
We know that a keylogger can steal the words we type, and a gimmicked USB drive can pretend to be a keyboard, inputting unwanted commands. Surely the touch-screen interface is more secure? Nope. An academic research team explained how they managed an attack that triggers touch-screen events from several centimeters away. If you set your device down on a table containing their hidden antennas, the attack can use its invisible finger to take control (More details: https://www.pcmag.com/news/this-invisible-finger-can-take-over-your-touch-screen).
If you just say "don't do that," some will do it anyway. You need to protect those people (and those around them) by reducing the negative consequences of their risky behavior. This harm-reduction philosophy has proven effective in medicine for years, for example providing clean needles rather than telling addicts "No drugs!" It can work in security too (More details: https://www.pcmag.com/news/people-ignore-fear-based-security-rules-lets-protect-them-anyway).
If organizations don't take the time to investigate how cybersecurity incidents happen, they could be doomed to repeat history. That's the problem a team of researchers sought to solve by creating the Major Cyber Incident Investigations Playbook. The document is a guide to creating independent review boards at organizations, from deciding who should sit on the board to presenting investigation results to interested parties. These boards would be tasked with gathering the facts about cybersecurity incidents and then sharing that information with the wider cybersecurity community online. Currently, the document is available on GitHub (More details: https://www.pcmag.com/news/wtf-just-happened-why-your-org-needs-a-cybersecurity-incident-review-board).
Global threat actors are taking advantage of "the great resignation" and targeting job seekers online with phishing links. The main offenders are groups from Iran and North Korea. The hackers create fake websites, job descriptions, job posts, and social media profiles to deliver malicious links and file attachments to their victims. Do not click links in emails or LinkedIn messages you receive from strangers. That advice is doubly important when you're on the job. Explaining to your manager that you infected the company network with malware because you opened a link about an amazing job opportunity at another company isn't a great look (More details: https://www.pcmag.com/news/global-threat-actors-use-the-great-resignation-to-target-job-seekers).
Luta Security founder and CEO Katie Moussouris recounted how she discovered serious vulnerabilities in the Clubhouse app last year, then struggled to get the company's attention: "It took me a couple of weeks even to find the right contact." The company eventually did respond, at which point she learned that Clubhouse's bug-bounty program was not only saddled with a non-disclosure-agreement requirement but was run by one of the co-founders in his probably nonexistent spare time. Noting that Clubhouse's venture-capital funding valued it at about $4 billion, Moussouris griped: "They had fewer employees at that company than I have at my company!" Clubhouse did, however, finally fix those bugs (More details: https://www.pcmag.com/news/7-huge-bug-bounty-payouts).
Macs are way more secure than PCs, right? Everybody knows that. The layers of security keep growing with every update to macOS. However, not every component of the operating system keeps up with those security upgrades. One persistent researcher dug deep into macOS and came up with a process-injection attack that allowed him to bypass all those security layers. He demonstrated using this attack to escape the sandbox, escalate privileges, and get around the ever-vigilant System Integrity Protection. The security hole is fixed in macOS Monterey and even back-ported to Big Sur and Catalina, but it won't be totally closed until every app gets a simple tweak (More details: https://www.pcmag.com/news/your-macs-arent-as-secure-as-you-think).
Microsoft is doing its best to make Windows more secure, but sometimes security efforts can backfire. The Early Launch Antimalware (ELAM) system lets security programs launch very early in the boot process and protects them against tampering. There's no way to fake an ELAM driver, as Microsoft must approve each one, nor can you tweak or change existing drivers. But one very persistent researcher found a way in through existing approved drivers whose approval rules were lax. The result? A program that could not only enter the secure bunker provided by ELAM, but also shoot down the antivirus programs already residing there (More details: https://www.pcmag.com/news/its-coming-from-inside-the-house-subverting-deep-security-in-windows).
Being a security bug hunter is an exciting life. You could earn a six-figure bounty for detecting and reporting a serious security flaw. You could also get sued or charged with a crime. Recent policy changes protect honest hackers, but they don't address one particular problem. In gathering information to prove a reported bug, hunters often capture scads of personal information records. One bug hunter teamed up with a lawyer to engagingly present the problem and, if not a solution, a better direction (More details: https://www.pcmag.com/news/security-bug-hunters-could-expose-your-personal-data).
Recording and replaying radio signals is easily done with a laptop and the right equipment. That's why car key fobs employ a rolling-code system, where each button press sends a different signal, so a pre-recorded signal shouldn't be accepted. Researchers discovered that for some cars, however, replaying multiple old signals can roll back the rolling-code system and let an attacker unlock your car's doors. Worse, the researchers found that there was no time limit on their attack, with old codes still being accepted more than 100 days after they were captured (More details: https://www.pcmag.com/news/is-your-car-key-fob-vulnerable-to-this-simple-replay-attack).
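To make the rolling-code idea concrete, here is a small simulation (an added example, not code from the article or from the researchers it describes). It models a fob that transmits a counter protected by an HMAC (a stand-in for the real cipher), a receiver that only accepts counters in a forward window, and a second receiver with a simplified "resynchronisation" rule that accepts any two consecutive counters. The names `KEY`, `WINDOW`, `StrictReceiver`, `ResyncReceiver`, `encode`, `decode` and `simulate`, and the resync rule itself, are assumptions of this model, not the logic of any particular vehicle; the point is to show why a receiver must never move its counter backwards and why a replayed old pair is harmless to the strict receiver but not to the lenient one.

```python
"""Simplified rolling-code receiver model (constructed example).

A fob transmits an ever-increasing counter; the car accepts a code only if its
counter is ahead of the last accepted one (within a forward window, to tolerate
presses the car did not hear). A lenient resync rule that accepts any two
consecutive counters lets a replayed pair of old captures roll the counter back.
"""

import hashlib
import hmac

KEY = b"constructed-shared-secret"  # stand-in for the fob/car pairing key
WINDOW = 16                          # forward counters tolerated (missed presses)


def encode(counter: int) -> bytes:
    """Fob side: counter plus a truncated HMAC over it (stand-in for the real cipher)."""
    body = counter.to_bytes(4, "big")
    mac = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
    return body + mac


def decode(frame: bytes):
    """Car side: verify the MAC and return the counter, or None if forged/corrupt."""
    body, mac = frame[:4], frame[4:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, mac):
        return None
    return int.from_bytes(body, "big")


class StrictReceiver:
    """Hardened rule: counter must be strictly greater than the last accepted
    one and within WINDOW of it. Old counters are never accepted again."""

    def __init__(self):
        self.last = 0

    def accept(self, frame: bytes) -> bool:
        c = decode(frame)
        if c is None:
            return False
        if self.last < c <= self.last + WINDOW:
            self.last = c
            return True
        return False


class ResyncReceiver(StrictReceiver):
    """Lenient model: in addition to the strict rule, two consecutive counters
    seen back to back are treated as a resync and adopted, wherever they lie.
    This is a simplified assumption that reproduces the rollback behaviour."""

    def __init__(self):
        super().__init__()
        self.pending = None  # counter of the previous out-of-window frame

    def accept(self, frame: bytes) -> bool:
        c = decode(frame)
        if c is None:
            return False
        if self.last < c <= self.last + WINDOW:
            self.last, self.pending = c, None
            return True
        if self.pending is not None and c == self.pending + 1:
            self.last, self.pending = c, None  # counter rolled back to c
            return True
        self.pending = c
        return False


def simulate(receiver_cls):
    """Record two legitimate presses, let the car be used normally for a while,
    then replay the recorded pair. Returns (accept results, final counter)."""
    rx = receiver_cls()
    captured = [encode(c) for c in (1, 2)]   # two presses overheard and stored
    for f in captured:                       # the owner used the fob normally
        rx.accept(f)
    for c in range(3, 10):                   # more normal use; counter moves on
        rx.accept(encode(c))
    results = [rx.accept(f) for f in captured]   # replay the stored pair
    return results, rx.last


if __name__ == "__main__":
    print("strict :", simulate(StrictReceiver))   # ([False, False], 9)
    print("resync :", simulate(ResyncReceiver))   # ([False, True], 2)
```

Run as a script, the strict receiver rejects both replayed frames and keeps its counter at 9, while the lenient receiver accepts the second replayed frame and drops its counter back to 2, after which the rest of the recorded sequence would be fresh again. A receiver that refuses to lower its counter, and ideally also bounds how long an out-of-window code stays usable, closes this path.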
Zoom and the pandemic go together like cookies and milk, or security researchers and decades-old technology. It turns out that Zoom's instant messaging is built on XMPP, which one researcher figured out how to abuse in a number of ways. Spoof the message sender? Easy. Intercept all messages to and from a target? Yawn. The real prize was using this attack to obtain remote code execution on a target's computer (More details: https://www.pcmag.com/news/turns-out-zoom-is-great-for-remote-work-and-remote-code-execution).
Keeping track of people and stuff is a breeze when you attach location-reporting tags to them. But can these systems be abused? Of course they can. Researchers showed how they were able to manipulate ultra-wideband real-time location systems (UWB RTLS) to trick disease contact tracing and industrial safety technologies (More details: https://www.pcmag.com/news/researchers-stalk-and-impersonate-tracking-devices-for-safety).
Researchers from ESET, a security company based in Slovakia, which neighbors Ukraine, walked through a timeline of attacks on Ukraine's power grid. The most recent used the Industroyer2 malware that, if successful, could have knocked out power to 2 million residents. Interestingly, Industroyer2 used "wiper" malware to render infected machines unusable, slowing recovery efforts. Tom Hegel and Juan Andres Guerrero-Saade, both researchers from SentinelOne, pointed out that this was unusual, since deploying a wiper means the attacker gives up access to the infected machines. They analyzed the observable cyberattacks in Ukraine and stressed that it's difficult to draw conclusions, since what's detectable is likely only a small part of what's actually happening (More details: https://www.pcmag.com/news/researchers-look-inside-russian-malware-targeting-ukrainian-power-grid).