Category Archives: password

Is FIDO the future instrument to prove our identity?

FIDO, short for Fast IDentity Online, is an industry consortium started in 2013 to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords. Among the founders were those who work in the financial sector, device manufacturers, and providers of authentication solutions.

What is FIDO?

According to the FIDO Alliance website, FIDO is a set of open and scalable standards that enable simpler and more secure user authentication experiences across many websites and mobile services.

FIDO set out to make authentication devices easier to use and fix the conflicts between devices from different vendors. Their goal is to provide a set of specifications for the entire range of authentication techniques. These specifications should then provide a standard for the entire industry leading to better compatibility and more ease of use.

Logging in

Currently, there are a variety of options for users to log in to their services and devices. We have discussed the basics of two-factor authentication (2FA) in the past, and almost everyone agrees that it is impractical to remember 27 or more passwords and usernames for individual accounts—nor is it safe to re-use passwords through multiple accounts. So, what are our options for logging in?

The most common ones are divided up into these categories:

  • The classic username and password combination
  • Knowing a PIN or TAN code (ATM withdrawals, money transfers)
  • Having access to an email account (when verification codes are sent by mail) or mobile device (texted codes)
  • Secret questions (often frowned upon as they are sometimes easy to guess, or easy to obtain through phishing)
  • Physical keys (card readers, USB keys)
  • Biometrics (fingerprint readers, iris scanners, voice recognition)
  • Mobile devices that can scan barcodes or QR codes and calculate a login code for one time use (Authy, Google Authenticator)
  • Already being logged in to a verified account (e.g. Facebook login)

Problems and solutions

As FIDO seeks to standardize authentication protocols for the wide range of login options listed above, they must identify techniques that are problematic from a security standpoint and look for solutions.

One of the problems with many of the login options is the use of shared secrets, meaning that both the user and the software that checks the login need to know the correct answers. You might be able to keep a secret, but your software could be fooled into handing over all your information to attackers. On a regular basis they succeed in breaching a sites’ or services’ security and obtaining a multitude of login credentials.

One solution for this problem is to use asymmetric cryptography. Basically, a user creates two different keys, a private and a public key. When a user proves that he has the private key by responding to a challenge, the service or website can check the answer that the user provided to the challenge by using the public key, which the user provided the website or service with when he signed up. As a handshake, the server asks the user a question based on the public key that only the holder of the private key can answer. But the answer does not give away the actual private key.

The challenge is created especially for that login attempt, so the answer can’t be used for another login with the same service or a different service. This way, the user is the only one that can answer the challenge and the only one that has access to both keys.

Advantages and disadvantages

The advantages of using asymmetric cryptography are clear:

  • It’s easy to use without having to remember a password.
  • Strong asymmetric encryption can’t be brute forced, unlike weak passwords.
  • The same key combination can be used for multiple logins (not to be confused with the challenge question, which is uniquely generated for each login attempt).
  • It’s impossible to steal from websites and services, even using Man-in-the-Middle attacks, because the private key is never sent across the Internet.

A major set-back could be if the user should ever give their private key to a third party, for example, because she lost it or because she was a victim of a phishing attack that asked directly for the private key. In such a case, having used this method across a multitude of sites and services means the user is in for a multitude of problems: each service she signed in with using this combo could be compromised.

What does FIDO have to do with this?

The FIDO Alliance hosts the open authentication standard FIDO2, which enables strong, passwordless authentication built on public key cryptography using hardware devices like security keys, mobile phones, and other built-in devices. It does this using both the W3C Web Authentication specification (WebAuthn API) and the Client to Authentication Protocol (CTAP), a protocol used for communication between a client (the browser) or a platform (the operating system) and an external authenticator, i.e., the hardware security key.

With these capabilities, the hardware security key can replace weak, static username/password credentials with strong, hardware-backed public/private-key credentials.

Because FIDO2 is an open standard, the security device can be designed for existing hardware, such as phones or computers, and for many authentication modalities. In addition, it can be used for different communication methods, such as USB, Bluetooth, and Near Field Communication (NFC), which allows for contactless authentication to take place safely from many systems and devices.

FIDO2 can be enhanced further still for organizations requiring a higher level of security, as it supports the use of a hardware authentication device with a PIN, biometric, or gesture for additional protection.

Proving your identity in the future

Where FIDO has enabled the industry to make steps toward a safer method of online authentication, it is still far from being the standard it sets out to be. The current usage of FIDO is limited to high-end applications and organizations.

And even though browsers and operating systems have started to develop built-in support for FIDO2, they are not ready for market yet. Also, a new Universal Server certification for servers that operates with all FIDO authenticator types (FIDO UAF, FIDO U2F, WebAuthn, and CTAP) is on its way. And even when those stages are complete, the websites and services that require a secure authentication method will probably need some convincing to start using this new format. And finally, only once early adopters have adapted to the technology and sung its praises will more mainstream usage follow suit.

Alternatives

Using asymmetric keys is the most logical and secure method to prove your identity right now, but it could very well be replaced by a blockchain technology. Given the rate of development in blockchain technology, especially compared to the relatively slow advances made in FIDO, this seems a likely scenario. And it doesn’t help that competing standards are created like the PCI-DSS, instead of bundling the efforts into creating an all-encompassing standard.

The one standard to rule them all will probably be the one that has the widest applicability. Being able to log in anywhere without the hassle of passwords almost sounds too good to be true, but the answers are out there. Hopefully, with the application of the best standard, we will see a future with less breaches and more peace of mind.

The post Is FIDO the future instrument to prove our identity? appeared first on Malwarebytes Labs.

Facebook faces a whopping €1.4 billion penalty under GDPR for Sept. 30 data breach

Facebook, which revealed last week that a massive data breach compromised 50 million accounts, is facing a potential $1.63 billion / €1.4 billion penalty under new European regulations.

A Facebook investigation revealed that attackers exploited a vulnerability in the “View As” feature that lets people see what their own profile looks like to external parties.

“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” the company said in a breach notice signed by its VP of Product Management, Guy Rosen.

Facebook discovered the breach Tuesday, Sept. 25, and complied with the EU’s General Data Protection Regulation’s requirement that entities report a breach within 72 hours of the moment they learned of it. The company offered few details about the hack, but promised to take the incident extremely seriously and offer updates as investigators learn more about what happened.

Facebook’s lead privacy regulator in Europe, Ireland’s Data Protection Commission, is ready to fine the social network up to $1.63 billion / €1.4 billion for this incident, under the European Union’s GDPR.

In an emailed statement, the regulator told the press it was “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”

“Under GDPR, companies that don’t do enough to safeguard their users’ data risk a maximum fine of EUR20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Facebook’s maximum fine would be $1.63 billion using the larger calculation,” reports MarketWatch.

Since then, Facebook has issued several updates with clarifications about the breach, though the situation remains virtually unchanged – users’ whose accounts have fallen in the wrong hands before Facebook’s auto-logout could be compromised.

If you’ve found yourself logged out of Facebook after the news hit the wires, Facebook says there’s no need to change your password. But if you’re having trouble logging back into your account, the company says you should learn what you can do at this address.

Chegg Resets Passwords After Data Breach That Affected 40 Million Users

For all students out there using EasyBib, it’s time to reset your account passwords at Chegg. Reportedly, Chegg reset the

Chegg Resets Passwords After Data Breach That Affected 40 Million Users on Latest Hacking News.

AdGuard Reset User Passwords After Enduring Credential Stuffing Attacks

AdGuard has recently alerted all its users about a recent cyber attack. The company noticed a credential stuffing attack after

AdGuard Reset User Passwords After Enduring Credential Stuffing Attacks on Latest Hacking News.

Netflix Users Being Hit by Phishing Attacks

Phishing scammers are after Netflix accounts by sending emails to steal sensitive details from the subscribers of the platform. A

Netflix Users Being Hit by Phishing Attacks on Latest Hacking News.

Authentication Bypass Vulnerability Disclosed in Western Digital My Cloud NAS Devices

Security Researchers at Securify have found an elevation of privilege vulnerability in the WD MyCloud platform which can be exploited by

Authentication Bypass Vulnerability Disclosed in Western Digital My Cloud NAS Devices on Latest Hacking News.

Compromised Chrome Extension Snooped on Users’ Credentials, Cryptocurrency Private Keys

Someone compromised a Google Chrome extension with malicious code designed to snoop on users’ account credentials and cryptocurrency private keys. On 4 September, a security researcher who goes by the name “SerHack” tweeted out a warning about version 3.39.4 of the Chrome extension for MEGA.nz, a cloud storage and file sharing service. !!! WARNING !!!!!!! […]… Read More

The post Compromised Chrome Extension Snooped on Users’ Credentials, Cryptocurrency Private Keys appeared first on The State of Security.

Porn Extortion Email tied to Password Breach

(An update to this post has been made at the end)

This weekend I received an email forwarded from a stranger.  They had received a threatening email and had shared it with a former student of mine to ask advice.  Fortunately, the correct advice in this case was "Ignore it."  But they still shared it with me in case we could use it to help others.

The email claims that the sender has planted malware on the recipient's computer and has observed them watching pornography online.   As evidence that they really have control of the computer, the email begins by sharing one of the recipient's former passwords.

They then threaten that they are going to release a video of the recipient recorded from their webcam while they watched the pornography unless they receive $1000 in Bitcoin.  The good news, as my former student knew, was that this was almost certainly an empty threat.   There have dozens of variations on this scheme, but it is based on the concept that if someone knows your password, they COULD know much more about you.  In this case, the password came from a data breach involving a gaming site where the recipient used to hang out online.  So, if you think to yourself "This must be real, they know my password!" just remember that there have been  HUNDREDS of data breaches where email addresses and their corresponding passwords have been leaked.  (The website "Have I Been Pwned?" has collected over 500 Million such email/password pair leaks.  In full disclosure, my personal email is in their database TEN times and my work email is in their database SIX times, which doesn't concern me because I follow the proper password practice of using different passwords on every site I visit.  Sites including Adobe, which asks for you to register before downloading software, and LinkedIn are among some of the giants who have had breaches that revealed passwords.  One list circulating on the dark web has 1.4 BILLION userids and passwords gathered from at least 250 distinct data breaches.)

Knowing that context, even if you happen to be one of those millions of Americans who have watched porn online.  DON'T PANIC!  This email is definitely a fake, using their knowledge of a breached password to try to convince you they have blackmail information about you.

We'll go ahead and share the exact text of the email, replacing only the password with the word YOURPASSWORDHERE.

YOURPASSWORDHERE is one of your passphrase. Lets get directly to the point. There is no one who has paid me to investigate you. You don't know me and you are most likely wondering why you are getting this mail?
In fact, I actually installed a malware on the X video clips (porn) web site and do you know what, you visited this site to experience fun (you know what I mean). When you were watching video clips, your browser initiated functioning as a RDP that has a key logger which provided me accessibility to your display screen and also cam. after that, my software obtained your entire contacts from your Messenger, Facebook, and email . After that I made a double-screen video. 1st part shows the video you were viewing (you've got a nice taste omg), and next part shows the view of your web cam, & its you. 
You have got not one but two alternatives. We will go through these choices in details:
First alternative is to neglect this email message. In such a case, I will send out your very own videotape to all of your contacts and also visualize about the embarrassment you will definitely get. And definitely if you happen to be in a romantic relationship, exactly how this will affect?
Latter solution is to compensate me $1000. Let us describe it as a donation. In such a case, I will asap delete your video. You can go forward your daily life like this never occurred and you surely will never hear back again from me.
You'll make the payment through Bitcoin (if you do not know this, search for "how to buy bitcoin" in Google). 
BTC Address: 192hBrF64LcTQUkQRmRAVgLRC5SQRCWshi[CASE sensitive so copy and paste it]
If you are thinking about going to the law, well, this email can not be traced back to me. I have taken care of my moves. I am not attempting to charge a fee a huge amount, I simply want to be rewarded. You have one day in order to pay. I have a specific pixel in this e-mail, and now I know that you have read through this mail. If I do not receive the BitCoins, I will definately send your video to all of your contacts including family members, co-workers, and so forth. Having said that, if I receive the payment, I'll destroy the video right away. If you really want proof, reply with Yes & I definitely will send out your video recording to your 5 friends. This is the non-negotiable offer and thus don't waste mine time & yours by responding to this message.
This particular scam was first seen in the wild back in December of 2017, though some similar versions predate it.  However, beginning in late May the scam kicked up in prevalence, and in the second week of July, apparently someone's botnet started sending this spam in SERIOUS volumes, as there have been more than a dozen news stories just in the past ten days about the scam.

Here's one such warning article from the Better Business Bureau's Scam Tracker.

One thing to mention is that the Bitcoin address means that we can track whether payments have been made to the criminal.  It seems that this particular botnet is using a very large number of unique bitcoin addresses.  It would be extremely helpful to this investigation if you could share in the comments section what Bitcoin address (the "BTC Address") was seen in your copy of the spam email.

As always, we encourage any victim of a cyber crime to report it to the FBI's Internet Crime and Complaint Center by visiting ic3.gov:



Please feel free to share this note with your friends!
Thank you!

UPDATE!!!

The excellent analysts at the SANS Internet Storm Center have also been gathering bitcoin addresses from victims.  In their sample so far, 17% of the Bitcoins have received payments totalling $235,000, so people truly are falling victim to this scam!

Please continue to share this post and encourage people to add their Bitcoin addresses as a comment below!

Let’s stop talking about password strength

Picture from EFF -- CC-BY license
Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behavior, such as using bcrypt, there is less onus on the user.


But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather then give pertinent advice we give lazy advice. We give the advice that victim shames them for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.

POLL: Do you use two-factor authentication?

October is National Cyber Security Awareness Month in the US, and European Cyber Security Month in Europe. Basically, institutions in these two countries have decided that it’s time for people to get serious about cybersecurity. And they’re right to do it – according to F-Secure’s Business Security Insider blog, there was 81 cyberattacks every minute in 2014.

So hacking is a serious business for these attackers. And one security measure that experts would like to see used more widely is two-factor authentication.

 

Two-factor (or multi-factor) authentication refers to using more than one piece of information to safeguard access to accounts. Many popular services, such as Facebook and Twitter, offer it to users. However, very few services require it. It’s really more of an option for people interested in having a little bit of extra security for their accounts. A recent survey from Google points out that 89 percent of security experts use two-factor authentication for at least one of their online accounts.

But it’s less popular amongst non-experts. Only 62 percent of non-expert respondents to Google’s survey used two-factor authentication. Other studies indicate that two-factor authentication may be even less popular, with one recent consumer survey finding that 56 percent of respondents were unfamiliar with two-factor authentication.

Although two-factor authentication has been around for ages, it’s starting to become offered by many online services. Passwords are currently the standard in account security, but adding in two-factor authentication adds an extra layer of security. It basically means anyone that gets access to your password will essentially only have “half a key” to your account.

So why don’t more people use it? After all, nearly 80 percent of people are open to alternatives to traditional passwords. One reason might be that it’s too difficult or inconvenient. But the widespread use of mobile devices is making this much easier. Email and SMS messages seem to be easiest and the most popular, with one study finding almost 90 percent of participants using two-factor authentication did so by receiving a code through SMS or email, which they could then enter into a website to confirm their identity.

Another reason could be availability. It’s up to companies and organizations providing online accounts to offer two-factor authentication to customers. This website provides a pretty good list of different online services offering two-factor authentication, so it’s a pretty handy resource. You can also use the site to send tweets to companies not offering two-factor authentication (so don’t hesitate to send a message if you want someone providing you with a service to improve their account security features).

If you crunch the numbers provided by the site, you can get an idea about how common two-factor authentication is for different kinds of services:

  • Cryptocurrencies: 96%
  • Identity Management: 93%
  • Cloud Computing: 77%
  • Gaming: 69%
  • Hosting/VPS: 69%
  • Email: 65%
  • Domains: 65%
  • Developers: 63%
  • Communication: 62%
  • Backup and Sync Services: 60%
  • Investing: 38%
  • Banking and Financial Services: 35%
  • Health: 30%
  • Finance: 28%
  • Education: 25%
  • Entertainment: 7%

So two-factor authentication is definitely more prominent in some industries than others. F-Secure Security Advisor Sean Sullivan says that it’s definitely worth choosing services offering two-factor authentication, especially for important accounts that you use daily, or contain really sensitive information.

“You should figure out what accounts are critical and focus on securing those by using strong, unique passwords and two-factor authentication,” he says. “Lots of companies will offer a monthly or periodic two-factor authentication check, which requires you to enter a code you receive via SMS into a pre-defined phone or computer. It’s really worth having a primary email account with one of these services, as you can centralize information there instead of spreading it around, which makes it easier to stay in control of your accounts.”

Next time you’re thinking about setting up an online account somewhere, you may want to circle back to whether or not they offer two-factor authentication. With the number of devices expected to explode as the Internet of Things becomes more and more popular, it only makes sense to consider whether you’re information is as secure as you’d like.

[ Image by momentcaptured1 | Flickr ]

3 Password Tips from the Pros

Passwords are the keys to online accounts. A good password known only to account owners can ensure email, social media accounts, bank accounts, etc. stay accessible only to the person (or people) that need them. But a bad password will do little to prevent people from getting access to those accounts, and can expose you to serious security risks (such as identity theft). And sadly, many people continue to recycle easy to guess/crack passwords.

A recent study conducted by researchers from Google attempted to nail down the most common pieces of advice and practices recommended by security researchers, and unsurprisingly, several of them had to do with passwords. And there were several gaps between what security experts recommend people do when creating passwords, and what actually happens. Here’s 3 expert tips to help you use passwords to keep your accounts safe and secure.

  1. Unique Passwords are Better than Strong Passwords

One thing experts recommend doing is to choose a strong and unique password – advice many people hear but few actually follow. Chances are, if your password is on this computer science professor’s dress, it’s not keeping your accounts particularly secure.

Many major online service providers automatically force you to choose a password that follows certain guidelines (such as length and character combinations), and even provide you feedback on the password’s strength. But security researchers such as F-Secure Security Advisor Sean Sullivan say that, while strong passwords are important, the value of choosing unique passwords is an equally important part of securing your account.

Basically, using unique passwords means you shouldn’t recycle the same password for use with several different accounts, or even slight variations of the same word or phrase. Google likens that to having one key for all the doors in your house, as well as your car and office. Each service should get its own password. That way, one compromised account won’t give someone else the keys to everything you do online.

A strong password will be long, use combinations of upper-case and lower-case letters, numbers, and symbols. The password should also be a term or phrase that is personal to you – and not a phrase or slogan familiar to the general public, or something people that know you could easily guess. But there are still many ways to compromise these passwords, as proven by The Great Politician Hack.

So using unique passwords prevents criminals, spies, etc. from using one compromised password to access several different services. Sullivan says choosing strong and unique passwords for critical accounts – such as online banking, work related email or social media accounts, or cloud storage services containing personal documents – is a vital part of having good account security.

  1. Experts Use Password Managers for a Reason

One study showed that the average Internet user has 26 different online accounts. Assuming you’re choosing unique passwords, and you fit the bill of an “average Internet user”, you’ll find yourself with a large number of passwords. You’ve now made your account so safe and secure that you can’t even use it!

That’s why experts recommend using a password manager. Password managers can help people maintain strong account security by letting them choose strong and unique passwords for each account, and store them securely so that they’re centralized and accessible. Keeping 26 or more online accounts secure with strong and unique passwords known only to you is what password managers do to keep your data safe, which is why 73% of experts that took part in Google’s study use them, compared to just 24% of non-experts.

  1. Take Advantage of Additional Security Features

Another great way to secure accounts is to activate two-factor authentication whenever it’s made available. Two-factor (or multi-factor) authentication essentially uses two different methods to verify the identity of a particular account holder. An example of this would be protecting your account with a password, but also having your phone number registered as a back-up, so any kind of password reset done on the account makes use of your phone to verify you are who you say you are.

While the availability of this option may be limited, security experts recommend taking advantage of it whenever you can. You can find a list of some popular services that use two-factor authentication here, as well as some other great tips for using passwords to keep your online accounts secure.

[Photo by geralt | Pixabay]