More stories

  • This is the ultimate security key. Here's why you need one

    It’s not often that I say you absolutely need to buy something. But this is something you need to buy. Two-factor authentication — a combination of something you remember (such as a password) and something you have (a smartphone or a token) — offers far better security than relying on passwords alone. And while SMS-based authentication is better than nothing, what’s even better is hardware-based authentication. I’ve tested dozens of hardware-based security keys, and the one that I use to secure my online accounts is the YubiKey 5C NFC.

  • CISA: Here's how to apply this key Windows patch without breaking certificate authentication

    The Cybersecurity & Infrastructure Security Agency (CISA) is now advising federal agencies and others to patch a Windows flaw from Microsoft’s May Patch Tuesday. CISA has re-added the Windows flaw CVE-2022-26925 to its Known Exploited Vulnerabilities (KEV) Catalog and has told federal agencies to patch it by 22 July. The bug is in Windows Local Security Authority (LSA), which “contains a spoofing vulnerability where an attacker can coerce the domain controller to authenticate to the attacker using NTLM.”

    NTLM (NT LAN Manager) is a legacy Microsoft authentication protocol for Active Directory that was implemented in Windows 2000. LSA allows applications to authenticate and log users on to a local system. CISA on May 15 temporarily removed CVE-2022-26925 from the KEV catalog because of login issues customers faced after applying the update on Windows Servers used as domain controllers, that is, Windows servers used for user authentication. Besides potentially breaking logins for users at many federal agencies, it’s also a complicated fix to roll out.

    CISA on July 1 noted in separate guidance for applying the patch for CVE-2022-26925 that it contains fixes for two related flaws addressed in the May Patch Tuesday update: CVE-2022-26923, an Active Directory Domain Services elevation-of-privilege flaw; and CVE-2022-26931, a Windows Kerberos elevation-of-privilege vulnerability. (Kerberos is the successor to NTLM for authentication in Active Directory.) But as CISA explains, these updates caused login failures at “many federal agencies” that use Personal Identity Verification (PIV)/Common Access Card (CAC) certificates for authentication. The breakage stems from Active Directory, after the May 2022 update, looking for a “strong mapping between the certificate and account”.

    To avoid these login issues, CISA now recommends following its steps for setting two registry keys on domain controllers. The registry key settings allow admins to control whether the domain controller is in “Compatibility Mode” or “Full Enforcement Mode”. Microsoft explains that the reason for the tighter certificate checks in Compatibility Mode is that, prior to the May 2022 security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name, allowing for spoofing attacks. Applying the May 2022 security update puts devices in Compatibility Mode. And next year, on May 9, 2023, Microsoft will update all devices to Full Enforcement Mode if they are not already in it.

    “Once you have installed the May 10, 2022 Windows updates, devices will be in Compatibility mode. If a certificate can be strongly mapped to a user, authentication will occur as expected. If a certificate can only be weakly mapped to a user, authentication will occur as expected,” Microsoft explains in an FAQ. “However, a warning message will be logged unless the certificate is older than the user. If the certificate is older than the user and the Certificate Backdating registry key is not present or the range is outside the backdating compensation, authentication will fail, and an error message will be logged. If the Certificate Backdating registry key is configured, it will log a warning message in the event log if the dates fall within the backdating compensation. After you install the May 10, 2022 Windows updates, watch for any warning message that might appear after a month or more. If there are no warning messages, we strongly recommend that you enable Full Enforcement mode on all domain controllers using certificate-based authentication. You can use the KDC registry key to enable Full Enforcement mode.”

    But CISA says agencies should not migrate to strong certificate-user mapping yet, partly because it could conflict with some valid use cases in the Federal PKI ecosystem. CISA says it is in discussions with Microsoft to find a less disruptive solution. CISA says that Microsoft pushing Windows Server devices to ‘Full Enforcement’ mode in May 2023 “will break authentication if agencies have not created a strong mapping or added SIDs to certificates.”

    “CISA and the interagency working group are in active discussions with Microsoft for an improved path forward. At this time, CISA does not recommend agencies pursue migration to a strong mapping,” CISA says.

  • China data breach likely to fuel identity fraud, smishing attacks

    Businesses in China should brace themselves for a potential spike in smishing attacks and identity theft, following reports that the personal data of 1 billion residents in the country has been put up for sale online. If legitimate, the massive data breach could result in phone swapping or other identity fraud activities, which could impact a Chinese user’s social credit scoring.

    Hackers claiming to have access to databases containing the data had offered the information for sale on an online forum that specialised in the trading of stolen databases. Priced at 10 Bitcoins ($197,376) for 24TB worth of data, the personal details included date and place of birth, national identification number, residential address, and mobile number. The hackers claimed the data came from the Shanghai National Police and offered a sample dump. A report from the Wall Street Journal said the details of at least nine residents from this sample were confirmed to be legitimate.

    According to data security vendor Acronis, the data sample contained three categories of information: the resident’s personal data file, phone location data or address and phone number, and police incident or criminal case registry. For the latter, information such as the location of the crime and a brief incident description appeared to be leaked, Acronis’ co-founder and technology president Stas Protassov told ZDNet. Most of the criminal case information involved minor incidents and descriptions of the scene, including “a fight” at a specific location in Zhujing Town and minor road incidents.

    Protassov noted that these police records referred to people involved in the incidents, which could be damaging to them. He added that the compromised data could be used to personalise future attacks, such as spear phishing, or to commit fraud using the identity of the victims. He urged organisations and individuals to be on the lookout for fraudulent activities and malicious email or text messages.

    Asked if the data breach could have greater impact in China, where the use of some services requires registration based on personal information, Protassov said it was unlikely the compromised data on its own could result in hackers taking over such services. However, he warned that it could lead to phone swapping or other identity theft activities that could negatively impact a Chinese user’s scoring on social media platforms. Operators of apps that provide news, instant messaging, and other related services in China must require their users to register based on their mobile and identification card numbers. Users who refuse to do so or who use fraudulent identification data cannot be permitted to use the app. China operates a social credit system that aims to track and assess the trustworthiness of a person, company, or government agency. Each is tagged with a social credit score that is evaluated against various data sources, such as financial, government, and criminal records. The system is undergoing further refinement by the government.

    Protassov said that while news of data leaks was common, this breach was unique due to its volume. According to Check Point Software Technologies’ threat intelligence group manager Sergey Shykevich, the significant size of the compromised data indicated a high likelihood that cybercriminals might use the information to launch phishing and spear-phishing attacks. With the leaked data encompassing mobile numbers, Shykevich said businesses in China should be prepared for a potential wave of smishing, or SMS phishing, attacks. He added that the online forum touting the sale of the data also peddled other databases from China, including a courier database with 66 million user records that were allegedly stolen from ShunFeng Express in 2020, and data from driving schools in the country.

    A tweet from Binance CEO Changpeng Zhao suggested the latest data breach was the result of a government employee posting a tech blog on the Chinese Software Developer Network that accidentally included user credentials. Without access to the log files, Protassov said it was impossible to confirm the attack vector. Based on the ID format, he surmised it was likely an Elasticsearch dump, but it was unclear whether the breach was due to leaked credentials or poorly configured systems. “Such data leaks most commonly happen when someone leaves an unauthenticated Elastic instance available on the internet,” he added.

  • This WhatsApp scam promises big, but just sends you into a spiral

    A new phishing campaign on WhatsApp is scamming individuals who want to work in the United Kingdom. As documented by Malwarebytes, the scheme’s operators are sending out messages claiming to be from the UK government, offering a free visa and other benefits to individuals willing to move to the country. SEE: Google: Half […]

  • Ukrainian police take down phishing gang behind payments scam

    Ukrainian police said they have arrested suspected members of a cyber-criminal gang conducting an EU payments phishing scheme. In a statement, Ukraine’s Cyber Police Department and the Kyiv-based Pechersk Police Department said the criminal group created and promoted roughly 400 phishing links to send to the country’s citizens. The links sent victims […]

  • Google races out patch for this high-severity Chrome browser zero-day

    Google has released an update to Chrome 103 for Windows desktops that fixes a flaw in its implementation of WebRTC, which it warns is already under attack. The issue that Chrome update 103.0.5060.114 for Windows addresses is a “heap buffer overflow in WebRTC”, referring to when the buffer allocated in the heap […]

  • Singapore may introduce further cryptocurrency restrictions

    Singapore is mulling over additional rules on cryptocurrency trading that it says are necessary to safeguard the general public. These may include restrictions on retail trading and the use of leverage in cryptocurrency transactions. The revelation comes weeks after repeated warnings from the government that cryptocurrencies, due to their “sharp speculative price swings”, are unsuitable retail investments for the public.

    Recent market events clearly demonstrated the risks, with prices of several cryptocurrencies dipping significantly, said Senior Minister and Minister in Charge of the Monetary Authority of Singapore (MAS) Tharman Shanmugaratnam. In a written response issued Monday to a parliamentary question, he said MAS had issued cautionary notes about cryptocurrency investments since 2017. Noting that the industry regulator had already taken steps that went further than most others, Tharman said MAS in January restricted the marketing and advertising of cryptocurrency services in public areas as well as barred the portrayal of cryptocurrency trading as trivial. He added that digital payment token service providers had since adhered to the rules, which included the removal of both cryptocurrency ATMs and advertisements from public areas and public transport venues. Under the country’s Payment Services Act, MAS was empowered to implement further measures to ensure better consumer protection, maintain financial stability, and safeguard the effectiveness of its monetary policies, the minister said.

    Tharman said: “MAS has been carefully considering the introduction of additional consumer protection safeguards. These may include placing limits on retail participation and rules on the use of leverage when transacting in cryptocurrencies. Given the borderless nature of cryptocurrency markets, however, there is a need for regulatory coordination and cooperation globally. These issues are being discussed at various international standard setting bodies where MAS actively participates.”

    The European Union last week reached a provisional agreement on cryptocurrency regulations that aimed to “protect investors and preserve financial stability”. Dubbed Markets in Crypto Assets (MICA), the regulatory framework would cover issuers of unbacked crypto assets and stablecoins, trading platforms, and wallets in which crypto assets were held. For instance, under the new rules, cryptocurrency service providers must adopt “strong requirements” to protect consumers’ wallets and would be held liable when investors’ assets were lost. French Minister for the Economy, Finance, and Industrial and Digital Sovereignty, Bruno Le Maire, said: “Recent developments on this quickly evolving sector have confirmed the urgent need for an EU-wide regulation. MICA will better protect Europeans who have invested in these assets and prevent the misuse of crypto-assets, while being innovation-friendly to maintain the EU’s attractiveness.” MICA is still subject to the approval of the Council and European Parliament before going through formal adoption procedures.

    Singapore, though, has stressed the importance of driving the development of underlying technologies often associated with cryptocurrencies, specifically blockchain. Deputy Prime Minister and Coordinating Minister for Economic Policies Heng Swee Keat said last month that efforts were needed to bring out the best potential of emerging technologies while mitigating the risks. For instance, he said a consortium was set up to ensure the responsible use of artificial intelligence (AI) in the financial sector, and this led to the release of whitepapers and toolkits to guide the industry. The same approach should be applied to drive the upsides and minimise the downsides of Web 3.0 developments, Heng said, pointing to distributed ledgers and tokenisation, which drove transparency and cost savings.

    “Crypto assets have more recently been in the spotlight for the wrong reasons. This, however, does not reflect where the greatest value of blockchain and digital assets lies, much of which is away from the retail glare,” he said. He noted that while cryptocurrencies were unsuitable as retail investments due to their volatile prices, the underlying blockchain technology had the potential to streamline and improve wholesale cross-border transactions. MAS in May announced plans to pilot use cases of asset tokenisation and assess the feasibility of autonomous trading powered by blockchain technology. Efforts here would include the development of interoperable networks to facilitate digital asset trading as well as an evaluation of the regulations needed to safeguard against potential risks.

    According to a study released last August, 67% of personal investors in Singapore held cryptocurrencies, with 78% owning Ethereum and 69% holding Bitcoin. Investments in Singapore’s fintech sector also grew 47% year-on-year to hit $3.94 billion last year, with blockchain and cryptocurrencies raking in almost half of the funds with $1.48 billion across 82 deals, according to KPMG.

  • Giant data breach? Leaked personal data of one billion people has been spotted for sale on the dark web

    Sensitive personal information about over a billion people has apparently been leaked from a government agency and put up for sale on the dark web, in what would be one of the biggest data breaches in history. Information which has been leaked is said to include names, addresses, national ID numbers and mobile phone numbers, […]