Strengthening 2-Step Verification with Security Key

October 21, 2014 – 5:17 PM

2-Step Verification offers a strong extra layer of protection for Google Accounts. Once enabled, you’re asked for a verification code from your phone in addition to your password, to prove that it’s really you signing in from an unfamiliar device. Hackers usually work from afar, so this second factor makes it much harder for a hacker who has your password to access your account, since they don’t have your phone.

Today we’re adding even stronger protection for particularly security-sensitive individuals. Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google. Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished.

Security Key and Chrome incorporate the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, so other websites with account login systems can get FIDO U2F working in Chrome today. It’s our hope that other browsers will add FIDO U2F support, too. As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere FIDO U2F is supported.

Source:
http://googleonlinesecurity.blogspot.com/2014/10/strengthening-2-step-verification-with.html
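The origin check the post relies on, worked through as an added example (this is not Google's or the FIDO Alliance's code): a simulated Security Key, browser and relying party in Go using the U2F authentication message layout. The relying party's appID and origin are https://accounts.google.com as in the post; the phishing origin https://accounts-google-login.example, the key pair and the challenge are constructed for the example, and the key-handle/appID check a real token also performs is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData is the JSON the browser builds for the token to sign. The browser,
// not the page, fills in origin; that is what makes the signature origin-bound.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser returns to the site after a tap: the exact
// client-data bytes that were hashed, the counter, and a DER ECDSA signature.
type assertion struct {
	ClientData []byte
	Counter    uint32
	Signature  []byte
}

// signedBytes lays out the U2F authentication message:
// SHA-256(appID) || user-presence byte || 4-byte big-endian counter || SHA-256(clientData).
func signedBytes(appID string, presence byte, counter uint32, cd []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(cd)
	msg := append(app[:], presence, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, chal[:]...)
}

// securityKey models the token: a P-256 key pair and a monotonic counter.
type securityKey struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}
func (k *securityKey) sign(appID string, cd []byte) (assertion, error) {
	k.counter++
	h := sha256.Sum256(signedBytes(appID, 1, k.counter, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, h[:])
	return assertion{ClientData: cd, Counter: k.counter, Signature: sig}, err
}

// relyingParty is the real site; it checks the origin before trusting the signature.
type relyingParty struct {
	appID, origin string
	pub           *ecdsa.PublicKey
}

func (rp *relyingParty) verify(challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil || cd.Typ != "navigator.id.getAssertion" || cd.Challenge != challenge {
		return fmt.Errorf("client data is malformed or does not match the outstanding challenge")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.origin)
	}
	h := sha256.Sum256(signedBytes(rp.appID, 1, a.Counter, a.ClientData))
	if !ecdsa.VerifyASN1(rp.pub, h[:], a.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// browserSign is the browser's part: client data carries the origin of the page that asked.
func browserSign(k *securityKey, appID, origin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: origin})
	return k.sign(appID, cd)
}

// runScenario returns verification results for (1) a genuine sign-in, (2) an
// assertion collected on a look-alike phishing origin and relayed unchanged, and
// (3) that assertion with its client data rewritten to claim the real origin.
func runScenario() (genuine, relayed, forged error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key := &securityKey{priv: priv}
	rp := &relyingParty{appID: "https://accounts.google.com", origin: "https://accounts.google.com", pub: &priv.PublicKey}
	raw := make([]byte, 32)
	rand.Read(raw)
	challenge := base64.RawURLEncoding.EncodeToString(raw)
	a, _ := browserSign(key, rp.appID, rp.origin, challenge)
	genuine = rp.verify(challenge, a)
	// Tap on a look-alike site (origin constructed for this example): the browser still records its origin.
	p, _ := browserSign(key, rp.appID, "https://accounts-google-login.example", challenge)
	relayed = rp.verify(challenge, p)
	p.ClientData, _ = json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: rp.origin})
	forged = rp.verify(challenge, p)
	return
}
func main() {
	g, r, f := runScenario()
	fmt.Printf("genuine: %v\nrelayed: %v\nforged: %v\n", g, r, f)
}
```

The second scenario fails at the origin comparison before any cryptography runs. The third shows why the browser must hand over the exact client-data bytes: the token signed the SHA-256 of those bytes, so a phisher cannot swap in the real origin after the fact. A real browser also refuses to let a page use an appID belonging to another origin, so a phishing page would not normally get even this far.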

Banks: Credit Card Breach at Staples Stores

October 20, 2014 – 8:35 PM

Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating “a potential issue” and has contacted law enforcement.

According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Framingham, Mass.-based Staples has more than 1,800 stores nationwide, but so far the banks contacted by this reporter have traced a pattern of fraudulent transactions on a group of cards that had all previously been used at a small number of Staples locations in the Northeast.

The fraudulent charges occurred at other (non-Staples) businesses, such as supermarkets and other big-box retailers. This suggests that the cash registers in at least some Staples locations may have fallen victim to card-stealing malware that lets thieves create counterfeit copies of cards that customers swipe at compromised payment terminals.

Source:
http://krebsonsecurity.com/2014/10/banks-credit-card-breach-at-staples-stores/

This POODLE bites: exploiting the SSL 3.0 fallback

October 14, 2014 – 7:45 PM

Today we are publishing details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker. I discovered this issue in collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers).

SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

Google Chrome and our servers have supported TLS_FALLBACK_SCSV since February and thus we have good evidence that it can be used without compatibility problems. Additionally, Google Chrome will begin testing changes today that disable the fallback to SSL 3.0. This change will break some sites and those sites will need to be updated quickly.

In the coming months, we hope to remove support for SSL 3.0 completely from our client products.

Source:
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
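How TLS_FALLBACK_SCSV stops the downgrade the post describes, as an added example (not Google's, OpenSSL's or any browser's code): a Go simulation of the ClientHello exchange between a fallback-capable client, a server that honours the SCSV, a network attacker that kills every handshake newer than SSL 3.0, and a version-intolerant server of the kind the fallback exists for. The version numbers, the SCSV value 0x5600 and alert 86 (inappropriate_fallback) are the ones from RFC 7507; the client, servers and attacker are constructed models rather than real TLS stacks.

```go
package main

import "fmt"

// Protocol versions as carried in the ClientHello (major, minor).
const (
	SSL30 uint16 = 0x0300
	TLS10 uint16 = 0x0301
	TLS11 uint16 = 0x0302
	TLS12 uint16 = 0x0303
	// TLS_FALLBACK_SCSV, the signalling cipher suite value from RFC 7507.
	fallbackSCSV uint16 = 0x5600
	// The fatal alert a server sends when it sees the SCSV on a downgraded hello.
	alertInappropriateFallback = 86
)

type clientHello struct {
	version      uint16   // highest version this attempt offers
	cipherSuites []uint16 // real suites omitted; only the SCSV matters here
}
type result struct {
	version uint16 // negotiated version, 0 if the handshake failed
	alert   int    // alert the server sent, 0 if none
	dropped bool   // the connection died on the network or at a buggy server
}

// server models the server side. intolerantAbove (0 = well behaved) simulates the
// buggy servers that made browsers add fallback: hellos above it are dropped.
type server struct {
	maxVersion      uint16
	intolerantAbove uint16
	supportsSCSV    bool
}

func (s server) handle(ch clientHello) result {
	if s.intolerantAbove != 0 && ch.version > s.intolerantAbove {
		return result{dropped: true}
	}
	if s.supportsSCSV && ch.version < s.maxVersion && hasSuite(ch.cipherSuites, fallbackSCSV) {
		// The client says this is a retry at a lower version, but we speak a
		// higher one, so the earlier failure was not ours: refuse to proceed.
		return result{alert: alertInappropriateFallback}
	}
	if ch.version > s.maxVersion {
		ch.version = s.maxVersion
	}
	return result{version: ch.version}
}
func hasSuite(suites []uint16, want uint16) bool {
	for _, s := range suites {
		if s == want {
			return true
		}
	}
	return false
}

// client models a browser doing protocol fallback: offer the newest version and,
// when the connection fails, retry one lower. An RFC 7507 client adds the SCSV to every retry.
type client struct {
	maxVersion, minVersion uint16
	sendSCSV               bool
}

// attacker filters the network path (nil = honest); false kills the connection.
type attacker func(ch clientHello) bool

func (c client) connect(s server, a attacker) result {
	var last result
	for v := c.maxVersion; v >= c.minVersion; v-- {
		ch := clientHello{version: v}
		if c.sendSCSV && v < c.maxVersion {
			ch.cipherSuites = append(ch.cipherSuites, fallbackSCSV)
		}
		if a != nil && !a(ch) {
			last = result{dropped: true}
			continue
		}
		if last = s.handle(ch); last.dropped {
			continue
		}
		return last // negotiated, or a fatal alert: no further fallback
	}
	return last
}
// poodleDowngrade is the post's network attacker: kill every handshake newer than SSL 3.0.
func poodleDowngrade(ch clientHello) bool { return ch.version <= SSL30 }

func main() {
	browser := client{maxVersion: TLS12, minVersion: SSL30, sendSCSV: true}
	patched := server{maxVersion: TLS12, supportsSCSV: true}
	unpatched := server{maxVersion: TLS12}
	buggy := server{maxVersion: TLS10, intolerantAbove: TLS10, supportsSCSV: true}
	fmt.Printf("honest network, SCSV both sides:    %+v\n", browser.connect(patched, nil))
	fmt.Printf("POODLE attacker, SCSV both sides:   %+v\n", browser.connect(patched, poodleDowngrade))
	fmt.Printf("POODLE attacker, server lacks SCSV: %+v\n", browser.connect(unpatched, poodleDowngrade))
	fmt.Printf("buggy TLS 1.0 server, honest net:   %+v\n", browser.connect(buggy, nil))
}
```

Two things to take from the runs. The SCSV only helps when both ends implement it: a server that ignores the suite, or a browser that never sends it, still ends up at SSL 3.0 under the attacker. And the intolerant-server case is the compatibility point from the post: the server only raises the alert when its own best version is higher than the one offered, so fallback to a server that genuinely tops out at TLS 1.0 continues to work.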

Dropbox has been hacked, change your password immediately

October 13, 2014 – 10:25 PM

If you use Dropbox, you need to change your password immediately, as it looks like there has been a breach in security. In a posting on Pastebin, which we will not link to as it contains account data, the poster claims to have nearly 7 million account user names and passwords. To prove that the information is real, 420 user names and passwords have been posted.

It looks like Dropbox has taken quick action as well and is now forcing everyone to change their password. If you attempt to use any of the combinations, it will tell you that your password has expired.

Neowin can confirm that some of the accounts were real and that this appears to be a legitimate breach in security, as we have seen evidence of some of the leaked account credentials authenticating to Dropbox’s servers.

While Dropbox has taken quick action, we know that many users have the same passwords on multiple sites. Because of this, it is best to keep all of your passwords site-specific so that if there is a breach, you do not have to change every site. Further, for any site that offers two-factor authentication, it is a best practice to enable it.

It goes without saying that this will hurt Dropbox’s reputation, but it will also affect the entire industry, as some users are already nervous about giving other companies the ability to store their content.

While we wait for Dropbox to issue a statement on the breach, all signs point to the fact that this could be a real exposure of user credentials, which raises many new questions, such as how did they get the information and why are the passwords in plain text?

Source:
http://www.neowin.net/news/dropbox-has-been-hacked-change-your-password-immediately

The malware of the future may come bearing real gifts

October 12, 2014 – 1:03 PM

“What,” asked the speaker, “if Notepad behaved just like you would expect it to, but only for the first hour or so that you used it? What if it began to do different things after that?”

According to Giovanni Vigna, a professor at the University of California, Santa Barbara, and the head of the Center for CyberSecurity and Seclab there, such possum-like behaviour and long-term thinking represent the future of the malware arms race.

Speaking at IP Expo today, Prof. Vigna outlined scenarios in which an increasingly sophisticated and opaque breed of malicious executable will evolve to ‘mimic’ the behaviour patterns of benign software, in an attempt to avoid wasting its payload behaviour on a sandbox or virtualised environment.

Three thousand previously unidentified malware entities flood the network every day. Many are old ‘friends’ repackaged to generate hashes unfamiliar to the databases of BitDefender, Symantec and other anti-malware companies, and this guarantees them at least an hour in the wild, if not a whole ‘zero’ day.

But others are genuinely evolutionary. Instead of sprinting for a buffer overflow, some malware now demonstrates incredibly circumspect behaviour upon launch. The first thing the entity wants to know is if it is running in front of a real user and in a real system, and to this end it has developed an ever-growing map of tell-tale signs that it might not be in Kansas after all.

Source:
http://thestack.com/mimicry-in-malware-giovanni-vigna-081014
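The environment checks and delayed activation Prof. Vigna describes, as an added example in Go (mine, not Seclab's or any real sample's code): a model of the decision logic only, driven by a constructed host profile rather than live system calls, written so that a sandbox operator can see which tell-tale signs to mask. The MAC prefixes are the hypervisors' well-known default vendor OUIs; every threshold, every profile value, and the two-indicator and one-hour limits are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// hostProfile is a snapshot of facts a sample can gather cheaply at start-up.
// Every value used below is constructed for this example.
type hostProfile struct {
	macAddrs        []string
	cpus            int
	ramMiB          int
	uptimeMinutes   int
	recentDocuments int  // documents the user opened recently
	mouseMoved      bool // any pointer movement since launch
	sleepAskedMs    int  // length of a Sleep() the sample requested ...
	sleepElapsedMs  int  // ... measured against an independent clock
}

// vmOUIs are MAC-address vendor prefixes hypervisors hand out by default.
var vmOUIs = map[string]string{
	"00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
	"08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM", "00:16:3e": "Xen", "00:1c:42": "Parallels",
}

// sandboxIndicators returns every tell-tale that fired. The thresholds are
// illustrative assumptions, not measurements of any particular sandbox.
func sandboxIndicators(h hostProfile) []string {
	var hits []string
	for _, mac := range h.macAddrs {
		if len(mac) >= 8 {
			if vendor, ok := vmOUIs[strings.ToLower(mac[:8])]; ok {
				hits = append(hits, "MAC prefix registered to "+vendor)
				break
			}
		}
	}
	if h.cpus < 2 {
		hits = append(hits, "single CPU")
	}
	if h.ramMiB < 2048 {
		hits = append(hits, "less than 2 GiB RAM")
	}
	if h.uptimeMinutes < 10 {
		hits = append(hits, "machine booted minutes ago")
	}
	if h.recentDocuments == 0 {
		hits = append(hits, "no recently used documents")
	}
	if !h.mouseMoved {
		hits = append(hits, "no pointer movement")
	}
	// Sandboxes often fast-forward sleeps so that delayed payloads fire inside
	// the analysis window; a sample can notice when its nap ended too early.
	if h.sleepAskedMs > 0 && h.sleepElapsedMs*10 < h.sleepAskedMs*9 {
		hits = append(hits, "sleep was accelerated")
	}
	return hits
}

// decideAtLaunch is the behaviour the talk describes: look like benign software
// unless the machine seems real, and even then wait out a short analysis run.
// The two-indicator and one-hour limits are assumptions for this example.
func decideAtLaunch(h hostProfile, minutesRunning int) string {
	switch {
	case len(sandboxIndicators(h)) >= 2:
		return "benign: environment looks instrumented"
	case minutesRunning < 60:
		return "benign: still inside a typical analysis window"
	default:
		return "switch behaviour"
	}
}

// Two constructed profiles: a default analysis VM and an ordinary office desktop.
var (
	analysisVM = hostProfile{macAddrs: []string{"08:00:27:4e:66:a1"}, cpus: 1, ramMiB: 1024,
		uptimeMinutes: 3, sleepAskedMs: 60000, sleepElapsedMs: 250}
	desktop = hostProfile{macAddrs: []string{"3c:52:82:aa:bb:cc"}, cpus: 8, ramMiB: 16384,
		uptimeMinutes: 4300, recentDocuments: 27, mouseMoved: true, sleepAskedMs: 60000, sleepElapsedMs: 60004}
)

func main() {
	for name, h := range map[string]hostProfile{"analysis VM": analysisVM, "desktop": desktop} {
		fmt.Printf("%s: %d indicators %v\n", name, len(sandboxIndicators(h)), sandboxIndicators(h))
		fmt.Printf("  at 5 min: %s; at 90 min: %s\n", decideAtLaunch(h, 5), decideAtLaunch(h, 90))
	}
}
```

Read from the sandbox side this is a checklist: give the guest a MAC prefix that is not a hypervisor default, at least two vCPUs and a few GiB of RAM, seed it with documents and synthetic input, let it run longer than the sample's patience, and if sleeps are fast-forwarded, make sure no independent clock the sample can reach gives that away.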