STE WILLIAMS

Equifax: woeful PINs put frozen credit files at risk

When is a password not a password?

Never. It’s always a password.

No matter what you call it – password, passcode, passphrase, secret, PIN, login or Jeff – and no matter if it is numeric or alphanumeric, under the hood it’s the same. The same rules apply on how you choose it and how you store it.

Since Friday we’ve been advising the 143 million people who have been affected by the giant Equifax data breach to put a freeze on their credit files.

Frozen credit files can’t be accessed by creditors, which should stop thieves who stole your identity during the breach from taking out a line of credit in your name. Of course, it stops you from taking out credit too, but unlike the crooks you can unfreeze your credit files if you need to.

It’s far from a perfect solution – freezing and unfreezing isn’t slick – but short of changing your SSN and date of birth it’s probably your best protection.

What stops the thieves from unfreezing your credit files is a PIN that you know and they don’t. Equifax chooses your PIN and gives it to you when you freeze your credit files.

Like all PINs, they’re just passwords by another name and the normal rules for choosing passwords apply: the PIN should be long, chosen at random and difficult to guess.

No matter how much a hacker knows about a person or system creating a password, that knowledge shouldn’t help. Likewise, knowing a password shouldn’t reveal anything about the system that created it or make guessing another one any easier.

That’s why we advise that your passwords shouldn’t be a child’s birthday, a pet’s name or your favourite sports team, and why you shouldn’t pick passwords according to a sequence or pattern.

In this case, however, you don’t get to choose: Equifax does it for you, so the normal rules about choosing passwords apply to them rather than to you.

Not PINs at all

Unfortunately, Equifax PINs aren’t chosen at random: they are simply the date and time at which you performed your freeze.

If you froze your data on Friday night after watching our Facebook Live about the Equifax breach at, let’s say, 5pm, your PIN would be 0908171700.

The timestamp uses the format MMDDyyHHmm, where two digits (zero-padded) are used to represent each of: month (01 to 12), day of the month (01 to 31), two-digit year, hours since midnight (00 to 23) and minutes (00 to 59).

It seems that this isn’t some hurriedly put together, post-breach workaround either, as journalist and data nerd Tony Webster pointed out on Twitter:

The PINs are 10 digits long. If Equifax chose numeric PINs at random the crooks would have a one in ten billion chance of guessing the right number on the first go (that still wouldn’t count as a strong password by the way, but it’s not bad).

By using dates Equifax have slashed the odds on a successful guess.

Even if the system used a randomly-generated timestamp and turned it into a PIN, the system would be flawed.

There are only 365 days in most years, so the MMDD digits don’t deliver 10,000 different possibilities (0000 to 9999) as you might expect, and there are only 1440 minutes in a day, which slashes the range of possible values that HHmm can take.

Even if Equifax picked years from anywhere in the last century, the MMDDyyHHmm format would give just 365 × 100 × 1440 variations for a total of just over 50 million different PINs, rather than the 10 billion variations you might reasonably expect the security of the system to be based upon.

Of course, it’s much, much worse than that, because Equifax uses the time of your freeze application to lock in your PIN.

At the time of writing, the breach announcement happened about three days ago – and there are fewer than 5000 minutes in three days.

If you froze your credit files since the announcement, the odds of guessing your PIN correctly aren’t one in ten billion, they’re better than one in 5000.

If we assume that you didn’t freeze your credit files while you were asleep, and that you took at least a few hours to get round to applying for a freeze after hearing the news and deciding what to do, then the odds of guessing the PIN are even better still (better for the crooks, I mean; worse for you).

And that’s not the worst of it.

Because of the way the PIN-generating algorithm works, any timestamped logs of your activity on the Equifax systems that are related to your freeze (computers tend to generate a lot of timestamped logs) are effectively improperly secured copies of your PIN.

In other words, any PIN that’s generated like this just isn’t a PIN.
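To make the arithmetic above concrete, here is a small Python model of the MMDDyyHHmm scheme the article describes. It is an added example, not Equifax’s code: the three-day window and the “awake” hours used in demo() are assumptions chosen to match the article, and, like the article’s 365 × 100 × 1440 estimate, the keyspace figure ignores leap days.

```python
from datetime import datetime, timedelta

# Added example, not Equifax's code: a model of the MMDDyyHHmm scheme the
# article describes. The freeze window and "awake" hours in demo() are assumptions.

PIN_FORMAT = "%m%d%y%H%M"   # MMDDyyHHmm: 10 digits, one-minute resolution


def pin_from_timestamp(when):
    """The 'PIN' is nothing more than the freeze time, zero-padded to 10 digits."""
    return when.strftime(PIN_FORMAT)


def timestamp_from_pin(pin):
    """The inverse: a timestamp in any log of the freeze request is a copy of the PIN."""
    return datetime.strptime(pin, PIN_FORMAT)


def candidate_pins(start, end, awake=(0, 24)):
    """Every PIN an attacker has to try for a freeze placed between start and end.

    awake=(first_hour, last_hour) shrinks the list further on the assumption that
    the victim was not freezing credit files in the middle of the night.
    """
    first, last = awake
    pins = []
    t = start
    while t < end:
        if first <= t.hour < last:
            pins.append(pin_from_timestamp(t))
        t += timedelta(minutes=1)
    return pins


def keyspace_sizes(years=100):
    """Nominal 10-digit space versus what the date format can actually produce.

    Like the article's 365 x 100 x 1440 estimate, this ignores leap days.
    """
    return {
        "random_10_digits": 10 ** 10,             # 1 in 10,000,000,000 per guess
        "any_timestamp": 365 * years * 24 * 60,   # 52,560,000 for a century of dates
    }


def demo():
    # Assumed window: the three days after the announcement (7 to 10 September 2017).
    start = timestamp_from_pin("0907170000")
    end = timestamp_from_pin("0910170000")
    return {
        "example_pin": pin_from_timestamp(datetime(2017, 9, 8, 17, 0)),      # Friday 8 Sep, 5pm
        "three_day_guesses": len(candidate_pins(start, end)),                # 4320: under 5000
        "daytime_guesses": len(candidate_pins(start, end, awake=(7, 23))),   # 2880
        **keyspace_sizes(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>20}: {value}")
```

candidate_pins is the attacker’s entire dictionary: without rate limiting on PIN entry, a few thousand attempts is an afternoon’s work, and timestamp_from_pin is the reason a timestamped log line of the freeze request is a plaintext copy of the PIN.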

Our own Paul Ducklin put it this way:

The P in PIN is for Personal. It is by definition not a PIN if anyone else but you can figure it out by any method better than blind luck – for example by predicting it or retrieving it from a database.

Banks, he points out, don’t do it this way.

That is why banks issue ATM cards for which the PIN:

  • Is chosen by you privately when the card is encoded at the bank, or
  • Is generated randomly and printed using a tamperproof mailer that is sent to you separately from the card.

The PIN itself is not stored by the bank in plaintext form.

Equifax’s system ought to work that way. After all, those “freeze PINs” are essentially Equifax’s digits-only equivalent of, say, your Facebook or your email password.

Sadly, none of this comes as much of a surprise. As Forbes reports, Equifax have struggled with creating secure PINs before. In 2016 the company had to fix a serious flaw in the way it generated PINs issued to client employees:

[the PINs] consisted of the last four digits of an individual’s social security number and their four-digit year of birth

 

What next?

Unfortunately there is nothing you can do about this, it’s all on Equifax. Freezing your credit files remains your best course of action but you should know that the freeze is not as well protected as it should be.

The question is, what will Equifax do next? We think it needs to:

  • Acknowledge that its PINs are not fit for purpose and fix them.
  • Ensure that PIN entry is “rate limited” to prevent online guessing attacks.
  • Promise to tell you if your PIN is hit by a guessing attack.

We’d also like to see Equifax commit to implementing the “right to deletion” of your data that GDPR will enshrine in Europe next year, even if US laws do not require it.

Remember, Equifax CEO Rick Smith said in his announcement about the breach that Equifax “will not be defined by this incident, but by how we respond“.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GWyaYxW6X68/

Equifax: highlighting the problems with social security numbers

People have been banging the drum for years, but perhaps now the massive Equifax breach will force the issue to the forefront: it’s way, way past time to dump social security numbers (SSNs) as a national ID in the United States, as SSNs are a terrible way to identify or authenticate yourself. Here’s why.

You can’t change them if they are compromised

This tweet by @SarahJamieLewis sums up the issue quite nicely:

When your identity is stolen, the onus is on you, the victim, to spend hours tracking down fraudulent activity against your social security number and to remain vigilant to flag anything else that might appear.

Unlike a credit card number, where you can simply notify the company to stop activity on your old credit card and to generate you a new number, once your SSN has been breached, you’re still stuck with using it. You might be given some free credit monitoring and advice on how to freeze your credit, but aside from that, you are pretty much on your own to bear the brunt of the damage with little defensive recourse, which is why hackers love getting their hands on them.

Adding to the problem is that SSNs are so tied to lines of credit in the US through credit bureaus such as Equifax, and all a hacker needs is some basic information (often easily found online, if not already made public) and an SSN, and they can cause serious long-term damage to their victim, making it nigh-impossible for them to take out loans, apply for credit cards, get a mortgage or insurance. Little to no additional authentication is needed to cause significant pain, and it just shouldn’t be that easy.

Too many businesses and services require it

The SSN became the de-facto national ID number simply by chance and not by design. The Social Security Administration (SSA) maintains that you need to hand over your SSN to employers and financial institutions – and not to anyone else, but this has been largely ignored.

The original purpose of the SSN was to track employment-related information, including your overall income and how much you’ve contributed to the US Social Security Administration. In the 1970s, the SSN became inextricably tied to overall US finances and US citizenship when regulations were put in place requiring banks and lenders to track the SSNs of their applicants.

That started the ball rolling for the SSN to become inextricably tied to almost any major transaction or event in an American citizen’s life: passport applications, military service, filing taxes, receiving federal benefits such as Medicare, even blood donations and school lunch programs.

As time rolled on, the number of transactions requiring an SSN just to function in American society snowballed, simply because the SSN was the most convenient option for tracking and verifying American citizenship and identity.

Some businesses have found out the hard way that if you are going to be asking for even a partial social security number, you have to be prepared to protect it, and have moved away from asking for it. Still, as we’ve now seen with Equifax, even if your business is to wheel and deal with SSNs, securing them is no easy feat.

They can be cracked or reverse engineered

As an identifier, it has been shown that guessing a social security number is far from hard. After all, the social security number was never designed to be secret in the first place: it was only from mid-2011 that its first three digits stopped being tied to the state where the number was issued. That change was meant to make SSNs harder to guess, but it was too little, too late.

As an authenticator, the problem of SSNs being unchangeable rears its ugly head again. Many services may ask for the last four digits of your social security number to prove you are who you say you are. According to Javelin Research, 80% of the top 25 banks and 96% of credit card issuers in 2014 allowed their customers (or imposters) to authenticate with an SSN.

In essence, this is a four-digit password that you are forced to re-use over and over, flying directly in the face of advice to use complex and unique passwords.

The Social Security Number issue is thorny, especially as it relates to privacy and the supposed need (or not) for some kind of national identifier in the US — a controversial topic to say the least.

Whether or not the Equihack spurs a bigger conversation about reducing the SSN’s ubiquity remains to be seen. But as long as businesses that have no need to access a social security number keep asking for it, we’re going to see more and more data breaches with the SSNs of millions compromised again and again.

And even for businesses that do really need your social security number – including credit bureaus like Equifax – clearly there’s a lot more that needs to be done by these businesses and the government to mitigate the damage that can be done to citizens when their SSNs are compromised.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CnztgYvngCg/

News in brief: Uber faces FBI probe; Samsung offers bug bounties; ‘Humpty Dumpty’ hackers jailed

Your daily round-up of some of the other stories in the news

Uber said on Friday that it is “co-operating” with an FBI investigation into its “Hell” programme to track drivers with the rival ride-hailing company Lyft.

The Wall Street Journal reported on Friday that the FBI’s New York office is investigating if the now-defunct programme, which allegedly created fake accounts with Lyft and tricked them into thinking customers were seeking rides, was using software to illegally interfere with its competitors. The programme meant that Uber could see where Lyft drivers were and what prices were being charged for the rides.

The programme was also allegedly used to check up on drivers who worked for both companies. The news of the FBI probe comes as Uber’s new chief executive, Dara Khosrowshahi, took over the company earlier this week after its embattled founder, Travis Kalanick, left the company amid a storm of allegations about toxic working practices and endemic sexism.

A lawsuit over the alleged “Hell” programme brought by a Lyft driver, Michael Gonzalez, claiming that Uber used “intercepted” communications to gain information about drivers working for the rival company, was dismissed in August by a judge after Uber claimed that Gonzalez hadn’t made a proper case.

The FBI investigation is apparently looking at whether Uber’s “Hell” scheme constituted unauthorised access to computers. Gonzalez’s lawyers say they plan to refile his suit later this month with an amended complaint.

Samsung promises up to $200k for bugs

Samsung, which came under fire earlier this week for not having fixed its less than spectacular facial recognition feature for the new Galaxy Note 8, has joined the ranks of technology companies offering bug bounty programmes.

The new scheme, its Mobile Security Rewards Program, will pay up to $200,000 to users spotting and reporting issues not just in its current devices, but in a range of hardware, encompassing some 38 phones, phablets and tablets released from 2016 onwards.

The scheme joins the bug bounty programme for its smart TVs, some of which were found to have a flaw leaving them open to hackers, and covers not only device firmware but also software, including its Bixby digital assistant and Samsung Pay.

‘Humpty Dumpty’ hackers jailed

Two more Russian hackers have joined the leader of the “Humpty Dumpty” group behind bars after a Moscow court sentenced Konstantin Teplyakov and Aleksandr Filinov to three years each in jail.

The group, known as Shaltai-Boltai – Russian for Humpty Dumpty – were believed to be behind the high-profile hacks of senior Russian figures, including compromising the Twitter account of Dmitry Medvedev, the prime minister.

Their jailing comes after the July sentencing of Vladimir Anikeev, the leader of the group, who was sent to jail for two years.

The group’s activities were originally a “politically oriented project in opposition to the Kremlin”, another member of the group told the BBC back in February.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/duf9aoBHK3U/

Mexican tax refund site left 400GB of sensitive customer info wide open

Mexican VAT refund site MoneyBack exposed sensitive customer information online as a result of a misconfigured database.

A CouchDB database featuring half a million customers’ passport details, credit card numbers, travel tickets and more was left publicly accessible, security firm Kromtech reports. More than 400GB of sensitive information could be either downloaded or viewed because of a lack of access controls before the system was recently secured.

The data includes 455,038 scanned documents, including 88,623 unique passport numbers, related to people who were claiming a tax refund for goods purchased south of the border. Passports identified included those held by citizens of the US, Canada, Argentina, Colombia, Italy, and many more. Data from 2016 and 2017 featured in the exposure.

Kromtech discovered a misconfigured CouchDB that allowed public access to the data during a routine security audit.
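As an added check (not Kromtech’s tooling, and nothing to do with MoneyBack’s actual setup), here is how a reviewer can tell an open CouchDB from a locked-down one in Python. It assumes CouchDB’s default port 5984 and CouchDB’s documented behaviour that a server with no admin account configured (“admin party”) reports the anonymous user as holding the _admin role on GET /_session; the sample responses in the demo are constructed.

```python
import json
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

# Added example, not Kromtech's tooling. Two unauthenticated requests are enough to
# classify a CouchDB instance; port 5984 is the CouchDB default (assumption).

DEFAULT_PORT = 5984


def classify_couchdb(session_status, session_body, all_dbs_status):
    """Interpret the responses to GET /_session and GET /_all_dbs made without credentials.

    session_body is the parsed JSON of /_session (empty dict if the request failed).
    A CouchDB with no admin account ("admin party") tells the anonymous user that
    it holds the _admin role, which is the worst possible state.
    """
    if session_status == 200:
        ctx = session_body.get("userCtx", {})
        if ctx.get("name") is None and "_admin" in ctx.get("roles", []):
            return "admin_party"        # anyone can read, write and delete every database
    if all_dbs_status == 200:
        return "anonymous_read"         # database names (and usually their documents) need no login
    if all_dbs_status in (401, 403):
        return "auth_required"          # the state you want to see
    return "unknown"


def fetch(url, timeout=5):
    """Unauthenticated GET; returns (HTTP status or None, parsed JSON or None)."""
    try:
        with urlopen(Request(url, headers={"Accept": "application/json"}), timeout=timeout) as r:
            return r.status, json.loads(r.read().decode())
    except HTTPError as e:             # 401/403 are the interesting cases here
        return e.code, None
    except URLError:                   # refused, timed out, no route
        return None, None


def audit_couchdb(host, port=DEFAULT_PORT, scheme="http"):
    """Network version of the check against a live host."""
    base = f"{scheme}://{host}:{port}"
    s_status, s_body = fetch(base + "/_session")
    d_status, _ = fetch(base + "/_all_dbs")
    return classify_couchdb(s_status, s_body or {}, d_status)


def demo():
    # Constructed responses, not captured from any real server.
    admin_party = classify_couchdb(200, {"ok": True, "userCtx": {"name": None, "roles": ["_admin"]}}, 200)
    open_read = classify_couchdb(200, {"ok": True, "userCtx": {"name": None, "roles": []}}, 200)
    locked = classify_couchdb(401, {}, 401)
    return admin_party, open_read, locked


if __name__ == "__main__":
    print(demo())
```

Any result other than auth_required means the instance is reachable without credentials. The remedy is to create an admin account, set require_valid_user = true (in the [chttpd] section of local.ini on CouchDB 2.x; [couch_httpd_auth] on 1.x) and bind the HTTP port to localhost or put it behind a firewall. An auth_required verdict on /_all_dbs alone does not prove individual databases are private, so repeat the GET against any database name you know.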

El Reg approached MoneyBack for comment but we’re yet to hear back. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/08/mexican_vat_refund_site_breach/

Surprising nobody, lawyers line up to sue the crap out of Equifax

Less than 24 hours after credit monitors Equifax revealed it had lost the personal data of more than 130 million Americans, two class action suits have been filed.

The suits, separately filed in the Portland, Oregon and North Georgia US District Courts, accuse the credit reporting company of negligence and violations of the US Fair Credit Reporting Act.

Both reference yesterday’s disclosure from Equifax that it managed to lose personally identifiable information like social security and credit card numbers when an outside attacker was able to slurp data through a vulnerable web application.

Now, lawyers are lining up to make sure that those who have been exposed in the leak can claim a share of the payout.

The Oregon complaint [PDF] will reportedly seek as much as $70bn in damages for residents of that state alone.

“The exact number of aggrieved consumers in Oregon can be determined based on Equifax’s consumer database, estimated at 2,860,000 consumers – about half the population of Oregon,” attorneys representing the class argue.

Meanwhile, the complaint in North Georgia [PDF] has the potential to be even bigger, as the district is home to Equifax’s main headquarters in Atlanta. That suit seeks damages not only for negligence, but also for violations of federal and state credit reporting laws.

“Equifax had the resources to prevent a breach, but neglected to adequately invest in data security, despite the growing number of well-publicized data breaches,” the complaint reads.

“Had Equifax remedied the deficiencies in its data security systems, followed security guidelines, and adopted security measures recommended by experts in the field, Equifax would have prevented the Data Breach and, ultimately, the theft of its customers’ PII.”

And if you’re convinced things can’t get any worse for Equifax, well, just go and check the fine print on the site they have set up to let Americans check if their details were exposed in the leak. The Terms and Conditions would bar users from suing the company.

That caught the attention of New York Attorney General Eric Schneiderman.

Wall Street isn’t particularly thrilled with Equifax either. As of mid-day Friday, the company’s stock was down nearly 14 per cent. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/08/lawyers_line_up_to_sue_equifax/

Microsoft says it won’t fix kernel flaw: It’s not a security issue. Suuuure

A design flaw within the Windows kernel that could stop antivirus software from recognizing malware isn’t going to be fixed, Microsoft has said.

The issue, spotted this week by enSilo security researcher Omri Misgav, lies within the kernel routine PsSetLoadImageNotifyRoutine, which has been part of Microsoft’s operating system since Windows 2000 and is still active in the latest builds.

Antivirus tools use PsSetLoadImageNotifyRoutine to check if malicious code has been loaded into memory, but Misgav found that a cunning attacker could use poor coding behind the API to smuggle malware past scanners.

“During research into the Windows kernel, we came across an interesting issue with PsSetLoadImageNotifyRoutine which, as its name implies, notifies of module loading,” he said in a blog post.

“The thing is, after registering a notification routine for loaded PE images with the kernel, the callback may receive invalid image names. After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself.”

Essentially, because the kernel can hand the callback a wrong or malformed image name, an attacker can arrange for a scanner that trusts that name to inspect a different file – such as a benign executable – rather than the malicious code that was actually loaded. This would allow software nasties to evade antivirus packages that rely on the reported name rather than on the loaded image itself.

After enSilo notified Microsoft about the issue nothing happened. When Redmond’s techies did get in contact, they said that they weren’t concerned about the issue – a view also reflected in a statement to The Register:

“Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update.”

Crack on, malware writers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/08/microsoft_says_it_wont_fix_kernel_flaw_its_not_a_security_issue_apparently/

Scotiabank internet whizzkids screw up their HTTPS security certs

The team behind Scotiabank’s Digital Banking Unit isn’t impressing some customers, after forgetting to renew the security certificates for their own website.

The DBU was set up last year to sell “world class digital solutions” to electronic banking customers around the world. But Jason Coulls, CTO of food safety testing company Tellspec and a former banking software developer, tipped off The Register that the bank’s hipster factory certificates had expired nearly five months ago.

“Tuesday next week is the five month anniversary of the certificate expiring and no one has noticed,” he said. “This from a group supposed to showcase how smart the bank’s IT people are. The irony is strong in this one.”
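A monitoring check that would have caught this months earlier is straightforward. The Python below is an added example, not Scotiabank’s or The Register’s code: check_expiry works on the dict that ssl.SSLSocket.getpeercert() returns, the 30-day warning threshold is an assumption, and the two certificates in demo() are constructed to match the article’s timeline (notAfter in April, checked on 8 September 2017).

```python
import socket
import ssl
from datetime import datetime, timezone

# Added example, not Scotiabank's code. Checks a certificate's notAfter against a
# point in time and flags it when expired or inside the warning window.

WARN_DAYS = 30   # assumption: how far ahead a renewal reminder should fire


def utc(year, month, day, hour=0, minute=0):
    """Aware UTC datetime helper so callers never mix in local time."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def seconds_until_expiry(cert, now):
    """Seconds from `now` (aware UTC datetime) to the certificate's notAfter."""
    # cert_time_to_seconds parses "Apr 11 00:00:00 2017 GMT" and treats it as UTC (Python 3.5+)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_after - now.timestamp()


def check_expiry(cert, now, warn_days=WARN_DAYS):
    """Return (state, whole_days_left); state is 'expired', 'expiring_soon' or 'ok'."""
    days_left = int(seconds_until_expiry(cert, now) // 86400)
    if days_left < 0:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring_soon", days_left
    return "ok", days_left


def probe(host, port=443, now=None, timeout=5):
    """Live check: a default (verifying) context rejects an expired cert at the handshake,
    so a broken site shows up as handshake_failed rather than as a dict to inspect."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return check_expiry(tls.getpeercert(), now)
    except ssl.SSLCertVerificationError as e:   # Python 3.7+
        return "handshake_failed", str(e)


def demo():
    # Constructed certificates (only the fields the check needs), not real ones.
    expired = {"subject": ((("commonName", "dbu.example.invalid"),),),
               "notAfter": "Apr 11 00:00:00 2017 GMT"}
    healthy = {"subject": ((("commonName", "dbu.example.invalid"),),),
               "notAfter": "Apr 11 00:00:00 2018 GMT"}
    checked_on = utc(2017, 9, 8)
    return check_expiry(expired, checked_on), check_expiry(healthy, checked_on)


if __name__ == "__main__":
    print(demo())
```

Run probe() from a scheduler against every public hostname you own; the point of the exercise is that a certificate five months past notAfter should have fired roughly 180 daily alerts, not zero.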

Classy move

Coulls said he tried to warn the team that their SSL certificates were out of order, but has received no response from them. Then again, that appears to be par for the course for the Canadian bank.

In 2016 he spotted that the bank’s mobile app had some rather unusual features – notably that the programmers had laden the code with f‑bombs. He informed the bank in April and got no response, so let the regulators know. Scotiabank fixed the code within 24 hours.

The latter incident was particularly concerning because under PCI DSS – the card industry’s security standard, which banks are contractually bound to follow rather than a banking law – code that handles card data has to be reviewed before release to make sure it is secure. It seems as though the DBU isn’t the only group asleep at the switch.

The Register asked Scotiabank for a comment but no one was available at the time of publication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/08/scotiabank_security_whiz_kids_screw_up_security_certs/

Red panic: Best Buy yanks Kaspersky antivirus from shelves

US big box retailer Best Buy has pulled from its shelves Kaspersky Lab’s PC security software amid fears of Kremlin spies using the antivirus tool to snoop on Americans.

Despite there being no concrete evidence to indicate that the security software is a threat, the retail chain is ending its long relationship with Kaspersky, a Best Buy spokesperson confirmed to The Register on Friday. As to the reasoning, the store chain just said that it doesn’t comment on contracts with specific vendors.

“Kaspersky Lab and Best Buy have suspended their relationship at this time; however, the relationship may be re-evaluated in the future,” the Russian biz told The Register today.

“Kaspersky Lab has enjoyed a decade-long partnership with Best Buy and its customer base, and Kaspersky Lab will continue to offer its industry-leading cybersecurity solutions to consumers through its website and other retailers.”

The news caps off a lousy week for Kaspersky. On Monday US Senator Jeanne Shaheen (D-NH) introduced an amendment to the National Defense Authorization Act that would ban Kaspersky software from any federal computer, following on from her earlier ban on the software being used by the Department of Defense.

“Because Kaspersky’s servers are in Russia, sensitive United States data is constantly cycled through a hostile country,” she said in an op-ed supporting the amendment.

“Under Russian laws and according to Kaspersky Lab’s certification by the FSB, the company is required to assist the spy agency in its operations, and the FSB can assign agency officers to work at the company. Russian law requires telecommunications service providers such as Kaspersky Lab to install communications interception equipment that allows the FSB to monitor all of a company’s data transmissions.”

What she didn’t add is that under the terms of the Patriot Act and other legislation pushed through as part of The War Against Terror (TWAT), American software companies are under similar obligations if the government comes knocking at their doors.

Indeed, the CIA’s investment arm In-Q-Tel even funds security startups. FireEye, Interset, ArcSight and Silver Tail Systems all got funding from the intelligence agency.

But why let the facts get in the way of a good bit of publicity? Bashing Kaspersky is very much the game du jour at the moment. The FBI has been giving classified briefings to politicians warning them about the software and conducting nocturnal visits to Kaspersky staffers’ homes. Those of us without security clearance are being told to trust them and steer clear of the nasty Russian code, m’kay.

Eugene Kaspersky, the eccentric founder of the firm that bears his name, has repeatedly and vehemently denied that there are any backdoors in his software that the FSB can use. He has offered the source code up for inspection by the US government, but no one’s taking him up on it.

All this technology bashing has had another effect, however. It appears to have given Vladimir Putin ideas about doing exactly the same thing – a move that could be very costly for some technology companies.

At a meeting of technology executives in the Perm region, Putin told them that they should aim to be using only Russian software. Currently about 30 per cent of the software used by Russian business is home grown, and Putin told them that had to change – the government might penalize some companies if they don’t.

“In terms of security, there are things of critical importance for the state, that are essential to support certain industries and regions,” he said, the state mouthpiece RT reports.

“You shouldn’t offer IBM [products], or foreign software. We won’t be able to take it because of too many risks.” ®

Updated to add

Best Buy has confirmed that customers who bought Kaspersky software can have it removed by the retailer’s Geek Squad techies, who may also check it for child abuse images.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/08/best_buy_yanks_kaspersky_software/

Equifax data breach defense: freezing your credit file

Updates as of 2017-09-08:

Various security experts have advised people to place a security freeze on their credit files with Equifax. Sophos CTO Joe Levy agrees. In fact, he believes reporting agencies should make the process easier:

After this incident, it’s time for the reporting agencies to step up and make freezing and thawing effortless. How about an app that operates like today’s easy-to-use push notification multi-factor authentication systems? I’d forgo my participation in the coming class-action suit if they would instead agree to that.

The general thinking is that a freeze is better than the typical credit monitoring companies offer after a breach. As Brian Krebs of KrebsOnSecurity has noted in the past, credit monitoring services do little if anything to stop thieves from stealing your identity. A security freeze, on the other hand, blocks creditors from looking at your file in order to, as Krebs put it, “grant that phony new line of credit to ID thieves.”

It’s a case of prevention being better than the cure. Levy put it this way:

Credit monitoring is useful in the way an intrusion detection system is useful, but their evolutionary descendants, intrusion prevention systems, provide more practical value. It’s time the monitoring agencies evolve in similar fashion.

There is a site for those who want to initiate a freeze with Equifax.

***

Original story:

To understand how bad the data breach at Equifax is, consider this: the US has a population of approximately 324m people. The credit services provider says its breach may have affected up to 143m Americans: nearly half the population is potentially involved.

The company said in a statement that cybercriminals “exploited a US website application vulnerability” to access certain files:

Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

What kinds of customer data did the culprits access? Names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers, according to Equifax chairman and CEO Richard Smith. In addition, he said, credit card numbers for approximately 209,000 US consumers and certain dispute documents with personal identifying information for approximately 182,000 US consumers were accessed.

And there’s more. Smith said:

As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps.

Many questions

There are a lot of questions surrounding this breach. Bloomberg reports that three Equifax senior executives sold shares worth almost $1.8m in the days after the company discovered the breach – but before Thursday’s disclosure. That’s bound to fuel anger from customers who will want to know why.

Equifax will also have to explain what it means by a “website application vulnerability.” Were the hackers exploiting a 0-day vulnerability in server software or one which was known, and for which there was a patch? Or was it perhaps something as simple as a SQL injection vulnerability in the website — the same type of vulnerability that compromised TalkTalk.

Speculation also abounds that the compromised data was stored in plain text, though at the time of writing it remained unclear if that was the case.

Defensive measures

Details of what exactly happened will become clearer in the coming days and weeks. For now, customers need to know what they can do to protect themselves. To that end, we suggest the following:

  • Equifax says people can click a link on its website to see if they’ve potentially been impacted by submitting their last name and the last six digits of their Social Security number. Furthermore, those affected will be given a date to enroll in free ID theft protection and credit monitoring services.
  • Change your password and other secret credentials.
  • If you used the same password on other accounts, change those passwords, too.
  • Make all new passwords different and difficult to guess. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
  • Include upper- and lower-case letters, numbers and symbols to make passwords harder to crack – refer to the Sophos How to Pick a Proper Password video for creating stronger passwords.
  • Be careful with your security questions: information such as your mother’s real maiden name is easy to track down. You don’t have to give the actual answer to the question “what’s your favorite food?” – you only have to give an answer that you will remember.
  • Use two-factor authentication wherever possible.

We’ll update this article as more details become available.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/k-DoanI2rKo/

Your voice assistant can hear things you can’t – such as a hacker

Word from Apple, ahead of the big rollout of iPhone 8 and iOS 11 on September 12, is that its voice assistant Siri is going to sound more like a person and less like a robot.

Great for the user experience. But based on a report published just last week by a team of researchers at Zhejiang University in China, perhaps Apple should have spent more of its time on what Siri hears instead of what users hear.

They demonstrated that Siri, along with every other voice assistant (VA) they tested, will respond to commands that no human could have spoken: commands that are not only outside the human vocal range but also inaudible to humans.

Which means your dog could probably hear it. But it also means an attacker could give your VA a command, and you won’t know about it.

In the report, titled “DolphinAttack: Inaudible Voice Commands”, the researchers said they were able to validate it on Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana and Amazon’s Alexa. The trick is to amplitude-modulate an ordinary spoken command onto an ultrasonic carrier; nonlinearity in the microphone hardware demodulates it back into the audible band, so the assistant’s speech recognizer receives a normal command that nobody in the room heard. Using ultrasonic voice commands at frequencies of more than 20 kHz, they got the VAs to

  • Visit a malicious website, “which can launch a drive-by-download attack or exploit a device with 0-day vulnerabilities”.
  • Spy on the user by initiating outgoing video/phone calls, therefore getting access to the image/sound of device surroundings.
  • Inject fake information, by instructing the device, “to send fake text messages and emails, to publish fake online posts, to add fake events to a calendar, etc”.
  • Impose a denial of service, through a command to turn on the airplane mode, disconnecting all wireless communications.
  • Conceal attacks by dimming the screen and lowering the volume of the device.
  • “Tested attacks include launching FaceTime on iPhones, playing music on an Amazon Echo and manipulating the navigation system in an Audi automobile,” the team wrote, which means an attacker could change the destination on your GPS.

There are limits – significant limits – on the capability of launching an attack. It can’t be done remotely, from miles away like the famous 2015 hack of a Jeep Cherokee by Charlie Miller and Chris Valasek. While it only takes about $3 worth of hardware added to a smartphone, it would require being anywhere from a few feet to inches from a potential victim. So an attacker likely can’t tell Alexa to unlock your back door if he’s not already in your house.

In a public place, however – a crowded subway for one – it wouldn’t be difficult to get very close to other devices.

But another barrier is that on smartphones, the screen would have to be already unlocked for most ultrasound commands to work. Siri will make a phone call to somebody in a user’s contact list without the screen being unlocked, but it won’t do most sensitive things like open a website, open third-party apps, conduct a financial transaction or send text messages.

Obviously, that barrier is removed while somebody is using their phone, since that means they’ve unlocked it. But if Siri received a surreptitious ultrasound command at that moment, the intended victim would likely be looking at the phone and see that something unusual was happening.

The researchers did offer suggestions to defend against DolphinAttack, including modifying the microphone so it doesn’t respond to anything outside of the human vocal range.
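Why that particular suggestion, and why it has to be done in the microphone rather than in software, follows from how the attack works: the command is amplitude-modulated onto an ultrasonic carrier, and the nonlinearity of the microphone circuitry demodulates it back into the voice band. The simulation below is an added example, not the researchers’ code. It models the microphone as a square-law device (y = x + a·x², with an assumed a = 0.5), measures how much of the command ends up at its original frequency, and then applies the same low-pass filter once in front of and once behind the microphone. All signal parameters (sample rate, carrier, window) are assumptions chosen so that every tone fits a whole number of cycles into the window, which keeps the single-bin DFT measurements exact.

```python
import cmath
import math

# Simulation parameters (assumed). Every tone used below fits an integer number
# of cycles into N samples at FS, so the DFT bins land exactly on the tones.
FS = 192_000         # sample rate, high enough to represent a 40 kHz carrier
N = 384              # 2 ms analysis window
VOICE_HZ = 1_000     # stands in for the spoken command (baseband)
CARRIER_HZ = 40_000  # ultrasonic carrier used by the attacker
AUDIBLE_HZ = 20_000  # approximate upper limit of human hearing


def tone(freq_hz, n=N, fs=FS):
    return [math.cos(2 * math.pi * freq_hz * i / fs) for i in range(n)]


def dolphin_signal(n=N, fs=FS):
    """What the attacker's transducer emits: the command m(t) amplitude-modulated
    onto the carrier, s(t) = (1 + m(t)) * cos(2*pi*fc*t). Its only spectral
    components are at fc and fc +/- VOICE_HZ, all far above AUDIBLE_HZ."""
    return [(1.0 + m) * c for m, c in zip(tone(VOICE_HZ, n, fs), tone(CARRIER_HZ, n, fs))]


def microphone_nonlinearity(x, a=0.5):
    """Square-law model of a microphone/pre-amplifier: y = x + a*x^2 (a is assumed).
    The x^2 term multiplies the fc and fc +/- f components together and produces
    their difference frequency f, so the command reappears at baseband."""
    return [v + a * v * v for v in x]


def dft_amplitude(x, freq_hz, fs=FS):
    """Amplitude of the cosine component at freq_hz (one DFT bin)."""
    n = len(x)
    acc = sum(v * cmath.exp(-2j * math.pi * freq_hz * i / fs) for i, v in enumerate(x))
    return 2.0 * abs(acc) / n


def loudest_audible(x, fs=FS):
    """Largest amplitude in any bin from one bin above DC up to AUDIBLE_HZ."""
    step = fs / len(x)
    return max(dft_amplitude(x, k * step, fs) for k in range(1, int(AUDIBLE_HZ // step) + 1))


def ideal_lowpass(x, cutoff_hz, fs=FS):
    """Brick-wall low-pass: DFT, zero every bin above cutoff_hz, inverse DFT."""
    n = len(x)
    tw = [cmath.exp(-2j * math.pi * k / n) for k in range(n)]
    spec = [sum(x[i] * tw[(k * i) % n] for i in range(n)) for k in range(n)]
    for k in range(n):
        f = k * fs / n
        if f > fs / 2:
            f = fs - f               # bins past Nyquist are the negative frequencies
        if f > cutoff_hz:
            spec[k] = 0.0
    return [sum(spec[k] * tw[(-k * i) % n] for k in range(n)).real / n for i in range(n)]


def attack_as_published(a=0.5):
    """(loudest audible component in the air, loudest audible component after the
    microphone). The first is ~0; the second is a * 1.0, the demodulated command."""
    s = dolphin_signal()
    return loudest_audible(s), loudest_audible(microphone_nonlinearity(s, a))


def filter_after_microphone(a=0.5):
    """Low-pass in firmware/DSP, i.e. behind the nonlinear stage. By then the
    command already sits at VOICE_HZ, inside the pass-band, so it survives."""
    s = dolphin_signal()
    return dft_amplitude(ideal_lowpass(microphone_nonlinearity(s, a), AUDIBLE_HZ), VOICE_HZ)


def filter_before_microphone(a=0.5):
    """The researchers' suggestion, modelled as a low-pass in front of the
    nonlinearity (a microphone that does not respond above the voice band):
    nothing ultrasonic reaches the square-law element, so nothing is demodulated."""
    s = dolphin_signal()
    return dft_amplitude(microphone_nonlinearity(ideal_lowpass(s, AUDIBLE_HZ), a), VOICE_HZ)


if __name__ == "__main__":
    in_air, heard = attack_as_published()
    print(f"audible in the air:       {in_air:.4f}")
    print(f"after microphone:         {heard:.4f}  (the {VOICE_HZ} Hz command)")
    print(f"filter after microphone:  {filter_after_microphone():.4f}")
    print(f"filter before microphone: {filter_before_microphone():.4f}")
```

The numbers make the placement argument directly: the signal in the air has nothing below 20 kHz, the square-law stage turns it into a 1 kHz tone at half amplitude, a filter applied after that stage leaves the tone untouched, and the same filter applied before it removes the attack entirely. Real microphones are far less nonlinear than this toy model, which is why the attack needs the transducer within inches to a few feet of the device, but the direction of the conclusion does not depend on the value of a.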

But some experts say voice recognition software actually needs those inaudible higher frequencies to analyze what a person is saying – that they are a part of human speech that is inaudible to the human ear but not to a computer. Gadi Amit, founder of NewDealDesign, told Fast Code Design that making VA technology ignore ultrasound frequencies might cause “a negative effect that lowers the comprehension score of the whole system”.

Then again, if Apple and others are able to make their VAs sound more like a human, perhaps they can configure them to recognize when a command is coming from something other than a human.

Or, a security conscious user with an iPhone could simply go to Settings and disallow the “Hey Siri” option, which would then require pressing the Home button to issue a command.

Apple declined to comment on the report, while Amazon said in response:

We take privacy and security very seriously at Amazon and are reviewing the paper issued by the researchers.

For now, it appears this is more of a demonstration of potential risk than an imminent security disaster – the researchers are due to present their paper in a couple of months at the ACM Conference on Computer and Communications Security. But, as is the case with just about every kind of hacking technology, it is likely to improve. So it would be wise for VA developers and designers to get out ahead of that potentially malicious progress with some security progress of their own.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/4UddDzC7tlE/