Lightning-compatible YubiKey 5Ci could secure your iPhone logins

iPhone owners with a mind toward security have a new option for protecting their online accounts. On Tuesday, security key manufacturer Yubico announced the $70 YubiKey 5Ci, which the company says is the world’s first Lightning port-compatible security key.

At launch, the 5Ci works with several popular password managers, including 1Password, Dashlane, LastPass and Bitwarden, and with authentication services such as Okta. In each case you plug the 5Ci into your iPhone, open the app, and log in to an online account without typing a password. If you use Brave rather than Safari for browsing, Brave on iOS can talk to the key directly, so for sites that support it you do not need to open a password manager first.

The other end of the 5Ci is a USB-C connector, for when you need to log in on an Android device or a computer. One limitation is that it currently does not work with the 2018 iPad Pro. We’ve reached out to Yubico to find the exact reason for this limitation, but we suspect it has something to do with restrictions iOS 12 places on USB-C connectivity. That could change when iOS 13 comes out this fall. Nor does the 5Ci work with every FIDO-compliant service or app out of the box on iOS: in a statement to The Verge, Yubico said third-party developers must add support for the 5Ci to their iOS apps individually. A full list of compatible services is available on the company’s website.

If you’re not familiar with physical security keys, they are currently one of the most effective defences against account takeover. Rather than a password or a one-time code, both of which can be phished or intercepted and then replayed, the key signs a fresh challenge from the site, and the browser or app writes the site’s origin into the data that gets signed. A look-alike phishing site therefore cannot obtain a response the real site will accept, and nothing the user types can be reused. In 2018, Google said it had reduced successful phishing attacks on its 85,000 employees to zero after making security keys mandatory.
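To make the phishing-resistance claim concrete, here is a toy model of a FIDO-style challenge and response, added as an example for this page and not code from Yubico or the article. Everything in it is an assumption made for illustration: the site name bank.example, the user alice, and the use of HMAC with a shared per-site secret in place of the per-credential private key and signature a real key uses. What it preserves is the structure that matters: the browser, not the user, writes the origin it is on into the data the key signs, the key only answers for sites it was registered with, and the server rejects an assertion whose origin or challenge does not match.

```python
"""Toy model of why a FIDO security key resists phishing.

Added example for this article, not Yubico's or any real FIDO code.
Assumptions: HMAC with a per-site secret stands in for the per-credential
private key a real key holds and the signature it produces, and the relying
party holds that same secret instead of a public key. The structure is the
real one: the client (browser), not the user, writes the origin into the
data the key signs, and the server checks both origin and challenge.
"""
import hashlib
import hmac
import json
import secrets


class SecurityKey:
    """Simulated authenticator with one credential per relying-party ID."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # toy: the server receives the shared secret

    def get_assertion(self, rp_id, client_data):
        key = self._creds.get(rp_id)
        if key is None:
            return None  # no credential for this site: the key stays silent
        return hmac.new(key, client_data, hashlib.sha256).digest()


class RelyingParty:
    """The website: issues one-time challenges and verifies assertions."""

    def __init__(self, origin):
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1]
        self._creds = {}
        self._pending = set()

    def register(self, user, key):
        self._creds[user] = key.register(self.rp_id)

    def challenge(self):
        c = secrets.token_hex(16)
        self._pending.add(c)
        return c

    def verify(self, user, client_data, signature):
        data = json.loads(client_data)
        if data.get("challenge") not in self._pending:
            return False  # unknown or already-used challenge (replay)
        if data.get("origin") != self.origin:
            return False  # signed for some other site: a phished assertion
        expected = hmac.new(self._creds[user], client_data, hashlib.sha256).digest()
        if signature is None or not hmac.compare_digest(expected, signature):
            return False
        self._pending.discard(data["challenge"])  # each challenge is single-use
        return True


def browser_login(key, origin, challenge):
    """What the browser does: it records the origin it is actually on."""
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps(
        {"challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    return client_data, key.get_assertion(rp_id, client_data)


def demo():
    key = SecurityKey()
    bank = RelyingParty("https://bank.example")
    bank.register("alice", key)

    # 1. Genuine login on the real site.
    c1 = bank.challenge()
    cd1, sig1 = browser_login(key, "https://bank.example", c1)
    genuine_ok = bank.verify("alice", cd1, sig1)

    # 2. Phishing: a look-alike site relays the bank's real challenge, but the
    #    browser is on the phishing origin, so the key has no credential to use
    #    and whatever the attacker forwards carries the wrong origin.
    c2 = bank.challenge()
    cd2, sig2 = browser_login(key, "https://bank-example.com", c2)
    phish_ok = bank.verify("alice", cd2, sig2)

    # 3. Replay: the attacker captured the genuine assertion and resends it.
    replay_ok = bank.verify("alice", cd1, sig1)

    return genuine_ok, sig2 is None, phish_ok, replay_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

Run it and the tuple reads (True, True, False, False): the genuine login verifies, the look-alike site gets no signature at all, what it did obtain is rejected, and a replayed genuine assertion fails because each challenge is single-use. A real key uses public-key signatures, so the server never holds anything that could forge an assertion; the HMAC stand-in is only there to keep the example inside the standard library.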

However, at $70 the 5Ci is one of the more expensive security keys out on the market. If you’re looking for something more affordable, Yubico also offers the $45 YubiKey 5 NFC, which is similarly compatible with the iPhone. Another option is Google’s $50 Titan security key, which has the advantage of also working through Bluetooth. And while a security key will help keep you as safe as possible, most people need to start with a simple password manager, as reused passwords are the single largest culprit behind hacked accounts. Once you have a password manager, a security key like the YubiKey 5Ci is a good next step if you want to further secure your online accounts.

Source: https://www.engadget.com/2019/08/20/yubico-yubikey-5ci-iphone-lightning/

GitHub launches ‘Security Lab’ to help secure open source ecosystem


Today, at the GitHub Universe developer conference, GitHub announced the launch of a new community program called Security Lab that brings together security researchers from different organizations to hunt and help fix bugs in popular open source projects.

“GitHub Security Lab’s mission is to inspire and enable the global security research community to secure the world’s code,” the company said in a press release.

“Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open source projects,” it said.

Founding members include security researchers from organizations like Microsoft, Google, Intel, Mozilla, Oracle, Uber, VMware, LinkedIn, J.P. Morgan, NCC Group, IOActive, F5, Trail of Bits, and HackerOne.

GitHub says Security Lab founding members have found, reported, and helped fix more than 100 security flaws already.

Other organizations, as well as individual security researchers, can also join. A bug bounty program with rewards of up to $3,000 is also available, to compensate bug hunters for the time they put into searching for vulnerabilities in open source projects.

Bug reports must contain a CodeQL query. CodeQL is the semantic code analysis engine GitHub acquired with Semmle; it treats code as data, so a query written for one instance of a vulnerability finds the same pattern and its variants across vast swaths of code, and GitHub is now making it free for research on open source projects. Besides GitHub, CodeQL is already used elsewhere for vulnerability scanning, for example at Mozilla.
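The idea behind requiring a CodeQL query is variant analysis: describe one bug shape as a query over the code’s structure and data flow, and the engine finds every occurrence of that shape. The following is an added illustration of that idea using only Python’s ast module on a constructed sample; it is not CodeQL and not GitHub’s code, and the rule it implements (a shell sink whose command argument is not a literal) is a deliberately simple stand-in for the cross-function, cross-file data-flow tracking a real CodeQL query does.

```python
"""Variant analysis on a syntax tree with Python's ast module.

Added example for this article, not CodeQL and not GitHub's code: it shows
the idea a CodeQL query captures, one rule that finds every instance of a
vulnerability shape, using the standard library on a constructed sample.
CodeQL does this with data flow across files and languages; this version
looks only at the call site.
"""
import ast

# Sinks that hand a string to a shell. subprocess.* only counts when shell=True.
SUBPROCESS_SINKS = {"call", "run", "Popen", "check_call", "check_output"}
OS_SINKS = {"system", "popen"}


def dotted_name(node):
    """'os.system' for the callee expression, or None if it is not a plain name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def shell_is_true(call):
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


class ShellSinkFinder(ast.NodeVisitor):
    """Report shell sinks whose command argument is not a literal constant."""

    def __init__(self):
        self.findings = []
        self._scope = ["<module>"]

    def visit_FunctionDef(self, node):
        self._scope.append(node.name)
        self.generic_visit(node)
        self._scope.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name:
            mod, _, attr = name.rpartition(".")
            is_sink = (mod == "subprocess" and attr in SUBPROCESS_SINKS and shell_is_true(node)) or (
                mod == "os" and attr in OS_SINKS
            )
            if is_sink and node.args and not isinstance(node.args[0], ast.Constant):
                self.findings.append((self._scope[-1], node.lineno, name))
        self.generic_visit(node)


def find_shell_injection(source):
    """Return (enclosing function, line, sink) for every suspicious call."""
    finder = ShellSinkFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample: four shapes of the same question, "does attacker-controlled
# text reach a shell?"
SAMPLE = '''\
import os, subprocess
def a(cmd): subprocess.call(cmd, shell=True)           # variant 1: flagged
def b(): subprocess.call("ls -l", shell=True)          # literal command: fine
def c(path): os.system("tar czf backup.tgz " + path)   # variant 2: flagged
def d(name): subprocess.run(["grep", name])            # list, no shell: fine
'''


if __name__ == "__main__":
    for func, line, sink in find_shell_injection(SAMPLE):
        print(f"line {line}: {sink} in {func}() takes a non-literal command")
```

Running find_shell_injection(SAMPLE) reports functions a and c. The rule misses a command assembled in a variable a few lines earlier, or a sink imported as from os import system; closing those gaps is precisely what taint tracking in a real query language buys you.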


GitHub’s new Security Lab project did not come out of the blue. Efforts have been going on at the company to improve the overall security state of the GitHub ecosystem for some time. Security Lab merges all these together.

For example, GitHub has been working for the past two years on rolling out security notifications that warn project maintainers about dependencies that contain security flaws.

Earlier this year, GitHub started testing “automated security updates.” When GitHub detects a vulnerable version of a dependency in a project, it opens a pull request on the maintainer’s behalf that bumps the dependency to a fixed version; merging it is still the maintainer’s call.

The feature has been in beta for all of 2019, but starting today automated security updates are generally available and have been rolled out to every active repository with security alerts enabled.

[Image: an automated security update pull request (Image: GitHub)]

Furthermore, GitHub also recently became an authorized CVE Numbering Authority (CNA), which means it can assign CVE identifiers to vulnerabilities, and it did not apply for that status for nothing.

That CNA capability is wired into a new feature called “security advisories”: private draft entries inside a repository, separate from its public issue tracker, where maintainers and reporters can work on a flaw before anyone else sees it.

Once the flaw is fixed, the project owner publishes the advisory, and GitHub alerts the downstream projects that depend on vulnerable versions of the code.

But before publishing a security advisory, project owners can also request and receive a CVE number for their project’s vulnerability directly from GitHub.

Previously, many open source project owners who hosted their projects on GitHub didn’t bother requesting a CVE number due to the arduous process.

However, getting CVE identifiers matters, as these IDs and their details feed the many scanners and dependency tools that check projects for known vulnerabilities, helping companies spot vulnerable open source components they would otherwise miss.

[Image: a GitHub security advisory with its CVE identifier (Image: GitHub)]

And in addition to the new GitHub Security Lab, the code-sharing platform is also launching the GitHub Advisory Database, where it will collect all security advisories published on the platform, to make it easier for everyone to keep track of security flaws found in GitHub-hosted projects.

And last, but not least, GitHub also updated Token Scanning, its in-house service that can scan users’ projects for API keys and tokens that have been accidentally left inside their source code.

Starting today, the service, which previously could detect API tokens from 20 services, can identify four more formats, from GoCardless, HashiCorp, Postman, and Tencent.
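A token scanner is a regular-expression pass over every line of source for provider-specific prefixes, backed by a weaker entropy heuristic for formats without a known shape. The block below is an added example of that technique, not GitHub’s scanner; its AWS and Slack patterns follow those providers’ documented public formats, the ghp_ pattern is GitHub’s own later token prefix, the entropy threshold is a tuning assumption, and the sample file is constructed with fake values.

```python
"""Minimal secret scanner of the kind GitHub's Token Scanning performs.

Added example for this article, not GitHub's code. The AWS and Slack
patterns follow documented public formats; the GitHub personal access token
pattern matches the prefixed format GitHub later adopted. The entropy
threshold is a tuning assumption. The sample file below is constructed and
contains no live secrets.
"""
import math
import re

# Provider-specific formats: high confidence, low false-positive rate.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Fallback for formats with no known shape: long quoted strings that look random.
QUOTED = re.compile(r"""["']([^"'\n]{20,})["']""")
ENTROPY_BITS_PER_CHAR = 3.5  # assumption: tune against your own codebase


def shannon_entropy(s):
    """Bits per character; 0.0 for an empty string or one repeated character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(ch) / n * math.log2(s.count(ch) / n) for ch in set(s))


def redact(token):
    """Never echo the full secret into logs or alerts."""
    return token[:6] + "..." + token[-4:]


def scan_text(text, path="<inline>"):
    """Return one finding per match: provider patterns first, entropy as fallback."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hit = True
                findings.append(
                    {"path": path, "line": lineno, "type": name, "match": redact(m.group())}
                )
        if hit:
            continue  # a specific pattern already covers this line
        for m in QUOTED.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_BITS_PER_CHAR:
                findings.append(
                    {"path": path, "line": lineno, "type": "high_entropy_string",
                     "match": redact(m.group(1))}
                )
    return findings


# Constructed sample file: every value below is fake.
SAMPLE = """\
# constructed sample file: every value below is fake
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SLACK_BOT = "xoxb-123456789012-abcdefghijklmnop"
GITHUB = "ghp_" + "A" * 36
db_url = "postgres://app:Zq8vT2mK9pL4xR7wN3bH@db.internal/app"
password = "hunter2"
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE, "config.py"):
        print(f"{f['path']}:{f['line']} {f['type']} {f['match']}")
```

On the sample it reports the AWS key on line 2, the Slack token on line 3 and the high-entropy database URL on line 5. It does not report line 4, where the token is assembled at run time, or the short password on line 6, which is the practical limit of pattern scanning: it catches well-formed secrets that were pasted in, and the rest needs review or a pre-commit hook that blocks the paste in the first place.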

Source: https://www.zdnet.com/article/github-launches-security-lab-to-help-secure-open-source-ecosystem/

iPhone owners should delete these 17 apps now, security experts warn


Apple has confirmed that 17 applications have been removed from the App Store after they were found to be quietly committing ad fraud behind users’ backs. Here’s which apps were called out, so you can immediately delete any that are still sitting on your iOS home screen.

If you’ve got any of these 17 apps saved on your iPhone, you’d best delete them as soon as possible.

Apple has confirmed the applications have now been wiped from its App Store, but you’ll still need to delete them from your smartphone yourself if you had already downloaded and run them. The apps, all from a single developer, were generating fraudulent advertising revenue behind iPhone owners’ backs.

The warning comes just hours after Android users were cautioned to delete a number of malicious apps from Google’s rival Play Store.

Mobile security firm Wandera sniffed out the malicious software, which was available to iPhone owners worldwide. For users it would be almost impossible to tell that anything was wrong, since the apps did exactly what they promised on the tin... except that they were also committing ad fraud in the background on your iPhone.

“The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network,” the security firm explains.

Although the apps weren’t designed to cause any direct harm to users or their smartphones themselves, the nefarious behind-the-scenes activity would drain mobile data faster than usual, so if you’re not on an unlimited 4G plan – it would cost you each month. Secondly, the activity from the apps could also cost you precious battery life, as well as slowing down your phone, since it’s having to process all the extra ad requests.

So, deleting the software could see a drop in any additional monthly charges from your network provider, faster performance, as well as a few more hours battery life, which are all pretty substantial benefits.

Wandera says these apps were able to slip past Apple’s stringent review process because the malicious code was never inside the apps themselves, so there was nothing for Apple to detect when scanning them before admitting them to the App Store. Instead, the apps fetched their instructions at run time from a remote command-and-control server run by the developer, and only then began their click activity. Any app that can load behaviour from a server after review can change what it does after approval; static review alone cannot rule that out.

Apple says it’s now improving the app review process to stop this happening in future.

The same server also controlled a similar set of Android apps. Unfortunately, on Android the developer was able to go even further with these malicious apps, causing direct harm to the user.

According to the Wandera security team, “Android apps communicating with the same server were gathering private information from the user’s device, such as the make and model of the device, the user’s country of residence and various configuration details.

“One example involved users who had been fraudulently subscribed to expensive content services following the installation of an infected app.”

The full list of infected apps:

  • RTO Vehicle Information
  • EMI Calculator & Loan Planner
  • File Manager – Documents
  • Smart GPS Speedometer
  • CrickOne – Live Cricket Scores
  • Daily Fitness – Yoga Poses
  • FM Radio – Internet Radio
  • My Train Info – IRCTC & PNR (not listed under developer profile)
  • Around Me Place Finder
  • Easy Contacts Backup Manager
  • Ramadan Times 2019
  • Restaurant Finder – Find Food
  • BMI Calculator – BMR Calc
  • Dual Accounts
  • Video Editor – Mute Video
  • Islamic World – Qibla
  • Smart Video Compressor

All 17 apps were published on App Stores in various countries by the same developer, India-based AppAspect Technologies Pvt. Ltd. So, if you spot that name on an app listing that looks good... don’t download it.

Source: https://www.express.co.uk/life-style/science-technology/1196281/iPhone-Delete-These-Apps

Top Linux developer on Intel chip security problems: ‘They’re not going away.’

Published

on

By

Greg Kroah-Hartman, the stable Linux kernel maintainer, could have prefaced his Open Source Summit Europe keynote, “MDS, Fallout, ZombieLoad, and Linux,” by paraphrasing Winston Churchill: I have nothing to offer but blood, sweat and tears for dealing with Intel CPUs’ security problems.

Or as a Chinese developer recently told him about these problems: “This is a sad talk.” The sadness is that the same speculative-execution flaws in Intel CPUs that led to Meltdown and Spectre are alive and well and causing more trouble.

The problem with how Intel implemented speculative execution is that, while guessing the CPU’s next action ahead of time does speed things up, the guesses leave traces of data in microarchitectural buffers and caches that other code on the same core can read through side channels. That is bad enough on your own server, but when it breaks down the barriers between virtual machines (VMs) in cloud computing environments, it’s a security nightmare.

Kroah-Hartman said, “These problems are going to be with us for a very long time, they’re not going away. They’re all CPU bugs, in some ways they’re all the same problem,” but each has to be solved in its own way. “MDS, RIDL, Fallout, ZombieLoad: They’re all variants of the same basic problem.”

And they’re all potentially deadly for your security: “RIDL and ZombieLoad, for example, can steal data across applications, virtual machines, even secure enclaves. The last is really funny, because [Intel Software Guard Extensions (SGX)] is what’s supposed to be secure inside Intel chips, [but it turns out it’s] really porous. You can see right through this thing.”
 
To fix each problem as it pops up, you must patch both your Linux kernel and your CPU’s microcode, which arrives either as a BIOS/firmware update or through the kernel’s early microcode loader. This is not a Linux problem; every operating system faces the same chore.

Kroah-Hartman freely admits that OpenBSD, a BSD Unix devoted to security first and foremost, was the first to adopt what is currently the best answer for this class of hole: turn Intel’s simultaneous multithreading (SMT, marketed as Hyper-Threading) off and take the performance hit. Linux now offers the same option (the nosmt boot parameter), though it does not disable SMT by default.

But that’s not enough. You must also keep securing the operating system as each new way to exploit the shared core appears. For Linux, that means flushing the CPU’s internal buffers at the boundaries where control passes between security domains, for example when the kernel returns to user space or switches from running one VM to another.

You can probably guess what the trouble is. Each buffer flush takes a lot of time, and the more VMs, containers, whatever, you’re running, the more time you lose.

How bad are these delays? It depends on the job. Kroah-Hartman said he spends his days writing and answering emails. That activity only takes a 2% performance hit. That’s not bad at all. He also is always building Linux kernels. That takes a much more painful 20% performance hit. Just how bad will it be for you? The only way to know is to benchmark your workloads. 

Of course, it’s up to you, but as Kroah-Hartman said, “The bad part of this is that you now must choose: Performance or security. And that is not a good option.” It’s also, he reminded the developer-heavy crowd, which choice your cloud provider has made for you.

But wait! The bad news keeps coming. You must update your Linux kernel and patch your microcode as each Intel-related security update comes down the pike. The only way to be safe is to run the latest Canonical, Debian, Red Hat or SUSE distribution kernels, or the newest long-term support Linux kernel. Kroah-Hartman added, “If you are not using a supported Linux distribution kernel or a stable/long term kernel, you have an insecure system.”
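The kernel reports its own view of each of these issues, so whether a given host is patched, and whether SMT is still exposing it, can be answered from sysfs. The block below is an added example, not from the talk or from any distribution’s tooling: it reads /sys/devices/system/cpu/vulnerabilities/ and /sys/devices/system/cpu/smt/control, or falls back to a constructed sample when run somewhere those files do not exist, and turns the status lines into action items. The verdict labels are the example’s own; the status strings in the sample follow the formats the kernel writes.

```python
"""Check what this kernel says about speculative-execution mitigations.

Added example for this article, not from the talk or any distribution's
tooling. It reads the kernel's own reporting under
/sys/devices/system/cpu/vulnerabilities/ and /sys/devices/system/cpu/smt/control
and turns the status lines into a short list of actions. The sample below is
constructed; its status strings follow the formats the kernel prints.
"""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
SMT_CONTROL = Path("/sys/devices/system/cpu/smt/control")


def classify(status):
    """Map one sysfs status line to a verdict (labels are this example's own)."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not-affected"
    if s.startswith("Mitigation:"):
        # The kernel appends "SMT vulnerable" when sibling threads stay exposed.
        return "mitigated-smt-vulnerable" if "SMT vulnerable" in s else "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def parse_vuln_status(entries):
    """entries: {file name: raw status line}, as read from the sysfs directory."""
    return {name: classify(text) for name, text in entries.items()}


def assess(report, smt_control):
    """Return the action items a practitioner would act on, in a fixed order."""
    actions = []
    vulnerable = sorted(n for n, v in report.items() if v == "vulnerable")
    if vulnerable:
        actions.append(
            "still vulnerable (update kernel and CPU microcode): " + ", ".join(vulnerable)
        )
    smt_exposed = sorted(n for n, v in report.items() if v == "mitigated-smt-vulnerable")
    if smt_exposed and smt_control.strip() == "on":
        actions.append(
            "SMT is on and the mitigation does not cover sibling threads for: "
            + ", ".join(smt_exposed)
            + " (boot with nosmt, or write 'off' to smt/control, or accept the risk)"
        )
    return actions


def read_live():
    """Read the real files; returns empty data on a kernel without them."""
    entries = {p.name: p.read_text() for p in VULN_DIR.iterdir()} if VULN_DIR.is_dir() else {}
    smt = SMT_CONTROL.read_text() if SMT_CONTROL.is_file() else "notimplemented"
    return entries, smt


# Constructed sample: an MDS-era host with SMT on and no microcode for TAA.
SAMPLE_ENTRIES = {
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable\n",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling\n",
    "tsx_async_abort": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n",
    "spec_store_bypass": "Not affected\n",
}
SAMPLE_SMT = "on\n"


if __name__ == "__main__":
    entries, smt = read_live()
    if not entries:
        entries, smt = SAMPLE_ENTRIES, SAMPLE_SMT  # no sysfs here: show the sample
    report = parse_vuln_status(entries)
    for name, verdict in sorted(report.items()):
        print(f"{name:20s} {verdict}")
    print("smt/control:", smt.strip())
    for action in assess(report, smt) or ["no action needed"]:
        print("-", action)
```

On the sample host the output says that tsx_async_abort is still vulnerable because the microcode is missing, and that mds and l1tf are mitigated only for the current thread while SMT stays on; that is exactly the performance-or-security choice the talk describes, and it is also the check to run on a cloud instance to see which choice the provider made for you.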

So, on that note, you can look forward to constantly updating your operating system and hardware until the current generation of Intel processors are in antique shops. And you’ll be stuck with poor performance if you elect to put security ahead of speed. Fun, fun, fun!

Source: https://www.zdnet.com/article/top-linux-developer-on-intel-chip-security-problems-theyre-not-going-away/
