The Guardian is reporting about microchips in wheels of Parmesan cheese as an anti-forgery measure.
Category: authentication
A bunch of networks, including US Government networks, have been hacked by the Chinese. The hackers used forged authentication tokens to access user email, using a stolen Microsoft Azure account consumer signing key. Congress wants answers. The phrase “negligent security practices” is being tossed about—and with good reason. Master signing keys are not supposed to be left around, waiting to be stolen.
Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tell me that the details are really bad.
I believe this all traces back to SolarWinds. In addition to Russia inserting malware into a SolarWinds update, China used a different SolarWinds vulnerability to break into networks. We know that Russia accessed Microsoft source code in that attack. I have heard from informed government officials that China used their SolarWinds vulnerability to break into Microsoft and access source code, including Azure’s.
I think we are grossly underestimating the long-term results of the SolarWinds attacks. That backdoored update was downloaded by over 14,000 networks worldwide. Organizations patched their networks, but not before Russia—and others—used the vulnerability to enter those networks. And once someone is in a network, it’s really hard to be sure that you’ve kicked them out.
Sophisticated threat actors are realizing that stealing source code of infrastructure providers, and then combing that code for vulnerabilities, is an excellent way to break into organizations who use those infrastructure providers. Attackers like Russia and China—and presumably the US as well—are prioritizing going after those providers.
EDITED TO ADD: Commentary:
This is from Microsoft’s explanation. The China attackers “acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident—including the actor-acquired MSA signing key—have been invalidated. Azure AD keys were not impacted. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. The actor was able to obtain new access tokens by presenting one previously issued from this API due to a design flaw. This flaw in the GetAccessTokenForResourceAPI has since been fixed to only accept tokens issued from Azure AD or MSA respectively. The actor used these tokens to retrieve mail messages from the OWA API.”
The first compromise didn't get the crooks as far as they wanted, so they found a second one that did...
It’s neither hard nor expensive:
Unlike password authentication, which requires a direct match between what is inputted and what’s stored in a database, fingerprint authentication determines a match using a reference threshold. As a result, a successful fingerprint brute-force attack requires only that an inputted image provides an acceptable approximation of an image in the fingerprint database. BrutePrint manipulates the false acceptance rate (FAR) to increase the threshold so fewer approximate images are accepted.
BrutePrint acts as an adversary in the middle between the fingerprint sensor and the trusted execution environment and exploits vulnerabilities that allow for unlimited guesses.
In a BrutePrint attack, the adversary removes the back cover of the device and attaches the $15 circuit board that has the fingerprint database loaded in the flash storage. The adversary then must convert the database into a fingerprint dictionary that’s formatted to work with the specific sensor used by the targeted phone. The process uses a neural-style transfer when converting the database into the usable dictionary. This process increases the chances of a match.
With the fingerprint dictionary in place, the adversary device is now in a position to input each entry into the targeted phone. Normally, a protection known as attempt limiting effectively locks a phone after a set number of failed login attempts are reached. BrutePrint can fully bypass this limit in the eight tested Android models, meaning the adversary device can try an infinite number of guesses. (On the two iPhones, the attack can expand the number of guesses to 15, three times higher than the five permitted.)
The bypasses result from exploiting what the researchers said are two zero-day vulnerabilities in the smartphone fingerprint authentication framework of virtually all smartphones. The vulnerabilities—one known as CAMF (cancel-after-match fail) and the other MAL (match-after-lock)—result from logic bugs in the authentication framework. CAMF exploits invalidate the checksum of transmitted fingerprint data, and MAL exploits infer matching results through side-channel attacks.
Depending on the model, the attack takes between 40 minutes and 14 hours.
Also:
The ability of BrutePrint to successfully hijack fingerprints stored on Android devices but not iPhones is the result of one simple design difference: iOS encrypts the data, and Android does not.
By Sameer Hajarnis, CPO, OneSpan
With the digital economy flourishing, both organizations and consumers are becoming more comfortable making high-value transactions online. To keep up with Web3, organizations have had to offer flexible, digital alternatives to their business processes. Among these processes is the electronic signature, or rather “e-signature,”– the digital alternative to signing documents in person. Although e-signatures ease the consumer process, many organizations neglect security practices throughout the transaction lifecycle. In parallel, remote online notarization is also becoming more commonplace, with high-value transactions including contractual agreements, mortgages, and powers of attorney, becoming digitized. As the threat landscape continues to progress, there is a growing concern that hackers will increasingly manipulate the integrity of digital agreements, especially as more transactions of higher and higher value are taking place online.
According to MSB Docs, 65% of companies using pen and paper report that collecting physical signatures add an entire day to their work process. In addition to accelerating workflow, E-signature improves customer experience, eliminates errors, tracks processes, etc. The commoditization of e-signatures happened so quickly, but it was so convenient that many organizations neglected security measures when implementing these digitized processes.
Along with this, cyberattacks are becoming increasingly sophisticated; recently, The Neustar International Security Council found that only about half of companies have the necessary budgets to meet their current cybersecurity requirements. This is especially alarming for industries that conduct high-value transactions online, such as banking, healthcare, government, etc., because a person’s most critical information could potentially be exposed. According to the Insurance Information Institute, there was a 45-percent increase in identity theft in 2020, and the rapid digital transformation that took place during 2020 would not have helped improve this figure.
The main reason why companies continue to abandon cybersecurity is because they believe it will disrupt the customer journey. Abandonment and customer drop-off are through the roof and today, the slightest inconvenience will turn consumers away. While customers are looking for digital trust, many organizations believe security processes can disrupt the customer experience, but Digicert’s 2022 State of Digital Trust Survey found that 47% percent of consumers have stopped doing business with a company after losing trust in that company’s digital security. Another 84% of customers would consider switching providers.
With those consequences in mind, organizations should consider the following cyber initiatives to secure digital interactions.
Compliance
Organizations must comply with e-signature security requirements. Electronic signature solutions are regulated by the ESIGN and UETA. These acts were passed to (1) solidify the legitimacy of e-signatures in the business world, (2) ensure all parties have consented to conduct business electronically, and (3) authenticate the signer’s identity. Depending on a company’s location and/or industry, these regulations may differ.
In the past year, nine in ten Americans encountered a fraud attempt. To safeguard users’ identities and critical information, the government stepped in to enforce strict security measures. It is of the utmost importance that e-signature solutions act in accordance with these laws, as they ensure the highest level of security and reduce the probability of identity fraud.
When it comes to remote online notarization, the compliance requirements become even more complex. Where a traditional notarization calls for an in-person screening to help protect the personal rights and property from threat actors, a remote online notarization requires organizations to authenticate the applicants’ identities virtually. Applicants must virtually verify their identity through ID Verification and Knowledge-based Authentication (KBA) and then execute the e-signature before being affixed by the notary. Failure to meet these compliance requirements may result in notaries facing civil liability or the loss of their license.
Certificates of Completion
Vendors must provide immediate proof of completion upon the execution of an electronic agreement. That certification of completion must include the associate IP address, email address, date, timestamp, names, and all other aspects of a transaction. The certificate will act as a legal record of the transaction and should be stored on a secure site to avoid any tampering. By doing so, organizations can be confident that all e-signatures are lawful and will hold up in court. When notarizing a document online, consumers must obtain a digital certificate that provides evidence of the notarization.
Authentication
To ensure the highest level of security, e-signature providers must also provide a two-key encryption system, such as public key infrastructure (PKI), and/or two-step verification. This helps avoid attacks such as man in the middle (MITM), a common attack where an attacker positions themselves between two parties and attempts to intercept the information passed between them. Authentication also reduces the overall likelihood of compromising information.
For online notarizations, organizations can mitigate security risks with identity verification, KBA, and built-in security controls preventing participants from signing on behalf of others.
Digital processes and customer interactions must be secured at every touchpoint throughout a transaction. Most providers will require one-time verification, which may seem secure for consumers when carrying out a transaction. But, in order to secure e-signatures and notarizations, continuous authentication is essential– organizations must secure every interaction throughout the customer journey.
The digitization of high-value transactions lends many benefits to an organization, but it also poses quite a few risks if its associated cyber threats remain ignored. In the world of Web3, organizations must be made completely aware of such cyber attacks, insider threats, and compliance failures, threatening the validity of online transactions. When focusing on online notarizations, it is important that they occur in a secure environment, as they operate across industries where valuable information is transferred (automotive, banking, real estate, legal, and insurance).
Following such awareness, security needs to be interwoven into all choices application providers are making. Solution providers must adopt an increased level of security to be integrated into the fabric of all transactions and agreements. Organizations, especially those that handle high-value transactions, should invest in alternative e-signature and notarization solutions that utilize multi-factor authentication, identity verification, encryption, and other secure processes. These processes safeguard important information and ensure those completing the transaction are who they say they are.
The post Signed, Secured, Delivered: Authenticating Digital Agreements in the Time of Web3 appeared first on Cybersecurity Insiders.
Jenny Blessing and Ross Anderson have evaluated the security of systems designed to allow the various Internet messaging platforms to interoperate with each other:
The Digital Markets Act ruled that users on different platforms should be able to exchange messages with each other. This opens up a real Pandora’s box. How will the networks manage keys, authenticate users, and moderate content? How much metadata will have to be shared, and how?
In our latest paper, One Protocol to Rule Them All? On Securing Interoperable Messaging, we explore the security tensions, the conflicts of interest, the usability traps, and the likely consequences for individual and institutional behaviour.
Interoperability will vastly increase the attack surface at every level in the stack from the cryptography up through usability to commercial incentives and the opportunities for government interference.
It’s a good idea in theory, but will likely result in the overall security being the worst of each platform’s security.
A reporter used an AI synthesis of his own voice to fool the voice authentication system for Lloyd’s Bank.
A group of Swiss researchers have published an impressive security analysis of Threema.
We provide an extensive cryptographic analysis of Threema, a Swiss-based encrypted messaging application with more than 10 million users and 7000 corporate customers. We present seven different attacks against the protocol in three different threat models. As one example, we present a cross-protocol attack which breaks authentication in Threema and which exploits the lack of proper key separation between different sub-protocols. As another, we demonstrate a compression-based side-channel attack that recovers users’ long-term private keys through observation of the size of Threema encrypted back-ups. We discuss remediations for our attacks and draw three wider lessons for developers of secure protocols.
From a news article:
Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other politicians in that country. Threema developers advertise it as a more secure alternative to Meta’s WhatsApp messenger. It’s among the top Android apps for a fee-based category in Switzerland, Germany, Austria, Canada, and Australia. The app uses a custom-designed encryption protocol in contravention of established cryptographic norms.
The company is performing the usual denials and deflections:
In a web post, Threema officials said the vulnerabilities applied to an old protocol that’s no longer in use. It also said the researchers were overselling their findings.
“While some of the findings presented in the paper may be interesting from a theoretical standpoint, none of them ever had any considerable real-world impact,” the post stated. “Most assume extensive and unrealistic prerequisites that would have far greater consequences than the respective finding itself.”
Left out of the statement is that the protocol the researchers analyzed is old because they disclosed the vulnerabilities to Threema, and Threema updated it.
This is a really interesting paper that discusses what the authors call the Decoupling Principle:
The idea is simple, yet previously not clearly articulated: to ensure privacy, information should be divided architecturally and institutionally such that each entity has only the information they need to perform their relevant function. Architectural decoupling entails splitting functionality for different fundamental actions in a system, such as decoupling authentication (proving who is allowed to use the network) from connectivity (establishing session state for communicating). Institutional decoupling entails splitting what information remains between non-colluding entities, such as distinct companies or network operators, or between a user and network peers. This decoupling makes service providers individually breach-proof, as they each have little or no sensitive data that can be lost to hackers. Put simply, the Decoupling Principle suggests always separating who you are from what you do.
Lots of interesting details in the paper.
This is an actual CAPTCHA I was shown when trying to log into PayPal.
As an actual human and not a bot, I had no idea how to answer. Is this a joke? (Seems not.) Is it a Magritte-like existential question? (It’s not a bicycle. It’s a drawing of a bicycle. Actually, it’s a photograph of a drawing of a bicycle. No, it’s really a computer image of a photograph of a drawing of a bicycle.) Am I overthinking this? (Definitely.) I stared at the screen, paralyzed, for way too long.
It’s probably the best CAPTCHA I have ever encountered; a computer would have just answered.
(In the end, I I treated the drawing as a real bicycle and selected the appropriate squares…and it seemed to like that.)