Tag: security

By Eric Limer for Popular Mechanics 

Twitter is suggesting all users change their passwords as a precaution after a reported glitch caused some passwords to be stored in plain text. If you’ve ever used your Twitter password for another service, you’d be wise to change it in both places.

Twitter says there is no evidence of a breach, but the error would have allowed any snoopers inside the system to scoop up unprotected passwords with ease. Typically, passwords are “hashed” before they are stored, a process which transforms the password into a unique series of numbers and letters that can’t be translated back into the actual sequence of characters you type in. This prevents hackers from snagging a phrase they can try on your other accounts.

Even with no evidence of an actual breach, this bug serves as a good reminder for some basic security hygiene. Use unique passwords for every service you use; a password manager can help you keep track of them all. Turn on two-factor authentication where available (it is available on Twitter). And while you’re at it, go look at the apps that have access to your account. These apps, if they’re insecure themselves, can offer hackers a limited way into your account without ever having to figure out your password.

Make your router hacker-proof

By Sandeep Nair Narayanan, Anupam Joshi and Sudip Mittal for The Conversation 

In late April, the top federal cybersecurity agency, US-CERT, announced that Russian hackers had attacked internet-connected devices throughout the U.S., including network routers in private homes. Most people set them up – or had their internet service provider set them up – and haven’t thought much about them since. But it’s the gateway to the internet for every device on your home network, including Wi-Fi connected ones. That makes it a potential target for anyone who wants to attack you, or, more likely, use your internet connection to attack someone else.

As graduate students and faculty doing research in cybersecurity, we know that hackers can take control of many routers, because manufacturers haven’t set them up securely. Router administrative passwords often are preset at the factory to default values that are widely known, like “admin” or “password.” By scanning the internet for older routers and guessing their passwords with specialized software, hackers can take control of routers and other devices. Then they can install malicious programs or modify the existing software running the device.

Once an attacker takes control
There’s a wide range of damage that a hacker can do once your router has been hijacked. Even though most people browse the web using securely encrypted communications, the directions themselves that let one computer connect to another are often not secure. When you want to connect to, say, theconversation.com, your computer sends a request to a domain name server – a sort of internet traffic director – for instructions on how to connect to that website. That request goes to the router, which either responds directly or passes it to another domain name server outside your home. That request, and the response, are not usually encrypted.

A hacker could take advantage of that and intercept your computer’s request, to track the sites you visit. An attacker could also attempt to alter the reply, redirecting your computer to a fake website designed to steal your login information or even gain access to your financial data, online photos, videos, chats and browsing history.

In addition, a hacker can use your router and other internet devices in your home to send out large amounts of nuisance internet traffic as part of what are called distributed denial of service attacks, like the October 2016 attack that affected major internet sites like Quora, Twitter, Netflix and Visa.

Has your router been hacked?
An expert with complex technical tools may be able to discover whether your router has been hacked, but it’s not something a regular person is likely to be able to figure out. Fortunately, you don’t need to know that to kick out unauthorized users and make your network safe.

The first step is to try to connect to your home router. If you bought the router, check the manual for the web address to enter into your browser and the default login and password information. If your internet provider supplied the router, contact their support department to find out what to do.

If you’re not able to login, then consider resetting your router – though be sure to check with your internet provider to find out any settings you’ll need to configure to reconnect after you reset it. When your reset router restarts, connect to it and set a strong administrative password. The next step US-CERT suggests is to disable older types of internet communications, protocols like telnet, SNMP, TFTP and SMI that are often unencrypted or have other security flaws. Your router’s manual or online instructions should detail how to do that.

After securing your router, it’s important to keep it protected. Hackers are very persistent and are always looking to find more flaws in routers and other systems. Hardware manufacturers know this and regularly issue updates to plug security holes. So you should check regularly and install any updates that come out. Some manufacturers have smartphone apps that can manage their routers, which can make updating easier, or even automate the process.

By Alison DeNisco Rayome for Tech Republic

Microsoft is doubling down on its promise to rid the world of passwords and replace them with more convenient and secure options, the company announced in a Tuesday blog post.

“Nobody likes passwords. They are inconvenient, insecure, and expensive,” according to the post. The tech giant wants to deliver on two key promises: That end users “should never have to deal with passwords in their day-to-day lives,” and to replace passwords with “user credentials [that] cannot be cracked, breached, or phished.”

Microsoft first made a move to reduce password use with Windows Hello, introduced in Windows 10, which uses biometric sensors to verify a user’s identity based on a fingerprint or face scan. It has since introduced the Authenticator app, which allows users to log into their Microsoft account on their desktop using their phone. Finally, Microsoft is working with the Fast Identity Online (FIDO) working group to update Windows Hello with physical FIDO2 security keys that allow for more secure authentication.

The Windows Hello FIDO2 Security Key feature is now in limited preview, the post noted.

“At its core, our fundamental philosophy is simple: devalue the password, and replace it with something that eradicates its use for the end user and drains its value for an attacker,” according to the post.

The Windows 10 April 2018 Update includes the ability to do just that, the post noted: Using Windows 10 in S mode, cloud users (with Managed Service Account or Azure Active Directory) can use their PC without ever entering a password. Users can take advantage of this feature by setting up the Microsoft Authenticator App, installing the Windows 10 April 2018 Update with S mode enabled, and setting up Windows Hello.

To achieve a password-less future for all devices, Microsoft laid out a four-step plan:

1. Develop password-replacement offerings. This would involve replacing passwords with a new set of alternatives that retain the positive elements of passwords while also improving their shortcomings.

2. Reduce user visible password-surface area. Microsoft wants to upgrade all elements in the lifecycle of a user’s identity, including provisioning of an account, setting up a new device, and accessing apps and websites, to make sure they work with password replacements.

3. Simulate a password-less world. This means helping end users and IT administrators to transition into a password-less world easily.

4. Eliminate passwords from the identity directory. Deleting passwords from the identity directory represents “the final frontier,” according to the post.

It remains to be seen if other tech giants will follow Microsoft’s lead and eliminate passwords. With the rise of biometric security in a number of fields, the future for businesses could very well be password-less.

Ropemaker: a new email security weakness

Most people live under the assumption that email is immutable once delivered, like a physical letter. A new email exploit, dubbed ROPEMAKER by Mimecast’s research team, turns that assumption on its head, undermining the security and non-repudiation of email, even for those who use S/MIME or PGP for signing.

Using the ROPEMAKER exploit a malicious actor can change the displayed content in an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.

Described in more detail in a recently published security advisory, Mimecast has been able to add a defense against this exploit for our customers and also provide security recommendations that can be considered by non-customers to safeguard their email from this email exploit.

So what is ROPEMAKER?

The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.

Clearly, giving attackers remote control over any aspect of one’s applications or infrastructure is a bad thing. As is described in more depth in the ROPEMAKER Security Advisory, this remote-control-ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security savvy users. ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which experience tells us, is often unlimited.

[Figure: the delivered email before and after post-delivery modification, made without direct access to the user’s desktop; images not reproduced here]
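The mechanism described above depends on the mail client fetching style rules from a server the sender still controls after delivery. A gateway-side check, added here as an example (not Mimecast’s code; the two sample messages are constructed), that lists every remote stylesheet reference in a message’s HTML parts so the message can be stripped or quarantined before it reaches the inbox:

```python
"""Remote-CSS scanner for HTML e-mail: an added illustration, not Mimecast's code.
ROPEMAKER-style changes rely on the mail client fetching style rules from a
server the sender still controls after delivery; listing those references lets
a gateway strip or quarantine the message. The sample messages are constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser

# @import "http://..." or @import url(http://...) inside <style> blocks
IMPORT_RE = re.compile(r"@import\s+(?:url\(\s*)?['\"]?(https?://[^'\")\s;]+)", re.I)
# url(http://...) inside style rules or style="" attributes
URL_RE = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.I)


class RemoteCssFinder(HTMLParser):
    """Collect {url: kind} for every stylesheet reference that points off-host."""

    def __init__(self):
        super().__init__()
        self.remote_refs = {}
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower():
            href = attrs.get("href", "")
            if href.lower().startswith(("http://", "https://")):
                self.remote_refs.setdefault(href, "link")
        elif tag == "style":
            self._in_style = True
        for url in URL_RE.findall(attrs.get("style", "")):
            self.remote_refs.setdefault(url, "inline-style")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands the whole <style> body to handle_data in one call
        if not self._in_style:
            return
        for url in IMPORT_RE.findall(data):
            self.remote_refs.setdefault(url, "import")
        for url in URL_RE.findall(data):
            self.remote_refs.setdefault(url, "url")


def remote_css_in_message(raw_message: bytes) -> dict:
    """Return {url: kind} for remote CSS found in every text/html part of a message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = RemoteCssFinder()
        finder.feed(part.get_content())
        finder.close()
        for url, kind in finder.remote_refs.items():
            findings.setdefault(url, kind)
    return findings


def _mime(html: str) -> bytes:
    """Wrap constructed HTML in a minimal single-part MIME message (sample data)."""
    return ("From: sender@example.test\r\nTo: recipient@example.test\r\n"
            "Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
            "Content-Type: text/html; charset=\"utf-8\"\r\n\r\n" + html).encode("utf-8")


# Constructed sample: the body pulls style rules from a remote server.
SUSPECT_EMAIL = _mime('<html><head><link rel="stylesheet" href="https://css.example.test/invoice.css">'
                      '<style>@import url("https://css.example.test/more.css"); p{color:#222}</style>'
                      '</head><body><p>Please review the attached invoice.</p></body></html>')

# Constructed sample: all styling is inline, so nothing is fetched after delivery.
CLEAN_EMAIL = _mime('<html><head><style>p{color:#222}</style></head>'
                    '<body><p style="font-weight:bold">Meeting moved to 3pm.</p></body></html>')
```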

To date, Mimecast has not seen ROPEMAKER exploited in the wild. We have, however, shown it to work on most popular email clients and online email services. Given that Mimecast currently serves more than 27K organizations and relays billions of emails monthly, if these types of exploits were being widely used it is very likely that Mimecast would see them. However, this is no guarantee that cybercriminals aren’t currently taking advantage of ROPEMAKER in very targeted attacks.

For details on email clients that we tested that are and are not exploitable by ROPEMAKER and the specifics on a security setting recommended by Apple for Apple Mail, please see the ROPEMAKER Security Advisory.

Is ROPEMAKER a software vulnerability, a form of potential application abuse/exploit, or a fundamental design flaw resulting from the intersection of Web technologies and email? Does it really matter which it is? For sure attackers don’t care why a system can be exploited, only that it can be. If you agree that the potential of an email being changeable post-delivery under the control of a malicious actor increases the probability of a successful email-borne attack, the issue simplifies itself. Experience tells us that cybercriminals are always looking for the next email attack technique to use. As an industry let’s work together to reduce the likelihood that the ROPEMAKER style of exploits gains any traction with cybercriminals!

by Matthew Gardiner for Mimecast


Cybercriminals could have access to hundreds of millions of Android smartphones’ data. This conclusion was reached after Check Point uncovered four vulnerabilities.

The security firm released a report that showed Android devices running Qualcomm chipsets are at risk from a threat dubbed QuadRooter.

The affected devices include smartphones from BlackBerry, Blackphone, Google Nexus, HTC, LG, Motorola, OnePlus, Samsung and Sony Xperia.

“Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing,” says Adam Donenfeld, a member of the Check Point mobile research team.

The attacker would then potentially be able to control devices and could access capabilities such as GPS tracking, and recording video and audio.

The weaknesses were found in software drivers that come with Qualcomm chipsets.

“The drivers, controlling communication between chipset components, become incorporated into Android builds manufacturers develop for their devices,” the company said in the report.

“Pre-installed on devices at the point of manufacturing, these vulnerable drivers can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers can only issue patches after receiving fixed driver packs from Qualcomm.”

After discovering the faults, Check Point let the chip manufacturer know in April.

Qualcomm confirmed to the firm it would release patches to the device manufacturers. It is then up to the manufacturers to send updates to smartphones already sold, and for end-users to install them.

“This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end-users,” says Donenfeld.

Check Point has developed a QuadRooter scanner app that is available free on Google Play. Running it will tell users if these vulnerabilities exist on their device.

Smartphone models which could be at risk include:

  • BlackBerry Priv
  • Blackphone 1 and Blackphone 2
  • Google Nexus 5X, Nexus 6 and Nexus 6P
  • HTC One, HTC M9 and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2 and OnePlus 3
  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra

While the vulnerabilities unearthed by Check Point are serious, Google has said it has an app pre-installed onto most affected devices that will automatically block a malicious app from being downloaded.
A Google spokesperson told Android Central: “Exploitation of these issues depends on users also downloading and installing a malicious application. Our Verify Apps and SafetyNet protections help identify, block and remove applications that exploit vulnerabilities like these.”

However, Android phones that do not come with Google Play Services installed will still be at risk.

The spokesperson also said Google has released a security patch that protects against three of the vulnerabilities and is working on a patch for the fourth.

Smartphone manufacturer BlackBerry has released a statement saying it is aware of QuadRooter and a fix for BlackBerry’s Android devices has been tested and pushed to customers.

Risky behaviour
Much has been done by partners to mitigate the vulnerabilities and protect the device owners.

Those most at risk will be users who side-load Android apps, by downloading APK files, or those who have disabled Google’s Verify Apps feature.

Side-loading apps is often used to acquire apps that are not available in certain regions, like the mobile game Pokémon Go and music app Spotify.

Check Point recommends downloading and installing the latest Android updates as soon as they become available, carefully examining app permissions before giving access, and avoiding app downloads from third-party sources.

By Lauren Kate Rawlins for www.itweb.co.za

Over half (59%) of women in South Africa value the photos and videos they store on their phones more than anything else on the device – compared to 43% of men, according to a survey by Kaspersky Lab and B2B International. However, despite over a quarter of women worrying about the online safety of these images, many still fail to implement even basic security measures.

The study globally also found that while women are more likely than men to share with others photos of themselves (48%) and of people they know (40%) – compared to 43% and 33% of men respectively – one of their greatest security concerns, named by 29%, is the safety of their pictures and videos should a cyber-criminal gain access to their device.

Locally, one in four women worries that these images and other information could be shared inappropriately or without their consent, causing embarrassment and hurt if sent to the wrong person (45%) or even damage relationships (41%).

Despite this, many fail to appreciate how vulnerable they are to possible cyber-attacks – just 25% believe they could be a target, compared to 26% of men. As a result they don’t implement safety measures to safeguard their treasured photographs or other sensitive information stored on their device. Unlike men, up to 16% of women locally admit they don’t protect their device with a password and 15% of women do not use any form of security solution at all.

This lack of understanding about risk is confirmed by the fact that in a recent global security quiz, 27% of women admitted that they do not back up their devices, thereby risking the loss of all their precious photos, videos and files if their device is stolen or damaged. Men are more prepared by comparison, with 80% of men agreeing that they back up their devices.

“It is not surprising that women use and value the information stored on connected devices differently from men. Devices play an important role in storing and sharing our happy memories and maintaining our relationships through email and text. Women worry more about the emotional impact on others should their devices be stolen or hacked. Celebrities aren’t the only ones to worry about what might happen if their private images were to be publicly exposed. The only way to prevent this from happening is to take basic security precautions to keep what’s precious safe. We encourage women to start effectively protecting their devices to keep their precious information and photos safe,” says David Emm, principal security researcher at Kaspersky Lab.

In order to prevent cybercriminals from accessing images, videos and other precious data, files stored on digital devices should be protected by passwords and encryption. Files should also be regularly backed up so that if the device is stolen or damaged, they are not lost forever. If this data is shared or copied, it should be encrypted, so that even if it falls into the wrong hands, it will remain protected. Kaspersky Total Security – multi-device protects data on multiple mobile devices, allowing women – and men – to enjoy their mobile devices whilst remaining secure against cyberthreats.

In a piece of advice that seemingly contradicts everything else we’ve ever heard, GCHQ has recommended you should change your password less often.

According to the spy agency’s cybersecurity arm, forcing people to change their passwords regularly is ineffectual, because they are likely to choose a new password that is very similar to the old one.

They are also more likely to write the new password down, for fear of forgetting it. This increases the risk of the password falling into the wrong hands.

“Attackers can exploit this weakness,” says the Communications-Electronics Security Group (CESG). “The new password may have been used elsewhere, and attackers can exploit this too.”

Instead of forcing a changed password at regular intervals, it recommends organisations provide users with information on when their account was last activated.

GCHQ says sticking to the same password for a long time – unless it’s something like ABC123 – is a good idea.

The news comes as a new study into online privacy reveals that one in three Brits secretly know their partner’s passwords.

The survey by money-saving website VoucherCodesPro has revealed the UK’s attitude to trusting loved ones with our passwords.

It discovered that almost three quarters of us have looked through social media messages on someone else’s account without their permission.

The team responsible for the study polled 2,211 UK adults between 18 and 45 who have been in their current relationship for at least two years.

Initially respondents were asked if their partner let them access their social media channels when they wanted to; 51% of respondents stated they did. Respondents were then asked if their partner had let them know their password for social media channels, 21% stated they had.

Following straight on from this, all respondents were then asked if they knew their partner’s password without them being aware of this – with 34% stating they did.

Researchers asked these participants how they found out their partner’s password: 59% stated they ‘guessed’ it, 37% said they ‘keyboard watched’ and the remaining 4% asked their partner’s friends.

As to what those sneaky snoopers got up to once they’d accessed their partner’s accounts – the researchers provided a list:

  • Looked through social media messages – 74%
  • Looked through the photo gallery – 59%
  • Looked through emails – 54%
  • Looked through browser history – 46%
  • Looked through bank statements – 39%

George Charles, spokesperson for www.VoucherCodesPro.co.uk, made the following comments regarding the study:

“Being open with your partner is incredibly important and snooping at their social media channels or any private documentation just isn’t the way to achieve a healthy relationship,” said George Charles, a spokesperson for VoucherCodesPro.

“Knowing your partner’s password without their knowledge will only lead to trouble. It suggests you are looking for something and if you look hard enough, you will always find something to convince you that your fear is real.”

By Jeff Parsons for www.mirror.co.uk

Online shopping is a convenient way to find, compare, and purchase items in South Africa.

However, as security breaches increase and attacks grow more sophisticated, buyers need to take greater care with their personal and banking information.

Besides standard security precautions such as keeping your operating system, anti-virus, and browser up-to-date, you should also keep the following security tips in mind.

Watch out for scam specials
If you get a promotional e-mail from a retailer, even one you are familiar with, never click on a link – ever.

That’s the advice from Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.

Levin said two problems could occur:

  • The destination the link points to could contain malware used to steal your passwords.
  • You could be directed to a clone site that looks like the retailer’s, which is used to harvest your identity and credit card details.

Levin said shoppers must go directly to a shop’s URL and avoid following links from promotional messages.


Read reviews
Before using a store for the first time, Levin said buyers must read independent reviews to ensure the site is reputable.


Check the security certificate
Shoppers should always check an online store’s security certificate.

This can be done by clicking the lock icon next to the site’s URL in the address bar.

You can also take this a step further and test a site’s Transport Layer Security (TLS) using a tool such as the Qualys SSL Labs server tester.

Using public Wi-Fi or computers
While TLS helps protect against the dangers of unsecure networks such as public Wi-Fi, it is best to avoid shopping over public connections.

Similarly, users don’t know what software might be watching their activity on a public computer, so it is best not to use one when shopping online.

Re-using passwords
Another security mistake is using the same password on two or more Web sites.

Using a unique password for each site guards against an attacker needing only a single stolen password to get into every site where you have registered an account.

Saving billing information
If someone gets their hands on your password for an online shopping site and you have saved your credit card information, they might be able to buy items with your money.

Sites which save card and CVV numbers are prime examples.

Digital voucher codes or gift cards are a popular purchase among attackers in this instance.

Source: www.mybroadband.co.za

Can you shop online safely?

In our modern society, shopping and the Internet go together like bacon and eggs. After all, why leave home when you could be eating said food items and shopping simultaneously? To this end, shopping online is one of the most convenient things that modern technology has brought to us.

What makes online shopping so attractive is that it is convenient and it is instant. But is it secure? Yes and no. Remember, online security is only as good as the amount of effort expended and the systems put in place by the merchant to ensure you enjoy a secure experience.

“In recent years, shopping online has become much more convenient via mobile payment solutions,” states Gregory Anderson, country manager at Trend Micro South Africa. “However it’s important to note that when you are dashing through multiple sites on the Web from the comfort of your armchair, your accounts and financial transactions could be compromised by countless prying eyes. Due to the nature of e-commerce and the thousands of options for online shops, it can sometimes be hard to tell if you’re dealing with a legitimate merchant or a bogus one.”

According to Anderson, shopping online bears the same perils as shopping in store. You as an individual can’t rely on the merchant to shoulder all the risk; you need to become just as savvy as you would be if you were shopping in modern-day Hillbrow. What’s more, while we are all keen to secure our credit card information, online shopping doesn’t just pose a threat to your credit details but to your general privacy too.

Now that data breaches and incidents of hacking and identity theft are becoming more common, online shoppers should protect themselves against likely attacks that could threaten their privacy. There are a number of different methods that can be used to invade a user’s privacy and, sooner or later, an unaware user is bound to run into threats such as phishing, online scams, spam, Internet fraud and malicious URLs.
Here are a few general tips on how to secure and maintain your privacy and security when shopping online:

• Double-check URLs – if you hadn’t already bookmarked your favorite shopping site’s payment page and still rely on typing in names, always double check the URL. Cybercriminals can easily replace payment pages and apps with fake ones. One way to tell if a site is secure is by checking the security lock indicator (HTTPS instead of HTTP). HTTPS is more secure.

• Use an official online shopping app – if you’re an avid mobile shopper, make sure to use the official online shopping app and avoid third-party apps for secure transactions.

• Always use strong and secure passwords – attackers can easily hack online accounts, including banking and social media accounts. Since these accounts contain sensitive and personal details, it’s important that you use unique hard-to-crack passwords across all devices and change them regularly.

• Use a secure network – if you’re using a mobile device to pay, make sure that you are using the official payment app, and that you’re accessing a secure and private network.

• Think before you click – being scammed online could translate to an eventual invasion of your privacy. Before you click on unverified posts, messages or ads, think twice and stay away from suspicious-looking offers. They’re most likely used as bait to lead you to phishing sites. Check with official sites rather than relying on social media posts.

“Shopping online can be safe. But just be alert and be aware. Web threats are no longer limited to malware and scams. Attackers know that the more you perform any online activities, the more you increase the risk of revealing information about yourself – especially when you’re looking to make a purchase. Searching for items alone could lead you from one Web site to another, which increases the chance of stumbling upon a malicious one.

“So set yourself a small regime of ensuring the above each time you enter a new site. If you can do that, you will almost be assured of shopping securely and with the peace of mind you crave,” Anderson concludes.

My Office News Ⓒ 2017 - Designed by A Collective

