STE WILLIAMS

High Court gives UK.gov six months to make the Snooper’s Charter lawful

The UK government’s surveillance regime has been dealt another blow as the High Court today ruled the Snooper’s Charter unlawful – and gave the government six months to fix it.

Handing down the judgment, Lord Justice Rabinder Singh said that Part 4 of the Investigatory Powers Act (IPA), which relates to retention of communications data, was incompatible with EU law, and gave the government until 1 November 2018 to remedy it.

The ruling is the latest instalment in a long-running and complex legal battle between the government and various privacy campaign groups over the state’s extensive surveillance laws.

In this case, brought by civil rights group Liberty, the court considered the powers granted to the government to force internet firms and telcos to store data on communications – like location info and records of when and to whom calls or messages were made – for up to a year. These powers came into force on 30 December 2016.

Lord Justice Singh and Justice David Holgate ruled that Part 4 was incompatible with the EU Charter of Fundamental Rights for two reasons: ministers can issue data retention orders without independent review, and this can be done for reasons other than serious crime.

However, the judges declined to rule Part 4 inconsistent with EU law on the ground that it provides for “general and indiscriminate retention of traffic and location data”.

Liberty had asked the court to make that finding on the basis of a passage in the landmark 2016 Court of Justice of the European Union (CJEU) judgment in Tele2/Watson, which held indiscriminate data retention unlawful, and a subsequent related decision from the UK Court of Appeal.

The judges said that it was “plain” that this was based on the language of the Swedish legislation that was also part of the case, adding that they “do not think it could possibly be said that the legislation requires, or even permits, a general and indiscriminate retention of communications data”.

Despite this loss, today’s decision is significant because – unlike previous cases, which were about the now-expired Data Retention and Investigatory Powers Act (DRIPA) – this refers to current legislation.

Don’t drag your feet

The government has refused to see the ruling as a defeat on the grounds that it has already conceded the Act doesn’t comply with European laws. Back in November, it proposed a set of changes it thinks will bring the Act in line, for instance by creating a new body, the Office for Communications Data Authorisation, to review and approve notices.

But it did lose its request, made during the February hearing, that it be given until April 2019 to enact the changes. The judges today ruled that they “see no reason why the legal framework cannot be amended before April 2019”, even if some practical arrangements take longer.

They added that it “would not be just or appropriate for the Court simply to give the Executive a carte blanche to take as long as it likes in order to secure compliance with EU law” – but noted that they would not immediately disapply Part 4, citing “the resultant chaos and damage to the public interest which that would undoubtedly cause in this country”.

However, it’s unlikely that this will be the end of discussion over this part of the Act as privacy campaigners have said that a number of the changes proposed by the government don’t meet the spirit of the 2016 CJEU ruling.

For instance, the government’s answer to the finding that retention is not limited to serious crime was simply to lower the bar defining “serious”.

Rather than the commonly used threshold of a three-year prison sentence, the government plumped for just six months. It also chose the threshold that an adult should be “capable” of being imprisoned for this time, as opposed to that they should “reasonably expect” it.

Many of the consultation responses have pointed out that this would cover a large range of crimes, rendering it “almost meaningless” in practice, and that it conflicts with other definitions in the IPA scheme.

If the government sticks by its definition, it can reasonably expect to end up in court again.

Liberty, meanwhile, is already working up the next phase of its challenge to the IPA – covering Parts 5, 6 and 7 of the Act: equipment interference (government hacking), bulk warrants and bulk personal dataset warrants – and has today launched a crowdfunding campaign to pay for the battle.

A number of related issues are still awaiting a decision from the CJEU; in today’s ruling the court chose to stay the questions relating to national security and to notification of people affected by data retention and access, pending the CJEU’s decision in a related case brought by Privacy International. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/27/high_court_ip_act_unlawful_november_deadline/

‘Zero Login:’ The Rise of Invisible Identity

Will new authentication technologies that recognize users on the basis of their behaviors finally mean the death of the despised password?

The FIDO Alliance and W3C recently announced a new technology standard that will allow people to log into websites without a password, opting instead for an external authenticator like a security key or a smartphone. This is a major milestone in the gradual move toward password eradication. Passwords provide an awful user experience, and they’re a terrible form of security. But what if your devices were smart enough to recognize you instantly and provide a secure, personalized experience based on trusted information, with no password needed? This technology is called zero login, and it just might solve the password problem forever.

Most of us have used biometrics like fingerprints or facial recognition to unlock a phone, but soon even that may not be necessary. Your behaviors — how you swipe and type, where you are, when you work — are unique to you. New technologies are being developed that can recognize you based on these factors and log you in to all of your applications without you doing anything at all.

Zero login technologies could make identity theft far harder, because fooling them would take months of effort and thousands of dollars’ worth of equipment. There are, however, some downsides that will require new rules and standards to protect user boundaries, information and privacy, for example: 

  • How do users know when they’re being monitored?
  • How do users know when they’re logged out?
  • How well is all this behavioral data being protected?

The Future Is Here 
Zero login may sound futuristic, but it’s already in use. Some banks can see when you’re logging in from a new phone or connecting from a cafe that you’ve never been to before. When the bank sees those red flags, it may ask you to verify your email or phone number to prove it’s really you.

Some large retail companies, including Amazon, are testing ways to authenticate users based on their behavior. How hard do you tap on your phone? How fast do you type? Those things are unique to you and hard for an attacker to guess or duplicate. The motion sensor in your phone can also recognize you from your walk — no one else walks exactly like you do. By combining all this information, your phone can tell when it’s really you, with no password required.

Your phone can also detect signals from other devices. It can see your stuff — your car, Fitbit, headphones — and start to get a feel for your normal routines. Those routines provide another safeguard to prove that everything is business as usual.

Any one of these technologies might be easy for an attacker to trick, but fooling all of them is incredibly difficult. They can also tell if someone grabs your unlocked phone without your consent, and either lock it or shut it off entirely. Passwords can’t do that.

Context Matters
Imagine you order a $1 teddy bear from your own phone, charge it to your credit card, and have it shipped to your house. Is that something an attacker would do? Not likely. Today, many applications will ask you for a password even though the chance of a transaction being fraudulent is extremely low. Online stores don’t want to lose sales, and many people second guess that teddy bear purchase when confronted with the added step of a password request.

Zero login technologies pay attention to who you are, but they also pay attention to what you’re trying to do. They’re smart about figuring out what kinds of things normal people do and what kinds of things attackers do. You’ll still have a password, but you’ll probably never be asked to enter it because your phone already recognizes you. In a perfect zero login world, the only person who would ever be asked to enter a password is an attacker.

The Bad and the Ugly
If your phone is collecting all this information about you, how is it being protected? Where is it being sent? Right now, that information isn’t being used most of the time. It’s possible to use that information to enable zero login technologies, but there’s a good way and a bad way. The good way is to have software running locally on your device that sends a “risk score” to the cloud so that smart authentication decisions can be made by the software running there. The bad way is to send all the information about you — behaviors, biometrics, locations — across the Internet and to store it in the cloud. Even if the information is encrypted, it’s still at risk of compromise by attackers. This is why every time you buy a new iPhone, you have to enrol your fingerprint again: the fingerprint data is stored locally on the phone, in its Secure Enclave, and is never sent across the Internet or stored in the cloud.
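The split described above, as an added example that is not from the article or from Ping Identity: the phone reduces its behavioural and context signals to a single risk score, only that score and the transaction context reach the server, and the server picks allow, step-up or deny. Every signal name, weight and threshold here is a constructed assumption for illustration; a real deployment tunes them from data.

```python
"""Risk-based ("zero login") authorization: score on the device, decide on the server.

Added example, not code from the article or from any vendor. Signal names,
weights and thresholds are constructed assumptions chosen to illustrate the
split between on-device scoring and server-side decisions.
"""
from dataclasses import dataclass


@dataclass
class DeviceSignals:
    """Raw signals that stay on the device and are never sent to the server."""
    known_device: bool          # device already enrolled for this account
    typing_match: int           # 0..100 similarity to the user's keystroke profile
    gait_match: int             # 0..100 similarity from the motion sensors
    familiar_location: bool     # the phone has been at this location before
    nearby_known_devices: int   # paired car, watch, headphones currently in range


def device_risk_score(s: DeviceSignals) -> int:
    """Computed on the device; only this 0..100 integer leaves the phone."""
    score = 0
    if not s.known_device:
        score += 40
    if not s.familiar_location:
        score += 15
    score += (100 - s.typing_match) * 25 // 100   # weak typing match adds risk
    score += (100 - s.gait_match) * 10 // 100
    score -= min(s.nearby_known_devices, 3) * 5   # familiar surroundings lower it
    return max(0, min(100, score))


@dataclass
class Transaction:
    """What the user is trying to do; the server sees this in full."""
    amount_usd: float
    ship_to_known_address: bool
    new_payee: bool


def transaction_risk(t: Transaction) -> int:
    """How attractive this action would be to an attacker."""
    score = 0
    if t.amount_usd > 500:
        score += 30
    elif t.amount_usd > 50:
        score += 10
    if not t.ship_to_known_address:
        score += 20
    if t.new_payee:
        score += 15
    return score


def decide(device_score: int, t: Transaction) -> str:
    """Server side: 'allow', 'step-up' (ask for the password or a second factor) or 'deny'.

    The server never sees keystrokes, gait data or coordinates, only the score.
    """
    total = device_score + transaction_risk(t)
    if total < 30:
        return "allow"
    if total < 70:
        return "step-up"
    return "deny"


if __name__ == "__main__":
    # The $1 teddy bear from the user's own phone, shipped home: no password.
    me = DeviceSignals(True, 95, 90, True, 2)
    print(decide(device_risk_score(me), Transaction(1.0, True, False)))
    # Same purchase from a phone never seen before: verify first.
    new_phone = DeviceSignals(False, 90, 90, True, 1)
    print(decide(device_risk_score(new_phone), Transaction(1.0, True, False)))
    # Snatched unlocked phone: stranger's typing and gait, large payment to a new payee.
    thief = DeviceSignals(True, 20, 30, False, 0)
    print(decide(device_risk_score(thief), Transaction(900.0, False, True)))
```

The three calls at the bottom walk through the teddy-bear purchase (allowed with no password), the same purchase from an unenrolled phone (step-up, as in the bank example above) and a snatched unlocked phone used by a stranger for a large payment (denied). Note what the server never receives: keystroke timings, gait data or location.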

There are also significant privacy implications if users are logged in to a service without realizing it. While few of us expect total privacy on the Internet, we still want to keep some parts of our lives separate. With passive authentication, we can easily be logged in to all of our accounts, all of the time, without realizing it.

We also need a way to affirmatively end an online session. Companies like Uber are used by some people for personal reasons and other people for professional reasons. If I’m a taxi driver, I might be fine with my employer tracking my location during the day. But when I finish work, I want to know I’m logged out and free to go about my private business.

Someday, we’ll be telling our shocked grandchildren about having to remember hundreds of complex passwords, and they’ll wonder what idiot came up with that idea. We have a better, easier, more secure future at our fingertips — literally. That’s exciting, but we can’t let our excitement overrule people’s privacy, security, and consent. Let’s build these tools the right way the first time.

Sarah Squire is a Senior Technical Architect at Ping Identity. She is a co-author of NIST Special Publication 800-63C Digital Identity Guidelines, which outline federated authentication standards for all US federal agencies, and is Vice President of IDPro, a nonprofit …

Article source: https://www.darkreading.com/endpoint/zero-login-the-rise-of-invisible-identity/a/d-id/1331531?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Reno Man Created 8,000 Fake Online Accounts via Stolen Identities

Kenneth Gilbert Gibson pleaded guilty to creating more than 8,000 fraudulent online accounts to launch a $3.5M fraud operation.

One man from Reno, Nevada has pleaded guilty in federal court for creating more than 8,000 fraudulent online accounts using stolen identities, the US Department of Justice reported today. Kenneth Gilbert Gibson intended to use the accounts to commit a $3.5 million fraud operation.

From 2012 to 2017, Gibson created a scheme to steal the identities of multiple victims from a Reno database and use them to open unauthorized accounts, credit accounts, bank accounts, and prepaid cards. The plan was to use these accounts to send about $3.5M to himself via checks and electronic transfers to approximately 500 bank accounts and prepaid cards.

For the 2013 tax year he also filed a fraudulent federal income tax return that omitted the taxable income generated by the scheme, about $1,049,070. Gibson pleaded guilty to one count of wire fraud, one count of mail fraud, one count of filing a false tax return, and one count of aggravated identity theft. Sentencing is set for July 30, 2018.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/reno-man-created-8000-fake-online-accounts-via-stolen-identities/d/d-id/1331670?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Don’t Extort Us’: Uber Clarifies its Bug Bounty Policy

Updated parameters should help avoid future extortion incidents.

Uber this week outlined more specific guidelines for its bug bounty program in the wake of its 2016 data breach, which exposed gaping holes in its vulnerability disclosure policy.

The ride-sharing company last fall revealed that it had paid two hackers $100,000 to destroy driver and rider data they had stolen from a cloud storage location, and that it had failed to disclose the breach for a year. Since then, the company has been working on retooling its bug bounty program to encourage proper disclosure.

The new policy states, in part: “Don’t extort us. You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached.”

Read more here.
Article source: https://www.darkreading.com/cloud/dont-extort-us-uber-clarifies-its-bug-bounty-policy/d/d-id/1331672?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Infamous revenge porn site Anon-IB seized by police

Last August, we learned of a Toronto woman who goes by the name Roxanne. She uses the name to shield her identity as she spends her time reaching out to those whose photos, some explicit, she’s found on a site dedicated to humiliating women by posting their stolen nude images and their personal details.

That site, Anon-IB, wasn’t just a forum for sharing images stolen from victims’ cloud storage, email inboxes or social media accounts. It was also a site where users asked each other for help to target specific women and girls.

And before anybody trots out the tired old victim-blaming refrain – the “don’t take the photos in the first place and you won’t wind up in this predicament” line – this screen capture, taken before Dutch police I-B-gone’d Anon-IB on Thursday, makes it clear that the forum had plenty of photos taken without their subjects’ knowledge: upskirting, downblousing, hijacked webcams and candid shots.

Not that women are “asking for it” when they take intimate photos, mind you. Just because you get the wool pulled over your eyes by a spearphisher or a lying liar-bag friend doesn’t make the victims guilty of anything but, well, being victimized by crooks.

At any rate, we are hoping that Roxanne is now celebrating. Because on Thursday, Dutch police announced that a complex investigation, which has taken more than a year, has resulted in the seizure of Anon-IB’s server and the arrest of five suspects.

Dutch police – the Politie – said that they first started looking into Anon-IB in March 2017, when a young woman discovered that footage had been stolen from her cloud storage and posted. She reported it to police, and a cybercrime team in Amsterdam traced the theft to a 31-year-old man from Culemborg.

He’s been arrested on suspicion of computer intrusion and spreading nude photos of the woman.

The Politie said that the suspect’s computer and phone contained images of the victim and many other women. The cybercrime team also tracked down a 35-year-old man from Groningen, who had a similar stash of pictures.

The investigation continued. Police found that both suspects were in touch with a third person, whom a cybercrime team in Limburg managed to identify as a 28-year-old man from Heerlen. He was arrested in January.

The Politie said that this third suspect had an encrypted container (a so-called cryptocontainer) on his computer with footage of “many hundreds of Dutch women.”

Two other men – a 19-year-old man from the Terneuzen area and a 26-year-old man from Geleen – are also suspects, but for the time being, police have only confiscated their data.

Four of the suspects are reported to have had personal data on a large number of women. The data was apparently stolen from poorly secured email and social media accounts, as well as other sources police said were “relatively easy to hack.”

Sadly, there are people out there who get a kick out of spying on strangers, and there’s a trove of easily discovered, poorly secured cameras for them to peek through.

In fact, there are sites where e-marauders can choose from a variety of feeds being pirated from devices. In 2014, we wrote about a site that offered feeds from baby monitors in nurseries, as well as from security webcams delivering live feeds from bedrooms, offices, shops, restaurants, bars, swimming pools and gymnasiums.

If you have a webcam, make sure it’s secure. If you can password protect it, choose a strong password. If it came with a default password, change it. IoT devices are notorious for shipping with default passwords that are easily discovered by crooks. Assume that using a default password with an internet-connected device is the same as using no password at all.

Once the investigation is complete, the Politie plans to inform all of the targeted women that it manages to identify.

That can be awfully hard to do if the women or girls aren’t even aware of, say, some peeping Tom sticking an IP camera into a bedroom in an Airbnb, or through nanny cams, cams hidden in smoke alarms, cams tucked into USB power plugs, cams hiding in lightbulbs, cams hanging out in alarm clocks, in wall clocks, in hooks to hang your clothes (for those who get turned on by viewing garment labels…?), in Teddy bears, in air fresheners, in picture frames, in wall outlets, and, good Lord, where can’t they put these things?

Sure, it’s tough to identify women from photos posted on a creep-shot site. That didn’t dissuade Toronto Roxanne, though. She got into the work after a friend gave her a heads-up about her own images having cropped up on Anon-IB.

Over the years, Roxanne has managed to contact women in Anon-IB photos and videos. That’s because the “anon” in Anon-IB only referred to shielding the identity of the men who posted the content, not the women they exploited. The women and girls’ personal data often wound up on the site along with their intimate images.

To find the women in the photos, Roxanne used the information she got from Anon-IB – their first names, the first letter of their last names, and the communities they’re believed to live in – to search for them on Facebook. In fact, before it was taken down, the site would let users search for images by US state or by country. There were also pages dedicated to specific universities, and users would often request highly specific nudes: “Hamilton hoes”, “Nanaimo Thread!”, “Markham wins”, or topless photos from a BC music festival called Shambhala or from a nudist beach in Vancouver that has a no-photos policy.

The Dutch investigation is far from over. It will take months to investigate the data on the seized server, as well as another in New Zealand which police have gained access to.

In the meantime, Anon-IB’s takedown has sparked rejoicing. Motherboard got an email from Katelyn Bowden, creator of the anti-revenge porn campaign group BADASS and herself a victim of Anon-IB, which she called a “cancer”:

We at BADASS are so thrilled to see that a law enforcement agency has heard our pleas, and has finally done something against this website. Anon-IB was a cancer on the internet, and needed to be removed. We are immeasurably grateful to the Dutch police and all parties who had a hand in getting Anon-IB shut down.

Here’s to the work of the Dutch police and Roxanne. May you, and we, all get a bit of a respite before the next crop of creeps squirms out of the mud.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GZaIgN0qI3M/

Apple’s latest updates are out – APFS password leakage bug squashed

Apple delivered its latest batch of security updates for iOS and macOS this week.

On iDevices, the update was a full-on point release, bumping the iOS version from 11.3 to 11.3.1 and making it easy to check whether you’ve installed the update correctly: just go to Settings > General > Software Update and see what version number you’re currently on.

For Mac users, the patch is dubbed simply Security Update 2018-001, so your macOS version stays at 10.13.4 after you’ve installed it.

Safari was bumped from 11 to 11.1 in this update – note that if you’re still on El Capitan or Sierra (OS X 10.11.6 and macOS 10.12.6 respectively), where there isn’t a 2018-001 update, you’ll need to update Safari separately.

Just two critical vulnerabilities were patched this time, both of them in the WebKit web rendering code in iOS and macOS.

These were remote code execution (RCE) bugs that could be triggered by web content, meaning that a crook could, in theory, feed you a booby-trapped web page from anywhere on the internet and thereby silently implant malware on your Mac or iPhone.

Both these bugs were responsibly disclosed by legitimate security researchers, so there is no indication that cybercriminals had working exploits before the patches came out.

One software fix that we didn’t see mentioned in Apple’s official security advisory emails is an apparent patch for the APFS password bug that we wrote about recently.

If you remember that one, it involved your disk encryption password being written in plaintext to the system log.

When you initialised a brand new encrypted APFS disk, for example when setting up a new USB drive for use with High Sierra, macOS wrote the details to the system log, but carefully omitted the password from the log data.

(Generally speaking, personally identifiable data should never be written out to log files, and passwords should never be written out anywhere at all.)

But if you reformatted an existing APFS disk, macOS followed a slightly different code path in which the command used to encrypt the reformatted volume was logged, recklessly including the password plaintext.

Anyway, the good news is that Apple seems to have fixed this bug quietly somewhere between macOS 10.13.4 and Security Update 2018-001 – we repeated the steps laid out in our recent article about the flaw but were unable to reproduce the bug this time.

Admittedly, this APFS password bug wasn’t critical, given that an attacker already needed access to your Mac to run the command to view your logs, but it was an embarrassing flaw for Apple, being the third password-related blunder reported since High Sierra came out.
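The difference between the two code paths above, as an added example (not Apple’s code): a constructed stand-in for a disk tool that logs the command it is about to run. The leaky version logs the argument vector verbatim, the safe one redacts any passphrase argument first, and a small helper checks a captured log line for a known secret, which is the check you would run over existing logs after a bug like this. The flag names are assumptions for illustration; the technique applies to any tool that accepts a secret on its command line.

```python
"""Keep passphrases out of command logging.

Added example, not Apple's code: a constructed stand-in for a disk tool that
logs the command it is about to run. The flag names below are assumptions for
illustration; any tool that takes a secret on the command line has the same
problem and the same fix.
"""
import logging
import shlex

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(name)s: %(message)s")
log = logging.getLogger("disktool")

REDACTED = "<redacted>"
# Flags whose *following* argument is a secret (constructed list).
SECRET_VALUE_FLAGS = frozenset({"-passphrase", "--passphrase", "-p"})
# Flags that carry the secret inline as name=value (constructed list).
SECRET_INLINE_FLAGS = ("--passphrase=",)


def redact_argv(argv):
    """Return a copy of argv with every passphrase value replaced."""
    out = []
    redact_next = False
    for arg in argv:
        if redact_next:
            out.append(REDACTED)
            redact_next = False
        elif arg in SECRET_VALUE_FLAGS:
            out.append(arg)
            redact_next = True          # the next token is the secret itself
        elif arg.startswith(SECRET_INLINE_FLAGS):
            name, _, _ = arg.partition("=")
            out.append(f"{name}={REDACTED}")
        else:
            out.append(arg)
    return out


def log_command_leaky(argv):
    """The pattern behind the bug: log the command verbatim, secret and all."""
    line = shlex.join(argv)
    log.info("running: %s", line)
    return line


def log_command_safe(argv):
    """Same log line, but the secret is stripped before it reaches the logger."""
    line = shlex.join(redact_argv(argv))
    log.info("running: %s", line)
    return line


def log_line_leaks(line, secret):
    """True if a captured log line still contains a known secret."""
    return secret in line


if __name__ == "__main__":
    # Constructed command in the shape of the reformat case; the passphrase
    # is a sample value, not a real one.
    cmd = ["disktool", "eraseVolume", "APFS", "Backup",
           "-passphrase", "correct horse battery", "disk2s1"]
    log_command_leaky(cmd)   # the passphrase ends up in the log
    log_command_safe(cmd)    # the log shows -passphrase '<redacted>'
```

Redacting at the point where the command string is built, rather than filtering the log afterwards, is the only arrangement that covers every code path; the APFS bug existed precisely because one path redacted and another did not.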

What to do?

As always, patch early, patch often.

Remote code execution that can be triggered just by viewing a web page is a cybercrook’s dream.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Oibfb0aMDLE/

How Microsoft, Amazon, Alphabet Are Reshaping Security

Tech’s biggest giants are shifting the cybersecurity landscape as they incorporate security into their products and services.

Microsoft, Amazon, and Alphabet are stomping into the security market, ready to shake things up and address the weaknesses they see in today’s tools. Analysts predict the three tech giants will disrupt security the same way they disrupted industries like computing, advertising, and retail by bringing protections to where people are moving their work: into the cloud.

Forrester analysts Jeff Pollard and Joseph Blankenship illustrate the threat in a new report intended to help security pros prepare to work with the companies as they focus on security in the cloud, a space the three effectively control. Legacy security vendors should be intimidated, says Pollard, Forrester’s principal analyst serving security and risk professionals.

“As more and more technologies are cloud-ready and more services are cloud-enabled, what winds up happening is, in the same way Amazon can control a retailer on Amazon Prime, that’s the kind of power Microsoft, Amazon, and Google will have on their own cloud marketplaces,” he continues, referring to Google Cloud, which operates under parent company Alphabet.

Cybersecurity is a hot market for venture funding; Forrester reports VCs poured $3.1 billion into nearly 300 startups in 2016. The investment has driven innovation but failed to address basics like full-featured APIs and integrated management consoles bridging on-prem with cloud.

With their strong influence over the tech market, Microsoft, Amazon, and Alphabet would have had some degree of impact on security no matter what. Now, their effect will be bigger. “They control the marketplace, and that means you have to pay attention to them,” Pollard notes.

Each firm bundles technologies and simplifies deployments for security teams, which can use preconfigured security policies for new servers and containers. Scalability isn’t an issue; as infrastructure and applications grow, so do cloud platforms. Teams don’t need to worry about whether hardware can handle bandwidth upgrades, or whether management servers can handle new endpoints.

As an example of bundling tech, Pollard points to Microsoft’s Advanced Threat Protection on Office 365. This puts pressure on email vendors offering spam filtering and automated analysis. If companies already use the Microsoft 365 platform, they don’t need additional tools.

Pollard explains how each company approaches security from a different angle. If you want to monitor endpoints you go to Microsoft, which sees how attackers target the Windows OS. If you want to interact with developers, you turn to Amazon Web Services (AWS). If you want to use VirusTotal, you work with Alphabet, which bought the malware and virus scanner in 2012.

He breaks down each company’s strategy and explains its perspective:

Microsoft

“Microsoft should probably scare most people as the biggest existential threat,” says Pollard.

The company has shown its ability to move into adjacent markets and succeed. Windows is the world’s most common OS, giving Microsoft a market advantage and the easiest path to market if they want to push out other vendors. Even if an antivirus tool is on 30% of Windows machines, the AV company has a small fraction of the data Microsoft does.

The shift has changed CISOs’ strategies, Pollard explains. Gone are the days when security leaders opted for separate antivirus tools in lieu of Windows Defender. Now, many question the business’ choice to buy an endpoint suite when Microsoft’s services have security built in.

Microsoft’s strategy relies on integrated capabilities; its plan is to build security into each part of Azure, Office 365, and Windows. Acquisitions of smaller firms like Adallom and Aorato have added cloud security capabilities and malware detection, respectively.

Looking ahead, he anticipates Microsoft will continue to target its core enterprise market by making security easy to buy and use. He cautions security teams against investing all their resources in one vendor, however. Microsoft may have succeeded with Windows, Office, and Azure, but has failed in the past with Bing, Windows Phone, and Zune.

Amazon

Amazon’s primary audience is developers, who benefit from the scalability and orchestration of AWS but put security teams in a tough spot with poor visibility and fragmented data. The Amazon strategy is to boost visibility in AWS so that dev and security teams have the same threat intel, infrastructure logs, user activity and CloudTrail API activity in one dashboard.

“Teams continue to use AWS and security teams aren’t prepared for that,” says Pollard. Amazon is now trying to empower both dev and security teams so they’re on the same page.

Look to Amazon if you’re focused on secure development, as developers will continue to be its primary audience, Forrester points out in the report. The company, analysts predict, will continue to add security features but will likely take time to broaden its target market.

Alphabet

Alphabet dabbled in the security space for a while, investing in VirusTotal and launching Project Zero, its in-house vulnerability research team, but it began its big push after Amazon and Microsoft did. Now it’s trying to bundle security and grow the Google Cloud Platform, says Pollard.

It seems Google Cloud’s strategy is to go after the AWS market, he speculates. “They don’t have the enterprise relationship that Microsoft has, so it makes sense to go after AWS.” Its two focus areas are visibility and data analytics, and privacy at both the personal and the professional level.

Forrester recommends using Alphabet for data but approaching long-term investment with caution. “Alphabet has a history of announcing products and services, then letting them languish when they don’t take the world by storm,” Pollard and Blankenship report.

Cybersecurity is a focus for Alphabet now, but the issue is whether the company will continue to prioritize its security services or abandon them. If your business uses Google Cloud Platform then it’s worth investing in Alphabet’s strategy, but if feature developments start to slow, it’s recommended you reconsider.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/how-microsoft-amazon-alphabet-are-reshaping-security/d/d-id/1331664?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Routing Security Gets Boost with New Set of MANRS for IXPs

The Internet Society debuts a new mutually agreed norms initiative for IXPs.

A new initiative from the Internet Society seeks to extend Mutually Agreed Norms for Routing Security (MANRS) protections from ISPs to the Internet eXchange Points (IXPs) over which they exchange traffic. Wide adoption of the initiative would be a useful step toward avoiding a repeat of the MyEtherWallet incident earlier this week, in which hijacked BGP routes for Amazon Route 53 address space sent the site’s users to a phishing page.

According to the Internet Society, participating IXPs must implement at least three of the five stated IXP Programme Actions:

  1. Facilitate prevention of propagation of incorrect routing information
  2. Promote MANRS in the IXP’s membership
  3. Protect the peering platform
  4. Facilitate global operational communication and coordination between network operators
  5. Provide monitoring and debugging tools to members

Actions 1 and 2 are required of all participants, who must then complete at least one of the remaining three actions.
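Action 1, preventing the propagation of incorrect routing information, is typically implemented as prefix filtering on the IXP route server. As an added example (not Internet Society or DE-CIX code), the Python below applies RFC 6811-style route origin validation against a constructed ROA table, the check that flags a prefix announced by an AS that is not authorised to originate it; the prefixes and ASNs are documentation values, not those from any real incident.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorisation: which AS may announce a prefix, and how specific."""
    prefix: str       # authorised prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest more-specific the origin may announce
    origin_asn: int   # AS authorised to originate it


# Constructed ROA table using documentation prefixes (RFC 5737) and private ASNs (RFC 6996).
ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),
]


def validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not_found'."""
    net = ip_network(prefix)
    covering = [r for r in roas
                if ip_network(r.prefix).version == net.version
                and net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "not_found"   # no ROA covers the prefix; local policy decides
    for r in covering:
        if r.origin_asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"         # covered, but wrong origin AS or too specific


def filter_announcements(announcements, roas=ROAS):
    """Route-server style filter: drop invalid routes before they propagate.

    announcements is an iterable of (prefix, origin_asn); returns the accepted ones.
    """
    return [(p, asn) for p, asn in announcements
            if validate(p, asn, roas) != "invalid"]


if __name__ == "__main__":
    # Constructed announcements: one legitimate, one mis-originated, one unknown.
    seen = [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64666), ("203.0.113.0/24", 64502)]
    for p, asn in seen:
        print(p, asn, validate(p, asn))
    print("accepted:", filter_announcements(seen))
```

A "not_found" result is left to local policy here; many operators accept such routes because ROA coverage is still incomplete.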

The IXP Programme begins its existence with 10 founding IXPs from Africa, Europe, Russia, North America, and South America. The founding IXPs have each fulfilled the requirements for participation in the program.

In a prepared statement issued with the announcement of the initiative, Christoph Dietzel, Head of Research Development at DE-CIX (Germany) said, “We at DE-CIX are proud to support the MANRS IXP Programme as a founding participant with our knowledge and experience. It is time for IXPs to take responsibility to make the Internet a more secure and resilient place.”



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/routing-security-gets-boost-with-new-set-of-manrs-for-ixps/d/d-id/1331666?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

North Korea Ramps Up ‘Operation GhostSecret’ Cyber Espionage Campaign

Critical infrastructure, entertainment, finance, healthcare, telecoms, among recent targets of the Lazarus Group, aka Hidden Cobra.

On the eve of a historic summit with its rival neighbor South Korea and possible subsequent talks with US President Donald Trump in the coming weeks, North Korea continues full-steam ahead in its mission to gather intelligence and generate income for the regime via its notorious nation-state hacking machine.

North Korea’s pervasive Lazarus Group, aka Hidden Cobra, was recently discovered ramping up a global cyber espionage campaign dubbed Operation GhostSecret, stealing information from organizations in the critical infrastructure, entertainment, finance, healthcare, and telecommunications sectors. Researchers from McAfee unearthed the wave of attacks, which they say first started with targeted hacks of banks in Turkey last month.

At the time, Ryan Sherstobitoff, McAfee’s senior analyst of major campaigns, told Dark Reading he believed the Turkish bank targets were part of an ongoing campaign. The goal could be to “surveil their operations, establish functions of their processes, and ultimately compromise funds,” he said.

Days after McAfee published those findings on the attacks on the Turkish financial industry via the so-called Bankshot Trojan implant, the researchers spotted the same spying malware in organizations in 17 countries. McAfee is working with the government in Thailand – where most of the attacks have occurred to date – to shut down Operation GhostSecret’s control-server infrastructure.

Operation GhostSecret employs multiple custom malware implants to pilfer information from its targets while attempting to evade detection. Among them is a new variant that closely resembles Destover, the malware Lazarus Group used in its massive hack of Sony Pictures in 2014. Researchers also discovered a new malware family called Proxysvc, which they believe was used alongside the 2017 Destover variant and is supported by server infrastructure with IP addresses in India.

“Proxysvc was first collected by public and private sources on March 22 from an unknown entity in the United States. The executable dropper for the component was submitted from South Korea on March 19,” according to McAfee’s research report. “Our research shows this listener component appeared mostly in higher education organizations. We suspect this component is involved in core control server infrastructure. These targets were chosen intentionally to run Proxysvc because the attacker would have needed to know which systems were infected to connect to them.”

“As we monitor this campaign, it is clear that the publicity associated with the (we assume) first phase of this campaign did nothing to slow the attacks. The threat actors not only continued but also increased the scope of the attack, both in types of targets and in the tools they used,” Raj Samani, chief scientist at McAfee, said in a blog post.

Working — and Hacking — Abroad

Thailand has become one of the newest countries in which North Korean citizens are known to be based while generating income on behalf of the Pyongyang regime, according to Recorded Future, which along with Insikt Group this week published a new analysis report on North Korean activity online. Other such locations include Bangladesh, India, Malaysia, China, New Zealand, Nepal, Kenya, Mozambique, and Indonesia.

North Koreans sent to Thailand, Bangladesh, China, and other nations, attend universities there and study computer science, for example. There they develop phony video games and bots that scam users out of valuable digital items that they then resell, and then they find and sell bugs in gaming software.

“Thailand and Bangladesh host North Korean state-run restaurants, diplomatic establishments tied to criminal activity, and allow North Korean investment,” Recorded Future’s report said.

Lazarus Group and other North Korean cyberattack groups are all about generating income for the nation, whether it’s cryptocurrency mining, online gaming scams, or bank heists. “The regime needs funds, and they will continue to pursue” attacks that make money, says Levi Gundert, vice president of intelligence and risk at Recorded Future.

But North Korea’s pure intelligence-gathering capabilities are still not at the level of other more cyber espionage-experienced nations, Gundert says. “They’re not a China,” he says. “They have tools and can develop their own toolsets … [and have] experience in offensive campaigns, but it’s not as broad as China or Russia.”

Meanwhile, North Korea’s ruling elite – most of whom are associated with the Kim family and regime, make up about 0.1% of the nation’s population, and are the only citizens allowed to access the global Internet – have in the past six months moved heavily toward obfuscation in their online activities, according to Recorded Future’s findings. They’ve mostly abandoned popular Western social media and online services such as Google, Facebook, and Instagram in favor of the corresponding Chinese services Alibaba, Tencent, and Baidu, in an apparent attempt to hide from US researchers and intelligence agencies.

Most of their online activity includes video viewing and online gaming (70%), as well as Web browsing (13%). They’ve also increased their use of VPNs and the Tor anonymization browser by 1,200%, and have begun mining the more anonymous Monero digital currency, in addition to mining Bitcoin. Overall, 13% of North Korean leadership was using obfuscation methods online, up from less than 1% in July of 2017.

Priscilla Moriuchi, director of strategic threat development at Recorded Future, says she was surprised by the sudden shift in online behavior by the North Korean elites. “What this tells us is how adaptable” the North Korean leadership is, she says. “We often think of authoritarian regimes as static. But time after time … they’ve adapted quickly to new technologies, using and exploiting them and innovating new methods to circumvent sanctions.”

The consequence of the North Korean ruling elite basically going dark on the public Internet is less insight into their behaviors, interests, and other social intel, according to Moriuchi.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/north-korea-ramps-up-operation-ghostsecret-cyber-espionage-campaign/d/d-id/1331667?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Gmail users, here’s how (and why) you should set up prompt-based 2FA

Last week, Google rolled out two-factor authentication prompts to its updated Gmail app, all in the hopes that more people using Google products will use two-factor authentication to protect their accounts, and that users will choose prompt-based authentication over less secure methods, like SMS codes.

Why turn on two-step verification (also known as two-factor authentication, or 2FA)? Because a password, even a strong one (which you aren’t using anywhere else, are you?), isn’t enough to keep your account secure.

If the service you’re using offers 2FA, you should enable it — it’s another layer of protection on your account that stops someone who can steal or guess your password from getting access.

The beauty of what the Gmail app offers is that it makes two-step authentication easier to use.

Instead of waiting for an email or SMS to appear on your phone, or setting up an authentication code on a third-party code generator, and then typing in the code you receive or generate, it’s just one touch to authenticate.

In this case, you simply open the Gmail app, which will ask if it’s you trying to sign in on a new device. You just hit a button to confirm: yes, it’s actually me trying to sign in to my account on that computer.

Ease of use is important because, for all the security benefits that 2FA brings, Gmail users just haven’t been using it.

The prompt-based approach to 2FA is something many organizations, including Google, have been pushing for a few years, as the SMS-based 2FA method can be vulnerable to fraud. It is better than nothing, but push-based methods—like the Google prompt—are more secure, and easier to use.

If this is something you’ve held off on doing, here’s how to get the prompt-based 2FA set up on your Google account. (Note that the setup is slightly different for Android and iOS users.)

Android users: Google Play Services deliver the prompt on your phone, so make sure your version is updated for this feature to work.
iOS users: The Google prompt works on iPhone version 5s and higher via the Google app and now the Gmail app as well.

First, you’ll need to navigate to the two-step authentication setting on your Google account on a computer (for Android or iOS users), or via the settings within your Google app (for iOS users). To find the 2FA setting from either a computer or the app, go to the settings of your Google profile, and select “signing in to Google” from under the Sign-in and Security area.

The screenshots below are from iOS on an iPhone 7, but it’s very similar when going through this process on a computer.

In the “signing in to Google section,” click the “two-step verification” option and hit the “try it now” prompt.

You’ll now see what the prompt looks like:

If it was you trying to sign in, hit “Yes”.

You’re not done yet though! The app will ask you to confirm that you want to turn this feature on, so tap “turn it on.”

Now you should be ready to go with the prompts on your Google account, and the 2-step verification screen will show you that Google prompts are enabled, along with any other prior 2FA methods you may have enabled (like the Authenticator app, SMS or physical keys).

If you have notifications enabled for the Google app, next time you (or anyone else!) tries to sign in to your Google account on a new device, you’ll be pinged to open the app and verify that it’s you. If you don’t have notifications enabled, you’ll need to open the Google app yourself to verify the login.
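To make concrete why the prompt flow described above is stronger than a typed SMS code, here is an added illustrative model of push-based approval in Python; it is not Google’s code or protocol, and the class name, 60-second lifetime and in-memory store are assumptions. The approval is bound to one specific sign-in attempt, expires, can be consumed only once, and the same tap that approves a genuine sign-in denies one the account owner does not recognise.

```python
import secrets
import time


class PromptAuth:
    """Toy server-side model of prompt-based (push) second-factor approval."""

    TTL_SECONDS = 60  # assumed lifetime of a pending prompt

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # challenge_id -> details of one sign-in attempt

    def start_login(self, user: str, device_desc: str) -> str:
        """Password already accepted; create the challenge the phone must answer."""
        cid = secrets.token_urlsafe(16)  # unguessable; there is no code for a user to type or leak
        self._pending[cid] = {"user": user, "device": device_desc,
                              "created": self._clock(), "approved": None}
        return cid

    def prompt_text(self, cid: str) -> str:
        """What the phone shows: which attempt is being approved, so a stranger's login stands out."""
        a = self._pending[cid]
        return f"Trying to sign in from {a['device']}? Yes / No"

    def answer_prompt(self, cid: str, approve: bool) -> None:
        """The single tap on the phone; the first answer for a challenge is final."""
        a = self._pending.get(cid)
        if a is not None and a["approved"] is None:
            a["approved"] = approve

    def complete_login(self, cid: str) -> bool:
        """Only an approved, unexpired, never-before-used challenge completes the sign-in."""
        a = self._pending.pop(cid, None)  # pop: one challenge answers exactly one sign-in
        if a is None:
            return False
        if self._clock() - a["created"] > self.TTL_SECONDS:
            return False
        return a["approved"] is True


if __name__ == "__main__":
    auth = PromptAuth()
    cid = auth.start_login("alice", "Windows laptop, Chrome")  # constructed sign-in attempt
    print(auth.prompt_text(cid))
    auth.answer_prompt(cid, True)
    print("signed in:", auth.complete_login(cid))
    print("replayed:", auth.complete_login(cid))
```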


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cFdRpPn5u-A/