Home Tags Two Factor Authentication

Tag: Two Factor Authentication

Two-factor authentication (also known as 2FA) is a method of confirming a user’s claimed identity by utilizing a combination of two different components. These components may be something that the user knows, something that the user possesses or something that is inseparable from the user. A good example from everyday life is the withdrawing of money from a cash machine. Only the correct combination of a bank card (something that the user possesses) and a PIN (personal identification number, something that the user knows) allows the transaction to be carried out. 2FA is ineffective against modern threats, like ATM skimming, phishing, and malware etc. Two-factor authentication is a type of multi-factor authentication.

GM Bot can rip creds, steal SMS and phone two factor tokens Android users could be hit with a new wave of dangerous banking malware following the leak of source code for a capable Android trojan. Users could be targeted with variants of the malware, known as "GM Bot", that is capable of harvesting usernames and passwords using slick keystroke-capturing website overlays. Since it infects mobile handsets it can steal two factor authentication including SMS and even redirect phone calls. IBM threat bod Limor Kessem says the leak appears to have come from a GM Bot buyer and is bad news for users. "This turnkey capability is the true differentiator; previous mobile malware could steal SMS codes, but those would have been meaningless without phishing schemes or a trojan on the victim’s PC to steal access credentials," Kessem says. "The reverse was also true: phishers and PC trojan operators could not facilitate fraudulent transactions without mobile malware to intercept the SMS codes or calls from the bank. "In short, mobile banking trojans such as GM Bot are a one-stop fraud shop for criminals." Attackers can target any website or banking app to harvest credentials and tokens from infected phones. GM Bot was first discovered late last year when CERT Poland described the malware as a simple but effective bank raiding tool. The CERT's researchers said of the malware that "... the attacker needs only to infect the Android phone and there is no need for a Windows counterpart." The malware joins the ranks of other leaked PC trojans including Zeus, SpyEye, and Carberp. If history is a judge, it is likely the malware will result in various low- and high- quality spin-offs. Users should update their handsets to the latest Android versions which contain more rigorous security and permission checks.

Those who cannot upgrade from old versions on account of vendors no longer shipping updates can consider installing custom but well-supported-and-maintained ROMs such as Cyanogenmod and NamelessROM. ® Sponsored: Building secure multi-factor authentication
New API, policies and open source manager added to ward off future stolen creds attacks Hosting outfit Linode has announced a slew of changes to its user procedures after a long analysis of the attack that led to a system-wide password reset in January.
It's also determined that the breach was the result of customer credential theft. The company's post-mortem of the issue, published here, notes that the December 2015 breach – and an earlier breach in July 2015 – both appeared to have resulted from stolen customer credentials being used by fraudsters. One new breach revealed by the investigation is that an attacker somehow worked out a way to generate valid two-factor authentication keys, something which the company says “significantly changed the seriousness of our investigation”, even though it doesn't seem to have been related to any logins. “After examining the image from our July investigation, we discovered software capable of generating TOTP* codes if provided a TOTP key. We found software implementing the decryption method we use to secure TOTP keys, along with the secret key we use to encrypt them. We also found commands in the bash history that successfully generated a one-time code,” the post states. (*TOTP is the Time-based One-time Password Algorithm-based method, used by systems like Google Authenticator to generate 2FA tokens.
In November, a security researcher warned that if the TOTP implementation used the NTP daemon as its time input, it might be vulnerable at the sysadmin level, by someone manipulating the time the daemon offers to TOTP.) Back to Linode: in both cases, its investigation supports the idea that someone is successfully stealing credentials, rather than stealing them through vulnerability in the data host's infrastructure. However, the investigation also identified places where processes needed hardening, so Linode's announce the following: Authentication – the company says it's replaced SHA-256 salted hashing of passwords with bcrypt.
It's also created an “authentication microservice” that completely separates customer applications from customer credentials.
Instead, credentials are split off into the microservice, and an application asking for authentication receives only “yes” or “no”. Credit card tokenisation – the company says credit cards haven't been compromised, but this feature adds another layer of protection. Policies – the company is revamping its own security policies based on the NIST framework, most particularly to create security zones in its infrastructure, cutting the number of employees with access to “sensitive systems and data”. Other changes over time will include new Linode Manager Notifications, adding a new “senior level security expert” to the company's team, and a new API it expects to reveal as in alpha in the next few weeks. That API will be supported by an open-source version of its Linode Manager. The company also noted that the DDoS attack it suffered in December/January still seems unrelated to the customer credential theft, and nobody seems to have exploited the SSH bug it discovered in February. ® Sponsored: Building secure multi-factor authentication
MicrosiervosApple's encryption battle Activists plan rally on Tuesday at dozens of Apple Stores worldwide How the FBI could use acid and lasers to access data stored on seized iPhone Apple CEO Tim Cook: Complying with court order is “too dangerous to do” Apple: We tried to help FBI terror probe, but someone changed iCloud password Trump urges supporters to boycott Apple in wake of encryption brouhaha View all…The FBI sent Ars a statement late Saturday further clarifying its role in resetting the iCloud password on the seized iPhone 5C central to the San Bernardino terrorism investigation. Earlier in the day a spokesman for the San Bernardino County Health Department confirmed to Ars that his agency changed the iPhone’s associated iCloud password at the request of the FBI.

That action had the unintended effect of making any further iCloud backup attempts impossible, likely frustrating the terror probe.

The San Bernardino County Health Department, which owns the phone, was shooter Syed Rizwan Farook’s employer. However, the Saturday evening statement, written by FBI Los Angeles Field Office spokeswoman Laura Eimiller, also claimed that "we know that direct data extraction from an iOS device often provides more data than an iCloud backup contains." She did not respond to further questions by phone and e-mail. The latest FBI statement directly contravenes what an Apple executive, who was granted anonymity, told reporters on Friday afternoon: That if the iPhone had backed up to iCloud as Apple had suggested, then the data that the FBI may have been able to recover would be precisely the data that it is currently trying to get directly off of the phone that Farook used. Ars spoke with three iOS security experts at length.

They agreed that Apple’s statement is theoretically correct only if the bureau performed just a classic Cellebrite-style direct data extraction.

Doing that would produce the same data as an iCloud backup. However, there might be other information and data on the phone that the FBI could access if agents could break the passcode and decrypt the phone.

After all, bypassing that passcode limit is precisely what the FBI has asked Apple to do. Last week, Apple was given an unprecedented court order—under an obscure 18th century law known as the All Writs Act—to create custom firmware for the iPhone 5C that was used by Farook.

That new firmware would remove a possible automatic wipe feature on the phone if a passcode is incorrectly entered 10 times and would remove a delay between passcode attempts intended to make brute-force entry more difficult.
If Apple does comply, it would allow the government to enter PIN codes in rapid succession until it gained access to the phone.

Apple CEO Tim Cook has publicly said it will resist this attempt, calling it a significant "overreach." A court hearing has been scheduled for March 22 in Riverside, California. Pwned two-factor authentication? So, what information on the phone wouldn’t be available as part of an iCloud backup? There are a handful of applications that Farook may have had installed on the phone that don’t associate with iCloud.

The FBI has not said publicly what it expects to find on the phone. "Signal Messenger isn’t going to back up your messages to iCloud and since they’re end-to-end encrypted, the only place they’re going to be is on the phone," Dan Guido, the CEO of Trail of Bits, a security firm, told Ars. Another possible app that the FBI may want to see running on the phone could include Telegram, another messaging app that has been known to be associated with Islamic State radicals.

Telegram, however, has an optional app-specific passcode that protects access to the app even if the phone is unlocked. "That would be a thing that me as an FBI agent would be concerned about," Guido added. "Maybe [Farook] communicated on it, so we need to get access to the phone.

That’s a reasonable line of thinking for an FBI agent to make." With access to installed apps like Signal and Telegram, the FBI may want to know who else Farook was communicating with, and what was said, which could open up other avenues or confirm other details about who he was communicating with. According to John Adams, a former security official at Twitter, with access to the phone itself, the FBI may also be able to access Farook’s two-factor authentication apps, if they exist.

For example, having data from the Google Authenticator app could potentially give the FBI access to his Gmail account. "They gain a massive amount of functionality and visibility of the user that they didn’t have before," he said. Slow down, turbo Ars learned Friday that Apple had suggested that the FBI try to force the iPhone to perform an iCloud backup by taking it to a previously used Wi-Fi location, plugging it into an electrical wall socket, and leaving it overnight.

Because the iCloud password was reset four days after the attack by the San Bernardino County Health Department, at the behest of the FBI, the possibility of forcing the phone to perform an auto-backup to its associated iCloud account was eliminated. On Saturday, Apple declined to answer Ars’ question as to whether the company was consulted prior to the iCloud password reset. The FBI has been doggedly trying to extract a missing six weeks worth of data from the iPhone since its last iCloud backup on October 19, 2015. No one knows why there were no further backups subsequent to that date, but the same Apple executive described Farook’s iCloud backup history as "sporadic." Guido, the iOS security expert, also noted that it was foolish for the FBI to suggest that San Bernardino officials reset the iCloud password rather than simply wait for Apple to hand over iCloud data as part of a normal legal request. "Any investigator knows that you can make a simple request to Apple—you don’t need to reset the password," he added. "It was likely a panicked response and they thought they could get the data faster than Apple could give it to them.

That, unfortunately, was probably not the best idea." For his part, a third iOS expert, Jonathan Zdziarski, who wrote a book called iPhone Forensics, speculated to Ars that the FBI is "hiding the fact that there's going to be a second [court] order to complete the [data] acquisition." In a blog post published late Saturday night, Zdziarski theorized that federal prosecutors may try to expand their court order, and demand that Apple perform a physical extraction and decryption of all the data that currently sits on the phone. As he wrote: In other words, if the FBI is planning to have Apple perform a physical extraction of this extra data, then they are forcing Apple to create this backdoor tool for a separate reason, as it is completely unnecessary if Apple will be forced to extract the contents of the device in the end.
It would also mean that they’re hiding all of this extra work from both the courts and from Apple, possibly because the combination of the two [All Writs Act] orders would have constituted "unreasonable" assistance in the court’s view.
It completely modifies the purpose of the first order as well; we’ve now gone from having a single tool with a very specific purpose to having two separate tools to create a modular platform for FBI to use (via the courts) as each piece becomes needed.
Solfyre offering is a hit with industry experts and the public, proving itself a true trailblazer in the fintech and mobile spacesLondon – 18th February 2016 - British cybersecurity pioneer Solfyre were awarded with the winner’s title for an outstanding three categories in global startup awards scheme the Tech Trailblazers Awards.

The voting public and judging panel made up of industry experts both decided that Solfyre would take home the Trailblazers title in FinTech, Mobile and Firestarter categories. Solfyre logo With the ability to offer businesses and consumers a secure and hassle-free login experience on any website, and its commitment to acknowledging and meeting the needs of the user, Solfyre’s login and password management mobile app ‘SID’ gained top scores all round. SID encrypts a user’s passwords, and when the user plans to log in to any website on their desktop it generates one time QR codes for two factor authentication.

This is an extremely easy and quick way to securely log in without having to constantly remember multiple passwords.

Furthermore, the judges were very impressed with SID’s biometric components for further authentication and personal security. Craig Vallis, founder and CEO of Solfyre said, “Gaining top recognition in these three categories illustrates our understanding of and commitment to the mobile technology we are evolving, the financial technology sector which SID is a strong solution for, as well as our strategy to grow as an early stage pre-funding startup. We are very proud to have gained recognition in three areas that are integral to Solfyre’s aims and progression as a company.” Rose Ross, Chief Trailblazer said, “On behalf of the team and esteemed international judging panel, I congratulate all the winners of the Tech Trailblazers Awards. We were greatly impressed by the ingenuity and innovation shown in the entries . Winners of this year’s Tech Trailblazers Awards are some of the most exciting enterprise tech startups making an impact in the business world today.
I’m sure we will be hearing more about the successes from these inspiring startups in the future. We wish them the very best of tech trailblazing luck in 2016.” For more information on the Tech Trailblazers, please visit www.techtrailblazers.com, follow the buzz on Twitter @Techtrailblaze, hashtag #TTawards or check out LinkedIn for the latest updates http://www.linkedin.com/company/tech-trailblazers-awards. ### About SolfyreSolfyre is a British startup specialising in identity and password management. Headquartered in London, the company is committed to igniting the Identity Revolution.

The first step is the development of SID, a mobile app that simplifies password management and ensures passwords are always secure and always accessible.

The app will available in iOS, Android and Windows Mobile versions in early 2016. For more information, visit the Solfyre website on: www.solfyre.com or follow them on Twitter on www.twitter.com/solfyreID Media ContactOmarketing for SolfyreRosalind Carrrosalind@omarketing.com+44(0)20 8255 5225@omarketingnews
Dial P for pwnage A new Trojan banker for Android is capable of wiping compromised smartphones as well stealing online banking credentials, security researchers are warn. The Mazar BOT Android malware is read using booby-trapped multi-media messages. If installed, the malware gains admin rights that give it the ability to do almost anything with a victim's phone. The malware can read SMS messages, which means it can also circumvent (two factor authentication) 2FA systems. The malware also gain the ability to send SMS messages to premium channel numbers, run man-in-the-middle attacks or even erase compromised phones. It also uses TOR for communication. Antivirus detection is currently very low, Danish security outfit Heimdal Security warns. “Mazar BOT has been advertised for sale on several websites on the Dark Web, but this is the first time we’ve seen this code be abused in active attacks,” Heimdal Security adds in a blog post on the threat. The malware cannot be installed on smartphones running Android with the Russian language option. More on the Mazar BOT Android malware can be found in a blog post by CSIS, Heimdal Security’s parent firm, here. CSIS shows how the malware can abuse Chrome injects, among other tricks in its armoury. ® Sponsored: Building secure multi-factor authentication
Hackers are using stolen Social Security numbers and bots to steal your money from the IRS's E-File system. It's tax season, and hackers are once again trying to cash in. The IRS on Tuesday announced that hackers recently attempted to use some 464,000 stolen Social Security numbers and an automated bot to generate E-file PINs, which can be used to electronically file a tax return. The incident occurred last month, and the hackers were able to successfully access an E-file PIN with 101,000 of the SSNs. "No personal taxpayer data was compromised or disclosed by IRS systems," the agency said. It is now working to notify affected taxpayers that their personal information was used in an attempt to access the IRS application. The IRS has also flagged accounts to protect against tax-related identity theft. As Paul Ducklin, a senior security advisor at Sophos, pointed out, fraudsters are likely trying to take advantage of those who have not yet filed returns.  "This is an ideal time for tax refund fraudsters to get stuck in, filing a fraudulent return in your name, understating your income in order to claim a refund, and then scooping up the refund by having the funds diverted out of your account and into theirs," he wrote in a blog post. If hackers are trying to use your SSN, Ducklin suggests the IRS will let you "request a special, stronger form of 2FA [two-factor authentication] from the IRS known as the IP Identity Protection PIN (IP PIN). "Annoyingly, the IP PIN isn't available to everyone on demand — only to taxpayers who have already suffered some kind of identity breach," Ducklin wrote. "We think that the IRS ought to let anyone who wants one sign up for an IP PIN." Last year, Turbo Tax temporarily halted e-filing for state returns across the U.S. after it found "an increase in suspicious filings and attempts by criminals to use stolen identity information to file fraudulent state tax returns and claim tax refunds."
The White House calls for more investment in protecting data and proposes to spend $19 billion this year on a variety of security initiatives, including educating consumers to use two-factor authentication. President Barack Obama on Feb. 9 proposed spending more than $19 billion over the next year on cyber-security initiatives as part of a new plan to better protect the computers, networks and data of United States’ citizens, businesses and government agencies. The initiatives, which the administration wove together in its 2016 budget proposal as the Cybersecurity National Action Plan (CNAP), aim to secure government computers and increase the security of corporate networks and citizens’ data. The White House earmarked $19 billion in its proposed budget for cyber-security, an increase of 35 percent over the previous year, Michael David, special assistant to the President and cyber-security coordinator, said in a statement posted to the official White House site. “The President believes that meeting these new threats is necessary and within our grasp,” David said. “But it requires a bold reassessment of the way that we approach security in the digital age and a significant investment to ensure we can implement the best security strategies.” The cyber-security spending increase is part of the $4.1 trillion federal budget proposal Obama sent to Congress on Feb. 9. The plan follows yet another abysmal year for American citizens’ efforts to protect their personal data. The U.S. Office of Personnel Management reported in June that hackers had compromised its systems and stolen extremely sensitive information on federal employees and job seekers—information which included the contents of background checks. In November, federal authorities charged three men with infiltrating and stealing data from nine financial institutions and publishers, including JPMorgan, Dow Jones, Scottrade and eTrade. Information on more than 100 million customers was compromised in the breaches. A variety of initiatives make up the Cybersecurity National Action Plan. The Obama administration plans to establish a panel of experts to advise the government on ways to improve its cyber-security and to protect citizens’ data. The administration also proposed a federal chief information security officer (CISO) to identify weak spots in the infrastructure. The White House also intends to expand education initiatives to make consumers more security aware, such as teaching people that passwords are not enough. Security firms applauded the Obama administration’s efforts, but also pointed out numerous shortcomings of the plan. The CISO, for example, will be ineffective, unless given direct power over the government's cyber-security infrastructure. “The CISO needs to be both a leader and a recognized cyber-security expert who can move the needle quickly and make decisions on behalf of the entire federal government,” Mark Weatherford, chief strategist for cyber-security firm vArmour, said in a statement sent to eWEEK. “Without this level of authority, there is no chance for any real success.” Before joining vArmour, Weatherford served in the Department of Homeland Security as its first deputy undersecretary for cyber-security. Avivah Litan, research vice president with business intelligence firm Gartner, agreed that a federal CISO needs to have power to require agencies to secure their infrastructure. “Obviously it is a step in the right direction, but in many ways, it is just one more level of bureaucracy,” she told eWEEK. Pointing to reports from last year that showed the Internal Revenue Service paid out more than $5 billion to fraudsters as part of tax-refund fraud schemes, Litan argued that security improvements at the IRS could easily pay for themselves in reduced losses due to fraud. “They should not have to allocate extra money for the civilian agencies,” she said.
Every year there are more studies revealing that the most-popular passwords are plain awful. Obvious passwords like "123456" and "password" always top the lists. Worse, many people use the same lame password everywhere. It doesn't take a hacker to break into an account that uses one of these terrible passwords, just a good guesser. The problem is, avoiding same passwords and lame passwords is hard—too hard for most people to manage without help. Fortunately, help is available in the form of password management software. For your own sanity and security, install a password manager and change all of your passwords so every single one is different, and every single one is long and hard to crack. Until our Internet culture evolves into some post-password Nirvana, everybody needs a password manager, even our own John Dvorak. There are plenty of good choices. All the commercial password managers listed here earned 3.5 stars or better. Strapped for cash? We've rounded up free password managers separately. The BasicsThe typical password manager installs as a browser plug-in to handle password capture and replay. When you log in to a secure site, it offers to save your credentials. When you return to that site, it offers to automatically fill in those credentials. And, if you've saved multiple logins for the same site, the password manager offers you multiple account login options. Most also offer a browser-toolbar menu of saved logins, so you can go straight to a saved site and log in automatically. Some products detect password-change events and offer to update the existing record. Some even record your credentials during the process of signing up for a new secure website. On the flip side, a password manager that doesn't include password capture and replay automation needs to offset that lack with significant other assets. Getting all of your existing passwords into the password manager is a good first step. Next, you need to identify the weak and duplicate passwords and replace them with tough ones. Many password managers flag weak and duplicate passwords, and some offer help with the update process. The very best ones can automate the password-change process for you. When you create a new secure account or update a weak password, you don't want to strain your brain trying to come up with something strong and unique. Why bother? You don't have to remember it. All but one of our top-rated products include a built-in password generator. Make sure your generated passwords are at least 12 characters long; some products default to a shorter length. Entering a password like ^@V3B.u'j@Z}c?sAE on your smartphone's tiny keyboard can be tough. Fortunately, almost all of our top password managers can sync across all of your Windows, Mac, Android, and iOS devices. A few even let you authenticate on iOS or Android with your fingerprint rather than typing the master password. Most include some form of two-factor authentication, be it biometric, SMS-based, Google Authenticator, or something else entirely. Fill Those FormsSince most password managers can auto-fill stored credentials, it's just a small step for them to automatically fill in personal data on Web forms—first and last name, email address, phone number, and so on. Most of the top-rated products include Web form-filling. The breadth and flexibility of their personal data collections vary, as does their accuracy when matching Web-form fields with their stored items. Even if they miss a field or two, the ones they do fill are ones you don't have to type. Think about how many sites you go to that want all the same information; this feature is a huge time-saver. Different products handle form-filling in their own ways. Some immediately fill all recognized fields, some wait for you to click in a field, some pop up and ask what you'd prefer. You'll even find products that offer your choice of credit cards using realistic images with the correct color and bank logo! Advanced FeaturesGiven that all these products take care of basic password management tasks, how can one product stand out from the pack? One handy advanced feature is managing passwords for applications, not just websites. Another is provision of a secure browser, designed to protect sensitive transactions and invoked automatically when you visit a financial site. And of course automating the password change process is a big plus. As noted, these top products let you sync your passwords across all of your devices. Some of them also include a built-in mechanism for securely sharing passwords with other users. Some let you share a login without making the password visible, some let you revoke sharing, and with some the sharing goes both ways—that is, if the recipient makes a change it will change the original. On a grimmer note, what happens to your secure accounts after you've died? A few products include some provision for a digital legacy, a method to transfer your logins to a trusted individual in the event of your death or incapacity. The Very BestVeteran password manager LastPass 3.0 Premium offers an impressively comprehensive set of features. Slick and polished Dashlane 3 also boasts a ton of features, even some that LastPass lacks. Sticky Password Premium handles essential tasks better than most, and a portion of every purchase goes to help an endangered species. But even the products not named as Editors' Choice have their merits; you may prefer one of them. Read our reviews to decide which will serve you best. FEATURED IN THIS ROUNDUP
Up to 21 million accounts on Alibaba e-commerce site TaoBao may have been compromised likely thanks to stolen credentials reused on breached third party sites. TaoBao is a seller-to-seller commerce site like Gumtree or eBay where users rely on reputation to secure the most sales. Reuters reports China's Ministry of Public Security says the hackers used a database brimming with 99 million usernames and passwords, which they entered into Alibaba's cloud network. Doing so showed that 20.6 million passwords were accurate and linked to TaoBao accounts. The epic brute force siege lasted from mid-October to November, using compromised accounts to buy products from accounts and post fake reviews to bolster seller reputation. The attacks were immediately reported to police. Six people have been arrested. Alibaba says its systems were not breached and adds that it has reminded users not to reuse passwords. It has not commented on how it's "world-class security team" failed to detect the likely millions of failed rapid-fire bot entries into its login portals until weeks after it begun. Sophos security man Paul Ducklin says the attack may have flown under TaoBao's radar since only a few common passwords needed to be used in order to gain access to a large number of accounts. "One problem in this case is that with nearly 100 million account names to work with, the crooks didn’t need to try thousands of passwords per account to get a good hit rate, so Taobao may not have seen evidence of massive password guessing," Ducklin says. "Taobao is one of the busiest websites in the world, so processing hundreds of millions of logins, even it they come from the same internet region - Alibaba’s cloud network - is all in a day’s work." Ducklin says the attack serves as a warning for web site owners to apply login rate limiters and for users to deploy two factor authentication and ensure passwords are not reused. ® Sponsored: Building secure multi-factor authentication
Insecure commercial and internal mobile app coding practices leave the door wide open to cyber attackers, a security researcher has discovered. A lot emphasis is placed on the millions of mobile malware samples being detected, but insecure apps could represent an even greater threat, according to an analysis of the top 1,000 apps. “A scan of just over 600 of the top apps so far shows a very obvious and alarming trend,” said James Lyne, global head of security research at Sophos. “Programming practices are pretty bad despite there being ready-made security functionality available to consumers, but this is just not being used,” he told Computer Weekly. Although the study includes relatively few in-house mobile apps, Lyne said that so far, most are lining up with the worst of the commercial applications. The study compares the maturity of app development in the mobile and traditional desktop worlds, focusing on the use of encryption, data transmission, authentication and data storage. “It is really no surprise that these two worlds are not in alignment, but it is quite shocking how many applications, including large brands, are failing to make use of the security features available on mobile devices,” said Lyne. Despite the existence of easy-to- use application program interfaces (APIs) that will perform proper validation of the transport [layer], most app developers continue to use older, less secure methods of exchanging data.   The study shows that an alarming majority of apps are failing to do things such as certificate pinning or public key pinning to prevent man-in-the-middle attacks. “Many developers seem to be using recycled code for making connections that they have simply copied from somewhere that will accept any certificate, enabling attackers to steal data easily on open Wi-Fi connections unless a VPN [virtual private network] connection is being used, but relatively few people do,” said Lyne. Local storage of data Another area of common failings is local storage of data. Although most of the latest iOS and Android devices will do volume-based encryption by default and provide very good functionality to store “secrets” that have extra encryption applied and are unlocked only if the app is authenticated, Lyne said this functionality is used very poorly and inconsistently by most mobile apps. “Only around 3% of apps stick to an astonishing amount of best practice, like the Twitter app which has two-factor authentication, but then there is this cliff where all of the best standards and practices are not applied and all the data is put into the same unimportant bucket to be stored on the device,” he said. The result is a very weak app ecosystem, where app A can see data from app B and there is a “flat” data model on the device, similar to that which was on PCs up until a few years ago. The study also focuses on the use of credentials and authentication, and has found this to be another area of poor practice in about 90% of the apps analysed. Credentials are often sent “over the wire” using just hashing, often with outdated mechanisms such as MD5 and SHA-1, without salting instead of using standards such as OAuth and SAML.   “The majority of the authentication we have seen uses models that are abysmally poor,” said Lyne. “Loads of MD5 passwords unhashed are being sent, which requires the user to have an incredibly strong password to avoid it being cracked. Authentication poorly deployed “Authentication, which should be a very solved problem in 2016 with all the wonderful program libraries available and all the functionality built into mobiles, is very poorly deployed,” he added. In many cases, simply adding a single argument to the code would turn on the built-in functionality that would fix the problem, said Lyne. In some of the latest Android releases, he said, Google has done some “amazing work” to implement security features in the operating system. “We are seeing some really good generic exploit prevention in Android, but on top of that you have this layer of apps that are failing to do the security basics and check for basic flaws,” he added.   Lyne blames the huge focus on rapid app development over “quality solution engineering” and “almost no investment” in checking mobile apps for poor programming practices. “Any rudimentary penetration testing or quality assurance processes as part of a software development lifecycle would catch stuff like this,” said Lyne. The risk to the enterprise is that this failure to do rudimentary security controls can be picked up by attackers using any source code scanner, he said. “At the same time, businesses are putting pretty much the same sensitive company data on mobiles as they have put on PCs in the past, and tend to trust mobiles more than PCs,” he said. “But this study shows that the mobile industry does not have the same checks and balances or the same maturity.” This means the fear that mobiles will become an easy route for attackers into the enterprise is likely to be realised as the lines between PCs and mobiles continue to blur. “The lack of security basics in mobile apps and processes for checking flaws is a really bad combination now, but in one or two years’ time, when there is even more data on mobiles and they have an even greater position of trust, we are likely to end up with a really nasty mess,” said Lyne. Attackers are aware of this situation and could already be exploiting the fact that most mobile apps are “leaving the door wide open”, but it is hard to quantify that, he said. And even if it is not being exploited yet, Lyne said: “We are building an ecosystem with massive trust on one side and a provable lack of integrity on the other, which is a terrible combination that could really burn us.” We are building an ecosystem with massive trust on one side and a provable lack of integrity on the other, which is a terrible combination that could really burn us James Lyne, Sophos He believes there is an urgent need for fundamental change, but says regulation is unlikely to deliver the necessary results. “It is very difficult to create a regulatory framework that has sufficient specificity to drive the desired technical behaviours,” said Lyne. However, he said some legal action could be taken in light of the fact that some failures are so great and tantamount to releasing a car to market without testing the brakes once, that they could be classified as “negligence” and challenged legally. But even if regulators or others challenge the status quo on grounds of negligence, Lyne said it is unlikely to drive any significant change. “What is really required would be a change in consumer or end-user values to believe that mobile application security is important, but that is unlikely given the trust people have in mobiles and the fact that most are completely unaware of the flaws,” he said. “The only thing likely to break the back of it is a really, really bad or nasty series of incidents that force companies to make changes due to bad press and consumers becoming more wary and demanding in terms of security. But in the meantime, who knows how much data siphoning is occurring.”
If you're a gamer (or anyone else), this is not a screen you want to see.Bromium LabsIt's still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users. In the past four days, researchers from three separate security firms have reported that a large number of legitimate WordPress sites have been hacked to silently redirect visitors to a series of malicious sites.

The attack sites host code from the Nuclear exploit kit that's available for sale in black markets across the Internet. People who visit the WordPress sites using out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer can then find their computers infected with the Teslacrypt ransomware package, which encrypts user files and demands a hefty ransom for the decryption key needed to restore them. "WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. "This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit." According to a Monday blog post published by website security firm Sucuri, the compromised WordPress sites he observed have been hacked to include encrypted code at the end of all legitimate JavaScript files.

The encrypted content is different from site to site, but once decrypted, it looks similar to that shown in the image below: EnlargeSucuri To prevent detection by researchers visiting the compromised site, the code takes pains to infect only first-time visitors.

To further conceal the attack, the code redirects end users through a series of sites before delivering the final, malicious payload. Sucuri said Google's Safe Browsing mechanism—which browser makers use to help users avoid malicious websites—had blacklisted some of the Internet domains used in the ruse.

A post published Thursday by Heimdal Security, however, listed a different domain, leaving open the possibility that the attackers are regularly refreshing as old ones get flagged. Heimdal Security also warned that antivirus programs may do little to protect end users.

During the latest leg of the campaign, for instance, the exploit code was detected by just two of the 66 leading AV packages, while the payload it delivered was also limited (the blog post didn't provide specifics). Driveby attacks not just on porn sites anymore The attacks are the latest reminder that people can be exposed to potent malware attacks even when visiting legitimate websites they know and trust.

The best defense against such driveby attacks is to install security updates as soon as they become available. Other measures include running Microsoft's Enhanced Mitigation Experience Toolkit on any Windows-based computers and using the 64-bit version of Google's Chrome browser if possible. It's not yet clear how the WordPress sites are getting infected in the first place.
It's possible that administrators are failing to lock down the login credentials that allow the site content to be changed.
It's also feasible that attackers are exploiting an unknown vulnerability in the CMS, one of the plugins it uses, or the operating system they run on. Once a system is infected, however, the website malware installs a variety of backdoors on the webserver, a feature that's causing many hacked sites to be repeatedly reinfected.

As Sucuri researcher Denis Sinegubko wrote: The malware tries to infect all accessible .js files.

This means that if you host several domains on the same hosting account all of them will be infected via a concept known as cross-site contamination.
It’s not enough to clean just one site (e.g. the one you care about) or all but one (e.g. you don’t care about a test or backup site) in such situations – an abandoned site will be the source of the reinfection.
In other words, you either need to isolate every site or clean/update/protect all of them at the same time! People running WordPress sites should take time to make sure their servers are fully patched and locked down with a strong password and two-factor authentication.

This post will be updated if researchers uncover a cause of this ongoing hack campaign. Until then, admins and end users alike should stay vigilant for signs one of their systems is being targeted and follow the usual best practices listed earlier.