President Donald Trump has finally signed a long-awaited executive order on cybersecurity, and he called for the U.S. government to move more into the cloud and modernize its IT infrastructure. The order, signed on Thursday, is designed to “centralize risk” and move the government’s agencies toward shared IT services, White House homeland security adviser Tom Bossert said in a press briefing “We’ve got to move to the cloud, and try to protect ourselves, instead of fracturing our security posture,” he said. Too much time and money have been spent protecting old federal IT systems, some of which store U.S. citizens’ data, he said. In response, Trump’s executive order demands that all agency heads “show preference” for shared IT services when procuring new IT services. The planned modernization also includes transitioning government agencies to one or more consolidated networks. Bossert said the goal is to view “our IT as one federal enterprise network.” “If we don’t do so, we will not be able to adequately understand what risk exists and how to mitigate it,” he said. Government agencies will also implement the NIST framework, voluntary guidance that the U.S. National Institute of Standards and Technology first published in 2014 to protect organizations from cyberthreats. “It is something we have asked the private sector to implement, and not forced upon ourselves,” Bossert said. “From this point forward, departments and agencies shall practice what we preach.” Security experts said the executive order is a good start toward safer IT systems and moves toward tackling a whole host of cybersecurity issues facing the U.S. For instance, it calls on the government to release reports over the next months, detailing how it can bolster the U.S. cybersecurity work force, protect the country from hacks, and work with foreign countries to stop cyber-related threats. “This order is more of a plan for a plan,” Michael Daniel, former White House cybersecurity coordinator, said in an email. “I think the main question is whether these reports will be studies or presenting options, and hopefully it will be more of the latter,” added David Simon, a former special counsel at the U.S. Department of Defense and partner at legal firm Mayer Brown. Trump signed the order after questions arose over its delay. Bossert said there were concerns with parts of the order, one of which called on industry stakeholders to help stop DDoS attacks from botnets, which are armies of hacked computers. Some had worried the executive order would force private companies to stop botnets, but Bossert said any action would occur voluntarily. Thursday’s executive order was also timed to coordinate with another Trump effort to modernize the U.S. government’s IT infrastructure, which the White House announced earlier this month. The post Trump's cybersecurity order pushes U.S. government to the cloud appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/trumps-cybersecurity-order-pushes-u-s-government-to-the-cloud/
0 Comments
President Trump today signed a long-delayed cybersecurity executive order that prioritizes the protection of federal networks and critical industries, and instructs agency heads to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity. The order was to be signed in late January, before it was postponed. Early drafts called for a 60-day assessment of critical federal systems and raised concerns that service providers could be compelled to shut down suspicious traffic. The order today instead puts an emphasis on risk management, updating antiquated systems such as those at the core of the disastrous OPM hack in 2015, and treating federal networks as one enterprise network, said Tom Bossert, Trump’s Homeland Security adviser, during a White House press briefing. The order also keeps cybersecurity in the mainstream as officials continue to deliberate how to handle Russian interference in the U.S. presidential election, relentless data leaks from WikiLeaks and the Shadowbrokers, and the threat to the U.S. economy and privacy posed by cybercriminals. Bossert said the executive order is the first step toward not only enhancing the security of critical industries such as finance, health care and utilities, but also in creating a deterrence policy, calling it long overdue. “Russia is not our only adversary there. Other nations are motivated to use cyber to attack our people and our data,” Bossert said. “We need to establish rules of the road of proper behavior on the Internet and deter those who don’t abide.” Bossert said that he expects more interaction between the feds and private sector tech leaders, and singled out the reduction of botnets and their potential to initiate DDoS attacks as a premise for enhanced cooperation from service providers and manufacturers with the government. “What the president calls for is for the government to provide a basis for coordination,” Bossert said. “We know they have the technical capacity to reduce botnets dramatically.” Rep. James Langevin (D-RI) said the executive order’s mandate to review existing policy and modernize IT by going to a shared services model and giving preference to cloud services in future procurement will help secure critical federal networks. “Relying on agencies to adequately protect their assets in this new domain has proven unsustainable, as evidenced by the 2015 breach of the Office of Personnel Management,” Langevin said, “and strengthening the review process by the Department of Homeland Security and the Office of Management and Budget should help agencies better understand the risks they face and the resources available to them.” The order puts an emphasis on risk management through the use of the NIST Framework. Agency heads will have 90 days to report to DHS and OMB on their respective risk mitigation strategies, budgetary considerations, accepted risks (unmitigated vulnerabilities) and an action plan to implement the Framework. “We have practiced one thing and preached another,” Bossert said, adding that the government has asked the private sector to implement the Framework, but not enforced upon itself. “From this point forward, departments and agencies will practices what we preach and implement that same NIST Framework for risk management and risk reduction.” The executive order is written in three sections, with the first focusing on the NIST Framework, and the second and third on securing critical infrastructure and national security respectively. With respect to critical infrastructure, the order directs DHS, FBI, the Director of National Intelligence and the Attorney General to identify infrastructure at greatest risk and report to the president within six months findings and recommendations. Officials are also to prepare reports on resilience to botnets, attacks against the electric utilities and readiness to respond. The national security section of the order focuses on deterrence and protection and mandates within 90 days a report providing strategic options in that direction. The president also wants recommendations on enhancing international cooperation and workforce development. “It will be interesting to see whether the deterrence report and the international strategy will say anything new—but in general, I don’t see anything unusual or that really goes in a different policy direction,” said Michael Daniel, former White House cybersecurity coordinator and president of the Cyber Threat Alliance, in a statement. “Of course, this order is more of a plan for a plan, because an EO can only direct federal agencies to do things they can already do within the law, but the reports it calls for are good ones to have, for the most part.” The post Trump Signs Cybersecurity Executive Order appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/trump-signs-cybersecurity-executive-order/ Microsoft is receiving mixed reviews for its shift to delivering security update information via its newly launched Security Update Guides. The change was official in April, with Microsoft explaining it would allow system administrators to effectively pair specific patches with vulnerabilities, and that the introduction of API support would help customers automate some aspects of patching. After this week’s release of patches, however, the jury is still out when it comes to liking or loathing the new format. For starters, some critics argue it takes longer to parse the data delivered via Security Update Guides. “I typically spend two to three hours to read through and determine what updates need to go to our systems, document, etc. I spent a solid eight hours trying to make sense of everything today and get it organized, and I’m not close to being finished,” wrote a Tech Net community member on a forum where Microsoft is soliciting feedback on the new format. Other gripes include broken third-party patching tools reliant on the way Microsoft’s old security bulletins presented data, and Security Update Guide glitches that make using the tool more difficult. On the plus side, security experts say the new focus on Common Vulnerabilities and Exposures (CVE) is refreshing, making it easier to prioritize critical fixes and ignore products that are not relevant to a company. They also argue support for APIs in the long run will make the regular Patch Tuesday release of vulnerability data more pliable and useful. “I think it is more aligned with the continuous update model Microsoft has been rolling out over the past year,” said Allen Falcon, CEO of Cumulus Global, IT solution provider and Microsoft partner. “I think it’s easier to read and better communicates the flaws relevant to my customers.” Security professionals and system administrators alike have had time to adjust. Microsoft told customers about the switch in November; Microsoft had planned the switchover for February’s Patch Tuesday, but when that update was postponed, the changeover was rescheduled for April. The biggest changes include no longer publishing security updates on the Microsoft Security Bulletin website and instead on a new site called Security Update Guide. Differences include new sorting capabilities that allows users to filter vulnerabilities and updates by things such as CVEs, KB numbers, products and release dates. The idea, Microsoft said, is to allow users to filter out products that don’t apply to them and more easily find updates relevant to the products they use. To help accomplish this, Microsoft is leveraging a new RESTful API to obtain security update information and share it. “This eliminates the need for you to employ outdated methods like screen-scraping of security bulletin web pages to assemble working databases of necessary and actionable information,” according to a Nov. 8 TechNet blog post. When asked to respond to critics regarding the update, Microsoft declined to answer specific Threatpost questions and released the statement: “The new portal gives customers access to all the information they had before in a customizable way, ensuring transparency with our releases and providing tools that enable more personal computing,” a Microsoft spokesperson wrote. The switch to Security Update Guides is the latest change that is part of Microsoft’s overhaul in how it delivers software updates and security patches that began last year. In October, Microsoft introduced its new patch process for Windows 7 and 8. The move was an effort to streamline patching to more closely match how Microsoft delivered updates to Windows 10. That method, referred to as Windows as a service, has also been welcomed and feared by sysadmin. “Unfortunately, Microsoft has a track record that includes releasing faulty patches and ones that can break mission critical systems,” said Joe Balsarotti, president of Software To Go, an IT solution provider and Microsoft partner. He said a bad update can cost tens of thousands of dollars in time and money if he has to roll back systems and fix problems caused by a bad patch. Balsarotti said the move to Security Update Guides goes hand in hand with the cumulative roll-up model. The new information and delivery of updates is geared more toward automation and supports APIs to download information into a structured format. That allows sysadmin to create their own scripts and programs for parsing Patch Tuesday data. “People do not want to think about individual patches anymore; they just want to know they are safe,” said Aamir Lakhani, global security strategist for Fortinet. “Things have changed. Microsoft is following operating systems such as OS X, Google Chromium OS, iOS, where systems are updated, not individual patches. Applications have been using this method for a long time. When you update Firefox, Adobe Reader or most other applications, you get one single file with all the security updates and patches.” Gone are Microsoft Security Bulletins that used to group information on related vulnerability, products and KBs together to give a holistic view of updates being released on Patch Tuesday, said Amol Sarwate, director of engineering at Qualys. “In March 2017, Microsoft released 18 security bulletins in the old format which in my opinion are easy to understand as compared to the 1,774 items that were downloaded in a spreadsheet using the new security update guide for the same month,” Sarwate said. Greg Wiseman, Senior Security Researcher at Rapid7, argues with the introduction of API support system administrators can be used to custom configure patching data however they see fit. “In the short to medium term, I expect security teams will develop tools and processes based on API that can replicate the Patch Tuesday summaries that Microsoft used to provide,” Wiseman said. “The API makes it easier to develop such tools, and we may find this ease of development leads to a wider array of useful, more flexible utilities.” The post Microsoft’s New Security Update Guides Get Mixed Reviews appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/microsofts-new-security-update-guides-get-mixed-reviews/ A hacker has stolen millions of user account details from popular education platform Edmodo, and the data is apparently for sale on the so-called dark web. Teachers, students and parents use Edmodo to work on lesson plans, assign homework, and more. The organization claims to have over 78 million members. “Thanks to those who guided and supported us in the beginning, we’re now the number one K-12 social learning network in the world, dedicated to connecting all learners with the people and resources they need to reach their full potential,” Edmodo’s website reads. For-profit breach notification site LeakBase provided Motherboard with a sample of over two million user records for verification purposes. The data includes usernames, email addresses, and hashed passwords. The passwords have apparently been hashed with the robust bcrypt algorithm, and a string of random characters known as a salt, meaning hackers will have a much harder time obtaining user’s actual login credentials. Not all of the records include a user email address. Motherboard verified the data by attempting to create new Edmodo accounts with a large, random selection of emails included in the data. With every tested email this was not possible, because the address was already linked to an Edmodo account. One Edmodo user reached by Motherboard also confirmed they used the service, and said she signed up five to six years ago. ![]() The dark web listing of the stolen Edmodo data. Image: Screenshot A vendor going under the name of nclay is currently listing the Edmodo data on the dark web marketplace Hansa for just over $1,000. In all, nclay claims to have 77 million accounts, and according to LeakBase, around 40 million include an email address. (Motherboard has not seen the full alleged database). The accounts were stolen last month according to nclay’s dark web listing. The vendor did not respond to a request for clarification. “Protecting the privacy and security of our users has always been critical to Edmodo,” the company’s VP of Marketing and Communications Mollie Carter told Motherboard in an email. The company is investigating the data breach. The post Hacker Steals Millions Of User Account Details From Education Platform Edmodo appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/hacker-steals-millions-of-user-account-details-from-education-platform-edmodo/ Unlike most of the other multifactor authentication products that have been profiled in this series, SecureAuth IdP can be used for both multifactor authentication and single sign-on purposes. SecureAuth came to multifactor authentication from the single sign-on space, where the company got its start. As a multifactor authentication (MFA) tool, SecureAuth IdP (currently on version 9.0), like other similar MFA products in this series, adds additional security measures to standard username/password logins to a variety of servers and services. This prevents unauthorized logins, even when passwords have been compromised and shared among many different services. As a single sign-on (SSO) tool, SecureAuth IdP connects to a directory service, such as Active Directory (AD), during the sign-in process. Users sign in to a web-based portal and use that as the basis for the authentication of the SSO app portfolio, where the multifactor elements are applied. This means users don’t have to remember — or, in some cases, even need to know — what their Google or Box passwords are to gain access to these apps. The cloud-based authentication service is an appropriate technology for midsize to large enterprises. It is especially suitable for those that make use of a variety of external software as a service (SaaS)-based services and want to greatly improve security. SecureAuth IdP pricingSecureAuth IdP offers user-based pricing, as quoted below (see chart). There are surcharges for a version supporting more than five applications, and a higher charge for a version supporting more than 10 applications. On top of this, risk-based authentication adds another $3 per user, per year. It is sold both directly by the vendor and via channel partners. ![]() SecureAuth IdP management and administrationAs with Okta Verify, SecureAuth IdP comes from the SSO world and, as such, reflects a very strong federation and Security Assertion Markup Language (SAML) story. This means the MFA product is easily integrated into a wide variety of applications, and under an assortment of circumstances, especially as SAML gains credence and popularity among SaaS applications. Besides SAML, SecureAuth IdP can leverage a number of other MFA integration methods. These include, for example, specific agents that customers can add to Microsoft Internet Information Services, Apache Tomcat and JBoss web servers to enable those technologies to accept the authentication federation. It also supports virtually all VPNs currently on the market, any application that supports federation and any application where the customer controls the login page itself. All of this makes SecureAuth IdP a very flexible, strong authentication tool. End users get a self-service, web-based portal where they can update their second-factor connections or even reset their AD password without any IT involvement. This reduces the amount of administration time required to maintain user logins, which is a plus for many IT employees. Administrators, meanwhile, can set up a separate help desk web app where they or the end user can easily revoke any certificates or disable any authentication tokens that have gone awry. Also, unlike some of the other MFA products we’ve looked at, there is no additional software to download or agents to install. This greatly simplifies the configuration process as compared to products such as Symantec’s Validation and ID Protection Service or EMC RSA’s Authentication Manager and SecurID platform, for example. ![]() One of the more interesting aspects of SecureAuth IdP is that, unlike most other multifactor authentication solutions, it supports multiple authentications that can be issued in a sequence, depending on the level of security required. That way, IT managers can move a password (usually the first factor) to the last entry in a workflow. This means very flexible workflows can be created with step-up authentication inserted at any point in the login process. For example, IT can have a user enter his or her social network ID upfront, and then strengthen the login afterwards with additional authentication hurdles. Version 9.0 now includes behavior biometrics in its platform. One drawback to SecureAuth IdP is that the reports are not as simple to set up as with some of its competitors, and it will require some customization on its web portal. Once reports are created, they are easily exported into a CSV format, however. ConclusionSecureAuth IdP is both a solid SSO and multifactor authentication tool that combines the best of both worlds. If an enterprise is using numerous SaaS-based apps and wants to solve the issue of needing stronger passwords that are unique across a wide variety of services, this product should receive serious consideration. The post SecureAuth IdP: An overview of its multifactor authentication ability appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/secureauth-idp-an-overview-of-its-multifactor-authentication-ability/ An audio driver that comes installed on some HP-manufactured computers records users’ keystrokes and stores them in a world-readable plaintext file, researchers said Thursday. The culprit appears to be version 1.0.0.31 of MicTray64.exe, a program that comes installed with the Conexant audio driver package on select HP machines. ModZero, a Swiss security firm, found the file–which it calls a keylogger, and disclosed it Thursday via an advisory on its site. Researchers with the firm say the program monitors all keystrokes made by the user and that it’s been programmed to capture and react to functions such as microphone mute/unmute keys/hotkeys. The keylogger broadcasts the keystrokes through a debugging interface and writes them to a log file, C:UsersPublicMicTray.log. ModZero is warning the issue (CVE-2017-8360) could lead to the leaking of sensitive user information, such as passwords. Anyone with access to the unencrypted file system could recover the data. Furthermore, since the program isn’t considered malicious, malware authors wouldn’t have trouble capturing victim’s keystrokes either. Researchers say the keylogger comes registered as a Microsoft Scheduled Task, so it runs after each user login. While the file is overwritten each time, ModZero says it could easily be recruited by a running process or analyzed by someone with forensic tools. Researchers surmised the software has been recording keystrokes since version 1.0.0.31 was released, on Christmas Eve 2015, but stress that the same problem exists in the most recent version, 1.0.0.46, released last October. Researchers say it’s not known if the log data is submitted to Conexant or for that matter why the keystrokes are logged being logged in the first place. Thorsten Schroeder, ModZero’s senior security consultant and CEO, says there’s no proof the program was intentionally implemented but that it mostly demonstrates the developers’ “negligence.” “If the developer would just disable all logging, using debug-logs only in the development environment, there wouldn’t be problems with the confidentiality of the data of any user,” Schroeder wrote Thursday. Schroeder says he attempted to contact Conexant about the driver twice, once via email in April and again in May via Twitter, but failed to hear back both times.
ModZero also warns the audio driver comes installed on a slew of HP machines, including its EliteBook, Elite x2, ProBook, and ZBook lines, but could exist in other machines. The company also delivers audio drivers for Dell, Lenovo, and Asus machines although at this point it’s not certain they feature the same audio driver. The firm says the following HP products are affected however:
Conexant Systems, which began as a spinoff of Rockwell International in 1999, makes chips and software for audio and image processing. The company did not immediately return a request for comment Thursday morning. Schroeder said he attempted to contact HP about the issue as well. A Hewlett-Packard Enterprise security advisor reportedly denied any wrongdoing and contacted members of HP Inc.’s security team earlier this month. After failing to hear back, Schroeder disclosed the issue, including proof of concept code, Thursday morning. Neither HP, nor HPE responded to requests for comment on Thursday. It’s unclear if this is a feature or a flaw of the driver, but until it’s sorted out ModZero is encouraging HP computer owners to verify whether MicTray.exe is installed on their machines and delete the executable. “We recommend that you delete or rename the executable files so that no keystrokes are recorded anymore,” Schroeder wrote, “However, the special function keys on the keyboards might no longer work as expected. If a C:UsersPublicMicTray.log file exists on the hard-drive, it should also be deleted immediately, as it can contain a lot of sensitive information such as login-information and passwords.” The post Keylogger Found in Audio Drivers on Some HP Machines appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/keylogger-found-in-audio-drivers-on-some-hp-machines/ Nearly thirty different Hewlett-Packard Windows PC models may be recording every keystroke their owners make and storing them in a human-readable file accessible to any user on the PC. Oh, boy. Switzerland-based security company Modzero recently discovered a keylogger present in an audio program in HP PCs called MicTray. Modzero reported it on their blog early Thursday morning. You can also find a complete list of affected HP PC models in the company’s security advisory. Affected models include PCs from the HP Elitebook 800 series, HP ProBook 600 and 400 series’, the EliteBook Folio G1, and others. The program has existed on HP PCs since at least late 2015, Modzero says. The keylogger in question appears to be a creation of either HP or Conexant, one of HP’s component partners. PCWorld has contacted HP and Conexant for comment. We’ll update this article if the companies respond. Poor executionWhile the keylogger sounds nefarious, it’s appears to be the result of some poorly conceived solutions to legitimate problems. The software in question is designed to identify whether a user has entered certain keystrokes that activate audio hardware features, according to Modzero. The program could be monitoring to see whether a microphone is supposed to be on or off, for example. But in addition to monitoring for specific key presses there are also some diagnostic and debugging features built into the software, Modzero says. The end result is that as of MicTray version 1.0.0.46 all keystrokes on affected HP PCs are recorded in human readable format and accessible at That file could contain sensitive information such as passwords and usernames, as reported by Modzero. The file is overwritten with every login on the PC, but that erased content could still conceivably be retrieved by a sophisticated attacker. The impact on you at home: If you have an HP PC, first check to see if the program in question exists on your PC as either Next, go to The post Some HP PCs are recording your keystrokes appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/some-hp-pcs-are-recording-your-keystrokes/ A recent ASUS firmware update addressed a number of vulnerabilities in 30 models of its popular RT routers. The flaws were privately disclosed by researchers at Baltimore consultancy Nightwatch Cybersecurity, and were patched starting in March, with 10 updates added Wednesday. Users should ensure their firmware is up to date and running on version 3.0.0.4.380.7378. The vulnerabilities were found in a native web interface on the devices and allow an attacker on the same local network to change router settings, steal Wi-Fi passwords or leak system information. ASUS addressed all but one of the disclosed vulnerabilities, an issue found in two JSONP endpoints that leak some information about the router without the need for the attacker to be logged in. Nightwatch’s Yakov Shafranovich said ASUS did not consider this a security issue. “It is an information disclosure issue which can be used to detect if a router is an ASUS router, but cannot be used as an attack on its own,” Shafranovich said. “We disagree because this can be used to facilitate an attack; it would be the first step to detect if the router is an ASUS router.” Shafranovich said that two cross-site request forgery vulnerabilities were the most critical among the disclosures. One was found on the router’s login page and the other within the interface that saves settings, both of which lacked CSRF protection. An attacker could lure a victim to a site hosting malicious JavaScript and carry out a CSRF attack to login to the router. If the user has failed to change the default password on the device, this facilitates the attack even further. “Fool a user that is on a network using an Asus router into visiting a malicious page; the JavaScript code on that page that can do the rest,” Shafranovich said. Nightwatch also found a separate JSONP information disclosure vulnerability that requires authentication. An attacker can use these to learn information through the router, including network information, surrounding access points, a map of devices on the local network, external IP addresses, WebDAV information and more. The researchers also found an XML endpoint in the router that reveals the router’s Wi-Fi- password. “But to fully exploit this issue, it would require a mobile or desktop application running on the local network since XML cannot be loaded cross origin in the browser,” Nightwatch said in its advisory. The researchers said that exploits targeting the JSONP issues would load the JSONP endpoints via SCRIPT tags, while the XML endpoint issue could be exploited through a malicious application. “All of these assume that the attacker knows the local IP address of the router,” the researchers said. “This could probably be guessed or be determined via Javascript APIs like WebRTC. For desktop and mobile applications, determination of the gateway address should be trivial to implement.” Nightwatch also published a list of affected models: Added Wednesday:
Originally updated in March:
The post ASUS Patches RT Router Vulnerabilities appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/asus-patches-rt-router-vulnerabilities/ The IDENTIKEY Authentication Server, which includes multifactor authentication software tools and DIGIPASS tokens offered by VASCO Data Security International Inc., adds additional security measures to standard username/password logins across a wide range of servers and services. This stops unauthorized logins, even when passwords have been compromised and shared among many different services. These multifactor authentication (MFA) tools are appropriate for midsize and large enterprises, especially those that want to make use of a variety of external software-as-a-service offerings. VASCO has been one of the leaders in multifactor authentication for two decades, as is evident from the breadth and depth of its offerings (see table below). It supports a wide selection of token and server types, mobile operating systems, phones and authentication methods. ![]() This makes the product a lot more flexible and useful for a greater variety of use cases, as well as enabling it to secure a lot more applications than a number of its competitors. The downside is that there are multiple pieces of this MFA product that have to be purchased and integrated together to provide a full platform. By contrast, cloud-based tools, such as Okta, have fewer moving parts and better integration. IDENTIKEY servers and applicationsThe company has several product lines that work together. The VASCO IDENTIKEY Authentication Server family of products is the company’s off-the-shelf authentication product that supports applications that can utilize industry standard protocols, such as Active Directory, RADIUS, Lightweight Directory Access Protocol and Simple Object Access Protocol (SOAP). In addition, VASCO provides DIGIPASS Authentication plugins for the Outlook Web App, Citrix StoreFront, Microsoft Active Directory Federation Services 3.0, Microsoft’s Internet Information Service web server and Remote Desktop Web interfaces. VASCO also offers an API-based tool called VACMAN Controller that the customer can integrate into their existing applications. The controller enables customers to add MFA support to any application and just about any workflow they wish. The VASCO IDENTIKEY comes as Windows or Linux software, runs on most hypervisors (VMware, Citrix, Hyper-V) and is also available as a physical or virtual appliance for on-premises deployments, or as a cloud-based, managed authentication service. VASCO DIGIPASS tokensVASCO has been in the token business for a long time, dating back to when its tokens were first used to secure interactive voice response systems. In addition to the usual types of tokens mentioned, VASCO also supports web-based and Windows software-type tokens. Administrators can determine which end users have access to certain user and DIGIPASS pools, as well as who can assign them, and which DIGIPASS types they can use on each policy. Unfortunately, customers will also need to review separate manuals for each of these components. Provisioning and activation of the DIGIPASS software has become an easier task since VASCO released the User Self-Management website for that purpose. The VASCO product requires a separate federation server for its Security Assertion Markup Language (SAML) 2.0 support, but once this is set up, the functionality is similar to other vendors’ software. IDENTIKEY Authentication Server reportingReports are available in a wide selection of PDF, HTML and XML formats. There are more than 30 report templates that can be customized in a variety of ways and then downloaded once they are complete. There are also numerous preset policies that can be customized — along with menus — to set authentication for particular groups, or for situations such as logins from internal versus external machines. This makes getting the right reports generated for either management or support staff a lot easier and more useful. VASCO IDENTIKEY pricingThere are also three grades for server software pricing: the standard level, which doesn’t include any software application agents; the gold level, which includes 10 web-based applications, such as Outlook Web Access and Citrix Receiver, along with high-availability support; and the enterprise level, which includes all connectors and the higher support level. Mobile software tokens cost extra, and VASCO sells through a two-tiered reseller network. Support for 24/7 responses is extra. VASCO IDENTIKEY Authentication Server is a powerful tool that has sold many tokens over the years, and which supports a wide variety of applications and use cases. While its pricing is complex, VASCO offers comparative features to RSA, but at a more affordable price. This product also comes in a cloud-based version. The post VASCO IDENTIKEY Authentication Server and a look at its key features appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/vasco-identikey-authentication-server-and-a-look-at-its-key-features/ Researchers have identified a strain of cookie stealing malware injected into a legitimate JavaScript file, that masquerades as a WordPress core domain. Cesar Anjos, a security analyst at Sucuri, a firm that specializes in WordPress security, came across the malware during an incident response investigation and described it in a blog post Tuesday. Anjos says it appears attackers used typosquatting, or URL hijacking, to craft the phony domain, code.wordprssapi[.]com. Typosquatting is a technique that usually relies on users making typographical errors when inputting URLs into a web browser. In this case the fake site is designed to look like a legitimate WordPress domain so it doesn’t appear out of place in the code. The researcher said it appeared attackers injected malware into the bottom of a legitimate WordPress JavaScript file designed to reroute sensitive information, such as cookies, to the fake domain. Denis Sinegubko, a senior malware researcher at Sucuri, told Threatpost Wednesday that it’s likely an attacker took advantage of another vulnerability in WordPress to inject the obfuscated code in the first place. “Modern attacks rarely use one specific vulnerability. They usually scan for multiple known vulnerabilities (mostly in third-party themes and plugins) and then exploit whatever they find,” Sinegubko said. Anjos points out that in addition to appearing at the bottom of an actual WordPress JavaScript file – wp-includes/js/hoverIntent[.]min[.]js – the code also uses a typical obfuscation pattern, eval(function(p,a,c,k,e,d). The function, commonly used in JavaScript libraries and scripts, tightly packs code that’s later executed when the page loads. After Anjos decoded the obfuscated code, he saw the malicious – and now offline – wordprssapi site. In this case Anjos says a conditional statement hidden at the top of the code excludes cookies from user agents from search engine crawlers. That “extra mile” by the attacker, Anjos says, helps weeds out cookie information from crawlers and bots and “ensures that the data being sent to attackers is more likely to immediately be usable.” Once it’s been determined the data – in this case a users’ cookies – are valuable, a script sends it to the malicious site (code.wordprssapi[.]com) so it can be siphoned up and used by attackers, Anjos says. By stealing a user’s cookies, through what’s essentially a session hijacking attack, an attacker can pretend to be that user and perform any actions the user has permission to perform. At least until those permissions are revoked; something that’s done after a period of inactivity for many types of online accounts, including WordPress. The site that URL is mimicking, code.wordpressapi[.]com, isn’t even a legitimate site, the researcher points out. But in this case, that doesn’t matter; the fact that it includes the word “WordPress” is enough to make it look like it belongs, Anjos says; that’s what tricks users. “By purchasing a domain closely resembling a legitimate website platform or service, some webmasters might overlook this in their code and assume it is an official WordPress domain (which it is not),” Anjos wrote. Sinegubko is a bit puzzled when it comes to who may have been behind the malicious site. “No clue,” Sinegubko said when asked Wednesday, “As always, WHOIS data is ‘privacy protected,’ the IP (45.32.137.126) points to vultr[.]com network (not a typical choice for hackers especially with the Windows IIS/8.5 server).” In addition to ensuring they have clean code, webmasters should double check sites to ensure they’re not sending sensitive data, like cookies or passwords, to a third party, Anjos says. “This is something that all webmasters should be aware of when they are auditing their own code. Be careful and always check that a domain is legitimate, especially if it is involved in collecting or sending information to a third-party site,” the researcher wrote. The post Session Hijacking, Cookie-Stealing WordPress Malware Spotted appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/session-hijacking-cookie-stealing-wordpress-malware-spotted/ |
ABOUT USFree, secure collections for I.T recycling and CESG approved data erasure for individuals, businesses and large-scale projects. I.T Asset Disposal | Computer Recycling | Re-marketing & Cashback | Secure Data Erasure. Archives
May 2017
Categories |