Tag Archive for: They’re

Web apps have become so complex that they’re unsafe to use, researchers say


The shared-login tokens and processes used by many web-based apps and services, as well as some web apps themselves, are fundamentally insecure and create a potential gold mine for hackers, three security researchers said at the Black Hat and DEF CON computer-security conferences here last week. 

The problem is that today’s online services are so complex and difficult to understand that hackers, phishers and other crooks have plenty of opportunities to steal files, implant malware and gain access to accounts.

Source…

The Pentagon Tried to Take Down These Hackers. They’re Back.


Last fall, on the eve of the elections, the U.S. Department of Defense tried to throttle a transnational cybercrime group. But the hackers have rebuilt much of their operations. It’s become clear in recent months that the gang is very much alive and well.

Photo Illustration by The Daily Beast/Getty

The Russian-speaking hacking group, sometimes referred to by the name of the malware it uses, Trickbot, has gone after millions of victims around the globe, stealing victims’ banking credentials and facilitating ransomware attacks that have left businesses scrambling to pay hefty extortion demands for years.


And now, even though the Pentagon’s U.S. Cyber Command tried to put a dent in the gang’s operations last year, there are signs the hacking gang is working behind the scenes, quietly updating its malware to monitor victims and gather intelligence. That’s according to the latest intelligence from Romania-based cybersecurity firm Bitdefender, which shared its findings exclusively with The Daily Beast.

Cyber Command went after Trickbot in advance of Election Day last year to prevent any disruptions to the 2020 presidential elections.

But in recent weeks the hackers have been updating a specific part of their operations, namely a tool that helps them remotely control victims’ computers called a VNC module, Bitdefender found. And the hackers already appear to be leveraging their new tool to plot their next attack, says Bogdan Botezatu, Bitdefender’s director of threat research and reporting.

“We’re talking about a massive operation,” Botezatu said, noting that his team set up a system mimicking a victim, known as a honeypot, and that Trickbot has already gone after it. “The administrators were doing reconnaissance… They will decide later what they can capitalize on depending on how much information is on the device or whether it’s part of a business environment or not.”

The hackers also appear to be working on infrastructure that could allow them to sell access to other attackers, according to Vikram Thakur, a technical director at the security firm Symantec, which has previously run efforts to disrupt…

Source…

Businesses are getting better at security. But they’re still forgetting one big risk


With major cyber attacks on critical infrastructure such as the SolarWinds attack, the Florida water treatment facility hack, and the US East Coast’s Colonial Pipeline ransomware crisis, the security of products — and not just information systems — really needs to be taken more seriously, argues Chris Wysopal, founder and CTO of code scanning company Veracode.



While the CISO protects information in the enterprise, Wysopal is arguing this week at the RSA 2021 conference that products need a level of attention equivalent to that given to enterprise information systems. His call for greater focus on product security comes as supply chain attacks are on the rise and governments across the world attempt to grapple with the problem of tampered-with products entering an organization.


“Products are different. Products leave the enterprise. Think of Tesla’s product security. It’s the car. You could think of a medical device company, but even in more information-oriented companies, it’s an app, it’s a standalone website and they’re starting to become outside of the enterprise. They have a life of their own,” Wysopal tells ZDNet. 

Wysopal is a notable figure in the cybersecurity scene, and was one of the original vulnerability researchers and one of seven members of the L0pht ‘hacker think tank’ who told the US Senate in 1998 that the group could bring down the internet in 30 minutes.

Wysopal reckons products like these need a C-level exec with a better engineering skillset than a CISO typically has — a role more focused on monitoring networks and systems to keep hackers out. 

“Historically, a CISO has not been required to build in security into a piece of software or a device,” he says.

“The traditional CISO doesn’t have that security engineering and product engineering background. They traditionally have grown up through compliance or network security, and they don’t have the understanding of software or code-level vulnerabilities. So you’ll have a lot of times where you have product security not reporting to a CISO, but reporting to the VP of engineering.”

At Veracode, the CISO reports to him as the CTO, while his head of product, which…

Source…

Square’s Cash App vulnerable to hackers, customers claim: ‘They’re completely ghosting you’


Without warning, hackers drained every dollar of cash, stock, or bitcoin out of accounts linked to Cash App, Square’s (SQ)’s popular payments platform, six of its customers told Yahoo Finance.


Cash App functions as a substitute bank for many of its more than 36 million monthly users.

“I had to sell my car seat that I just bought for my baby that I’m going to have in a couple of months, so that I could feed my kids, because I have no money now,” Shania Jensen, 24, a Cash App user from Utah, said about her account shortly after it was drained of nearly $3,000.

Jensen, one of six Cash App customers who recently told Yahoo Finance they were targeted by unauthorized transactions, said when she went to bed on the evening of March 5 her money was in her account, and by 7 a.m. the next day, it was gone. She said she filed a police report, a complaint with the Better Business Bureau (BBB), and reported the matter to Utah’s attorney general.

March 7, 2020 Tweet posted by Cash App user Shania Jensen

Mobile payment platforms such as Cash App, as well as PayPal (PYPL), PayPal’s Venmo, Google Pay, and bank owned Zelle, have seen a rise in downloads during the COVID-19 pandemic, and with the increase, a jump in the number of app reviews mentioning the word “scam” or “fraud” for all except Zelle, according to mobile intelligence firm Apptopia.

Cash App — which accounted for nearly half of Square’s profit in the most recent quarter — stands out for its wide range of available transactions. It accepts direct deposits for paychecks and government stimulus funds, processes peer-to-peer transfers, offers its own branded debit card, and permits users to buy and sell stock and bitcoin (BIT-USD) within the app (as of March 17, it lets users send bitcoin to other Cash App users for free).

The six Cash App customers said repeated efforts to talk directly with a human being at the company to help them get their money back were largely unsuccessful, exhausting, and stressful. Cash App acknowledges that it has no live phone support “generally available,” but says it views fighting fraud as critically important and has invested in…

Source…