David Balaban, Author at eWEEK https://www.eweek.com/author/david-balaban/ Technology News, Tech Product Reviews, Research and Enterprise Analysis Thu, 06 Jun 2024 20:54:17 +0000

New Ransomware Trends Causing Fear in 2021 https://www.eweek.com/security/new-ransomware-trends-causing-fear-in-2021/ Mon, 03 May 2021 19:45:36 +0000

In this article, we’re going to touch on the most visible ransomware-related trends that have impacted the threat landscape recently. Among them are attacks involving RDP (remote desktop), RAT (remote-access Trojan), threats faced by the health-care system, attacks on remote workers and other things.

There’s no question that the most serious cyber threat in 2021 is ransomware. There are two main reasons for this:

  • The results of ransomware attacks are visible to everyone, and
  • this area of malicious activity brings cybercriminals really significant income.

For example, a single criminal group that launched just a handful of attacks managed to collect about 190 bitcoins, which at the current exchange rate is about $11 million. With such large sums at stake, the number of ransomware attacks is highly likely to grow.

The damage caused by ransomware already exceeds the results of the actions of APT (advanced persistent threat) groups. In both cases, attackers access the organizations’ online resources using administrator rights and software vulnerabilities. They use various mechanisms to hide their activity and often steal valuable information. However, a ransomware attack also knocks out the entire infrastructure and causes disruption or even stoppage of business processes.

Ransomware attacks in numbers

  • 51% of companies faced ransomware attacks.
  • 26% of companies paid the ransom to cybercriminals.
  • The average ransom amount in 2020 was $180,000 for big companies.
  • The average ransom amount in 2020 for small businesses was $6,000.
  • A set of software tools needed to launch a ransomware attack costs about $50 on the darknet.
  • A new ransomware attack is detected every 11 seconds.

The income of APT groups that target financial institutions declined as money mules are unable to fully operate due to the pandemic. Therefore, these hacker teams began to partner with the owners of the ransomware, selling them the ability to access the networks of compromised companies.

Another trend in 2021 is disclosing or selling sensitive data stolen from victims who refused to pay the ransom. Maze ransomware operators were the first to use this method. Later, it was picked up by other cybercriminal teams.

One more trend that I continue to observe in 2021 is a decrease in the number of attacks aimed at home users. This happens because the effectiveness of ransomware in this segment is falling. For communication, home users now use mostly instant messengers. They steadily move away from emails, which is the main channel of ransomware infections. In addition, their important data is backed up in the cloud automatically. Overall, the number of desktop PCs is decreasing while the number of mobile devices is increasing.

Small and big businesses look much more attractive to ransomware authors. The income from attacking them is much higher. It is important to note that for many companies, the ransom payment is just one more expense that can also be covered by insurance. And hackers know the budgets of their victims very well. Pure business needs dictate the decision to pay the ransom. This decision does not carry an emotional connotation. So, all these factors cause the number of ransomware attacks against organizations to grow.

Maze ransomware

One of the most active ransomware families now is Maze, which has become a trend-setter in its field. Its operators devoted much time to their reputation and actively interacted with the media, commenting on rumors and refuting false information, thus achieving increased publicity. The group formed a pseudo-positive image, calling victims “clients” and offering them technical support. These cybercriminals also pledged not to attack medical institutions and organizations affected by the economic crisis.

At the same time, Maze operators have created a kind of cartel with the operators of other ransomware strains, exchanging attack tactics and data stolen from victims. They spread their malware through exploit kits and phishing emails, and by exploiting vulnerabilities in Adobe Flash, VPNs and web browsers.

Other notable ransomware families: Phobos, Sodinokibi, Dharma, Ryuk, DoppelPaymer.

Remote access Trojans

Although phishing emails remain the main distribution channel, experts note an increase in the number of attacks using the RDP protocol and remote-access trojans (RAT).

RAT programs are not talked about as much as ransomware, since their activity is usually not so visible. The key task of the Trojan is to secretly infiltrate the victim’s computer. Modern RAT programs have a modular architecture–a kind of “Swiss army knife” of a hacker. They are able to secretly transfer gigabytes of data to C&C servers, collect passwords, intercept keyboard strokes, record audio and video, as well as download and install other malicious programs on the infected devices.

There are known cases when the RAT program consisted of more than 70 modules intended to solve different problems. However, this is rather an exception; usually, such Trojans contain about 10-15 functional modules.

Remote Desktop Protocol

COVID-19 has pushed organizations to rely on remote access more and more. One of the tools here is Microsoft’s RDP (Remote Desktop Protocol). It is not a new tool, but COVID-19 made it tremendously popular. RDP is part of the Windows operating system. Due to its accessibility and simplicity, many companies have begun to use it to connect home employees to work computers.

Consequently, RDP started to attract cybercriminals too. Many vulnerabilities have been found in it. One of the key flaws in this protocol was the BlueKeep vulnerability. It has been actively exploited recently. According to the specialized search engine Shodan, there are about 4 million systems on the internet with an open RDP port. Attempts to scan ports used by this service are ranked seventh, ahead of other protocols such as SMB or POP3. Cisco Systems reported that about a third of organizations have RDP-related security alerts every month.
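The exposed-RDP problem described above shows up on the defender's side as bursts of failed logons. The following is an added example, not code from the article: it parses a constructed, one-line-per-event rendering of Windows Security log entries (the real fields are used: Event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive, i.e. RDP) and flags any source address that produces a burst of RDP failures inside a short window, raising the severity when the same source later logs on successfully. The event format, addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows Security events condensed to one line each.
# Real events are multi-line; only the fields used here are kept.
SAMPLE_EVENTS = """\
2021-04-29T10:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2021-04-29T10:00:02 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2021-04-29T10:00:02 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2021-04-29T10:00:03 EventID=4625 LogonType=10 TargetUserName=support IpAddress=203.0.113.7
2021-04-29T10:00:04 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2021-04-29T10:00:05 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2021-04-29T10:00:09 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2021-04-29T10:05:00 EventID=4625 LogonType=10 TargetUserName=mlee IpAddress=198.51.100.20
2021-04-29T11:05:00 EventID=4625 LogonType=10 TargetUserName=mlee IpAddress=198.51.100.20
2021-04-29T11:05:30 EventID=4624 LogonType=10 TargetUserName=mlee IpAddress=198.51.100.20
2021-04-29T12:00:00 EventID=4625 LogonType=3 TargetUserName=svc_scan IpAddress=192.0.2.9
2021-04-29T12:00:01 EventID=4625 LogonType=3 TargetUserName=svc_scan IpAddress=192.0.2.9
2021-04-29T12:00:02 EventID=4625 LogonType=3 TargetUserName=svc_scan IpAddress=192.0.2.9
2021-04-29T12:00:03 EventID=4625 LogonType=3 TargetUserName=svc_scan IpAddress=192.0.2.9
2021-04-29T12:00:04 EventID=4625 LogonType=3 TargetUserName=svc_scan IpAddress=192.0.2.9
2021-04-29T12:00:05 EventID=4625 LogonType=3 TargetUserName=svc_scan IpAddress=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the condensed event lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: finding} for sources with >= threshold RDP failures inside `window`."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:          # only RemoteInteractive (RDP) logons
            continue
        if ev["eid"] == 4625:
            failures[ev["ip"]].append(ev)
        elif ev["eid"] == 4624:
            successes[ev["ip"]].append(ev)

    findings = {}
    for ip, fails in failures.items():
        # Sliding window over the time-sorted failures for this source.
        for start in range(len(fails)):
            end = start
            while end + 1 < len(fails) and fails[end + 1]["ts"] - fails[start]["ts"] <= window:
                end += 1
            count = end - start + 1
            if count >= threshold:
                burst_end = fails[end]["ts"]
                users = sorted({f["user"] for f in fails[start:end + 1]})
                # A success from the same source after the burst is the worst case:
                # a weak password was most likely guessed.
                followed_by_success = any(s["ts"] >= burst_end for s in successes[ip])
                findings[ip] = {
                    "failures": count,
                    "usernames": users,
                    "severity": "critical" if followed_by_success else "high",
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, f)
```

Thresholds and window size are assumptions; tune them to the environment. The logon-type filter matters: the SMB-style failures (logon type 3) from the third source are deliberately left out so that the RDP signal is not drowned by noise from other services.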

Working from home

The cybercrooks quickly responded to the transfer of a large number of employees to the remote work mode. More than half of companies have transferred from 50% to 100% of their employees to home offices. The security perimeter became blurred. Experts recorded an explosive growth in the number of malicious sites with words like “covid” or “coronavirus” in their domain names. Attackers reorient their existing infrastructure to host websites that exploit relevant, newsworthy topics. Many of these rogue websites host ransomware and other malware.

Looking for passwords

A significant part of malicious operations is devoted to obtaining passwords. This is the second-most popular activity used by ransomware gangs after phishing. Legitimate accounts allow cybercriminals to remain undetected in a compromised system and leave no traces, unlike attacks involving Trojans or exploitation of vulnerabilities. Often, a hacked user account can only be identified using behavioral analysis tools.

Logins and passwords are processed in browsers, as well as other places in the system where cached information is stored. Attackers use special tools to steal this data. One of the most popular tools used in such attacks is the Mimikatz utility. This program, originally created for pentests (penetration testing), has been adopted and is actively used by cybercriminals.

Attacks on health-care institutions

Although some ransomware groups loudly proclaim that they do not target the health-care sector, researchers observe an increase in attacks against such organizations. Cybercriminals are interested in both research institutions and ordinary clinics. In the first case, the goal of the cybercriminals is classified information that could be sold on the dark market; in the second, the ransom. Medical institutions pay money faster than other organizations, since equipment failure can entail a threat to the life and health of patients.

Conclusion

In 2021, I expect a massive surge in the number of ransomware threats, the reasons for which could be both the acceleration of digital transformation in all industries and the widespread transition to remote work. During the course of the year, the number of cyberattacks will grow, their complexity should increase, and it will become increasingly difficult to protect against them.

How AI is Mishandled to Become a Cybersecurity Risk https://www.eweek.com/security/how-ai-is-mishandled-to-become-a-cybersecurity-risk/ Thu, 29 Apr 2021 18:37:52 +0000

The rapid evolution of artificial intelligence algorithms has turned this technology into an element of critical business processes. The caveat is that there is a lack of transparency in the design and practical applications of these algorithms, so they can be used for different purposes.

Whereas infosec specialists use AI for benign purposes, threat actors mishandle it to orchestrate real-world attacks. At this point, it is hard to say for sure who is winning. The current state of the balance between offense and defense via machine learning algorithms has yet to be evaluated.

There is also a security principles gap regarding the design, implementation and management of AI solutions. Completely new tools are required to secure AI-based processes and thereby mitigate serious security risks.

Increasingly intelligent autonomous devices

The global race to develop advanced AI algorithms is accelerating non-stop. The goal is to create a system in which AI can solve complex problems (e.g., decision-making, visual recognition and speech recognition) and flexibly adapt to circumstances. These will be self-contained machines that can think without human assistance. This is a somewhat distant future of AI, however.

At this point, AI algorithms cover limited areas and already demonstrate certain advantages over humans, saving analysis time and producing predictions. The four main vectors of AI development are speech and language processing, computer vision, pattern recognition, and reasoning and optimization.

Huge investments are flowing into AI research and development along with machine learning methods. Global AI spending in 2019 amounted to $37.5 billion, and it is predicted to reach a whopping $97.9 billion by 2023. China and the U.S. dominate the worldwide funding of AI development.

Transportation, manufacturing, finance, commerce, health care, big-data processing, robotics, analytics and many more sectors will be optimized in the next five to 10 years with the ubiquitous adoption of AI technologies and workflows.

Unstable balance: The use of AI in offense and defense

With reinforcement learning in its toolkit, AI can play into attackers’ hands by paving the way for all-new and highly effective attack vectors. For instance, the AlphaGo algorithm has given rise to fundamentally new tactics and strategies in the famous Chinese board game Go. If mishandled, such mechanisms can lead to disruptive consequences.

Let us list the main advantages of the first generation of offensive tools based on AI:

  • Speed and scale: Automation makes incursions faster, expands the attack surface and lowers the bar for less experienced offenders.
  • Accuracy: Deep learning analytics make an attack highly focused by determining how exactly the target system’s defenses are built.
  • Stealth: Some AI algorithms leveraged in the offense can fly under the radar of security controls, allowing perpetrators to orchestrate evasive attacks.

At the same time, AI can help infosec experts to identify and mitigate risks and threats, predict attack vectors and stay one step ahead of criminals. Furthermore, it is worth keeping in mind that a human being is behind any AI algorithm and its practical application vectors.

Attacking vs defending systems using AI

Let us try to outline the balance between attacking and defending via AI. The main stages of an AI-based attack are as follows:

  • Reconnaissance: Learning from social media profiles, analyzing communication style. By collecting this data, AI creates an alias of a trusted individual.
  • Intrusion: Spear-phishing emails based on previously harvested information, vulnerability detection through autonomous scanning, and perimeter testing (fuzzing). AI quickly discovers the strongholds of the target’s security posture.
  • Privilege escalation: AI creates a list of keywords based on data from the infected device and generates potential username-password combinations to hack credentials in mere seconds.
  • Lateral movement: Autonomous harvesting of target credentials and records, calculation of the optimal path to achieve the goal, abandonment of the Command and Control (C2) communication channel; this increases the speed of interaction with the malware dramatically.
  • Completion and result: AI can identify sensitive data based on context and use it against the victim. Nothing but the necessary information is extracted, allowing the attacker to reduce traffic and make the malware harder to detect.

Now, let us provide an example of how AI can be leveraged in defense:

  • Security enhancements: Identifying and fixing software and hardware vulnerabilities, code upgrades using AI to protect potential entry points.
  • Dynamic threat detection: Active protection capable of detecting new and potential threats (as opposed to traditional defenses relying on historical patterns and malware signatures); autonomous detection of malware, network anomalies, spam, bot sessions; next-generation antivirus.
  • Proactive protection: Creating “honeypots” and other conditions to make it problematic for intruders to operate.
  • Fast response and recovery: Automatic real-time incident response and threat containment; advanced analytics facilitating human efforts in investigation and response; quick recovery from a virus attack.
  • Competence: The use of pattern recognition and analytical capabilities of AI in forensics.

The expanding range of attack vectors is only one of the current problems related to AI. Attackers can manipulate AI algorithms to their advantage by modifying the code and abusing it at a completely different level.

AI also plays a significant role in creating Deepfakes. Images, audio, and video materials fraudulently processed with AI algorithms can wreak information havoc making it difficult to distinguish the truth from the lies.

What security solutions are required for AI?

To summarize, here are the main challenges and systemic risks associated with AI technology, as well as the possible solutions:

The current evolution of security tools: The infosec community needs to focus on AI-based defense tools. We must understand that there will be an incessant battle between the evolution of AI attack models and AI defenses. Enhancing the defenses will be pushing the attack methods forward, and therefore this cyber-arms race should be kept within the realms of common sense. Coordinated action by all members of the ecosystem will be crucial to eliminating risks.

Operations security (OPSEC): A security breach or AI failure in one part of the ecosystem could potentially affect its other components. Cooperative approaches to operations security will be required to ensure that the ecosystem is resilient to the escalating AI threat. Information sharing among participants will play a crucial role in activities such as detecting threats in AI algorithms.

Building defense capabilities: The evolution of AI can turn some parts of the ecosystem into low-hanging fruit for attackers. Unless cooperative action is taken to build a collective AI defense, the entire system’s stability could be undermined. It is important to encourage the development of defensive technologies at the nation-state level. AI skills, education, and communication will be essential.

Secure algorithms: As industries become increasingly dependent on machine learning technology, it is critical to ensure its integrity and keep AI algorithms unbiased. At this point, approaches to concepts such as ethics, competitiveness, and code-readability of AI algorithms have not yet been fully developed.

Algorithm developers can be held liable for catastrophic errors in decisions made by AI. Consequently, it is necessary to come up with secure AI development principles and standards that are accepted not only in the academic environment and among developers, but also at the highest international level.

These principles should include secure design (tamper-proof and readable code), operational management (traceability and rigid version control) and incident management (developer responsibility for maintaining integrity).

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. He runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. Mr. Balaban has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

How To Check a Website for Vulnerabilities https://www.eweek.com/security/how-to-check-a-website-for-vulnerabilities/ Sat, 06 Mar 2021 00:38:06 +0000

The internet is home to roughly 1.8 billion websites. Many of them have vulnerabilities that turn them into easy prey for cybercriminals. According to researchers’ recent findings, more than 56% of content management system (CMS) installations are out of date and hence susceptible to compromise. Another study says 19% of web applications running on websites are vulnerable. In a global context, these stats translate to a gigantic attack surface.

KEY TAKEAWAYS

    • A significant percentage of CMS installations are outdated, making them susceptible to automated attacks that exploit known vulnerabilities.
    • Effective penetration testing involves reconnaissance, using tools like WhatWeb to gather site information, and WPScan to detect WordPress vulnerabilities, including plugins and admin credentials.
    • Regular updates, cautious use of plugins, and employing third-party penetration testing can significantly enhance website security.

Website Vulnerability Assessment

Broadly speaking, all websites in existence can be broken down into three overarching categories:

  • Hand-coded (manually written in HTML, created with a static site generator such as Jekyll, or designed using a web development tool such as Adobe Dreamweaver).
  • Created with website builders (for the most part, these are simple sites containing no databases and user interaction elements).
  • CMS-based (made with turnkey content management systems).

A one-of-a-kind CMS platform tailor-made for a specific site is a more exotic type. It is becoming increasingly obsolete these days due to high development costs few businesses can afford. That said, the vast majority of websites out there are based on content management systems.

For a hacker, CMS platforms hardly differ from other web-facing services in terms of exploitation. Their underlying code is publicly available, and therefore anyone can scrutinize it for bugs as well as security weaknesses. This explains why CMS-based websites rarely fall victim to targeted attacks. Instead, they tend to be hacked “in bulk.”

This form of compromise is automated and typically follows a well-trodden path. First, a malefactor pinpoints a zero-day vulnerability or a recently discovered flaw in the target CMS. Next, he creates an exploit and contrives a bot that scans all websites within a specified range for the vulnerability in question.

At first sight, it may appear that fending off these automated hacks is a matter of keeping the CMS installation up to date. However, as such websites’ functionality is extended through various plugins down the line, it’s problematic to stay abreast of this growingly complex ecosystem.

When a penetration test is under way, the white hat’s objective is to thoroughly inspect a specific website for vulnerabilities so that a potential attacker can’t exploit them. Let’s take a dive into this multi-pronged process.

Website Reconnaissance

Before trying to compromise a site, a pentester (penetration tester) needs to collect information about it. A tool called WhatWeb can do the trick. It retrieves details regarding the CMS and extra components in use.

It’s best to launch WhatWeb with the “-a” key set to 3 or 4. The only difference between the two is that with the latter, the utility will additionally traverse subdirectories. Keep in mind that either level sends a large volume of direct requests to the server, all of which end up in its logs.

If configured properly, the tool will return the site’s geolocation and CMS details. It will also let the pentester know whether the site uses PHP or jQuery. This information suffices to commence a trial attack. In case you simply need to determine the CMS type, there are services that provide that info in a snap.
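The signals a fingerprinting tool like WhatWeb keys on (a generator meta tag, an X-Powered-By or X-Generator header, well-known asset paths) are the same ones a site owner should know about, because they are what a bulk-hacking bot uses to pick targets. The example below is added here and is not WhatWeb's code or the article's; it extracts CMS, CMS version, PHP version, jQuery version and WordPress plugin names from a set of constructed HTTP responses (the hostnames, headers and HTML are made up for the example, but the markers they contain are the ones WordPress, Drupal and PHP really emit), so that an operator can run it over their own inventory and see what their sites disclose.

```python
import re

# Constructed responses standing in for what a fingerprinting tool receives.
# None of these hosts are real.
SAMPLE_RESPONSES = {
    "https://blog.example": {
        "headers": {
            "Server": "nginx",
            "X-Powered-By": "PHP/7.4.3",
            "Link": '<https://blog.example/wp-json/>; rel="https://api.w.org/"',
        },
        "body": '<html><head><meta name="generator" content="WordPress 5.6.2" />'
                '<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.5.1"></script>'
                '</head><body><link rel="stylesheet" '
                'href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.3.2">'
                '</body></html>',
    },
    "https://portal.example": {
        "headers": {"Server": "Apache", "X-Generator": "Drupal 8 (https://www.drupal.org)"},
        "body": "<html><head><script src='/core/misc/drupal.js'></script></head><body></body></html>",
    },
    "https://static.example": {
        "headers": {"Server": "cloudfront"},
        "body": "<html><head><title>Plain site</title></head><body>hello</body></html>",
    },
}

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)
PLUGIN_RE = re.compile(r"/wp-content/plugins/([A-Za-z0-9_-]+)/")
JQUERY_RE = re.compile(r"jquery[^\"']*\?ver=([\d.]+)", re.I)


def fingerprint(headers, body):
    """Return what a single response discloses about the stack behind it."""
    result = {"cms": None, "cms_version": None, "php": None, "jquery": None, "plugins": []}

    # Language/runtime disclosure in headers (PHP sets X-Powered-By when expose_php is on).
    m = re.match(r"PHP/([\d.]+)", headers.get("X-Powered-By", ""))
    if m:
        result["php"] = m.group(1)

    # CMS: generator meta tag first, then Drupal's X-Generator header, then path markers.
    gen_header = headers.get("X-Generator", "")
    m = GENERATOR_RE.search(body)
    if m:
        name, _, ver = m.group(1).partition(" ")
        result["cms"], result["cms_version"] = name, ver or None
    elif gen_header.startswith("Drupal"):
        result["cms"] = "Drupal"
        mv = re.search(r"Drupal (\d+(?:\.\d+)*)", gen_header)
        result["cms_version"] = mv.group(1) if mv else None
    elif "/wp-content/" in body or "/wp-includes/" in body or "wp-json" in headers.get("Link", ""):
        result["cms"] = "WordPress"        # version not disclosed, but the CMS is
    elif "/core/misc/drupal.js" in body:
        result["cms"] = "Drupal"

    m = JQUERY_RE.search(body)
    if m:
        result["jquery"] = m.group(1)
    result["plugins"] = sorted(set(PLUGIN_RE.findall(body)))
    return result


def fingerprint_all(responses):
    return {url: fingerprint(r["headers"], r["body"]) for url, r in responses.items()}


if __name__ == "__main__":
    for url, fp in fingerprint_all(SAMPLE_RESPONSES).items():
        print(url, fp)
```

Every non-empty field in the result is something an operator can decide to remove or minimize: the generator tag and X-Powered-By header can be switched off, and plugin paths are a reminder to keep each listed plugin current or uninstall it.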

By the way, here are the latest statistics reflecting the market share of different CMS platforms:

  • WordPress: 64.1%
  • Shopify: 5.2%
  • Joomla: 3.5%
  • Squarespace: 2.5 %
  • Drupal: 2.4%.

How to Check a WordPress Site for Vulnerabilities

Because WordPress currently dominates the CMS ecosystem, let’s first go over the methods to spot weaknesses in websites running it. There is a hugely effective scanner you can use – it’s called WPScan.

It can fetch the WordPress version, brute-force the admin dashboard via a built-in dictionary, spot vulnerable open directories, detect all plugins installed, and do many more cool things. It is also included as a separate module in Kali Linux and other popular pentesting instruments. You can use its Docker Hub version if you so desire, too.

From where I stand, WPScan’s controls and keys could use some simplification. For instance, the tool comes with two help modules: a brief and a detailed one. That’s kind of redundant.

You’ll need to update the database of WPScan if you’re about to use it for the first time. When done, you can run a scan. Here are important details the scan report will include:

  • WordPress version;
  • open directories;
  • potential vulnerabilities; and
  • hyperlinks to resources describing these vulnerabilities.

The tool displays exclamation marks to flag things that don’t get along with proper security practices. An example is an unsecured wp-config.php file containing database access credentials.

As previously mentioned, this utility can also brute-force the username and password for the admin panel. This workflow is super-fast because it leverages multithreading. In other words, it won’t take WPScan long to retrieve weak credentials. Accessing the WP database is just as simple if the admin has specified a password that isn’t strong enough.

Whereas these details could suffice an attacker to take over the average site, there are quite a few more things to check. These include WP plugins and other potential entry points.

If the scanner doesn’t detect any plugins in the target website, it doesn’t necessarily mean that no plugins are installed. It could be an upshot of restrictions inherent to a passive scanning mode. To identify plugins more efficiently, consider applying an aggressive crawling mode.

This way, the scanner can accurately pinpoint all plugins, including vulnerable ones. Be advised that this usually takes a decent amount of time. If the site is hosted on a distant server, the speed will be lower. As a rule, it won’t take less than half an hour.

Additionally, use the CVE service to check the identifiers of documented vulnerabilities. For instance, you may want to go over loopholes in the PHP version the CMS is using. As part of the research, look for readily available Metasploit modules for WP and give them a shot.

Checking a Joomla Site for Vulnerabilities

Joomla, another popular CMS, can be probed for weaknesses using a tool called JoomScan. It was created by researchers at the Open Web Application Security Project (OWASP). It resembles WPScan in many ways, except that it doesn’t have as many features under the hood. It is embedded in many pentesting (penetration testing) tools, and its user manual consists of only a few lines of text.

JoomScan supports an aggressive method of scanning website components. Its scan report includes the CMS version, the CVEs corresponding to the detected vulnerabilities, and links leading to known exploits that can be unleashed to compromise the site. Plus, it lists all of the site’s directories and a hyperlink to the configuration file if the admin has neglected to obfuscate it.

This tool can’t brute-force the Joomla admin dashboard. To execute attacks like that, you’ll need a powerful solution that operates in tandem with a series of proxy servers. That’s in part because lots of Joomla sites use the highly effective Brute Force Stop plugin. It blocks a malefactor’s IP address if the number of unsuccessful authentication attempts reaches a specified threshold.

If your site uses HTTP, which is fairly uncommon nowadays, try running the relevant Nmap script to assess its resistance against brute-force attacks.

Checking Drupal and other CMS sites

In the case of Drupal and other less popular CMS platforms, things are more complicated. There is no effective scanner to audit these sites for security imperfections. DroopeScan is perhaps the only worthwhile automatic tool you can use, but with the caveat that it doesn’t retrieve details beyond basic site information.

You’ll have to dig into the site manually or search the web to get in-depth data you may need. Vulnerability databases like CVEdetails or proof-of-concept exploits on GitHub can point a pentester in the right direction.

An example of what you can come across is the CVE-2018-7600 vulnerability, which affects Drupal 7.x and 8.x versions and allows a hacker to cause redirects and even execute arbitrary code remotely. A proof-of-concept exploit for it is publicly available. If the scanner returns nothing but the CMS version of a target site, that could be enough to exploit the vulnerability as long as the Drupal version is within the vulnerable range.

By and large, there is no fundamental difference between compromising CMS platforms such as Drupal and breaching any other Internet-facing service. Security loopholes are either there or haven’t been found just yet.
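When a scanner reports only a CMS version, the defender's job is to decide whether that version falls inside an advisory's affected range, and to be honest about the cases where it cannot be decided (a bare "Drupal 8" tells you the branch but not the patch level). This added example, which is not the article's code, does that triage over a constructed inventory. It uses the CVE number the text names, but the "first fixed release" values in the advisory record are sample data and must be replaced with the ones from the vendor advisory before real use.

```python
import re


def parse_version(s):
    """Turn '8.5.1' or '7.58-dev' into a comparable tuple of ints; '' -> ()."""
    parts = []
    for piece in s.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


# Constructed advisory record: major branch -> first release that carries the fix.
# The fixed_in values are sample data, not taken from the advisory.
SAMPLE_ADVISORY = {
    "id": "CVE-2018-7600",
    "cms": "Drupal",
    "fixed_in": {7: "7.58", 8: "8.5.1"},
}


def classify(cms, version, advisory):
    """Return 'affected', 'not-affected' or 'undetermined' for one fingerprinted site."""
    if cms != advisory["cms"]:
        return "not-affected"
    v = parse_version(version or "")
    if not v:
        return "undetermined"           # no usable version string at all
    fixed = advisory["fixed_in"].get(v[0])
    if fixed is None:
        return "not-affected"           # major branch not listed as affected
    if len(v) == 1:
        return "undetermined"           # e.g. "Drupal 8": branch known, patch level not
    return "affected" if v < parse_version(fixed) else "not-affected"


def triage(sites, advisory):
    """Map every (cms, version) pair in the inventory to a status."""
    return {url: classify(cms, ver, advisory) for url, (cms, ver) in sites.items()}


# Constructed fingerprint results: site -> (cms, version as reported by the scanner)
SAMPLE_SITES = {
    "https://portal.example": ("Drupal", "8"),
    "https://intranet.example": ("Drupal", "7.54"),
    "https://shop.example": ("Drupal", "8.5.3"),
    "https://blog.example": ("WordPress", "5.6.2"),
    "https://legacy.example": ("Drupal", "6.38"),
    "https://unknown.example": ("Drupal", None),
}


if __name__ == "__main__":
    for url, status in triage(SAMPLE_SITES, SAMPLE_ADVISORY).items():
        print(f"{status:14} {url}")
```

The "undetermined" sites are the ones to check by hand first: a scanner that could only see the major version has told you the branch is in scope, and the patch level has to come from the server itself or its change log.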

How to check a hand-coded website for vulnerabilities

Looking for security flaws in a hand-coded website is easier said than done. You can’t possibly find a scanner that will say: “This particular web application is out of date, it has a known vulnerability, and here is a link to the corresponding exploit plus a comprehensive tutorial on how to use it.”

In other words, you have a long list of potential weaknesses to check the site for. Audits like that hinge on the OWASP methodology or unique workflows.

Probing a website for unsecured entry points is a deeply creative activity. You aren’t limited to using a clear-cut framework or specific tools, especially if they are open-source. Nevertheless, security auditing is no joke. It comes as no surprise that some companies try to enforce guidelines for implementing these check-ups so that a penetration tester doesn’t miss anything in a flight of imagination.

One of the best ways to do this is to use the OWASP Web Security Testing Guide. It’s a detailed rundown of the rules for web application vulnerability detection. Its authors compiled and described the methods for testing vulnerabilities that fall under the ten most common categories (OWASP Top 10).

If you need to check the feasibility of compromising a hand-coded site, using the above-mentioned WhatWeb tool is a good starting point. Keep in mind, though, that you aren’t inspecting a CMS in this scenario – instead, you are looking for all embedded services and their versions.

Tons of framework versions are susceptible to exploitation. For instance, outdated editions of Apache Tomcat or Ruby on Rails can be breached using publicly available exploits.

Determining the programming language versions can give you important clues, too. For instance, new PHP vulnerabilities are surfacing off and on, and they can stay unpatched for weeks after discovery.

Your next move is to leverage a security scanner. Even if it doesn’t dot all the i’s and cross all the t’s, it could give you some actionable insights into the security condition of the website under scrutiny. For instance, a tool called DIRB will traverse the open directories and analyze the responses.

To look for common weaknesses, consider using one-size-fits-all scanners such as OWASP ZAP, w3af, skipfish and nikto. Keep the Mantra Security Toolkit close at hand as well. To thoroughly scan a website for web application vulnerabilities, you can use a more sophisticated tool called Burp Suite.

Protection best practices

If your website is built with a CMS, then the most effective security tactic is to refrain from installing dubious plugins, remove plugins you aren’t actively using, and keep all the software up to date. Web designers should stick with safe coding practices such as filtering special characters in database queries and extensively vetting scripts found online.
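The "filtering special characters in database queries" point above is worth seeing side by side with the stronger fix, parameterized queries. The following is an added example and not code from the article: it builds an in-memory SQLite table with constructed rows and runs the same lookup three ways, with the value spliced into the SQL text, with single quotes doubled (the filtering approach), and with the value bound as a parameter. The classic `' OR '1'='1` input is used only to show the difference in row counts.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test"), ("carol", "carol@example.test")],
    )
    return conn


def lookup_user_unsafe(conn, name):
    # Vulnerable: the untrusted value becomes part of the SQL statement itself.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_user_filtered(conn, name):
    # Filtering approach from the text: neutralize the quote character by doubling it
    # (the SQL-standard escape). It handles this case but is easy to get wrong in general.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name.replace("'", "''")
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    # Hardened: the value is bound as a parameter; the driver never parses it as SQL.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def demo():
    """Row counts returned by each variant for a normal and a hostile input."""
    conn = make_db()
    normal = "bob"
    hostile = "x' OR '1'='1"
    return {
        "unsafe_normal": len(lookup_user_unsafe(conn, normal)),
        "unsafe_hostile": len(lookup_user_unsafe(conn, hostile)),
        "filtered_normal": len(lookup_user_filtered(conn, normal)),
        "filtered_hostile": len(lookup_user_filtered(conn, hostile)),
        "safe_normal": len(lookup_user_safe(conn, normal)),
        "safe_hostile": len(lookup_user_safe(conn, hostile)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

The unsafe variant returns the whole table for the hostile input, while both the filtered and the parameterized variants return nothing for it. Parameterization is preferred because it does not depend on enumerating every character that could be special in a given database dialect.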

If you own a custom-built website, be sure to scrutinize its web components, get rid of redundant ones, and keep the rest up to date. Also, ascertain that the site is backed by proper tech support.

Also, you can’t go wrong with penetration testing conducted by a third-party professional. Speaking of which, many big businesses set up bug bounty programs and pay white hats for identifying weak links in their online services. On a side note, this type of activity could be a great launchpad for a bright pentesting career.

Tools that help manage vulnerabilities

The bottom line

If you are keen on finding vulnerabilities in web services, you can refine your skills using the OWASP Top 10 guide. Also, before probing real websites for security flaws, consider trying your hand at inspecting test environments such as virtual machines riddled with known flaws.

Amsterdam-based David Balaban is the founder of the Privacy-PC.com project and is a computer security researcher with more than 17 years of experience in malware analysis.

Comparing In-Browser-Based, Commercial Password Managers
https://www.eweek.com/search-engines/comparing-in-browser-based-commercial-password-managers/ (Wed, 17 Feb 2021 02:01:02 +0000)
Most of us visit numerous websites every single day, including online stores, social networks, email services and e-banking resources. To interact with some of these sites as a customer or simply a registered user, you need to enter a login and a password. However, since it is impossible to remember those numerous combos of letters, numbers and special characters, some people reuse passwords in different sign-in scenarios.

This tactic is a slippery slope, though. A malicious actor who manages to infect your device and crack one such combination will be able to impersonate you by accessing your multiple accounts. Of course, you can keep a separate file with all your credentials or use similar characters in a different order, but these methods are not safe enough either.

The silver lining is that there are hugely convenient services you can use to step up your authentication hygiene. They are called–you guessed it–password managers. In a nutshell, these are tools that enable you to securely store numerous login-password pairs for various web resources.

How are password managers used?

Broadly speaking, there are two types of password managers to choose from: in-browser ones and standalone third-party apps. In this review, we will go over both categories. Regardless of the type, these tools store all your sign-in credentials for different sites and automate the authentication process.

This makes complex things easy and adds an extra layer of security to your data. Plus, it prevents anyone who compromises one account from accessing other accounts, thus helping you avoid the scourge of a single point of failure (SPOF).

Top in-browser password managers

To begin, let us dive into the password management features built into popular web browsers. One of their key advantages boils down to user-friendliness, because the browser prompts you to save a password and then allows you to view it in a dedicated interface whenever you want.

Another perk is the ability to synchronize your credentials between different devices. Passwords can also be encrypted and stored that way in the cloud. The browsers listed in the following rundown are free to use and so are their built-in password managers.

Google Chrome

Supported operating systems: Windows, macOS, Linux, Android.

Chrome’s built-in password manager lets you store passwords under the umbrella of your Google account. It is convenient, and users with any level of tech skills can easily get the hang of it.

This service can generate passwords for you, but keep in mind that the resulting combos are not as strong as the ones most commercial counterparts can create. For instance, there is no option to specify a larger number of characters than the default set-up offers or to use special characters.

Overall, this is a mainstream and very intuitive tool. The only caveat is that many security experts find it fairly unreliable because there is no master password, and if an account is hacked, the intruder may get hold of all the data in one hit.

Another thing worth considering is that user data is Google’s main product leveraged for targeted advertising and other sketchy things. Therefore, it might not be a good idea to store all your credentials using a single built-in password manager, especially when it comes to extremely sensitive information.

Mozilla Firefox

Supported operating systems: Windows, macOS, Linux, Android, iOS.

Firefox allows you to encrypt your passwords with a single master key. Furthermore, it is open-source and does not share users’ data with a parent company as some competing web browsers do.

The tool is equipped with a classic feature set: storing login-password pairs, encrypting the master password and the option for Windows users to import passwords from Chrome and Internet Explorer. It uses the symmetric 256-bit AES algorithm to encrypt users’ sign-in details. The manager also includes a component that generates complex passwords.

Opera

Supported operating systems: Windows, macOS, Linux, Android, iOS.

Although Opera’s built-in password manager is fairly rudimentary because it simply stores passwords and web forms, it has two significant advantages over some competitors. First, as is the case with the Firefox counterpart, it allows you to add a master password that will be required to unlock passwords in the browser’s storage. The master password matches the string used to log into the computer, though. The second advantage is the availability of a VPN.

Unfortunately, Opera is not immune to security incidents. In April 2016, the company reportedly suffered a breach in which hackers obtained more than 1.7 million Sync passwords and login credentials. However, the likelihood of such an attack occurring again is minuscule because Opera software engineers have since provided the option to add an extra passphrase to the Sync feature, which can now encrypt passwords, or all data synchronized between devices.

Safari

Supported operating systems: macOS, iOS.

Unlike Chrome or Edge, Apple does not allow its proprietary browser to handle sign-in credentials in isolation from the operating system. Passwords are kept in the iCloud Keychain, which functions seamlessly on Macs as well as iPhones and iPads.

Other than that, there are hardly any functional differences from the browsers mentioned above. Be advised, though, that you cannot specify a master password. The built-in password generator boasts decent efficiency: it distinguishes between authentication, registration and password change forms; moreover, it harnesses individual password creation algorithms for some sites.

The Safari browser is not available for PCs or Android devices, so this password manager is only suitable for those entirely committed to the Apple ecosystem.

Microsoft Edge

Supported operating systems: Windows, macOS, Android, iOS.

Since the redesigned Edge is based on the same open-source Chromium core as Google Chrome, the password manager configuration mechanisms in the two browsers are very similar. The browser has been recently enhanced with a password generator, which appears to work better than Chrome’s counterpart. Previously saved passwords must be deleted individually so that they are eliminated from Edge on other synced devices.

To sum it up, whereas built-in password managers are easy for the average user to master, they should be treated as a handy extension rather than as a separate solution that secures your passwords from different angles.

Their weakest link is that if someone gains unauthorized access to your computer and opens your browser, all passwords may be compromised in a snap because additional defenses such as extra user verification mechanisms are missing in most cases.

Best Commercial Password Managers

Password managers made by third-party developers offer more functionality. These products are cross-browser, provide more sophisticated mechanisms for generating passwords and have additional bells and whistles under the hood.

Dashlane

Price: $0 – $5.99 per month.
Supported operating systems: Windows, macOS, Android, iOS.

In addition to basic password management, this tool allows you to check your stored passwords for strength and have them automatically replaced with more complex ones in a single click if necessary. You also get 1GB of secure storage and a VPN service with no traffic limitations.

Dashlane supports Windows Hello, giving you the ability to log in with biometrics, including face and fingerprint scans. Plus, it allows you to check if your email addresses, passwords and financial information have been compromised and leaked on the dark web. The app has a free version, but with the caveat that it cannot store more than 50 passwords.

Keeper

Price: $2.91 – $6.01 per month.
Supported operating systems: Windows, macOS, Linux, Android, iOS.

Keeper boasts a streamlined and user-friendly interface while providing 10GB of secure storage. Like Dashlane, Keeper supports biometric authentication with Windows Hello. This password manager additionally offers a two-factor authentication (2FA) mechanism dubbed Keeper DNA, which generates one-time passwords on mobile devices. Keeper has built-in dark web monitoring and encrypted chat features that allow users to share files securely.

1Password

Price: $3.99 – $7.99 per month.
Supported operating systems: Windows, macOS, Linux, Android, iOS.

Just like the apps described above, 1Password is compatible with Windows Hello and scans the dark web for leaks of your sensitive data. It provides 1GB of encrypted storage. One of the awesome things about it is the family account option that supports up to five users simultaneously with an unlimited number of devices. 1Password also comes with a built-in parental control feature that prevents your kids from changing passwords for important services.

LastPass

Price: €0 – €3.90 ($4.73) per month.
Supported operating systems: Windows, macOS, Android, iOS.

The free version of LastPass provides the broadest range of features across the whole spectrum of commercial password managers. It allows you to store an unlimited number of passwords on an unlimited number of devices with an extra option of granting access to one more user. The premium version lets you give access to multiple users and includes biometric authentication features, 1GB of secure storage, as well as 24/7 email tech support.

How do you choose the best password manager?

Password managers make it much easier to work with web services and to secure your accounts. This way of handling passwords is definitely more secure than old-school approaches, such as reusing passwords or using terribly similar combinations. It comes as no surprise that these apps are gaining a good deal of traction among users these days.

Nevertheless, when choosing a password manager that suits you the most, be sure to scrutinize its features. In-browser services are convenient and understandable for most users. Still, they tend to lag behind their commercial analogs in terms of generating strong passwords, availability of two-factor authentication and the option of switching between browsers. As a result, most InfoSec professionals think of these tools as garden-variety browser extensions and advise against using them to store sensitive data such as e-banking credentials.

Commercial password managers offer overarching functionality and work as standalone apps. Although many experts consider them more reliable than those built into browsers, the vast majority of users prefer the latter for their day-to-day web surfing.

Amsterdam-based David Balaban is the founder of the Privacy-PC.com project and is a computer security researcher with more than 17 years of experience in malware analysis.

How to Solve Security Problems of Identity Verification Systems
https://www.eweek.com/security/how-to-solve-security-problems-of-identity-verification-systems/ (Fri, 12 Feb 2021 22:46:18 +0000)
There are many different perspectives on how identity verification systems should work to provide confidence, trust and interoperability between different sectors, both local and international. At the same time, these solutions should ensure a decent level of privacy. Comprehensive security instruments are required to address threats such as the abuse of power by some privileged players in the ID verification ecosystem.

The international scale of the issue

The current methods of identity management have plenty of weak links that underlie many forms of cybercrime. Furthermore, the fact that these isolated systems do not overlap prevents law-enforcement agencies from conducting coordinated operations at the international level.

At this point, the approaches to ID verification are undergoing transformations. Security professionals have come up with new principles, developed auxiliary technologies and specified new scenarios for testing these services.

The implementation of modern identity verification services is closely related to the degree of interaction between various sectors of this industry. High-end solutions already have been created both at the enterprise and nation-state levels, but most of them ignore the need for interoperability. Expert communities are actively discussing these issues in an attempt to create relevant solutions.

Next-generation ID verification systems can be a response to security problems in related areas such as identity spoofing via AI algorithms. However, new risks continue to emerge.

Businesses and digital services are becoming more and more interconnected. Digital transactions require sufficient trust and confidentiality between different systems, which can only be achieved through consolidated identity solutions. In other words, the global community needs to create a uniform digital identity model to reduce security risks.

Risks to secure identity verification

The development of next-generation ID verification systems will cause society to increasingly rely on this technology in critical areas. As a result, cyber-attacks targeting this environment will be escalating. Malicious actors will try to find and exploit vulnerabilities in devices and identification mechanisms to access sensitive data.

That said, let us highlight the top threats in this context along with different facets of the motivation for compromising such systems.

  • Insider threat. Motivation: service disruption or money. An intruder disguised as a trusted individual can take advantage of access obtained by circumventing physical security.
  • Unethical competition. Motivation: gaining a competitive advantage. A malefactor can engage insiders and other third parties to carry out the attack.
  • Nation-state foul play. Motivation: politics and economic gain. This type spans espionage, account takeover, authentication system compromise and surveillance.
  • Organized crime. Motivation: money. The dodgy instruments include identity theft, account takeover, data abuse, authentication system compromise, man-in-the-middle (MITM) attacks and document forgery.
  • Hacktivism. Motivation: disrupting a target’s operation, causing reputational damage. Account takeover and impersonation, as well as authentication and authorization compromise, can be applied.

Now, let us outline the key risks to the security of present-day ID verification systems.

  • Privacy: Perpetrators may obtain large amounts of personal data, including biometrics, behavioral and geolocation details.
  • Integrity: Undermining the integrity of these solutions could reduce trust between participants of the ecosystem.
  • Availability: Attackers may try to hack the identity verification infrastructure to disrupt a service that the participants heavily depend on, thus causing a cascading effect.

Information security professionals will face new challenges when building a secure digital identity environment and ensuring both the availability and integrity of these services. A breach could entail more serious systemic consequences, ruining trust between participants that underpins the effective functioning of cyberspace.

Security solutions

ID verification of the future will be backed by a distributed and heterogeneous infrastructure. Trust and transparency, as well as the reliability of the service, will play a fundamental role on a global scale. Reducing security risks in this paradigm is a complex task that hinges on a collective approach.

Unless all the security issues are addressed in a coordinated way, the technology cannot reach its full potential. InfoSec experts need to step in to develop a tamper-proof technology for digital identity verification.

Here are some possible ways to deal with the challenges that will likely occur in the near future.

Assurance, trust and transparency: The resilience of the ID verification infrastructure components is achieved through the transparency of all interactions between participants. The community will need to have an understanding of the trust level in such a system and accurately gauge the trust gap. This will facilitate the implementation of defenses to maintain integrity.

Despite significant progress in developing approaches and security standards for autonomous ID verification services at both regional and national levels, there are still no uniform criteria for a distributed identity framework that would ensure compatibility of approaches across different cyberspace sectors and create a decent level of trust. These criteria need to be formed at an international scale, drawing on previous experience (open-source code and alliances like FIDO or DID) and offering new approaches.

Shared management principles: Collaborative efforts to standardize and certify identity verification systems internationally will provide baseline levels of cybersecurity for all participants across the board. Such standards, for instance, have been formed for payment transaction security (PCI DSS) and the aviation industry (SARPs, ICAO). These fundamental principles will specify both technical requirements and performance criteria for the digital identity process while additionally addressing privacy challenges.

The end-user needs to have control over personal data and understand how it is processed and to whom it is transmitted. Developing additional incentive models for businesses and politics will encourage all the involved entities to support interoperability and innovation of ID verification services combined with a profound understanding of who is responsible for ensuring security in different parts of the distributed environment.

Getting participants together: Local, isolated identity verification systems are already here. An assembly of different industry players will help explore the interoperability of its various sectors, creating incentives for developing management principles to ensure proper security. This way, it will be possible to single out the overarching entities (government, private sector, society) and key players in the ID verification area (banks, telecommunications service providers, technology companies).

Such an assembly would open new opportunities for cooperation between sectors, identifying not only the key roadblocks on the way toward creating a global ID verification infrastructure but also the ways to dodge them. The economic, political and even crisis factors (the COVID-19 pandemic) emphasize the need for collaborative action and naturally shape up next-generation ID verification services.

Cooperative Operations Security (OPSEC): The InfoSec community is bound to meet the tough challenge of protecting the distributed, heterogeneous and inherently complex ID verification systems of the future against hackers and their malicious code. This will require entirely new approaches and coordinated actions by all security professionals in the digital identity arena.

As the other technologies evolve and next-generation ID verification systems are deployed, experts will need to consider the potential threats of the future. One of the things on their to-do list is to ensure a proper level of quantum cryptography of distributed components. While some approaches to detecting, tracking and neutralizing fraudulent activity are available for isolated ID verification systems, they have yet to be created for end-to-end solutions of that kind. There is a need for systemic risk and threat modeling that takes different industry players’ privileges into account.

A common incident reporting framework will be key to assessing current risks and optimizing incident response rates. Coordinated efforts at the level of the InfoSec community as well as the development of international ID verification security standards and data sharing will ensure a decent level of security for all members of the ecosystem and unleash the true potential of the next-generation digital identity technology.

Amsterdam-based David Balaban is the founder of the Privacy-PC.com project and is a computer security researcher with more than 17 years of experience in malware analysis.
