Apple May Soon Be Barred From Using SMS For 2FA
- One of the options available when using Apple’s two-factor authentication (2FA) is to have a code sent to you via SMS.
- The US National Institute of Standards and Technology (NIST), which sets the standards for authentication software, says that text messaging is not sufficiently secure.
- Apple is likely to drop support for SMS authentication once the recommendation is published.
- The current NIST draft says only that companies must ensure that trusted phone numbers are associated with a mobile network, and not a virtual number operating via a VoIP service.
- The guidelines suggest that use of SMS will be barred in the future.
- NIST guidelines do not have the power of law, but most major companies do abide by them.
Source: 9TO5 MAC, July 26, 2016
How Predictive Analytics Discovers A Data Breach Before It Happens
- Machine-learning-powered solutions have helped organizations to cut down the time it takes to detect attacks, but we’re still talking about attacks that have already happened.
- Predictive analytics is the science that is enabling organizations to modernize and reinvent the way they do business by looking into the future and obtaining foresight they lacked previously.
- This rising trend is now finding its way into the domain of cybersecurity, helping to determine the probability of attacks against organizations and agencies and set up defenses before cybercriminals reach their perimeters.
- Though a promising trend, predictive analytics has some hefty requirements when applied to cybersecurity use – the variety and volume of data involved are overwhelming.
- Cyber threats are sophisticated and continue to evolve and change rapidly, so predictive analytics must be paired with other strategies to keep data safe.
Source: Tech Crunch, July 25, 2016
Major LastPass Security Bug Puts Millions Of Accounts At Risk
- Millions of users of cloud-based password store LastPass could be at risk from hackers after a huge security hole was revealed.
- Users could be at risk of being hacked, simply by clicking on a malicious web link.
- Established security researcher Tavis Ormandy found and reported the problem to LastPass.
- The researcher also stated he would check password manager 1Password for any security holes next.
- So far, there hasn’t been any news of cyber attacks relating to the security hole, so LastPass may be able to patch the software in time to prevent any private information being leaked.
- LastPass recommends that users update LastPass on their browsers to apply fixes.
Source: Wired, July 27, 2016
New Portal Offers Decryption Tools For Some Ransomware Victims
- Nomoreransom.org is a joint initiative that offers help in getting encrypted data back following a ransomware attack.
- Victims of crypto-ransomware now have an online portal they can turn to for help in trying to recover encrypted data.
- The site provides users general information on ransomware, how such malware works, and how to mitigate exposure to the threat.
- It also provides an option where victims can upload encrypted files to help identify the ransomware and see if there are tools available to decrypt the data.
- The director of the global research and analysis team at Kaspersky Lab US says the impetus for the initiative stems from the rapidly growing scope of the ransomware threat.
- The crypto protocols used to encrypt data in many of these attacks have been so strong and sophisticated that victims have had little option but to pay the demanded ransom to get their data back.
- Nomoreransom.org is the first initiative to attempt to help victims retrieve their data and could well prove a turning point in the fight against the ransomware epidemic.
Source: Dark Reading, July 25, 2016
DNC Attack Was Deeper Than Previously Thought
- New evidence collected by investigators suggests that the Democratic National Committee (DNC) hackers accessed more information than previously thought.
- The breach of DNC servers is just one of many in a long list of attacks against government and political organizations around the world.
- Investigators believe hackers also compromised personal email accounts and stole data from DNC officials’ smartphones.
- The investigation conducted by the security firm CrowdStrike suggests that the Russian government was behind the espionage campaign.
- The case demonstrates the potential influence of hackers on the politics of one of the most important governments of the world.
Source: Security Affairs, July 26, 2016
U.S. Issues First Government Guide On Responding To Cyber-Attacks
- The U.S. government has issued its first emergency response manual for a major cyber-attack, though some officials acknowledged it lacked clear guidance on possible retaliation against hacker adversaries.
- The Obama administration published a “presidential policy directive” that includes a five-level grading system.
- No hack attack so far has hit level five; that would be reserved for a threat to infrastructure, government stability, or American lives.
- Cyber threats are growing more frequent and more diverse and the directive will help answer the question, “In the wake of an attack, who do I call for help?”
- The magnitude of any response will be determined by the severity assigned to an attack.
- The Department of Justice, working through the FBI and the National Cyber Investigative Joint Task Force, will be the lead agency for investigating criminal intrusions or those that could affect national security.
- The Department of Homeland Security will serve as the lead contact in helping companies respond to breaches of their networks.
Source: Reuters, July 27, 2016
How Hackers Are Making The Internet And The World A Safer Place
- It's 2016 and hacking is all around us – everyone is hacking everyone, trying each other's defenses, constantly looking for weaknesses.
- Yet contrary to popular belief, not all hackers are bad – some are working hard to fix security problems.
- Hackers are the immune system for our connected society, forcing us to fix things, or demand something better.
- Since 2013 the movement “I Am the Cavalry” has been actively encouraging responsible, ethical and meaningful security research work to help identify and prevent life-threatening security vulnerabilities in areas like medical devices and automotive technologies.
- More and more people are proud to call themselves hackers as “bug bounty” software vulnerability reward programs show growing participation.
- Technology is constantly created and updated and full of new and worrying dangers, but many in the global hacker community see themselves as part of the solution, not the problem.
Source: Mother Board, July 26, 2016