More stories

  • YubiKey Bio builds biometric authentication into a security key

    Today sees YubiKey security keys become even better with Yubico’s launch of the YubiKey Bio — biometric authentication built right into a security key, allowing for quick, simple, and streamlined passwordless authentication for desktop-based FIDO-supported services and applications. The YubiKey Bio uses a three-chip architecture that stores the biometric fingerprint in a separate secure element, offering protection from physical attacks. This, according to Yubico, allows the YubiKey Bio to “act as a single, trusted hardware-backed root of trust which allows the user to authenticate with the same key across multiple desktop devices, operating systems, and applications.” Where biometrics are not supported, users can fall back to a PIN set during the initial setup.

    Because everything is built into the key, the authentication mechanisms are protected from tampering even if the host system is compromised. The keys can be managed using the Yubico Authenticator for Desktop, an app available for Windows, macOS, and Linux. It is used to enroll new fingerprints, and to add or delete fingerprints when native platform and browser capabilities are limited.


    Customers should choose the YubiKey Bio if they are:

    - Securing an account with a service that supports only FIDO U2F or FIDO2/WebAuthn protocols
    - Authenticating using a desktop device
    - In cloud-first environments
    - Using shared workstations and in mobile-restricted environments

    However, there are situations where users will be better off using the YubiKey Series 5 keys:

    - They require broader form factors and NFC support
    - The users need to work across desktop and mobile devices
    - Users need to support applications and services using a range of protocols such as OTP, FIDO U2F and FIDO2/WebAuthn, and Smart card/PIV
    - They are securing legacy and modern environments, offering a bridge to passwordless while utilizing non-FIDO protocols

    I’ve had my hands on the YubiKey Bio for the past few days, and I have to say that they are an impressive bit of technology. The biometric reader is fast and super reliable, and the whole robust package is everything I’ve come to expect from Yubico.

    The YubiKey Bio enables biometric login on desktop with all applications and services that support FIDO protocols, as well as offering out-of-the-box support for Citrix Workspace, Duo, GitHub, IBM Security Verify, Microsoft Azure Active Directory and Microsoft 365, Okta, and Ping Identity.

    The YubiKey Bio Series is available in USB-A and USB-C form factors, and keys are priced at $80 and $85, respectively. They are available for purchase from Yubico.

  • This new Android malware gets full control of your phone to steal passwords and info

    Another new form of Android malware is being spread via text messages with the aim of luring victims into clicking a malicious link, and inadvertently allowing cyber criminals to gain full control of the device to steal personal information and bank details.  Dubbed TangleBot, the malware first appeared in September and once installed gains access to many different permissions required for eavesdropping on communications and stealing sensitive data, including the ability to monitor all user activity, use the camera, listen to audio, monitor the location of the device, and more. Currently, it’s targeting users in the US and Canada. 


    The campaign has been detailed by cybersecurity researchers at Proofpoint, who note that while the initial lures came in the form of SMS messages masquerading as information about Covid-19 vaccination appointments and regulations, more recent efforts have falsely claimed that local power outages are about to occur.

    In each case, the potential victim is encouraged to follow a link referencing the subject of the lure for more information. If they do, they’re told that in order to view the content on the website, Adobe Flash Player needs to be updated. Adobe stopped supporting Flash in December 2020, and it hasn’t been supported on mobile devices since 2012, but many users probably won’t know this.

    Clicking the link leads victims through a series of nine dialogue boxes requesting acceptance of the permissions and of installation from unknown sources; if accepted, these give the attackers the ability to set up and configure the malware.

    TangleBot provides the attackers with full control over the infected Android device, allowing them to monitor and record all user activity, including which websites are visited, and to steal usernames and passwords using a keylogger, while also allowing them to record audio and video using the microphone and camera.

    The malware can also monitor data on the phone, including messages and stored files, as well as monitoring the GPS location, allowing what researchers describe as a “full range of surveillance and collection capabilities”.

    SMS messages have become a common vector for spreading malware, with FluBot malware being particularly prominent in recent months. FluBot often spreads via text messages claiming the victim has missed a delivery and, like TangleBot, tricks users into downloading malware that allows cyber criminals to steal sensitive information. The two forms of malware are unlikely to come from the same cyber-criminal group, but the success and potency of both demonstrate how SMS has become an attractive means of spreading campaigns.

    “If the Android ecosystem has shown us anything this summer, it is that the Android landscape is rife with clever social engineering, outright fraud, and malicious software all designed to deceive and steal mobile users’ money and other sensitive information,” said Proofpoint researchers in a blog post. “These schemes can appear quite convincing and may play on fears or emotions that cause users to let down their guard,” they added.

  • Atom Silo ransomware operators target vulnerable Confluence servers

    A new ransomware operator is targeting Confluence servers, using a recently disclosed vulnerability to obtain initial access to vulnerable systems.

    According to Sophos cybersecurity researchers Sean Gallagher and Vikas Singh, the new threat actors, dubbed Atom Silo, are taking advantage of the flaw in the hope that Confluence server owners have yet to apply the security updates that resolve the bug. Atlassian Confluence is a web-based virtual workplace for the enterprise, allowing teams to communicate and collaborate on projects.

    Sophos described a recent attack conducted by Atom Silo over a period of two days. The vulnerability used in the attack, tracked as CVE-2021-08-25, allowed the cybercriminals to obtain initial access to the victim’s corporate environment. The Confluence vulnerability is being actively exploited in the wild. While it was fixed in August, the vendor warned that Confluence Server and Confluence Data Center are at risk and should be patched immediately. If exploited, unauthenticated threat actors are able to perform an OGNL injection attack and execute arbitrary code. CVE-2021-08-25 was used to compromise the Jenkins project in September. US Cybercom said in the same month that attacks were “ongoing and expected to accelerate.”

    In the case examined by Sophos, Atom Silo exploited the vulnerability on September 13 and used the code injection bug to create a backdoor, leading to the download and execution of a second, stealthy backdoor. To stay under the radar, this payload dropped a legitimate, signed piece of software that is vulnerable to an unsigned DLL sideload attack. A malicious .DLL was then used to decrypt and load the backdoor from a separate file containing code similar to a Cobalt Strike beacon, creating a tunnel for remotely executing Windows shell commands through WMI.

    “The intrusion that made the ransomware attack possible made use of several novel techniques that made it extremely difficult to investigate, including the side-loading of malicious dynamic-link libraries tailored to disrupt endpoint protection software,” the researchers say.

    Within a matter of hours, Atom Silo began moving laterally across its victim’s network, compromising multiple servers in the process and executing the same backdoor binaries on each while also conducting additional reconnaissance. Eleven days after the initial intrusion, ransomware and a malicious kernel driver utility payload, designed to disrupt endpoint protection, were deployed. Separately, another threat actor noticed the same system was vulnerable to CVE-2021-08-25 and quietly implanted cryptocurrency mining software.

    The ransomware is “virtually identical” to LockFile. Files were encrypted with the .ATOMSILO extension, and a ransom note demanding $200,000 was then dropped on the victim’s system.

    “Ransomware operators and other malware developers are becoming very adept at taking advantage of these gaps, jumping on published proof of concept exploits for newly-revealed vulnerabilities and weaponizing them rapidly to profit off them,” Sophos says. “To reduce the threat, organizations need to both ensure that they have robust ransomware and malware protection in place, and are vigilant about emerging vulnerabilities on Internet-facing software products they operate on their networks.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Misconfigured, old Airflow instances leak Slack, AWS credentials

    Apache Airflow instances that have not been properly secured are exposing everything from Slack to AWS credentials online. 

    On Monday, Intezer malware analyst Nicole Fishbein and cybersecurity researcher Ryan Robinson said the instances, vulnerable to data theft, belong to industries including IT, cybersecurity, health, energy, finance, and manufacturing, among other sectors.

    Apache Airflow, available on GitHub, is an open source platform designed for scheduling, managing, and monitoring workflows. The modular software is also used to process data in real time, with work pipelines configured as code. Apache Airflow version 2.0.0 was released in December 2020 and implemented a number of security enhancements, including a new REST API that enforces authentication on its operations, and a shift to explicit value settings rather than default options.

    While examining active, older versions of the workflow software, the cybersecurity firm found a number of unprotected instances that exposed credentials for business and financial services including Slack, PayPal, AWS, Stripe, Binance, MySQL, Facebook, and Klarna. “They [instances] are typically hosted on the cloud to provide increased accessibility and scalability,” Intezer noted. “On the flip side, misconfigured instances that allow internet-wide access make these platforms ideal candidates for exploitation by attackers.” The most common security issue behind these leaks was hardcoded passwords embedded in the Python DAG code running on the instances.

    In addition, the researchers found that the Airflow “Variables” feature was a source of credential leaks. Variable values can be shared across all DAG scripts within an instance, but if the instance is not configured properly, this can expose passwords. The team also found misconfigurations in the “Connections” feature of Airflow, which provides the link between the software and a user’s environment. Not all credentials are entered in the right place, the team says: they can end up in the free-form “extra” field rather than in the encrypted portion of a Connection, and as a result are exposed in plaintext.

    “Many Airflow instances contain sensitive information,” the researchers explained. “When these instances are exposed to the internet the information becomes accessible to everyone since the authentication is disabled. In versions prior to v1.10 of Airflow, there is a feature that lets users run Ad Hoc database queries and get results from the database. While this feature can be handy, it is also very dangerous because on top of there being no authentication, anyone with access to the server can get information from the database.”

    Intezer has notified the owners of the vulnerable instances through responsible disclosure. It is recommended that Apache Airflow users upgrade to the latest version and check user privilege settings to make sure no unauthorized users can obtain access to their instances.
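    As an added illustration (not Intezer’s tooling, and not part of Apache Airflow), the following Python script performs the two checks an Airflow administrator would want after reading the findings above: it walks DAG source with the standard `ast` module looking for string literals bound to credential-like names (the hardcoded-password-in-DAG case), and it inspects Connection records for secrets placed in the free-form `extra` field instead of the encrypted `password` field. The sample DAG and connection records are constructed for the example, and the name patterns and placeholder rules are assumptions to tune for a real deployment; findings report names and locations only, never the secret values.

```python
"""Added example: find credentials stored where Airflow does not protect them.

Not Intezer's tooling and not part of Apache Airflow. Two checks, matching
the two leak sources described above:

  1. String literals bound to credential-like names in DAG Python source
     (hardcoded passwords in DAG code).
  2. Connection records whose free-form `extra` JSON carries a password- or
     token-like key instead of using the encrypted `password` field.

Findings report names and locations only, never the secret values.
"""
from __future__ import annotations

import ast
import json
import re

# Assumed heuristics: names that usually hold a secret, and values that are
# templates or placeholders ({{ var.value.x }}, ${ENV}, <redacted>) rather
# than real secrets.
SECRET_NAME = re.compile(r"password|passwd|pwd|secret|token|api_key|apikey|access_key", re.I)
PLACEHOLDER = re.compile(r"^(\{\{.*\}\}|\$\{.*\}|<[^>]*>|changeme|x{3,})?$", re.I)


def _is_secret_literal(node: ast.AST) -> bool:
    """True for a non-placeholder string constant such as "hunter2"."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and not PLACEHOLDER.match(node.value))


def find_hardcoded_secrets(source: str, filename: str = "<dag>") -> list[dict]:
    """Return credential-like names bound to string literals in DAG source."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        # PASSWORD = "..."
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                        and _is_secret_literal(node.value)):
                    findings.append({"file": filename, "line": node.lineno,
                                     "name": target.id, "kind": "assignment"})
        # SomeHook(password="...")
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg and SECRET_NAME.search(kw.arg) and _is_secret_literal(kw.value):
                    findings.append({"file": filename, "line": node.lineno,
                                     "name": kw.arg, "kind": "keyword argument"})
        # {"api_key": "..."}, e.g. inside default_args or op_kwargs
        elif isinstance(node, ast.Dict):
            for key, value in zip(node.keys, node.values):
                if (isinstance(key, ast.Constant) and isinstance(key.value, str)
                        and SECRET_NAME.search(key.value) and _is_secret_literal(value)):
                    findings.append({"file": filename, "line": node.lineno,
                                     "name": key.value, "kind": "dict literal"})
    return findings


def find_secrets_in_extra(connections: list[dict]) -> list[dict]:
    """Flag connections whose `extra` JSON holds credential-like keys.

    Each record mirrors a row of Airflow's connection table: conn_id,
    conn_type, login, password, extra (JSON string or None).
    """
    findings = []
    for conn in connections:
        raw = conn.get("extra")
        if not raw:
            continue
        try:
            extra = json.loads(raw)
        except json.JSONDecodeError:
            continue  # legacy non-JSON extras are out of scope here
        if not isinstance(extra, dict):
            continue
        for key, value in extra.items():
            if SECRET_NAME.search(key) and isinstance(value, str) and not PLACEHOLDER.match(value):
                findings.append({"conn_id": conn["conn_id"], "key": key,
                                 "fix": "move to the encrypted password field"})
    return findings


# Constructed sample DAG: one hardcoded password, one templated value (fine),
# one secret hidden in default_args, one passed as a keyword argument, and
# one environment placeholder (fine). It is parsed, never executed.
SAMPLE_DAG = '''
from airflow import DAG
from airflow.operators.python import PythonOperator
from airflow.providers.postgres.hooks.postgres import PostgresHook

DB_PASSWORD = "hunter2"
SLACK_TOKEN = "{{ var.value.slack_token }}"
default_args = {"owner": "etl", "api_key": "sk-constructed-example"}
hook = PostgresHook(postgres_conn_id="warehouse", password="pg-constructed")

def push(**kwargs):
    pass

with DAG("nightly_export", default_args=default_args) as dag:
    PythonOperator(task_id="push", python_callable=push,
                   op_kwargs={"password": "${EXPORT_PASS}"})
'''

# Constructed connection records; the values are not real credentials.
SAMPLE_CONNECTIONS = [
    {"conn_id": "warehouse", "conn_type": "postgres", "login": "etl",
     "password": "stored-encrypted-by-airflow", "extra": None},
    {"conn_id": "slack_alerts", "conn_type": "http", "login": None,
     "password": None, "extra": json.dumps({"token": "xoxb-constructed"})},
    {"conn_id": "s3_export", "conn_type": "aws", "login": "AKIA-constructed",
     "password": None,
     "extra": json.dumps({"aws_secret_access_key": "constructed-secret",
                          "region_name": "eu-west-1"})},
]

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_DAG, "nightly_export.py"):
        print(f"{f['file']}:{f['line']}: {f['kind']} '{f['name']}' holds a literal secret")
    for f in find_secrets_in_extra(SAMPLE_CONNECTIONS):
        print(f"connection '{f['conn_id']}': key '{f['key']}' in extra; {f['fix']}")
```

    Run against a real deployment, the first function would be pointed at every file under the DAGs folder and the second at rows exported from the connection table; templated and environment-sourced values are deliberately skipped, since those are the mechanisms the report recommends over literals.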

  • JFrog becomes latest organization authorized as numbering authority for vulnerabilities exposure

    Software company JFrog has become the latest organization to be designated by the CVE Program as a CVE Numbering Authority (CNA). Currently, there are 189 organizations from 31 countries participating as CNAs, with more than 100 based in the US. The designation allows the company to assign CVE identification numbers to newly discovered security vulnerabilities and publish related details in associated CVE Records for public consumption. JFrog will now be authorized to work with the cybersecurity community on a variety of security issues and provide customers with differentiated remediation data through its JFrog Xray product.

    Moran Ashkenazi, CISO and VP of Security Engineering at JFrog, said becoming a CNA will not only allow them to help security researchers verify and triage their vulnerabilities but also help keep companies’ binaries more secure by collaborating on potential threats with the wider security community. “The number of security risks in software and connected devices continues to grow. As a CNA we’re empowered to work with the community to accelerate threat detection and share information on new vulnerabilities fast — before they compromise businesses,” Ashkenazi said.

    CVE records are used around the world to identify and organize the critical software vulnerabilities that are discovered on a daily basis. Each vulnerability is assigned a CVE ID by a CNA such as JFrog.

    JFrog Security CTO Asaf Karas said that with the CNA designation, the company can more effectively and efficiently disseminate the results of its research to customers and the software community in general — for both newly discovered vulnerabilities and existing CVE records that may be inaccurate or incomplete. “With this achievement, JFrog reinforces its commitment to being an active participant in the security community and providing our customers with scalable, secure, development-to-edge DevSecOps solutions,” Karas said.

  • Facebook goes down, along with Instagram and WhatsApp

    October 4th got off to a bad start for Facebook. The world’s most popular social network went down at about 11:44 EDT. It wasn’t just Facebook, though: Instagram, WhatsApp, and Facebook Messenger also went down.

    While Facebook has yet to report on what’s happening with this total social network failure, website status sites such as DownForEveryoneOrJustMe and DownDetector are all reporting that Facebook is down. The problem isn’t limited to the United States; there are numerous reports that the site is down in Europe and the Middle East.

    Some Facebook users report seeing an error message reading: “Sorry, something went wrong. We’re working on it and we’ll get it fixed as soon as we can.” Instagram and WhatsApp users say they’re getting a “5xx Server Error.” Facebook Communications Director Andy Stone tweeted, “We’re aware that some people are having trouble accessing our apps and products. We’re working to get things back to normal as quickly as possible, and we apologize for any inconvenience.”

    This collapse comes the morning after Facebook whistleblower Frances Haugen revealed on 60 Minutes that Facebook’s own research shows that it amplifies hate, misinformation, and political unrest to maximize profits over the good of the public.

  • iOS 15.0.1: Bugfixes galore

    Apple was in such a rush to get iOS 15 out based on its self-imposed timeline that it tripped over its shoelaces and fell flat on its face in front of millions of iPhone users. The bugs were big and obvious and included “Storage almost full,” an inability to unlock with the Apple Watch when wearing a mask, weird camera juddering, and a temperamental swipe-to-unlock function. Those were a lot of bugs for iPhone owners to get used to, especially users who’d dropped a lot of money on new hardware.

    It took almost two weeks for Apple to release iOS 15.0.1, an update that consists of last-minute bug fixes and improvements. But is it an improvement? In a word, yes. And taking that further, it’s what iOS 15 should have been.

    iOS 15.0.1 fixes a lot of the big, obvious bugs:

    - Gone is the “Storage almost full” message.
    - Apple Watch unlocking when wearing a mask now works.
    - The Camera app doesn’t do that crazy judder when switching between lenses.
    - The unlocking bug seems gone.
    - The operating system feels a lot smoother and less glitchy.
    - It doesn’t feel like ProMotion is working properly yet, but it doesn’t feel as jarring now, so it’s better on the eyes.
    - Battery life and performance seem to be about the same as for iOS 15, but your mileage there may vary across different devices.

    The first few weeks and months following a new iOS release are a busy time for Apple, and iOS 15 is no exception. iOS 15.1 is making its way through the beta stages, and we’re likely to see more releases between now and spring. If you’ve been holding back on making the leap to iOS 15, then I’d say that iOS 15.0.1 is not a bad time to jump. There may be some surprises waiting to be uncovered, but early reports seem good and it’s a huge improvement on the initial release.