Week in security with Tony Anscombe

Microsoft plugs a serious hole in Windows – Your options after Windows 7 end of life – iPhones as security keys for Google accounts

Microsoft has released a security patch to address a severe Windows vulnerability discovered and reported by the United States’ National Security Agency. Also this week, Microsoft ended support for Windows 7, and we weighed in on how people who use the operating system can stay safe. iPhone owners can now use their phones as hardware-based security keys for authentication into Google accounts. All this – and more – on WeLiveSecurity.com.

FBI shuts down website selling billions of stolen records

A subscription to the trove of personal details could be had for as little as $2

US law enforcement has seized the WeLeakInfo.com domain name for peddling personal data stolen in data breaches. The shadowy website offered a pay-to-play scenario that allowed anyone to search for and access other people’s personal details, according to a statement from the Department of Justice (DOJ).

WeLeakInfo.com “claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records,” said the authorities.

The records spanned the gamut, but primarily included names, email addresses, usernames, phone numbers, and passwords for online accounts. Any of this could be had dirt-cheap, as subscriptions started from as little as US$2 for access valid for 24 hours – an especially meager sum compared to the damage that may follow after somebody pilfers your personal details and commits identity fraud. Longer subscription periods were also available.

Seizure notice (source: DOJ)

The crackdown was the result of a joint effort that also involved law enforcement in the United Kingdom, the Netherlands and Germany. The UK’s National Crime Agency said earlier today that two men suspected of operating the website have been arrested in the Netherlands and Northern Ireland.

RELATED READING: Simple steps to protect yourself against identity theft

In a separate case, LeakedSource.com, a repository of three billion stolen or leaked online credentials, was busted two years ago. In May 2019, the site’s operator pleaded guilty to trafficking in stolen information.

It’s worth noting that there are legitimate services that enable you to check if your login credentials may have been compromised in a data breach. The Chrome and Firefox web browsers offer similar features.

17 Jan 2020 – 02:19PM

You can now turn your iPhone into a Google security key

And it doesn’t require much more than downloading a dedicated app

Last year, Google made it possible for most Android users to use their phone as a physical security key for their Google accounts. Fast forward a few months and most iPhone users receive the same option.

According to Google’s blog post yesterday, the feature was introduced with an update to the Google Smart Lock app on iOS and is available to all iPhone owners running iOS 10 or newer. The new functionality essentially turns the devices into FIDO2-compliant security keys, allowing authentication into Google accounts on Windows 10, macOS, iOS and Chrome OS devices. It leverages the Secure Enclave, the hardware component of modern Apple devices that protects people’s most sensitive data.

The move has to do with Google’s streamlining of the enrollment process for its Advanced Protection Program (APP), which provides extra protection against phishing and other attacks that prey on login credentials. The program, which once required people to use dedicated hardware security keys, is mainly aimed at high-risk users.

Importantly, however, you needn’t be a business leader, journalist or politician to harden your Google account security. Anyone who uses a newer iPhone (iOS 10 or higher) or Android (7.0 Nougat or higher) and wishes to prevent successful account-hijacking attacks can enroll in the program and avail themselves of the security enhancement.

RELATED READING: 2FA: Double down on your security

Indeed, if you own an iPhone, using a solid 2FA method to secure your Google account has never been easier. On top of being more secure than SMS-based two-factor authentication (2FA), the new option is also more convenient than carrying around a separate security token, such as Google’s own Titan Security Key. Also, you would previously need to buy one of the dedicated security keys in the first place.

This is not to say that you should rush to ditch your security token once you switch to the more convenient option. One potential issue is the loss or theft of your phone, which Google says is best addressed by having a backup security key at the ready.

How to get started

First of all, you’ll need to enable the new 2FA option in your Google account settings and download the Google Smart Lock app. The subsequent setup process is quite quick and self-explanatory but, if needed, Google’s step-by-step guide is there to help.

To verify sign-ins, you will need to turn on Bluetooth on both your phone and computer, as well as allow the app to send push notifications, which will act as the second authentication factor. Your phone will also need to be relatively close to your computer, leaving a typical phisher who has no access to your unlocked phone out of luck.

Speaking of phishing, Google has more than once spoken highly of the capabilities of hardware-based 2FA. “Zero users that exclusively use security keys fell victim to targeted phishing during our investigation,” the tech giant said about the results of a study last year.

The same functionality, for all intents and purposes, is now available on all newer iPhones and Android devices.

16 Jan 2020 – 07:39PM

Cyberawareness in Australia: The good and the bad

An ESET-commissioned survey sheds light on the browsing habits of Australians and how they protect themselves online

Australia is a highly interconnected country with nine in ten inhabitants being internet users, most of whom use the internet every day. What do they know about cybersecurity and how do they approach it, though? A recent survey commissioned by ESET sought to find out.

The two questions above are especially pertinent, since six out of ten Australian businesses have been affected by breaches. A total of 60% of these breaches have been caused by malicious or criminal attacks, and scams have swindled Australians out of almost half a billion Australian dollars. Not to mention that identity crimes have cost them AU$2.2 billion a year.

Those are not optimistic numbers, considering the fact that nearly all respondents implied that they conduct financial transactions online. Nine in ten use internet banking and over three quarters use online transactions to settle their utility bills and pay taxes. Their online transactions are not limited to mundane tasks, as almost half of the respondents admitted they buy and download online games and eight out of ten engage in purchasing products and services online as well.

Australians usually interact with the internet on the go. So, it should come as no surprise that most of their financial transactions are done the same way. Over half of them are done on smartphones and almost a quarter are done on laptops. Although convenient, this introduces its own set of challenges and problems, since devices often connect automatically to any available Wi-Fi network. Many Australians underestimate this risk: 36% of them admit to using public Wi-Fi to conduct their financial transactions. A much safer option is to rely on cellular data or to buy a mobile hotspot, since then you can be sure about the safety of your connection.

RELATED ARTICLE: Can regulations improve cybersecurity? In APAC, opinions vary

Although they may interact with the internet from different locations, when it comes to spending, Australians rely on platforms they know and trust. Nine out of ten participants in the survey responded that they used PayPal, while eight out of ten said they usually stick to the official banking platform of their bank. Almost half also use popular payment platforms designed for smartphones such as Apple Pay, Google Pay or Android Pay.

Convenient as these activities are, respondents are aware of the risks they bring. Over three-quarters of them worry about the security of their data either often or occasionally. Australians worry most about security while doing online banking and online shopping. This is not surprising, since one-fifth of them have had experience with a virus or some other malware on their devices. 18% have had their social media accounts hacked and one in three people have had their emails compromised. Not to mention that one in six have lost money to online banking scams.

Being aware of the risks is not enough; these concerns need to be addressed, and apparently Australians are doing just that. Almost all the respondents know how to create a strong password, and the vast majority download software from official sources. Three-quarters of them use two-factor authentication to secure their accounts when the option is available.

To sum it up, the survey shows that Australians are quite capable netizens aware of the risks their online activities pose. They are also willing to take precautions to lower their susceptibility to attacks and are willing to educate themselves although, as seen above, there is room for improvement. For a more detailed look at the cyberawareness of Australians, you may want to refer to the full report.

16 Jan 2020 – 11:32AM

Google to end support for third‑party cookies in Chrome

The company will also soon launch anti-fingerprinting measures aimed at detecting and mitigating covert tracking and workarounds

Google has announced plans to phase out support for third-party cookies in its Chrome web browser within the next two years. The company is joining the ranks of Mozilla and Apple that, also in a bid to improve privacy on the web, have implemented similar changes in the Firefox and Safari browsers, respectively. But the way Google approaches the issue diverges from the path the competition took.

While Apple and Mozilla instituted a block of all third-party cookies by default, Google is planning to develop its own set of technical solutions and tools that it believes will satisfy the needs of all the parties concerned – users, web publishers, and advertisers. The reasoning behind this decision is that the nuclear option of blocking all third-party cookies, which are instrumental for targeted advertising, may have unintended adverse effects.

Justin Schuh, director of Chrome Engineering, put it this way:

“Some browsers have reacted to these concerns by blocking third-party cookies, but we believe this has unintended consequences that can negatively impact both users and the web ecosystem. By undermining the business model of many ad-supported websites, blunt approaches to cookies encourage the use of opaque techniques such as fingerprinting (an invasive workaround to replace cookies), which can actually reduce user privacy and control.”

RELATED READING: Six tips to help you avoid targeted marketing

You won’t have to wait until 2022 to see the steps Google is taking to mitigate tracking in Chrome, which remains the most popular web browser by far. As of next month, Google will limit insecure cross-site tracking. Cookies that don’t include the SameSite label will be treated as first-party cookies, while third-party cookies will have to be accessed using HTTPS connections. According to Schuh, this should make third-party cookies more secure and give users more control. At the same time, Schuh said that, by the end of this year, the company will launch anti-fingerprinting measures aimed at detecting and mitigating “covert tracking and workarounds.”
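As an added example (not code from the original article or from Google), the following Python check audits Set-Cookie headers against the Chrome behaviour described above: a cookie with no SameSite attribute is treated as first-party only (Lax), and a cookie meant to be read cross-site must say SameSite=None and carry the Secure attribute so it only travels over HTTPS. The request contexts, cookie names and sample headers are constructed for the example.

```python
"""
Added example, not code from the original article or from Google: a small
audit of Set-Cookie headers against the Chrome behaviour described above, where
a cookie without a SameSite attribute is treated as first-party only (Lax) and a
cookie that is meant to be read cross-site must say SameSite=None and carry the
Secure attribute (HTTPS only). Request contexts and sample headers are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Request contexts used by would_be_sent(); the names are this example's own.
SAME_SITE = "same-site"                  # first-party request to the cookie's own site
TOP_LEVEL_NAV = "top-level-navigation"   # user follows a link from another site
EMBEDDED = "embedded-third-party"        # iframe/script/image loaded by another site


@dataclass
class CookieVerdict:
    name: str
    effective_samesite: str   # "Lax", "Strict" or "None" after applying the default
    accepted: bool            # False if the browser would drop the cookie outright
    notes: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def evaluate_cookie(header: str) -> CookieVerdict:
    """Apply the SameSite-by-default rule to one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    verdict = CookieVerdict(name=name, effective_samesite="Lax", accepted=True)

    if samesite == "":
        # No label: the browser now treats the cookie as first-party (Lax).
        verdict.notes.append("no SameSite attribute; defaulted to Lax, so it is "
                             "not sent with embedded third-party requests")
    elif samesite == "none":
        verdict.effective_samesite = "None"
        if not secure:
            # Cross-site cookies are only allowed over HTTPS: no Secure, no cookie.
            verdict.accepted = False
            verdict.notes.append("SameSite=None without Secure; rejected")
    elif samesite in ("lax", "strict"):
        verdict.effective_samesite = samesite.capitalize()
    else:
        raise ValueError(f"unrecognised SameSite value: {samesite!r}")
    return verdict


def would_be_sent(verdict: CookieVerdict, context: str) -> bool:
    """Would the browser attach this cookie to a request made in `context`?"""
    if not verdict.accepted:
        return False
    if verdict.effective_samesite == "None":
        return True
    if verdict.effective_samesite == "Lax":
        return context in (SAME_SITE, TOP_LEVEL_NAV)
    return context == SAME_SITE  # Strict: first-party requests only


# Constructed sample headers: a legacy cookie with no label, a broken and a
# correct third-party cookie, and a strict first-party anti-CSRF cookie.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",
    "tracker_old=xyz; SameSite=None",
    "tracker=xyz; SameSite=None; Secure",
    "csrf=tok; SameSite=Strict; Secure",
]


def audit(headers: List[str]) -> Dict[str, Dict[str, bool]]:
    """Map each cookie name to whether it is sent in each request context."""
    report: Dict[str, Dict[str, bool]] = {}
    for header in headers:
        verdict = evaluate_cookie(header)
        report[verdict.name] = {ctx: would_be_sent(verdict, ctx)
                                for ctx in (SAME_SITE, TOP_LEVEL_NAV, EMBEDDED)}
    return report


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        v = evaluate_cookie(header)
        print(f"{header!r}: effective={v.effective_samesite} accepted={v.accepted} "
              f"embedded={would_be_sent(v, EMBEDDED)} {'; '.join(v.notes)}")
```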

Google is also asking web users to engage in the debate and to help it achieve the goal of a “more trustworthy and sustainable web.” They can do that by giving feedback and sharing ideas and proposals on GitHub. Users ranging from publishers and developers to advertisers will have a chance to experiment with the new mechanisms and test whether they work in different situations.

The tech giant hasn’t been blind to the shift in the public’s opinion on data privacy and security and has engaged in the ongoing debate for quite some time. The latest move is part of the Privacy Sandbox initiative, which Google introduced last August and which, per the company’s statement at the time, is aimed at “evolving the web with architecture that advances privacy while continuing to support a free and open ecosystem”.

15 Jan 2020 – 04:19PM

Microsoft patches severe Windows flaw after tip‑off from NSA

The US intelligence agency expects attackers to waste no time in developing tools aimed at exploiting the vulnerability

Microsoft has shipped out a security patch to address a serious vulnerability in the Windows operating system that, if abused, could enable attackers to make malware appear as though it was code from a legitimate source.

The vulnerability, which is being fixed as part of this month’s Patch Tuesday rollout, affects a key cryptographic component of Windows 10, Windows Server 2019 and Windows Server 2016. The flaw was discovered by the United States’ National Security Agency (NSA), which, for the first time ever, is now officially credited with the discovery of a software vulnerability.

Indexed as CVE-2020-0601, the bug resides “in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates,” reads Microsoft’s security advisory. The Crypt32.dll module is responsible for many certificate and cryptographic messaging functions in the CryptoAPI.

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source,” said Microsoft.

In other words, a threat actor could get victims to install malware by passing it off as, say, a legitimate software update, including from Microsoft itself, while the targets would be none the wiser.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” according to the tech giant.

“A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software,” said Microsoft.

“Severe and widespread”

Hours before the official announcement, rumors began to swirl that this would not be a typical Patch Tuesday rollout. Indeed, some in the security community may have been waiting on pins and needles after veteran security journalist Brian Krebs more than hinted at the magnitude of the problem:

“An extraordinarily serious security vulnerability,” Krebs wrote when describing the bug on Monday night. The US government and military, as well as several high-profile companies, are said to have received the patches in advance.

The severity of the situation eventually prompted a bevy of official communications from US authorities. This included an alert from the Cybersecurity and Infrastructure Security Agency (CISA), an emergency directive from the Department of Homeland Security (DHS) requesting expedited patching across federal entities, and an advisory from the NSA itself.

“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners,” said the intelligence agency. Neither the NSA nor Microsoft are aware of the flaw being abused in the wild.

Windows 7, which happens to reach its end of life on this very day, Windows 8 and other Windows versions are not affected by the vulnerability.

This month’s Patch Tuesday bundle is made up of fixes for a total of 49 vulnerabilities, which are neatly summarized in this table by the SANS Technology Institute. Two critical flaws in Windows Remote Desktop Gateway (RD Gateway), CVE-2020-0609 and CVE-2020-0610, stand out, as they allow remote, unauthenticated attackers to execute arbitrary code on the targeted system.

15 Jan 2020 – 12:20AM

Millions of modems at risk of remote hijacking

Multiple cable modem models from various manufacturers found vulnerable to takeover attacks

Hundreds of millions of cable modems from various manufacturers may be susceptible to a critical vulnerability that can enable attackers to intercept people’s private messages or redirect their internet traffic, new research has found.

Tracked as CVE-2019-19494 and nicknamed Cable Haunt, the vulnerability is estimated to have affected nearly all cable modems in Europe until recently, with many still remaining at risk. How so? The researchers from Denmark-based security consultancy Lyrebird – who discovered the security hole and detailed their findings in a paper available for download from this dedicated website – put it this way:

“There are an estimated 200 million cable modems in Europe alone. With almost no cable modem tested being secure without a firmware update, the number of modems initially vulnerable in Europe is estimated to be close to this number,” said the company. Some internet service providers (ISPs) were recently notified of the issue and shipped out firmware to address the problem. Either way, it is strongly suspected that there are more vulnerable modems throughout the world.

The ghost in the modem

The flaw resides in reference software that runs the spectrum analyzer tool on chips made by semiconductor company Broadcom. The spectrum analyzer component, which is tasked with pinpointing and debugging problems in the modem’s cable connection, is used by various cable modem manufacturers in their devices’ firmware – hence the apparently vast number of vulnerable modems.

While the spectrum analyzer is exposed only to the local network, attackers could still abuse Cable Haunt for remote access from anywhere in the world. The modems were found to be vulnerable to remote code execution through a WebSocket connection, which is initiated after the victim is lured to a booby-trapped website that serves malicious JavaScript code. The ensuing buffer overflow attack provides the threat actors with access to the modem, while browser security mechanisms are bypassed with a DNS rebinding attack.

“The exploit is possible due to lack of protection proper authorization of the websocket client, default credentials and a programming error in the spectrum analyzer. These vulnerabilities can give an attacker full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP and able to ignore remote system updates,” said the researchers.

The possible malicious actions include tampering with DNS settings, replacing modem firmware, corralling devices into a botnet, or conducting remote Man-in-the-Middle (MitM) attacks to intercept private information.
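As an added illustration (not the researchers’ proof-of-concept and not any vendor’s fix), the Python snippet below shows the two handshake checks a device-local WebSocket service needs in order to reject the chain described above: after DNS rebinding, the browser’s request still carries the attacker’s hostname in the Host header and the attacker’s page in the Origin header, so a service that answers only for its own address and its own management UI refuses the connection. The device address, hostnames and the handshake itself are constructed for the example.

```python
"""
Added example (not the researchers' PoC nor any vendor's fix): the two handshake
checks a device-local WebSocket service needs to survive the attack chain
described above. After DNS rebinding, the browser's request still names the
attacker's hostname in Host and the attacker's page in Origin, so a service that
only answers for its own address and its own management UI rejects it.
The device address, hostnames and handshake text are constructed.
"""
from typing import Dict, Tuple

# Constructed values for a device that serves its management UI at 192.168.100.1.
DEVICE_HOSTS = {"192.168.100.1", "192.168.100.1:8080"}
ALLOWED_ORIGINS = {"http://192.168.100.1", "http://192.168.100.1:8080"}


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return (request-line, {header-name-lower: value}) from a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        key, _, val = line.partition(":")
        headers[key.strip().lower()] = val.strip()
    return lines[0], headers


def validate_handshake(raw: str) -> Tuple[bool, str]:
    """Accept only a WebSocket upgrade addressed to this device from its own UI."""
    _request_line, h = parse_request(raw)
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    host = h.get("host", "")
    if host not in DEVICE_HOSTS:
        # DNS rebinding leaves the attacker's hostname here (e.g. attacker.example)
        # even though the TCP connection arrived on the device's own address.
        return False, f"host header {host!r} does not name this device"
    origin = h.get("origin", "")
    if origin not in ALLOWED_ORIGINS:
        # The browser sets Origin itself, so a third-party page's script is
        # rejected here even if Host happened to match.
        return False, f"origin {origin!r} not allowed"
    return True, "ok"


def make_request(host: str, origin: str) -> str:
    """Build a constructed client handshake for the checks above."""
    return ("GET /ws HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Upgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            f"Origin: {origin}\r\n"
            "Sec-WebSocket-Version: 13\r\n"
            # Sample key taken from RFC 6455's handshake example.
            "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n")


# A request from the device's own UI, and one from a page whose hostname the
# browser has been tricked (by rebinding) into resolving to the device.
LEGIT = make_request("192.168.100.1", "http://192.168.100.1")
REBOUND = make_request("attacker.example", "http://attacker.example")

if __name__ == "__main__":
    print("legit  :", validate_handshake(LEGIT))
    print("rebound:", validate_handshake(REBOUND))
```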

The research team created a proof-of-concept (POC) exploit and tested it successfully against multiple firmware versions on several cable modems from Sagemcom, Netgear, Arris, Compal and Technicolor. A full list of modems and firmware versions that were confirmed to be vulnerable is available on the aforementioned website. Also available is the POC code, which allows users to check whether their particular cable modem may also be susceptible to the threat.

What (else) to do?

The researchers also said that they had notified as many of the largest ISPs and manufacturers as possible, with varying success: “Some of the contacted ISPs have informed us that they have or are rolling out firmware updates; however, we are still missing updates from several, and some have wished not to be listed on this website”. People who have received their cable modem from their ISP will probably need to wait for their provider to ship the update, unless this has happened already.

In the meantime, BankInfoSecurity quoted Broadcom as saying that the company “made the relevant fix to the reference code and this fix was made available to customers in May 2019”.

On a positive note, the researchers said that they’re not aware of actual in-the-wild attacks abusing Cable Haunt. Indeed, the attacks are not trivial to carry out.

14 Jan 2020 – 05:23PM

Windows 7 end of life: Time to move on

Today, Microsoft is officially pulling the plug on its support for Windows 7. What’s your plan?

As the adage goes, “all good things must come to an end”. And so it is with Windows 7. It received a distinctly warmer welcome than its predecessor, Vista, when it first graced our personal computers in October 2009. The immensely popular operating system (OS) sold over 630 million licenses and introduced a slew of improvements and a new look. After over 10 years of supporting it, Microsoft is officially retiring the OS by ending its Extended Support today.

But, as of December 2019, Windows 7 still commanded over 26% of the Windows market share, a figure that includes millions of home users. So, what does the end of life of Windows 7 mean for all those people who still run the operating system?

You may become an easy target

Most of all, it means leaving your computer more vulnerable. Microsoft will no longer support Windows 7, which means you will no longer receive security updates, nor will you get any technical support from Microsoft customer service. While Microsoft will not stop you from using Windows 7 and you can keep on browsing the internet and accessing your email, in a way you will be choosing to do so at your peril.

Now, you may argue that you use the latest version of a reputable security solution. We commend your proper cybersecurity habits but, unfortunately, it won’t help if bad actors find a new vulnerability in the operating system. If they can uncover and exploit the security hole, they can install all manner of malware on susceptible machines, wreaking havoc and potentially dealing insurmountable damage.

What you may be exposing yourself to

By technology standards, your machine is running on an antiquated operating system that won’t be patched in the future and will be disregarded by Microsoft (barring special circumstances – think the BlueKeep vulnerability and Windows XP and Windows Server 2003). The software that will be running on it may receive updates until the developer decides otherwise, so it may still work.

As for the OS itself, it has now become more susceptible to various forms of malware and other threats. Examples of malicious code that may possibly compromise unpatched computers include ransomware, similar to the one that hit some towns in the state of Texas last year, or spyware, which you can read up on in this article. Computers with unpatched operating systems don’t have to be hit, but they are easier targets.

RELATED READING: Windows 10 security and privacy: An in‑depth review and analysis

Options to consider when upgrading

So, what are your options? Simply put, you may want to consider upgrading at last. Biting the bullet and shouldering the expense of upgrading can save you from picking up the tab for a costly cyberattack.

On the bright side, if you were thinking about switching to another system, there is no better opportunity than now. You have several options to choose from. You can opt for Linux, which offers a number of distributions (the name for Linux operating systems) such as Ubuntu, ElementaryOS, or alternatively you can take a peek at some of the distros we discussed in one of our recent articles.

If you have a more creative streak and don’t really want to delve deep into configuring your system, you might want to consider purchasing a macOS machine. If you’re a jack-of-all-trades, then upgrading to Windows 10 would be the way to go.

Unfortunately, if you’re reading this article now, you’ve missed the window (pun intended) to upgrade to Windows 10 for free. If you want to upgrade to Windows 10 on your old machine, you should refer to Microsoft’s recommendations on the topic. As you can see, there are myriad options available to choose from – you just have to pick one that fits your needs the best.

Conclusion

Moving from a decade-old, now-unsupported operating system is just the first step in the right direction. Now that you’re running on a supported operating system, you still have to be on top of your cybersecurity game. Never underestimate patching your system – it just might save you from threats like the infamous WannaCryptor, aka WannaCry. Last, but not least: always have a reputable security solution installed on your machine that can go a long way towards securing your existence in the cyberworld.

14 Jan 2020 – 11:30AM

5 major US wireless carriers vulnerable to SIM swapping attacks

When it comes to protection against this insidious type of scam, the telcos’ authentication procedures leave a lot to be desired, a study finds

Five major US wireless carriers – AT&T, T-Mobile, Verizon, Tracfone and US Mobile – are susceptible to SIM swap scams, a danger apparently looming large especially over prepaid accounts, a study by Princeton University researchers has found.

SIM swapping attacks, also known as port-out or SIM swap scams, have been a serious and growing problem of late, with their victims including Twitter CEO Jack Dorsey. It has previously been shown that attackers can, with relative ease, execute these attacks to commandeer control of people’s phone numbers. From there, they can break into the victims’ banking, social media and other accounts that use the same phone number for multi-factor authentication.

To test the carriers’ resilience to this type of fraud, the researchers created 10 simulated identities with all the bells and whistles, including names, dates of birth, and addresses. For each identity, they registered a prepaid account with all five wireless carrier providers, totaling 50 phone numbers. They then created a trail of phone calls and text messages, giving the accounts an aura of credibility.

Research assistants (RAs) then went on to pose as bad actors and called the companies’ customer support representatives, trying to hoodwink them into unwittingly completing a successful SIM swap. If the “scammers” weren’t able to provide correct responses to the authentication challenges, they would feign ignorance and intentionally provide false answers. This hardly mattered in the end, however.

Example scenario (source: An Empirical Study of Wireless Carrier Authentication for SIM Swaps)

“When providing incorrect answers to personal questions such as date of birth or billing ZIP code, RAs would explain that they had been careless at signup, possibly having provided incorrect information, and could not recall the information they had used,” reads the paper.

The customer service staff then resorted to other methods of authentication, some of which turned out to be easily subvertible. The questionable methods included asking about recently dialed numbers or recent payment information. When it comes to prepaid accounts, this is easily bypassed if you use a refill card.

Worryingly, the would-be scammers needed to pass only one of the tests to be authenticated, even if they had failed several previous challenges. In the researchers’ own words, “attackers generally only needed to target the most vulnerable authentication challenges, because the rest could be bypassed”.

RELATED ARTICLE: Simple steps to protect yourself against identity theft

The carriers were notified about the shortcomings of their authentication procedures so that they could respond appropriately. T-Mobile, for one, said it had “discontinued the use of call logs for customer authentication”, reads the study.

In addition, the researchers also analyzed 145 websites that use phone-based authentication to determine how SIM swap scams could help an attacker compromise a user’s account. They found that 17 of them could be compromised with just a SIM swap.

On a related note, one day before the research was published, members of the United States Congress happened to send a letter to Federal Communications Commission (FCC) chairman Ajit Pai. The letter urged the FCC to require mobile carriers to bolster the security of users against SIM swap fraud.

13 Jan 2020 – 05:28PM

Week in security with Tony Anscombe

Some takeaways from CES 2020 – Firefox update plugs a zero-day – Facebook cracks down on deepfakes

Writing from the CES floor, ESET security researcher Cameron Camp notes how cities that seek to become smart lack a road map that includes security, as well as why car manufacturers have resisted using standards such as Automotive Grade Linux. Also this week, Mozilla released a new version of its Firefox browser to address a critical vulnerability that is being abused in the wild. Meanwhile, Facebook is banning deepfakes while making additional policy changes in an attempt to curb the spread of manipulated media. All this – and more – on WeLiveSecurity.com.