0 Comments
Google this week made it easier for Android users to enable strong 2-factor authentication (2FA) when logging into Google’s various services. The company announced that all phones running Android 7.0 and higher can now be used as Security Keys, an additional authentication layer that helps thwart phishing sites and password theft. As first disclosed by KrebsOnSecurity last summer, Google maintains it has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes. The most commonly used Security Keys are inexpensive USB-based devices that offer an alternative approach to 2FA, which requires the user to log in to a Web site using something they know (the password) and something they have (e.g. a one-time token, key fob or mobile device). But Google said starting this week, any mobile phone running Android 7.0+ (Nougat) can serve the same function as a USB-based security key. Once a user has enrolled their Android phone as a Security Key, the user will need to approve logins via a prompt sent to their phone after submitting their username and password at a Google login page. Many readers have expressed confusion or skepticism about how Security Keys can prevent users from getting hooked by phishing sites or clever man-in-the-middle attacks. This capability was described in far greater visual detail in this video last year by Christiaan Brand, product manager at Google Cloud. But the short version is that even if a user who has enrolled a Security Key for authentication tries to log in at a site pretending to be Google, the company’s systems simply refuse to request the Security Key if the user isn’t on an official Google site, and the login attempt fails. “It puts you in this mode….[in] which is there is no other way to log in apart from the Security Key,” Brand said. “No one can trick you into a downgrade attack, no one can trick you into anything different. You need to provide a security key or you don’t get into your account.” Google says built-in security keys available on phones running Android 7.0+ (Nougat) with Google Play Services, enabling existing phones to act as users’ primary 2FA method for work (G Suite, Cloud Identity, and GCP) and personal Google accounts to sign in on a Bluetooth-enabled Chrome OS, macOS X, or Windows 10 device with a Chrome browser. The basic idea behind two-factor authentication (Google calls it “two step verification” or 2SV) is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor. The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via an app (like Authy or Google Authenticator), text message, or an automated phone call. But all of these methods are susceptible to interception by various attacks. For example, thieves can intercept that one-time code by tricking your mobile provider into either swapping your mobile device’s SIM card or “porting” your mobile number to a different device. A Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers. Probably the most popular maker of Security Keys is Yubico, which sells a basic U2F key for $20 (it offers regular USB versions as well as those made for devices that require USB-C connections, such as Apple’s newer Mac OS systems). Yubikey also sells more expensive U2F keys designed to work with mobile devices. A number of high-profile sites now allow users to enroll their accounts with USB- or Bluetooth-based Security Keys, including Dropbox, Facebook, Github and Twitter. If you decide to use Security Keys with your account, it’s a good idea to register a backup key and keep it in a safe place, so you can still get into your account if you loose your initial key (or phone, in Google’s case). To be sure you’re using the most robust forms of authentication at sites you entrust with sensitive data, spend a few minutes reviewing the options at twofactorauth.org, which maintains probably the most comprehensive list of which sites support 2FA, indexing each by type of site (email, gaming, finance, etc) and the type of 2FA offered (SMS, phone call, software token, etc.). Please bear in mind that if the only 2FA options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account. I should also note that Google says Android 7.0+ phones also can be used as the Security Key for people who have adopted the company’s super-paranoid Advanced Protection option. This is a far more stringent authentication process for Google properties designed specifically for users who are most likely to be targeted by sophisticated attacks, such as journalists, activists, business leaders and political campaigns. I’ve had Advanced Protection turned on since shortly after Google made it available. It wasn’t terribly difficult to set up, but it’s probably not for your casual user. For one thing, it requires users to enroll two security keys, and in the event the user loses both of those keys, Google may take days to validate your request and grant you access to your account. from https://krebsonsecurity.com/2019/04/android-7-0-phones-can-now-double-as-google-security-keys/ Microsoft today released fifteen software updates to fix more than 70 unique security vulnerabilities in various flavors of its Windows operating systems and supported software, including at least two zero-day bugs. These patches apply to Windows, Internet Explorer (IE) and Edge browsers, Office, Sharepoint and Exchange. Separately, Adobe has issued security updates for Acrobat/Reader and Flash Player. According to security firm Rapid 7, two of the vulnerabilities — CVE-2019-0803 and CVE-2019-0859 — are already being exploited in the wild. They can result in unauthorized elevation of privilege, and affect all supported versions of Windows. “An attacker must already have local access to an affected system to use these to gain kernel-level code execution capabilities,” Rapid7 researcher Greg Wiseman observed. “However, one of the 32 Remote Code Execution (RCE) vulnerabilities patched today could potentially be used with them in an exploit chain to obtain full control of a system.” Aside from these zero-day privilege escalation flaws, Wiseman said, it’s a fairly standard Patch Tuesday. “Which of course still means that there are bugs that should be patched as soon as possible, such as the eight vulnerabilities classified as critical in the scripting engine used by Microsoft browsers, and CVE-2019-0822 (an RCE in Microsoft Office that can be exploited by convincing a user to open a malicious file).” Adobe’s Patch Tuesday includes security updates for its Flash Player and AIR software, as well as Adobe Reader and Acrobat. Flash updates are installed along with other monthly Windows patch rollups for consumers, and auto-installed by Google Chrome, but users may need to reboot the operating system (in the case of IE/Edge) or the browser (in Chrome) for the new updates to take effect. Adobe’s actions also sound the death knell for Adobe Shockwave Player, which has at long last reached end-of-life. That means no more security updates for Shockwave, which has always been something of an ugly stepchild to Flash. That is to say, Shockwave never really got the security attention Flash has received but nevertheless has been just as vulnerable and often lagging months or years behind Flash in terms of updates. Chris Goettl, director of product management and security for security firm Ivanti, said Windows users need to get any existing Shockwave installations out of their environments now. “There are 7 vulnerabilities that are going to be vulnerable for the majority of Shockwave installs still in existence,” Goettl said. “You can bet an exploit is imminent there.” Standard advice: Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system. Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips. Further reading: SANS Internet Storm Center’s Patch Tuesday Priorities. Martin Brinkmann of Ghacks.net from https://krebsonsecurity.com/2019/04/patch-tuesday-lowdown-april-2019-edition/ Almost exactly one year ago, KrebsOnSecurity reported that a mere two hours of searching revealed more than 100 Facebook groups with some 300,000 members openly advertising services to support all types of cybercrime, including spam, credit card fraud and identity theft. Facebook responded by deleting those groups. Last week, a similar analysis led to the takedown of 74 cybercrime groups operating openly on Facebook with more than 385,000 members. Researchers at Cisco Talos discovered the groups using the same sophisticated methods I employed last year — running a search on Facebook.com for terms unambiguously tied to fraud, such as “spam” and “phishing.” Talos said most of the groups were less than a year old, and that Facebook deleted the groups after being notified by Cisco. Talos also re-confirmed my findings that Facebook still generally ignores individual abuse reports about groups that supposedly violate its ‘community standards,’ which specifically forbid the types of activity espoused by the groups that Talos flagged. “Talos initially attempted to take down these groups individually through Facebook’s abuse reporting functionality,” the researchers found. “While some groups were removed immediately, other groups only had specific posts removed.” But Facebook deleted all offending groups after researchers told Facebook’s security team they were going to publish their findings. This is precisely what I experienced a year ago. Not long after Facebook deleted most of the 120 cybercrime groups I reported to it back in April 2018, many of the groups began reemerging elsewhere on the social network under similar names with the same members. Instead of reporting those emergent groups directly to people at Facebook’s public relations arm — something most mere mortals aren’t able to do — KrebsOnSecurity decided to report the re-offenders via Facebook’s regular abuse reporting procedures. What did we find? I received a series of replies saying that Facebook had reviewed my reports but that none of the groups were found to have violated its standards. KrebsOnSecurity later found that reporting the abusive Facebook groups to a quarter-million followers on Twitter was the fastest way to get them disabled. How else have Facebook’s public statements about its supposed commitment to security and privacy been undermined by pesky facts over the past few weeks?
Once again, that old adage applies: If you can’t quite figure out how you’re the customer in a given online relationship, that’s probably because you’re best described as the product being sold to others. I long ago stopped providing personal information via any Facebook account. But for my part, there remain probably three big reasons why I’m still on Facebook. For better or worse, a great many sources choose to share important information this way. Also, sometimes Facebook is the fastest way to find a potential source and get their attention. Secondly, many people unfortunately still get much of their news from Facebook and prefer to be notified about new stories this way. Finally, I periodically need to verify some new boneheaded privacy disclosure or security screw-up manufactured by Facebook. I would probably never delete my Facebook account, for the same reason I wouldn’t voluntarily delete my accounts from various cybercrime forums: For my part, the potential benefits of being there outweigh the potential risks. Then again, I am likely far from your typical Facebook (ab)user. But what about you, Dear Reader? How does your Facebook cost/benefit analysis break down? Have any of the recent or not-so-recent Facebook scandals prompted you to delete your account, or to heavily restrict what types of information you store on the social network or make available to others? Sound off in the comments below. from https://krebsonsecurity.com/2019/04/a-year-later-cybercrime-groups-still-rampant-on-facebook/ |
ABOUT MEHi my name is Anthony I am 32 years old from Houston. I am working in local store selling electronic devices. I have been interested in eclectronics since childhood and I like to reacd about it. Archives
April 2019
Categories |