Daily Archives: January 12, 2021

Experts Sound Alarm On New Android Malware Sold On Hacking Forums

Cybersecurity researchers have exposed the operations of an Android malware vendor who teamed up with a second threat actor to market and sell a remote access Trojan (RAT) capable of device takeover and exfiltration of photos, locations, contacts, and messages from popular apps such as Facebook, Instagram, WhatsApp, Skype, Telegram, Kik, Line, and Google Messages. The vendor, who goes by the

Microsoft Issues Patches for Defender Zero-Day and 82 Other Windows Flaws

For the first patch Tuesday of 2021, Microsoft released security updates addressing a total of 83 flaws spanning as many as 11 products and services, including an actively exploited zero-day vulnerability. The latest security patches cover Microsoft Windows, Edge browser, ChakraCore, Office and Microsoft Office Services, and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core

More Lessons Learned About Trying Harder and Passing the Offensive Security Certified Professional Exam (OSCP)

On February 11, 2020, Offensive Security introduced a major overhaul and update to their already fantastic course: Penetration Testing with Kali Linux. Those changes included updates to their lab environment. The study materials were substantially updated, with additional material including entire new sections on Bash Scripting, Active Directory Attacks, and PowerShell Empire. The training videos […]

The post More Lessons Learned About Trying Harder and Passing the Offensive Security Certified Professional Exam (OSCP) appeared first on The State of Security.

Microsoft Patch Tuesday, January 2021 Edition

Microsoft today released updates to plug more than 80 security holes in its Windows operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. Ten of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.

Most concerning of this month’s batch is probably a critical bug (CVE-2021-1647) in Microsoft’s default anti-malware suite — Windows Defender — that is seeing active exploitation. Microsoft recently stopped providing a great deal of detail in their vulnerability advisories, so it’s not entirely clear how this is being exploited.

But Kevin Breen, director of research at Immersive Labs, says depending on the vector the flaw could be trivial to exploit.

“It could be as simple as sending a file,” he said. “The user doesn’t need to interact with anything, as Defender will access it as soon as it is placed on the system.”

Fortunately, this bug is probably already patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle.

Breen called attention to another critical vulnerability this month — CVE-2020-1660 — which is a remote code execution flaw in nearly every version of Windows that earned a CVSS score of 8.8 (10 is the most dangerous).

“They classify this vulnerability as ‘low’ in complexity, meaning an attack could be easy to reproduce,” Breen said. “However, they also note that it’s ‘less likely’ to be exploited, which seems counterintuitive. Without full context of this vulnerability, we have to rely on Microsoft to make the decision for us.”

CVE-2020-1660 is actually just one of five bugs in a core Microsoft service called Remote Procedure Call (RPC), which is responsible for a lot of heavy lifting in Windows. Some of the more memorable computer worms of the last decade spread automatically by exploiting RPC vulnerabilities.

Allan Liska, senior security architect at Recorded Future, said while it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous vulnerabilities in RPC — CVE-2019-1409 and CVE-2018-8514 — were not widely exploited.

The remaining 70 or so flaws patched this month earned Microsoft’s less-dire “important” ratings, which is not to say they’re much less of a security concern. Case in point: CVE-2021-1709, which is an “elevation of privilege” flaw in Windows 8 through 10 and Windows Server 2008 through 2019.

“Unfortunately, this type of vulnerability is often quickly exploited by attackers,” Liska said. “For example, CVE-2019-1458 was announced on December 10th of 2019, and by December 19th an attacker was seen selling an exploit for the vulnerability on underground markets. So, while CVE-2021-1709 is only rated as [an information exposure flaw] by Microsoft it should be prioritized for patching.”

Trend Micro’s ZDI Initiative pointed out another flaw marked “important” — CVE-2021-1648, an elevation of privilege bug in Windows 8, 10 and some Windows Server 2012 and 2019 that was publicly disclosed by ZDI prior to today.

“It was also discovered by Google likely because this patch corrects a bug introduced by a previous patch,” ZDI’s Dustin Childs said. “The previous CVE was being exploited in the wild, so it’s within reason to think this CVE will be actively exploited as well.”

Separately, Adobe released security updates to tackle at least eight vulnerabilities across a range of products, including Adobe Photoshop and Illustrator. There are no Flash Player updates because Adobe retired the browser plugin in December (hallelujah!), and Microsoft’s update cycle from last month removed the program from Microsoft’s browsers.

Windows 10 users should be aware that the operating system will download updates and install them all at once on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you have ample opportunity to back up your files and/or system, see this guide.

Please back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. You never know when a patch roll-up will bork your system or possibly damage important files. For those seeking more flexible and full-featured backup options (including incremental backups), Acronis and Macrium are two that I’ve used previously and are worth a look.

That said, there don’t appear to be any major issues cropping up yet with this month’s update batch. But before you apply updates consider paying a visit to AskWoody.com, which usually has the skinny on any reports about problematic patches.

As always, if you experience glitches or issues installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

VERT Threat Alert: January 2021 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s January 2021 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-922 on Wednesday, January 13th. In-The-Wild & Disclosed CVEs CVE-2021-1647 A vulnerability in the Microsoft Malware Protection Engine (MMPE) is currently seeing active exploitation. Since the MMPE is updated regularly with malware definitions, […]

The post VERT Threat Alert: January 2021 Patch Tuesday Analysis appeared first on The State of Security.

CES 2021: Intel’s new vPro platform, Tiger Lake-H, new chips for education, and Rocket Lake-S

Intel announced the 11th gen Intel vPro mobile platform, 11th gen Core H-series mobile processors, new Pentium and Celeron processors, and previewed Rocket Lake-S and Alder Lake desktop processors.

11th Gen Intel vPro platform

Intel’s vPro platform has been updated to 11th generation. With it, commercial and enterprise users can now benefit from the more efficient 10nm SuperFin transistors and Intel’s Xe graphics. The 11th gen Core i5 and i7 vPro processors also natively support Wi-Fi 6/6E, as well as Thunderbolt 4.0. Intel says that the new vPro platform is 23 per cent faster in productivity than the competition in Office 365 and up to 50 per cent faster in video conferencing.

On the heels of its vPro platform, Intel also announced the Intel Evo vPro platform to push the industry towards sexier laptop designs for business. Similar to the consumer Evo verification, Intel has set criteria around responsiveness, wake times, and battery life to ensure user experience.

High-performance Tiger Lake-H (H35) processors

Tiger Lake mobile processors have been around for some time now, but Intel has been mum on the arrival of its H-series chips. Seeing its release at CES 2021 is a sight for sore eyes.

Tiger Lake-H launch lineup. All image credits: Intel

The new H-series lineup consists of the Core i5-11300H, Core i7-11370H, and the Core i7-11375H Special Edition. They retain the 4 cores of the power-efficient Tiger Lake U processors but raise the thermal design power (TDP) to 35W. This increased TDP refers to the configurable TDP (cTDP) up, the highest base TDP the processor can run at with adequate cooling.

Perhaps even more significant is the jump in the minimum configurable TDP. For Tiger Lake-H, the cTDP-down, the lowest TDP the processor can be configured to, has been increased to 28W. The new Tiger Lake-H’s cTDP-down matches the cTDP-up of the highest-end Tiger Lake processor in the mobile segment.


Raising the cTDP-down also raises the processor’s base frequency. Whereas the Core i7-1185G7 runs at 1.2GHz at its cTDP-down of 12W, the Core i7-11375H runs at 3GHz at 28W, which is the cTDP-up frequency of the Core i7-1185G7.

Intel Tiger Lake-H performance and features overview.

Looking at the three SKUs, the only difference between the Core i7-11375H Special Edition and the Core i7-11370H is that the former has a 200MHz higher boost clock. The Core i5-11300H has the same number of cores but lower frequencies, as well as 4MB less cache.

Because Tiger Lake-H’s cTDP-down has more than doubled, it needs more powerful cooling solutions. Since it needs more thermal pampering, Tiger Lake-H will be more at home in gaming systems that have better cooling than ultraportables.

Intel has been making a push into the mobile gaming market. Despite its higher power profile, Tiger Lake-H will find itself in 14 to 15-inch laptops that are under 2cm thick.

Other than the tweaked power and thermal parameters, Tiger Lake-H looks identical to the high-end Tiger Lake U processors launched last year. In this launch, Intel could be trying to squeeze out more performance from its existing chips by tuning the power profiles until it could release the next product. Intel was not immediately available for comment.


And the next product is coming soon. The company also showcased an 8-core mobile processor that’s still in the works. Not much is known about this chip other than it can hit 5GHz across multiple cores.

Tiger Lake-H will come with DDR4 support, Wi-Fi 6 and 6E, PCIe Gen 4, and a resizable base address register (BAR) feature that will give the CPU access to the entire GPU memory. AMD’s Smart Access Memory (SAM) is built on the same concept.

New Celeron and Pentium processors for education

Remote learning has exponentially driven up the demand for affordable mobile PCs. Intel suggests that 10 per cent of all PCs purchased were for students. Targeting this sector, Intel launched the Pentium Silver N6000, Celeron N6211, Celeron N5100, and Celeron N4500 series processors built on the 10nm node. Intel claims that these new processors deliver up to 35 per cent overall application performance and 78 per cent better graphics performance gen-on-gen.

Core i9-11900K to lead Rocket Lake-S lineup, Alder Lake-S powered on

Intel also announced that Rocket Lake-S, the 11th generation desktop processors, will arrive in Q1 2021. The lineup will be led by the Core i9-11900K that features 8-cores and 16 threads. Rocket Lake’s Cypress Cove core architecture is a backport of Ice Lake’s 10nm Sunny Cove core architecture onto Intel’s 14nm node. It is not based on Tiger Lake’s Willow Cove core.

With the backport, Intel hopes to at least bring the architectural benefit of Sunny Cove to its 14nm node. According to the company, Rocket Lake-S achieves a 19 per cent instructions per cycle (IPC) improvement over Comet Lake-S. Several slides also show that the Core i9-11900K can hit a max frequency of 5.3GHz on a single core and 4.8GHz on all cores.

The Core i9-11900K is expected to carry 20 CPU PCIe 4.0 lanes, four more than what Comet Lake processors offer and a generation newer. It will support up to DDR4-3200 memory. Intel will release a new 500 series chipset with Rocket Lake-S, but the processor will be backward compatible with motherboards using Intel’s 400 series chipsets.

Looking towards the future, Intel’s 12th gen Alder Lake processors are set to arrive in the second half of 2021. In addition to its enhanced 10nm SuperFin transistor, Alder Lake will see a new design that combines performance cores and efficiency cores into a single product. This approach is reminiscent of the long-standing strategy adopted by smartphone processors.

Intel demonstrated an Alder Lake PC during its CES presentation.

The post CES 2021: Intel’s new vPro platform, Tiger Lake-H, new chips for education, and Rocket Lake-S first appeared on IT World Canada.

SolarWinds: What Hit Us Could Hit Others

New research into the malware that set the stage for the megabreach at IT vendor SolarWinds shows the perpetrators spent months inside the company’s software development labs honing their attack before inserting malicious code into updates that SolarWinds then shipped to thousands of customers. More worrisome, the research suggests the insidious methods used by the intruders to subvert the company’s software development pipeline could be repurposed against many other major software providers.

In a blog post published Jan. 11, SolarWinds said the attackers first compromised its development environment on Sept. 4, 2019. Soon after, the attackers began testing code designed to surreptitiously inject backdoors into Orion, a suite of tools used by many Fortune 500 firms and a broad swath of the federal government to manage their internal networks.


According to SolarWinds and a technical analysis from CrowdStrike, the intruders were trying to work out whether their “Sunspot” malware — designed specifically for use in undermining SolarWinds’ software development process — could successfully insert their malicious “Sunburst” backdoor into Orion products without tripping any alarms or alerting Orion developers.

In October 2019, SolarWinds pushed an update to their Orion customers that contained the modified test code. By February 2020, the intruders had used Sunspot to inject the Sunburst backdoor into the Orion source code, which was then digitally signed by the company and propagated to customers via SolarWinds’ software update process.

CrowdStrike said Sunspot was written to be able to detect when it was installed on a SolarWinds developer system, and to lie in wait until specific Orion source code files were accessed by developers. This allowed the intruders to “replace source code files during the build process, before compilation,” CrowdStrike wrote.

The attackers also included safeguards to prevent the backdoor code lines from appearing in Orion software build logs, and checks to ensure that such tampering wouldn’t cause build errors.

“The design of SUNSPOT suggests [the malware] developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers,” CrowdStrike wrote.

A third malware strain — dubbed “Teardrop” by FireEye, the company that first disclosed the SolarWinds attack in December — was installed via the backdoored Orion updates on networks that the SolarWinds attackers wanted to plunder more deeply.

So far, the Teardrop malware has been found on several government networks, including the Commerce, Energy and Treasury departments, the Department of Justice and the Administrative Office of the U.S. Courts.

SolarWinds emphasized that while the Sunspot code was specifically designed to compromise the integrity of its software development process, that same process is likely common across the software industry.

“Our concern is that right now similar processes may exist in software development environments at other companies throughout the world,” said SolarWinds CEO Sudhakar Ramakrishna. “The severity and complexity of this attack has taught us that more effectively combatting similar attacks in the future will require an industry-wide approach as well as public-private partnerships that leverage the skills, insight, knowledge, and resources of all constituents.”

TELUS Health: Accelerating digital health growth and adoption in response to COVID-19

A seasoned executive with extensive knowledge in health technology, TELUS Health’s director of business development and healthcare transformation, Kathryn Seeley answered a few of our questions.

The post TELUS Health: Accelerating digital health growth and adoption in response to COVID-19 first appeared on IT World Canada.

Veracode Named a Leader in The Forrester Wave: Static Application Security Testing, Q1 2021

If you’re looking to start or optimize an AppSec program in 2021, the Forrester Wave™ report is a good place to begin your research. The report not only details essential elements of AppSec solutions, but also ranks 12 static application security testing (SAST) vendors based on their current offering, strategy, and market presence.

Development speeds and methods are changing and the requirements for a SAST solution are evolving as well. Forrester notes that SAST providers need to build their security solutions into the software development lifecycle (SDLC); integrate them into the CI/CD pipeline; protect new architectures like containers; and provide accurate, actionable results.

To help development teams and security and risk professionals identify the industry’s foremost SAST providers, Forrester conducted a 28-criterion evaluation. The research and analysis identified Veracode as a leader among SAST providers. The Forrester report noted, “For firms looking for an enterprise-grade SAST tool, Veracode remains a top choice.”

The Forrester report specifically mentions, “Veracode has invested in the developer experience.” Veracode’s SAST offering is fully cloud-based and offers three different levels of scans that aid developers:

  • IDE Scan provides focused, real-time security feedback while the developer codes. It also helps developers remediate faster and learn on the job through positive reinforcement, remediation guidance, code examples, and links to Veracode application security (AppSec) tutorials.
  • Pipeline Scan happens in the build phase. It directly embeds into teams’ CI tooling and provides fast feedback on flaws being introduced on new commits. It helps answer the question, “is the code my team is writing secure?”
  • Policy Scan reviews code before production to ensure that applications are meeting policy compliance and industry standards. It helps answer the question, “are my organization's applications secure?”

Veracode also offers Security Labs, which trains developers to tackle evolving security threats by exploiting and patching real code. Through hands-on labs that use modern web apps, developers learn the skills and strategies that are directly applicable to their organization's code. Detailed progress reporting, email assignments, and a leaderboard encourage developers to continuously level up their secure coding skills.

We believe prioritization is another important strength for Veracode. As the Forrester report states, “…Veracode’s graphical representation of code flaws according to risk and ease of fix [are] unmatched in the market.” In addition, the report states, “References complimented Veracode's premium support,” and Veracode is highly rated by customers for remediation guidance. As one customer stated, “the relationship [with Veracode] really stands out.”

Learn more

Download The Forrester Wave™: Static Application Security Testing, Q1 2021 report to learn more on what to look for in a SAST vendor and for more information on Veracode’s position as a Leader.

Bains exits as Canadian innovation minister

Navdeep Bains, Minister of Innovation, Science and Industry says he does not intend to run in the next federal election for family reasons. A cabinet reshuffle was called by Trudeau this morning, who named a new foreign minister and shuffled other top players in his cabinet. Francois-Philippe Champagne will leave the foreign ministry to take…

The post Bains exits as Canadian innovation minister first appeared on IT World Canada.

Network equipment maker Ubiquiti urges admins to change passwords after third-party hack

Administrators with network equipment from manufacturer Ubiquiti are being urged to change their passwords and enable two-factor authentication after the company acknowledged a hack at a third party may endanger access.

The post Network equipment maker Ubiquiti urges admins to change passwords after third-party hack first appeared on IT World Canada.

Common development error likely led to huge Parler data theft, says expert

The huge theft of data from the controversial — and now almost homeless — social media app Parler was accomplished in part through a common web development mistake, according to one expert.

“Essentially the Parler [software] engineers made a mistake in that they allowed an endpoint [a web address] to exist that people could sequentially query,” says Matt Warner, CTO and co-founder of Blumira, an Ann Arbor, Mich.-based provider of cloud-based threat detection. “And if you can stand up enough people looking at different blocks of numbers you can essentially scrape nearly unlimited amounts of data through that endpoint.”

In short, the URLs Parler developers created included sequential numbers, like “ID=12345.” Knowledgeable people could guess the next numbered page was 12346 and would get a hit if access wasn’t protected.

That’s all right if the page is public. If it’s not — for example, it’s a page that only logged-in bank customer “Jane” is allowed to access — then once anyone is logged in they can see other pages/accounts just by changing the page number.

Software developers call this an insecure direct object reference (IDOR), and for years it was one of the Open Web Application Security Project’s (OWASP) Top 10 vulnerabilities. To be exploited, OWASP says, an IDOR issue must be combined with an access control problem, which gives an attacker access to a web page. Warner suggested the researchers or activists might have gained that access after several providers like Twilio dropped Parler after last week’s mob attack on the U.S. Congress. That may have impacted email verification, making it easier for new users to subscribe, opening the door to the IDOR exploit.

The data scraping happened shortly after it was revealed that Parler would be de-listed by providers because people involved in last week’s mob attack on the U.S. Congress used it to communicate. Apple and Google dropped Parler from their app stores, and Amazon stopped allowing Parler to use its hosting facilities. Parler is now suing Amazon.

In what Warner calls “probably the most co-ordinated hacktivism we’ve seen in a while,” some 15 people who were told of Parler’s vulnerabilities quickly copied apparently almost every user’s post and attachment. According to the news site Gizmodo, 56 terabytes of data has been captured.

A question of timing

One interesting question is whether the IDOR vulnerability was discovered after the incident in Washington, or if it’s been known for some time, according to Warner.

IDOR is “a really common risk” among developers who build their own websites and application programming interfaces (APIs), Warner said. “It used to be a lot more common five or 10 years ago when people were standing up early database-driven web sites. It’s not that common these days with the prevalence of UUIDs (universally unique identifier, sometimes called a globally unique identifier), which are long and complex [URL] IDs, but for whatever reason on this specific endpoint, which was associated with their mobile app, they weren’t doing that. And because of that it essentially exposed all of Parler’s attachments and metadata.”

It’s one of the reasons why application security and testing is essential, Warner said. “Parler more than likely didn’t have their application tested from a web application point of view. And it’s one of those things that can cascade very quickly just because it indicates other areas of risk within the environment — if you’re missing checks in this area you’re probably missing other areas in the application.”

IDOR vulnerabilities can be avoided if website designers make sure authentication and authorization of URLs are included early in development, says Warner. Otherwise, “if you have a lot of complex code you have to figure out where to jam that authentication check.”

Another way is to make sure sequential IDs are not part of page numbering, so people can’t guess or brute-force their way to pages.
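The mistake and both fixes described in this article, side by side, as an added example (not Parler's code and not from the original post). The in-memory store, handler names and sample records are constructed for illustration.

```python
import uuid
from dataclasses import dataclass, field


@dataclass
class Post:
    seq_id: int    # sequential database key, the "ID=12345" of the article
    owner: str
    private: bool
    body: str
    # Random, non-guessable external identifier (UUID version 4).
    public_id: str = field(default_factory=lambda: str(uuid.uuid4()))


# Constructed sample records.
POSTS = [
    Post(12345, "jane", True, "jane's private note"),
    Post(12346, "raj", True, "raj's private note"),
    Post(12347, "raj", False, "raj's public post"),
]
BY_SEQ = {p.seq_id: p for p in POSTS}
BY_PUBLIC = {p.public_id: p for p in POSTS}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_post_vulnerable(session_user, seq_id):
    """Before: login is checked, ownership is not, and IDs are sequential."""
    if session_user is None:
        raise Forbidden("login required")
    post = BY_SEQ.get(seq_id)
    if post is None:
        raise NotFound(seq_id)
    return post.body  # any logged-in user receives any record


def get_post_hardened(session_user, public_id):
    """After: random identifier plus a per-object authorization check."""
    post = BY_PUBLIC.get(public_id)
    # Missing and unauthorized produce the same error, so a response
    # never confirms that a private record exists.
    if post is None or (post.private and post.owner != session_user):
        raise NotFound(public_id)
    return post.body


def readable_by(handler, session_user, ids):
    """Access-control regression check: IDs for which the user gets content."""
    allowed = []
    for ident in ids:
        try:
            handler(session_user, ident)
            allowed.append(ident)
        except (Forbidden, NotFound):
            pass
    return allowed


if __name__ == "__main__":
    seq_ids = range(12345, 12348)
    print("vulnerable, as jane:", readable_by(get_post_vulnerable, "jane", seq_ids))
    public_ids = [p.public_id for p in POSTS]
    print("hardened, as jane:  ", readable_by(get_post_hardened, "jane", public_ids))
```

The second check passes jane every real identifier, including the UUID of raj's private post, and she is still refused it: the random ID only removes guessability, while the ownership check is what closes the hole.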

The post Common development error likely led to huge Parler data theft, says expert first appeared on IT World Canada.

Cisco Secure Endpoint Named an Endpoint Security Top Player

The Radicati Group has named Cisco a Top Player in the Endpoint Security – Market Quadrant 2020. Radicati recognizes endpoint security top players as “current market leaders with products that offer, both breadth and depth of functionality, as well as possess a solid vision for the future. Top Players shape the market with their technology and strategic vision.” We believe our leadership position in this report is validation of our robust, comprehensive and integrated approach and execution towards being our customers’ trusted endpoint security provider.

Cisco is a top player in the Radicati Market Quadrant for 2020 Endpoint Security

Cisco Secure Endpoint (formerly AMP for Endpoints) stands out from the competition for many reasons, and it all starts with our world-class threat intelligence organization, Talos. Talos constantly analyzes threat data and creates protections that Secure Endpoint uses to automatically protect organizations against known, unknown and emerging threats.

“That ability to push information automatically into Talos and then update the system automatically, saves us an enormous amount of time.”– Technical Director, read full review

We offer multifaceted prevention techniques as part of our Endpoint Platform Protection (EPP) capabilities, including machine learning, behavioral analysis, heuristics, sandboxing, and more, to prevent threats from entering the endpoint. We also offer unified user access and endpoint protection, allowing you to enforce multi-factor authentication and block the access of infected endpoints to sensitive information.

“It has decreased time to detection by 95%. A lot of the time, prior to having AMP…we weren’t aware of any type of malicious activity until it had an impact on the organization.” – Systems Architect, read full review

But we know that you can’t stop threats that you can’t see. So, Cisco Secure Endpoint goes beyond prevention by providing advanced Endpoint Detection and Response (EDR) capabilities to give you deep visibility into telemetry and potentially malicious file activity across your endpoint environment. This enables you to detect malicious activity fast and eliminate it before damage can be done.

“We had a 97% reduction in time to remediation, because it’s almost instantaneous. In the 18 months that we’ve had AMP, there has not been malicious activity on an endpoint that we weren’t able to resolve immediately.” – Systems Architect, read full review

Finally, we help you save time by enabling automation using our integrated architecture. Built-in to Cisco Secure Endpoint, the Cisco SecureX platform delivers threat response with automatic threat context enrichment and unified threat response capabilities across the entire security ecosystem, including Endpoints, Network, Email, DNS, and more to provide thorough network edge to endpoint visibility. Cisco Secure Endpoint works together with the rest of our integrated security portfolio so you can see more, detect faster and automatically block and respond to advanced threats.

“This solution interfaces with Talos Intelligence, Threat Grid, Threat Response, and SecureX. All of these things are integrating together, and a lot of stuff is now starting to happen automatically. So, I went from about 100 or so odd alerts a week to around five because everything is now happening on its own.” – Security Officer, read full review

Cisco Secure Endpoint has gained incredible momentum, including the introduction of our built-in SecureX platform, advanced EDR capabilities like live queries, cloud secure malware analytics, and human-driven threat hunting, continued enhancements to our prevention engines, and enhanced integration with third-party tools and our own growing security portfolio.

No other vendor can deliver both the strength of EPP and EDR and the breadth of integrated XDR capabilities from the edge to the endpoint that Cisco offers. We’re committed to continuing our momentum and helping our customers grow their businesses by protecting their environments from today’s threats.

 

Download Radicati’s 2020 Magic Quadrant for Endpoint Security.

 

Warning — 5 New Trojanized Android Apps Spying On Users In Pakistan

Cybersecurity researchers took the wraps off a new spyware operation targeting users in Pakistan that leverages trojanized versions of legitimate Android apps to carry out covert surveillance and espionage. Designed to masquerade apps such as the Pakistan Citizen Portal, a Muslim prayer-clock app called Pakistan Salat Time, Mobile Packages Pakistan, Registered SIMs Checker, and TPL Insurance,

Hashtag Trending – CES 2021 news drops already; Parler woes; New return policy turns heads

CES 2021 is in session, Parler’s controversy continues as it goes from number 1 to where’d it go, and a new retail policy where you can just keep your return items.

The post Hashtag Trending – CES 2021 news drops already; Parler woes; New return policy turns heads first appeared on IT World Canada.

Cloning Google Titan 2FA keys

This is a clever side-channel attack:

The cloning works by using a hot air gun and a scalpel to remove the plastic key casing and expose the NXP A700X chip, which acts as a secure element that stores the cryptographic secrets. Next, an attacker connects the chip to hardware and software that take measurements as the key is being used to authenticate on an existing account. Once the measurement-taking is finished, the attacker seals the chip in a new casing and returns it to the victim.

Extracting and later resealing the chip takes about four hours. It takes another six hours to take measurements for each account the attacker wants to hack. In other words, the process would take 10 hours to clone the key for a single account, 16 hours to clone a key for two accounts, and 22 hours for three accounts.

By observing the local electromagnetic radiations as the chip generates the digital signatures, the researchers exploit a side channel vulnerability in the NXP chip. The exploit allows an attacker to obtain the long-term elliptic curve digital signal algorithm private key designated for a given account. With the crypto key in hand, the attacker can then create her own key, which will work for each account she targeted.

The attack isn’t free, but it’s not expensive either:

A hacker would first have to steal a target’s account password and also gain covert possession of the physical key for as many as 10 hours. The cloning also requires up to $12,000 worth of equipment and custom software, plus an advanced background in electrical engineering and cryptography. That means the key cloning — were it ever to happen in the wild — would likely be done only by a nation-state pursuing its highest-value targets.

That last line about “nation-state pursuing its highest-value targets” is just not true. There are many other situations where this attack is feasible.

Note that the attack isn’t against the Google system specifically. It exploits a side-channel attack in the NXP chip. Which means that other systems are probably vulnerable:

While the researchers performed their attack on the Google Titan, they believe that other hardware that uses the A700X, or chips based on the A700X, may also be vulnerable. If true, that would include Yubico’s YubiKey NEO and several 2FA keys made by Feitian.

Security incident forces firm to consider its MSP options

This is the second in a series of three articles sponsored by Ricoh looking at how real companies facing transformation evaluated their MSP options. The variety of services MSPs provide can range from the monitoring of IT networks to being responsible for all repairs, updates, and patches, as well as providing new software, hardware, infrastructure,…

The post Security incident forces firm to consider its MSP options first appeared on IT World Canada.

Top 8 challenges IT leaders will face in 2021

Thanks to the tumultuous events of the past year, in 2021 IT professionals will face challenges in the workplace they’ve never seen before. There was no roadmap for taking much of the American workforce remote overnight, and none exists for a large-scale, staggered return to the hybrid environment of in-person and remote work that most organizations expect to make work in the months to come. 
