fbpx
Surveillance, Security, Monitoring, Automation, Access Control, LVT, Liquid Video Technologies, Greenville South Carolina

Chinese Secretly Installing Spyware App

China’s Border Guards Secretly Installing Spyware App on Tourists’ Phones

Chinese authorities are secretly installing surveillance apps on smartphones of foreigners at border crossings in the Xinjiang region who are entering from neighboring Kyrgyzstan, an international investigation revealed.

Xinjiang (XUAR) is an autonomous territory and home to many Muslim ethnic minority groups where China is known to be conducting massive surveillance operations, especially on the activities of Uighurs, a Muslim Turkic minority group of about 8 million people.

The Chinese government has blamed the Muslim Turkic minority group for Islamic extremism and deadly attacks on Chinese targets.

According to a joint investigation by New York Times, the Guardian, Süddeutsche Zeitung and more, the surveillance app has been designed to instantly extract emails, texts, calendar entries, call records, contacts and insecurely uploads them to a local server set-up at the check-point only.

This suggests that the spyware app has not been designed to continuously and remotely track people while in China. In fact, in the majority of cases, the report says the surveillance app is uninstalled before the phone is returned to its owner.

The spyware, called Feng Cai (蜂采) or BXAQ, also scans infected Android devices for over 73,000 pre-defined files related to Islamic extremist groups, including ISIS recruitment fliers, bomb-making instructions, and images of executions.

Surveillance, Monitoring, Security, Access Control, Automation, LVT, Liquid Video Technologies, Greenville South Carolina

Besides this, it also looks for segments from the Quran, portions of an Arabic dictionary and information on the Dalai Lama, and for some bizarre reason, the list also includes a song from a Japanese grindcore band called Unholy Grace.

The app can directly be installed on Android phones, but for tourists, journalists, and other foreigners, using Apple devices, the border guards reportedly connect their phones to a hardware-based device that is believed to install similar spyware.

According to researchers at German cybersecurity firm Cure53, who analyzed [PDF] a sample of the surveillance app, the names that appear in Feng Cai app’s source code suggest that the app was developed by a unit of FiberHome, a Chinese telecom manufacturer that is partly owned by the government.

“The app is very simple in terms of its user interface, with just three available functions: Scan, Upload, and Uninstall,” the researchers said.

However, it remains unclear how long the collected information on travelers is stored on the Chinese server, or how the government uses it.

“The Chinese government, both in law and practice, often conflates peaceful religious activities with terrorism,” Maya Wang, a Chinese researcher at Human Rights Watch, told NY Times. “You can see in Xinjiang, privacy is a gateway right: Once you lose your right to privacy, you’re going to be afraid of practicing your religion, speaking what’s on your mind or even thinking your thoughts.”

It’s not the first time when Chinese authorities have been caught using spyware to keep tabs on people in the Xinjiang region, as this kind of intensive surveillance is very common in that region. However, it’s the first time when tourists are believed to have been the primary target.

In 2017, Chinese authorities had forced Xinjiang residents as well into installing a similar spyware app, called Jingwang, on their mobile devices that was intended to prevent them from accessing terrorist information.

Article Provided By: The Hacker News

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Security, Monitoring, Access Control, Computer Networking, Networking, LVT, Liquid Video Technologies, Greenville South Carolina, iOS 13

Users Warned About iOS 13 Security Problem

When the “Sign in with Apple” functionality to appear as part of iOS 13 was announced at the Worldwide Developers Conference (WWDC) back on June 3, it was met with broad approval from Apple users. After all, what’s not to like about having an alternative to signing in to applications and services via your Facebook, Google, or Twitter account? It turns out, truth be told, quite a lot. Just how much depends upon whom you are talking to, of course.

The OpenID Foundation (OIDF), whose own OpenID Connect platform shares much in common with the proposed Apple solution and counts Google, Microsoft and PayPal amongst its members, is edging towards the not so keen side of the fence. Moreover, it’s not alone either.

In a  June 27 open letter addressed to Craig Federighi, senior vice-president of software engineering at Apple, Nat Sakimura, OIDF chairman, begins with some faint praise regarding Apple’s “efforts to allow users to log in to third-party mobile and Web applications with their Apple ID using OpenID Connect.” It very quickly goes downhill from there, however.

After explaining how OpenID Connect has been developed by a broad range of companies, along with experts from within the OIDF itself, the letter points out how it has become a widely-adopted protocol built on OAuth 2.0 to enable third-party logins in a secure and standard manner. The differences between OpenID Connect and Sign in with Apple, the letter continues, expose users “to greater security and privacy risks.”

It then goes on to insist that developers will be unnecessarily burdened by having to work on both as Apple will insist they offer it alongside the others, whereas by “closing the current gaps,” the OIDF argues, “Apple would be interoperable with widely-available OpenID Connect Relying Party software.”

So what seems to be the real problem here? The Apple system gets around having to pass your email to the third-party developer by creating a disposable one-off email address just for that purpose, assuming you choose to hide your real email address. By doing so, you also avoid the data aggregation problem that these sign-on platforms enable by seeing the various apps and services you use, which could build an accurate, and valuable, marketing profile. Opting out of emails can be done by deactivating individual service addresses, and Apple knows the apps you are using anyway so, assuming you trust it with that information, then the Sign in with Apple platform adds no new privacy concerns.

Why, then, is it being painted as such a security and privacy risk by the OIDF?

The answer comes mainly in the form of those “differences” mentioned earlier. These include failure to use the Proof Key for Code Exchange (PKCE) system that mitigates code injection and code replay attack threats. A document listing the differences was updated July 3 to acknowledge fixes that had been made since the open letter was sent.

That document can be found here and is worth reading as it also describes the specific attack and privacy problems that remain as a result of the protocol differences. These include Cross-Site Request Forgery (CSRF) attacks and potential leakage of the ID Token, which contains a set of personal data and Authorization Code, which could be used in the aforementioned code injection attack. According to this latest information, only the Apple documentation regarding the exchange of authorization codes has been fixed to date.

Sean Wright, an application security specialist, understands only too well how the problem with many open protocols is that at times organizations modify the protocol or standard just a little bit. “This causes potential compatibility issues when other organizations try to integrate,” Wright says, “so I can see why OpenID is so interested in trying to ensure that Apple sticks to the standard.” As for the security issues, these potentially stick their collective heads above the development parapet only because it will be a modification of a protocol and so open to newly introduced vulnerabilities.

A poll of information security professionals on Twitter revealed, that 60% thinking OIDF was right to call Apple out on these issues. The remaining 40% being evenly split between thinking OIDF was wrong, and it not mattering as both options improve security and privacy anyway.

“Any extra layer of security or privacy support added to accounts is a bonus in my book,” says Jake Moore, a security specialist at ESET, who continues, “but admittedly it appears this could still be even more secure by today’s standards.” Moore said that because Apple is dealing with millions of accounts, sadly this means if it were to make signing in too tricky for the average user, then there’s a risk that customers could be lost. “Albeit a bold move,” he concludes, “I like seeing accounts that force users to make their accounts more secure with strong password policies and Multi-Function Authentication as default.”

Neira Jones is a partner at the Global Cyber Alliance and an internationally renowned cyber risk and information security speaker. Jones tells that she thinks that while there will undoubtedly be teething problems, as with anything new, Sign in with Apple remains a good thing. “I do not doubt that Apple will address the security issues,” Jones says, “but whether Apple will fix the interoperability issues mentioned by OpenID remains to be seen as a number of factors are at play.” After all, Apple has traditionally been in the business of remaining a closed ecosystem, and Jones isn’t sure that will change any time soon.

Not that it’s impossible given that Facebook has announced the Libra cryptocurrency and in amongst the white paper documentation there’s a paragraph that states: “An additional goal of the association is to develop and promote an open identity standard. We believe that decentralized and portable digital identity is a prerequisite to financial inclusion and competition.”

With more than 3 billion users, Facebook is potentially hoping for a big play in the identity space, according to Jones. They may or may not succeed, but Facebook does have a trust issue. “Apple haven’t,” Jones concludes, “or certainly not to the extent of Facebook’s trust issues.”

Article Provided By: Forbes

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Security, Monitoring, Access Control, Networking, LVT, Liquid Video Technologies, Greenville South Carolina, Election

Election Official Highlights Email Threat

US Election Security Official Highlights Email Threat

SANTA FE, N.M. (AP) — Beware the phishing attempts.

An election security official with the U.S. Department of Homeland Security on Tuesday warned top state election officials nationwide to safeguard against fraudulent emails targeting state and local election workers.

The emails appear as if they come from a legitimate source and contain links that, if clicked, can open up election data systems to manipulation or attacks.

Geoff Hale, director of the department’s Election Security Initiative, told a gathering of secretaries of state that the nation’s decentralized voting systems remain especially vulnerable to emails that can trick unsuspecting workers into providing access to elections databases.

“We know that phishing is how a significant number of state and local government networks become exploited,” Hale told scores of secretaries of state gathered in the New Mexico capital city. “Understanding your organization’s susceptibility to phishing is one of the biggest things you can do.”

Email phishing schemes haunted the electoral landscape in 2016. Hillary Clinton’s 2016 campaign chairman, John Podesta, fell for trick emails on his personal account, allowing Russians to steal thousands of messages about the inner workings of the campaign. Targeted phishing emails also allowed Russians to gain access to the Democratic Congressional Campaign Committee’s networks and eventually exploited that to gain entry to the Democratic National Committee.

In the run-up to the 2020 vote, Iowa Secretary of State Paul Pate, a Republican, is calling phishing the No. 1 concern when it comes to securing election-related computer systems in his state.

Iowa’s 100 county political subdivisions make the threat especially challenging. He said his fear is that phishing emails may target overlooked public employees who don’t have adequate training.

“If they get into the courthouse, they can then get into the county auditor, which is our elections folks — and that’s not a good thing,” Pate said.

Pate’s agency is fighting back with two-factor identification requirements for anyone accessing state voter systems, and mandatory annual cyber-security training sessions.

Phishing threats lay bare the difficulties of guarding election systems across large rural expanses. New Mexico Democratic Secretary of State Maggie Toulouse Oliver says new federal funding is needed to bolster cyber security in counties that are too small to hire information technology specialists. There are seven counties in the state with fewer than 5,000 residents; Harding County is home to about 700.

State election chiefs gathered in Santa Fe for the first time since the release of special counsel Robert Mueller’s report documenting Russian meddling in the 2016 election.

California’s Secretary of State Alex Padilla said he, too, is concerned about so-called soft cybersecurity threats, beyond voting equipment or software, such as predatory phishing for security weaknesses among election workers.

“You can read the Mueller report on what the most effective strategies were that the Russians engaged in, and most cyber experts will tell you that it’s still phishing attempts that are rampant,” he said.

Article Provided By: SFGate

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

 

Security, Monitoring, Surveillance, Access Control, Networking, LVT, Liquid Video Technologies, Greenville South Carolina

Microsoft Adds an Extra Security Layer

Microsoft Adds an Extra Security Layer to its OneDrive Storage Service

Microsoft  today announced OneDrive Personal Vault, a new security layer on top of its OneDrive online file storage service that adds additional security features to keep your files save. The security features ensure that the only way to access these files is with a strong authentication method or two-step verification, which can include a fingerprint or face recognition with a Window Hello-compatible device, PIN code or a one-time code sent by email or SMS (which isn’t necessarily the most secure method, of course), or by using Microsoft Authenticator.

Security, Surveillance, Monitoring, Computer Networking, Networking, Liquid Video Technologies, Greenville South CarolinaIn addition, Microsoft is also doubling the storage plan for its $1.99/month standalone OneDrive subscription from 50GB to 100GB. If you’re on a free plan, you’ll be able to try Personal Vault, too, but Microsoft will limit the number of files you can store in it.

The new Personal Vault will be available to OneDrive users on the web, on Windows 10 and through Microsoft’s mobile apps. It’ll roll out to users in Australia, New Zealand and Canada soon and become available to all OneDrive users by the end of the year.

By default, all OneDrive files are already encrypted at rest and in transit. Personal Vault essentially adds another layer of optional security features on top of this. In that OneDrive app, this is represented by a special Personal Vault folder that you can then use to save your most important files — or those with the largest amount of sensitive information (think financial records etc.).

On Windows 10 PCs, Personal Vault also sets up a Bitlocker-encrypted area on your local hard drive to sync your Personal Vault files.

Article Provided By: techcrunch

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Security, Monitoring, Computer Networking, Access Control, Networking, Liquid Video Technologies, Greenville South Carolina, File Sharing

Increase in Abuse of File Sharing Services

Security researchers are warning of a “dramatic” increase in the exploitation of legitimate file sharing services to deliver malware in email-based attacks, especially OneDrive.

FireEye claimed in its latest Email Threat Report for Q1 2019 that services including WeTransfer, Dropbox, Google Drive and OneDrive are increasingly being used to host malicious and phishing files.

However, while Dropbox was most commonly used of all the services, OneDrive is catching up fast. From hardly being used in any attacks in Q4 2018, it shot up by over 60% in the intervening months.

Hackers are using such services as they bypass the initial domain reputation checks made by security tools.

Detection filters are also challenged by the use of “nested emails.” With this tactic, a first email contains a second email as attachment, which in turn contains the malicious content or URL.

FireEye also warned of a 17% increase in total phishing emails spotted over the previous quarter, with the most-spoofed brands including Microsoft, followed by OneDrive, Apple, PayPal and Amazon.

Hackers are increasingly using HTTPS in phishing attacks featuring URLs in a bid to trick users into clicking. FireEye observed a 26% quarter-on-quarter increase in the tactic, which exploits the consumer perception that HTTPS is inherently secure.

In fact, the FBI was recently forced to issue an alert warning that HTTPS and padlock icons in the address bar are not enough to prove the authenticity of sites.

It said that users should resist clicking on links in unsolicited emails, it added.

Finally, FireEye warned that cyber-criminals are expanding their repertoire when it comes to BEC attacks.

In one version they target the payroll department with requests to change the bank details of senior executives with the hope of diverting their salary. In another, they focus on accounts payable but pretend to be trusted suppliers who are owed money, instead of the CEO/CFO.

Article Provided By: infosecurity

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Monitoring, Security, Access Control, Networking, Liquid Video Technologies, Greenville South Carolina, Cybersecurity

5 Keys to Improve Your Cybersecurity

Cybersecurity isn’t easy. If there was a product or service you could buy that would just magically solve all of your cybersecurity problems, everyone would buy that thing, and we could all rest easy.

However, that is not the way it works. Technology continues to evolve. Cyber attackers adapt and develop new malicious tools and techniques, and cybersecurity vendors design creative new ways to detect and block those threats. Rinse and repeat.

Cybersecurity isn’t easy, and there is no magic solution, but there are a handful of things you can do that will greatly reduce your exposure to risk and significantly improve your security posture.

The right platform, intelligence, and expertise can help you avoid the vast majority of threats, and help you detect and respond more quickly to the attacks that get through.

Challenges of Cybersecurity

Effective cybersecurity is challenging for a variety of reasons, but the changing perimeter and the confusing variety of solutions don’t help.

Long ago, during a time that is all but a distant memory by tech standards, cybersecurity was built around a concept of inside vs. outside, and us vs. them. The servers, applications, users, and data inside the network were inherently trusted, and everything outside of the network was assumed to be a potential threat.

The advent of free public Wi-Fi, portable laptops, mobile devices, and cloud computing have eroded the idea that there is any sort of perimeter, and most attacks leverage valid credentials and appear to be legitimate users, so the old model of defending the perimeter is no longer valid.

Meanwhile, as new platforms and technologies are developed, cybersecurity vendors inevitably create targeted point solutions for each one.

The result is a confusing mix of tools and services that protect specific facets of the environment, but don’t play well with each other and don’t provide a holistic view of the whole infrastructure so you can understand your security posture as a whole.

The constantly expanding and evolving threat landscape doesn’t make it any easier, either. Attacks are increasingly complex and harder to identify or detect—like fileless or “Living off the Land” (LotL) attacks.

The complexity of the IT infrastructure—particularly in a hybrid or multi-cloud environment—leads to misconfiguration and other human error that exposes the network to unnecessary risk. Attackers are also adopting machine learning and artificial intelligence to automate the process of developing customized attacks and evading detection.

Improve Your Cybersecurity

All of that sounds daunting—like cybersecurity is an exercise in futility—but there are things you can do. Keep in mind that your goal is not to be impervious to attack—there is no such thing as perfect cybersecurity.

The goal is to increase the level of difficulty for an attacker to succeed in compromising your network and to improve your chances of quickly detecting and stopping attacks that occur.

Here are 5 tips to help you do that:

  • Assess your business objectives and unique attack surface — Choose a threat detection method that can address your workloads. For instance, cloud servers spin up and spin down constantly. Your detection must follow the provision and deprovision actions of your cloud platform(s) and collect metadata to follow events as they traverse this dynamic environment. Most SIEMs cannot do this.
  • Eliminate vulnerabilities before they need threat detection — Use vulnerability assessments to identify and remove weaknesses before they become exploited. Assess your full application stack, including your code, third party code, and code configurations.
  • Align data from multiple sources to enhance your use cases and desired outcomes — Collect and inspect all three kinds of data for suspicious activity: web, log, and network. Each data type has unique strengths in identifying certain kinds of threats and together present a whole picture for greater accuracy and actionable context.
  • Use analytics to detect today’s sophisticated attacks — ensure your threat detection methods look at both real-time events and patterns in historical events across time. Apply machine learning to find what you do not even know to look for. If you use SIEM, enlist machine learning to see what correlation missed and better tune your SIEM rules.
  • Align security objectives to your business demands — There is more than one way to improve your security posture and detect threats. While SIEMs are a traditional approach, they are most useful for organizations that have a well-staffed security program. A SIEM alone is not the best solution for security monitoring against today’s web applications and cloud environments.

Article Provided By: TheHackerNews

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Video Surveillance, Surveillance, Monitoring, Access Control, Security, Liquid Video Technologies, Greenville South Carolina

Video Surveillance and the Evolving Needs

Video Surveillance and the Evolving Needs of the End-User: Update, Integrate, Analyze, Act

Video surveillance has long been a critical component of facility management and security plans, and it is only expected to grow. Being able to use this video surveillance footage in relatively new and helpful ways is becoming more and more important.

The Global Video Surveillance Storage market generated $28.52 billion in 2016 and is projected to grow by 18 percent by 2023. With so many resources being devoted to storing video data, it will be more crucial than ever to maximize returns on that investment by increasing capabilities to use that stored video. Based on the massive amounts of data gathered by surveillance technologies, it is becoming increasingly possible to take informed action grounded in analysis of the information gathered.

Demand for these capabilities is increasing and the market is responding with more innovative video surveillance technology than ever. End-users expect their technologies to protect and optimize their businesses and facilities; however, the path to this transformation is a two-way street. The technologies to support the users’ desired needs exist. It is a matter of investment and proper implementation to arrive at a place of optimization for facility security and operations.

Updating Systems: The First Step

When discussing the improvement of end-user experiences, updating outdated technologies may seem like a rudimentary and even obvious step. However, many facilities still rely on simpler systems such as analog cameras that keep footage only for a limited period of time. A video camera is no longer just a static piece of equipment meant to be monitored in real time. They also do not take the step that many have come to expect of providing actionable insights based on data gathered.

Thirty cameras, during a 24-hour period, throughout 30 days, will record 21,600 hours of video. That is a massive amount of data that goes nowhere and is essentially useless with a ‘traditional’ video surveillance system. There is a real and valuable return to be made in the form of insights that can be gathered from all this data to understanding where customers linger, how to improve workflow and increased security capabilities. These insights can even be monetized for interested parties, such as brands selling products in a store, thereby helping the facility’s bottom line. Updating outdated video surveillance equipment is the first step to unlocking the potential of integration and analytics.

Next Up: Systems Integration

Once systems are updated, it becomes possible to unlock the next steps in the optimization of a facility, resulting in increased overall security and better day-to-day operations.  Integration with other building and security systems such as lighting, HVAC and access control allow for a more complete picture of the “pulse” of the building. It also improves the experience and comfort of occupants, staff and patrons.

Let’s take lighting, for example. There are several ways that lighting and video surveillance can work together—the simple replacement of regular light bulbs with LED bulbs can improve visibility for video surveillance systems, while also driving down energy costs. Add in motion-sensor technology, and the lights and cameras can work to deter intruders and capture their image more effectively for law enforcement. By making these changes, it is no longer on the facility manager to look at grainy, poorly lit footage to try and decipher what is going on in the event of an incident. By integrating lighting and video surveillance, the facility manager is empowered to work smarter, not harder with a basis in intelligent data they can rely on.

Analytics, Security and Operations

The ability to analyze endless hours of video footage in a realistic and intelligent way has completely changed the game. Being able to define search parameters when reviewing footage can turn an hours-long review process into one that takes minutes, saving precious time in the event of an incident and allowing personnel to make the best use of their resources. For example, knowing the gender or clothing color of someone they are hoping to identify and being able to search footage accordingly can shave hours off a search.

By integrating analytics with other systems, such as access control, users can gain insight into things like the flow of occupants through a space and who is attempting to access restricted areas. In addition, these technologies can learn patterns and establish what is the norm for the facility they protect.  When something outside of their learned patterns occurs, such as someone trying to access a building after hours, they can detect it and relay that information, as well.

Security has never been the only use for video surveillance. As analytics are being more widely implemented, operational intelligence gathering has also been affected. Some of the most important uses for video surveillance are improving sales or customer service, examining and managing employee productivity and analyzing customer behavior and patterns. Analytics increase the ability of users to examine traffic flow, wait times, the efficiency of retail floor plans and much more. This information can then be utilized to address vulnerabilities and improve the operations of the facility.

Building on existing video surveillance systems (or implementing them from scratch) gives employees the support from technology they have come to expect in other areas of their life. By prioritizing upgrades and layering in integration and analytic technology, facilities can increase productivity, safety and efficiency, while also seeing significant ROI in the form of valuable, usable data, streamlined operations and a better overall experience. Technology is the first line of defense in many cases, but it can also be a support, enabling security and operations professionals to do their job more effectively and with the knowledge that their actions are driven by data.

Article Provided By: SecurityMagazine

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Security, Monitoring, Access Control, Computer Networking, Networking, Liquid Video Technologies, Greenville South Carolina, Security Key

Google Opens its Android Security Key Tech

Google Opens its Android Security-Key Tech to iPhone and iPad Users

Google will now allow iPhone and iPad owners to use their Android security key to verify sign-ins, the company said Wednesday.

Last month, the search and mobile giant said it developed a new Bluetooth-based protocol that will allow modern Android 7.0 devices and later to act as a security key for two-factor authentication. Since then, Google said 100,000 users are already using it.

Since its debut, the technology was limited to Chrome sign-ins. Now Google says Apple device owners can get the same protections without having to plug anything in.

Google Security-Keys

Signing in to a Google account on an iPad using an Android 7.0 device (Image: Google)

Security keys are an important security step for users who are particularly at risk of advanced attacks. They’re designed to thwart even the smartest and most resourceful attackers, like nation-state hackers. Instead of a security key that you keep on your key ring, newer Android devices have the technology built-in. When you log in to your account, you are prompted to authenticate with your key. Even if someone steals your password, they can’t log in without your authenticating device. Even phishing pages won’t work because only legitimate websites support security keys.

For the most part, security keys are a last line of defense. Google admitted last month that its standalone Titan security keys were vulnerable to a pairing bug, potentially putting it at risk of hijack. The company offered a free replacement for any affected device.

The security key technology is also FIDO2 compliant, a secure and flexible standard that allows various devices running different operating systems to communicate with each other for authentication.

For the Android security key to work, iPhone and iPad users need the Google Smart Lock app installed. For now, Google said the Android security key will be limited to sign-ins to Google accounts only.

Article Provided By: techcrunch

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Security, Access Control, Monitoring, Networking, Liquid Video Technologies, Greenville South Carolina, Data Breach

3 U.S. Universities Disclose Data Breach

Three U.S. Universities Disclose Data Breaches Over Two-Day Span

Three U.S. universities have disclosed data breach incidents impacting personally identifiable information of students or employees following unauthorized access to some of their employees’ email accounts.

All three universities — Graceland University, Oregon State University, and Missouri Southern State University — have notified the individuals whose personal information was potentially stolen or accessed about the security incidents.

In addition, no evidence has been found of the impacted personal information being stolen or used in a malicious manner while investigating the disclosed data privacy incidents involving all three universities.

Graceland University says in a notice of data breach published on June 14 that an “unauthorized user gained access to the email accounts of current employees,” on March 29, 2019, as well as “from April 1-30 and April 12-May 1, 2019, respectively.”

As the university discovered during the breach investigation, “the personal information of some people who had interacted with these email accounts over the past several years was available during the time the unauthorized user(s) had access.”

The information that could have been accessed during the incident contained:

• full name
• social security number
• date of birth
• address
• telephone number
• email address
• parents/children
• salary information
• financial aid information for enrollment or possible enrollment at Graceland

Oregon State University (OSU) states in a press release that “636 student records and family records of students containing personally identifiable information were potentially affected by a data privacy incident that occurred in early May.”

OSU says that a joint investigation carried out with the help of forensics specialists found that an employee’s hacked email account containing documents with the info of the 636 students and their family members was also used by the attackers to “send phishing e-mails across the nation.”

As detailed by Steve Clark, OSU’s VP for university relations and marketing:

OSU is continuing to investigate this matter and determine whether the cyber attacker viewed or copied these documents with personal information.

According to Clark, the university is also reviewing the protection systems and procedures used to shield OSU’s e-mail accounts and information systems.

Missouri Southern State University (MSSU), the third entity which reported a breach, states in a notice of data breach sent to the Office of the Vermont Attorney General that it was alerted of a possible cyber attack triggered by a phishing email on January 9.

The phishing attack made several victims among the university’s employees which prompted a law enforcement notification. The university officials were told afterward to delay notification of affected individuals until investigations are complete.

MSSU also hired a leading forensic investigation firm to look into the security incident and to “block potential email exploitation, including a mass password reset of all employee Office 365 accounts.”

After analyzing the contents of the impacted Office 365 accounts, MSSU found that the emails contained within stored “first and last names, dates of birth, home addresses, email addresses, telephone numbers, and social security numbers.”

As further explained in the data breach notification send to the Vermont Attorney General by MSSU:

In late March, April, and early May, the University identified emails containing personal information that may have been compromised by the attack. In mid-May, the University confirmed that your first and last name and social security number were contained in the impacted accounts.

Article Provided By: BleepingComputer

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Security, Access Control, Computer Networking, Monitoring, LVT, Liquid Video Technologies, Greenville South Carolina, Banking Apps

US Mobile Banking Apps Have Security Flaws

Most US mobile banking apps have security and privacy flaws, researchers say

You might figure the biggest U.S. banks would have some of the most secure mobile apps. Spoiler alert: not so much.

New findings from security firm Zimperium, shared exclusively with TechCrunch, say most of the top banking apps have security flaws that put user data at risk. The security firm, which has a commercial stake in the mobile security business, downloaded the banks’ iOS and Android apps and scanned for security and privacy issues, like data leaks, which put private user data and communications at risk.

The researchers found most of the apps had issues, like failing to adhere to best coding practices and using old open-source libraries that are infrequently updated.

Some of the apps were using open-source code from GitHub from more than three years ago, said Scott King, Zimperium’s director of embedded security.

Worse, more than half of the banking apps are sharing customer data with at least one advertiser, the researchers said.

An unnamed iOS banking app with an 86/100 risk score (Image: Zimperium)

Banks Apps

Two unnamed Android banking apps each with an 82/100 risk score (Image: Zimperium)

The researchers, who didn’t name the banks, said one of the worst offending iOS apps scored 86 out of 100 on the risk scale for several privacy lapses, including communicating over an unencrypted HTTP connection. The same app was vulnerable to two known remote bugs dating back to 2015. The researchers said the risk scores for the banks’ corresponding Android apps were far higher. Two of the apps were rated with a risk score of 82 out of 100. Both of the apps were storing data in an insecure way, which third-party apps could access and recover sensitive data on a rooted device, said King.

One of the Android apps wasn’t properly validating HTTPS certificates, making it possible for an attacker to perform a man-in-the-middle attack. Several of the iOS and Android apps were capable of taking screenshots of the app’s display, increasing the risk of data leaking.

Zimperium said two-thirds of the Android banking apps are targeted by several malware campaigns, such as BankBot, which tricks users into downloading fake apps from Google Play and waits until the victim signs in to a banking app on their phone. Using an overlay screen, the malware campaigns steal logins and passwords.

The security firm called on banking apps to do more to bolster their apps’ security.

Article Provided By: techcrunch

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

1 2 3 6