NijaSecure...: September 2017

China Bans WhatsApp Messenger

Popular instant messaging app WhatsApp has already been struggling for its existence in China ever since July when Chinese government blocked its users from sending photos and videos over the app.

Now, it appears that China has largely blocked Facebook-owned WhatsApp in its latest step to tighten censorship as the country prepares for a major Communist Party gathering next month.
Yes, WhatsApp no longer works in the country at all.

China has a long history of blocking and limiting access to web services, especially social networks and Western-owned sites through its Great Firewall. The service currently blocks some 171 out of the world's leading websites, including Wikipedia, Twitter, Facebook, Instagram, and many Google services in mainland China.
And now, it is WhatsApp.

Although it's unclear how long the messaging app may remain inaccessible in the country, according to Symbolic Software, a Paris-based research firm that monitors WhatsApp's situation in China, the country has restricted its users from sending even text-based WhatsApp messages within its borders.
WhatsApp was seeing severe disruptions as early as last Wednesday when some users reported WhatsApp disruptions in China, but at this time, the service has reportedly been completely blocked and only accessible via VPNs (virtual private networks) which can circumvent China's internet firewall.

But, in case you are unaware, China has begun a 14-month-long crackdown on VPNs and proxy services in the country and made it mandatory for all VPN providers to have a license from the government to use such services.

This move of censoring the end-to-end encrypted messaging app comes ahead of next month's 19th National Congress of the ruling Communist Party.
At this sensitive gathering, which takes place once every 5 years, the Chinese government will select new leaders and determine policy priorities.
By preventing its citizens from using WhatsApp, Chinese authorities hope to force them to use the secure messenger alternatives like WeChat, which offers the Chinese government with its citizens' personal data.

Neither WhatsApp nor its parent company Facebook has provided any comment on this censorship.

The move is a severe blow to the social media giant, whose main website and app have already been banned in China since at least 2009. Facebook-owned Instagram is also blocked in the country.

Now with the blocking of WhatsApp, Facebook's only left hope in China is the photo-sharing app, Colorful Balloons, which the social network stealthily released in the country last month.

Source: the hackernews

Why don’t big companies keep their computer systems up-to-date?

The Equifax hack, exposing 143 million people’s personal data to unknown cybercriminals starting in March but not made public until mid-September, was entirely avoidable. The company was using out-of-date software with known security weaknesses. But it appears that with Equifax, as with many organizations, those were just the beginning of the problems.

During the past three decades we’ve researched, developed and tested millions of lines of software for many purposes, including national defense and security, telecommunications, financial services, health care and online gaming. Over the years we’ve observed that the technical means by which a breach happens often reveal software vulnerabilities that need fixing.

But when the digital weaknesses are publicly known before an attack happens – as with the Equifax case – the more important element is why companies don’t move more quickly to protect themselves and the people whose data they store. As suggested by the sudden departure of three top leaders (including the CEO) at Equifax, some of the problem is technical, but another big reason has to do with management and organizational structure.

Interconnected complexity

Equifax, like most Fortune 100 firms, was using an open-source software platform called Apache Struts to run parts of its website. Every major piece of software has vulnerabilities, almost inevitably. When they’re found, typically the company or organization that writes the software creates a fix and shares it with the world, along with notifications that users should update to the latest version. For regular people, that is often as easy as clicking a button to agree to update an operating system or software application.

For businesses, the process can be much harder. In part that’s because many companies use complex systems of interacting software to run their websites. Changing one element may affect the other parts in unpredictable ways. This problem is especially true when companies use the same hardware and software for many years and don’t keep up with every update along the way. It only makes matters worse when businesses outsource their software development and maintenance, denying themselves in-house expertise to call on when problems arise.

The best practices of cyber hygiene suggest combining development and operations (known as “DevOps”) to simplify the process of regular and prompt patches and updates. Not practicing good cyber hygiene is like a doctor not washing her hands – doing so may take extra time and energy, but it protects thousands of patients from infection.

When cyber hygiene works well, it’s quite effective. In April 2017, news broke of a major flaw in iOS and Android systems that allowed hackers to remotely take over smartphones via Wi-Fi. Google and Apple immediately addressed the issue and distributed patches to fix it. This quick response indicates those companies have development and operations processes that meet industry standards for rapid and reliable writing, testing and rollout of software updates.

Trouble at the top

Beyond the inherent challenges in technology and in current business practices, corporate management can play a significant role in whether problems become disasters.

Companies that have systems for regular investment in software maintenance and rapid reaction to security vulnerabilities can respond to problems very quickly, as Apple and Google did. Equifax’s slow response suggests it wasn’t well prepared that way. And the company’s history of outsourcing development to remote off-shore locations suggests there may not have been anyone in-house who had worked on the software needing updating.

Making matters worse, the chief security officer, who retired along with the company’s chief information officer and CEO in the wake of the breach, appears not to have a technical background. That could help explain why Equifax experienced back-to-back breaches requiring outside assistance: the first in March and another in July.

Well-run companies have top executives who know the importance of having cybersecurity teams ready to work around the clock when vulnerabilities arise. And leaders need to understand the risks of placing sensitive information online, rather than the safer practice of storing it on computers disconnected – or “air-gapped” – from the internet. Unfortunately, when senior executives at companies aren’t tech-savvy, they often lack understanding of what’s at stake and how to quickly protect valuable information.

A long road ahead

It looks like Equifax’s troubles aren’t close to being over. After the major breach was revealed, it didn’t take long for victims to discover that even their attempts to freeze their credit would be thwarted by other examples of Equifax’s poor cyber hygiene: The company-created PIN a customer would use to unfreeze credit was based on the date and time of the freeze request, and therefore potentially guessable by an attacker.

More recently, the company’s official Twitter account repeatedly directed the public not to its own security site but to a phishing site seeking to trick people into disclosing their personal information.

All these problems, on top of Equifax’s slowness in repairing the key software vulnerabilities, point to corporate management as a crucial element in preventing and recovering from security breaches – or making them worse.

Source: The Conversation

Goodbye, login. Hello, heart scan.

The system uses low-level Doppler radar to measure your heart, and then continually monitors your heart to make sure no one else has stepped in to run your computer. Credit: Bob Wilder/University at Buffalo

A new non-contact, remote biometric tool could be the next advance in computer security.

BUFFALO, N.Y. — Forget fingerprint computer identification or retinal scanning. A University at Buffalo-led team has developed a computer security system using the dimensions of your heart as your identifier.

The system uses low-level Doppler radar to measure your heart, and then continually monitors your heart to make sure no one else has stepped in to run your computer.

The technology is described in a paper that the inventors will present at next month’s 23rd Annual International Conference on Mobile Computing and Communication (MobiCom) in Utah. The system is a safe and potentially more effective alternative to passwords and other biometric identifiers, they say. It may eventually be used for smartphones and at airport screening barricades.

“We would like to use it for every computer because everyone needs privacy,” said Wenyao Xu, PhD, the study’s lead author, and an assistant professor in the Department of Computer Science and Engineering in UB’s School of Engineering and Applied Sciences.

“Logging-in and logging-out are tedious,” he said.

The signal strength of the system’s radar “is much less than Wi-Fi,” and therefore does not pose any health threat, Xu said.

“We are living in a Wi-Fi surrounding environment every day, and the new system is as safe as those Wi-Fi devices,” he said. “The reader is about 5 milliwatts, even less than 1 percent of the radiation from our smartphones.”

The system needs about 8 seconds to scan a heart the first time, and thereafter the monitor can continuously recognize that heart.

The system, which was three years in the making, uses the geometry of the heart, its shape and size, and how it moves to make an identification. “No two people with identical hearts have ever been found,” Xu said. And people’s hearts do not change shape, unless they suffer from serious heart disease, he said.

Heart-based biometrics systems have been used for almost a decade, primarily with electrodes measuring electrocardiogram signals, “but no one has done a non-contact remote device to characterize our hearts’ geometry traits for identification,” he said.

The new system has several advantages over current biometric tools, like fingerprints and retinal scans, Xu said. First, it is a passive, non-contact device, so users are not bothered with authenticating themselves whenever they log-in. And second, it monitors users constantly. This means the computer will not operate if a different person is in front of it. Therefore, people do not have to remember to log-off when away from their computers.

Xu plans to miniaturize the system and have it installed onto the corners of computer keyboards. The system could also be used for user identification on cell phones. For airport identification, a device could monitor a person up to 30 meters away.

Xu and collaborators will present the paper — “Cardiac Scan: A Non-contact and Continuous Heart-based User Authentication System” — at MobiCom, which is billed as the flagship conference in mobile computing. Organized by the Association for Computing Machinery, the conferernce will be held from Oct. 16-20 in Snowbird, Utah.

Additional authors are, from the UB Department of Computer Science and Engineering, Feng Lin, PhD (now an assistant professor at the University of Colorado Denver); Chen Song, a PhD student; Yan Zhuang, a master’s student; and Kui Ren, PhD, SUNY Empire Innovation Professor; and from Texas Tech University, Changzhi Li, PhD.

The research was supported, in part, by the U.S. National Science Foundation.

Source: Buffalo

This malware just got more powerful by adding the WannaCry trick to its arsenal

Swiss banks represent a lucrative target for cybercriminals. Image: Getty

A trojan banking malware campaign has returned and now it's leveraging EternalBlue -- the leaked NSA surveillence exploit -- to target Swiss financial institutions.

Developed by the NSA but revealed to the world by a hacking group, the EternalBlue Windows security flaw exploits a version of Windows' Server Message Block (SMB ) networking protocol to spread itself across an infected network using worm-like capabilities.

It was by using the EternalBlue exploit that May's WannaCry ransomware attackwas able to spread so quickly. The tool was soon adopted by cybercriminal groups looking to make their malware more powerful -- and now it's being used to steal credentials and cash from Swiss banks by the group behind the Retefe malware.

Active since 2013, the Retefe banking trojan isn't as notorious as the likes of Dridex, but targets banks in the UK, Switzerland, Austria, Sweden, and Japan. It has also been known to target Mac users.

Unlike other banking trojans, which rely on webinjects to hijack online banking sessions, Retefe routes traffic to and from the target banks through proxy servers hosted on the TOR network. These proxy sites host phishing pages designed to look like the the targeted bank's login page in order to steal credentials from victims, providing access to accounts for theft and fraud.

Retefe is typically delivered via phishing emails containing malicious Microsoft Office documents containing embedded Package Shell Objects -- although some contain malicious macros instead. If the user runs the file, a PowerShell command will run the malicious payload and install the code.

Now researchers at Proofpoint have discovered that the payload contains the configuration for EternalBlue, with code taken from a publically available proof-of-concept for the exploit posted in a dump on GitHub. The tool is now used to download the PowerShell script which installs Retefe.

While the addition of EternalBlue, malware can spread across networks. This particular installation of the exploit lacks the module responsible for infinitely spreading the malware as WannaCry did.

However, researchers note that the attackers behind Retefe could be merely experimenting with EternalBlue for now -- and that they could roll out the leaked exploit in full force in future.

"It is possible that the addition of limited network propagation capabilities may represent an emerging trend for the threat landscape as 2018 approaches," wrote Proofpoint researchers.

Indeed, those behind Retefe aren't the only threat actors looking to leverage EternalBlue to make malware more powerful. The attack group behind the Trickbot malware has also been experimenting with deploying the exploit.

Source: zdnet

1.4 Million New Phishing Sites Launched Each Month

The number of phishing attacks reach a record rate in 2017, but the majority of the phishing sites remain active for just four- to eight hours.

The average number of new phishing sites created in a given day has skyrocketed to more than 46,000, or 1.385 million each month, according to the Webroot Quarterly Threat Trends Report released this week.

This number of these sites is up substantially from Webroot's quarterly report released in December, which noted more than 13,000 new phishing sites were created daily.

The trend of temporary phishing sites continued with the majority of sites remaining active for only four to eight hours. The purpose of the short-lived sites, according to Webroot, is to avoid detection by such measures as block lists.

Meanwhile, the top 10 websites that were impersonated the most during the first half of the year include:

Google, 35%;
Chase, 15%;
Dropbox, 13%;
PayPal, 10%;
Facebook, 7%;
Apple, 6%;
Yahoo, 4%;
Wells Fargo, 4%;
Citi, 3%; and
Adobe, 3%.

Source: Darkreading

DON'T RELY ON AN UNLOCK PATTERN TO SECURE YOUR ANDROID PHONE

SMARTPHONES TODAY COMPETE over which can best secure your secrets. They encrypt your data, store the digital keys to unlock themselves on specialized hardware, and even offer fancy biometrics from fingerprints to faceprints. But many millions of smartphones remain open to an absurdly low-tech attack: a sly glance at someone's phone while they unlock it. One new study has quantified just how easy an Android-style unlock pattern—as opposed to a six-digit PIN or biometric unlock—makes the job of any over-the-shoulder snoop.

Security researchers at the US Naval Academy and the University of Maryland Baltimore County this week published a study that shows that a casual observer can visually pick up and then reproduce an Android unlock pattern with relative ease. In their tests, they found that six-point Android unlock patterns can be recreated by about two out of three observers who see it performed from five or six feet away after a single viewing. Spotting a six-digit PIN of the kind used in most iPhones, on the other hand, proved surprisingly difficult: Only about one in ten observers in the study could reproduce it after one look.

That disparity is in part due to how memorable an Android unlock pattern is for human brains, says Naval Academy professor Adam Aviv. "Patterns are really nice in memorability, but it’s the same as asking people to recall a glyph," says Aviv, who along with his fellow researchers will present the paper at the Annual Computer Security Applications Conference in Puerto Rico in December. "Patterns are definitely less secure than PINs."

In their tests, the researchers recruited 1,173 subjects from Amazon's Mechanical Turk crowdsourcing platform to watch carefully controlled videos of the unlocking online, and had subjects try guessing PINs and unlock patterns after watching the phone's owner unlock it with commonly used PINs, or patterns from five different angles and distances, averaging out those variables. They also repeated the video test with 91 people in person, just to check their online results. They found that around 64 percent of the online test subjects could reproduce a six-point pattern after one viewing, and 80 percent after two. Only 11 percent could identify a six-digit PIN after one viewing, and 27 percent after two.

For Android users who feel attached to their pattern unlock, the study did find one point of solace. Turning off the "feedback" lines that trace your finger's path as you swipe through a pattern helped significantly to reduce snooping potential. Only 35 percent of online test subjects could identify a pattern without those lines. "If you’re using a pattern and you like it, turning off those feedback lines will give you some protection," says Aviv. To do so, go to Settings > Lock screen and security > Secure lock settings, and turn off the Make pattern visible option. (Different Android versions and manufacturers will require slightly different steps.)

There are plenty of other reasons not to trust a pattern to keep your secrets safely locked up. An earlier study (which the Naval Academy's Aviv also worked on) found that the randomness of an unlocking pattern is roughly equivalent to just a three-digit PIN code. Researchers have shown they can vastly narrow patterns down with automated image recognition software based on video recorded from dozens of feet away, and even derived them fairly reliably from the smudge prints on a phone's screen. But the latest study presents evidence of the security mechanism's vulnerability to the simplest, most manual attack method yet.

The PIN versus pattern debate, of course, isn't quite as relevant as it was a few years ago. Today many Android users and most iPhone users unlock their phones with a fingerprint, or soon, with facial recognition. But smartphones still frequently fall back on PINs and patterns, when the phone first turns on, for instance, or when a biometric reader fails. And plenty of security-sensitive users disable biometrics to avoid spoofing attacks, or being forced to unlock their phone by authorities—the Fifth Amendment sometimes protects Americans who refuse to offer up their PIN, but not their finger or face.

The Naval Academy and Maryland researchers' snooping study, though, shows just how vulnerable PINs and especially patterns are to the most low-tech form of hacking there is. The lesson: If you use a pattern, switch to a six-digit PIN, or at least turn off those pattern feedback lines. It may be less convenient, but it beats peering over your shoulder with every unlock.

Source: wired

Maintain Your &%$#* Systems! A Mantra for IT Professionals in the Wake of Equifax

Once again, we have a basic failure in cyber hygiene causing a massive data breach. This one affects potentially half of the U.S. population and compromises particularly sensitive personal information that can be used by criminals to wreak havoc on people’s bank accounts, credit scores and identities.

I’m referring, of course, to the Equifax breach. What I find particularly disturbing is that criminals took advantage of a known vulnerability for which a patch had been available for two months. Let that sink in for a moment -- two months is an eternity of exposure to hostile internet actors when efficient systems management and compensating controls are readily available. In fact, the Tenable team had published this post in March about this particular Apache Struts vulnerability and the availability of Tenable plugins. In an era where companies are continuously updating their software, IT and security teams should be consistently patching bugs and closing vulnerabilities as they are reported.

These types of attacks take advantage of the worst and most common habits -- the avoidance of doing something as simple as maintaining good cyber hygiene and patching systems. Cyber criminals don’t need to waste a precious and rare zero-day exploit when they can easily get into your network using a known exploit of an unpatched vulnerability.

Every organization has a responsibility to know what systems it operates and which ones it relies on. To know those systems are exposed and to efficiently manage and reduce cyber risk, frequently through patching and compensating controls. This isn’t sexy work, but it gets the job done. Maintaining good cyber hygiene is so fundamental to building a solid, scalable and IT program that it ought to be a requirement against which all IT functions are measured. Imagine the benefits to the business if CIOs and CISOs rewarded their teams for maintaining top rate systems hygiene and celebrated defense and prevention?

Just as doctors take the Hippocratic oath to “first do no harm,” IT and security teams ought to adopt a similar mantra, “Maintain your systems.” That is the surest way to keep the business healthy and safe from cybercriminals. And it's the only way we're going to stop this vicious cycle of breaches and the inevitable face palm that results from knowing the breach was entirely preventable.

Source: tenable

How to disable SMBv1 to protect your Windows PC from malicious attacks

Your PC may be vulnerable to attacks — use this guide to disable the Server Message Block (SMB) version 1 (v1) protocol on Windows 10.

Recent ransomware attacks, including WannaCry and Petya, both wreaked havoc on hundreds of thousands of PCs around the globe, taking advantage of a flaw found in the old SMBv1, which still comes enabled by default on Windows 10.

SMB is a network file sharing protocol that Windows 10 uses to allow apps to read and write to files, as well as to perform services requests for another device on the network. There are three versions of SMB, but version 1 is the only one affected; versions 2 and 3 are not vulnerable.

If your computer is not running applications that require the use of this protocol, it's recommended to disable SMBv1 completely to prevent future malicious attacks that could use this vulnerability.

In this Windows 10 guide, we walk you through the steps to disable the SMBv1 protocol to make your device less vulnerable to attacks.

How to disable SMBv1 protocol on Windows 10

To disable the vulnerable protocol on Windows 10, follow these steps:

Note: Before proceeding, make sure to save all your work and close any running applications.

Open Start.
Type Turn Windows features on or offand click the result.
Clear the SMB 1.0/CIFS File Sharing Support option.
Click OK.
Click Restart now.

Once you've completed the steps and your machine reboots, SMBv1 will no longer present a threat to your system.

Microsoft is expected to remove this protocol with the Windows 10 Fall Creators Update, but in the meantime, you can use these steps to prevent your device from getting compromised.

Source: Windowscentral

Here’s How Hackers Can Hijack Your Online Bitcoin Wallets

Researchers have been warning for years about critical issues with the Signaling System 7 (SS7) that could allow hackers to listen in private phone calls and read text messages on a potentially vast scale, despite the most advanced encryption used by cellular networks.

Despite fixes being available for years, the global cellular networks have consistently been ignoring this serious issue, saying that the exploitation of the SS7 weaknessesrequires significant technical and financial investment, so is a very low risk for people.

However, earlier this year we saw a real-world attacks, hackers utilised this designing flaw in SS7 to drain victims' bank accounts by intercepting two-factor authentication code (one-time passcode, or OTP) sent by banks to their customers and redirecting it to themselves.

If that incident wasn't enough for the global telecoms networks to consider fixing the flaws, white hat hackers from Positive Technologies now demonstrated how cybercriminals could exploit the SS7 flaw to take control of the online bitcoin wallets to steal all your funds.

Created in the 1980s, SS7 is a telephony signalling protocol that powers over 800 telecom operators across the world, including AT&T and Verizon, to interconnect and exchange data, like routing calls and texts with one another, enabling roaming and other services.

While demonstrating the attack, the Positive researchers first obtained Gmail address and phone number of the target, and then initiated a password reset request for the account, which involved sending a one-time authorization token to be sent to the target's phone number.

Just like in previous SS7 hacks, the Positive researchers were able to intercept the SMS messages containing the 2FA code by exploiting known designing flaws in SS7 and gain access to the Gmail inbox.

From there, the researchers went straight to the Coinbase account that was registered with the compromised Gmail account and initiated another password reset, this time, for the victim's Coinbase wallet. They then logged into the wallet and emptied it of crypto-cash.

Fortunately, this attack was carried out by security researchers rather than cybercriminals, so there wasn't any actual fraud of bitcoin cryptocurrencies.

This issue looks like a vulnerability in Coinbase, but it's not. The real weakness resides in the cellular system itself.

Positive Technologies has also posted a proof-of-concept video, demonstrating how easy it is to hack into a bitcoin wallet just by intercepting text messages in transit.

Different SS7 Attack Scenarios

This attack is not limited to only cryptocurrency wallets. Any service, be it Facebook or Gmail, that relies on two-step verification are vulnerable to the attacks.

The designing flaws in SS7 have been in circulation since 2014 when a team of researchers at German Security Research Labs alerted the world to it.

The flaws could allow hackers to listen to phone calls and intercept text messages on a potentially massive scale, despite the most advanced encryption used by cellular network operators.

Last year, the researchers from Positive Technologies also gave demonstrations on the WhatsApp, Telegram, and Facebook hacksusing the same designing flaws in SS7 to bypass two-factor authentication used by those services.

At TV program 60 Minutes, Karsten Nohl of German Security Research Labs last year demonstrated the SS7 attack on US Congressman Ted Lieu's phone number (with his permission) and successfully intercepted his iPhone, recorded call, and tracked his precise location in real-time just by using his cell phone number and access to an SS7 network.

Although the network operators are unable to patch the issues anytime soon, there's little a smartphone user can do.

Avoid using two-factor authentication via SMStexts for receiving OTP codes. Instead, rely on cryptographically-based security keys as a second authentication factor.

Source: TheHacker News

RISKS LIMITED WITH LATEST APACHE BUG, OPTIONSBLEED

Servers running Apache software are susceptible to memory leaks that an attacker could theoretically piece together to learn secrets transmitted during a session. But the risk is most pressing only in shared hosting environments apparently, and only if the software is running a certain rare configuration.

Details of the bug, which has been called Optionsbleed given its similarity to Heartbleed and other vulnerabilities that leak memory, were disclosed yesterday by researcher Hanno Bock.

Bock pointed out in a report that an attacker could use the HTTP OPTIONS request method to exploit the vulnerability. The request returns an “Allow” header from a server running Apache with a list of supported methods. Servers running the misconfiguration also return what looks like corrupted data but instead were Apache configuration options.

Yann Ylavic, member of the Apache HTTP Server Project Management Committee, told Threatpost that the risk is limited and only a few bytes are leaked in affected configurations. There has been no indication sensitive data is disclosed, he said. The Apache Server Foundation has patched the vulnerability, as have a number of Linux distributions.

“The fix has been committed to our repository (‘upstream’) and will be in a new numbered release shortly,” Ylavic said. “Many of our users rely on a third party for their builds and maintenance, commonly Linux distribution vendors.”

Bock describes the issue as a use-after-free vulnerability, which Ylavic conceded is not difficult to reproduce on affected systems. Bock, however, said he was able to see only 466 hosts among the Alexa top 1 million sites returning corrupted Allow headers.

“The vast majority of systems are not running an affected configuration, and causing the configuration to be affected requires write access to the configuration. In some shared environments, one user with write access could cause the configuration to be affected without the knowledge of other users,” Ylavic said. “This can be mitigated already on unpatched systems, by setting some directives in the main configuration which is not writable by users (default configurations are not affected).”

Bock said he collaborated with Apache developer Jacob Champion who traced the issue to a configuration directive called Limit that allows restricting access to HTTP methods to a specific user.

“And if one sets the Limit directive in an .htaccess file for an HTTP method that’s not globally registered in the server then the corruption happens,” Bock wrote. “Setting a Limit directive for any invalid HTTP method in an .htaccess file caused a use after free error in the construction of the Allow header.”

Bock said he collaborated with Apache developer Jacob Champion who traced the issue to a configuration directive called Limit that allows restricting access to HTTP methods to a specific user.

Jeff Williams, CTO and cofounder of Contrast Security, said attempts to exploit this flaw would be exceptionally noisy, and easy to identify and block.

“It looks like only small bits of this information are leaked. So it would be extremely difficult to get something useful,” Williams said. “Second, only 400-some servers are affected out of the top 1m. That dramatically reduces the attack options. They came up with a great name, OptionsBleed. And it’s theoretically interesting. But not much danger to you and me. Upgrade your server and get on with life.”

Ylavic said updates would be routine for most users.

“Medium and large users will generally have an architecture/procedure where maintenance can be rolled out without interruption,” he said. “The smallest of users, with a single server and no frontend load balancing, may take a brief but planned outage for any maintenance. The fix also consists in disallowing the misconfiguration, so some users may need to adapt their configuration (if ever they really needed it).”

Source: threatpost

Bitcoin is for drug dealers and murderers, says JPMorgan CEO

Following recent measures by the Chinese government to close bitcoin exchanges, JPMorgan CEO Jamie Dimon said at a bank investor conference in New York that cryptocurrency is merely a “fraud” and not “a real thing,” writes CNBC.

Dimon compared the craze around bitcoin with the Dutch tulip mania of the Golden Age, when prices went up outrageously only to drastically plunge later.

“The currency isn’t going to work. You can’t have a business where people can invent a currency out of thin air and think that people who are buying it are really smart,” Dimon said.

“If you were in Venezuela or Ecuador or North Korea or a bunch of parts like that, or if you were a drug dealer, a murderer, stuff like that, you are better off doing it in bitcoin than US dollars. So there may be a market for that, but it’d be a limited market.”

Although Dimon said he would fire any JPMorgan trader involved in cryptocurrency, the company is allegedly engaged in a blockchain project in an attempt to reduce trading costs.

Since it was released by an unknown author calling himself Satoshi Nakamoto in 2009, digital currency quickly gained traction among tech enthusiasts. Because transactions don’t require an intermediary, Bitcoin turned into the preferred digital payment system on the dark web, raising concern among financial institutions that it aids money laundering and online crime activities.

Source: hotforsecurity

OurMine hacks Vevo, leaks 3 terabytes of internal data

More than 3 terabytes of office documents, videos and other promotional materials belonging to video-hosting service Vevo were leaked online after hackers breached the service late Thursday.

Infamous hacking group OurMine claimed responsibility for the breach of Vevo, a joint venture between the “big three” record companies (Universal Music Group, Sony Music Entertainment, and Warner Music Group.

OurMine was also behind this year’s Game of Thrones leak, the WikiLeaks DNS attack, and the hacking of Facebook CEO Mark Zuckerberg’s Twitter and Pinterest accounts.

Roughly 3.12 terabytes of files were leaked online, and at least two of the documents appear sensitive, Gizmodo reports.

The leaked material is mostly benign. The files include music charts, social media content planned to go online, artist details, etc. One leaked document shows an alarm code (probably changed by now) for Vevo’s UK offices in plain text.

OurMine reportedly had reached out to Vevo and was told off. The group then hacked a Vevo employee’s Okta account, accessed the internal files and leaked them online. In an email to Gizmodo, the hackers said “If they asked us to remove the files then we will.”

A Vevo spokesperson said “Vevo experienced a data breach as a result of a phishing scam via Linkedin. We have addressed the issue and are investigating the extent of exposure.”

OurMine hacks companies and websites as a way of advertising its prowess, but at the same time the group positions itself as an ethical, white hat hacking group. However, their practices are controversial and, at times, detrimental to the businesses that they target – such as HBO’s loss of viewers because of the Game of Thrones leak.

In 2017, OurMine also hacked the Twitter accounts of DJ David Guetta, the New York Times, WWE (World Wrestling Entertainment), Playstation Network, FC Barcelona and Real Madrid, as well as several high-profile Youtube and Facebook accounts.

More recently, the group had a bone to pick with whistleblowing site WikiLeaks, leaving a tongue-in-cheek message on the front page as evidence that the site could be hacked, after WikiLeaks challenged the group to try and do it.

Source: hotforsecurity

CCleaner malware infected 2.27 million users - Avast

Users of a free software tool designed to optimize system performance on Windows PCs and Android mobile devices got a nasty shock this morning when Piriform, the company which makes the CCleaner tool, revealed in a blog post that certain versions of the software had been compromised by hackers — and that malicious, data-harvesting software had piggybacked on its installer program.

The affected versions of the software are CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191.

The company is urging users to upgrade to version 5.34 or higher (which it says is available for download here).

So clearly some users may still have a compromised PC on their hands (Piriform says it’s moving all users of the CCleaner to the latest version of the software, while noting that users of CCleaner Cloud will have been updated automatically.)

The malware was apparently capable of harvesting various types of data from infected machines — specifically, Piriform says: the computer name, IP address, list of installed software, list of active software and list of network adapters (data it describes as “non-sensitive”) — transmitting it to a third party computer server located in the US.

“We have no indications that any other data has been sent to the server,” it writes.

“Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done. It would have been an impediment to the law enforcement agency’s investigation to have gone public with this before the server was disabled and we completed our initial assessment,” it added.

A spokeswoman for security giant Avast, which acquired the UK-based company back in July, told us: “We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.”

“We estimate that 2.27 million users had the affected software installed on 32-bit Windows machines,” she further added.

At the time of the acquisition, CCleaner was billed as having 130M users, including 15M on Android. So concerns had been raised about the very large potential number of affected devices.

Although it would appear that, in this instance, the illegal payload was only successfully delivered to a small minority of users — and specifically to those using 32-bit Windows PCs.

No people running the tool on Android devices were affected, according to Avast’s spokeswoman.

Piriform’s VP of products has gone into some technical detail regarding the hack here, writing that: “An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.”

He also notes the company first noticed suspicious activity on September 12, 2017, before further investigation revealed “the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public”.

That means some Windows users of CCleaner could have had their machines compromised for more than a month — given the affected versions of the tool were released on August 15 and August 24 respectively.

Piriform added that it estimates these versions “may have been used by up to 3% of our users” — which would push the pool of affected users as high as 3.9M.

Avast’s CTO Ondrej Vlcek declined to speculate on the hackers’ intentions for the data being harvest by the malware — saying he could not comment on account of a law enforcement investigation currently underway.

Asked what additional measures it’s taking to guard against a similar future attack, Vlcek told us: “We are making sure the problem doesn’t happen again by moving the entire Piriform product build environment to a more robust, secure infrastructure provided by Avast.”

Source: TechCrunch

CCleaner was hacked to spread malware to millions of users for a month

Now this is an ironic flub-up. Popular utility tool CCleaner (short for ‘Crap Cleaner’), which promises to clean up your system for enhanced performance, was hacked to distribute malware directly to its users, Cisco Talos reports.

The app, which touts more than two billion downloads and over two million active users according to parent company Avast, was infected with a malicious payload that made it possible to download and execute other suspicious software, including ransomware and keyloggers.

While developer Piriform and Avast have already confirmed the attack, the good thing is that there is currently no evidence to suggest the exploit was used to install additional malware.

The malware was also programmed to collect a bunch of user data, including:

Name of the computer

List of installed software, including Windowsupdates

List of running processes

MAC addresses of first three network adapters

Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.

Though it in no way alleviates the blunder, the appmaker says all stolen data was encrypted and unlikely to be accessed.

Talos’ report warns that the malware was found in CCleaner version 5.33, which was actively distributed between August 15 and September 12. What is particularly jarring is that it appears the infected app was signed with a valid certificate Symantec issued to Piriform (recently acquired by Avast).

According to reports, the malware-infested version of CCleaner was downloaded by 2.27 million users. Speaking to Forbes, Avast chief technical officer Ondrej Vlcek said that, “2.27 million is certainly a large number, so we’re not downplaying in any way. It’s a serious incident. But based on all the knowledge, we don’t think there’s any reason for users to panic.

“To the best of our knowledge, the second-stage payload never activated… It was prep for something bigger, but it was stopped before the attacker got the chance.”

Should you happen to be one of the millions of users that downloaded the infected version 5.33, your best bet is to head to Piriform’s website here and update to the latest iteration of CCleaner.

Those interested in more technical details can peruse Talos’ full vulnerability report here.

Source: TNW

2017’s 5 Most Dangerous DDoS Attacks & How to Mitigate Them (Part 2)

By Carl Herberger

This is Part 2 of our series on the top 5 most dangerous DDoS attacks and how you can successfully mitigate them.

ATTACK TYPE #3: Friend Turned Enemy: SSL-Based Cyber Attacks

There is a new set of challenges facing organizations leveraging encryption technologies. Cyber-attacks, including DDoS attacks and advanced web application attacks, continue to plague businesses as they continuously shift operations online. For both types of assaults, those leveraging encrypted traffic as an attack vector are on the rise, further challenging current security solutions. Most mitigation technologies do not actually inspect SSL traffic, as it requires decrypting/encrypting traffic. Recent surveys show that between 25% – 35% of enterprise communication sent via an LAN and WAN is SSL-encrypted traffic.

SSL-based attacks take many forms, including:

Encrypted SYN Floods: These attacks are similar to standard, non-encrypted SYN flood attacks in that they seek to exhaust the resources in place to complete the SYN-ACK handshake, only they further complicate the challenge by encrypting traffic and forcing resource use of SSL handshake resources.

SSL Renegotiation: These attacks work by initiating a regular SSL handshake and then immediately request the renegotiation of the encryption key. The tool repeats this renegotiation request until all server resources have been exhausted.

HTTPS Floods: These attacks generate floods of encrypted HTTP traffic, often as part of multi-vector attack campaigns. Compounding the impact of “normal” HTTP floods, encrypted HTTP attacks add several other challenges, such as the burden of encryption and decryption mechanisms.

Encrypted Web Application Attacks: Multi-vector attack campaigns also increasingly leverage non-DoS, web application logic attacks. By encrypting the traffic masking these advanced attacks, they often pass through both DDoS and web application protections undetected.

In the same way SSL and encryption protect the integrity of legitimate communications, they effectively obfuscate many of the attributes used to determine if traffic is malicious or legitimate. Identifying attack traffic within encrypted traffic flows is akin to finding a needle in a haystack . . . in the dark. Most cyber-attack solutions struggle mightily to identify potentially malicious traffic from encrypted traffic sources and isolate that traffic for further analysis (and potential mitigation).

The other major advantage that SSL attacks offer to attackers is the ability to put significant computing stress on network and application infrastructures they target. The process of decrypting and re-encrypting SSL traffic increases the requirements of processing the traffic, in many cases beyond the functional performance of devices used for attack mitigation. In a recent report, Gartner Research notes that less than 20% of organizations using common security technologies (firewall, IPS) are inspecting inbound or outbound encrypted traffic.

Even the most advanced mitigation technologies have gaps in their encryption-based protections. Few of these solutions can be deployed out-of-path, which is a necessity for providing protection while limiting the impact on legitimate users. Many solutions that can do some level of decryption tend to rely on rate-limiting requests, thereby resulting in dropped legitimate traffic. Finally, many solutions require the customer to share actual server certificates, which complicates implementation, certificate management and forces customers to share private keys for protection in the cloud. Here are some tips to consider when considering protection from encrypted attacks:

Stateless mitigation: As previously mentioned, many security technologies are stateful in nature, meaning they maintain state throughout a session. This requires additional computing resources and poses the risk of filling session tables, at which point the device will fall over. Be sure the technologies you’re depending on for encrypted attack protection are stateless in nature to ensure ability to scale to the higher demands of these attacks.

Asymmetric deployment options: Most security technologies rely on a symmetric deployment model, meaning they are in the path for both inbound and outbound traffic. This has key benefits for some aspects of security, but in the case of encrypted attack mitigation, adds unnecessary computational strain on the solution. Look for technologies that can support an asymmetric deployment where only ingress encrypted traffic passes through the mitigation engine.

Certificate management: Some security technologies that claim to cover encrypted attacks do so at the burden of operations teams that manage server certificates. Specifically, these technologies require the sharing of the actual web server certificates, meaning any change to these certificates have to be replicated in the security solution. Look for technologies that can manage the inspection of encrypted traffic through use of certificates legitimately issued to the organization but not tied specifically to the web server.

Ensuring integrity of the trust model: One of the principles behind website authentication through certificates is the confirmation to the end customer that they are engaged in a “private” communication with the intended organizations. Some service providers offer SSL capabilities that break this trust model and actually initiate a secure channel between the unknowing end user and themselves. In so doing, they essentially dup the end user into trusting them with the shared information (as well as the service provider’s certificate management).

Optimizing legitimate user experience: As is so often the case, IT and security professionals are left to strike a balance between having lightweight security and creating such a locked-down user experience as to chase away customers. This balancing act plays out in encrypted attack mitigation as well, where some technologies employ something of an on/off switch for decrypting all encrypted traffic when a potential attack is detected. Look for technologies that can selectively apply challenge-and-response specifically to traffic identified as suspicious, thereby maintaining user experience for legitimate users sending through encrypted traffic.

The fact that many organizations are seeing an increase in encrypted traffic is, in general, a good thing. It is however, a complicating factor when it comes to encrypted cyber-attacks. The bottom line is that to provide effective protection, solutions need to deliver full attack vector coverage (including SSL), high scalability to meet the growing demands of the consumer, and innovative ways to handle management of encryption technologies (today predominantly SSL/TLS) in a manner that can be operationalized effectively and efficiently.

ATTACK TYPE #4: Fire & Forget: PDoS – Permanent Denial of Service

A permanent denial-of-service (PDoS) attack, also known loosely as phlashing in some circles, is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. By exploiting security flaws or misconfigurations, PDoS can destroy the firmware and/or basic functions of system. It is a contrast to its well-known cousin, the DDoS attack, which overloads systems with requests meant to saturate resources through unintended usage.

One method PDoS uses to accomplish its damage is via remote or physical administration on the management interfaces of the victim’s hardware, such as routers, printers, or other networking hardware. In the case of firmware attacks, the attacker may use vulnerabilities to replace a device’s basic software with a modified, corrupt, or defective firmware image—a process which when done legitimately is known as flashing. This therefore “bricks” the device, rendering it unusable for its original purpose until it can be repaired or replaced. Other attacks include overloading the battery or power systems.

Why Bother with Temporary Outages when you can Achieve Permanent?

Imagine a fast moving bot attack designed not to collect data but rather to completely prevent a victim’s technology from functioning. Sounds unlikely, but it’s possible. Permanent denial-of-service (PDoS) attacks have been around for a long time; however, this type of attack shows itself spectacularly to the public only time to time.

The most recent example was BrickerBot, which Radware discovered in April, 2017. Over a four-day period, BrickerBot launched thousands of PDoS attempts from various locations leveraging Telnet vulnerabilities to breach a victim’s devices.

In a recent article published by Help Net Security, they detailed how a new USB exploit can be inserted into a computer and render a computer bricked. In fact, according to Help Net, the latest PDoS USB attack “when plugged into a computer … draws power from the device itself. With the help of a voltage converter, the device’s capacitors are charged to 220V, and it releases a negative electric surge into the USB port.”

[You might also like: From BrickerBot to Phlashing, Predictions for Next-Level IoT Attacks.]

Another example, covered in a 2008 article in Dark Reading, additionally highlighted a tool uncovered by HP Labs called PhlashDance. This tool was leveraged to find vulnerabilities in often forgotten firmware and binaries that sit localized on computing devices. The risk lies in the lack of patches and upgrades made to the devices.

This article goes on to say that “remotely abusing firmware update mechanisms with a phlashing attack, for instance, is basically a one-shot attack. Phlashing attacks can achieve the goal of disrupting service without ongoing expense to the attacker; once the firmware has been corrupted, no further action is required for the DOS condition to continue.”

Assessing Risks & Taking Action

The following behaviors and trends may increase the risk of a PDoS attack targeting your organization.

– Running a highly virtualized environment that leverages a few hardware devices, but powerfully overloads software functions. One PDoS on the platform can create a disaster recovery situation. This includes Software Defined Networks (SDNs).

– Organizations highly dependent on IoT. “Things” are highly susceptible to PDoS as they are often simple devices with little to no inherent security measures.

– Organizations with centralized security gateways. One powerful PDoS can punch a hole in your attack detection and mitigation capabilities.

– Organizations that are considered critical infrastructure.

The clear action to take is to conduct an assessment on the type of technology you are running at or below the operating system level. Develop a clear understanding of the different firmware versions, binaries, chip-level software (like ASICs and FPGA) and technology that is in use in your environment. Also consider batteries, power systems and fan system vulnerabilities.

Assessing the likelihood and risk of a PDoS attack can help your organization take the necessary precautions and onboarding controls to protect your most critical assets. Education is an important step in evaluating your risk of PDoS attacks.

[You might also like: Chatting With IoT Bots]

ATTACK TYPE #5: IoT Botnets and the Economics Of DDoS Protection

2016 brought a long-feared DDoS threat to fruition: cyber-attacks that are launched from multiple connected devices turned into botnets. Botnets are one of the fastest growing and fluid threats facing cyber security experts today and have propelled us into the 1Tbps DDoS era.

First, here is a timeline of the most notable attacks in 2016/17 that propelled botnets into the front pages and onto the desks of C-suite executives.

June 28, 2016: PCWorld reports that “25,000 digital video recorders and CCTV cameras were compromised and used to launch distributed denial-of-service (DDoS) attacks, flooded targets with about 50,000 HTTP requests per second.” Though impressive and startling, this attack said nothing about what was still to come.

September 20, 2016: Around 8:00 pm, KrebsOnSecurity.com becomes the target of a record-breaking 620Gbps volumetric DDoS attack from a botnet designed to take the site offline.

September 21, 2016: The same type of botnet is used in a 1Tbps attack targeting the French web host OVH. A few days later, the IoT botnet source code goes public—spawning what would become the “marquee” attack of the year.

October 21, 2016: Dyn, a US-based DNS provider that many Fortune 500 companies rely on, is attacked by the same botnet in what is publicly known as a “water torture” attack (see below). The attack renders many services unreachable and causes massive connectivity issues—mostly along the East Coast of the United States.

April 5, 2017: Radware discovers BrickerBot, which over a four-day period, launches thousands of PDoS attempts from various locations around the world. BrickerBot uses Telnet brute force – the same exploit leveraged by Mirai – to breach a victim’s devices.

The Appeal of Internet of Things (IoT) Devices

For hackers, IoT devices are attractive targets for several reasons:

IoT devices usually fall short when it gets to endpoint protection implementation.

Unlike PCs and servers, there are no regulations or standards for secure use of IoT devices. Such regulations help ensure secured configurations and practices. Among them: changing default passwords and implementing access control restrictions (for example, to disable remote access to administrative ports).

IoT devices operate 24×7 and can be in use at any moment.

According to Radware’s 2016 – 2017 Global Application & Network Security Report, 52% of security professionals indicated that they do not believe IoT botnets complicate mitigation or increase detection requirements.

Figure 1: IoT threat impact as perceived by cyber-security professionals.

Botnets: Making Use of Different Attack Vectors

The Mirai botnet provides a perfect example of the various attack vectors one IoT botnet can unleash on its victims. We can all thank a user named “Anna-senpai” for publishing the Mirai source code to a public and easily accessible forum. In short order, the code spread to numerous locations, including several GitHub repositories, where hackers began taking a closer look. Since then, the Mirai botnet has been infecting hundreds of thousands of IoT devices—turning them into a “zombie army” capable of launching powerful volumetric DDoS attacks. Security researchers estimate that there are millions of vulnerable IoT devices actively taking part in these coordinated attacks.

[You might also like: The offspring of two comic book giants bring us the Bot Squad! Super freaky!]

In a surprising departure from previous record-holding amplification attacks, attackers did not use DNS and NTP. Instead, these attacks consisted mainly of TCP-SYN, TCP-ACK and TCP-ACK + PSH along with HTTP and non-amplified UDP floods. In the case of KrebsOnSecurity, the biggest chunk of attack traffic came in the form of GRE, which is highly unusual. In the OVHattack, more than 140,000 unique IPs were reported in what seemed to be a SYN and ACK flood attack followed by short bursts over 100Gbps each over a four-day period.

The Economics of Botnets

While much has been discussed around Mirai, IoT, “the rise of the machines” and other catchy buzz-phrases, we believe one of the most disruptive changes is the new economics model of IoT botnets.

Not so long ago, hackers were investing a great deal of money, time and effort to scan the Internet for vulnerable servers, build their zombie bots army and then safeguard it against other hackers who might also want to claim ownership of them. All the while, hackers would keep continual watch for new infection targets that could join their zombie army.

Things have changed: There are now millions of vulnerable devices sitting with default credentials. Bot masters—the authors and owners of the botnets—do not even bother to secure their bots after infection. After all, as Mirai demonstrates, it does not even persist infection to disk, so a simple device reboot brings it back to clean and healthy state.

For a bot master, gaining control of powerful servers would cost hundreds of dollars every month. Often he or she would gain illegal access to it and work diligently to hide it from others. Finding these servers was and still is difficult and expensive.

Now with IoT botnets, instead of spending months of effort and hundreds of dollars to control a few powerful servers and several hundred infected PCs, bot masters can take control of millions of IoT devices with near zero cost.

Knowledge is Power

Botnets will be an ongoing tale as threats, detection and mitigation solutions continuously change. Knowledge is the key to staying ahead of the menace. Read When the Bots Come Marching In, a Closer Look at Evolving Threats from Botnets, Web Scraping & IoT Zombies to understand what made this threat possible, how to protect IoT devices from becoming enslaved, and how to become a ‘botnet killer.’

Google Is Fighting A Massive Android Malware Outbreak -- Up To 21 Million Victims

Another month, another bunch of Android malware that’s found its way onto Google Play. That’s according to researchers from Check Point, who claimed to have found the second-biggest outbreak to ever hit Google’s platform, with as many as 21.1 million infections from one malware family.

The malware’s been dubbed ExpensiveWall after hiding inside wallpaper apps. The researchers warned it sent fraudulent premium SMS messages and charged for fake services. In the latest outbreak detected by Check Point, ExpensiveWall infected at least 50 apps, which together were downloaded between 1 million and 4.2 million times, according to data straight from Google Play. A previous sample of the malware, uncovered by McAfee, was installed millions of times too, taking the total number of victims to somewhere between 5.9 million and 21.1 million, the researchers claimed Thursday.

That’s a lot, but not quite the stratospheric heights of the Judy malware, which hit Android in May and was downloaded as many as 36 million times, though it was in fewer apps on the Google Play store, as the tech giant had to throw 40 off its store, according to Check Point.

In terms of the biggest ever Android malware, Check Point mobile researcher Daniel Padon told Forbes ExpensiveWall was probably second only to Judy, though he couldn’t put an estimate on how much the criminals made in the latest explosion in SMS fraud.

Check Point disclosed its ExpensiveWall findings to Google on August 7. Google removed incriminating apps, though the hackers moved quickly, uploading another sample to Google Play that infected at least 5,000 devices before being removed four days later.

A Google spokesperson said: “We’ve removed these apps from Play and always appreciate the research community’s efforts to help keep the Android ecosystem safe.”

ExpensiveWall doesn’t just pilfer people’s money, it also grabs data about the infected device, including location and IP address. It could also force users to click on online advertisements, another money-making scheme, as the hackers were at the end of the pay-per-click ad chain.

The researchers said in a blog postExpensiveWall was able to find a way onto Google Play by using encryption techniques to hide its malicious code. They think ExpensiveWall has spread via some nice advertising over social platforms like LinkedIn, while it infiltrated legitimate apps by posing as a software development kit called “gtk.” Developers, believing it to be innocent, embedded it in their apps.

Not that all those who downloaded the infected apps were duped. As Check Point found, a handful of customers were angry about being scammed.

Alongside Judy and ExpensiveWall, Google Play has been plagued by various forms of fraud over the last year. A hacker going by the name Maza-In, interviewed by Forbes in June, was blamed for a big spike in bank login thefts over the world’s most popular mobile operating system. With this latest success for the crooks, it’s apparent Google still has work to do to cut off fraudsters exploiting Android’s openness.

Source: Forbes

Experts Weigh Pros, Cons of FaceID Authentication in iPhone X

Security pros discuss Apple's decision to swap fingerprint scanning for facial recognition technology in the latest iPhone.

Apple demonstrated FaceID, its new 3D facial recognition technology, on Sept. 12 as part of the iPhone X. FaceID will replace TouchID fingerprint scanning in the latest iPhone, which doesn't have a home button, to authenticate users so they can access apps and Apple Pay.

If you were apprehensive after the announcement, you're not alone. Apple isn't the first company to use facial recognition and others have been unsuccessful. Samsung's Face Unlock proved easy to hack when a user logged into one phone using a photo of himself on another; before that, Android's facial scanning tech could be similarly fooled.

Apple uses a different kind of technology, which it promises is more secure. The TrueDepth sensor on iPhone X has a dot projector, flood illuminator, and infrared camera in addition to the built-in camera. The phone creates a 3D map of a user's face and dimensions of their features. Data is locally stored in the iPhone's secure enclave.

"FaceID uses AI in addition to the static biometric recognition techniques," says Zighra CEO Deepak Dutt. "The algorithms bring an adaptive piece into the picture which continuously learns. FaceID typically would have a learning phase where the engine would build a 3D model of the user's face from a large number of data points."

Apple claims its FaceID authentication is 20x more accurate than TouchID. Only one in 1,000,000 people would have a face similar enough to a user's to successfully bypass FaceID -- the same failure rate as a six-digit passcode. In comparison, there is a one in 50,000 chance a random user could log into an iPhone with TouchID using a fingerprint.

So is FaceID really more secure than TouchID, or a passcode?

One concern about FaceID is in its current implementation, only one face can be used per device, says Pepijn Bruienne, senior R&D engineer at Duo Security. TouchID lets users register up to five fingerprints. If a third party obtains a user's fingerprint and reproduces it, and the user is aware, they could register a different unique fingerprint.

This is not the case with FaceID, he says, though an attacker would need a 100% reproducible bypass using an easily obtainable picture of a user's face. Once the system is broken and can be bypassed using a photo, a victim would have to fall back on using strong and unique passcodes. For some, the old six-digit key login is preferred.

"Given that a passcode can be made strong enough to make brute-force attacks useless, they will still have the preference for some security conscious users," says Bruienne. "When combined with good security hygiene, a strong unique passcode (which iOS allows) can be more secure but less convenient."

That said, passcodes also have their downsides. They cannot be forcibly divulged but can be snooped or coerced from users. An attacker with your passcode can get into your iPhone.

FaceID requires a user's attention and can detect whether someone is correctly holding the phone and looking at it to authenticate. This may lessen the chance of "sneak auths" in which someone holds up a phone and attempts to capture a user's face from a distance.

However, if someone has your body under their control, they can force your finger onto a sensor or force your eye open for an iris scanner. What happens if an attacker tries to use FaceID on a sleeping target, or law enforcement wants to get into a suspect's phone?

"It's one thing to compel someone to unlock a device with their finger," says Bruienne. "It's another thing to just point the camera at their face - [it] will be interesting to see how this is managed"

There has been discussion around forcible authentication. The five-click feature, which is reportedly part of iOS 11, would logically apply to both TouchID and FaceID. If someone expects possible forced authentication, they could use this to set the phone back to passcode login. Right now, there isn't a specific expression or fingerprint that would disable biometric login.

"We will not know of the quality of Apple's FaceID facial scanning until the security community tests it, but the combination of an IR sensor and camera makes this system quite accurate and difficult to trick," says WatchGuard Technologies CTO Corey Nachreiner.

Nachreiner says while he strongly believes in biometric authentication, "bad actors will continually find ways around different identity tokens, even biometric ones." The key, he says, is layering multiple forms of authentication in a way that's still convenient for users.

"While ease and usability are always a factor -- if it's too hard, people won’t use it -- relying on just a single token is asking for trouble," he explains

Source: DarkReading