Multi-Factor is incomplete without backup codes


This blog was written by an independent guest blogger.

I was logging into one of my favorite online shopping sites the other day, and, as with all my other sites, I was presented with the multi-factor authentication prompt to complete the login process. Anyone who knows me knows that I have been a long-time supporter of multi-factor, or 2-step verification of any kind.

The only problem I had with the login on this occasion was that my phone was dead. Like most folks, my phone contains the authenticator applications that allow me to log into most of the sites that do not allow the use of a FIDO hardware token. This created an unusual conundrum, in that not only does my phone contain the authenticator application, but the only backup method the site offers is to send a text message to a registered phone number if the authenticator application is unavailable. The problem is that the registered phone number is attached to the same dead phone that contains the authenticator application.

Usually, this is not a problem, as most sites that have fully thought through their implementation of multi-factor authentication have also considered the problem of the lost or otherwise non-functioning phone, and they issue one-time backup codes when the 2FA process is first enabled. These codes can be stored in a safe place.

Recently, when Google announced to a select group of Gmail users that their mail accounts would be required to use multi-factor authentication, many people protested. While I can understand the shock that many felt at the imposition of an unsolicited change to the login process, I commended the fact that steps were being taken to protect these vulnerable accounts. Google also did everything right: they gave people multiple options to verify the login process, including one-time backup codes to be used if the authenticating device is unavailable.

Many people who dislike multi-factor will lament the thought of also having to store what amounts to more passwords, as one-time codes can arguably be thought of as just another password. This is where a password manager can serve double duty to assist the password-weary.

Most password managers offer free-text fields that often go ignored and unused. However, that big open space can be used to store a lot of useful information. For example, the one-time codes can be stored there, in addition to the random answers to the common security questions asked by many sites.

None of what I am positing here should be misinterpreted to mean that I am against multi-factor authentication in any way. Until passwordless technology replaces the current methods, I will remain committed to supporting 2FA as the best method we have right now. In the meantime, the problem that needs to be addressed is how to get more sites to fully realize their multi-factor implementations and offer one-time codes along with whatever other methods they use for their enhanced security options. One has to wonder why this was overlooked in the first place. Until these solutions are established, I suppose I need to be more diligent about keeping my phone charged. Happy shopping!
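The post argues that a complete multi-factor rollout issues one-time backup codes at enrolment. The following is an added example, not code from the post or from any site it mentions, showing the server-side half of that: codes are shown to the user once, only salted hashes are stored, input is normalised so a code copied from a password manager in any case or spacing still matches, and each code is deleted the first time it is accepted so it cannot be replayed. All names and parameters (alphabet, code length, count) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of backup-code enrolment and redemption for one account.
# An ambiguity-free alphabet (no 0/O, 1/l/I) makes codes easier to copy by hand.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10
CODES_PER_USER = 8
PBKDF2_ITERATIONS = 100_000


def _hash_code(code: str, salt: bytes) -> bytes:
    # Normalise user input so "ABCDE-FGHJK", "abcde fghjk" and "abcdefghjk" all match.
    normalised = code.replace("-", "").replace(" ", "").lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, PBKDF2_ITERATIONS)


def generate_backup_codes(n=CODES_PER_USER):
    """Return (plaintext_codes, stored_records).

    The plaintext list is displayed to the user exactly once at enrolment;
    only the salted hashes in `stored_records` are persisted server-side.
    """
    plaintext = []
    records = []
    for _ in range(n):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        display = raw[:5] + "-" + raw[5:]          # grouped for readability
        salt = secrets.token_bytes(16)
        plaintext.append(display)
        records.append({"salt": salt, "hash": _hash_code(raw, salt)})
    return plaintext, records


def redeem_backup_code(records, submitted: str) -> bool:
    """Accept a code at most once: on a match its record is removed, so a
    replayed or leaked code is useless afterwards."""
    for i, rec in enumerate(records):
        candidate = _hash_code(submitted, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):   # constant-time compare
            del records[i]
            return True
    return False


def remaining_codes(records) -> int:
    """How many unused codes are left; a site can warn the user when this runs low."""
    return len(records)


if __name__ == "__main__":
    codes, store = generate_backup_codes()
    print("Show these once and tell the user to save them (e.g. in a password manager):")
    for c in codes:
        print("  ", c)
    first = codes[0]
    print("first use:", redeem_backup_code(store, first))   # True
    print("replay:   ", redeem_backup_code(store, first))   # False
    print("remaining:", remaining_codes(store))             # 7
```

A site that wants a "regenerate codes" option simply discards the old record list and calls `generate_backup_codes` again, which invalidates every previously issued code at once.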


500M Avira Antivirus Users Introduced to Cryptomining


Many readers were surprised to learn recently that the popular Norton 360 antivirus suite now ships with a program which lets customers make money mining virtual currency. But Norton 360 isn’t alone in this dubious endeavor: Avira antivirus — which has built a base of 500 million users worldwide largely by making the product free — was recently bought by the same company that owns Norton 360 and is introducing its customers to a service called Avira Crypto.

Avira Crypto

Founded in 2006, Avira Operations GmbH & Co. KG is a German multinational software company best known for their Avira Free Security (a.k.a. Avira Free Antivirus). In January 2021, Avira was acquired by Tempe, Ariz.-based NortonLifeLock Inc., the same company that now owns Norton 360.

In 2017, the identity theft protection company LifeLock was acquired by Symantec Corp., which was renamed to NortonLifeLock in 2019. LifeLock is now included in the Norton 360 service; Avira offers users a similar service called Breach Monitor.

Like Norton 360, Avira comes with a cryptominer already installed, but customers have to opt in to using the service that powers it. Avira’s FAQ on its cryptomining service is somewhat sparse. For example, it doesn’t specify how much NortonLifeLock gets out of the deal (NortonLifeLock keeps 15 percent of any cryptocurrency mined by Norton Crypto).

“Avira Crypto allows you to use your computer’s idle time to mine the cryptocurrency Ethereum (ETH),” the FAQ explains. “Since cryptomining requires a high level of processing power, it is not suitable for users with an average computer. Even with compatible hardware, mining cryptocurrencies on your own can be less rewarding. Your best option is to join a mining pool that shares their computer power to improve their chance of mining cryptocurrency. The rewards are then distributed evenly to all members in the pool.”

NortonLifeLock hasn’t yet responded to requests for comment, so it’s unclear whether Avira uses the same cryptomining code as Norton Crypto. But there are clues that suggest that’s the case. NortonLifeLock announced Avira Crypto in late October 2021, but multiple other antivirus products have flagged Avira’s installer as malicious or unsafe for including a cryptominer as far back as Sept. 9, 2021.

Avira was detected as potentially unsafe for including a cryptominer back in Sept. 2021. Image: Virustotal.com.

The above screenshot was taken on Virustotal.com, a service owned by Google that scans submitted files against dozens of antivirus products. The detection report pictured was found by searching Virustotal for “ANvOptimusEnablementCuda,” a function included in the Norton Crypto mining component “Ncrypt.exe.”

Some longtime Norton customers took to NortonLifeLock’s online forum to express horror at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default.

“Norton should be DETECTING and killing off crypto mining hijacking, not installing their own,” reads a Dec. 28 thread on Norton’s forum titled “Absolutely furious.”

Others have charged that the crypto offering will end up costing customers more in electricity bills than they can ever hope to gain from letting their antivirus mine ETH. What’s more, there are hefty fees involved in moving any ETH mined by Norton or Avira Crypto to an account that the user can cash out, and many users apparently don’t understand they can’t cash out until they at least earn enough ETH to cover the fees.

In August 2021, NortonLifeLock said it had reached an agreement to acquire Avast, another longtime free antivirus product that also claims to have around 500 million users. It remains to be seen whether Avast Crypto will be the next brilliant offering from NortonLifeLock.

As mentioned in this week’s story on Norton Crypto, I get that participation in these cryptomining schemes is voluntary, but much of that ultimately hinges on how these crypto programs are pitched and whether users really understand what they’re doing when they enable them. But what bugs me most is they will be introducing hundreds of millions of perhaps less savvy Internet users to the world of cryptocurrency, which comes with its own set of unique security and privacy challenges that require users to “level up” their personal security practices in fairly significant ways.


Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution


Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of a privileged process. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.


Multiple Vulnerabilities in Google Chrome Could Allow for Remote Code Execution


Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for remote code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.


WordPress 5.8.3 Security Release


This security release features four security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.8.3 is a short-cycle security release. The next major release will be version 5.9, which is already in the Release Candidate stage.

You can update to WordPress 5.8.3 by downloading from WordPress.org or visiting your Dashboard → Updates and clicking Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Four security issues affect WordPress versions between 3.7 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 3.7 have also been updated to fix the following security issues (except where noted otherwise):

Props to Karim El Ouerghemmi and Simon Scannell of SonarSource for disclosing an issue with stored XSS through post slugs.
Props to Simon Scannell of SonarSource for reporting an issue with Object injection in some multisite installations.
Props to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with Trend Micro Zero Day Initiative on reporting a SQL injection vulnerability in WP_Query.
Props to Ben Bidner from the WordPress security team for reporting a SQL injection vulnerability in WP_Meta_Query (only relevant to versions 4.1-5.8).

Thank you to all of the reporters above for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked. Thank you to the members of the WordPress security team for implementing these fixes in WordPress.

For more information, check out the 5.8.3 HelpHub documentation page.

Thanks and props!

The 5.8.3 release was led by @desrosj and @circlecube.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.3 happen:

Alex Concha, Dion Hulse, Dominik Schilling, ehtis, Evan Mullins, Jake Spurlock, Jb Audras, Jonathan Desrosiers, Ian Dunn, Peter Wilson, Sergey Biryukov, vortfu, and zieladam.


Norton 360 Now Comes With a Cryptominer


Norton 360, one of the most popular antivirus products on the market today, has installed a cryptocurrency mining program on its customers’ computers. Norton’s parent firm says the cloud-based service that activates the program and allows customers to profit from the scheme — in which the company keeps 15 percent of any currencies mined — is “opt-in,” meaning users have to agree to enable it. But many Norton users complain the mining program is difficult to remove, and reactions from longtime customers have ranged from unease and disbelief to, “Dude, where’s my crypto?”

Norton 360 is owned by Tempe, Ariz.-based NortonLifeLock Inc. In 2017, the identity theft protection company LifeLock was acquired by Symantec Corp., which was renamed to NortonLifeLock in 2019 (LifeLock is now included in the Norton 360 service).

According to the FAQ posted on its site, “Norton Crypto” will mine Ethereum (ETH) cryptocurrency while the customer’s computer is idle. The FAQ also says Norton Crypto will only run on systems that meet certain hardware and software requirements (such as an NVIDIA graphics card with at least 6 GB of memory).

“Norton creates a secure digital Ethereum wallet for each user,” the FAQ reads. “The key to the wallet is encrypted and stored securely in the cloud. Only you have access to the wallet.”

NortonLifeLock began offering the mining service in July 2021, and early news coverage of the program did not immediately receive widespread attention. That changed on Jan. 4, when Boing Boing co-editor Cory Doctorow tweeted that NortonCrypto would run by default for Norton 360 users.

NortonLifeLock says Norton Crypto is an opt-in feature only and is not enabled without user permission.

“If users have turned on Norton Crypto but no longer wish to use the feature, it can be disabled by temporarily shutting off ‘tamper protection’ (which allows users to modify the Norton installation) and deleting NCrypt.exe from your computer,” NortonLifeLock said in a written statement. However, many users have reported difficulty removing the mining program.

From reading user posts on the Norton Crypto community forum, it seems some longtime Norton customers were horrified at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default.

“How on Earth could anyone at Norton think that adding crypto mining within a security product would be a good thing?,” reads a Dec. 28 thread titled “Absolutely furious.”

“Norton should be DETECTING and killing off crypto mining hijacking, not installing their own,” the post reads. “The product people need firing. What’s the next ‘bright idea’? Norton Botnet? And I was just about to re-install Norton 360 too, but this has literally caused me to no longer trust Norton and their direction.”

It’s an open question whether Norton Crypto users can expect to see much profit from participating in this scheme, at least in the short run. Mining cryptocurrencies basically involves using your computer’s spare resources to help validate financial transactions of other crypto users. Crypto mining causes one’s computer to draw more power, which can increase one’s overall electricity costs.

“Norton is pretty much amplifying energy consumption worldwide, costing their customers more in electricity use than the customer makes on the mining, yet allowing Norton to make a ton of profit,” tweeted security researcher Chris Vickery. “It’s disgusting, gross, and brand-suicide.”

Then there’s the matter of getting paid. Norton Crypto lets users withdraw their earnings to an account at cryptocurrency platform CoinBase, but as Norton Crypto’s FAQ rightly points out, there are coin mining fees as well as transaction costs to transfer Ethereum.

“The coin mining fee is currently 15% of the crypto allocated to the miner,” the FAQ explains. “Transfers of cryptocurrencies may result in transaction fees (also known as “gas” fees) paid to the users of the cryptocurrency blockchain network who process the transaction. In addition, if you choose to exchange crypto for another currency, you may be required to pay fees to an exchange facilitating the transaction. Transaction fees fluctuate due to cryptocurrency market conditions and other factors. These fees are not set by Norton.”

Which might explain why so many Norton Crypto users have taken to the community’s online forum to complain they were having trouble withdrawing their earnings. Those gas fees are the same regardless of the amount of crypto being moved, so the system simply blocks withdrawals if the amount requested can’t cover the transfer fees.

Norton Crypto. Image: Bleeping Computer.

I guess what bothers me most about Norton Crypto is that it will be introducing millions of perhaps less savvy Internet users to the world of cryptocurrency, which comes with its own set of unique security and privacy challenges that require users to “level up” their personal security practices in fairly significant ways.

Several of my elder family members and closest friends are longtime Norton users who renew their subscription year after year (despite my reminding them that it’s way cheaper just to purchase it again each year as a new user). None of them are particularly interested in or experts at securing their computers and digital lives, and the thought of them opening CoinBase accounts and navigating that space is terrifying.

Big Yellow is not the only brand that’s cashing in on investor fervor over cryptocurrencies and hoping to appeal to a broader (or maybe just older) audience: The venerable electronics retailer RadioShack, which relaunched in 2020 as an online-focused brand, now says it plans to chart a future as a cryptocurrency exchange.

“RadioShack’s argument is basically that as a very old brand, it’s primed to sell old CEOs on cryptocurrency,” writes Adi Robertson for The Verge.

“Too many [cryptocurrency companies] focused on speculation and not enough on making the ‘old-school’ customer feel comfortable,” the company’s website states, claiming that the average “decision-making” corporate CEO is 68 years old. “The older generation simply doesn’t trust the new-fangled ideas of the Bitcoin youth.”


The Feeling of Safety


The internet’s greatest feat? Fundamentally shifting how we live. Once a revelation, it quickly set our long-standing beliefs about how we work, play, and connect into a whole new context. 

Today, the shifts come fast. Video meetings once felt alien. Now, they’re part of our routine. We’ve gone from setting doctor’s appointments online to actually seeing the doctor online—and from family visits to seeing everyone in seconds on a screen.  

At McAfee, we’ve seen our share of shifts as well. Looking back across our thirty-plus years, we were among the first to deliver antivirus technology. First to create a biometric password manager. First to give people an intuitive Protection Score, and so much more. And we’re not stopping. We’re protecting people and their ever-changing lives. That means covering all your life online, from security to privacy to identity, in a way that adds to your confidence and enjoyment too. 

Confidence and enjoyment. Those two words mark our next shift in online protection. We’re bringing those feelings to life across the McAfee experience. And it’ll redefine the way you stay safe online.  

Safety has an unmistakable feeling. As we bring that feeling to online protection, you’ll see a remarkable evolution. It will look and act in bold new ways, guide you, reassure you, and most importantly, keep you safe. In all, it’s a new breed of online protection that’s helpful, even thoughtful, in the ways it looks out for you. 

And this evolution is already underway. You’ll find that feeling in everyday moments as we make them simpler, freer, and safer—such as paying your bills at a coffee shop, managing your family’s healthcare from your laptop, and booking flights to catch up with old friends. Across them all, our protection will have your back, and even offer guidance when needed, all while you do you—wherever your day takes you and no matter what “online” looks like next. 

There’s simply so much to see out there. And with us by your side, you’ll feel safe and stay that way. Life online will continue to surprise us. In the best of ways. And people have a right to enjoy every moment of it, confident that they’re safe and secure, in ways they can point to and feel.  

That’s our next big shift. Giving you the unmistakable feeling of safety. You deserve it. More than that, it’s your right. And we’re proud to bring it to you. 

The post The Feeling of Safety appeared first on McAfee Blogs.


Endangered data in online transactions and how to safeguard company information


This blog was written by an independent guest blogger.

Online transactions are essential for every modern business. From online shopping to banking, transferring funds, and sending invoices, online transactions offer convenience and efficiency.

However, the familiarity of making financial transactions online can make people forget about security and all the dangers that they may be facing. On top of that, new cybersecurity threats keep popping up constantly.

That’s why it’s crucial to have a robust IT security strategy in place.

How safe are your company’s online transactions?


From hardware or software issues and hidden backdoor programs to vulnerable process controls, weak passwords, and other human errors, many problems can put your transactions at risk and leave the door open to cybercriminals.

Did you know that human error is the main culprit in 95% of data breaches? Many people still don’t realize the dangers of phishing, malware, ransomware, unpatched software, and weak passwords. These can expose your sensitive data and put you, your employees, clients, and customers at risk of identity theft and fraud.

Believe it or not, pay stubs are among the most common vulnerabilities because many companies don’t store them carefully, risking theft of their employee data and confidential files.

That’s why savvy businesses have started using online generators for making stubs. With a paystub generator, you can create and store your pay stubs online, so you don’t have to keep them in your system, preventing cybercriminals from gaining access to your sensitive data.

No cybersecurity experts

Cybersecurity is a complex issue that requires comprehensive knowledge. Sadly, most companies don’t hire any cybersecurity experts. What they don’t realize is that doing so could also boost their productivity.

What can a business do to improve its productivity?

By putting experts in charge of cybersecurity, companies can keep other employees productive. They can work with up-to-date technology, reduce their workload, work smarter, and improve their performance.

A cybersecurity team can even train your employees and teach them how to identify and avoid threats. This way, your employees won’t make security mistakes, and can focus on their core competencies.

How to protect your transactions

Given that the average cost of a data breach is $3.86 million, implementing proper security measures to protect your transactions is a no-brainer. Here are some of the best ways to do so.

Use a Secure Sockets Layer

Secure Sockets Layer (SSL) is a standard security protocol that encrypts the connection between a web browser and a server. It prevents a third party from intercepting the data that is exchanged between the two.

This is especially beneficial for financial transactions, as all the data, including credit card information, remains private.

An SSL certificate is beneficial for your SEO as well, since Google uses HTTPS as a ranking signal.

To secure your transactions with an SSL certificate, you need to purchase the right one for your business and install it on your server with the help of your web host manager. This only takes a few clicks, because an SSL certificate is a text file with encrypted data.

Implement multi-layered protection

A multi-layered security approach is a defense mechanism for cybersecurity protection. It’s about implementing multiple components to protect your entire IT infrastructure.

If a potential hacker finds a loophole and tries to break into your system, they will be prevented from doing so by another layer of security.

Some of the most important security layers include the network (IP and ICMP), the application (e.g., HTTPS and DNS), data link (e.g., Ethernet and MAC), the session (WebSockets), transport (SSL, TCP, and UDP), perimeter (firewalls), and physical layers (securing endpoint devices).

Avoid storing payment data from your customers

If you store payment details from your customers, a potential data breach could expose their personal and sensitive information. This could severely damage your company’s reputation.

So, once a customer completes a purchase, make sure there are no logs of their financial information.

If you want to ensure a seamless shopping experience by allowing your customers to save payment details for future purchases, you should use a reliable e-commerce platform and a secure payment processor. This will help you detect and prevent potential cyberattacks.

Use data encryption

Data encryption is the key to keeping sensitive data private. It ensures integrity, authentication, and non-repudiation.

There are three main types of data encryption:

3DES (Triple Data Encryption Standard) — 3DES uses three 56-bit keys to encrypt data, but it is slow. Its predecessor, DES (Data Encryption Standard), is no longer secure on its own.
AES (Advanced Encryption Standard) — AES is the best and most widely used type. It uses symmetric key encryption, where a single key both encrypts and decrypts data. It’s the most secure method you can use.
RSA (Rivest-Shamir-Adleman) — RSA uses asymmetric key encryption (one public key to encrypt data and one private key to decrypt). This is time-consuming but great for verifying digital signatures.

Consider tokenization

Tokenization involves replacing sensitive data, such as credit card numbers, with random strings of characters (tokens) that have no meaningful value. If a hacker were to steal tokenized data, they could not exploit it.

Furthermore, tokenization removes the original data from the system and serves only as a reference. That’s quite different from data encryption, where the data is preserved but can only be accessed with the right key.
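To make the tokenization contrast concrete (and the earlier advice that order records and logs should hold no card data), here is an added example that is not from the article or any product it names: a small token vault that accepts a card number only if it passes the Luhn check, hands back a random token that carries none of the original digits, and keeps the only copy of the number inside the vault. The merchant-side order record stores just the token and a "last four" display hint. The `TokenVault` class, the `tok_` prefix and the sample card number `4111 1111 1111 1111` (a well-known test number) are assumptions for illustration; a real deployment would put the vault behind its own access controls and audit trail.

```python
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check so the vault only accepts plausible card numbers.

    This is a sanity gate against typos, not a security control.
    """
    compact = pan.replace(" ", "")
    if not compact.isdigit() or len(compact) < 12:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold >9 back into one digit.
    for i, ch in enumerate(reversed(compact)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed illustration: the vault holds the only copy of each PAN.

    Tokens are random, so two tokenizations of the same number yield different
    tokens and a stolen token reveals nothing about the number behind it.
    """

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        compact = pan.replace(" ", "")
        if not luhn_ok(compact):
            raise ValueError("not a valid card number")
        while True:
            token = "tok_" + secrets.token_hex(12)   # 96 bits of randomness, no PAN-derived content
            if token not in self._by_token:         # guard against the (negligible) collision
                break
        self._by_token[token] = compact
        return token

    def detokenize(self, token: str) -> str:
        """Only code with access to the vault can recover the number (e.g. a payment processor call)."""
        return self._by_token[token]

    def last_four(self, token: str) -> str:
        return self._by_token[token][-4:]


def record_order(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant database and logs keep: a token and a display hint, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "display": "**** " + vault.last_four(token), "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    order = record_order(vault, "4111 1111 1111 1111", 12.50)   # constructed sample input
    print("stored order record:", order)                          # token + '**** 1111', no card number
    print("vault lookup:", vault.detokenize(order["token"]))      # only the vault can map back
```

The difference from encryption is visible in `detokenize`: there is no key to brute-force or leak, only a lookup table that lives in the vault, so the security of the scheme rests entirely on who can query that table.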

Use electronic signatures

Like data encryption, electronic signatures ensure integrity, authentication, and unforgeability.

They also increase security and speed up transactions by enabling the authentication of electronic documents and online forms in seconds.

Create a verification process

Verifying accounts, addresses, and transactions helps you prevent identity theft and fraud.

An AVS (Address Verification Service) can help you verify your customers’ billing addresses. At the same time, a card security code (a CVV number) is the best way to verify bank accounts and transactions.

Don’t forget to enable 2FA (Two-Factor Authentication) and MFA (Multi-Factor Authentication), which are among the best ways to secure user authentication protocols. They provide additional protection for the login process, and effectively prevent fraudulent login attempts.

Conclusion

These are the most proven methods to keep your online transactions and company information private, but you should consider other security tips, too.

Don’t forget to comply with the PCI DSS before you start accepting online payments. This way you can eliminate any vulnerabilities beforehand and ensure that your customers’ data remains safe and secure.
