Category Archives: Authentication

Worst password offenders of 2018 exposed

Kanye West is the worst password offender of 2018, according to Dashlane. When visiting the White House, the famous rapper was spotted unlocking his iPhone with the passcode “000000”. The Pentagon made second place: an audit by the Government Accountability Office revealed easy-to-guess admin passwords and default passwords for multiple weapons systems. Other offenders on the list include: Italian company Ferrero, who offered spectacularly bad password advice to users (they suggested the use of “Nutella” … More

The post Worst password offenders of 2018 exposed appeared first on Help Net Security.

Latest Malware Strains Target Cloudera Hadoop for Bitcoin Mining and DDoS Attacks


Security researchers discovered that several new malware strains are targeting known Cloudera Hadoop vulnerabilities.

The malware variants, including XBash and DemonBot, target Hadoop clusters that are exposed to the internet and do not use Kerberos authentication, according to Cloudera. Compromised clusters are then abused for bitcoin mining and distributed denial-of-service (DDoS) attacks, which can significantly degrade performance within client environments.

These attacks succeed when a Cloudera Hadoop deployment is not properly configured and secured. For example, when Kerberos is not enabled cluster-wide, the Hadoop cluster becomes yet another possible attack vector.

The good news is that the attack techniques in question are not sophisticated and utilize known exploits, meaning organizations can protect themselves by taking the right precautions.

Protect Yourself With Strong Kerberos Authentication

Countering such attacks requires strong Kerberos authentication, so that privileged access is granted only to properly identified users. Without proper Kerberos authentication, any user can connect to Hadoop clusters, access the system and make bad choices.

To follow best practices, implement additional authentication steps to secure your Cloudera Hadoop clusters, including the following:

  • Secure default accounts and passwords.
  • Utilize Lightweight Directory Access Protocol (LDAP) authentication for Cloudera Manager.
  • Enable Sentry service using Kerberos.
  • Use a secure protocol such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
  • Secure default ports.

How do you know whether or not your environment is at risk to begin with? That’s where vulnerability scans come into play.

How to Identify if Your Cloudera Hadoop Clusters Are Affected

Vulnerability assessment solutions for Cloudera Hadoop can provide critical insight into your environment to help mitigate potential attacks. Advanced tools offer security checks and hardening rules to help customers secure their Hadoop clusters, provide rules to help identify Hadoop-specific vulnerabilities, and list detailed recommendations to fix and resolve the vulnerabilities.

To use vulnerability assessment tests to check whether a Cloudera authentication parameter is appropriately set to Kerberos — which is strongly recommended by Cloudera — an organization should take the following steps:

  1. Leverage a vulnerability assessment solution to run the following test: “Authentication method set to Kerberos.”
  2. If a cluster is properly configured, it will pass the test. Multiple clusters can be connected so that the test runs across all of them, giving visibility into their configuration status within minutes.
  3. After running the tests, organizations should attend to the clusters that did not pass. Note that such vulnerabilities can only be addressed with proper configuration, not by simply applying the latest security patches.
  4. Once the configurations have been updated and all nodes authenticate using Kerberos, the problem will be resolved.
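A minimal version of the “Authentication method set to Kerberos” test, added here as an example and not taken from Cloudera or any vendor's scanner. It parses Hadoop core-site.xml files; hadoop.security.authentication and hadoop.security.authorization are standard Hadoop properties, while the XML fragments and cluster names are constructed for the example.

```python
"""Added example: a minimal "Authentication method set to Kerberos" check over
Hadoop core-site.xml files. hadoop.security.authentication (simple|kerberos) and
hadoop.security.authorization (true|false) are standard Hadoop properties; the
XML and the cluster names below are constructed for this example."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed core-site.xml fragments, one per hypothetical cluster.
SAMPLE_CONFIGS: Dict[str, str] = {
    "prod-edge": """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>""",
    # Property absent: Hadoop falls back to its default, "simple" (no authentication).
    "analytics-dev": """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://analytics-dev:8020</value></property>
</configuration>""",
    "legacy-etl": """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.security.authorization</name><value>false</value></property>
</configuration>""",
}


def parse_hadoop_config(xml_text: str) -> Dict[str, str]:
    """Hadoop config files are a <configuration> list of <property><name/><value/>."""
    props: Dict[str, str] = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def kerberos_test(props: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Pass only if authentication is Kerberos AND authorization is enabled.
    A missing property is treated as Hadoop's insecure default, not as unknown."""
    findings: List[str] = []
    auth = props.get("hadoop.security.authentication", "simple").lower()
    if auth != "kerberos":
        findings.append(f"hadoop.security.authentication={auth!r}; expected 'kerberos'")
    authz = props.get("hadoop.security.authorization", "false").lower()
    if authz != "true":
        findings.append("hadoop.security.authorization is not 'true'")
    return (not findings, findings)


def assess(configs: Dict[str, str]) -> Dict[str, Tuple[bool, List[str]]]:
    """Run the test over every cluster; unparsable XML counts as a failure."""
    results: Dict[str, Tuple[bool, List[str]]] = {}
    for cluster, xml_text in configs.items():
        try:
            results[cluster] = kerberos_test(parse_hadoop_config(xml_text))
        except ET.ParseError as exc:
            results[cluster] = (False, [f"could not parse core-site.xml: {exc}"])
    return results


def failing_clusters(configs: Dict[str, str]) -> List[str]:
    """Clusters that need configuration work (patching alone will not fix them)."""
    return sorted(c for c, (ok, _) in assess(configs).items() if not ok)


if __name__ == "__main__":
    for cluster, (ok, findings) in assess(SAMPLE_CONFIGS).items():
        print(f"{cluster}: {'PASS' if ok else 'FAIL'}", *findings, sep="\n  ")
```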

As these recent attacks illustrate, vulnerability assessment is a critical piece of any comprehensive data protection program. Last year alone, more than 2 billion records were exposed due to misconfigurations — a number that could have been drastically reduced if teams had been leveraging vulnerability scanning tools.

Source: Cloudera

The post Latest Malware Strains Target Cloudera Hadoop for Bitcoin Mining and DDoS Attacks appeared first on Security Intelligence.

Protect the Keys to Your Kingdom With Privileged Access Management

The importance of implementing privileged access management (PAM) is undeniable. A user with privileged access holds the keys to the kingdom: access to the highly valuable and confidential information that is often targeted by cybercriminals and malicious insiders. In fact, Gartner listed PAM as the No. 1 project for security teams to explore in 2018.

“This project is intended to make it harder for attackers to access privileged accounts and should allow security teams to monitor behaviors for unusual access,” Gartner advises.

PAM tools are critically important and must work together with identity governance, authentication, and application, network and cloud security. But how are organizations doing with actually implementing PAM solutions?

Thycotic, a PAM provider and partner of IBM Security, released its “2018 Global State of Privileged Access Management Risk and Compliance” report earlier this year. The report revealed that privileged credentials are at great risk due to inadequate policies, poorly executed processes and insufficient controls. There are major risk and compliance gaps in how organizations manage and secure their privileged accounts and access to sensitive systems, infrastructure and data. While most organizations acknowledge the important role PAM plays in their cybersecurity posture, a shocking 70 percent of organizations would fail an access controls audit, putting their privileged credentials at high risk.

Establish Consistent Access Control Processes

Organizations must develop consistent processes when granting access for employees to handle privileged accounts and passwords securely. This ensures that access is gained properly for privileged users. Without implementing consistent, repeatable access control processes, such as rotating passwords, enabling and revoking access, and making it easier to create risk and compliance reports, the organization is at risk.

As stated in the Thycotic report, 70 percent of organizations fail to fully discover privileged accounts, and 40 percent do nothing at all to discover these accounts. You cannot secure and manage what you do not know you have. Privileged accounts are often unknown, unmanaged and unprotected due to manual processes or error. There must be an established privileged account discovery process in place.

Audit and Track User Behavior

As Gartner noted, security teams should be able to monitor user behavior for unusual access. This is crucial, especially when it comes to privileged access. According to the Thycotic report, 63 percent of organizations do not track and alert on failed login attempts for privileged accounts.

All critical systems should have full audit logs to track logins and activities. Access to audit logs should be restricted, and they should be checked regularly and monitored for changes. Without auditing and tracking, there is no accountability for who is using these accounts and no way to properly analyze an incident and mitigate its damage.

Take Control of Your Privileged Access Management

Don’t get left in the dust. Build a proactive PAM program that doesn’t fall short on policies, processes and controls. A leading privileged access management solution should protect privileged accounts from cybercriminals and insider threats, help ensure compliance with evolving regulations, and give authorized employees access to the tools and information they need to drive productivity. Lastly, it should protect privileged accounts from misuse and enable organizations to enforce least privilege policies and control applications to reduce their attack surface.

Download the report

The post Protect the Keys to Your Kingdom With Privileged Access Management appeared first on Security Intelligence.

Researchers create AI that could spell the end for website security captchas

Researchers have created new artificial intelligence that could spell the end for one of the most widely used website security systems. The new algorithm, based on deep learning methods, is the most effective solver of captcha security and authentication systems to date and is able to defeat versions of text captcha schemes used to defend the majority of the world’s most popular websites. Text-based captchas use a jumble of letters and numbers, along with other … More

The post Researchers create AI that could spell the end for website security captchas appeared first on Help Net Security.

Key reasons holding back MFA adoption by mainframe customers

While 64 per cent of mainframers are aware that multi-factor authentication (MFA) is now available to control access to mainframe applications, only 20 per cent acknowledge their organization is already using it or plans to do so, according to Macro 4. Concerns about disrupting applications, lack of mainframe and security skills and resistance from end users are some of the issues holding back adoption. “With data protection and security a major priority among most enterprises, … More

The post Key reasons holding back MFA adoption by mainframe customers appeared first on Help Net Security.

Using Machine Learning to Create Fake Fingerprints

Researchers are able to create fake fingerprints that result in a 20% false-positive rate.

The problem is that these sensors obtain only partial images of users' fingerprints -- at the points where they make contact with the scanner. The paper noted that since partial prints are not as distinctive as complete prints, the chances of one partial print getting matched with another is high.

The artificially generated prints, dubbed DeepMasterPrints by the researchers, capitalize on the aforementioned vulnerability to accurately imitate one in five fingerprints in a database. The database was originally supposed to have only an error rate of one in a thousand.

Another vulnerability exploited by the researchers was the high prevalence of some natural fingerprint features such as loops and whorls, compared to others. With this understanding, the team generated some prints that contain several of these common features. They found that these artificial prints were more likely to match with other prints than would be normally possible.

If this result is robust -- and I assume it will be improved upon over the coming years -- it will make the current generation of fingerprint readers obsolete as secure biometrics. It also opens a new chapter in the arms race between biometric authentication systems and fake biometrics that can fool them.

More interestingly, I wonder if similar techniques can be brought to bear against other biometrics as well.

Research paper.

Slashdot thread

Security Affairs: Flaw allowing identity spoofing affects authentication based on German eID cards

The authentication process via German eID cards with RFID chips is flawed: an attacker could impersonate any other citizen.

The nightmare has come true: the authentication process via German eID cards with RFID chips is flawed, and the bug could allow an attacker to spoof an identity and change the date of birth.

The situation is very serious: the new cards are accepted as an ID document in most European countries and allow German citizens to access online government services (e.g. the tax service).

The German ID cards issued since November 1st, 2010 store the holder’s information (name, date of birth, a biometric picture and, optionally, fingerprints) in an embedded radio frequency identification (RFID) chip.

The cards can be used to authenticate the holder via the RFID chip; in this scenario an eID application (e.g. AusweisApp) is used together with an RFID smartcard reader.

The mutual authentication relies on a PKI. The authentication process starts with the web application sending a request to the eID client, which initiates all further steps needed for the authentication and asks the user for a PIN.

The web application communicates with an authentication server (eID-Server or SAML-Processor) that supplies the data read from the RFID chip (e.g. the citizen’s name or date of birth).

German eID cards

To prevent eavesdropping, the response is digitally signed by the authentication server.

Security researchers at SEC Consult Vulnerability Lab demonstrated that it is possible to spoof the identity of a German eID card holder and alter data.

The security expert Wolfgang Ettlinger at SEC Consult Vulnerability Lab discovered a flaw in the Governikus Autent SDK, which companies can use to implement ID card authentication for a web service via German eID cards.

The expert devised a method to alter the digitally signed response from the server while keeping it valid for the client; he was able to authenticate with an arbitrary name (he used the name and address of the popular writer Johann Wolfgang von Goethe) against a demo version of the AusweisApp eID client.

The expert discovered that the signature verification routine in the Governikus Autent SDK does not handle a parameter with the same name occurring multiple times. This means the parameter is validated only once; the other instances are processed as if they had already passed verification.

“The vulnerability abuses the fact that HTTP allows multiple parameters having the same name. When the method HttpRedirectUtils.checkQueryString creates a canonical version of the query string, it parses the parameters from it and generates a new query string with the parameters placed in a specific order. The case that a parameter can occur multiple times, is not considered.” reads the analysis published by the expert.

“If an attacker supplies multiple parameters named SAMLResponse, the signature is verified against the last occurrence of the parameter, while the SAML response that is processed further, will be taken from the first occurrence.”

All the attacker needs is a query string signed by the authentication server, regardless of whether it has already expired, because the expiration check is performed on the manipulated data. According to the expert, such a string could be easily obtained using a Google search for eID client logs.

Ettlinger published a video PoC of the attack:

The vulnerability affects Web applications running Autent SDK 3.8.1 and earlier that handle duplicate HTTP parameters.

SEC Consult privately reported technical details of the issues to CERT-Bund in July, and Governikus released version 3.8.1.2 of its SDK to fix the flaw.

Experts pointed out that the attack works only partially for services that require an initial registration.

“The id card authentication specification includes the concept of pseudonyms. A pseudonym is a random-looking string generated by the id card. For each web application, the id card generates a different pseudonym. When the user creates an account, the pseudonym is stored by the web application. During login, the web application only needs to request the pseudonym string from the id card and compare it with the values stored in its user database.” conclude the experts.

“As another user’s pseudonym is not easily guessable, an attacker cannot log in as another user. The account creation step, however, is still affected by this vulnerability as the attacker could simply generate a random pseudonym. Moreover, this attack is only applicable to web applications that use the method HttpServletRequest.getParameter.”
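The duplicate-parameter flaw and its fix, modelled in Python as an added example that is not Governikus’ or SEC Consult’s code: an HMAC stands in for the eID-Server’s signature, and the key, parameter values and function names are constructed assumptions. The point is that the signed data and the consumed data must be the very same value, which the hardened check guarantees by rejecting repeated names.

```python
"""Added example (not Governikus' or SEC Consult's code): the duplicate-parameter
signature bypass described above, beside a hardened check. The eID-Server's RSA
signature is stood in for by an HMAC over a canonical query string; the key,
parameter values and names below are constructed for this example."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, urlencode

SERVER_KEY = b"constructed-eid-server-key"  # stand-in for the server's signing key


def server_sign(params: dict) -> str:
    """Constructed eID-Server: sign the canonical (name-sorted) form of the params."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def vulnerable_check(query: str) -> Optional[dict]:
    """Models the flawed checkQueryString: canonicalising into a dict means the
    LAST occurrence of a repeated name is what the signature covers, while the
    application (getParameter semantics) later consumes the FIRST occurrence."""
    pairs = parse_qsl(query, keep_blank_values=True)
    canonical = {}
    for name, value in pairs:           # later duplicates silently overwrite earlier ones
        canonical[name] = value
    signature = canonical.pop("Signature", "")
    if not hmac.compare_digest(server_sign(canonical), signature):
        return None
    first = {}
    for name, value in pairs:           # getParameter returns the first value
        first.setdefault(name, value)
    return {"SAMLResponse": first.get("SAMLResponse")}


def hardened_check(query: str) -> Optional[dict]:
    """Fix: refuse any repeated parameter name, then verify and consume the one
    and only value, so the signed data and the processed data cannot diverge."""
    pairs = parse_qsl(query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    if len(names) != len(set(names)):
        return None                     # duplicate parameter: reject the request
    params = dict(pairs)
    signature = params.pop("Signature", "")
    if not hmac.compare_digest(server_sign(params), signature):
        return None
    return {"SAMLResponse": params.get("SAMLResponse")}


def build_queries():
    """Constructed traffic: a genuine signed redirect, and the same redirect with
    a second SAMLResponse prepended, which is the shape the advisory describes."""
    genuine = {"SAMLResponse": "GENUINE_RESPONSE_FOR_ALICE", "RelayState": "login"}
    signed_query = urlencode(genuine) + "&Signature=" + server_sign(genuine)
    forged_query = urlencode({"SAMLResponse": "FORGED_RESPONSE_FOR_GOETHE"}) + "&" + signed_query
    return signed_query, forged_query


if __name__ == "__main__":
    signed, forged = build_queries()
    print("vulnerable, genuine:", vulnerable_check(signed))
    print("vulnerable, forged: ", vulnerable_check(forged))   # accepts the forged value
    print("hardened, genuine:  ", hardened_check(signed))
    print("hardened, forged:   ", hardened_check(forged))     # None: rejected
```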

Pierluigi Paganini

(Security Affairs – German eID cards, hacking)

The post Flaw allowing identity spoofing affects authentication based on German eID cards appeared first on Security Affairs.




Cyber Monday 2018: 5 Best Practices to Protect Consumer Data

Cyber Monday is coming. Last year, the online shopping event generated $6.6 billion, according to Forbes, and marked “the largest online shopping day in U.S. history.” According to CNBC, consumer spending is up strongly this year, suggesting that Cyber Monday 2018 could be another record-breaker.

Given the sheer number of customers, websites and companies that drive Cyber Monday success, consumers and businesses need to make sure security doesn’t get lost in the hustle and bustle. Cybercriminals are hoping that in all the commotion they can compromise user accounts, infect corporate websites and crack business networks.

With customers expecting both great sales and solid security, organizations must improve their data protection practices and implement effective defense strategies ahead of the online onslaught.

Listen to the podcast: The State of Retail Cybersecurity Ahead of the 2018 Holiday Season

Why Retailers Must Adapt to the Evolving Landscape

Although Cyber Monday only started in 2005, the online sales frenzy has almost caught up to Black Friday in sheer sales numbers. Increasing familiarity with e-commerce stores and trust in digital transactions are paving the way. Fortune reported that more than 174 million American shoppers participated both online and in-store over the last Black Friday/Cyber Monday weekend — meaning that opportunities abound for attackers across platforms.

It’s up to retailers to justify and preserve the comfort levels that are driving their success. If cybercriminals are able to infiltrate smartphones and desktops with malware and phishing emails, consumers may unwittingly hand over account credentials and financial information. If companies can’t secure e-commerce portals, fraudsters could gain visibility into all transactions or place fraudulent orders and charge them to unsuspecting customers.

For retail companies, the trend is clear: Cyber Monday interest is on the rise among both consumers and criminals, meaning it’s no longer an option to post great deals without great security to back them up. Now, the holiday season calls for greater cybersecurity vigilance than ever, supported by evolving information security best practices for retailers.

Watch for This Year’s Most Common Scams

According to ACI Worldwide, fraud attempts are projected to increase 14 percent between Thanksgiving and Cyber Monday, with the average cost of fraudulent transactions rising 3 percent to $243. Meanwhile, the firm forecast the volume of purchases to increase by 18 percent as values rise by 19 percent.

Since more is at stake than ever for shoppers and retailers this season, cybercriminals are also varying their approaches, opting for omnichannel attacks across e-commerce sites, call centers, email accounts and in-store pickup programs, according to ACI Worldwide.

TechRadar reported that phishing attacks still account for half of all online fraud. That’s simply because they work: Well-crafted emails that convey a sense of urgency and create an emotional response can fool even experienced cybershoppers.

Meanwhile, Security Boulevard reported that threat actors also like to eavesdrop on insecure Hypertext Transfer Protocol (HTTP) sites and Wi-Fi to steal credentials and account information, leverage compromised devices to install keyloggers, and typosquat to create domain names that are very similar to popular Cyber Monday sites to collect and monetize consumer information.

5 Steps to Optimize Cyber Monday 2018 Protection

All the usual advice for consumer protection on Cyber Monday applies: Don’t save financial information on websites, watch out for email scams and avoid deals that are too good to be true. But retailers must hold up their end of the security deal as well.

Here are some security best practices for retailers to implement to keep consumers safe and protect corporate networks during the post-Thanksgiving shopping rush.

1. Account for Time

As noted by Forbes, cyberattackers don’t keep regular business hours. As a result, fraud rates may rise during off-peak traffic hours when there are fewer consumers shopping, but also fewer security personnel on duty.

Retailers should consider adding extra information security staff for the holiday season or implementing additional fraud checks for purchases made from different countries or after usual business hours.

2. Limit Purchase Velocity

Speed is another way malicious actors attempt to defraud Cyber Monday retailers. Instead of making high-value transactions that may be flagged as suspicious, attackers often make high-volume transactions — up to 10 times more quickly than legitimate users — to generate greater revenue.

Here, machine learning tools are invaluable assets to help identify and eliminate rapid-fire transactions.

3. Authenticate Users

Authentication is critical to Cyber Monday security. With many users still using weak passwords across websites — many of which are stolen in phishing scams — retail companies should implement two-factor authentication (2FA) wherever possible. Even low-friction options such as email or mobile codes can significantly reduce fraud and boost consumer confidence.

4. Separate Infrastructure

With many retail merchants now deploying both online and in-store sales to capture customer attention across Thanksgiving weekend, there’s an emerging need to separate point-of-sale (POS) and corporate infrastructure. This ensures that in-store device breaches don’t compromise e-commerce sites, and vice versa.

5. Manage Permissions

Who has access to what, when and why? Threat actors often exploit the chaos associated with Cyber Monday to infiltrate networks, install keyloggers and wait. It’s time for retailers to implement effective identity and access management (IAM) solutions that permit granular, permissions-based assignments of roles and responsibilities to foil criminal attempts to breach corporate systems.

Attackers are gearing up for one of the most lucrative days of their year on Cyber Monday. For retailers, the combination of increased consumer spending and security expectations demands stringent security practices that account for common threat vectors, prioritize user authentication, separate infrastructure and effectively manage permissions inside and outside the enterprise.


The post Cyber Monday 2018: 5 Best Practices to Protect Consumer Data appeared first on Security Intelligence.

Business email compromise scam costs Pathé $21.5 million

Recently released court documents show that European-based cinema chain Pathé lost a small fortune to a business email compromise (BEC) scam in March 2018. How much? An astonishing US$21.5 million (roughly 19 million euros). The attack, which ran for about a month, cost the company 10 percent of its total earnings.

What is business email compromise?

Business email compromise is a type of phishing attack, sprinkled with a dash of targeted social engineering. A scammer pretends to be an organisation’s CEO, then starts bombarding the CFO with urgent requests for a money transfer. The requests are generally for wire transfers (hard to trace), and are often routed through Hong Kong (lots of wire transfers, even harder to trace).

Scammers will sometimes buy domain names to make the fake emails look even more convincing. These attacks rely on the social importance of the CEO: nobody wants to question the boss. If an organisation has no safeguards in place against these attacks, a scammer will likely be very rich indeed. It only takes one successful scam to generate a huge haul, at which point the scammer simply vanishes into the ether.

What happened here?

This particular BEC scam is of interest because it highlights a slightly different approach to the attack. Scammers abandoned pitting the fake CEO against the real CFO in favour of faking French head office missives to the Dutch management.

It all begins with the following mail:

“We are currently carrying out a financial transaction for the acquisition of foreign corporation based in Dubai. The transaction must remain strictly confidential. No one else has to be made aware of it in order to give us an advantage over our competitors.”

Even though the CFO and CEO thought it strange, they pressed on regardless and sent over 800,000 euros. More requests followed, including some while the CFO was on vacation—both executives were fired after the head office noticed. Although they weren’t involved in the fraud, Pathé said they could—and should—have noticed the “red flags.” They didn’t, and there was no safety net in place, so the business email compromise attempt was devastatingly successful.

The shame game

Many instances of BEC fraud go unreported because nobody wants to voluntarily admit they fell victim. As a result, the first you tend to hear about it is in court proceedings. It’s hard to guess how much is really lost to BEC fraud, but the FBI has previously floated a $2.1 billion figure. The actual figure could easily be higher.

How can businesses combat this?

  1. Check the social media accounts and other online portals of your executives, and have those connected to finance make their profiles as private—and secure—as possible. You can certainly reduce a CFO’s online footprint, even if you can’t remove it completely.
  2. Authentication is key. The CFO and CEO, or whoever is responsible for wire authorisation, should have a special process in place for approvals. It shouldn’t be email based, as that’s how people end up in BEC scam trouble in the first place. If you have a unique, secure method of communication, then use it. If you can lock down approvals with additional security like two-factor authentication, then do so. Some organisations make use of bespoke, offline authenticator apps on personal devices. The solution is out there!
  3. If you have many offices, and different branches move money around independently, the same rules apply: find a consistent method of authentication that can be used across multiple locations. This would have almost certainly saved Pathé from losing $21.5 million.
  4. When there’s no other way to lock things down, it’s time to break out the telephone and rely on verbal authentication. While this may cause a small amount of business drag (If you’re on the other side of the world, is your CFO fielding calls at 2:00am?), it’s better than losing everything.

A threat worth tackling

Business email compromise continues to grow in popularity among scammers, and it’s up to all of us to combat it. If your organisation doesn’t take BEC seriously, you could easily be on the receiving end of an eye-watering phone call from your bank manager. Keeping your finances in the black is a priority, and BECs are one of the most insidious threats around, whether you distribute movies, IT services, or anything else for that matter. Don’t let malicious individuals decide when to call things a wrap.

The post Business email compromise scam costs Pathé $21.5 million appeared first on Malwarebytes Labs.

Major SMS Leak Exposed Millions Of Messages

Two-factor authentication codes were also exposed in Voxox leak. A huge database with user names, smartphone numbers, SMS messages and even two-factor authentication codes has been exposed, putting personal details at

The post Major SMS Leak Exposed Millions Of Messages appeared first on The Cyber Security Place.

Review: Specops Password Policy

All who work in the information security industry agree that passwords are one of the worst security nightmares of the modern information security age. Having weak passwords – even as part of a multi-factor authentication scheme – degrades the security posture of an organization. Unfortunately, as passwords scale well, they are still present in practically every organization and even central authentication places like Active Directory. There are multiple security controls, even in core operating systems, … More

The post Review: Specops Password Policy appeared first on Help Net Security.

Privacy and Permissions | Google+

With Google making headlines about the privacy of apps and the breaking news of the Facebook data breach earlier this year, it has become clear that the apps on our phones are now holding, and disseminating, large amounts of data and are doing so most of the time. More often than not, we as consumers don’t know what they are sharing or what we have given consent for these apps to do.

We often trade privacy and data usage agreements we might not be comfortable with, for a membership to an online community, an app, or a network.

Kit Walsh, a staff attorney with the Electronic Frontier Foundation, a digital rights advocacy group, said: “It would take you two months to read all of the agreements that you click through in a year. The PayPal terms of service is longer than ‘Hamlet’ and a lot less interesting to read.”

In this age of data prevalence and machine learning, permission is an increasingly valuable asset. Privacy permissions are supposed to provide a barrier between the information shared and the app creators – but these permissions are often vague, and at times obscure what functionality the permissions you are granting actually enable.

Where once companies created seemingly intentionally long privacy policies, the increased scrutiny from federal regulators has caused tech companies to take steps in improving and clarifying privacy policies for their users. With the latest announcement of Google discovering a bug that allowed app developers to access users’ data as well as their friends’, Google is taking steps to up its protections.

Customers have expectations for who they do business with, and if they are willing to trust a company with their data, privacy and protection should be upheld. Transparency in security measures is especially important today because fraudsters evolve with, and know the ins and outs of, authentication and security measures. Privacy policies and security measures can demonstrate that customer experience is a priority by use of technology like machine learning and AI – rather than easily bypassed traditional methods of authentication.

The post Privacy and Permissions | Google+ appeared first on Pindrop.

NBlog Oct 13/2 – CERT NZ goes phishing

CERT NZ (apparently) has once again circulated an email warning about phishing, containing a distinctly phishy link to "READ MORE INFORMATION". The hyperlink leads from there to certnz.cmail20.com with a tracker-type URL tail.

Unlike most of the intended audience, I guess, I'm cyber-smart enough to check out the whois record: cmail20.com domain is registered to Campaign Monitor Pty Ltd of New South Wales - presumably a legitimate mass emailer/marketing company whose services are being used by CERT NZ to circulate the warnings - but that's not the point: the fact is that the embedded link target is patently not CERT NZ's own domain.

What's more, the body of the email is a rather vaguely-worded warning, not entirely dissimilar to many a classic phisher. "Nasty stuff is going to happen unless you do something" just about sums it up. It isn't even addressed to me by name, despite me being required to supply my name and email address when I signed up for CERT NZ's "updates". They know who I am.

I've notified CERT NZ about this kind of thing privately before, to no avail, so this time around I'm going public, here on the blog.

CERT NZ, you are perpetuating the problem. Wake up guys! It's simply not good enough. I expect more of you. Your sponsors, partners and taxpayers expect more of you. NZ expects more of you.

Is it really that difficult to either drop the marketing tracking, or at least to route clickers via cert.govt.nz first, with a redirect from there to the tracker?

Is there nobody in CERT NZ with sufficient clue to appreciate and respond to such an obvious concern? 

Am I wasting these bytes? Hello, CERT NZ! Anyone home?

Ironically, CERT NZ has allegedly been promoting the past five days as "Cyber Smart Week 2018", which as far as I can make out appears to consist of a single web page on CERT NZ's website expanding a little on these four simple tips:
  1. Use unique passwords
  2. Turn on 2FA
  3. Update your apps
  4. Check your privacy

Admirably brief ... but there's nothing explicit about phishing or business email compromise, nor social engineering, scams and frauds. No obvious links to further information. 

Ironically, again, the Cyber Smart page ends: 
"Report any cyber security issue you experience to CERT NZ. We’ll help you identify it and let you know what the next steps are to resolve it. We’ll also use the information to create advice and guidance for others who might be experiencing the same issue."
Been there, done that, got precisely nowhere. I despair.

Next time I receive a phishing-like email from CERT NZ, I'll take it up with the news media. Maybe they care as much as me.
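The concern above (a warning email whose call-to-action points at a third-party tracker rather than the sender's own domain) is exactly the kind of thing a mail gateway or a careful recipient can check mechanically. The following is an added example, not the author's tooling or CERT NZ's: it extracts every hyperlink from an HTML message and flags those whose registrable domain differs from the sender's. The tiny suffix table stands in for the full Public Suffix List (an assumption; a production check should load the real list), and the sample message is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Stand-in for the Public Suffix List (assumption for the example; load the real list in practice).
PUBLIC_SUFFIXES = {"com", "org", "net", "nz", "co.nz", "govt.nz", "org.nz"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain of a hostname: one label above its public suffix."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so "govt.nz" wins over "nz".
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return suffix if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # fallback for suffixes missing from the table


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], " ".join(self._current[1].split())))
            self._current = None


def find_offdomain_links(sender_address: str, html_body: str) -> list:
    """Flag links whose registrable domain is not the sender's. mailto: and relative links are skipped."""
    sender_domain = registrable_domain(sender_address.rsplit("@", 1)[1])
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname
        if not host:
            continue
        link_domain = registrable_domain(host)
        if link_domain != sender_domain:
            findings.append({"href": href, "text": text,
                             "link_domain": link_domain, "sender_domain": sender_domain})
    return findings


# Constructed sample: the sender is on cert.govt.nz, the call-to-action is on a tracker domain.
SAMPLE_SENDER = "updates@cert.govt.nz"
SAMPLE_BODY = """
<p>Phishing campaigns are on the rise.</p>
<p><a href="https://www.cert.govt.nz/individuals/">Our guidance</a></p>
<p><a href="https://certnz.cmail20.com/t/example-tracker-id">READ MORE INFORMATION</a></p>
<p><a href="mailto:info@cert.govt.nz">Contact us</a></p>
"""

if __name__ == "__main__":
    for finding in find_offdomain_links(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"off-domain link: '{finding['text']}' -> {finding['href']} "
              f"({finding['link_domain']} != {finding['sender_domain']})")
```

Routing clicks through a page on the sender's own domain and redirecting from there, as the post suggests, would make this check pass while keeping the tracking; the check is deliberately blind to where the link goes after the first hop, because that first hop is all the recipient can see in the message.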

The Future of Voice, Fraud, and the Impact to CX | A Recap

Voice is growing out of the call center and out of your telephone, and into the next interface. In previous years, we have released fraud reports revolving around the call center, but with the expansion of voice, and the fraud that follows, we have shifted our perspective to voice intelligence – after all, voice is everywhere: your digital assistant, your latest kitchen appliance, and even your car.

Successive economic eras have passed us by: first digitalization, then the wave of mobile devices, and now voice – paving the way to the conversational economy. Each of these eras brings its own collection of problems – and fraudsters are not letting up. There has been a 350% increase in phone fraud from 2013 to 2017, and a 47% increase from last year. Banks and the insurance industry are experiencing a higher level of fraud, with a 20% and 36% increase in fraud year over year respectively.

So how did we get to these increased fraud rates?

There has been an increasing number of data breaches year over year; last year, there were 1,300 data breaches. These breaches make it easy for criminals to commit fraud – ultimately feeding into the $1.5 trillion cybercrime market. Additionally, a lot of enterprises rely heavily on KBAs, or knowledge-based authentication questions, which function as secrets for security. These “secrets” can be easily obtained through social engineering or through the black market.

The arrival of the omnichannel has not helped with containing fraud – consumers want to be able to contact a business through any channel, with the expectations for the experience to remain consistent. However, there are consequences for the omnichannel – it allows fraudsters to use resources from one channel to access an individual’s details in another channel. Lastly, as we build more tools to stop fraud, fraudsters are evolving quickly and learning how to combat these security measures.

Overall, fraud is the ultimate impact to customer experience – your customers have expectations for who they do business with, and if they expect their data to be safe with you, this should be upheld. We’re living in a world where consumers are likely to switch who they do business with if their customer experience expectations are not fulfilled.

For more information on the future of voice, fraud in the voice channel, and the impact it has on customer experience, tune into our on-demand webinar here.

The post The Future of Voice, Fraud, and the Impact to CX | A Recap appeared first on Pindrop.

NBlog Oct – phishing awareness & training module

It's out: a fully revised (almost completely rewritten!) awareness and training module on phishing.

Phishing is one of many social engineering threats, perhaps the most widespread and most threatening.

Socially-engineering people into opening malicious messages, attachments and links has proven an effective way to bypass many technical security controls.

Phishing is a business enterprise, and a highly profitable and successful one, making this a growth industry. Typical losses from phishing attacks have been estimated at $1.6m per incident, with some stretching into the tens and perhaps hundreds of millions of dollars.

Just as Advanced Persistent Threat (APT) takes malware to a higher level of risk, so Business Email Compromise (BEC) puts an even more sinister spin on regular phishing. With BEC, the social engineering is custom-designed to coerce employees in powerful, trusted corporate roles to compromise their organizations, for example by making unauthorized and inappropriate wire transfers or online payments from corporate bank accounts to accounts controlled by the fraudsters.

As with ordinary phishing, the fraudsters behind BEC and other novel forms of social engineering have plenty of opportunities to develop variants of existing attacks as well as developing totally novel ones. Therefore, we can expect to see more numerous, sophisticated and costly incidents as a result. Aggressive dark-side innovation is a particular feature of the challenges in this area, making creative approaches to awareness and training (such as NoticeBored!) even more valuable. We hope to prompt managers and professionals especially to think through the ramifications of the specific incidents described, generalize the lessons and consider the broader implications. We’re doing our best to make the organization future-proof. It’s a big ask though! Good luck.

Learning objectives

October’s module is designed to:
  • Introduce and explain phishing and related threats in straightforward terms, illustrated with examples and diagrams;
  • Expand on the associated information risks and controls, from the dual perspectives of individuals and the organization;
  • Encourage individuals to spot and react appropriately to possible phishing attempts targeting them personally;
  • Encourage workers to spot and react appropriately to phishing and BEC attacks targeting the organization, plus other social engineering attacks, frauds and scams;
  • Stimulate people to think - and most of all act - more securely in a general way, for example being more alert for the clues or indicators of trouble ahead, and reporting them.
Consider your organization’s learning objectives in relation to phishing. Are there specific concerns in this area, or just a general interest? Has your organization been used as a phishing lure, maybe, or suffered spear-phishing or BEC incidents? Do you feel particularly vulnerable in some way, perhaps having narrowly avoided disaster (a near-miss)? Are there certain business units, departments, functions, teams or individuals that could really do with a knowledge and motivational boost? Lots to think about this month!

Content outline



Get in touch to purchase the phishing module alone, or to subscribe to the NoticeBored service for more like this every month. Phishing is undoubtedly an important topic for awareness and training, but definitely not the only one. Build and sustain your corporate security culture through NoticeBored.

NBlog Sept 28 – phishing awareness module imminent

Things are falling rapidly into place as the delivery deadline for October's NoticeBored awareness module on phishing looms large.

Three cool awareness poster graphics are in from the art department, and three awareness seminars are about done.

The seminar slides and speaker notes, in turn, form the basis for accompanying awareness briefings for staff, managers and professionals, respectively.

We also have two 'scam alert' one-pagers, plus the usual set of supporting collateral all coming along nicely - a train-the-trainer guide on how to get the best out of the new batch of materials, an awareness challenge/quiz, an extensive glossary (with a few new phishing-related terms added this month), an updated policy template, Internal Controls Questionnaire (IT audit checklist), board agenda, phishing maturity metric, and newsletter. Lots on the go and several gaps to be plugged yet.


Today we're ploughing on, full speed ahead thanks to copious fresh coffee and Guy Garvey singing "It's all gonna be magnificent" on the office sound system to encourage us rapidly towards the end of another month's furrow.  So inspirational!  

We've drawn from at least five phishing-related reports and countless Internet sources, stitching together a patchwork of data, analysis and advice in a more coherent form that makes sense to our three audience groups. I rely on a plain text file of notes, mostly quotable paragraphs and URLs for the sources since we always credit our sources. There are so many aspects to phishing that I'd be lost without my notes! As it is, I have a head full of stuff on the go so I press ahead with the remaining writing or I'll either lose the plot completely or burst!

For most organizations, security awareness and training is just another thing on a long to-do list with limited resources and many competing priorities, whereas we have the benefit of our well-practiced production methods and team, and the luxury of being able to concentrate on the single topic at hand. We do have other things going on, not least running the business, feeding the animals and blogging. But today is when the next module falls neatly into place, ready to deliver and then pause briefly for breath before the next one. Our lovely customers, meanwhile, are busy running their businesses and rounding-off their awareness and training activities on 'outsider threats', September's topic. As those awareness messages sink in, October's fresh topic and new NoticeBored module will boost energy and take things up another notch, a step closer to the corporate security culture that generates genuine business returns from all this effort.

NBlog Sept 14 – black market credit card values

An otherwise unremarkable marketing email from Armor caught my beady with this:
"Armor has been tracking hackers, on both English-speaking and Russian-speaking markets, and found that current prices for stolen U.K. credit cards (Visa, Mastercard and American Express), with corresponding CVV data and expiration dates runs $35 each, $30 for a European Visa, Mastercard or American Express card, and $15 for a U.S. Visa or Mastercard and $18 for an American Express card." 
That's quite a range of values. I wonder why some stolen credit card details are twice as valuable as others on the black market. What makes them so attractive, relatively speaking?

Possible reasons for the discrepancy:

  • Market imperfections such as time lags between changes in supply or demand and price adjustments;
  • Some are rarer, in relatively short supply, with consistent demand driving prices up;
  • Vendors are simply taking advantage of 'market pricing': they charge whatever the market will bear, by reference to prices and sales for similar commodities;
  • Buyers are price-insensitive: the purchase price is insignificant compared to the anticipated income;
  • Demand is higher for some of them hence they are 'worth' more because: 
    • Identity fraud is somehow easier with them (e.g. the card providers' anti-fraud controls are weaker, perhaps detection and prosecution of fraudsters is less likely?);
    • Identity fraud is more lucrative with them (e.g. the accounts to which they link have larger balances and credit limits);
    • They are more likely to be and remain active, less likely to have been or be deactivated by the companies or card holders concerned (perhaps they are less aware of and/or responsive to identity fraud?);
    • The financial companies concerned and/or the authorities are actively buying up these cards in order to take them out of circulation, hoping perhaps to trace the sellers, in the process inadvertently driving up their market value (doh!);
    • Buyers value them for some other reason: they are deemed to be of higher quality, maybe 'needed' to complete collectors' sets?;

  • Statistical anomalies, truly random fluctuation, data errors and plain ol' mistakes e.g. we're not told how many of each type of card were on sale, nor is there any indication of the variance in prices;
  • Ulterior motives and bias behind the reported numbers: they were, after all, included in a mass marketing email, an unsolicited one at that i.e. spam.
As usual, I'm quoting and citing the source to illustrate an analytical approach, not to discredit or challenge the source so much as encourage you, dear blog reader, to think critically about such information rather than taking it at face value. I've seen similar numbers from other sources ... which may mean they are 'in the right ballpark' but could equally be an example of anchoring bias (if people have no idea of the correct value, they tend to estimate within or near whatever range is suggested to them, focusing on and implicitly assuming that the suggested range is valid).

Just sayin'

A [Female] Voice of Concern

The number of people using digital assistants is growing by the day, and this increasing popularity has led to predictions of as many as 75% of US households owning smart speakers by 2020, according to Gartner. Within this expansive growth, there are several brands of assistants, including Amazon Alexa, Google Home, and Microsoft Cortana, taking the lead. Their offerings contain many similarities, and of course differences too, but when it comes to the obvious characteristics – what do these devices all have in common? The voice behind the technology, in each device, is female.

A recent study questioning the design of artificial intelligence revealed that out of almost 12,000 people from 139 countries, 44% prefer their digital assistant to be gender neutral. However, when broken down by gender, 36% of men thought the assistant should be gender neutral, contrasting with 62% of women. While most assistants offer voices of either gender, the default is female – and a gender neutral option is lacking completely. This opens up the question: why?

Tech companies are beginning to recognize the parallel between the voice – whether female or male – and the role of the assistant itself as they become more ubiquitous. Alexa, Siri, Cortana, and Google Assistant are all synthesized versions of a woman – required to answer questions and demands in a polite manner. On the other hand, IBM’s Watson is male, holding a higher role of leadership and knowledge, compared to its female counterparts. These preferences and the difference can be linked to norms tied to tradition or other cultural values, furthering gender bias.

Examining this concern and the question of why the default voice is female, many AI companies have considered, or are considering, moving towards a more inclusive design. While the bias within voice AI is seemingly present, how are speech recognition, natural language processing, text to speech, and voice biometrics technologies affected by the same bias?

Each of these technologies requires large amounts of data for machine learning – and male voices dominate these datasets. Women’s voices are harder for speaker recognition systems to recognize because the training data contains more male voices. So for Pindrop’s Deep Voice™ biometric engine – how does gender impact accuracy?

We take great care in balancing gender in our data set evaluation. Today we’re working with the largest banks globally. When you take a look at what that means in the US – the top banks account for 60% of the US population demographic, which is evenly split between men and women.

Artificial intelligence is destined to power some of our most important services, but there’s growing concern that it could repeat much of the prejudice that humans have about race, gender and more because of the way it’s built. There’s a lot of work from the major players to evaluate these systems and remove prejudice from AI.

The post A [Female] Voice of Concern appeared first on Pindrop.

Zelle | A direct funds transfer disruptor…What Are You Trading For Convenience?

With convenience on the mind of most consumers, peer to peer payment apps are making it easy to transfer money to friends, family, or acquaintances. The money-transfer market is dominated by Venmo and Paypal; however, Zelle is quickly catching up, offering an alternative that is backed by U.S. financial institutions. Zelle is known for its pervasiveness, as a natural extension of a consumer’s existing mobile banking app, and for the speed with which it transfers funds directly from account to account. This differentiates it from Venmo, Square (and even Paypal), which have elements of a “mobile wallet,” which can be seen as more of an ‘escrow account’ before your money clears the transfer. Zelle is quickly disrupting the money-transfer space.

The almost frictionless enrollment and the speed with which Zelle completes financial transfers have exposed some potential misuse patterns. As the New York Times found, the perks embedded into Zelle are attracting not only customers, but criminals as well. Fraudsters are taking advantage of the system to drain the bank accounts of unsuspecting Zelle users – or nonusers. Some victims of Zelle fraud had never used, or heard of, the money-transfer application prior to the discovery of an empty bank account. So, what makes Zelle so susceptible to fraud?

In efforts to catch up with Venmo and Paypal, many banks moved quickly in implementing Zelle. Normal security processes may have been reduced in an effort to provide a more frictionless experience, with some banks implementing Zelle with reduced protections, like no two-factor authentication or behavior monitoring, to send a payment. Additionally, within the Zelle network, checking accounts are linked directly to other checking accounts – allowing the transfer to be completed in seconds and making it difficult to reverse fraudulent transactions.

Venmo and Square both rely on unique usernames to initiate transfers, whereas Zelle operates under either a user’s phone number or email address. If a single phone number happens to be tied to two (or more) individuals, transfers can easily be sent to the wrong person. If this were to happen, and the transfer was initiated and unknowingly sent to the wrong person, the bank may not have to refund the claim, because the bank may not be obligated to intervene.

Peer to peer payment apps can provide a fast and convenient way to send money, but that convenience may come with a price. The vulnerabilities present in sending money this way are akin to those of sending cash in the mail. The convenience is alluring but the risk may be higher. App users should use caution when sending money to any unknown parties, and try to set up alerts to be notified of any transfers. Financial institutions should be on high alert for password reset requests coming through the call center, as this could be an early indicator of fraudsters attempting account takeover of your Zelle app to send themselves your money.

It is clear that users see enormous value from the convenience provided by Zelle’s frictionless and near instantaneous support of direct funds transfers. Let’s make sure that the value and convenience that this service offers are not also being offered to those with mal intent to misuse this service.

The post Zelle | A direct funds transfer disruptor…What Are You Trading For Convenience? appeared first on Pindrop.

Pindrop® Express | Authentication, Risk, CX and the Enterprise

Businesses today often suffer from lagging or inefficient authentication solutions – from knowledge based authentication questions (KBAs) to simple caller ID verification. These traditional methods are tedious and create friction within the overall customer experience, extending call handle time, which also impacts operational costs. Additionally, we are moving into an era defined by a conversational economy – which has placed expectations on enterprises to support the growing popularity and use of voice technology by customers.

Aligned with the voice first movement, Pindrop® Express, a risk-based authentication solution, can validate a customer’s phone number prior to the call arriving at the contact center, delivering a “yes” or “no” authentication decision. Going beyond phone number validation, Pindrop Express works within carrier networks, gaining access to additional metadata. The calls are analyzed using a proprietary risk engine and then the validated caller ID is matched to a customer number on file to provide the simple authentication decision. Pindrop Express removes friction by verifying legitimate calls, reducing the number of time consuming KBAs required, and enabling more advanced self-service transactions.

• Authentication

Pindrop Express leverages intelligence from carrier networks, allowing ANI validation prior to the phone ringing. This pre-ring authentication will reduce call handle time by removing lengthy authentication practices (KBAs), eliminating some of the friction of the overall customer experience.

• Risk Assessment

Beyond ANI validation, Pindrop Express includes Pindrop’s proprietary risk engine and intelligence from the Pindrop Consortium – allowing more than just spoofed calls to be stopped.

• Customer Experience

With reduced average call handle time, Pindrop Express reduces the need for extensive identity verification methods for most of your customers. With less friction encountered, customers are granted a quicker resolution.

Requiring no enrollment and offering passive authentication that works on every customer call, whether or not the customer has called before, Pindrop Express is fit for enterprises of all sizes.

Learn more here.

The post Pindrop® Express | Authentication, Risk, CX and the Enterprise appeared first on Pindrop.

Call Center Fraudsters | Voice Morphing, Social Engineering, and the Need for Authentication

As technology advances, fraudsters use different, constantly evolving techniques that include exploiting the phone channel. With increasingly sophisticated attacks, fraudsters maneuver around authentication and security measures to access sensitive information that helps them take over accounts.

This evolving criminal strategy is part of a $14 billion call center problem. From January 2016 to August 2017, call centers have experienced a 160% increase in global fraud call rate – a rise from 1 fraudulent call for every 937 calls compared to 1 in 769 calls. Additionally, Pindrop® Labs analyzed millions of calls and collected data from the top eight U.S. banks, top five U.S. insurers, and additional enterprise call centers to find recurring techniques used by fraudsters.

Data dealing, spoofing, and voice morphing are only a few methods fraudsters use to access accounts. Additionally, social engineering is often added into a fraudster’s mix of techniques as a tactic to help them get around call center agent procedures.

For example, a fraudster duo known as Mr. and Mrs. Smith is actually one fraudster acting as two. Armed with voice morphing technology, this fraudster may call into a call center to add an “authorized” user (such as a spouse) to an account. If “Mr. and Mrs. Smith” is clever enough, a call center agent may add an “authorized” user without first properly authenticating.

According to Pindrop® Labs, this fraudster attempts to evade voice biometrics by using voice morphing in an attempt to sound like their victim. However, Pindrop identified the fraudster with a known phoneprint and generated voiceprints for both the male and female voices.

In addition to voice morphing, Mr. and Mrs. Smith utilized social engineering – one of the simplest yet most effective fraudster tactics. Fraudsters know your employees want to deliver a positive customer experience, and they will relentlessly exploit that desire through psychological manipulation. The fraudster will socially engineer a situation to connect empathetically with the call center agent – such as acting like a parent in a hurry – to maneuver around standard authentication or voice biometric standards.

Because each fraudster uses different combinations of techniques, a “one-size-fits-all” authentication solution approach will not detect all fraudsters. Call centers need a multifactor authentication solution that focuses on enhancing customer experience while deterring fraudsters.

To take a deeper dive into the minds of fraudsters like Mr. and Mrs. Smith, read our eBook Part One: Call Center Fraudsters Unmasked. To find out how Pindrop helped identify and deter these fraudsters, be sure to check out Part Two: Call Center Fraudsters Defeated.

The post Call Center Fraudsters | Voice Morphing, Social Engineering, and the Need for Authentication appeared first on Pindrop.