Google will test new feature in Chrome to curb phishing

The web browser will only display domain names as a way to help people recognize impostor websites


What is the cost of a data breach?

The price tag is higher if the incident exposed customer data or if it was the result of a malicious attack, an annual IBM study finds


Twitter working to fix issue with 2FA feature

An apparent glitch is preventing a number of users from signing into their accounts

A number of Twitter users from around the globe report experiencing problems when attempting to log into their accounts. The microblogging site is investigating what seems to be a glitch in its verification systems that is affecting some people who utilize text messages or automated phone calls as an added means of authentication.

We’re looking into account verification codes not being delivered via SMS text or phone call. Sorry for the inconvenience, and we’ll keep you updated as we continue our work to fix this.

— Twitter Support (@TwitterSupport) August 10, 2020

Meanwhile, numerous complaints have been piling up in the Twitter Support thread, with many people claiming that the bug isn’t exactly new. Some users insist that they have been experiencing the issue for weeks, while others mentioned that the glitch has led to their accounts being suspended.

Users who rely on SMS messages or phone calls for two-factor authentication (2FA) can alternatively use a single-use back-up code that was generated by Twitter when they activated 2FA. The recovery code can also be useful when you lose your phone, obviously assuming you saved the code in a secure place in the first place.

Generally speaking, while SMS-based 2FA is better than not using the added factor at all, the social media giant offers two more – and safer – 2FA authentication methods: an authentication app and a physical security key.

Twitter introduced 2FA back in 2013 but it wasn’t until last November that it stopped requiring users to supply their phone numbers when activating 2FA – even when they wanted to use either of the two safer methods.

Among other things, SMS-based 2FA falls short of protecting people against SIM swapping attacks, which is also how the account of the platform’s CEO Jack Dorsey was hijacked last year.

Speaking of account takeovers, Twitter was thrust into the spotlight last month after experiencing one of the biggest data breaches in its history.

Black Hat 2020: Fixing voting – boiling the ocean?

With the big voting day rapidly approaching, can the security of the election still be shored up? If so, how?

Following the Black Hat keynote about voting security, we wonder how fixing elections might be possible in the next few months, with U.S. elections rapidly approaching and any fix requiring a massive, coordinated effort at immense expense. Is that possible? If so, how likely?

It’s hard to quick-fix a many-headed monster decades in the making.

Since each state has its own say about running its own election, with predictably differing approaches, it all filters upward to create a federal mess. Couple that with the impracticality of building something secure quickly on tight budgets, and with reduced public mobility during a pandemic, and you can see the problem.

No pressure.

Add to that the training cycle needed to get a whole multitude of energized volunteers up to speed on whatever systems are to be replaced in record time.

What to do? Folks out in Oregon dust off a rousing chorus of “paper ballots only!” But can the rest of the states in a federal election year do the same? Hardly. With fewer than 100 days to go, the federal government couldn’t hand out free beer to the electorate, let alone overhaul to paper.

And how would you staff massive change? Many election volunteers would probably have a difficult time setting up and securing a home router, so they can’t be reliably trusted to stop election hacking with a few tools, even if they had the time and inclination.

At Black Hat you get reamed for even mentioning blockchain in any presentation, but there, I said it. Every sticky accounting problem was supposed to be fixed by blockchain. Turns out the software challenges of making blockchain behave in an election context are similar to those of any other software project. Good software is hard. Software isn’t perfect because people aren’t perfect – even if they have a blockchain at their disposal. And you couldn’t do it quickly.

In all likelihood, there will be a bevy of trust-building statements from everyone with “election” in the name of their organization. Organizations will over-promise and sit nervously by hoping nothing really bad happens, with few tools to measure if it did. Not much comfort for those running for office, or those seeking to elect them.

What IS possible is enlisting some security wonks to get the best instrumentation on the subject between now and the big voting day. If those embroiled in the voting festivities can coax security folks to help between now and then, we’ll be so much the better.

It seems plausible – after engaging the security community meaningfully – to produce two deliverables:

Assume a breach of integrity is imminent and develop a meaningful response plan. As data people, we’re good at being thrust into situations with few facts and expected to tell C-level folks both what could happen and how to respond to minimize impact. We’re good at this.

Start a long-term plan now to build a secure election stack. We’re good at that sort of thing too. That doesn’t mean eliminating any possibility of compromise, but making it far more expensive for the perpetrators.

Meanwhile, the giant droves of bots and their masters will attempt to swing the needle on public sentiment, making its veracity even more opaque.

Fixing voting will take time, but not as much time as it took us all to get into this mess. There is hope in the end.

Week in security with Tony Anscombe

ESET highlights new research at Black Hat 2020 – What to do if your data was stolen in the Blackbaud breach

This week, the cybersecurity community ‘met up’ at the virtual Black Hat 2020, and ESET researchers elaborated on their discovery of the KrØØk vulnerability, revealing that variants of the same bug also affect Wi-Fi chips produced by other brands. Also at the virtual conference, ESET researchers introduced Stadeo, a set of scripts intended to help fellow researchers deobfuscate the code of Stantinko and other malware. Meanwhile, we looked at what you should know if your personal data was stolen in the recent data breach at Blackbaud. All this – and more – on WeLiveSecurity.com.

Small and medium‑sized businesses: Big targets for ransomware attacks

Why are SMBs a target for ransomware-wielding gangs and what can they do to protect themselves against cyber-extortion?

According to the World Bank, small and medium-sized businesses (SMBs) play a huge role in most economies, accounting for 90% of businesses worldwide and representing over 50% of employment. These are businesses that range from family-owned restaurants, through startups to established businesses with several hundred employees on their payrolls.

Besides being instrumental to countries’ economies, another thing SMBs share is that they are often ill-prepared to deal with cyber-threats. Such incidents can vary, from distributed denial-of-service (DDoS) attacks resulting in hours of downtime and revenue loss, to malware attacks, including those involving ransomware, that may ultimately cause a company to go out of business.

Why are SMBs a target?

While large enterprises may present themselves as more lucrative prey, SMBs are an attractive target due to their lack of resources to defend against such attacks.

According to a recent report by the Ponemon Institute, the biggest challenge faced by SMBs is a shortage of personnel to deal with cyber-risks, attacks, and vulnerabilities, while the second greatest problem revolves around limited budgets. The third biggest challenge is that the firms may lack an understanding of how to protect against cyberattacks.

With that in mind, it stands to reason that the employees wouldn’t be able to identify potential threats or attacks. The Ponemon report points out as much, stating that when companies experienced ransomware attacks, the most frequent attack vectors were phishing and social engineering, with spoofed websites coming in second and malvertisements taking third place.

This goes to show how underestimating proper cybersecurity training can hurt your company in the long run. While proper training may be a costly investment, having to deal with the aftermath of a ransomware attack can prove to be even costlier.

What’s the cost of being hit?

According to Datto’s report, ransomware is at the top of the list of the malware threats that SMBs face, with one in five reporting that they had fallen victim to a ransomware attack. The average ransom requested by threat actors is about US$5,900. However, that is not the final price tag; the cost of downtime is 23 times greater than the ransom requested in 2019, coming in at US$141,000 and representing an increase of over 200% from 2018 to 2019.

And you still haven’t factored in other costs – the discovery of the attack, investigation, containment, recovery, and reputational damage. Then you still have to account for the cost of the information lost.

Some businesses may opt for paying the ransom to limit their downtime and restore access to sensitive files, but there are no guarantees. The cybercriminals behind the ransomware may keep increasing the ransom, and even if you pay up, you can’t be sure that you’ll recover all the data, so the damage will still be done.

“Funding cybercriminals also funds larger cyberattacks, so it must be reiterated that paying won’t always make the issue go away,” says ESET cybersecurity specialist Jake Moore.

What are your options?

Clearly, you want to avoid a successful ransomware attack in the first place. The key, then, is prevention, and it includes these basic measures:

All employees should undergo regular training so as to be up-to-date on cybersecurity best practices. This can go a long way in lowering the chances of them clicking on potentially hazardous links in their emails that could be laced with ransomware or plugging in unknown USB devices that could be loaded with malware.

You should always keep your operating systems and other software updated to the newest version available and, whenever a patch is released, apply it.

Always plan for the worst and hope for the best, so have a business continuity plan at the ready in case disaster strikes. It should include a data backup and maybe even a backup infrastructure you can use while you try to restore your locked systems.

Backups are essential for everyone, be it individuals or huge enterprises. Back up your business-critical data regularly and test those backups frequently to see if they are functioning correctly, so that they don’t leave you in a bind if you’re hit. At least the most valuable data should also be stored off-line.

Reduce the attack surface by disabling or uninstalling any unnecessary software or services. Notably, as remote access services are often the primary vector for many ransomware attacks, you would be well advised to disable internet-facing RDP entirely or at least limit the number of people allowed remote access to the firm’s servers over the internet.

Never underestimate the value of a reputable, multilayered security solution. Besides your employees, it is your first line of defense that you should have up and running to protect you against all manner of threats, not ‘just’ ransomware attacks. Also, make sure the product is patched and up-to-date.

Further reading:

Social engineering and ransomware
Ransomware: Should you pay up?
The economics of ransomware recovery

Beyond KrØØk: Even more Wi‑Fi chips vulnerable to eavesdropping

At Black Hat USA 2020, ESET researchers delved into details about the KrØØk vulnerability in Wi-Fi chips and revealed that similar bugs affect more chip brands than previously thought

From KrØØk to finding related vulnerabilities

KrØØk (formally CVE-2019-15126) is a vulnerability in Broadcom and Cypress Wi-Fi chips that allows unauthorized decryption of some WPA2-encrypted traffic. Specifically, the bug has led to wireless network data being encrypted with a WPA2 pairwise session key that is all zeros instead of the proper session key that had previously been established in the 4-way handshake. This undesirable state occurs on vulnerable Broadcom and Cypress chips following a Wi-Fi disassociation.

Figure 1. Overview of KrØØk – following a disassociation, data is transmitted encrypted with an all zero session key

Exploiting KrØØk allows adversaries to intercept and decrypt (potentially sensitive) data of interest and, when compared to other techniques commonly used against Wi-Fi, exploiting KrØØk has a significant advantage: while they need to be in range of the Wi-Fi signal, the attackers do not need to be authenticated and associated to the WLAN. In other words, they don’t need to know the Wi-Fi password.

We worked with the affected vendors (as well as ICASI) through a responsible disclosure process before we first publicly disclosed the flaw at the RSA Conference in February 2020. The ensuing publicity brought the issue to the attention of many more chipset and device manufacturers, some of which discovered they also had vulnerable products – and have since deployed patches. We are maintaining a list of related vendor advisories on this webpage[1].

While we did not observe CVE-2019-15126 in other Wi-Fi chips than Broadcom and Cypress, we did find that similar vulnerabilities affected chips by other vendors. These findings were first presented at Black Hat USA 2020 and we’re briefly outlining them below.

Qualcomm – CVE-2020-3702

One of the chips we looked at, aside from those from Broadcom and Cypress, was by Qualcomm. The vulnerability we discovered (which was assigned CVE-2020-3702) was also triggerable by a disassociation and led to undesirable disclosure of data by transmitting unencrypted data in the place of encrypted data frames – much like with KrØØk. The main difference is, however, that instead of being encrypted with an all-zero session key, the data is not encrypted at all (despite the encryption flags being set).

The devices we tested and found to have been vulnerable are the D-Link DCH-G020 Smart Home Hub and the Turris Omnia wireless router. Of course, any other unpatched devices using the vulnerable Qualcomm chipsets will also be vulnerable.

Following our disclosure, Qualcomm was very cooperative and in July released a fix to the proprietary driver used in their officially supported products. Not all devices with Qualcomm chips use this proprietary driver, however – in some cases open-source Linux drivers, such as the upstream “ath9k” driver, are used instead. As ath9k is not actively developed by Qualcomm, it’s not clear at the time of writing whether it will receive a patch from Qualcomm or from the open-source community.

MediaTek and Microsoft Azure Sphere

We also observed the manifestation of a similar vulnerability (i.e. lack of encryption) on some Wi-Fi chips by MediaTek.

One of the affected devices is the ASUS RT-AC52U router. Another one is the Microsoft Azure Sphere development kit, which we looked into as part of our Azure Sphere Security Research Challenge partnership. Azure Sphere uses MediaTek’s MT3620 microcontroller and targets a wide range of IoT applications, including smart home, commercial, industrial and many other domains.

According to MediaTek, software patches fixing the issue were released during March and April 2020. The fix for MT3620 was included in Azure Sphere OS version 20.07, released in July 2020.
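The Qualcomm and MediaTek variants above share one observable symptom: a data frame whose Protected Frame bit is set but whose payload is plaintext. The following is an added example (not ESET’s released test script) of a passive capture check for that symptom; it assumes raw 802.11 MAC frames with the radiotap header and FCS removed, and the sample capture at the bottom is constructed for demonstration.

```python
"""Heuristic check for the variant described above: data frames sent with the
Protected Frame bit set but a plaintext payload (Qualcomm CVE-2020-3702 and
the MediaTek bug). Added example, not ESET's released test script. Frames are
assumed to be raw 802.11 MAC frames (radiotap header and FCS removed); the
sample capture at the bottom is constructed for demonstration."""
import struct

LLC_SNAP_PREFIX = bytes.fromhex("aaaa03")   # every cleartext 802.11 data payload starts with LLC/SNAP
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_DISASSOC = 10
FC_PROTECTED, FC_TODS, FC_FROMDS = 0x4000, 0x0100, 0x0200


def parse_frame(frame: bytes) -> dict:
    """Extract the MAC header fields the check needs."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a minimal 802.11 MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    hdr_len = 24
    if ftype == TYPE_DATA and subtype & 0x8:     # QoS Data adds a 2-byte QoS Control field
        hdr_len += 2
    if fc & FC_TODS and fc & FC_FROMDS:          # WDS frames carry a fourth address
        hdr_len += 6
    return {"type": ftype, "subtype": subtype, "protected": bool(fc & FC_PROTECTED),
            "addr1": frame[4:10], "addr2": frame[10:16], "body": frame[hdr_len:]}


def classify_body(protected: bool, body: bytes) -> str:
    """Is the payload consistent with the Protected Frame bit?"""
    if not protected:
        return "cleartext"                       # an open-network frame, not the bug
    if body.startswith(LLC_SNAP_PREFIX):
        return "suspect"                         # flag says encrypted, bytes say plaintext
    if len(body) >= 8 and body[3] & 0x20:        # CCMP/TKIP header carries the ExtIV bit in byte 3
        return "encrypted"
    return "unknown"


def scan(frames: list) -> list:
    """Report protected-but-plaintext data frames, noting whether the transmitter
    took part in an earlier disassociation (the trigger the research describes)."""
    findings, disassociated = [], set()
    for index, raw in enumerate(frames):
        info = parse_frame(raw)
        if info["type"] == TYPE_MGMT and info["subtype"] == SUBTYPE_DISASSOC:
            disassociated.update((info["addr1"], info["addr2"]))   # either side may be the affected chip
            continue
        if info["type"] == TYPE_DATA and classify_body(info["protected"], info["body"]) == "suspect":
            findings.append({"frame": index,
                             "transmitter": info["addr2"].hex(":"),
                             "after_disassociation": info["addr2"] in disassociated})
    return findings


# --- constructed sample capture (not real traffic) -------------------------
def _frame(fc: int, a1: bytes, a2: bytes, a3: bytes, body: bytes, qos: bool = False) -> bytes:
    hdr = struct.pack("<H", fc) + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00"
    return hdr + (b"\x00\x00" if qos else b"") + body

AP, STA, OTHER = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003"))
PLAINTEXT_IP = bytes.fromhex("aaaa0300000008004500003c1c46400040060000c0a80001c0a80002")
CCMP_PAYLOAD = bytes.fromhex("0100002000000000") + bytes.fromhex("9f3c7ab21e0d44c5a7e6f2a0b3c4d5e6")
SAMPLE_FRAMES = [
    _frame(SUBTYPE_DISASSOC << 4, STA, AP, AP, b"\x08\x00"),                                    # AP disassociates STA
    _frame(TYPE_DATA << 2 | FC_PROTECTED | FC_TODS, AP, STA, AP, PLAINTEXT_IP),                    # bug: flag set, plaintext
    _frame(TYPE_DATA << 2 | 0x80 | FC_PROTECTED | FC_FROMDS, STA, AP, AP, CCMP_PAYLOAD, qos=True),  # healthy CCMP frame
    _frame(TYPE_DATA << 2 | FC_TODS, AP, OTHER, AP, PLAINTEXT_IP),                                 # open network, benign
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FRAMES):
        print(finding)   # {'frame': 1, 'transmitter': '02:00:00:00:00:02', 'after_disassociation': True}
```

The check deliberately does not cover the original KrØØk case (traffic encrypted under an all-zero key), which needs CCMP decryption rather than header inspection.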

Release of testing script

As more than five months have passed since we publicly disclosed the KrØØk vulnerability – and several proofs-of-concept have been published by independent researchers – we’ve decided to release the script we’ve been using to test whether devices are vulnerable to KrØØk. We have also included tests for the newer variants described here. This script can be used by researchers or device manufacturers to verify that specific devices have been patched and are no longer vulnerable.

Special thanks to our colleague Martin Kalužník, who greatly contributed to this research.

[1] If you have an advisory you would like added to this list please contact us at threatintel[at]eset.com.

Blackbaud data breach: What you should know

Here’s what to be aware of if your personal data was compromised in the breach at the cloud software provider

Is yet another data breach newsworthy enough to write a blogpost? Probably not, unless there is a personal connection or something interesting. In the case of Blackbaud, for me, there are both. The majority of Blackbaud’s customers are non-profit organizations such as universities, one of which held data relating to someone I know. That university, as required by the European Union’s General Data Protection Regulation, sent an official notification of the breach to my friend, which they immediately forwarded to me, realizing its significance and that I might have an opinion. They were right – especially as the notification states the recipients of the notice need to do nothing but remain vigilant and report anything suspicious.

Blackbaud, a cloud software company, disclosed that they had been the victim of an attempted ransomware attack. Between their cybersecurity team, a forensics expert and law enforcement it was successfully thwarted. Unfortunately, the perpetrator, before being locked out, copied a subset of data which they then offered to delete for an undisclosed sum of money. Blackbaud paid the ransom-to-delete and received confirmation the data had been destroyed. They claim to have taken this action because “protecting our customers’ data is our top priority”.

Funding cybercriminals in this way has many consequences: they may come back later knowing you have a willingness to pay, it may encourage others to attack, and notably it funds this bad actor to launch an attack on the next victim. As with the current pandemic, it’s only when we all work together that we can rid the world of the bad stuff, like cybercriminals, and the actions of Blackbaud or any company paying cybercriminals could be viewed as self-serving.

The email notification from the University of York in the United Kingdom, notifying one of the true victims of this crime (my friend), whose data has potentially been breached. The university provides a detailed explanation of the situation and numerous ways to contact it for assistance.

The notification gives a detailed list of the types of information involved: name, gender, date of birth, email address, phone number, and many other personal data elements such as extracurricular activities, profession, employer and educational attainment. Data with this level of detail could be used in a variety of ways – identity theft and spearphishing being among the most likely. A well-crafted phishing email leveraging personal information about an interest, activity, occupation, or employer or competitor is likely to yield a higher click-through rate and potential credential theft for a cybercriminal than a more generic phishing spam email.

What’s missing?

As you can see in the email, the advice is to do nothing other than stay vigilant and report any suspicious activity. Providing some guidance on the types of threat that could be potentially unleashed would seem to be the minimum any organization should offer. An option that many companies suffering a data breach take is to offer identity theft monitoring, either through a specialized company or a credit monitoring agency.

Identity theft monitoring services scour the dark web looking for information such as email addresses or social security numbers and alert you if someone attempts to get credit in your name. The offering of such a service, which would normally cost the victim upwards of US$100 per year for a base service, shows responsible behavior and good will, and I am sure pacifies regulatory bodies investigating the breached organization’s behavior.

RELATED READING: Simple steps to protect yourself against identity theft

In this instance no identity theft protection monitoring service was offered, so I advised my friend to ask if the university or Blackbaud intended offering it. Sure enough, the university came back nearly instantly with the details of how to sign up and the offer for a no-cost, one-year subscription. I wonder how many of the victims are knowledgeable enough to know that such a service exists or that they should be asking for it? In my opinion it should be a mandatory offering to all victims.

Let me recap; no action needed and no identity theft protection offered – unless you request it. I hope you can feel the frustration in my words!

The broader picture

Getting an email stating your data has been involved in a data breach is not unusual, but just how many breaches are there and how many people do they affect?

Under the California Consumer Privacy Act, all businesses and state agencies are required by law to notify a California resident if they suspect or know that unencrypted personal information has been acquired by an unauthorized person. The law also requires a copy of the notification to be provided to the California Attorney General if it has been sent to more than 500 California residents. For the 30 days of June 2020, 38 such notifications were listed on the Attorney General’s website, some of which do relate to the Blackbaud data breach.

If we assume this rate is typical and scale based on California and world population estimates, we would expect approximately 7,500 data breaches per month. According to statista, between 2005 and 2019 inclusive, data breaches in the US averaged a little over 155,000 records per breach. I know this is a flawed way of calculating a statistic but indulge me… If we apply statista’s average records per breach to our estimate of 7,500 breaches per month worldwide, we get an estimate of an annual total of just under 14 billion records breached. Another way to view this is that every person’s data is breached almost twice a year.

There are so many data breaches that it’s hard to keep up with just how many times your personal information may have been stolen by a despicable, low-life cybercriminal. Maybe there should be an award each year for the person that has been the victim of the most data breaches and an award for the person that

NSA shares advice on how to limit location tracking

The intelligence agency warns of location tracking risks and offers tips for how to reduce the amount of data shared

The United States’ National Security Agency (NSA) has published guidance on how to reduce the variety of risks that stem from having your location tracked when using smartphones, IoT devices, social media and mobile apps. Despite being geared towards military and intelligence personnel, the advice can be useful for anybody who’s looking to limit their location exposure.

“Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations,” according to the intelligence agency.

The guidance notes that a powered-on smartphone exposes your location – regardless of whether or not you’re actively using the device. “Mobile devices inherently trust cellular networks and providers, and the cellular provider receives real-time location information for a mobile device every time it connects to the network. This means a provider can track users across a wide area,” said the agency.

On a related note, a smartphone can reveal its location even if both the Global Positioning System (GPS) and cellular service are offline or disabled – relying on Wi-Fi and Bluetooth connections to do the ‘job’. This could provide ample opportunity for adversaries to track their targets using wireless sniffers, even if their potential victims aren’t using any of the wireless connections actively, said the NSA.

The intelligence agency also stressed the need to distinguish between location services, which are services provided by devices to apps, and GPS. “Perhaps the most important thing to remember is that disabling location services on a mobile device does not turn off GPS, and does not significantly reduce the risk of location exposure. Disabling location services only limits access to GPS and location data by apps,” according to the agency.

And it’s not just phones…

Similar risks are associated with other devices that send and receive wireless signals, including all sorts of Internet of Things (IoT) devices, fitness trackers, medical equipment, and smart home devices. However, staying safe while using these devices is easier said than done, not least because many of these gadgets don’t provide the option to turn their wireless features off. Indeed, the privacy and security of IoT devices in general leave a lot to be desired.

RELATED READING: Privacy of fitness tracking apps in the spotlight after soldiers’ exercise routes shared online

The agency also noted that many mobile apps request users’ permissions for location tracking although it isn’t necessary for them to operate. “Apps, even when installed using the approved app store, may collect, aggregate, and transmit information that exposes a user’s location,” said the NSA. ESET Chief Security Evangelist Tony Anscombe recently discussed the issue at length.

How to limit the risks

“While it may not always be possible to completely prevent the exposure of location information, it is possible – through careful configuration and use – to reduce the amount of location data shared,” said the NSA. To this end, the agency shared a bunch of tips on how to reduce the amount of location data shared and so mitigate the risks of being tracked. They include:

disabling location services settings on your device.
disabling all the radio transmitters while you’re not using them (Bluetooth and Wi-Fi).
using a Virtual Private Network to help conceal your location.
giving apps as few permissions as possible.
being very cautious about what you share on social media; metadata on pictures, for example, could contain location information.