Sophos | Bach Seat

Tag Archive for Sophos

RB | October 27, 2019

Comments Off

Church Wearable Device Very Holey

The Vatican recently launched a holey wearable app onto the Internet of Things (IoT). The Church’s wearable IoT device, Click To Pray eRosary, is a bracelet of rosary beads along with a smart cross. The device is part of the Vatican’s mission to pray for peace. But the app is bedeviled by what sources call a “significant cybersecurity flaw.”

The $110 device syncs with Click to Pray, the official prayer app of the Pope’s Worldwide Prayer Network. It tracks the user’s progress as they work through different sets of themed prayers. Oh, it also tracks your steps, too, for those that want to exercise both body and soul.

The Verge reports the gadget, designed by GadgeTek, a division of Acer, and pairs with an iOS or Android app you can download. The device can be bought through Amazon Italy or , the specs include:

Six-axis inertial sensing
Bluetooth 5.0
IP67 water and dust resistance
Wireless charging
a 15mAh lithium-ion battery
10 black agate beads and 11 hematite beads

The “smart cross” stores all technical data. The app, however, appears to handle all of the actual user-interaction — the “smart cross,” does not appear to interact directly with the user. Engadget claims that the device also tracks health-related information. It’s basically an adapted fitness tracker, and it still doubles as a fitness tracker. The Vatican News explained the Church’s moved to the IoT like this:

The Click To Pray eRosary is an interactive, smart and app-driven wearable device that serves as a tool for learning how to pray the rosary for peace in the world. It can be worn as a bracelet and is activated by making the sign of the cross. It is synchronized with a free app of the same name, which allows access to an audio guide, exclusive images and personalized content…

Its target audience is:

the peripheral frontiers of the digital world where the young people dwell (rb- Maybe something got lost in translation)

The Catholic Church proved it is merely mortal when it comes to the Internet of Things. Like Most things IoT it was released with security holes. Sopho’s Naked Security blog explains that Fidus Information Security discovered a flaw in the prayer app’s authentication mechanism. The pious can safely log in via Google and Facebook but in the good catholic tradition, any alternatives cause issues.

The flaw rises when a user resets their account using the Click to Pray app. it makes an API call to the server, which then sends the PIN to the user’s email. The server also returns the PIN in its response to the API request, meaning that someone accessing the API directly could get the user’s PIN without having access to their email.

The researchers say they used this method to easily log in and obtained phone numbers, height, weight, gender, and birth dates. CNet says the Android version of the app also asks for access to location data and permissions to make calls.

Also, there was no limit to the number of login attempts, which is a dream for any hacker who wants to make automated, or brute force, attempts to break in.

Security researcher Elliot Alderson not only found the eRosary vulnerability, but he also reported it to the Vatican first. And of course, the Vatican respond via Twitter with appreciation. The Vatican’s representative, a self-described “Digital Jesuit in Rome,” Father Robert Ballecer, understood the significance of having a security researcher attempting to contact the Vatican.

The church’s developers reportedly patched the eRosary within 24 hours.

rb-

The quick response by the Vatican is more than we can say for most organizations. So when it comes to the security of the Vatican’s new wearable device, it’s a good thing the Digital Jesuit is on the team.

They moved pretty fast for an organization that took 350 years to forgive Galileo.

Catholic Church Sends $1.7 Million to Hackers (SecureWorld)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2019, Authentication, Fail, Fidus Information Security, Internet of Things, IOT, Prayers, Sophos

RB | October 20, 2019

Comments Off

VC Buys Sophos – Start of Bubble?

Cyber-security firm Sophos has been acquired by private equity firm Thoma Bravo for $3.9 billion. The firms disclosed the deal on Oct 14, 2019. Sophos Group (SOPH.L) was founded in 1985 and is a FTSE 250 company. The cybersecurity firm is based in Abingdon near Oxford and employs 3,400 people. Sophos has 400,000 clients around the world including Pixar, Ford, Under Armour, Northrop Grumman, and Toshiba.

The Sophos board accepted the deal and would unanimously recommend the offer from Thoma Bravo. The deal is subject to shareholder approval. Some speculate that the timing of the deal is to take advantage of the pound’s weakness around BREXIT.

The deal continues Thoma Bravo’s buying spree gathering technology companies that offer cybersecurity and business management tools. Thoma Bravo also has ownership stakes in cyber-security firms Barracuda Networks, Imperva, McAfee, and Veracode and remote managing and management (RMM) firms ConnectWise, Continuum, SolarWinds, and LogRhythm, among others. It is the first acquisition outside the U.S. for the Chicago-based buyout firm.

The Sophos acquisition is one of many transactions affecting the endpoint security market, which is consolidating. Rik Turner, the principal analyst at Ovum, told Dark Reading, “There are probably too many vendors coming at this market in different ways, so a degree of simplification is in order.”

Among some of the notable endpoint deals thus far are VMware‘s acquisition of Carbon Black, Blackberry‘s purchase of Cylance, and HP’s acquisition of Bromium, for example.

Bubble burst So the question is the cybersecurity space in a bubble? Have valuations and VC investments grown too rich? TechCrunch recently wrote that security may be in a bubble, but it is not about to burst. Here are the arguments they laid out.

TechCrunch explains the bubble part of the equation is building:

The landscape of cybersecurity solutions and services is strikingly saturated. Still, this busy frontier continues to attract founders and investors alike, with 300+ new startups launching every year and VCs investing in cybersecurity at a record high of $5.3 billion in 2018. Further, many cybersecurity startups are able to raise large rounds of funding, with exceedingly high valuations, despite having little market traction.

However, the demand side of the equation is also growing and shifting according to TechCrunch:

The global cybersecurity market is booming: Cybersecurity-related spending is on track to surpass $133 billion in 2022, and the market has grown more than 30x in 13 years. Moreover, security is often integrated into new business initiatives and used as a competitive advantage.

rb-

I wonder what the looming Trump trade-war-induced recession will do to the cyber-security bubble. We know that consolidator means job losses and recessions men more jobs are lost. To quote the great American philosopher Yogi Bera – It’s déjà vu all over again for those of us who lived thru Webvan and dot-bomb.

What Happens To Enterprises If the Cybersecurity Bubble Pops? (ITSP Magazine)

Category: Uncategorized | Tags: 2019, Mergers and Acquisition, Security, Sophos, Tech bubble, Thoma Bravo

RB | September 7, 2016

Comments Off

Stop using SMS for Two-Factor Authentication

Followers of the Bach Seat know that passwords suck and no longer provide reliable security. Because automated mass cybercrime attacks are hammering businesses daily, the National Institute of Standards and Technology (NIST) is disrupting the online security status–quo. According to InfoWorld, the US government’s standards body has decided that passwords are not good enough anymore. NIST now wants government agencies to use two-factor authentication (2FA) to secure applications, networks, and systems.

Two-factor authentication is a security process where the user provides two means of identification from separate categories of credentials. The first is typically something you have, a physical token, such as a card. The second is usually something you know like a PIN number.

The proposed standard discourages organizations from sending special codes via SMS messages. Many services offer two-factor authentication. They ask users to enter a one-time passcode sent via SMS into the app or site to verify the transaction. The author writes that weaknesses in the SMS mechanism concern NIST.

NIST now recommends that developers use tokens and software cryptographic authenticators instead of SMS to deliver special codes. They wrote in a draft version of the DAG; “OOB [out of band] using SMS is deprecated and will no longer be allowed in future releases of this guidance.”

Federal agencies must use applications that conform to NIST guidelines. This means for software to be sold to federal agencies, it must follow NIST guidelines. InfoWorld says this is especially relevant for secure electronic communications.

SMS-based Two-Factor Authentication is considered insecure by NIST for a number of reasons. First, someone other than the user may be in possession of the phone. The author says an attacker with a stolen phone would be able to trigger the login request. In some cases, the contents of the text message appear on the lock screen, which means the code is exposed to anyone who glances at the screen.

InfoWorld says that NIST isn’t deprecating SMS-based methods simply because someone may be able to intercept the codes by taking control of the handset, that risk also exists with tokens and software authenticators. The main reason NIST appears to be down on SMS is that it is insecure over VoIP.

The author says there has been a significant increase in attacks targeting SMS-based two-factor authentication recently. SMS messages can be hijacked over some VoIP services. SMS messages delivered through VoIP are only as secure as the websites and systems of the VoIP provider. If an attacker can hack the VoIP servers or network they can intercept the SMS security codes or have them rerouted to her own phone. Security researchers have used weaknesses in the SMS protocol to remotely interact with applications on the target phone and compromise users.

Sophos’ Naked Security Blog further explains some of the risks. There is malware that can redirect text messages. There are attacks against the Signalling System 7 (SS7) protocol. SS7 controls how the phone system works. (rb- Some believe that TLA’s hacked SS7 to spy on citizens.) This hack allows an attacker to divert the SMS containing a one-time passcode to their own device, which lets the attacker hijack any service, including Twitter (TWTR), Facebook (FB) or Google (GOOG) Gmail, that uses SMS to send the secret code to reset the account password.

Mobile phone number portability also poses a problem for SMS security. Sophos says that phone ports, also known as SIM swaps can make SMS insecure. SIM swap attacks are where an attacker convinces your mobile provider to issue you a new SIM card to replace one that’s been lost, damaged, stolen or that is the wrong size for your new phone.

SIM swap attacks Sophos also says in many places it is very easy for criminals to convince a mobile phone store to transfer someone’s phone number to a new SIM and therefore hijacking all their text messages.

ComputerWorld highlights a recent attack that used social engineering to bypass Google’s two-factor authentication. Criminals sent users text messages informing them that someone was trying to break into their Gmail accounts and that they should enter the passcode to temporarily lock the account. The passcode, which was a real code generated by Google when the attackers tried to log in, arrived in a separate text message, and users who didn’t realize the first message was not legitimate would pass the unique code on to the criminals.

“NIST’s decision to deprecate SMS two-factor authentication is a smart one,” said Keith Graham, CTO of authentication provider SecureAuth. “The days of vanilla two-factor approaches are no longer enough for security.”

For now, applications and services using SMS-based authentication can continue to do so as long as it isn’t a service that virtualizes phone numbers. Developers and application owners should explore other options, including dedicated two-factor apps. One example is Google Authenticator, which uses a secret key and time to generate a unique code locally on the device for the user to enter into the application.

Hardware tokens such as RSA’s SecurID display a new code every few seconds. A hardware security dongle such as YubiKey, used by many companies including Google and GitHub, supports one-time passwords, public-key encryption, and authentication. Knowing that NIST is not very happy with SMS will push the authentication industry towards more secure options.

Many popular services and applications offer only SMS-based authentication, including Twitter and online banking services from major banks. Once the NIST guidelines are final, these services will have to make some changes.

Many developers are increasingly looking at fingerprint recognition. ComputerWorld says this is because the latest mobile devices have fingerprint sensors. Organizations can also use adaptive authentication techniques, such as layering device recognition, geo-location, login history, or even behavioral biometrics to continually verify the true identity of the user, SecureAuth’s Graham said.

NIST acknowledged that biometrics is becoming more widespread as a method for authentication, but refrained from issuing a full recommendation. The recommendation was withheld because biometrics aren’t considered secret and can be obtained and forged by attackers through various methods.

Biometric methods are acceptable only when used with another authentication factor, according to the draft guidelines. NIST wrote in the DAG;

[Biometrics] can be obtained online or by taking a picture of someone with a camera phone (e.g. facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high-resolution images (e.g., iris patterns for blue eyes)

At this point, it appears NIST is moving away from recommending SMS-based authentication as a secure method for out-of-band verification. They are soliciting feedback from partners and NIST stakeholders on the new standard. They told InfoWorld, “It only seemed appropriate for us to engage where so much of our community already congregates and collaborates.”

You can review the draft of Special Publication 800-63-3: Digital Authentication Guidelines on Github or on NIST’s website until Sept. 17. Sophos recommends security researcher Jim Fenton’s presentation from the PasswordsCon event in Las Vegas that sums up the changes.

VentureBeat offers some suggestions to replace your SMS system:

Hardware tokens that generate time-based codes.
Apps that generate time-based codes, such as the Google Authenticator app or RSA SecurID,
Hardware dongles based on the U2F standard.
Systems that use push notifications to your phone.

Which Form Of Two-Factor Authentication Should I Use? (lifehacker.com.au)

Category: Uncategorized | Tags: 2016, 800-63, Authentication, Github, GOOG, Google, Government, Multi-factor authentication, NIST, Passwords, Security, Short Message Service, SMS, Sophos, SS7, Two-factor authentication

RB | March 12, 2015

Comments Off

What the FREAK !

Earlier this month news broke that Google, Apple, and Microsoft are vulnerable to a new bug poetically called – Factoring RSA Export Keys – FREAK. The cause of the FREAK bug is not new. In fact, the origin of the FREAK back goes back to the 1990s and government meddling.

Paul Dirkin at Sophos’ Naked Security blog explains that FREAK is a risk to all users. It is a risk because an attacker can trick you and the server into settling on a much weaker HTTPS encryption scheme than from the 1990s. Basically, the attacker gets you to use what’s called “export grade” RSA encryption. Export grade encryption is a ghost from an earlier U.S. Gooberment attempt to break encryption. In the ’90s the NSA required exported encryption to be deliberately weakened. The idea was that export grade keys were just about good enough for every day, not-so-secret use, but could be cracked by superpowers with supercomputers if national security should demand it.

No one should be using export-grade keys anymore – indeed, no one usually does. But many clients and servers still support them according to Sophos. Somehow, in 2015 it never seemed to matter that the 1990 code was still lying around.

If attackers can watch the traffic flowing between vulnerable devices and websites they could inject code that forces both sides to use 512-bit encryption, which can be easily cracked. It took researchers seven months to crack the key In 1999, the article claims that the same crack takes about 12 hours and $100 using Amazon’s (AMZN) cloud in 2015. It would then be technically pretty straightforward to launch a MITM by pretending to be the official website.

Now that your security is compromised, an attacker can use a “man in the middle” attack (someone who can listen into and change the network traffic between you and your destination server).

Additionally, the author says many servers use the same RSA key over and over again. This allows attackers to use the compromised export grade key to decrypt other sessions, using the same key. Another risk Sophos claims is that export-grade keys allow evil-doers to steal both the public and private keys by using a technique known as “factoring the modulus,” With the critical private key, criminals can now sign traffic from an imposter website as though it came from a trusted third-party.

The author says the team that identified the original FREAK vulnerability claim to have used this bug to create a fake nsa dot gov. University of Michigan computer scientists J. Alex Halderman and Zakir Durumeric, told InfoSecurity that the vulnerability affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains.

The good news, according to Sophos: Users of Chromium/Chrome and Firefox are OK.

The bad news – the bug affects TLS/SSL, the security protocol that puts the S into HTTPS and is responsible for the padlock in your browser’s address bar. The bug is known to exist in:

OpenSSL‘s TLS implementation (before version 1.0.1k), which includes Google (GOOG) Android‘s “Browser” browser, and therefore probably Samsung‘s (005930) derived browser known as “Internet.”
Apple (AAPL) SecureTransport puts OS X software at risk, including Safari.
Microsoft (MSFT) Windows Schannel TLS library puts Windows software including Internet Explorer at risk.

You can check to see if your browser is vulnerable to the FREAK attack on a UMich page here.

You can also check on your favorite website on this UMich page.

rb-

“Export grade” encryption was largely abandoned by 2000 because it was a bad idea. silly idea. It hurt the US software industry and Americans who bought an inferior product. It is still a dumb idea in 2015. As the Gooberment wants to cripple the latest generation of encryption by putting backdoors into encrypted messaging. They seem to have won with Google. Google has dumped plans to encrypt communications by default in Android.

In the short term, if you are worried, use another browser Firefox or Chrome.

Apple’s App Stores Out of Order (blogs.barrons.com)

Category: Uncategorized | Tags: 2015, AAPL, Apple, Encryption, Freak, GOOG, Google, Hack, Microsoft, MSFT, Security, Sophos, SSL, TLS, University of Michigan

RB | August 19, 2014

Comments Off

Password Free Future

Let’s just admit it, passwords suck, people don’t use good passwords. Password breaches seem to be the new normal. This new normal is forcing firms to find new ways of verifying their users and securing their data. Now, security firm Trustwave says traditional password policies are useless.

According to an article at Infosecurity Magazine the Chicago-based firm says mixing upper and lower case letters, numbers and special characters don’t make passwords any harder for hackers to crack, only increasing the number of characters makes passwords more secure. Will we end up with 1,024 character secure passwords. I say let’s ditch passwords altogether.

What else can we use to secure our IDs? John Hawes at Sophos Naked Security Blog recently bemoaned the state of the clunky, fiddly, and mostly rather insecure passwords we use for almost all of our authentication needs. He says we may not be stuck with passwords forever. He offers some future options.

You are the proof

Facial Recognition – The author cites Australian researchers who have been promoting facial recognition as a means of authentication. This idea seems obvious, faces are the main way people identify each other in the real world, so it makes sense to have computers recognize our faces, or at least bits of our faces. The Sophos article says the approach has become common of late, with PC login systems and mobile apps trying to use our faces to authenticate us to various things. There is even a Finnish company that plans to use faces in place of credit cards.

The anti-malware firm says facial recognition systems have proven less than perfect, either easily fooled by photos, similar-looking people, or technical tricks, or failing to authenticate real users thanks to bad hair days or bad moods affecting how we look.

Mr. Hawes says University of Queensland researchers are trying to improve the accuracy and security of facial recognition. The Aussies are working to be able to get facial recognition to work from a single initial still image and from different angles and different lighting conditions, which sounds like a must for any decent recognition system.

The good thing about face recognition, the author says is that it’s relatively low-tech, using a standard part (the rear-facing camera) of most of the devices we use. The software looks for patterns on the human face, such as distance between eyes, to identify people. But the researchers expect it will take more time to have a fool-proof working prototype.

CNN points out that security is great for consumers, but it’s not the primary goal of most facial recognition tools. Law enforcement and spies are building databases (PDF) to take advantage of recent advancements in facial recognition. Identifying one person using their trail of selfies left online and in surveillance footage from stores could be a huge business. Some stores already use facial recognition to build profiles on repeat customers and collect data about how they shop.

Facebook (FB) recently bragged that its own facial recognition project named DeepFace was almost as accurate at detecting people as the human brain. More recently, it also claimed to be able to recognize faces from the side as well as the front.

Ears – CNN reports that with the right software, a phone can detect the shape of a human ear and use it to log in. That’s the idea behind the Ergo Android app by Descartes Biometrics. When an ear is pressed against the screen, the points where it makes contact with the glass are mapped out and compared to a stored ear print. If it matches, the user is authenticated. The app is adjustable and can require multiple scans for the highest levels of security.

For now, it’s limited to unlocking a phone. But CNN claims ear prints could be used to identify people for any number of uses on the phone, such as making purchases in app stores or signing into services.

Walking – CNN says that if you’ve ever identified someone by how listening to how they walk down the hall, you’ve already seen the power of gait recognition. For 30 years, researchers have tinkered with gait-recognition technology but the recent boom in inexpensive motion sensors like accelerometers and gyros have given new life to the field. CNN reports that with the right software and sensors, they should be able to analyze a person’s walk. A wearable fitness device or smartphone can act as a password to authorize users.

The benefit of gait recognition is that it can gather the necessary information in the background while people go about their normal routines. There’s no need for the subject to touch their device or look into a camera.

Things you do are proof

Typing – Like walking, typing varies from person to person according to CNN. Keystroke biometrics record how a person types and calculates their unique pattern, speed, and rhythm. It determines how long they hold down each key and the space of time between different letters. Keystrokes could be used to authenticate anyone working on a computer. This system could appeal to companies that are watching out for unauthorized users on their internal systems.

Gestures – Gesture-based authentication is another potential password replacement emerging from the world of smartphones and tablets. Mr. Hawes says hand movements repeated often enough can lead to muscle memory, so quite complex patterns can become quite easy to reliably and accurately reproduce. This is the basis of a very venerable form of authentication, the signature. It should be harder to compromise though, as, unlike signatures, swipes leave few traces to be copied.

Android phones have long had swipe-pattern unlock features, and Microsoft (MSFT) Windows 8 includes a system based on a few swipes around a picture. Research has poked some serious holes in this approach though, showing that people are just as bad at picking hard-to-guess shapes as they are at choosing passwords.

Besides monitoring your body to authenticate you, there are hybrid authentication technologies. Hybrid authentication combines biometric factors with other techs.

Brain waves – I covered the Interaxon Muse headband sensor device a while ago. It is designed to allow users to create a specific brain wave signature for a password that will never have to be said or typed to log in.

Biostamps – The biostamp idea proposed a hybrid of body and technology. The biostamps are flexible electronic circuits attached to the skin, which theoretically can communicate your password wirelessly with any device which needs to check who you are.

Bracelets – Another hybrid approach uses a bracelet device that measures heart rhythms to check who we are, and then connects to our devices via Bluetooth to pass on that confirmation. I covered Nymi here.

The actual authentication takes place only when the bracelet is first put on. It requires a quick touch of some sensors, and from then on it will confirm you’re you until it’s removed. It includes motion sensors, so the basic authentication can also be combined with movements and gestures to create multi-factor passwords, using both the body and the mind of the attached user. Gestures could be used to unlock cars, for example.

Over the years the password systems we use have seen various improvements, both in usability (ranging from simple but today’s indispensable systems for replacing forgotten passwords to the latest secure password management utilities) and security, for example, two-factor authentication schemes using dongles or smartphones combined with our computers.

All have helped in some ways, but have also introduced further opportunities for insecurity – recovery systems can be tricked, management tools can have vulnerabilities or simply be insecurely designed, and two-factor approaches can be defeated by man-in-the-mobile techniques.

rb-

Biometrics are not bullet-proof. They have a number of problems still.

Biometric data cannot be changed once it is compromised.
Will stress, fitness, or aging, have on the physiological elements of biometrics.
Cost, most of these techniques require new equipment.
They all need connectivity, Bluetooth connectivity.
Biometric data still needs to be stored somewhere. And that would be an attractive target for attackers.

Make Passwords Strong And Long (securitywatch.pcmag.com)

Category: Uncategorized | Tags: 2014, Biometrics, Brain waves, Facebook, Facial recognition, FB, GOOG, Google, Heart beat, Malware, Passwords, Security, Sophos, Trustwave

« Older Entries

Bach Seat

Tag Archive for Sophos

Church Wearable Device Very Holey

Related articles

VC Buys Sophos – Start of Bubble?

Related articles

Stop using SMS for Two-Factor Authentication

Related articles

What the FREAK !

Related articles

Password Free Future

You are the proof

Things you do are proof

Related articles

Meta