STE WILLIAMS

Facebook got 187,000 users’ data with snoopy VPN app

In January, Apple’s App Store gave the heave-ho to Facebook’s snoopy Research VPN (virtual private network) app.

Now we know how many users Facebook Research got personal and sensitive device data from: 187,000, according to a letter sent by Facebook to Senator Richard Blumenthal and obtained by TechCrunch. That’s 31,000 US users – 4,300 of whom are teenagers – with the rest from India.

The now-defunct Research app used its access to get what security researcher Will Strafach called “nearly limitless access.” That includes web browsing histories, encrypted messages and mobile app activity of not just the volunteer users but also, potentially, data from their friends.

It was kicked from the App Store for violating Apple’s Developer Enterprise Program License Agreement by installing a root certificate, something that’s supposed to be limited to “for use by your employees”.

Facebook pushed back at the negative coverage it received following the eviction, pointing out that it wasn’t the snoopiness of the app that saw it discarded, and that users were well aware they were being snooped on:

…there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate.

The data was used for competitive analysis. Facebook used an earlier version of the VPN app, Onavo, to track its competition and scope out new product categories. Private, internal emails from Facebook staff that were published in December 2018 revealed that Facebook had relied on the Onavo data when it decided to purchase WhatsApp, for example. The company also used the Onavo data to track usage of its rivals and to block some of them – including Vine, Ticketmaster, and Airbiquity – from accessing its friends data firehose API.

Onavo, banned from Apple’s App Store in August 2018 for its privacy-violating ways, has been recycled multiple times.

Following the Onavo backlash, since at least mid-2018, the company started calling Facebook Research “Project Atlas.” It had yet another similar program called “Project Kodiak.”

And as TechCrunch reports, just this week, the research app has resurfaced yet again as “Study”. It’s yet another pay-for-market-research app, but this one’s only available on Google Play – no surprise there, since both Onavo and Research got kicked out of the App Store. It’s available only to approved users who’ve been invited to the Facebook Study program. TechCrunch reports that Facebook is pledging to be more transparent about how it collects user data.

Facebook has also promised to not snoop on user IDs, passwords or any of participants’ content, including photos, videos or messages. It’s not saying how much participants will be paid – they got $20 for going along with the Research app – but Facebook does say that it won’t sell participants’ info to third parties, use it to target ads or add it to their account or the behavior profiles the company keeps on each user.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2xeBm6WLlJk/

Android phones can now be security keys for iOS devices

Hey, iOS users. Got a spare Android phone lying around? Now, you can use it as a secure access key for online services.

In April, Google announced that it was making secure access keys available on its Android phones. These software-based keys are based on the FIDO2 standard, which is a community attempt by several industry players to make secure logins easier.

Instead of having to remember a password when logging into a website, you can use a digital key stored on a piece of suitable hardware. Google and other vendors offer small hardware dongles that connect either via a computer’s USB port, or via Bluetooth. Your browser reads the digital key from the device and sends it to the website to prove that you’re legit.

Letting users store this digital key on their Android phones turns the phone into a secure access device: you have to be in physical control of the phone to authenticate to a site on your computer. Over the phone’s Bluetooth connection, users can authenticate themselves when logging into Google services.

These phone-based keys also stop phishers from mounting man-in-the-middle attacks. The phone stores the key against the URL of the website it’s trying to access so it isn’t available to the wrong (phishy) URL.
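As an added example (not Google’s code and not from the article), here is the relying-party side of that binding in the shape FIDO2/WebAuthn assertions carry it: the browser records the origin it actually saw in clientDataJSON, and the authenticator hashes its relying-party ID into authenticatorData, so a lookalike site relaying a genuine challenge fails both checks. The origins, RP ID and challenge are constructed, and the signature check over the assertion is left out to keep the focus on origin binding.

```python
import base64
import hashlib
import json
import secrets
from typing import Tuple

# Constructed relying party (RP) identity, assumed for this example.
EXPECTED_ORIGIN = "https://accounts.example.com"
EXPECTED_RP_ID = "example.com"


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as WebAuthn encodes binary fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Fixed 37-byte authenticatorData prefix: rpIdHash || flags || signCount.
    The authenticator (the phone) computes rpIdHash from the RP ID it was
    registered for; flags set UP (bit 0) and UV (bit 2)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = 0b00000101
    return rp_id_hash + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON is filled in by the browser, not the website, so a
    phishing page cannot lie about the origin the user is really on."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes) -> Tuple[bool, str]:
    """RP-side checks that tie an assertion to this origin and RP ID.
    Returns (accepted, reason); a real RP also verifies the signature over
    authenticatorData || SHA-256(clientDataJSON), omitted here."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    # Origin check: the browser-recorded origin must be exactly ours.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # RP ID check: the key was scoped to our RP ID when it was registered.
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> dict:
    """Legitimate login versus a constructed lookalike site relaying the challenge."""
    challenge = secrets.token_bytes(32)
    legitimate = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                                  make_authenticator_data(EXPECTED_RP_ID), challenge)
    phishing = verify_assertion(make_client_data("https://accounts.examp1e.com", challenge),
                                make_authenticator_data("examp1e.com"), challenge)
    return {"legitimate": legitimate, "phishing": phishing}
```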

The key-on-a-phone feature already worked with Google Chrome on ChromeOS, macOS, and Windows 10. Now, Google has opened it up to iOS as well. It had to tweak things a little because the Chrome browser on iOS uses a different, Apple-mandated browser engine called WebKit rather than Chrome’s default Blink engine.

Instead of using Chrome on iOS, Google uses Smart Lock. This iOS app lets you sign into your Google account if you have a security key.

The service makes Google even more secure for iOS users, but the catch for now is that it only works with Google services. To make Bluetooth access between the Android phone and the user’s computer as seamless as possible, Google introduced a new technology that eliminates the need to pair the computer and the phone via Bluetooth.

The fast Bluetooth connection technology makes for quick, seamless access, but it hasn’t been standardized yet. The company has submitted it to the FIDO Alliance, but standardization will take time. Google product manager Christiaan Brand hopes that:

Once that is standardized, then we’ll see other websites and other browsers can implement this same thing and also allow that for their website.

An Android-based security key might be a handy tool for iOS users who made the switch but still have their old Android phone lying around, or perhaps people who use different phones in their work and personal lives.

The alternative to using your Android phone is to just buy an NFC-enabled key for the iPhone. Google’s key uses Bluetooth and has had problems recently. Yubico’s YubiKey uses NFC, and the company is also working on a version that plugs into the Lightning port on iOS devices.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hsr8DdJ3Z3Q/

Critical flaw found in Evernote Web Clipper for Chrome

Users of Evernote’s Web Clipper extension for Google Chrome should check it has been updated to the latest version after a security company published details of a dangerous security flaw.

Discovered by Guardio in May, the flaw is ‘dangerous’ in the sense that anyone using the extension in its unpatched state is at risk not only of a compromise of their Evernote account but, potentially, of third-party accounts (email, social media, banking) they have open at the same time.

Identified as CVE-2019-12592, it is a Universal Cross-Site Scripting (UXSS) flaw caused by a “logical coding error” that breaks the browser’s domain isolation protection.

From the description offered, exploiting it would require several steps, the first of which would be luring the user to a malicious or compromised website.

The attack would then load iFrame tags targeting specific services, hijacking Evernote to inject payloads into all iFrames:

Injected payload is customized for each targeted website, able to steal cookies, credentials, private information, perform actions as the user and more.

To demonstrate the danger, Guardio developed a proof-of-concept to show that it was possible to exploit the vulnerability to steal user data under real-world conditions.

Who is – and isn’t – affected?

Only the 4.6 million users of the Chrome extension need to update (as far as we know, users of the Firefox, Opera, and Edge equivalents are unaffected).

You’ll know you’re one of those if Chrome says the installed Evernote Web Clipper is earlier than the patched version, 7.11.1, released on 31 May 2019.

Chrome should have updated to this automatically, but a manual update can be carried out by accessing the extensions panel (chrome://extensions) and engaging the developer slider on the right-hand side. That causes the extensions ‘update’ button to appear.

Commendably, Evernote fixed and shipped the patched version only three days after being told about it, which is exactly what companies should do in these circumstances.

Extension risks

Web clipping extensions are a wonderful invention for anyone who wants to store screenshots, or save and annotate web content, in this case storing it in their Evernote account.

However, doing this requires permissions, which is where the increased risk comes in. As Guardio says:

This vulnerability is a testament to the importance of treating browser extensions with extra care and only installing extensions from trusted sources.

And that’s before factoring in the possibility of malicious extensions that are found on Google’s Chrome Web Store more often than they should be.

As with Evernote, legitimate extensions have also had their weaknesses, such as the one affecting Grammarly in 2018.

We’d recommend installing as few extensions as possible and, most critical of all, checking the permissions they ask for, not only on Chrome but on any browser.

On Chrome this is done via Extensions Details, while on Firefox permissions are listed when the user clicks the ‘Add to Firefox’ button. For Opera, it’s Extensions Information.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/uLU8n86Im9k/

BlueKeep RDP Vulnerability a Ticking Time Bomb

One month after Microsoft disclosed the flaw, nearly 1 million systems remain unpatched, and Internet scans looking for vulnerable systems have begun increasing.

The BlueKeep RDP vulnerability continues to be a ticking time bomb one month after Microsoft publicly disclosed the flaw.

New research from security vendor BitSight shows that close to 1 million systems with RDP exposed to the Internet remain unpatched and vulnerable to attacks.

Another report from Check Point Research this week notes a recent increase in scanning attempts for the flaw from multiple countries, which the company sees as a sign that some threat actors are conducting reconnaissance in preparation for an attack.

Multiple reports of proof-of-concept code becoming available for the flaw have also surfaced in recent weeks, adding to concerns that BlueKeep could soon be used to launch attacks similar in scale to the WannaCry and NotPetya outbreaks of 2017.

“It’s surprising that organizations haven’t been more efficient and diligent in patching this vulnerability, particularly given the ominous nature of the warning from both Microsoft and the NSA,” says Jake Olcott, vice president at BitSight. It’s hard to say what exactly might explain the lack of initiative, but poor visibility over deployed systems could be one reason, he says.

The most valuable piece one can take away from the report is the importance of examining an organization’s vulnerabilities across the ecosystem, he says. “Too frequently, organizations are diligent when examining their own internal mechanisms but fail to audit risks within third-party systems along the supply chain, from contractors and vendors,” Olcott says.

BlueKeep (CVE-2019-0708) is a critical remote code execution bug in the Remote Desktop Services Protocol in older and legacy versions of Windows, including Windows 7, Windows XP, Windows Vista, and Windows Server 2008. Microsoft has described the flaw as giving attackers a way to gain complete control over a vulnerable system and to install programs, view, change, or modify data and create new accounts with full user rights. The bug does not require an attacker to be authenticated or for the user to take any action in order to be exploited.

“In other words, the vulnerability is ‘wormable,'” the company said in a blog post that urged companies to patch vulnerable systems quickly. “Any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

Microsoft considers the threat posed by BlueKeep to be so severe that it issued patches even for Windows versions that it no longer supports but that are still widely used around the world. In an advisory last month, the NSA warned that it was “only a matter of time” before remote exploitation tools become available for BlueKeep and threat actors begin including the exploits in ransomware and exploit kits.

According to BitSight, a scan for externally observable systems with RDP showed that 972,829 vulnerable systems still remain unpatched nearly a month after BlueKeep was first disclosed. Most of the unpatched systems are located either in China or the US. Other countries with a significant number of vulnerable systems include Germany, Brazil, Russia, France, and Great Britain.

The organizations that appear most vulnerable to the threat — based on the presence of at least one vulnerable system on their networks — include those in the telecommunications, education, and technology sectors, BitSight’s scanning data shows. At the other end of the spectrum, organizations in the insurance, finance, legal, and healthcare industries appear to have made the most progress in patching BlueKeep or in having other mitigations against it.

In many ways, the threat associated with BlueKeep is similar to the threat posed by the EternalBlue bug that was exploited in the 2017 WannaCry campaign, BitSight says. The one difference is that a reliable exploit for EternalBlue became available almost as soon as the bug was disclosed.

In BlueKeep’s case, there is no sign yet that an exploit has become publicly available. But there are reports of several proof-of-concept exploits being built by reverse-engineering the Microsoft patch.

Whether BlueKeep will result in attacks similar to those enabled by EternalBlue depends on how the exploit is delivered, Olcott says. “If it’s exploited within enough vulnerable systems, it certainly could be as impactful as EternalBlue,” he says. “A lot of that impact depends on the delivery method of the exploit — such as a worm — and how many devices it can impact at one time.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/bluekeep-rdp-vulnerability-a-ticking-time-bomb/d/d-id/1334967?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DNS Firewalls Could Prevent Billions in Losses to Cybercrime

New analysis shows widespread DNS protection could save organizations as much as $200 billion in losses every year.

DNS protection could prevent approximately one-third of the total losses due to cybercrime – which translates into billions of dollars potentially saved.

According to “The Economic Value of DNS Security,” a new report published by the Global Cyber Alliance (GCA), DNS firewalls could annually prevent between $19 billion and $37 billion in losses in the US and between $150 billion and $200 billion in losses globally. GCA used data about cybercrime losses from the Council of Economic Advisors and the Center for Strategic and International Studies as the basis for its estimates of how much DNS protection, such as a DNS firewall, could save the economy.

“The benefit from using a DNS firewall or protective DNS so exceeds the cost that it’s something everyone should look at,” says Philip Reitinger, GCA president and CEO. In many cases, he says, the DNS protection service or DNS firewall will be available at no cost to purchase or license.

But could any cost, no matter how small, be offset by the difficulty in deploying or managing the protection? Not likely. “In most cases, it will be extremely easy to do. There’s no new software here,” Reitinger says. When it comes to protecting endpoints, it could be as simple as changing the address used for DNS resolution in the computer’s network settings. And for some companies, the adoption will be only slightly more difficult.

The only real difficulty, Reitinger says, comes if the firewall begins generating false positives, blocking traffic to destinations that serve a legitimate business purpose. Should that happen, firewall rules will need to be manually overridden. “If you see people trying to go out to various services, you get to write the rules that allow or block the destination in spite of the firewall,” he says.
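As an added example (not GCA’s or the article’s code), this is the decision logic such a DNS firewall applies to each query name: a block rule covers a zone and all its subdomains, and the manual allow rules Reitinger describes override a block only when they are at least as specific as the rule they collide with, so a narrow exception cannot accidentally unblock a whole bad zone. The rules and query names are constructed, not real indicators.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class DnsFirewallPolicy:
    """Minimal protective-DNS policy: block rules are zones (the zone itself and
    every subdomain); allow rules are the operator's overrides for false positives."""
    blocked: Set[str] = field(default_factory=set)
    allowed: Set[str] = field(default_factory=set)

    @staticmethod
    def _zones(qname: str) -> List[str]:
        """Every zone containing qname, most specific first: a.b.c -> [a.b.c, b.c, c]."""
        labels = qname.rstrip(".").lower().split(".")
        return [".".join(labels[i:]) for i in range(len(labels))]

    def _match(self, qname: str, rules: Set[str]) -> str:
        """Return the most specific rule zone that contains qname, or '' if none."""
        for zone in self._zones(qname):
            if zone in rules:
                return zone
        return ""

    def decide(self, qname: str) -> Tuple[str, str]:
        """Return (action, reason); action is 'allow', 'block' or 'override'."""
        block_rule = self._match(qname, self.blocked)
        if not block_rule:
            return "allow", "no policy match"
        allow_rule = self._match(qname, self.allowed)
        # Label count as a specificity measure: the override must be at least as
        # narrow as the block it is carving an exception out of.
        if allow_rule and allow_rule.count(".") >= block_rule.count("."):
            return "override", f"allow rule {allow_rule} overrides block rule {block_rule}"
        return "block", f"matched block rule {block_rule}"


def filter_queries(policy: DnsFirewallPolicy, qnames: List[str]) -> Dict[str, List[str]]:
    """Apply the policy to a batch of query names and bucket them by action."""
    buckets: Dict[str, List[str]] = {"allow": [], "block": [], "override": []}
    for qname in qnames:
        action, _reason = policy.decide(qname)
        buckets[action].append(qname)
    return buckets


# Constructed sample policy: one feed entry turned out to cover a legitimate CDN
# hostname, so the operator added a narrower allow rule for it.
SAMPLE_POLICY = DnsFirewallPolicy(
    blocked={"malware-c2.example", "tracker.example"},
    allowed={"cdn.tracker.example"},
)

# Constructed sample of query names seen by the resolver.
SAMPLE_QUERIES = [
    "www.example.com.",
    "beacon.malware-c2.example",
    "pixel.tracker.example",
    "cdn.tracker.example",
    "assets.cdn.tracker.example",
]


def demo() -> Dict[str, List[str]]:
    return filter_queries(SAMPLE_POLICY, SAMPLE_QUERIES)
```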

One legitimate point of concern is the data on DNS traffic that the protection provider might collect, Reitinger adds. Knowing about an organization’s traffic patterns provides a great deal of information about the organization itself, he says. In this case, asking serious questions of the provider before signing a contract or changing a resolution server address can prevent privacy concerns in the future.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/network-and-perimeter-security/dns-firewalls-could-prevent-billions-in-losses-to-cybercrime/d/d-id/1334965?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Triton Attackers Seen Scanning US Power Grid Networks

The development follows speculation and concern among security experts that the attack group would expand its scope to the power grid.

The attackers behind the epic Triton/Trisis attack that in 2017 targeted and shut down a physical safety instrumentation system at a petrochemical plant in Saudi Arabia now have been discovered probing the networks of dozens of US and Asia-Pacific electric utilities.

Industrial-control system (ICS) security firm Dragos, which calls the attack group XENOTIME, says the attackers actually began scanning electric utility networks in the US and Asia-Pacific regions in late 2018, using tools and methods similar to those the attackers have used in targeting oil and gas companies in the Middle East and North America.

The findings follow speculation and concern among security experts that the Triton group would expand its scope into the power grid. To date, the only publicly known successful attack was that of the Saudi Arabian plant in 2017. In that attack, the Triton/Trisis malware was discovered embedded in a Schneider Electric customer’s safety system controller. The attack could have been catastrophic, but an apparent misstep by the attackers inadvertently shut down the Schneider Triconex Emergency Shut Down (ESD) system.

Dragos said in a report published today that there’s no evidence at this point that XENOTIME could actually wage a cyberattack that would result in “a prolonged disruptive or destructive event on electric utility operations,” but that the hacking group’s newly discovered activity around power grid providers is concerning. 

“XENOTIME, the most dangerous cyberthreat in the world, provides a prime example of threat proliferation in ICS. What was once considered an ‘oil and gas threat’ is now an electric threat, too,” says Sergio Caltagirone, vice president of threat intelligence at Dragos. “Dragos expects this overlapping targeting will continue across sectors, from power, to water, to manufacturing, and more.”

FireEye Mandiant earlier this year revealed that it discovered the Triton/Trisis attack code installed at an industrial organization, marking the first publicly revealed attack by the Triton/Trisis group since the original incident at the Saudi Arabian plant. FireEye analysts found a set of custom Triton/Trisis tools tied to this second victim’s organization and the attackers inside the victim’s corporate IT network. They declined to reveal the identity of the victim organization.

Meanwhile, the Triton/XENOTIME group in 2018 also compromised several ICS vendors, raising concerns that it could wage supply-chain-style attacks.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/perimeter/triton-attackers-seen-scanning-us-power-grid-networks/d/d-id/1334968?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sensory Overload: Filtering Out Cybersecurity’s Noise

No organization can prioritize and mitigate hundreds of risks effectively. The secret lies in carefully filtering out the risks, policies, and processes that waste precious time and resources.

In security, what we don’t look at, don’t listen to, don’t evaluate, and don’t act upon may actually be more important than what we do. This may sound counterintuitive at first, but I assure you that it is not. The truth is that too often the cybersecurity noise level — all the data points constantly bombarding us — creates a sensory overload that impedes our ability to think clearly and act. Here are 10 places where you can start to filter out the noise.

1. Risk: Risk is everywhere you look in life, and security is no different. When looking to assess, prioritize, and mitigate risk, security leaders are bombarded by one potential risk after another. No organization can prioritize and mitigate hundreds of risks effectively. The secret lies in focusing on the risks you don’t consider, rather than the ones you do. Think about which risks will cause the greatest impact and damage to the business. Those are the ones you need to prioritize. The rest will have to wait for another time.

2. Threat landscape: Security vendors love to talk about the threat landscape. Scare tactics around the capabilities of nation-state and criminal attackers abound. Unfortunately, this chatter seldom comes with a mapping to what’s relevant to the organization hearing it. Are there real threats to information security out there? Absolutely. Are they all relevant to your business? No. Understanding which threats are the most pertinent to you is the first step toward filtering out all that noise.

3. Intelligence: Every security organization wants to stay on top of what’s coming next. In theory, tailored intelligence is a great way to accomplish this. In practice, however, intelligence is more broad-brush strokes than tailored. Is some of what you’re reading relevant to your business? Possibly. But don’t expect to take one-size-fits-all intelligence and use it to reduce risk.

4. Policy: I’ve seen many different policies over the course of my career, some better than others. There are many topics that need to be covered in any policy, but wherever possible, focus on the minimal set of points necessary. Otherwise, the policy runs the risk of becoming so cumbersome and complex that no one ends up following it. If you want your users to abide by your policies, help them do so by filtering out the noise ahead of time. Don’t make them struggle to piece together the relevant parts of a lengthy, verbose policy.

5. Process: A good security process is extremely valuable. Regardless of the task at hand, process brings order to the chaos and minimizes the redundancy, inefficiency, and human error resulting from lack of process. On the other hand, a bad security process can have exactly the opposite effect. Processes should help and improve the security function. In order to do so, they need to be precise, accurate, and efficient. If they aren’t, they should be improved by filtering out the noise and boiling them down to their essence.

6. Item du jour: It’s far too easy to get distracted by every new security fad that comes our way. Once in a while, an item du jour becomes something that needs to be on our radar. But most of the time, fads come and go and seldom improve our security posture. Worse, they can pull us away from the important activities that do.

7. Logging: Many of us don’t know exactly what logs and event data we will or will not need when crunch time comes. As a result, we collect everything we can get our hands on. We fill up our available storage, shortening retention and impeding performance, although we may never need 80% of what we’re collecting. When it comes to logs and event data, noise is the rule, rather than the exception. Filtering out the noise and reducing collection and retention to that which is necessary for security operations and incident response goes a long way toward helping a program grow and mature.

8. Alerting: If you aren’t familiar with the term “alert cannon,” you should be. Most security organizations contend with noisy, imprecise rule logic that produces an exorbitant number of false positives. The result is a cannon of alerts that can bury even the largest security teams in noise. Developing precise, high-fidelity, low-noise alerting designed to incisively root out activity indicative of the prioritized risks is the right way to filter out all of that unhelpful noise.

9. Incidents: With noisy alerting comes a huge volume of incidents immediately opened and closed as false positives. While this may seem innocuous enough, it has two main negative effects. First, the time security team members sink into dealing with these ghost incidents is far too precious to be spent on such a valueless activity. Second, when looking to compute and report metrics on the state of security operations, these ghost incidents dominate and skew the numbers. That makes it difficult to see past the noise and into any meaningful information.

10. Vendor fatigue: The information security market may just be one of the most crowded, confusing, and noisiest markets out there. I’m not expecting the situation to improve any time soon. As a result, security teams must filter the noise streaming at them continuously from their vendors. How? While there is no one way to eliminate or even reduce this noise, there are steps an organization can take to help make sense of it all. That journey begins by prioritizing the risks to the business and mapping out a plan to mitigate them. Only then can gaps in the security posture be identified. With a finite and concrete list of gaps, a security organization can seek out the right people, process, and technology to fill those gaps, rather than trying to sift through a barrage of incoming sales pitches.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for …

Article source: https://www.darkreading.com/threat-intelligence/sensory-overload-filtering-out-cybersecuritys-noise/a/d-id/1334907?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

When virtual mittens sell for thousands, of course gamers are ripe targets for cyber shenanigans

Akamai Edge World: Players of games like Fortnite and Minecraft have emerged as juicy targets for cybercriminals.

It might sound ridiculous, but stealing and reselling weapon skins, loot boxes and entire levelled-up accounts can bring in big money. Last year, a particular rifle skin in CS:GO went for 60,000 real American dollars. A Legacy Ethereal Flames Wardog in Dota 2 was once sold for $38,000. The Playerunknown Set in PUBG currently retails for $271, and a competitive Hearthstone card set will set you back $200-$300.

Akamai’s latest State of the Internet report focused on gaming as a microcosm of security issues. It found that attacks against game accounts were increasing, emerging as one of the easiest ways to make a quick buck.

“We realised that over 17 months, we have seen 55 billion credential abuse attempts – 12 billion of that was against gaming customers,” Martin McKeay, security advocate at Akamai and author of the report, told El Reg at the company’s annual shindig in Las Vegas.

Most of the attacks against this particular user group came from Russia. Most popular target? Gamers in the US.

Cybercrims are targeting the group because they are usually lax with their security practices, and law enforcement will most likely ignore a complaint about a theft of a pair of digital gloves – no matter how cool they might look. “Right now they are going to go – virtual currency, virtual items, it’s just not important enough,” McKeay said. “That means it’s a relatively low risk, high return.”

Interestingly, crooks are not usually interested in bank details – even though payment information is normally attached to any game account.

“There is a lot of competition to do fraud, on the criminal side, that already has a solution from the point of view of the financial institutions,” McKeay said. “They are aware of attempts at fraud, they know how to detect them, they know how to defend against them so you are dealing with a twofold problem of known defences that are good and effective, and a lot of competition.

“By going into gaming, you’d have very little competition, you’d have what is basically a green field. Going where defences are a lot less understood.”

Stolen virtual items are often sold on internet forums – which means no defences of any kind, period.

Another reason is the fact that credential abuse is really cheap. According to McKeay, Snipr, a popular tool used for “credential stuffing” – checking hundreds of compromised credentials to see which ones will work – costs around $20.

Snipr has a logo, a helpdesk, a development lifecycle, and offers performance guarantees. The primary reason credential stuffing is so effective is people tend to reuse their passwords. Once one of the target’s accounts has been compromised, all are compromised.

“You can get a dirty list where there are these huge groups of user names and passwords, but they haven’t been checked – or you can pay more and you can get a list that people have already gone out and done credential abuse with, and found out that yes, on Fortnite, this user name and this password works to log in and doesn’t require two-factor authentication,” McKeay explained.

“You can go on the black market and you can buy these – and that means that there are multiple ways for criminals to make money off this.”
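Detection for the pattern McKeay describes, as an added example that is not Akamai’s code or part of the article: a single source trying many distinct usernames with a high failure rate is credential stuffing, and the few logins inside that burst that succeeded are exactly the “checked” accounts that end up on the lists he mentions, so they are surfaced for forced reset. The log format, addresses and usernames are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class AuthEvent(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_auth_log(lines: List[str]) -> List[AuthEvent]:
    """Parse the constructed format '<ISO ts> <src_ip> user=<name> result=<ok|fail>'."""
    events: List[AuthEvent] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts_text, src_ip, user_kv, result_kv = line.split()
        events.append(AuthEvent(
            ts=datetime.fromisoformat(ts_text),
            src_ip=src_ip,
            user=user_kv.split("=", 1)[1],
            success=result_kv.split("=", 1)[1] == "ok",
        ))
    return events


def detect_credential_stuffing(events: List[AuthEvent],
                               window: timedelta = timedelta(minutes=5),
                               min_distinct_users: int = 5,
                               min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag source IPs that, within any sliding window, try many distinct usernames
    with a high failure rate. A real user mistyping one password fails the distinct-
    user test; a stuffing run fails on most lines because most leaked pairs are stale.
    Successes inside a flagged burst are reported as compromised accounts."""
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for event in events:
        by_ip[event.src_ip].append(event)

    findings: Dict[str, dict] = {}
    for src_ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            burst = evs[start:end + 1]
            distinct = {e.user for e in burst}
            fail_ratio = sum(not e.success for e in burst) / len(burst)
            if len(distinct) >= min_distinct_users and fail_ratio >= min_fail_ratio:
                finding = findings.setdefault(
                    src_ip, {"attempts": 0, "distinct_users": 0, "compromised": set()})
                finding["attempts"] = max(finding["attempts"], len(burst))
                finding["distinct_users"] = max(finding["distinct_users"], len(distinct))
                finding["compromised"].update(e.user for e in burst if e.success)
    for finding in findings.values():
        finding["compromised"] = sorted(finding["compromised"])
    return findings


# Constructed sample: one address cycling through leaked username/password pairs
# (one of which still works) alongside a legitimate user who mistypes twice.
SAMPLE_LOG = """
2019-06-14T12:00:00 203.0.113.7 user=gamer_01 result=fail
2019-06-14T12:00:10 203.0.113.7 user=gamer_02 result=fail
2019-06-14T12:00:20 203.0.113.7 user=gamer_03 result=fail
2019-06-14T12:00:30 203.0.113.7 user=gamer_04 result=fail
2019-06-14T12:00:40 203.0.113.7 user=gamer_05 result=fail
2019-06-14T12:00:50 203.0.113.7 user=gamer_06 result=fail
2019-06-14T12:01:00 203.0.113.7 user=gamer_07 result=ok
2019-06-14T12:01:10 203.0.113.7 user=gamer_08 result=fail
2019-06-14T12:01:20 203.0.113.7 user=gamer_09 result=fail
2019-06-14T12:01:30 203.0.113.7 user=gamer_10 result=fail
2019-06-14T12:00:05 198.51.100.20 user=alice result=fail
2019-06-14T12:00:25 198.51.100.20 user=alice result=fail
2019-06-14T12:00:40 198.51.100.20 user=alice result=ok
""".strip().splitlines()


def demo() -> Dict[str, dict]:
    return detect_credential_stuffing(parse_auth_log(SAMPLE_LOG))
```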

According to Akamai, particularly valuable targets include Fortnite, Minecraft, Clash of Clans, RuneScape, CS:GO, NBA 2019, League of Legends, Hearthstone, Dota 2, PUBG, and more recently, Apex Legends. Steam and Origin accounts are also in very high demand. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/14/online_video_games_a_new_cybercrime_battleground/

Yubico YubiKey lets you be me: Security blunder sparks recall of govt-friendly auth tokens

Yubico is recalling one of its YubiKey lines after the authentication dongles were found to have a security weakness.

The vendor said the firmware in the FIPS Series of YubiKey widgets, aimed mainly at US government use, was prone to a reduced-randomness condition that could make their cryptographic operations easier to crack in some cases, particularly when the USB-based token is first powered up. That could be exploited by a miscreant to potentially authenticate as someone else.

“An issue exists in the YubiKey FIPS Series devices with firmware version 4.4.2 or 4.4.4 (there is no released firmware version 4.4.3) where random values leveraged in some YubiKey FIPS applications contain reduced randomness for the first operations performed after YubiKey FIPS power-up,” Yubico said in announcing the recall today.

“The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted.”

Specifically, the recall covers the YubiKey FIPS, Nano FIPS, C FIPS, and C Nano FIPS models. The vulnerability was found to only exist in the FIPS Series of devices, so other YubiKey dongles are not affected by this particular blunder.

Newer devices running version 4.4.5 of the firmware are protected and will not need to be replaced: the security shortcoming is present in firmware versions 4.4.2 and 4.4.4.

“To safeguard the security of our customers, Yubico has been conducting an active key replacement program for affected FIPS devices (versions 4.4.2 and 4.4.4) since the issue was discovered and recertification was achieved,” Yubico says.

“At the time of this advisory, we estimate that the majority of affected YubiKey FIPS Series devices have been replaced, or are in process of replacement with updated, fixed versions of the devices.”

Customers who have purchased their dongles directly from Yubico or its sales channel should have already heard from the company about getting a replacement sent out.

Those who bought their hardware from a reseller, or received it from their IT department, should get in touch with those people about having their keys swapped out. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/13/yubi_key_bug/

Cyberattack Hits Aircraft Parts Manufacturer

Belgium’s Asco has shut down manufacturing around the world, including the US, in response to a major cybersecurity event, but what happened isn’t clear.

A cyberattack has shut down international production at Asco, a company in Zaventem, Belgium, that is a significant supplier of parts to airline manufacturers around the world. According to the company, it has shut down all manufacturing operations in Belgium, Germany, Canada, and the US, sending more than 1,000 of its 1,400 global workers home.

While many reports are calling the attack ransomware, Asco has not released information about the incident other than to confirm the effects and report that law enforcement has been notified.

Larry Trowell, principal security consultant at Synopsys, counsels patience before leaping to conclusions about the attack. “The short and sweet of it is that we don’t yet know what has happened,” he says. “Looking at the most recent articles, there’s no proof that it was in fact a ransomware attack. Since the police and local officials were called, it may be malware or even a direct attack.”

What is known is that an event large enough to require full shutdown of all manufacturing capabilities is taking place. Elisa Costante, senior director of industrial and operational technology (OT) research for Forescout, explains, “OT devices ranging from PLCs to sensors that were previously air-gapped are becoming connected to networks by the minute. This convergence of IT with OT networks offers substantial benefits but is also providing cyberattackers a greater opportunity to affect the physical world and impact the bottom line of the business and safety of operations and employees.”

Trowell agrees, saying, “Factories may be slow to isolate and protect against this sort of distributed attack.”

This is a developing story, and Dark Reading will continue to cover it.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/cyberattack-hits-aircraft-parts-manufacturer/d/d-id/1334964?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple