IBM has patched a vulnerability in Verify Gateway (IVG) that could allow remote attackers to brute-force their way into accounts.
IVG is software designed to protect enterprise systems through multi-factor authentication features and pre-built credential provider services. IVG supports a range of operating systems and platforms including Windows, RedHat, Centos, Ubuntu, Debian, AIX, and SuSE.
This week, the tech giant issued a set of security advisories relating to versions 1.0.0 and 1.0.1 of the software, the most serious being the disclosure of CVE-2020-4400.
Assigned a CVSS severity score of 7.5, the vulnerability stems from an account lockout mechanism deemed “inadequate” because it does not prevent repeated access attempts. In automated brute-force attacks, threat actors hammer a system with usernames and passwords until they hit the right combination; to stop such attacks from succeeding, software usually restricts the number of login attempts.
However, IVG’s settings did not meet this standard for time-based one-time passwords (TOTPs), and so the bug “could allow a remote attacker to brute-force account credentials,” according to IBM.
The patched releases (v1.0.1 of IVG for RADIUS and AIX PAM, and v1.0.2 of IVG for Linux PAM and IVG for Windows Login) add a throttling mechanism.
IBM has also released a security advisory for CVE-2020-4369, a vulnerability in the privileged access management (PAM) components of the authentication gateway.
This vulnerability concerns how IVG (AIX PAM and Linux PAM) handles the encryption of client-side properties. PAM allows encryption through the pam_ibm_auth.json file, but it is not enabled by default, so users have to remember to add the obfuscation commands manually.
As this relies on customers to implement encryption, it may be considered a potential security risk that does not need to exist, one that could lead to the “storage [of] highly sensitive information in cleartext that could be obtained by a user,” the company says.
IBM has now added client-side encryption by default in AIX PAM and Linux PAM.
In addition, IBM has tackled CVE-2020-4372, another information disclosure issue present in IVG for RADIUS, AIX PAM, Linux PAM, and Windows Login.
The vulnerability occurs when IVG components are running with debug tracing. While tracing is active, client secrets are exposed in cleartext via the debug log, including client usernames, passwords, and client IDs.
IBM has patched the issue by suppressing client secrets when debug tracing is active.
The company recommends that users install the latest updates of IVG, now renamed IBM Security Verify Gateway.
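The debug-tracing issue is a general one: any component that dumps its client configuration or connection parameters at DEBUG level will leak secrets unless they are suppressed before the record is written. The following added example (not IBM's code, and not a description of how IVG suppresses secrets) shows the usual defensive pattern in Python's standard logging: a handler-level filter that scrubs sensitive fields from every record, plus a helper that redacts a configuration mapping before it is serialised. The key names, the logger name `ivg_demo` and the sample client record are constructed for the demo.

```python
"""Added example (not IBM's code): suppress client secrets in debug traces.
Two layers: redact structured config before it is logged, and scrub
key=value secrets from every formatted log line at the handler."""
import io
import json
import logging
import re

# Constructed list of field names treated as secret.
SENSITIVE_KEYS = {"password", "client_secret", "secret", "api_key", "token"}
# Matches 'password=hunter2' style fragments in free-text log lines.
_KV = re.compile(r"(?i)\b(password|client_secret|secret|api_key|token)=([^\s,;]+)")

# Constructed sample client record; nothing here is a real credential.
SAMPLE_CLIENT = {
    "client_id": "demo-client-01",
    "username": "svc-radius",
    "password": "hunter2",
    "client_secret": "s3cr3t-constructed",
}


def redact_mapping(data: dict) -> dict:
    """Return a copy of data with secret values replaced, recursing into nested dicts."""
    out = {}
    for key, value in data.items():
        if isinstance(value, dict):
            out[key] = redact_mapping(value)
        elif key.lower() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        else:
            out[key] = value
    return out


def redact_text(text: str) -> str:
    """Replace the value of any key=value secret fragment in a log line."""
    return _KV.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


class SecretFilter(logging.Filter):
    """Attached to the handler so it applies to every logger feeding it.
    The message is formatted first, so secrets passed as %-arguments are
    scrubbed too, not only those embedded in the literal format string."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def debug_trace(client_config: dict) -> str:
    """Emit a debug trace of client_config through the filter and return the text."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(SecretFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("ivg_demo")      # hypothetical logger name
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    # Structured dump: redact before serialising so the JSON never held the secret.
    logger.debug("client config: %s", json.dumps(redact_mapping(client_config)))
    # Free-text line: the handler filter catches the secret passed as an argument.
    logger.debug("connecting as %s password=%s",
                 client_config["username"], client_config["password"])
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    print(debug_trace(SAMPLE_CLIENT), end="")
```

Redacting at the handler is the backstop; the first layer (never putting the secret into the message) is what makes the trace safe even when a handler is misconfigured, which is why the structured dump goes through `redact_mapping` before it is serialised.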

IT leaders are taking issue with the amount of cybersecurity money their organizations are spending to support remote work, according to a new survey from JumpCloud.

On Wednesday, the company released the findings of its 2021 State of the SME IT Admin Report, which featured the responses of 401 IT decision-makers at small and medium-sized enterprises from April. Those surveyed include managers, directors, vice presidents, and executives.

More than 60% of respondents said their enterprise was paying “for more tooling than they need” to manage user identities, while another 56% said too much was being spent on enabling remote work. Respondents were more split on the top concerns, with 39% referencing software vulnerabilities, 37% expressing concern about reused usernames and passwords and 36% mentioning unsecured networks. Another 29% said device theft was also a concern.

Nearly one-fourth of all respondents said their organization was adopting a Zero Trust security approach, and 33% said they were in the process of incorporating it. MFA is also popular among respondents, with 53% saying they require MFA across everything.

Much of the study focused on employees who are now using both personal and work devices while also accessing company resources from devices outside of the corporate security perimeter. Rajat Bhargava, CEO of JumpCloud, attributed the responses to the situation IT administrators faced during COVID-19.

“Remote work put enormous pressure on admins and organizations, and now that the work landscape has changed permanently, the top priority for SMEs is to address those challenges,” Bhargava said. “IT professionals’ 2021 priorities of layered security for more secure work-from-anywhere, making remote work easier, and more efficient device management underscore the need for a more consolidated, platform-based approach to IT that reduces complexities and cost.”

According to more than 50% of survey respondents, IT budgets will be devoted overwhelmingly to supporting remote management, security, and cloud services. More than 73% of respondents said remote work allowed employees to develop bad security practices, and managing remote workers has become one of the biggest challenges for IT administrators. Two-thirds of all IT managers reported feeling “overwhelmed” with managing remote workers.

“IT admins turn to MSPs in droves: 84% of respondents said they have already or plan to engage an MSP. 34% engaged an MSP to manage the IT stack completely; 30% engaged an MSP to support internal IT teams/individuals, and 21% said they are exploring what an MSP can do to support IT better,” the company explained. “Most common reasons to use MSPs are: for security (51%); employee hardware (46%); and cloud services (46%). Nearly 75% say their IT budgets increased in the past year, while only 38% saw their own salaries increase. In fact, 26% say they’re being paid less. Despite all they’ve gone through, a clear majority report they’re actually happier in their work (58.6%). Only 17% say they’re less happy.”

Written by Mary Jo Foley, Contributor
Mary Jo Foley has covered the tech industry for 30 years for a variety of publications, including ZDNet, eWeek, and Baseline. She is the author of Microsoft 2.
Microsoft rolled out a new Windows 11 Insider test build, No. 22610, to the Dev and Beta Channels on April 29. This build includes a lot of fixes, along with a handful of new features and updates.

Today’s test build also no longer enables the SMB1 file-sharing client by default in the name of security. However, testers who have installed SMB1 manually or upgraded from a preview Windows version where SMB1 was installed will not have SMB1 removed from the latest test builds.

Build 22610 adds new mobile device management and group policies for IT admins. These new policies can be configured locally using the group policy editor or via Microsoft EndPoint Manager. Among the policies available as of today:

- Disable Quick Settings flyout
- Disable Notification Center and calendar flyouts
- Disable all taskbar settings
- Disable search (across Start & taskbar)
- Hide Task View from taskbar
- Block customization of ‘Pinned’ in Start
- Hide ‘Recommended’ in Start
- Disable Start context menus
- Hide ‘All apps’ in Start

Today’s test build also includes an update to the Family Safety Widget, which provides a new location-sharing view to show where those using the Family Safety app are located. There’s also an update that includes “an improved view” of screen time usage across apps and devices. For those with PCs that support it, the estimated battery life timing will show up in the battery icon in the system tray.

Today’s test build does not include the usual build watermark, which typically indicates that Microsoft is closing in on completing a new Windows feature update. However, officials reminded testers “this doesn’t mean we’re done” and said the watermark will be back in a future build. And even once Windows 11 22H2, expected this fall, does “RTM” relatively soon, testers will get updates and fixes for months before 22H2 rolls out to the mainstream.

Today’s build also disables the tablet-optimized taskbar feature that Microsoft began rolling out in Build 22563. Officials said they are hoping to bring this feature back “after further refinement of the experience.” Build 22610 also updates the rename, properties, and optimize icons used in the context menu and command bar to improve discoverability and consistency.

For a full list of the fixes, updates and known issues in Build 22610, see Microsoft’s blog post.