UPbit has announced that, as a precaution, all transactions will remain suspended for at least two weeks
The post Cryptocurrency exchange loses US$50 million in apparent hack appeared first on WeLiveSecurity
ESET researchers have discovered that the criminals behind the Stantinko botnet are distributing a cryptomining module to the computers they control
The post Stantinko botnet adds cryptomining to its pool of criminal activities appeared first on WeLiveSecurity
How the field of play has changed and why endpoint protection often comes down to doing the basics, even in the face of increasingly complex threats
The post CyberwarCon – the future of nation‑state nastiness appeared first on WeLiveSecurity
ESET researchers publish their findings on Mispadu, a banking trojan targeting Brazil and Mexico, and on DePriMon, a downloader with a unique installation technique
Experts weigh in on whether schools should teach kids the skills they need to safely reap the benefits of the online world
Posted by Jessica Lin, Android Security Team
The Android Security Rewards (ASR) program was created in 2015 to reward researchers who find and report security issues to help keep the Android ecosystem safe. Over the past 4 years, we have awarded over 1,800 reports, and paid out over four million dollars.
Today, we’re expanding the program and increasing reward amounts. We are introducing a top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. Additionally, we will be launching a specific program offering a 50% bonus for exploits found on specific developer preview versions of Android, meaning our top prize is now $1.5 million.
As mentioned in a previous blog post, in 2019 Gartner rated the Pixel 3 with Titan M as having the most “strong” ratings in the built-in security section out of all devices evaluated. This is why we’ve created a dedicated prize to reward researchers for exploits found to circumvent the secure elements protections.
In addition to exploits involving Pixel Titan M, we have added other categories of exploits to the rewards program, such as those involving data exfiltration and lockscreen bypass. These rewards go up to $500,000 depending on the exploit category. For full details, please refer to the Android Security Rewards Program Rules page.
Now that we’ve covered some of what’s new, let’s take a look back at some milestones from this year. Here are some highlights from 2019:
- Total payouts in the last 12 months have been over $1.5 million.
- Over 100 participating researchers have received an average reward amount of over $3,800 per finding (46% increase from last year). On average, this means we paid out over $15,000 (20% increase from last year) per researcher!
- The top reward paid out in 2019 was $161,337.
The highest reward paid out to a member of the research community was for a report from Guang Gong (@oldfresher) of Alpha Lab, Qihoo 360 Technology Co. Ltd. This report detailed the first reported 1-click remote code execution exploit chain on the Pixel 3 device. Guang Gong was awarded $161,337 from the Android Security Rewards program and $40,000 by Chrome Rewards program for a total of $201,337. The $201,337 combined reward is also the highest reward for a single exploit chain across all Google VRP programs. The Chrome vulnerabilities leveraged in this report were fixed in Chrome 77.0.3865.75 and released in September, protecting users against this exploit chain.
We’d like to thank all of our researchers for contributing to the security of the Android ecosystem. If you’re interested in becoming a researcher, check out our Bughunter University for information on how to get started.
Starting today November 21, 2019 the new rewards take effect. Any reports that were submitted before November 21, 2019 will be rewarded based on the previously existing rewards table.
Happy bug hunting!
ESET researchers have discovered a new downloader with a novel, not previously seen in the wild installation technique
The post Registers as “Default Print Monitor”, but is a malicious downloader. Meet DePriMon appeared first on WeLiveSecurity
From professional backgrounds to competitive salaries – a study delves into what it takes to build strong cybersecurity teams
The post What does it take to attract top cybersecurity talent? appeared first on WeLiveSecurity
Posted by Christiaan Brand, Product Manager, Google Cloud
We previously announced that starting with Chrome 76, most latest-generation Chromebooks gained the option to enable a built-in FIDO authenticator backed by hardware-based Titan security. For supported services (e.g. G Suite, Google Cloud Platform), enterprise administrators can now allow end users to use the power button on these devices to protect against certain classes of account takeover attempts. This feature is disabled by default, however, administrators can enable it by changing DeviceSecondFactorAuthentication policy in the Google Admin console.
Before we dive deeper into this capability, let’s first cover the main use cases FIDO technology solves, and then explore how this new enhancement can satisfy an advanced requirement that can help enterprise organizations.
FIDO technology aims to solve three separate use cases for relying parties (or otherwise referred to as Internet services) by helping to:
- Prevent phishing during initial login to a service on a new device;
- Reverify a user’s identity to a service on a device on which they’ve already logged in to;
- Confirm that the device a user is connecting from is still the original device where they logged in from previously. This is typically needed in the enterprise.
Security-savvy professionals may interpret the third use case as a special instance of use case #2. However, there are some differences, which we break down a bit further below:
- In case #2, the problem that FIDO technology tries to solve is re-verifying a user’s identity by unlocking a private key stored on the device.
- In case #3, FIDO technology helps to determine whether a previously created key is still available on the original device without any proof of who the user is.
How use case #1 works: Roaming security keys
Once the user is successfully logged in, trust is conferred from the security key to the device on which the user is logging on, usually by placing a cookie or other token on the device in order for the relying party to “remember” that the user already performed a second factor authenticator on this device. Once this step is completed, it is no longer necessary to require a physical second factor on this device because the presence of the cookie signals to the relying party that this device is to be trusted.
Optionally, some services might require the user to still periodically verify that it’s the correct user in front of the already recognized device (for example, particularly sensitive and regulated services such as financial services companies). In almost all cases, it shouldn’t be necessary for the user to also-in addition to providing their knowledge factor (such as a password) – re-present their second factor when re-authenticating as they’ve already done that during initial bootstrapping.
Note that on Chrome OS devices, your data is encrypted when you’re not logged on, which further protects your data against malicious access.
Frequently referred to as “re-authentication,” use case #2 allows a relying party to reverify that the same user is still interacting with the service from a previously verified device. This mainly happens when a user performs an action that’s particularly sensitive, such as changing their password or when interacting with regulated services, such as financial services companies. In this case, a built-in biometric authenticator (e.g. a fingerprint sensor or PIN on Android devices) can be registered, which offers users a more convenient way to re-verify their identity to the service in question. In fact, we have recently enabled this use case on Android devices for some Google services.
The challenge of verifying that a device a user has previously logged in on is still the device from which they’re interacting with the relying party, is what the built-in FIDO authenticator on most latest-generation Chromebooks is able to help solve.
Earlier we noted that upon initial log-in, relying parties regularly place cookies or tokens on a user’s device, so they can remember that a user has previously authenticated. Under some circumstances, such as when there’s malware present on a device, it might be possible for these tokens to be exfiltrated. Asking for the “touch of a built-in authenticator” at regular intervals helps the relying party know that the user is still interacting from a legitimate device which has previously been issued a token. It also helps verify that the token has not been exfiltrated to a different device since FIDO authenticators offer increased protection against the exfiltration of the private key. This is because it’s usually housed in the hardware itself. For example, in the case of most latest-generation Chromebooks (e.g. Pixel Slate), it’s protected by hardware-based Titan security.
In the case of our implementation on Chrome OS, the FIDO keys are also scoped to the specific logged in user, meaning that every user on the device essentially gets their own FIDO authenticator that can’t be accessed across user boundaries. We expect this use case to be particularly useful in enterprise environments, which is why the feature is not enabled by default. Administrators can enable it in the Google Admin console.
Even though it’s technically possible to register the built-in FIDO authenticator on a Chrome OS device as a “security key” with services, it’s best to avoid this instance as users can run an increased risk of account lockout if they ever need to sign in to the service from a different machine.
Starting with Chrome 76, most latest-generation Chromebooks gained the option to enable a built-in FIDO authenticator backed by hardware-based Titan security. To see if your Chromebook can be enabled with this capability, you can navigate to chrome://system and check the “tpm-version” entry. If “vendor” equals “43524f53”, then your Chromebook is backed by Titan security.
In summary, we believe that this new enhancement can provide value to enterprise organizations that want to confirm that the device a user is connecting from is still the original device from which a user logged in from in the past. Most users, however, should be using roaming FIDO security keys, such as Titan Security Key, their Android phone, or security keys from other vendors, in order to avoid account lockouts.
Zack is amazing! I have gone to him with computer issues for the past few years now and he always finds a way to fix… Read more “Amazing!”
Professional, smart & sensitive
Cannot say enough good things about Zack Rahhal and his team. Professional, smart, sensitive to small biz budgets and a helluva good guy. Could not… Read more “Professional, smart & sensitive”
AMAZINGLY WONDERFUL STAFF
stars indeed. So reliable and helpful and kind and smart. We call Al and he is “on it” immediately and such a FABULOUS teacher, patient… Read more “AMAZINGLY WONDERFUL STAFF”
Whatever my need, unfailingly helpful
I’ve been a customer of the staff at Advantage for many years now. They have never let me down! Whatever my need, however big or… Read more “Whatever my need, unfailingly helpful”
Best Kept Secret
I’ve known the Advantage Team for years. They are the absolute best techs in the field, bar none. I couldn’t tell you how many tens… Read more “Best Kept Secret”
I had an excellent experience with Advantage. Aside from being extremely professional and pleasant generally, Zack was incredibly responsive and helpful, even before and after… Read more “Excellent Experience”
The engineering team at Advantage Computers is the best in the business. They are nothing short of technical wizards.
It’s like having a cousin in the business.
Al, Nasser and Zack have been keeping our operations going for over a decade, taking care of our regular upgrades and our emergency system problems.… Read more “It’s like having a cousin in the business.”
I became a customer about 6-7 months and I can say nothing but great things about this business. Zack takes care of me. I am… Read more “Highly Recommended”
THANK GOD for this local computer repair business who saved me hundreds, my hard drive was messed up, i called the company with warranty they… Read more “Life Savers”
I don’t have enough words to express my appreciation
I don’t have enough words to express my appreciation for Nassar and Paul, and the other members of Advantage Computer Solutions. I live in Bergen… Read more “I don’t have enough words to express my appreciation”
Great Advice and Service
Advantage offers great advice and service
I bought parts for my gaming pc online and they put it together in a day for a… Read more “Great Advice and Service”