How to protect your Roblox account from hackers with two-step verification (2SV)

How to protect your Roblox account from hackers with two-step verification (2SV)

Accounts on the popular online gaming platform keep getting hacked. So, how can you better protect your Roblox account?

First things first. Make sure that you are using a unique, hard-to-crack password for your Roblox account. That means not using a simple, easy-to-guess password, dictionary words, or passwords that you are using anywhere else online.

That last point is particularly important, perhaps the biggest mistake internet users make when it comes to securing their accounts is to use the same password in multiple places. Reusing passwords across different services means that if a hacker breaches one website’s password database they can then use those passwords to see if they unlock your other online accounts.

For instance, Mark Zuckerberg had his Twitter, LinkedIn, Instagram and Pinterest accounts hacked in 2016 because he was using the same password for them as he’d been using on LinkedIn, which suffered a password breach in 2012.

But choosing a unique, strong, password isn’t enough. That password could still be phished from you, for instance.

And that’s why I recommend that computer users enable two-factor authentication or two-step verification (read this if you want to know the difference) where available, to add an extra step to the login process.

Email

Email

Sign up to our newsletterSign up to Graham Cluley’s newsletter – “GCHQ”
Security news, advice, and tips.

How to enable two-step verification (2SV) for your Roblox account

Having logged into your Roblox account from a desktop or laptop computer, click on the cog in the upper-right hand corner of the screen and choose “Settings”.

Roblox cog

Roblox cog

Choose the “Settings” tab, and enable “2 Step Verification”.

Roblox settings

Roblox settings

Note that if you haven’t already done so, you will need to give Roblox an email address (and verified it) before enabling two-step verification. The reason why Roblox requires this will become clear in a moment.

Your account is now protected.

Roblox 2sv enabled

Roblox 2sv enabled

Next time you attempt to log into Roblox, the site will ask you for not just a username and password, but also a six digit code.

Roblox verification dialog

Roblox verification dialog

This is the reason why Roblox requires you to give it a verified email address. Upon attempting to login, you should have received in your email a message from Roblox containing the temporary verification code.

Roblox verification email

Roblox verification email

Of course, if it wasn’t you trying to access your Roblox account you now have a heads-up that someone else was… and that maybe your username and password have been compromised.

Email-based 2SV, not app-based

Users who are familiar with 2FA and 2SV will notice that there’s a difference between how Roblox has implemented two-step verification and the way that many other online services do it.

Many websites these days offer app-based 2SV where an authenticator app – often running on the user’s smartphone – generates a six digit code to help the user authenticate their identity.

The idea is that a hacker might have managed to grab your password, but they won’t – hopefully – have physical access to your smartphone.

Roblox, unfortunately, does not offer users the option of app-based 2SV. Instead when you attempt to log into an account protected by 2SV, Roblox will send a code to your email address. And that’s the code you enter to complete your login.

That’s certainly better protection than simply defending your Roblox account with a username and password, but it’s not going to be much help if a hacker has also managed to compromise your email account, and so is able to view the verification code that Roblox has just emailed to you.

My guess is that Roblox feels it’s easier to support two-step verification conducted only via email, particularly with a userbase largely made up of youngsters.

But it seems a shame that Roblox is not offering the option of app-based authentication which has been adopted by so many other sites.

Read more about two-factor authentication and two-step verification:

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Follow me for more information.

Cybersecurity staff are on edge for the same reason that there are no cooks on the ISS: Organizations are carefully watching expenses for jobs that don’t require dedicated team members.

There are no cooks in space.

Think about it: When we picture the great seagoing voyages of discovery, there were cooks, chandlers, medics, and all sorts of other support staff. But that’s not the case in space. And the reasons why have critical echoes for professionals in cybersecurity.

Today, it costs roughly $10,000 to put one pound into orbit. If you pick a weight of 150 pounds for a space cook, that means it would cost $1.5 million just to get the cook into orbit. Add in food, clothes, and all the other material required to support a human, and it starts to be an awful lot of money for someone to sling hash for astronauts.

The cost of putting stuff in orbit means that everything that goes into the payload section of a rocket has to be directly tied to the mission at hand. There just isn’t room in the budget for much in the way of support.

When you talk to executives in enterprise IT today, you hear some of the same language. Everything — everything — that companies are doing right now is focused on bringing in revenue. If it isn’t tied to the balance sheet’s top line, it’s not a priority.

Core Competency
We all have to admit that security is rarely tied to increasing revenue. Business trends have somewhat predictably swung between definitions of “core competency” that were laser-focused on the primary product or service being sold, and those that include all important support tasks. A global pandemic has moved the needle squarely toward the “laser focus” side of the spectrum. And that means many security professionals find themselves feeling like a NASA astro-cook: It’s a nice idea but an awfully expensive way to get the job done.

At the same time, though, what we haven’t seen is a broad enterprise move to the modern astronaut model in IT. On modern space flights, there are no cooks because the astronauts — typically highly trained test pilots, PhD scientists and engineers, or both rolled into a very highly skilled package — cook their own food. They also straighten up after themselves, clear any sanitation issues, and act as mechanics for the craft when something goes wrong.

In all of these cases, the focus is on the mission and the people carrying out the mission. The support functions are simply tacked onto their primary tasks. In business, you tend to see this degree of task-stacking in only the smallest companies, where the assumption is that the various support tasks won’t actually be done very well. Specialization and expertise are benefits that larger enterprises are presumed to be able to access: Will the coronavirus epidemic take away these advantages as it takes office culture and free coffee?

Competence, Cost, and Core Business
Anecdotally, enterprises are responding in a couple of ways. First, they have for some time been shifting perimeter protection and security analysis to managed security service providers (MSSPs). As I talk with CISOs and CIOs, it seems that the pandemic has accelerated this transition, even as organizations work to firm up the knowledge necessary to properly write contracts and manage relationships with the service providers.

Next, there are companies that have decided to list security in the “nice to have” category, accepting the risk that they might have a security incident before they’re able to restart their normal spending.

Some companies say they’re adopting something closer to the astronaut model, adding security responsibilities to the job descriptions of IT generalists and even line-of-business employees. While some IT generalists can become quite competent at IT security, turning enterprise “mission specialists” into cybersecurity staff isn’t realistic if for no other reason than the fact that cybersecurity has become a complex and demanding specialty. Most organizations feel they’ve done well if they can take employees out of the “adversary” category and into a neutral classification — pulling them all the way into the “security staff” is an orbit too far.

Security’s Value
Ultimately, the question will come down to security’s value to the organization’s mission. Over the past few years I’ve had many conversations with CISOs and other senior cybersecurity executives about what might take security out of the purely expense accounting category. While I’ve heard many optimistic statements about reducing transitional friction for customers and employees, most experts acknowledge that security is an expense rather than a revenue-producing activity.

Right now companies of all sizes are re-evaluating expenses once thought to be essential. The expense for office space is one such example that comes immediately to mind as ripe for rethinking. Cybersecurity isn’t in that category because almost everyone can see that working from home requires a different security strategy than one in which most employees are coming into the office. (That new model requires a new analogy and another column, so I won’t get into it here.)

The fact is that, until business revenue increases on a broad basis and cybersecurity’s profile in the enterprise is raised, executives will see most cybersecurity staff in the same light as astronaut cooks: something that’s really useful, but an awfully expensive way to get the job done.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

encrochat encrypted pgp phone

In a joint operation, European and British law enforcement agencies recently arrested hundreds of alleged drug dealers and other criminals after infiltrating into a global network of an encrypted chatting app that was used to plot drug deals, money laundering, extortions, and even murders.

Dubbed EncroChat, the top-secret encrypted communication app comes pre-installed on a customized Android-based handset with GPS, camera, and microphone functionality removed for anonymity and security.

EncroChat phones aim to securely exchange data and messages with pre-loaded apps for secure instant messaging, VOIP calling, self destruct messages, and includes a ‘kill code’ functionality to let users remotely wipe complete data in times of trouble.

The handset and its services, which cost around £1,500 for a six-month subscription, had 60,000 users worldwide and approximately 10,000 users in the United Kingdom.

“EncroChat phones were presented to customers as guaranteeing perfect anonymity (no device or SIM card association on the customer’s account, acquisition under conditions guaranteeing the absence of traceability) and perfect discretion both of the encrypted interface (dual operating system, the encrypted interface being hidden so as not to be detectable) and the terminal itself (removal of the camera, microphone, GPS and USB port),” Europol said.

[embedded content]

However, the encrypted communication network was not so secure, as French and Dutch police successfully hacked into the network and analyzed millions of messages and hundreds of thousands of images in real-time, “over the shoulder of the unsuspecting senders.”

International law enforcement authorities successfully dismantled Encrochat and disrupted one of the key communication networks used by some of the most severe offenders.

The National Crime Agency, Europol and Metropolitan Police on Thursday announced that they shut down the EncroChat servers and arrested 746 suspects, including two law enforcement officers, which resulted in the seizure of:

  • over £54 million in illegal cash,
  • 77 firearms, including an AK47 assault rifle, submachine guns, handguns, four grenades, and over 1,800 rounds of ammunition
  • More than two tonnes of Class A and B drugs
  • Over 28 million Etizolam pills (street Valium) from an illicit laboratory
  • 55 high-value cars, and 73 luxury watches

The NCA also worked closely with policing partners to successfully mitigate more than 200 threats to life by preventing rival gangs from carrying out kidnappings and executions on Britain’s streets.

“In early 2020, EncroChat was one of the largest encrypted digital communication providers with a very high share of users presumably engaged in criminal activity. User hotspots were particularly present in source and destination countries for cocaine and cannabis trade, as well as in money laundering centers,” Europol said.

Law enforcement agencies claimed to have cracked the encryption code of EncroChat in March this year and began penetrating data from April 1. On June 13, EncroChat realized the platform had been penetrated and sent a message to users urging them to throw away their devices as its servers had been compromised by law enforcement.

hacker arrested

“A large number of suspects have also been arrested in several countries which were not participating in the JIT (joint investigation team) but particularly affected by the illegal use of these phones by individuals active in organized crime, including in the UK, Sweden, and Norway,” Europol said.

“The effects of the operation will continue to echo in criminal circles for many years to come, as the information has been provided to hundreds of ongoing investigations and, at the same time, is triggering a very large number of new criminal investigations of organised crime across the European continent and beyond.”

Follow me for more information.

Sponsored Business Email Compromise (BEC) and Email Account Compromise (EAC) are the most expensive cyber threats facing businesses around the globe. The FBI’s Internet Crime Complaint Center (IC3) reports that both scams have resulted in worldwide losses of $26 billion since 2016 – with $1.7 billion in the last year alone.

No organisation is immune – nearly 90% experienced these types of attacks in 2019. In the past year alone, victims have ranged from the tiny Florida city of Ocala to Japan’s largest media conglomerate, via a national museum in the Netherlands, racking up losses of over $33 million between them.

While the basic methodology is similar, each attack has its own unique personality – a web of ploys and psychological tricks, combining elements of phishing, social engineering, spoofing and wire fraud. In both cases, the attacker, posing as a trusted contact, tricks the victim over email into wiring money or sending sensitive data.

In the event of a BEC attack, these fraudulent emails are sent from spoofed or lookalike domains and display-names. Where EAC is concerned, the attacker takes over the actual email account of someone the victim trusts — in essence, becoming that trusted person.

Both are incredibly difficult to spot. By their very nature, successful attacks appear convincing. They are carefully designed not to stand out, trigger defences or arouse suspicions. What’s more, BEC and EAC tactics are complex, multifaceted and ever-changing.

This makes defending against them a considerable challenge. Just as organisations thwart one threat, another appears elsewhere in an incredibly high-stakes game of whack-a-mole.

That said, while fighting BEC and EAC is difficult, it’s not impossible. But doing so requires company-wide awareness and understanding of both common attack methods and the best ways to limit their chances of success.

A threat-aware cyber defence

While this type of attack has grown more refined, targeted, and inconspicuous in recent years, there remains a few tell-tale signs of BEC and EAC.

Ensuring every member of your organisation, across all levels, is aware of these red flags will significantly increase your chances of defending against them. Common warning signs include: Time-sensitive requests: The longer an account is spoofed or compromised, the greater the chance of arousing suspicion. Cybercriminals know this. They also know that victims are most likely to make mistakes under pressure.

That’s why fraudulent requests are often time-sensitive.

An attacker may ask for an urgent ‘last-minute change’ to an invoice or make a request at the end of the workday, stressing that it must be completed before the close of business.

Personal requests: Spoofing the personal email address of an executive or employee allows cybercriminals to bypass corporate defences and adds a more personal touch to the scam.

Posing as a legitimate contact, attackers may email to say they are out of the office and have received a request from a critical supplier to change payment information. Victims will be asked to help, ‘just this once’, to ensure payments are not delayed.

Direct requests from the supply chain: An increasingly popular attack method involves the use of supplier identities, whether spoofed or compromised.

Posing as a third-party allows attackers to circumvent internal controls and make direct requests for changes to payment information. This approach also adds an extra degree of separation, as employees may not be as familiar with suppliers as they are with their colleagues.

Fighting an insidious threat

Whatever the threat, a successful cyber defence must always combine technology, process, and people.

Your organisation should be equipped with controls, particularly on email and cloud accounts, to monitor network access, authenticate domains, and flag malicious content.

Beyond this, you need processes in place to verify all requests for expedited payment or changes to banking information. Better still, ensure that any request concerning finance or other sensitive data is authenticated at multiple points, and never solely by email. Next comes the most important tool in your arsenal – your people. Once an account is successfully compromised, any requests sent to or from it are unlikely to trigger network controls.

With the attacker inside your network, it is your people who quickly become the last and only line of defence. The consequences for this line of defence failing can be severe. That’s why you must equip your end-users with the knowledge and education to detect and deter malicious communications.

This is only possible through comprehensive, ongoing, adaptive cybersecurity training that evolves to reflect the latest threat landscape. Training must be much more than a once-a-year box-ticking exercise.

Employees not only need to be aware of common attack methods, but they must also have a deep-seated understanding of the vital role they play in protecting your organisation from those attacks. The result is a culture within which cyber defence is everyone’s responsibility.

None of these strategies alone can protect your organisation from BEC and EAC attacks. But combined, they create a multi-layered, complex, and people-centric defence – one that could save your business from becoming yet another sorry statistic.

Sponsored by Proofpoint

Follow me for more information.

Network administrators are urged to patch their F5 BIG-IP application delivery controllers following the disclosure of a pair of critical remote takeover bugs.

The flaws in question, CVE-2020-5902 and CVE-2020-5903, lie within in a configuration tool known as the Traffic Management User Interface. Successful exploitation results in full admin control over the device.

In the case of CVE-2020-5902, the hole puts the equipment at risk of arbitrary code execution, while CVE-2020-5903 is a JavaScript-based cross-site-scripting vulnerability. CVE-2020-5902 has a CVSS score of 10 out of 10, which is not good, while CVE-2020-5903 has a lower, but still serious, score of 7.5.

“The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network,” said Mikhail Klyuchnikov of Positive Technologies who discovered and reported the vulnerabilities to F5.

patch

Hold off that rush into the July 4 weekend – you may need this: Microsoft patches pwn-by-picture pitfalls in Win 10

READ MORE

“RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation.”

These flaws are particularly bad because the vulnerable BIG-IP gear is generally used by large enterprises to handle traffic to and from critical applications. A successful attack could potentially be disastrous for Fortune 500 companies that make up F5’s userbase.

Admins are advised to update their firmware as soon as possible. The flaws are present in BIG-IP versions 11 through 15, and the updated versions, released this week, are 15.1.0.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, and 11.6.5.2. BIG-IQ and Traffix SDC products are not vulnerable.

Fixing the bugs could be a bit of a pain, as the app delivery gear by definition sits in between critical application servers and users on the network, and patching could mean downtime. Those in the US might want to take advantage of the upcoming holiday weekend.

Ideally, the vulnerable traffic management interface is not exposed to the open internet. However, it is estimated more than 10,000 devices running the software could be facing the public web. Positive Technologies reckons that figure is at least 8,000. Gulp. ®

Follow me for more information.

Security experts discuss the rise in cybercrime affecting sub-Saharan Africa and the necessary changes to improve security.

The use of technology is rapidly expanding across sub-Saharan Africa, putting its people and businesses at risk as cybercriminals take advantage. Experts say this trend emphasizes a critical need for new policies and tools designed for the region’s distinct operating environment.

IDC data shows sub-Saharan Africa’s ICT market is predicted to grow from $95.4 billion in 2020 to $104.2 billion by 2023. Technologies including cloud, social media, and big data are all key areas of growth and components to a sharp rise in digital crime. The World Economic Forum considers cybercrime one of the three greatest threats to Africa, where sub-Saharan nations lose millions of dollars to cyberattacks each year – a very large sum in proportion to their GDP.

Cybersecurity consultant Laura Tich and security researcher Evelyn Kilel noticed a lack of data on the security landscape of sub-Saharan Africa when designing a curriculum for members of Shehacks_KE. The duo co-founded this organization to create a community of women in infosec across Kenya. They offer educational initiatives like meetups, bootcamps, and webinars, and partner with organizations to see where they can help fill the gaps in security talent.  

Their own research and professional experience have given Tich and Kilel greater insight into the region’s security threats. Mobile banking, for example, is ripe for attack. “Mobile money and mobile platforms are the key platforms where we transact, where we process our cashflows,” Kilel explains. Africa leads the world in the use of mobile money transfers, she and Tich say, with an estimated 14% of its citizens receiving money via mobile transfers like Kenya’s MPesa.

Mobile money is a prime target; both users and providers are hit with different kinds of attacks. Social engineering and reverse engineering are common on financial platforms. Social media has also become a popular space for social engineering threats. “When it comes to mobile money and social media, some of our biggest threats are mainly human-based,” Tich says.

Where Sub-Saharan Businesses Stand
While progress has been made in enterprise cybersecurity, work remains to be done. Small and midsize enterprises (SMEs) typically have small budgets and tend to not include cybersecurity, Tich says. Many companies make security an afterthought. Larger firms tend to have stronger security departments, she adds, and some have bug-bounty programs.

“We can say the bigger organizations do know the value of cybersecurity while the smaller organizations, as much as they might know about cybersecurity, they do not have the budget for it, so it becomes a problem,” she explains.

SMEs are adapting to their situations by moving to the cloud, which allows them to pay as they go, minimize their infrastructure, and operate more easily, Kilel says. Most work with Google Cloud and AWS; however, she adds that more businesses are also moving toward Azure. Last year Microsoft opened its first Africa Development Center in Kenya and Nigeria. Tich expects this will lead to technological growth, “but we also need people to come in with security expertise.”

As much as the region is catching up, Tich notes security will continue to pose a problem to enterprises. Some organizations, especially larger ones, still use legacy systems that are susceptible to cyberattacks and may fear telling clients if an incident takes place. The technology, human attack vectors, budget, and economy all determine how attacks are constructed and the attacker’s approach to specific platforms in the sub-Saharan region.

How to Improve: Brainstorming Policies and Solutions
In building out their SheHacks_KE educational efforts, Tich and Kilel realized there wasn’t much data for them to work with.

“There’s little to no data about the cybersecurity field, or the cybersecurity landscape, in sub-Saharan Africa,” says Tich. “And we realized that this is a problem because if we do not know what is needed, then we won’t know what solutions to offer.” Research is essential, she adds, as it helps them better explain to companies why they need a certain security tool or skill set.

In addition to improved research, the experts point to a need for effective policies and tools designed for the distinct operating environment of the sub-Saharan region. Most organizations struggle with limited budget, high cost of security products, use of pirated versions of security tools, and the absence of sufficient tools to provide accurate data. They propose encouraging local security pros to develop open source or affordable tools for the local market.

They also emphasize the need for policies on an organizational and national level to address security incidents, voicing a need for better data protection policies to protect both people and businesses from cybercrime. If data is stolen, there should be a process to take care of it.

“Policies are important on an organizational level, but it’s very important also from a regional and national level,” Tich says. “We have to work with policymakers, other techies, other security professionals, and other stakeholders in order to come up with better cybersecurity policies for the regions.”

Tich and Kilel will share insights into the sub-Saharan security landscape, along with proposed policies and solutions, in their upcoming Black Hat USA talk, “Building Cyber Security Strategies for Emerging Industries in Sub-Saharan Africa,” to take place on Aug. 6, 2020.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

The Apache Project’s popular Guacamole open-source remote desktop software contained vulns allowing remote attackers to steal login creds and hijack targeted machines, researchers have said.

Israeli infosec outfit Check Point discovered the reverse RDP flaws, an attack method that allows a compromised host to transmit malware to a clean client machine opening a remote desktop protocol (RDP) session with it.

The Apache Foundation has issued patches for Guacamole following Check Point’s research, which resulted in two CVEs (2020-9497 and 2020-9498). Readers who haven’t patched it lately should do so immediately.

Guacamole is an open-source RDP gateway product. At its simplest, once installed on a server inside a corporate network, Guacamole lets users point their web browsers at a given address to log in and work on their remote machines as normal.

“Knowing that vulnerabilities in FreeRDP [a similar open-source RDP utility whose protocol is available through Guacamole] were only patched on version 2.0.0-rc4, this means that all versions that were released before January 2020 are using vulnerable versions of FreeRDP,” Check Point researcher Eyal Itkin said in a canned statement.

This inspired Check Point to probe older versions of Guacamole, which it surmised would support earlier, vulnerable versions of FreeRDP.

In the reverse attack scenario it tested, Check Point’s researchers uncovered a use-after-free memory vuln which, combined with flaws in how Guacamole handled FreeRDP audio (detailed at the link above), gave them arbitrary read and write privileges on the target server.

These, the researchers found, could be linked to a privilege escalation vuln through the guacd Guacamole process. After hijacking a guacd instance on the compromised server, the researchers noticed that new Guacamole connections were spawned using fork() – without using execve().

“A forked process contains the entire memory snapshot of its parent, and that snapshot is replaced with a new image when execve() is called,” Check Point said. “Without this crucial call, the child process inherits the entire memory address space of its parent.”

With the memory address space thus mapped, the researchers simply added themselves to each and every conversation of interest.

Omri Herscovici, vulnerability research team leader at Check Point, said in a statement: “While the global transition to remote work is a necessity, we cannot neglect the security implications of such remote connections, especially as we enter the post-coronavirus era.

“This research demonstrates how a quick change in the social landscape directly affects what attackers might focus their efforts on. In this case, it’s remote work.” ®

Follow me for more information.

Left unpatched, pair of vulnerabilities could give attackers wide access to a victim’s application delivery network.

Two vulnerabilities, including one with a Common Vulnerability Scoring System (CVSS) score of 10, have been discovered in the F5 BIG-IP application delivery controller. Both vulnerabilities have now been patched in updates available to BIG-IP customers.

The more serious of the two, CVE-2020-5902, was a remote code execution vulnerability in the Traffic Management User Interface (TMUI). By exploiting this vulnerability, an unauthorized user could create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets. Positive Technologies researcher Mikhail Klyuchnikov noted that this vulnerability is especially dangerous for that minority of BIG-IP owners who have exposed the TMUI to the Internet, where it can be discovered by tools such as Shodan.

The other vulnerability, CVE-2020-5903, is a cross-site scripting vulnerability in the BIG-IP Configuration utility. It could allow JavaScript with the permission of the targeted user, in the worst case allowing for remote arbitrary code execution without authorization. This vulnerability received a CVSS score of 7.5.

Both vulnerabilities have been patched in the most recent versions of BIG-IP. Customers are urged to update vulnerable versions immediately.

Read more here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

Left unpatched, pair of vulnerabilities could give attackers wide access to a victim’s application delivery network.

Two vulnerabilities, including one with a Common Vulnerability Scoring System (CVSS) score of 10, have been discovered in the F5 BIG-IP application delivery controller. Both vulnerabilities have now been patched in updates available to BIG-IP customers.

The more serious of the two, CVE-2020-5902, was a remote code execution vulnerability in the Traffic Management User Interface (TMUI). By exploiting this vulnerability, an unauthorized user could create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets. Positive Technologies researcher Mikhail Klyuchnikov noted that this vulnerability is especially dangerous for that minority of BIG-IP owners who have exposed the TMUI to the Internet, where it can be discovered by tools such as Shodan.

The other vulnerability, CVE-2020-5903, is a cross-site scripting vulnerability in the BIG-IP Configuration utility. It could allow JavaScript with the permission of the targeted user, in the worst case allowing for remote arbitrary code execution without authorization. This vulnerability received a CVSS score of 7.5.

Both vulnerabilities have been patched in the most recent versions of BIG-IP. Customers are urged to update vulnerable versions immediately.

Read more here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

French and Dutch police have boasted of infiltrating and killing off encrypted chat service EncroChat, alleging it was used by organised crime gangs to plot murders, sell drugs, launder criminal profits and more.

The encrypted chat platform is alleged by British, French and Dutch law enforcement agencies to have been used by around 60,000 people in total – many of whom, it is alleged, were members of organised crime gangs using the network to plan their crimes.

“Since 2017, the French gendarmerie and judicial authorities have been investigating phones that used the secured communication tool EncroChat, after discovering that the phones were regularly found in operations against organised crime groups and that the company was operating from servers in France,” said EU law enforcement coordination body Eurojust in a statement.

This is what £1.4m looks like... as hauled in by the East Midlands Special Operations Unit. Pic credit: National Crime Agency

This is what £1.4m looks like… as hauled in by the East Midlands Special Operations Unit. Pic credit: National Crime Agency

In May, police in France, assisted by the Netherlands’ cops, infiltrated EncroChat’s core network – and in mid-June the operator pulled the plug, having realised the game was up. Users were urged to throw away their handsets.

EncroChat was a reseller of encrypted phones as well as a mobile network operator – potentially an MVNO, if Motherboard’s description of its operations is accurate. Its handsets, said to be BQ Aquaris X2 Android units running two OSes side by side – one innocent, one with privacy features enabled – had a custom messaging app which routed messages through a central server.

The phones also had a panic button feature, where entering a certain PIN to the unlock screen would wipe the device. Handsets were said to cost around £1,500 for a six-month contract.

The takedown of the network has been a poorly disguised secret, with Northern Irish suspects reportedly being arrested last week after data from EncroChat’s servers was shared around European police forces. Various media reported a fortnight ago that EncroChat’s operators pulled the plug after realising the entire product had been compromised by police agencies.

“The data was in first instance shared with the Netherlands. Eurojust facilitated the creation of a joint investigation team (JIT) between the two countries and with the participation of Europol, the European Union Agency for Law Enforcement Cooperation, in April 2020,” said Eurojust, which tantalisingly mentioned that Dutch police had access to an “encrypted data stream”.

This latter phrase could be read as suggesting that EncroChat’s encryption had been broken, though official sources have, perhaps understandably, been very coy about what exactly was done to compromise EncroChat’s systems. More should emerge during criminal trials in the coming weeks and months.

After French and Dutch police broke into EncroChat, British police were permitted to use their findings, meaning UK police forces were then able to kick down doors and make arrests. The National Crime Agency (NCA) claims a total of 746 arrests and the seizure of two tonnes of drugs, 77 assorted firearms and £54m in cash – so far – as a result of the EncroChat intelligence.

“The NCA created the technology and specialist data exploitation capabilities required to process the EncroChat data, and help identify and locate offenders by analysing millions of messages and hundreds of thousands of images,” said the UK agency in a statement about its Operation Venetic.

There is no evidence in the public domain so far to support British police claims that all 10,000 of EncroChat’s UK users were criminals. Such devices are of interest to legitimate users (journalists, lawyers, academics, domestic and foreign political campaigners – to name just a few) as well as criminals, though the UK state is notably hostile to the idea of encrypted comms that its agents can’t read whenever they feel like it. ®

Follow me for more information.

Microsoft has emitted a pair of security patches to address flaws in Windows 10 that can be potentially exploited by miscreants to hijack PCs. A victim simply needs to be tricked into opening a file containing a specially crafted image on a vulnerable system.

The Redmond giant said this week the exploitable bugs, CVE-2020-1457 and CVE-2020-1425, are in the Windows HEVC Codec Library that some applications use to process images.

In the case of CVE-2020-1457, a successful exploit would lead directly to arbitrary code execution on the victim’s computer for the attacker, while Microsoft said CVE-2020-1425 would let the aggressor “obtain information to further compromise the user’s system” though it is also described as a remote-code-execution flaw.

If there’s some good news to be had from this, it is that Windows 10 in its default setup is not vulnerable. The HEVC codec in question is an optional add-on downloaded from the Windows Store.

Windows Server and older versions of Windows are not vulnerable.

It is relatively rare for Microsoft to post security updates outside of its normal Patch Tuesday cadence. In this case, Redmond said it went off-road because HEVC is a Windows Store download, and, therefore, not subject to the same patch release timings for built-in Windows 10 components.

Credit for the discovery went to Abdul-Aziz Hariri working through Trend Micro’s Zero Day Initiative. The flaw was privately reported, and thus far there have been no reports of in-the-wild exploits.

Downloading a patch

Cisco SMB kit harbors cross-site scripting bug: One wrong link click… and that’s your router pwned remotely

READ MORE

Microsoft’s next scheduled security update is July 14.

On the bright side for Microsoft, folks at F-Secure are applauding the US tech titan’s security gurus for preventing botnet and malware operators from abusing Azure and Office 354 services.

F-Secure’s Tim Carrington said his team can no longer use instances on either cloud service to function as command-and-control servers in its C3 framework.

The C3 service functions as a sort of proof-of-concept botnet service that F-Secure offers to help companies test their networks and services against real-world attacks. The idea is that, if testers can get in using C3, it’s a safe bet that criminals can as well.

In this case, Carrington explained, Microsoft has beefed up its detection and removal tools, and as a result any attempts to spin up a malware command-and-control server with Office365 or Azure are wiped out within three days.

“Microsoft has risen to the challenge of using offence to inform defense. This has not only disrupted F-Secure Consulting’s red team operators, but delivered a killer blow to real-world threat actors,” Carrington said.

“Any effort by an organization that forces attackers to redevelop their toolkit, and results in the redistribution of resources, is a welcome sight.” ®

Follow me for more information.

After Senate Judiciary Committee pushes EARN IT Act a step closer to ratification, raising further concerns for privacy advocates, here’s what to know.

Is encryption the biggest impediment to law enforcement’s ability to stop child sexual predators? For the advocates of the EARN IT Act, which would loosen the rules protecting Internet services’ use of encryption, it most certainly is.

The Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act would create an online child sexual exploitation prevention commission to develop “best practices” which Internet services would have to adhere to in order to retain the protections of Section 230 of the Communications Decency Act of 1996. Section 230 protects Internet services such as Facebook and Twitter from lawsuits over content published on their sites by their users.

Following the addition of a manager’s amendment by cosponsor Senator Lindsey Graham (R-SC) which weakens some parts of the bill and leaves the impact of other sections unclear, the Senate Judiciary Committee voted to approve the EARN IT Act today (Thursday, July 2). The next step for the bill is to be voted on by the full Senate. 

The EARN IT Act, originally introduced by Senators Richard Blumenthal (D-CT) and Graham, doesn’t actually use the word “encryption,” and both senators denied on Thursday that the bill is intended to interfere with how tech companies use encryption to protect their users’ data and communications. The bill creates a 19-member commission to determine what the “best practices” should be, with three mandatory commission members: the U.S. Attorney General, the Secretary of Homeland Security, and the Chair of the Federal Trade Commission. Any one of these three would be empowered by the guidelines set out in the EARN IT Act to veto recommended “best practices.”   

Given that many US government leaders have led decades-long history of opposition to private use of digital encryption, cybersecurity and privacy advocates fear that the EARN IT Act commission is a wolf in sheep’s clothing. Their concern is that EARN IT is an attempt to hide an attack on the use of encryption among the legitimate concerns of the proliferation of child sexual abuse material (CSAM) online, says Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society.

“There is a sense that tech companies are too big for their britches, and someone should stick it to them,” Pfefferkorn says, thanks to the spread of hate speech, misinformation, and disinformation online. “EARN IT will hurt all of us, but it won’t financially hurt the companies, and it won’t help catch the bad guys. It’s the wrong tool to indulge that understandable impulse in the year of our lord 2020.”

A second bill: the LAED Act 

The EARN IT bill is not the only attempt by lawmakers to restrict the use of encryption, which has become increasingly more commonplace in the aftermath of the whistleblower disclosures taken by Edward Snowden, especially as used in messaging apps such as iMessage, Signal and WhatsApp to prevent malicious hackers and government snoops from spying on message content. A second bill, the Lawful Access To Encrypted Data (LAED) Act, would force tech companies with more than 1 million users to create government-accessible backdoors in encryption they’ve deployed to aid search warrants of devices used by government targets.

Where the intent of EARN IT is to focus on child abuse, LAED, co-sponsored by Republican senators Graham, Tom Cotton (R-AR), and Marsha Blackburn (R-TN), is much clearer, says Pfefferkorn.

Introduced on June 23, the LAED Act, she says, is uncomplicated in its requirements and would affect most tech providers today, including operating systems makers and device manufacturers such as Apple, Google, Microsoft, Amazon, Samsung, and the entire Android ecosystem; devices as diverse as the Xbox, voting machines, and the panoply of the Internet of Things; messaging services including Apple’s iMessage, Facebook’s WhatsApp, and Signal; and services that offer encrypted storage such as Box and Dropbox, she says.

“It’s a backdoor mandate. If you are one of the larger entities out there, you have to redesign everything” to pass muster.

However, advocates who specialize in stopping CSAM say that Big Tech is simply looking for a way out of a legitimate government interest in using its power to stop child sexual abuse and communication between those who create and disperse child pornography. Benjamin Bull, general counsel for the National Center on Sexual Exploitation, says that his organization supports the EARN IT Act and LAED Act because law enforcement has lacked the tools to stop CSAM thus far. 

“Predators and purveyors of CSAM are completely unregulated on the Dark Web and encrypted web,” he says, and calls concerns over privacy rights “a red herring” because “law enforcement would still have to prove probable cause” in order to obtain a warrant to search encrypted digital communications and files. 

“Today’s Internet is basically a law enforcement-free zone where child predators can swim around like sharks. The only privacy interests at stake are people engaging in criminal activity. People who are not violating the law don’t have anything to worry about,” Bull says.

Invest in Child Safety Act

The EARN IT and LAED bills are not the only ones attempting to address the issue of CSAM and encryption. The Invest in Child Safety Act, a sweeping law proposed by Sen. Ron Wyden (D-OR) in the Senate and Rep. Anna Eshoo (D-CA) in the House of Representatives, would provide $5 billion over a decade to better fund already-existing anti-CSAM measures at the FBI, National Center for Missing and Exploited Children, and Internet Crimes Against Children task forces. 

They’ve been making the case that ending encryption would stop the problem, but upsetting the entire intermediary liability regime we have is not the way to do it. Not to absolve what the companies have done, there’s more work to be done there, they say.

Impacts of laws could go far beyond privacy, security

Jeffrey Westling, a technology and innovation policy fellow at the nonprofit, nonpartisan R Street Institute, says that EARN IT and LAED could eliminate the Section 230 protections as they’ve been used since the rise of the commercial Internet in the mid-1990s, to facilitate global communications.

“People misunderstand why we need intermediary liability generally. It’s not a special carve-out for any one company or any big company. All it says is that a company is not responsible for individual speech on its platform. It’s going to have a terrible impact on our ability to communicate,” he says. “These communications are vital.”

Related content:

 

Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also … View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

A fraudster on LinkedIn used my online profile in an apparent attempt to pull off a wide-ranging scam business venture.

Phishing is one of the oldest fraud techniques online. Phishers often utilize a spray-and-pray method to hit as many potential victims as possible. The aim of such an attack is quick profit via the harvesting of user login or banking credentials. Once the victim surrenders his/her valuable information, the phisher moves on, either to the next victim or a different campaign altogether.

But some phishing attacks are entirely different. For the lack of a better term, I call them “long-con phishing.”

I was on the receiving end of one such phishing scam recently. In March, I received this LinkedIn message:

Even though I was connected to this guy, Tarun Poddar, I had no idea who he was (Okay, I admit, I have way too many LinkedIn connections. But hey, it’s LinkedIn.) Mr. Poddar here, who claimed to be a board member at Sequoia Capital, was looking for people who could join him in his new “venture capital firm.” His profile showed association with Sequoia Capital and that he had graduated from Stanford University with an Master of Business Administration degree.

His work experiences showed executive positions at high-profile companies like Apple, Boeing, and Cognizant.  

But if you scroll down on Mr. Poddar’s profile and look at his recommendations — none of them could spell or write in proper English.

I was mildly amused at how flashy his profile was yet how obvious the phishing techniques were. Never mind a reputable venture capital firm would never look for partners or investors on LinkedIn – the poorly worded recommendations were a classic sign of a made-up profile. I wondered if this was a sockpuppet account, so I googled Tarun Poddar. What came up was quite interesting. I found a press article about his being named Apple’s Process Head for Singapore, and another article on him being a “best-selling author” of a book called Love Turns Back. Both were from media sites of questionable quality. 

I also found a news article on a Delhi conman, Tarun Poddar, who posed as best-selling author and executives of global brands to defraud unsuspecting victims.

The article described Poddar, a 24-year-old computer science graduate, swindled a sizable sum from a Delhi woman by promising to get her nephew admitted to a top school. He posed as a best-selling author and a high-power executive with valuable connections. The article went on to say that he had taken a published book, redesigned the front and back covers, and republished it with an online shopping app. He also wrote many of the positive reviews himself for the book.

A further look found that Poddar has a YouTube channel and a SoundCloud account, both claiming him as a best-selling author and a high-flying executive of multinational corporations.

This guy is a piece of work, I remember saying that to myself. I briefly considered humoring him to see how far this would go, but thought better of it – I simply did not have the time. So I did not respond and put that out of my mind. 

A few weeks later, I received a LinkedIn message from a different person, whose profile looked like a real professional. Her message to me was simple: “Do you know Tarun Poddar?” 

I was intrigued by this and decided to respond: “No I do not.” 

What transpired after that was quite interesting. She said: “Do you know that they listed you on their website as a managing partner for their new venture fund?” She gave me the URL of Foxhog Ventures, a new “company” started by Tarun Poddar.

For a few seconds I thought to myself, “Is this a sophisticated, coordinated phishing scam to get me to click on the URL?” But I decided that she looked real enough and that this was probably too sophisticated a coordination for them to pull off. So I took a barely used Chromebook and went to Foxhog’s website.

Sure enough, I saw my own portrait front and center on their website staring back at me. The caption read: “Chenxi Wang is the Founder and General Partner of Rain Capital…… She serves Foxhog as managing partner.”

That was not all of it. Poddar also runs a newsletter called Budding Beats. He had featured me in one of his newsletters and sent out this message in the WhatsApp group for Budding Beats:

At that point, I realized that this was not a typical phish. They were not looking for credentials or login information. Instead, they were building up legitimacy in cyberspace for that eventual con.

In a conversation with my LinkedIn informant, she told me that Poddar and his conspirator had built a fake venture business. Putting trustworthy people on their website is one of the ploys to try to attract investors. It was an unsettling experience, seeing my own information and likeness being used in a blatant scam.

According to social engineering expert Rachel Tobac, a sockpuppet or a fake identity phishing is the trait of a long con. Tobac said perpetrators in these cases painstakingly build connections with trustworthy folks to look like they belong. But the real goal is to “either disrupt the legitimate party’s reputation, gain access to the connection’s private data, or get someone to surrender their bank account information via a scam.” 

This style of phishing, Tobac said, would take “anywhere from three- to six months for the perpetrator to reap benefit — they are in it for the long haul.”

A look on checkphish.ai with Foxhog’s URL revealed that the site is clean. This means that at least the website is not distributing malware. This, and the fact that the site is not actively phishing user credentials, made take-down with domain registrars difficult. So I decided to take matters into my own hands. I wrote Tarun Poddar a message via LinkedIn.

 (Article continues on next page)

 

Dr. Chenxi Wang is the founder and General Partner of Rain Capital, a Cyber focused venture fund. A well-known strategist, speaker, and technologist in the Cybersecurity industry, Dr. Wang also serves on the Board of Directors for MDU Resources (NYSE:MDU) and on various … View Full Bio

Recommended Reading:

Previous

1 of 2

Next

More Insights

Follow me for more information.

Sponsored In its raw form, email isn’t the most secure channel for carrying national secrets. It was originally designed for plain text, and plenty of modern mainstream email systems still don’t support encryption out of the box. So if you’re someone like Edward Snowden, you’ll want to make darn sure that your correspondent knows how to use encryption.

Snowden famously contacted journalist Glenn Greenwald asking for his PGP key, but Greenwald didn’t have one. “I had no idea how to install it or how to use it,” Greenwald says. Snowden didn’t have time to get him up to speed, so he moved on to documentary film maker Laura Poitras instead. It highlights a problem that people often forget when dealing with encrypted communication: Technology isn’t the only thing that matters.

“This is a very consumer facing product,” says Jacob Ginsberg, senior director of market intelligence at Toronto-based email security company Echoworx. “It’s something that your users, including sometimes your customers or business partners, must understand how to interact with.”

Thinking outside the checkbox

Ginsberg sees many companies floundering after spending money on email encryption systems. In his experience, their problems stem from some common misconceptions. The first is that simply having encryption of some kind makes them safe. These companies tend to concentrate on technology, checking product features on a list. That approach to evaluating email encryption systems has been out of date for years, he warns.

“We’ll do that all day long with anyone,” he says, “but if you’re a healthcare organisation mailing an encrypted email to a patient who has trouble opening it, you might as well not have invested in that solution.”

Users who don’t understand how to encrypt their emails won’t do it. This leads to several problems. Secure information might not be sent, spawning a thousand Greenwald incidents where communications are delayed or don’t happen at all.

Worse still are those situations where information is sent insecurely. Many users won’t think twice about sending customer data or sensitive personal or company information in plain text.

Those who do want to do the right thing but can’t make their email work might resort to third-party file transfer systems in a well-meaning bid to do things properly. This form of shadow IT takes communications outside the company’s control entirely. That isn’t always safe – just ask WeTransfer’s users.

There’s another danger for companies whose users do try to grapple with the internal email encryption system: rising support costs. If the interface for your email encryption system is geared for the IT department rather than the user, you can expect a torrent of support tickets.

Moving from risk avoidance to added value

The second big slip-up Ginsberg sees companies making is viewing email encryption purely as a compliance solution. The Ponemon Institute found that this was a major driver for 49 per cent of companies using encryption. It’s certainly an important consideration, says Ginsberg, but it shouldn’t be the first.

“If you’re trying to build a cost benefit analysis around encryption and you’re only looking at it to fulfil compliance requirements, then really the only benefit is the lack of a fine,” he says. “It’s really hard to build a business case around that.”

Rather than looking for business benefits, compliance-focused buyers end up opting for the lowest bidder, he warns. The result is a solution that doesn’t fit and isn’t used.

Building better business cases

By all means pay attention to technology and legal requirements, but don’t sacrifice the potential business value of an email encryption system. This shift in mindset from pure risk avoidance to business benefit has been a long time coming.

One such business case revolves around cost savings. Forrester has found that when done well, email encryption can shave a significant amount from the bottom line. Interviewing companies who took a user-focused approach to email, it found that they enjoyed savings of $2.7m over three years on implementation costs of $1.1m. That’s a net present value of $1.6m, or an ROI of 155 per cent. All it took was for them to think of the system’s possibilities, rather than their own compliance liabilities.

These cost savings tied into other potential business cases for encrypted email. One of these is an improvement in user experience.Enabling employees, customers, and business partners to exchange documents with you securely has knock-on benefits for your customer satisfaction and image.

“Any way you’re communicating with your customers should be a part of your marketing strategy, and that includes emailing with them,” points out Ginsberg.

It also saves money through more efficient workflows. The Forrester report noted a $1 saving for each document sent digitally, leading to a three-year cost saving of $1.5m. It also saw a $318,900 saving in contact centre productivity over three years.

Having the confidence to send documents digitally can slash the use of paper by up to 10%, according to the Forrester data. This carries a corporate social responsibility benefit for companies trying to green their operations. Or to put it another way: save a tree – encrypt an email.

<Another use case is better, faster, and ultimately cheaper user support. According to Forrester, user-focused email encryption cuts the number of encryption-related call centre tickets by 80 per cent as employees stopped sending first-tier ‘what does this button do?’ support tickets.

Reframing your communication strategy

Looking at possible business cases is fine in theory, but in practice many IT directors and CIOs are programmed to enumerating technology features and judge products purely on price. How can they shift the conversation to make email encryption more relevant for users?

The first step is not to think about this as an email encryption problem or a data protection issue, says Ginsberg. Instead, think about your broader communication strategy. Explore who’s sending and receiving what kinds of information, and how it ties into your company workflows.

“You can split that up into two different analyses,” says Ginsberg. “One focuses on the sending experience. What will its employees have to do differently? The other focuses on the recipient’s experience. How do they pick up the emails?”

When considering each, look at the user’s demographic profiles and capabilities, he says. If you’re dealing with tech-savvy freelance software developers who communicate with your company regularly, then something like PGP or S/MIME might work. For the senior citizen trying to upload their identity documents to interact with your investment advisory firm, no so much. In that case, something like a secure online portal for exchanging documents might be more appropriate.

Ideally, your software should be able to support a variety of sender and recipient types. Echoworx’s OneWorld encryption platform integrates into Microsoft 365 and supports several options for recipients: TLS, encrypted PDFs or other attachments (along with instructions for retrieving a password), certificate encryption, and a company web portal accessible via OAuth.

The system enables senders to automatically encrypt email without any extra interaction, or they can specify an encryption channel based on the recipient if they want.

Auditing your users and your communications and choosing an appropriate form of secure business communication is just the first step. The next part involves rethinking your communication strategy and looking at what can now be sent via these channels that wasn’t possible before.

“When you gain the confidence that your online conversations are secure, then that opens up new types of conversation with your business partners and your customers,” says Ginsberg. “So, you can overhaul and change a bunch of standing policies and ways that you work with people.”

At this point, think about ways to integrate email into your existing workflows, or create new ones. Many companies treat email as a separate bolt-on to their other business processes. That means manually switching systems, transferring files, and then figuring out how to send them securely. Building event-based triggers into your existing systems that kick off automated emails could streamline your operations.

Integrating secure communications into your company could lead to profound changes. Automated email could remove some of the heavy lifting from call centres, leaving agents to focus on higher-quality conversations with customers.

Even if email technology had originally shipped with encryption, it’s unlikely that it would have satisfied everybody. Once the technology hit the mainstream, the kinds of user accessing it and the delivery channels they used to send and receive email exploded. Old technologies must adapt, serving new users who will never knowingly touch a PGP key or understand what encryption is. They deserve safe, secure email communications along with everyone else.

Sponsored by Echoworx

Follow me for more information.

Three steps to better serve consumers, ensure maximum security, and achieve compliance with the California Consumer Privacy Act.

The California Consumer Privacy Act (CCPA) went into effect at the beginning of the year, and the enforcement date of July 1 is just around the corner — with no signs of an extension. Organizations are beginning to feel the pressure to comply with the strict requirements that are designed to ensure that the collection, storage, and processing of personal data is consistent, secure, and noninvasive. Unfortunately, many are not ready to take on this new level of consumer privacy regulation, with 63% of respondents from a recent survey stating that working remotely has complicated maintaining compliance with the mandates that are applicable to their organization.

Similarly, many companies delayed reaching General Data Protection Regulation (GDPR) compliance, which resulted in multimillion-dollar fines for companies including Marriott and British Airways. Enterprises that are not CCPA compliant ahead of the enforcement date may face even heftier fees as it calls for fines “…not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.” This means that if CCPA had been in effect at the time of Marriott’s breach of 383 million guest records, then the company could have been subjected to fines totaling nearly $280 billion. The regulation affects more than just organizations that have headquarters in California; it extends to all that collect or sell consumer information relating to California residents. The following are considerations all companies should keep in mind to reach and maintain CCPA compliance.

CCPA Is More than Just California’s Version of GDP
Organizations may assume that they are compliant with CCPA by virtue of their being compliant with GDPR. The two regulations are designed to offer strong protections for data subjects, and they do have some overlap in terms of overarching goals and specific requirements. However, the two also have significant differences. For example, CCPA’s compliance requirements are applicable to information at the household and device level — it is not just about individuals directly.

To stay secure and compliant, enterprises should have a thorough understanding of all applicable regulations and make them an organizational priority. Note that this emphasis will not be without its benefits. Security and compliance can lead to a competitive edge as 87% of consumers are willing to take their business elsewhere if they don’t trust how a company is handling their data.

How Companies Can Prepare to Comply and Secure Consumer Data
To better serve consumers, ensure maximum security, and achieve compliance, businesses should follow these steps:

  • Have an accurate inventory of data. According to CCPA, if you don’t know what data you have, then you can’t ensure you’re protecting it. Comprehensive activity logs should track all file, user, and app activity, revealing everything that is happening with individuals’ data. Furthermore, companies going through M&A deals should conduct a thorough IT audit so they know what data they’re inheriting. It’s also critical to have security solutions, such as data loss prevention, that will prevent data leakage.
  • Protect information and access. Beyond keeping track of data, businesses should know how the data is stored and destroyed, how it moves throughout the company, and who has access to it. Organizations that migrate to the cloud allow data to be accessed on numerous applications from various devices, such as employees’ personal phones. Employees that access data should authenticate through single sign-on and multifactor authentication to ensure that only authorized employees handle data.
  • Know data jurisdictions. Under CCPA, data may only be stored or transferred where the state has jurisdiction — or where an agreement is in place. If data is stored or transferred without an agreement, organizations should turn to solutions that can encrypt cloud data and give organizations direct control over their own encryption keys. This will ensure compliance under data residency rules, as the data only exists outside of acceptable regions in indecipherable ciphertext format. Tools like selective wipe also allow administrators to remove sensitive information from any device in any location, protecting data from unauthorized users.

If a company were to suffer a data breach, CCPA mandates that it provides detailed documentation on the causes and effects of the breach, as well as security measures taken to address it. As data privacy has increasingly become top of mind for consumers, enterprises must protect data with the proper tools and comply with relevant regulations if they are to avoid security incidents. Moving forward, it would also be wise of companies to stay ahead of regulation enforcement dates as the unexpected can occur at any moment, causing delays in their compliance plans. 

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that “really bad day” in cybersecurity. Click for more information and to register for this On-Demand event. 

As Chief Technology Officer of Bitglass, Anurag Kahol expedites technology direction and architecture. Anurag was director of engineering in Juniper Networks’ Security Business Unit before co-founding Bitglass. He received a global education, earning an M.S. in computer … View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database CVE-2020-9498
PUBLISHED: 2020-07-02

Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed…

CVE-2020-3282
PUBLISHED: 2020-07-02

A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM &amp;amp; Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack…

CVE-2020-5909
PUBLISHED: 2020-07-02

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.

CVE-2020-5910
PUBLISHED: 2020-07-02

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.

CVE-2020-5911
PUBLISHED: 2020-07-02

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.

Follow me for more information.

What do they have in common? The Click2Gov online utility payment system

Websites of eight US cities poisoned by malware skimming the credit card details of residents

Websites of eight US cities poisoned by malware skimming the credit card details of residents

Beware if you’re paying your bills for local government services – the payment information you type into that web form may be heading straight to cybercriminals.

Security experts at Trend Micro report that they have identified eight cities in the USA where online payment portals have been compromised to host Magecart-style credit card skimming code.

Magecart is a family of Javascript malware used to steal credit card details and personal information from unsuspecting internet users as they interact with websites – often as sensitive details are entered to make a purchase.

What makes this type of attack often more serious than a conventional data breach, is that most companies do not store your full credit card details, such as your CVV security code. But those details are entered on online checkout forms by consumers, and can be stolen by a malicious script hidden in the website’s code.

As Trend Micro explains, the common factor between the affected websites they have uncovered is that they all use the third-party Click2Gov platform:

These sites all appear to have been built using Click2Gov, a web-based platform meant for use by local governments. It is used to provide services such as community engagement, issues reporting, and online payment for local goverments. Residents can use the platform to pay for city services, such as utilities.

According to the researchers, the attacks against the eight unnamed US cities started in April, when malicious Javascript code was planted on the websites, silently harvesting credit card details and residents’ personal information as they entered it into online payment forms.

Credit card skimming attack chain

Credit card skimming attack chain

Credit card skimming attack chain. Source: Trend Micro.

Unlike other skimmers which grab data on various types of payment forms, the skimmer used here is rather simple and only works on a Click2Gov payment form. No obfuscation or anti-debugging techniques were used. The skimmer hooks the submit event of the payment form; when a victim clicks the button to send the payment information, the skimmer will grab the information from the selected columns inside the payment form and immediately send the collected information to remote server via a HTTP POST request.

Details exfiltrated by the script to a remote server under the hackers’ control included credit card numbers, CVV security codes, card expiry dates, cardholder’s name, address, and postal code.

Simple the skimming code might be, but that doesn’t mean it’s not effective.

Email

Email

Sign up to our newsletterSign up to Graham Cluley’s newsletter – “GCHQ”
Security news, advice, and tips.

Rightly or wrongly, Click2Gov is earning itself a bad reputation. In recent years security researchers have been tracking attacks launched against the Click2Gov payment portal, with reports of breaches involving city websites stretching across the United States and Canada.

Late last year, for instance, the city of College Station admitted its Click2Gov online utility payment system had been hacked for some months, as had the City of Waco’s Click2Gov portal for water bill payments.

The onus is on cities to follow best practices when building and maintaining its online payment systems, ensuring that patches and security updates are applied in a timely fashion and that networks are properly secured.

Meanwhile, other websites with payment forms online would be wise to remember that credit-card skimming attacks are not limited to local governments taking payments from residents.

Magecart-style attacks have been seen hitting a diverse range of victims, including hotel chain booking websites, academic campuses, as well as the likes of Ticketmaster, British Airways, Forbes, Umbro, Vision Direct, and Newegg.

If you’re making online purchases (and hey, these days, who isn’t?) you might want to investigate disposable virtual payment cards, so you’re never exposing your real life credit card to the websites to which you are making a payment. A virtual card could be locked to a single merchant, have a limited amount that can be used in a single payment, or be single-use.

There is more discussion of virtual credit cards in this episode of the “Smashing Security” podcast:

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Follow me for more information.

Hackers are once again finding unsecured MongoDB databases carelessly left exposed on the internet, wiping their contents, and leaving a ransom note demanding a cryptocurrency payment for the data’s safe return.As ZDNet reports, ransom notes have been left on almost 23,000 MongoDB databases that were let unprotected on the public internet without a password.Unsecured MongoDB databases being attacked by hackers is nothing new, of course. Over recent years security breaches involving exposed MongoDB installations have occurred on multiple occasions, claiming the scalps of Verizon, OCR software firm ABBYY, dating websites, amongst others.What makes this particular attack more unusual is that the hacker threatens to contact regulatory authorities if the victim does not pay up, to report them for a GDPR violation.In an example shared by ZDNet, the ransom note demanded 0.015 Bitcoins (at current prices approximately US $140) or data would be leaked and the authorities informed.Part of the ransom note, which is in broken English, reads as follows:All of your data is a backed up. You must pay 0.015 BTC to [REDACTED] 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server.If you’re unlucky enough to find your MongoDB database wiped by the hacker and replaced by a ransom note, there are an important couple of points to consider:Firstly, will paying the ransom get your data back?Almost certainly not. The hacker may well have accessed 22,900 databases that were not properly secured online, but that’s a very different proposition from actually having successfully exfiltrated what must be a huge amount of data from so many servers. There’s no reason to believe that even if the data was copied by the hacker before it was wiped that they will feel duty bound to return your data to you safely.Secondly, will you be reported for a GDPR violation?Personally I find it hard to imagine that a criminal hacker would make a GDPR complaint against his victims. That’s not to say, of course, that someone else won’t.And that’s a reason, if further reason was ever needed, that everyone running a MongoDB database needs to ensure that they have set it up securely, and not left it open for any Tom, Dick or Hacker to waltz in and cause havoc.Despite MongoDB coming with security features, and providing a checklist for administrators to properly keep their databases out of the reach of unauthorised parties, breaches continue to happen.The tools are there, the information about how to use the tools is available, all that we need is for system administrators to wake up and realise that they need to fix their database security as a matter of priority…. or run the gauntlet of being the next victim of a damaging hack.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.Follow me for more information.

We need to learn from the attacks and attempts that have occurred in order to prepare for the future.

Cyber actors have shown us during the pandemic that they will let no opportunity go by without trying to take advantage. We’ve seen them prey upon the fear and concern around COVID-19 with phishing attacks, and capitalize on security weaknesses as organizations switched to remote work scenarios. And it’s had a significant impact on security professionals’ roles — a recent survey from (ISC)² found that 81% of respondents said their job function had changed during the pandemic.

The upside of this is that there are lessons to learn from the types of attacks and attempts that have occurred that will help prepare organizations for the future.

Capitalizing on Panic
The easiest, fastest way to exploit a target is through social engineering attacks — they are fastest to spin up and have the highest rate of return. What we’ve seen during the pandemic underscores this. From the point of view of social engineering, panic has been a key way for bad actors to capitalize on the situation.

Many of the phishing campaigns we’ve seen have targeted hospitals, manufacturers of medical equipment, and health insurance companies. Attackers have taken advantage of the shortages of medical equipment and supplies, gaining traction amid the misinformation and fear. A major theme has been to make it look as if these emails and texts come from organizations such as the World Health Organization or the Centers for Disease Control, knowing that these are important organizations everyone is familiar with.

Regardless of whatever technological security measures are in place, the human psyche is always the weakest link — the easiest to exploit — in any security system. In fact, human error and negligence is involved in the majority of security breaches. When humans are facing emotional, physical, and financial distress, they become even more vulnerable to cybersecurity risks.

The Who, What, and Where of Attacks
Most of the attacks we’ve seen during the pandemic are being delivered via email, so typically they are mass spam campaigns. In fact, in March alone, FortiGuard Labs recorded a 131% increase in viruses — no surprise given that email attachments contain infected and malicious content.

Some attacks have been very targeted, and some accidental and distributed denial-of-service (DDoS) too. While the DDoS can be caused by attackers, the sheer volume of use that’s resulted from the move to remote work has also been a factor. Almost everyone is now connected to the Internet for the bulk of the day, whether it’s for work or recreation (streaming media, browsing, playing online games, etc.). These devices are often the most unsecured on the network and can be exploited and hacked; attackers can use them as a springboard into corporate laptops in some situations.

The email threats have largely been conducted with the intent of delivering malware to a system. Ransomware has also seen an uptick, with most targeted at critical infrastructures. Bad actors using ransomware know a company is more likely to pay the ransom when the critical infrastructure their business relies on is affected. That’s always a reality, but in these times of increased concern around business continuity, it’s even more the case.

One thing that’s interesting to note is that we haven’t seen a lot of shift in terms of innovative or novel techniques and tricks. While approaches have certainly been sophisticated, bad actors have tended to rely on old standards (such as social engineering and ransomware). That’s because if the old tricks still work, they aren’t likely to change tactics until they see their success rate dropping. Cybercriminals are leveraging well-known advanced attack techniques and layers of obfuscation — which means they have a decent likelihood of breaking into networks and should be treated accordingly. Again, it all goes back to the heightened sense of fear and anxiety that the pandemic has ushered in. Bad actors are all too aware that when people’s guards are down, they may not be practicing best-in-class cyber hygiene.

Moving Forward
The importance of due diligence cannot be stressed enough. Some might argue that too much caution can be counterproductive, but it’s certainly less counterproductive than having your entire company shut down because someone didn’t double and triple check before clicking that file.

Cybersecurity user awareness training continues to be crucial. Cyber hygiene isn’t just the domain of IT and security teams — everyone in your company needs to be given regular training and instruction on best practices for keeping individual employees and the organization as a whole safe and secure. Having a robust email security solution with a sandbox can also stop these threats at the network perimeter — for example, not allowing these to propagate and reach the user’s email inboxes.

Even as businesses and operations start to open up around the globe, certain social distancing measures will continue to be in place. Similarly, organizations and individuals should continue to practice “cyber distancing.” Keep your cyber distance by staying wary of suspicious requests, unknown attempts at contact and unsolicited information, and be the protector of your information, networks and health.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that “really bad day” in cybersecurity. Click for more information and to register for this On-Demand event. 

 

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy … View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

Apache Guacamole Hacking

A new research has uncovered multiple critical reverse RDP vulnerabilities in Apache Guacamole, a popular remote desktop application used by system administrators to access and manage Windows and Linux machines remotely.

The reported flaws could potentially let bad actors achieve full control over the Guacamole server, intercept, and control all other connected sessions.

According to a report published by Check Point Research and shared with The Hacker News, the flaws grant “an attacker, who has already successfully compromised a computer inside the organization, to launch an attack on the Guacamole gateway when an unsuspecting worker tries to connect to an infected machine.”

After the cybersecurity firm responsibly disclosed its findings to Apache, the maintainers of Guacamole, on March 31, the company released a patched version in June 2020.

Apache Guacamole is a popular open-source clientless remote desktop gateways solution. When installed on a company’s server, it allows users to remotely connect to their desktops simply using a web browser post an authentication process.

Notably, Apache Guacamole remote desktop application has amassed over 10 million downloads to date on Docker Hub.

Memory Corruption Flaw to RCE

The attacks stem one of the two possible ways the gateway can be taken over: either by a compromised machine inside the corporate network that leverages an incoming benign connection to attack the Apache gateway or a rogue employee who uses a computer inside the network to hijack the gateway.

Check Point team said it identified the flaws as part of Guacamole’s recent security audit, which also added support for FreeRDP 2.0.0 towards the end of January 2020.

It’s worth pointing out that FreeRDP, an open-source RDP client, had its own fair share of remote code execution flaws, which were disclosed early last year following the release of 2.0.0-rc4.

“Knowing that vulnerabilities in FreeRDP were only patched on version 2.0.0-rc4, this means that all versions that were released before January 2020 are using vulnerable versions of FreeRDP,” Check Point researcher Eyal Itkin said.

Here’s a quick summary of all flaws discovered:

  • Information disclosure vulnerabilities (CVE-2020-9497) — Two separate flaws were identified in the developers’ custom implementation of an RDP channel used to handle audio packets from the server (“rdpsnd”). The first of the two flaws permits an attacker to craft a malicious rdpsnd message that could lead to an out-of-bounds read similar to Heartbleed. A second bug in the same channel is a data leak that transmits the out-of-bounds data to a connected client.

The third information disclosure bug is a variant of the aforementioned flaw that resides in a different channel called “guacai,” responsible for audio input and is disabled by default.

  • Out-of-bounds reads in FreeRDP — Looking to find a memory corruption vulnerability that could be leveraged to exploit the above data leaks, Check Point said they uncovered two additional instances of out-of-bounds reads that take advantage of a design flaw in FreeRDP.

  • Memory Corruption flaw in Guacamole (CVE-2020-9498) — This flaw, present in an abstraction layer (“guac_common_svc.c”) laid over rdpsnd and rdpdr (Device Redirection) channels, arises from a memory safety violation, resulting in a dangling pointer that allows an attacker to achieve code execution by combining the two flaws.

Use-after-free vulnerabilities are memory corruption bugs that typically occur when an application tries to use memory space that is no longer assigned to it. This usually causes a program to crash but can also sometimes lead to other unintended consequences, such as code execution that can be exploited by malicious actors.
By using vulnerabilities CVE-2020-9497 and CVE-2020-9498, “a malicious corporate computer (our RDP ‘server’) can take control of the guacd process when a remote user requests to connect to his (infected) computer,” Itkin said.

A Case of Privilege Escalation

More concerning, Check Point found it was possible to seize control of all of the connections in the gateway from only a single guacd process, which runs on the Guacamole server to handle remote connections to the corporate network.

In addition to controlling the gateway, this privilege escalation allows an attacker to eavesdrop on all incoming sessions, record the credentials used, and even start new sessions to control the rest of the organization’s computers.

“While the transition to remote work from home is a necessity in these tough times of the COVID-19 pandemic, we can’t neglect the security implications of such remote connections,” Itkin concluded. “When most of the organization is working remotely, this foothold is equivalent to gaining full control over the entire organizational network.”

“We strongly recommend that everyone makes sure that all servers are up-to-date, and that whatever technology used for working from home is fully patched to block such attack attempts.”

Follow me for more information.

Product categories

Post

July 2020
SMTWTFS
 1234
567891011
12131415161718
19202122232425
262728293031 
X