Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Technology

Information security experts have long agreed that the most reliable form of two-factor authentication is a one-time code from an authenticator app. Most services offer this method as a second level of account protection, and in some cases a code from an app is the only available option. But the reasons why one-time codes are considered so safe are rarely discussed, so legitimate questions arise: is it really a good option, how reliable is it, what dangers are worth considering, and what do you need to keep in mind when using this two-factor authentication method? The main purpose of this post is to answer those questions.

How authenticator apps work

Generally, such apps operate as follows: the service in which you're authenticating and the authenticator itself share a number, a secret key (it is contained in the QR code that you scan to enable authentication for this service in the app). The authenticator and the service independently run the same algorithm to generate a code from this key and the current time. When you enter the code that your app has generated, the service compares it with the one it generated itself. If the codes match, you can access the account; if not, you can't.

When you connect the authenticator app via a QR code, several other parameters are transferred in addition to the secret key, including the one-time code's validity period (usually 30 seconds). The most important piece of information, the secret key, is transmitted just once, when the service is paired with the authenticator, and from then on both parties remember it. With each new login to the account, no information is transmitted from the service to your authenticator at all, so there's nothing to intercept. In fact, authenticator apps don't even need internet access to perform their main function. All that an attacker can theoretically get is the one-time code that the app generates for you to enter, and that code is valid for only about half a minute. We've already discussed in more detail how authenticator apps work in a separate post.
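The generation and comparison steps described above, written out as an added example in Python (this is not code from the original post). It implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, six digits and a 30-second step, the defaults most authenticator apps use, plus the server side: a verifier that tolerates one step of clock drift and refuses to accept the same time step twice. The secret is the test key published in RFC 4226 and RFC 6238 (ASCII "12345678901234567890"), not a real account key; the otpauth URI is the de facto key-URI convention used by Google Authenticator and compatible apps. The function and class names, and the issuer and account strings, are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# The HOTP/TOTP test secret published in RFC 4226 and RFC 6238
# (ASCII "12345678901234567890"), base32-encoded as a QR code would carry it.
# It is a documented test vector, not a real account key.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # validity period of one code, in seconds
DIGITS = 6       # length of the displayed code


def base32_decode(secret_b32: str) -> bytes:
    """Decode a base32 secret as found in QR codes (spaces and missing padding tolerated)."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the number of whole steps since the Unix epoch."""
    return hotp(base32_decode(secret_b32), at_time // step, digits)


def enrollment_uri(secret_b32: str, issuer: str, account: str) -> str:
    """What the enrollment QR code encodes (otpauth key-URI convention); issuer/account are hypothetical."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


class TotpVerifier:
    """Server side: holds the shared secret and checks submitted codes."""

    def __init__(self, secret_b32: str, step: int = TIME_STEP, digits: int = DIGITS, window: int = 1):
        self.secret = base32_decode(secret_b32)
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many steps of clock drift
        self.last_counter = -1        # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue              # that step was already used: reject replays
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("QR code content:", enrollment_uri(RFC_TEST_SECRET_B32, "ExampleService", "alice@example.com"))
    code = totp(RFC_TEST_SECRET_B32, now)
    verifier = TotpVerifier(RFC_TEST_SECRET_B32)
    print("code:", code,
          "accepted:", verifier.verify(code, now),
          "replayed:", verifier.verify(code, now))
```

Running the script prints the enrollment URI and the current code, accepted once and refused on the second submission. The `window` and `last_counter` details are the two server-side points worth knowing: a drift tolerance of one step means a stolen code is actually usable for up to about 90 seconds rather than 30, and without the replay check an intercepted code could be reused within that window.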
The earlier post covers authentication standards, the information contained in the QR codes used to connect those apps, and services that are incompatible with the most common authenticators.

How secure is 2FA with a one-time code?

Let's summarize the main advantages of one-time code authentication from an app:
- Good protection against leaks: a password alone isn't enough to gain access to an account; you also need a one-time code.
- Decent protection against interception of the one-time code: since a code is valid for just 30 seconds, attackers don't have much time to use it.
- It's computationally infeasible to recover the secret key from a one-time code, so even if a code is intercepted, attackers won't be able to clone the authenticator.
- No internet connection is required on the device generating the codes; it can be kept completely isolated.

As you can see, the system is well thought out, and its designers have done everything in their power to make it as secure as possible. But no solution is completely safe. So even when using authentication by code from an app, there are some risks to consider and precautions to take. That's what we'll talk about next.

Leaks, e-mail hacking and workarounds

I mentioned above that authenticating with one-time codes from an app is great protection against password leaks. In a perfect world it would be. Unfortunately, we don't live there. There's a crucial nuance: services usually don't want to lose users over an annoying detail like losing the authenticator (which can happen to anyone), so they usually provide an alternative way to log in, such as sending a one-time code or confirmation link to the associated e-mail address. This means that if a leak has occurred and attackers know both the password and the e-mail address linked to it, they can try to use this alternative method to log in to the account.
And if your e-mail is poorly protected (especially if you use the same password for it and haven't enabled two-factor authentication), it's very likely that attackers will be able to bypass the one-time code from the app entirely.

What's worth doing about it:
- Keep an eye out for data leaks, and promptly change passwords for affected services.
- Don't use the same password for different services. This is especially important for the e-mail account to which other accounts are linked.
- Some services allow you to disable alternative methods of logging in. For especially valuable accounts, it may be worth doing this (but don't forget to back up the authenticator; there's more on this below).

Physical access and people looking over your shoulder

Someone might look over your shoulder when you're using an authenticator app and see the one-time code. And not only one code: authenticators often display several codes in a row, so the intruder could log in to any of those accounts (provided they also know the password). Of course, they would not have much time to take advantage of what they caught sight of, but it's better not to take any chances: 30 seconds might be enough for a nimble-fingered cybercrook. The situation is more dangerous if someone gets their hands on an unlocked smartphone with an authenticator. In that case, they could log into your accounts without much haste or trouble.

How to minimize such risks:
- Use an authenticator app that doesn't display the codes on screen by default (there are quite a lot of them).
- Set a strong password to unlock the smartphone on which the authenticator app is installed, and turn on automatic screen locking after a short period of inactivity.
- Use an app that lets you additionally set a password to open the app itself (such apps exist, too).

Phishing sites

Most phishing sites designed for mass attacks are quite primitive.
Their creators are usually satisfied with stealing logins and passwords and then selling them dirt cheap in bulk somewhere on the dark web. Two-factor authentication is good protection against such attackers: even if someone gets your login credentials, they're useless without a one-time code from the app. However, on more carefully and plausibly crafted phishing sites, particularly those built for targeted attacks, phishers can also imitate the two-factor verification step. In this case they intercept not only the login and password but also the one-time code, and quickly use all three to log into the victim's real account before the code expires, while the phishing site shows an error message and suggests retrying. Unfortunately, despite its apparent simplicity, phishing remains an extremely effective trick for criminals, and it can be difficult to protect yourself against sophisticated versions of it. The general advice here is as follows:
- Don't click on links in e-mails, especially those received from unknown or suspicious addresses.
- Carefully check the address of the page where you're entering your account information.
- Use a reliable security solution with automatic phishing protection.

Stealer malware

To put it mildly, people don't really like going through the full authentication process, so services try not to bother their users unnecessarily. In most cases, you only have to fully authenticate with a password and confirmation code when you log in to your account on a device for the first time, or again if you've cleared the cookies from your browser. After a successful login, the service stores a small cookie on your computer containing a long, secret session token. From then on, your browser presents this token to the service to prove it's you. So if someone manages to steal this cookie, they can use it to sign into your account.
No password or one-time code is needed for this at all. Such cookies (along with a bunch of other information like browser-saved passwords, cryptocurrency wallet keys and similar goodies) can be stolen by Trojan stealers. If you're unfortunate enough to get a stealer on your computer, there's a very good chance that your accounts will be hijacked despite all the other precautions.

To prevent this from happening:
- Don't install programs from dubious sources.
- Be sure to use reliable protection on all your devices.

The lack of authenticator backups

Access to your accounts can also be lost because the protection is too strong: for example, if you've prohibited getting into your accounts without a code from the app and then lose the authenticator. In this case, you might permanently lose your accounts and the information in them, or at least be assured of a few fun days of tearful correspondence with support to restore access. There are quite a few circumstances in which you might lose your authenticator:
- A smartphone can break in a way that leaves you unable to get any information out of it.
- You might lose it.
- And of course, it could be stolen.

All of these are unpredictable events, so it's better to prepare for them in advance to avoid unpleasant consequences:
- Be sure to back up the authenticator data. Many apps allow backup to the cloud; some can also save it as a local file.
- It may be wise to install the authenticator on two different devices, or even to use several different apps. This protects you from being locked out of your backup if the cloud infrastructure of a single authenticator is unavailable at the most inopportune moment.

How to stay safe

Let's summarize. Two-factor authentication itself seriously reduces the risk of your accounts being hijacked, but it doesn't guarantee complete security. It's therefore worth taking extra precautions:
- Be sure to set a password to log in to the device where the authenticator is installed.
- Use an authenticator app that can hide one-time codes from unwanted eyes and lets you set a password to open the app itself.
- Don't forget to back up the authenticator.
- Don't use simple passwords, and don't reuse passwords across accounts. A password manager will help you generate and remember unique, strong ones.
- Watch out for leaks, and promptly change passwords for affected services, especially the e-mail account to which other accounts are linked. Incidentally, Kaspersky Password Manager tracks password leaks and warns you about them.
- To protect yourself from phishing and stealer malware, install a reliable security solution on all of your devices.
- Watch out for login attempts to your accounts and respond quickly to suspicious activity. By the way, we have a tutorial that tells you what to do if your account is hacked.


 News

The latest episode of the Transatlantic Cable sees the team starting out with news about Signal and its refusal to weaken encryption for the U.K. government. Following that, the team moves on to Meta and the National Center for Missing and Exploited Children's (NCMEC) campaign to help prevent the spread of minors' intimate images online. To wrap up, the team discusses Snapchat's AI chatbot and LockBit's attack against the U.K.'s Royal Mail. If you liked what you heard, please do consider subscribing.

Signal would walk from UK if Online Safety Bill undermined encryption
LockBit leaks 44GB of Royal Mail's data and sets fresh £33 million ransom
Meta supports new platform preventing spread of minors' intimate images online
Snapchat is adding OpenAI chatbot capabilities for the new My AI feature


 A Little Sunshine

The Biden administration today issued its vision for beefing up the nation’s collective cybersecurity posture, including calls for legislation establishing liability for software products and services that are sold with little regard for security. The White House’s new national cybersecurity strategy also envisions a more active role by cloud providers and the U.S. military in disrupting cybercriminal infrastructure, and it names China as the single biggest cyber threat to U.S. interests.

The strategy says the White House will work with Congress and the private sector to develop legislation that would prevent companies from disavowing responsibility for the security of their software products or services. Coupled with this stick would be a carrot: an as-yet-undefined “safe harbor framework” that would lay out what these companies could do to demonstrate that they are making cybersecurity a central concern of their design and operations.

“Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios,” the strategy explains. “To begin to shape standards of care for secure software development, the Administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.”

Brian Fox, chief technology officer and founder of the software supply chain security firm Sonatype, called the software liability push a landmark moment for the industry.

“Market forces are leading to a race to the bottom in certain industries, while contract law allows software vendors of all kinds to shield themselves from liability,” Fox said. “Regulations for other industries went through a similar transformation, and we saw a positive result — there’s now an expectation of appropriate due care, and accountability for those who fail to comply. Establishing the concept of safe harbors allows the industry to mature incrementally, leveling up security best practices in order to retain a liability shield, versus calling for sweeping reform and unrealistic outcomes as previous regulatory attempts have.”

THE MOST ACTIVE, PERSISTENT THREAT

In 2012 (approximately three national cyber strategies ago), then director of the U.S. National Security Agency (NSA) Keith Alexander made headlines when he remarked that years of successful cyber espionage campaigns from Chinese state-sponsored hackers represented “the greatest transfer of wealth in history.”

The document released today says the People’s Republic of China (PRC) “now presents the broadest, most active, and most persistent threat to both government and private sector networks,” and says China is “the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”

Many of the U.S. government’s efforts to restrain China’s technology prowess involve ongoing initiatives like the CHIPS Act, a new law signed by President Biden last year that sets aside more than $50 billion to expand U.S.-based semiconductor manufacturing and research and to make the U.S. less dependent on foreign suppliers; the National Artificial Intelligence Initiative; and the National Strategy to Secure 5G.

As the maker of most consumer gizmos with a computer chip inside, China is also the source of an incredible number of low-cost Internet of Things (IoT) devices that are not only poorly secured, but are probably more accurately described as insecure by design. The Biden administration said it would continue its previously announced plans to develop a system of labeling that could be applied to various IoT products and give consumers some idea of how secure the products may be. But it remains unclear how those labels might apply to products made by companies outside of the United States.

FIGHTING BADNESS IN THE CLOUD

One could convincingly make the case that the world has witnessed yet another historic transfer of wealth and trade secrets over the past decade — in the form of ransomware and data ransom attacks by Russia-based cybercriminal syndicates, as well as Russian intelligence agency operations like the U.S. government-wide SolarWinds compromise.

On the ransomware front, the White House strategy seems to focus heavily on building the capability to disrupt the digital infrastructure used by adversaries that are threatening vital U.S. cyber interests. The document points to the 2021 takedown of the Emotet botnet — a cybercrime machine that was heavily used by multiple Russian ransomware groups — as a model for this activity, but says those disruptive operations need to happen faster and more often.

To that end, the Biden administration says it will expand the capacity of the National Cyber Investigative Joint Task Force (NCIJTF), the primary federal agency for coordinating cyber threat investigations across law enforcement agencies, the intelligence community, and the Department of Defense.

“To increase the volume and speed of these integrated disruption campaigns, the Federal Government must further develop technological and organizational platforms that enable continuous, coordinated operations,” the strategy observes. “The NCIJTF will expand its capacity to coordinate takedown and disruption campaigns with greater speed, scale, and frequency. Similarly, DoD and the Intelligence Community are committed to bringing to bear their full range of complementary authorities to disruption campaigns.”

The strategy anticipates the U.S. government working more closely with cloud and other Internet infrastructure providers to quickly identify malicious use of U.S.-based infrastructure, share reports of malicious use with the government, and make it easier for victims to report abuse of these systems.

“Given the interest of the cybersecurity community and digital infrastructure owners and operators in continuing this approach, we must sustain and expand upon this model so that collaborative disruption operations can be carried out on a continuous basis,” the strategy argues. “Threat specific collaboration should take the form of nimble, temporary cells, comprised of a small number of trusted operators, hosted and supported by a relevant hub. Using virtual collaboration platforms, members of the cell would share information bidirectionally and work rapidly to disrupt adversaries.”

But here, again, there is a carrot-and-stick approach: the administration said it is taking steps to implement Executive Order (EO) 13984, issued by the Trump administration in January 2021, which requires cloud providers to verify the identity of foreign persons using their services.

“All service providers must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior,” the strategy states. “The Administration will prioritize adoption and enforcement of a risk-based approach to cybersecurity across Infrastructure-as-a-Service providers that addresses known methods and indicators of malicious activity including through implementation of EO 13984.”

Ted Schlein, founding partner of the cybersecurity venture capital firm Ballistic Ventures, said how this gets implemented will determine whether it can be effective.

“Adversaries know the NSA, which is the elite portion of the nation’s cyber defense, cannot monitor U.S.-based infrastructure, so they just use U.S.-based cloud infrastructure to perpetrate their attacks,” Schlein said. “We have to fix this. I believe some of this section is a bit pollyannaish, as it assumes a bad actor with a desire to do a bad thing will self-identify themselves, as the major recommendation here is around KYC (‘know your customer’).”

INSURING THE INSURERS

One brief but interesting section of the strategy titled “Explore a Federal Cyber Insurance Backstop” contemplates the government’s liability and response to a too-big-to-fail scenario or “catastrophic cyber incident.”

“We will explore how the government can stabilize insurance markets against catastrophic risk to drive better cybersecurity practices and to provide market certainty when catastrophic events do occur,” the strategy reads.

When the Bush administration released the first U.S. national cybersecurity strategy 20 years ago after the 9/11 attacks, the popular term for that same scenario was a “digital Pearl Harbor,” and there was a great deal of talk then about how the cyber insurance market would soon help companies shore up their cybersecurity practices.

In the wake of countless ransomware intrusions, many companies now hold cybersecurity insurance to help cover the considerable costs of responding to such intrusions. Leaving aside the question of whether insurance coverage has helped companies improve security, what happens if every one of these companies has to make a claim at the same time?

The notion of a Digital Pearl Harbor incident struck many experts at the time as a hyperbolic justification for expanding the government’s digital surveillance capabilities, and an overstatement of the capabilities of our adversaries. But back in 2003, most of the world’s companies didn’t host their entire business in the cloud. Today, nobody questions the capabilities, goals and outcomes of dozens of nation-state level cyber adversaries. And these days, a catastrophic cyber incident could be little more than an extended, simultaneous outage at multiple cloud providers.
The full national cybersecurity strategy is available from the White House website (PDF).

 Threat Actors

BlackBerry researchers spotted the APT-C-36 threat group, aka Blind Eagle, masquerading as a Colombian government tax agency to target financial, health, immigration, and law enforcement sectors. Based on the infection vector and other tactics, researchers believed that the campaign targeted some organizations in Chile, Spain, and Ecuador.

 Trends, Reports, Analysis

A new report by Kaspersky states that almost 200,000 new mobile banking trojans surfaced in 2022, marking a 100% increase from 2021, with China being the most affected, followed by Syria and Iran. RiskTool-type potentially unwanted software accounted for the most distributions at 27.39%, followed by adware at 24.05% and trojan-type malware at 15.56%.

 Laws, Policy, Regulations

The European Data Protection Board on Tuesday published an analysis of the framework, lauding "substantial improvements" but simultaneously expressing "concerns" and requesting "clarifications on several points."

 Govt., Critical Infrastructure

The new strategy has five pillars: Defend critical infrastructure; Target and disrupt threat actors; Use market forces to improve security and resilience; Invest in resilience; and Enhance international partnerships.

 Trends, Reports, Analysis

Vulnerabilities associated with Microsoft Exchange Server and some virtual private networks, many of which were first disclosed in 2017, continue to be a popular route for hackers to exploit, a report from exposure management company Tenable found.

 Govt., Critical Infrastructure

A new federal strategy to make manufacturers liable for insecure software requires an attainable safe harbor policy and could be a disincentive for them in sharing important vulnerability info with the government, according to industry observers.

 Security Products & Services

Decider makes the mapping process easier by asking the user a series of questions about the adversary’s activity in their network. The tool also provides search and filtering functionality, and allows users to export the results to common formats.

 Feed

Ubuntu Security Notice 5871-2 - USN-5871-1 fixed vulnerabilities in Git. A backport fixing part of the vulnerability in CVE-2023-22490 was required. This update fixes this for Ubuntu 18.04 LTS. It was discovered that Git incorrectly handled certain repositories. An attacker could use this issue to make Git use its local clone optimization even when using a non-local transport.

 Feed

Ubuntu Security Notice 5908-1 - It was discovered that Sudo incorrectly handled the per-command chroot feature. In certain environments where Sudo is configured with a rule that contains a CHROOT setting, a local attacker could use this issue to cause Sudo to crash, resulting in a denial of service, or possibly escalate privileges.

 Feed

Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.

 Feed

Barracuda CloudGen WAN provides a private edge appliance for hybrid deployments. An authenticated user in the administration interface for the private edge virtual appliance can inject arbitrary OS commands via the /ajax/update_certificate endpoint. Versions prior to v8.* hotfix 1089 are affected.

 Feed

Ubuntu Security Notice 5913-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Lee Jones discovered that a use-after-free vulnerability existed in the Bluetooth implementation in the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

 Feed

Ubuntu Security Notice 5911-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

 Feed

Ubuntu Security Notice 5912-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

 Feed

Ubuntu Security Notice 5916-1 - Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

 Feed

Ubuntu Security Notice 5915-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

 Feed

Ubuntu Security Notice 5914-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the NFSD implementation in the Linux kernel did not properly handle some RPC messages, leading to a buffer overflow. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code.

 Feed

Ubuntu Security Notice 5910-1 - It was discovered that Rack did not properly structure regular expressions in some of its parsing components, which could result in uncontrolled resource consumption if an application using Rack received specially crafted input. A remote attacker could possibly use this issue to cause a denial of service. It was discovered that Rack did not properly structure regular expressions in its multipart parsing component, which could result in uncontrolled resource consumption if an application using Rack to parse multipart posts received specially crafted input. A remote attacker could possibly use this issue to cause a denial of service. This issue was only fixed in Ubuntu 20.04 ESM and Ubuntu 22.04 ESM.

 Feed

Ubuntu Security Notice 5905-1 - It was discovered that PHP incorrectly handled certain gzip files. An attacker could possibly use this issue to cause a denial of service. It was discovered that PHP incorrectly handled certain cookies. An attacker could possibly use this issue to compromise data integrity. It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

 Feed

Ubuntu Security Notice 5821-4 - USN-5821-3 fixed a vulnerability in pip. The update introduced a minor regression in Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. This update fixes the problem. Sebastian Chnelik discovered that wheel incorrectly handled certain file names when validating them against a regular expression. An attacker could possibly use this issue to cause a denial of service.

 Feed

Ubuntu Security Notice 5909-1 - It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux kernel did not properly perform bounds checking in some situations. A physically proximate attacker could use this to craft a malicious USB device that, when inserted, could cause a denial of service or possibly execute arbitrary code. It was discovered that a use-after-free vulnerability existed in the Bluetooth stack in the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

 Feed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory about Royal ransomware, which emerged in the threat landscape last year. "After gaining access to victims' networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems," CISA said. The custom ransomware

 Feed

The China-aligned Mustang Panda actor has been observed using a hitherto unseen custom backdoor called MQsTTang as part of an ongoing social engineering campaign that commenced in January 2023. "Unlike most of the group's malware, MQsTTang doesn't seem to be based on existing families or publicly available projects," ESET researcher Alexandre Côté Cyr said in a new report. Attack chains

 Feed

A pair of serious security defects has been disclosed in the Trusted Platform Module (TPM) 2.0 reference library specification that could potentially lead to information disclosure or privilege escalation. One of the vulnerabilities, CVE-2023-1017, concerns an out-of-bounds write, while the other, CVE-2023-1018, is described as an out-of-bounds read. Credited with discovering and reporting the

Aggregator history: Friday, March 03, 2023