called k-Anonymity, which is already part of the way HIBP works as a way of ensuring performance but also to protect its API from abuse by cybercriminals.

The trick is to try and submit an email address without the service knowing for sure what it is. It sounds tricky but there is a way. Said Cloudflare in a recent blog:

The key problem in checking passwords against the old Pwned Passwords API lies in how passwords are checked; with users being effectively required to submit unsalted hashes of passwords to identify if the password is breached.

SHA-1 hashes of the email address could be submitted in a secure salted form, but that would increase the computational demands and slow response times.

In Cloudflare’s k-Anonymity, only the first six characters of the email address hash are sent to HIBP on Firefox’s behalf. The database then generates a list of all hashes it knows of that start with these characters, returning them in a single “bucket” to the client which compares them to a local hash – if it finds a match, then that email address has been leaked.

It’s a small trade-off, but also one that preserves as much privacy as possible without impacting performance.

To avoid the possibility of brute force attacks on the database itself, Firefox Monitor will not store queries or results.
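The range query the article describes, as an added example that is not Mozilla’s, Cloudflare’s or HIBP’s code: the client hashes the address with SHA-1, sends only the first six hex characters, receives every suffix the service knows under that prefix, and does the final comparison locally, so the service sees the same query whether or not the address was breached. The breach records and addresses are constructed; the helper that estimates the average bucket size is added to show what a six-character prefix means against the 3.1 billion addresses the article cites.

```python
import hashlib
from typing import Dict, List

PREFIX_LEN = 6   # hex characters of the SHA-1 hash the client reveals (24 bits)


def email_hash(email: str) -> str:
    """Upper-case hex SHA-1 of the normalised address, used as the lookup key."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


# Constructed breach data: a handful of addresses we pretend appeared in breaches.
CONSTRUCTED_BREACHES = {
    "alice@example.com": ["ExampleShop2016"],
    "bob@example.org": ["ExampleForum2014", "ExampleShop2016"],
    "carol@example.net": ["ExampleMail2017"],
}


class BreachService:
    """Server side: indexes hashes by prefix and answers range queries only."""

    def __init__(self, breached: Dict[str, List[str]]):
        self.buckets: Dict[str, Dict[str, List[str]]] = {}
        for email, breaches in breached.items():
            h = email_hash(email)
            self.buckets.setdefault(h[:PREFIX_LEN], {})[h[PREFIX_LEN:]] = breaches
        self.received: List[str] = []   # everything the server ever learns from clients

    def range_query(self, prefix: str) -> Dict[str, List[str]]:
        """Return every known hash suffix under this prefix with its breach names."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("query must be exactly %d hex characters" % PREFIX_LEN)
        self.received.append(prefix)
        return dict(self.buckets.get(prefix, {}))


def check_email(service: BreachService, email: str) -> List[str]:
    """Client side: send only the prefix, match the full hash locally."""
    h = email_hash(email)
    bucket = service.range_query(h[:PREFIX_LEN])
    return bucket.get(h[PREFIX_LEN:], [])


def expected_bucket_size(total_hashes: int, prefix_len: int = PREFIX_LEN) -> float:
    """Average number of hashes sharing one prefix, i.e. the size of the anonymity set."""
    return total_hashes / (16 ** prefix_len)


if __name__ == "__main__":
    svc = BreachService(CONSTRUCTED_BREACHES)
    print(check_email(svc, "Alice@Example.com"))          # breach names for alice
    print(check_email(svc, "nobody@example.com"))         # [] for an unknown address
    print("server saw only:", svc.received)               # six-character prefixes
    print("avg bucket for 3.1 billion hashes: %.0f" % expected_bucket_size(3_100_000_000))
```

With three constructed records every bucket holds one entry, so the privacy here comes from the arithmetic, not the sample: at HIBP’s scale each prefix covers roughly 185 addresses, and the service still only ever receives the prefix.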

It’s not clear how long Privacy Monitor’s testing phase will last but the company said it will announce its availability for all users in a future blog.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/U5jp2zlje78/

WPA3 is the magic number? Protocol refresh promises tighter Wi-Fi security

The Wi-Fi Alliance has taken the wraps off the latest generation of Wi-Fi security, WPA3.

Delivered on Monday, the security protocol brings new and improved authentication and encryption to wireless networks. Both home and enterprise networks stand to benefit from the upgrade.

The revamp includes Simultaneous Authentication of Equals (SAE), a more secure key establishment protocol between devices. The handshaking protocol provides stronger protections against password guessing attempts. WPA3-Personal equates to a “more resilient, password-based authentication even when users choose passwords that fall short of typical complexity recommendations”, the Wi-Fi Alliance said.

WPA3-Enterprise also offers the equivalent of 192-bit cryptographic strength, providing additional protections for networks transmitting sensitive data by offering bigger session key sizes that are harder to crack. Protected Management Frames are designed to hinder de-authentication attacks.

Security experts welcomed the overhaul.

Professor Alan Woodward, a computer scientist at the University of Surrey in England, told The Register:

“The use of the new form of authentication (which is a sort of Diffie Hellman-based system using a password) has been something that we’ve seen in mesh networking before but its use in Wi-Fi does remove one of the more successful attacks where offline attempts could be made to guess passwords. Add to that the extra strength from the new key lengths being introduced and I think we’re seeing a significant step forward.”

The protocol had been proposed a while ago but its official launch means routers shipping with the technology will soon become standard. The Wi-Fi Alliance’s announcement was accompanied by endorsements from a variety of IT giants including Cisco, Intel and Broadcom.

As the Wi-Fi industry transitions to WPA3 security, WPA2 devices will interoperate through a “transitional mode of operation”.

“The success of this will obviously depend on the implementation of the new standard,” Woodward said. “As ever that’s where it most often goes wrong. For example, we need to make sure that we don’t allow systems to be fooled into reverting back to previous standards in order to preserve backward compatibility.

“Although the new standard is a good step forward there will inevitably be a long tail of devices that don’t get updated and hence remain vulnerable. Just think that WEP is still in use by some.”

The Wi-Fi Alliance also introduced Wi-Fi-certified Easy Connect, which makes it easier to connect IoT things (with limited or no display interface) to Wi-Fi networks while maintaining security by using another device, such as a smartphone, to scan a product’s quick response (QR) code. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/26/wpa3_wireless_security_revamp/