Category Archives: MFA

Passwords are and have always been an Achilles Heel in CyberSecurity

LogMeOnce, a password identity management suite provider, has published a detailed interview with myself titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Passwords Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.

Quotes
“I’m afraid people will remain the weakest link in security, and the vast majority of cybercriminals go after this lowest hanging fruit. It’s the least effort for the most reward.”

"There is no silver bullet with password security, but MFA comes close, it significantly reduces the risk of account compromise"

"The built-in biometric authentication capabilities of smartphones are a significant advancement for security"

"Cybercriminals go after this lowest hanging fruit, the least effort for the most reward."

"As technology becomes more secure and more difficult to defeat, it stands to reason criminals will increasingly target people more."

"The impact of the WannaCry ransomware outbreak on NHS IT systems is a recent example of such cyberattack which threatens lives."

"Machine Learning can provide real benefits, especially in large Security Operations Centres (SOC), by helping analysts breakdown the steady stream of data into actionable intelligence, reducing workload and false-positive errors"

"When I look at new technology today, I still seek to thoroughly understand how it works, naturally thinking about the weaknesses which could be exploited, and the negative impact of such exploits on the people and businesses using the technology. I developed a kind of a ‘hacker’s eye for business’"

Security Threats Facing Modern Mobile Apps

We use mobile apps every day from a number of different developers, but do we ever stop to think about how much thought and effort went into the security of these apps?

It is believed that 1 out of every 36 mobile devices has been compromised by a mobile app security breach. And with more than 5 billion mobile devices globally, you do the math.

The news that a consumer-facing application or business has experienced a security breach is a story that breaks far too often. As of late, video conferencing apps like Zoom and Houseparty have been the centre of attention in the news cycle.

As apps continue to integrate into the everyday life of our users, we cannot wait for a breach to start considering the efficacy of our security measures. When users shop online, update their fitness training log, review a financial statement, or connect with a colleague over video, we are wielding their personal data and must do so responsibly.

Let’s cover some of the ways hackers access sensitive information and tips to prevent these hacks from happening to you.

The Authentication Problem

Authentication is the ability to reliably determine that the person trying to access a given account is the actual person who owns that account. One factor authentication would be accepting a username and password to authenticate a user, but as we know, people use the same insecure passwords and then reuse them for all their accounts.

If a hacker accesses a user’s username and password, even if through no fault of yours, they are able to access that user’s account information.

Although two-factor authentication (2FA) can feel superfluous at times, it is a simple way to protect user accounts from hackers.


2FA uses a secondary means of authenticating the user, such as sending a confirmation code to a mobile device or email address. This adds another layer of protection by making it more difficult for hackers to fake authentication. 

Consider using services that handle authentication securely and having users sign in with them. Google and Facebook, for example, are used by billions of people and they have had to solve authentication problems on a large scale.
Reverse Engineering

Reverse engineering is when hackers develop a clone of an app to get innocent people to download malware. How is this accomplished? All the hacker has to do is gain access to the source code. And if your team is not cautious with permissions and version control systems, a hacker can walk right in unannounced and gain access to the source code along with private environment variables.

One way to safeguard against this is to obfuscate code. Obfuscation and minification make the code less readable to hackers. That way, they’re unable to conduct reverse engineering on an app. You should also make sure your code is in a private repository, secret keys and variables are encrypted, and your team is aware of best practices.

If you’re interested in learning more ways hackers can breach mobile app security, check out the infographic below from CleverTap.



Authored by Drew Page Drew is a content marketing lead from San Diego, where he helps create epic content for companies like CleverTap. He loves learning, writing and playing music. When not surfing the web, you can find him actually surfing, in the kitchen or in a book.

Cyber Security Roundup for January 2020

A roundup of UK focused cyber and information security news stories, blog posts, reports and threat intelligence from the previous calendar month, December 2019.

Happy New Year!  The final month of the decade was a pretty quiet one as major security news and data breaches go, given cybers attack have become the norm in the past decade. The biggest UK media security story was saved for the very end of 2019, with the freshly elected UK government apologising after it had accidentally published online the addresses of the 1,097 New Year Honour recipients.  Among the addresses posted were those of Sir Elton John, cricketer and BBC 'Sports Personality of the Year' Ben Stokes, former Conservative Party leader Iain Duncan Smith, 'Great British Bakeoff Winner' Nadiya Hussain, and former Ofcom boss Sharon White. The Cabinet Office said it was "looking into how this happened", probably come down to a 'user error' in my view.

An investigation by The Times found Hedge funds had been eavesdropping on the Bank of England’s press conferences before their official broadcast after its internal systems were compromised. Hedge funds were said to have gained a significant advantage over rivals by purchasing access to an audio feed of Bank of England news conferences. The Bank said it was "wholly unacceptable" and it was investigating further. The Times claimed those paying for the audio feed, via the third party, would receive details of the Bank's news conferences up to eight seconds before those using the television feed - potentially making them money. It is alleged the supplier charged each client a subscription fee and up to £5,000 per use. The system, which had been misused by the supplier since earlier this year, was installed in case the Bloomberg-managed television feed failed.

A video showing a hacker talking to a young girl in her bedroom via her family's Ring camera was shared on social media. The hacker tells the young girl: "It's Santa. It's your best friend." The Motherboard website reported hackers were offering software making it easier to break into such devices. Ring owner Amazon said the incident was not related to a security breach, but compromised was due to password stuffing, stating "Due to the fact that customers often use the same username and password for their various accounts and subscriptions, bad actors often re-use credentials stolen or leaked from one service on other services."


Ransomware continues to plague multiple industries and it has throughout 2019, even security companies aren't immune, with Spanish security company Prosegur reported to have been taken down by the Ryuk ransomware.

Finally, a Microsoft Security Intelligence Report concluded what all security professionals know well, is that implementing Multi-Factor Authenication (MFA) would have thwarted the vast majority of identity attacks. The Microsoft study found reusing passwords across multiple account-based services is still common, of nearly 30 million users and their passwords, password reuse and modifications were common for 52% of users. The same study also found that 30% of the modified passwords and all the reused passwords can be cracked within just 10 guesses. This behaviour puts users at risk of being victims of a breach replay attack. Once a threat actor gets hold of spilled credentials or credentials in the wild, they can try to execute a breach replay attack. In this attack, the actor tries out the same credentials on different service accounts to see if there is a match.

BLOG
NEWS 
VULNERABILITIES AND SECURITY UPDATES
AWARENESS, EDUCATION AND THREAT INTELLIGENCE