Zero knowledge refers to policies and architecture that eliminate the possibility for a password manager to access your password.
I am unreasonably excited about passkeys. I’ve long been looking for a better and more convenient way than passwords to do authentication, and I think passkeys are finally it.
Ransomware negotiations are usually shrouded in secrecy, but some security experts think that we should make them public and analyze them to glean insights. So that's exactly what we did.
What are Canarytokens
You'll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests.
Imagine doing that, but for file reads, database queries, process executions or patterns in log files. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.
Why should you use them
Network breaches happen. From mega-corps, to governments. From unsuspecting grandmas to well-known security pros. This is (kinda) excusable. What isn't excusable, is only finding out about it, months or years later.
Canarytokens are a free, quick, painless way to help defenders discover they've been breached (by having attackers announce themselves.)
But despite their increasing complexity, a great many initial intrusions that lead to data theft could be nipped in the bud if more organizations started looking for the telltale signs of newly-arrived cybercriminals behaving like network tourists, Cisco says.
“One of the most important things to talk about here is that in each of the cases we’ve seen, the threat actors are taking the type of ‘first steps’ that someone who wants to understand (and control) your environment would take,” Cisco’s Hazel Burton wrote. “Examples we have observed include threat actors performing a ‘show config,’ ‘show interface,’ ‘show route,’ ‘show arp table’ and a ‘show CDP neighbor.’ All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have.”
When those stolen resources first get used by would-be data thieves, almost invariably the attackers will run a series of basic commands asking the local system to confirm exactly who and where they are on the victim’s network.
This fundamental reality about modern cyberattacks — that cybercriminals almost always orient themselves by “looking up” who and where they are upon entering a foreign network for the first time — forms the business model of an innovative security company called Thinkst, which gives away easy-to-use tripwires or “canaries” that can fire off an alert whenever all sorts of suspicious activity is witnessed.
“Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage),” the Thinkst website explains. “Reliably alerting when a user on your code-sign server runs whoami.exe can mean the difference between catching a compromise in week-1 (before the attackers dig in) and learning about the attack on CNN.”
These canaries — or “canary tokens” — are meant to be embedded inside regular files, acting much like a web beacon or web bug that tracks when someone opens an email.
Thinkst operates alongside a burgeoning industry offering so-called “deception” or “honeypot” services — those designed to confuse, disrupt and entangle network intruders. But in an interview with KrebsOnSecurity, Thinkst founder and CEO Haroon Meer said most deception techniques involve some degree of hubris.
One nice thing about canary tokens is that Thinkst gives them away for free. Head over to canarytokens.org, and choose from a drop-down menu of available tokens
Rather than compromising infrastructure used to make various MFA services work, as more advanced groups do, a Lapsus$ leader last year described his approach to defeating MFA this way: “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
- A phishing campaign that used MFA bombing and other unsophisticated techniques successfully breached San Francisco-based MFA provider Twilio and came close to breaching content delivery network Cloudflare were it not for the latter’s use of MFA that’s compliant with the FIDO2 industry standard.
The report contains a variety of recommendations. Key among them is moving to passwordless authentication systems, which presumably refer to passkeys, based on FIDO2. Like all FIDO2 offerings, passkeys are immune to all known credential phishing attacks because the standard requires the device that provides MFA to be no further than a few feet away from the device logging in.
Microsoft finds vulnerabilities it says could be used to shut down power plants
Exploitation is hard and patches are already out, but the potential risk is great.
Microsoft on Friday disclosed 15 high-severity vulnerabilities in a widely used collection of tools used to program operational devices inside industrial facilities such as plants for power generation, factory automation, energy automation, and process automation. The company warned that while exploiting the code-execution and denial-of-service vulnerabilities was difficult, it enabled threat actors to “inflict great damage on targets.”
The vulnerabilities affect the CODESYS V3 software development kit. Developers inside companies such as Schneider Electric and WAGO use the platform-independent tools to develop programmable logic controllers, the toaster-sized devices that open and close valves, turn rotors, and control various other physical devices in industrial facilities worldwide. Specifically, the SDK allows developers to make PLCs compatible with IEC 611131-3, an international standard that defines programming languages that are safe to use in industrial environments. Examples of devices that use CODESYS V3 include Schneider Electric’s Modicon TM251 and the WAGO PFC200.
Both Intel’s consumer and server processors are affected. On the consumer side, all PCs and laptops with Intel Core processors from the 6th-generation “Skylake” chips up to and including the 11th-generation “Tiger Lake” chips contain the vulnerability. This means that the vulnerability has existed since at least 2015, when Skylake was released.
Intel’s corresponding Xeon processors are also at risk to Downfall. Due to Intel’s dominant position in server processors, virtually every internet user could be affected, at least indirectly.
The Russian government today handed down a treason conviction and 14-year prison sentence on Ilya Sachkov, the former founder and CEO of one of Russia’s largest cybersecurity firms. Sachkov, 37, has been detained for nearly two years under charges that the Kremlin has kept classified and hidden from public view, and he joins a growing roster of former Russian cybercrime fighters who are now serving hard time for farcical treason convictions.
In 2003, Sachkov founded Group-IB, a cybersecurity and digital forensics company that quickly earned a reputation for exposing and disrupting large-scale cybercrime operations, including quite a few that were based in Russia and stealing from Russian companies and citizens.
Prior to his arrest in 2021, Sachkov publicly chastised the Kremlin for turning a blind eye to the epidemic of ransomware attacks coming from Russia. In a speech covered by the Financial Times in 2021, Sachkov railed against the likes of Russian hacker Maksim Yakubets, the accused head of a hacking group called Evil Corp. that U.S. officials say has stolen hundreds of millions of dollars over the past decade.
One frustrating aspect of email phishing is the frequency with which scammers fall back on tried-and-true methods that really have no business working these days. Like attaching a phishing email to a traditional, clean email message, or leveraging link redirects on LinkedIn, or abusing an encoding method that makes it easy to disguise booby-trapped Microsoft Windows files as relatively harmless documents.
re: “Teach a Man to Phish and He’s Set for Life”
This is an old saw from the UN … Give a man a fish and you’ve fed him for a day, teach a man to fish and you’ve fed him for life.
A coworker fixed it for me: Feed blowfish sushi to spammers as often as necessary.
johnwalker
When I wrote “The Digital Imprimatur” almost twenty years ago (published on 2003-09-13), I was motivated by the push for mandated digital rights management with hardware enforcement, attacks on anonymity on the Internet, the ability to track individuals’ use of the Internet, and mandated back-doors that defeated encryption and other means of preserving privacy against government and corporate surveillance.
This time it’s called “Web Environment Integrity” (WEI), and it comes, not from Microsoft but from the company that traded in their original slogan of “Don’t be evil” for “What the Hell, evil pays a lot better!”—Google.
So, what is WEI? Let’s start with a popular overview from Ars Technica.
Security researchers are warning that tens of thousands of photovoltaic (PV) monitoring and diagnostic systems are reachable over the public web, making them potential targets for hackers.
These systems are used for remote performance monitoring, troubleshooting, system optimization, and other functions to allow remote management of renewable energy production units.
Cyble’s threat analysts scanned the web for internet-exposed PV utilities and found 134,634 products from various vendors, which include Solar-Log, Danfoss Solar Web Server, SolarView Contec, SMA Sunny Webbox, SMA Cluster Controller, SMA Power Reducer Box, Kaco New Energy & Web, Fronius Datamanager, Saj Solar Inverter, and ABB Solar Inverter Web GUI.
It is important to note that the exposed assets are not necessarily vulnerable or misconfigured in a way that allows attackers to interact with them. However, Cyble’s research shows that unauthenticated visitors can glean information, including settings, that could be used to mount an attack.
Exploiting vulnerabilities in the PV systems that Cyble found exposed online has happened recently, with hackers scanning the web for vulnerable devices to add them to botnets.
For example, CVE-2022-29303, an unauthenticated remote command injection vulnerability impacting Contec’s SolarView system, was used by a relatively new Mirai variant looking for fresh systems to grow its distributed denial-of-service (DDoS) power.
Microsoft’s Threat Intelligence team’s statement points to Beijing’s motives and its belief that there will be no repercussions from the current U.S. administration: “Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
There are two key take-aways from Wednesday’s news from Microsoft: 1) Chinese President Xi Jinping has consistently brushed aside diplomacy while actively preparing for potential conflict with the U.S. and 2) detection of such attacks remains a key gap for critical infrastructure cybersecurity.
More policies and more people are themselves not a solution. The Department of Homeland Security and other federal stakeholders have been given authorities to be proactive in their approach to cybersecurity. However, the model the government has embraced is a flat-footed and clumsy approach that keeps them in a constant state of response and recovery—awaiting alerts from the private sector and then managing damage-control messaging afterward.
Instead of waiting for the private sector to decide to share information, DHS must become forward-leaning and take meaningful steps toward addressing the risk and mitigating cyber threats to our critical infrastructure.
Not sure we should have the government leading the way in this, we would end up just like China, with bureaucrats inside private sector security...
Editor’s note: based on industry research (from Chrome and others), and the ubiquity of HTTPS, we will be replacing the lock icon in Chrome’s address bar with a new “tune” icon – both to emphasize that security should be the default state, and to make site settings more accessible. Read on to learn about this multi-year journey.
Those scary warnings of juice jacking in airports and hotels? They’re mostly nonsense | Ars Technica
An FBI spokesperson told me this month’s tweet was “a standard PSA-type post—nothing new” and that it stemmed from the FCC warning. “This was a general reminder for the American public to stay safe and diligent, especially while traveling.” They added: “I am sorry I can’t give you an answer that is more newsy.” When I asked an FCC spokesperson what the basis was for the agency to update its warning five days later, they said it was prompted by the Denver FBI tweet.
What this means is that state and federal authorities and hundreds of news outlets—none of them with any expertise in cybersecurity—have generated a continuous feedback loop. This vicious cycle has done little more than scare the public into eschewing charging stations when there’s wide consensus among security professionals that there’s no reason for anyone other than high-asset targets of nation-states to do so.
Finally, besides there being no universal script that will work on hundreds or even dozens of different devices, the customized scripts are non-trivial to write. They require a high skill level and a huge amount of trial-and-error troubleshooting.
None of this is to say that people shouldn’t bring their own charging cord and wall plug when they’re out of the home or office. That is a best practice, but it's wrong to characterize it as a required practice.
The problem with the warnings coming out of the FCC and FBI is that they divert attention away from bigger security threats, such as weak passwords and the failure to install security updates. They create unneeded anxiety and inconvenience that run the risk of people simply giving up trying to be secure.
As security researcher Kenn White recently wrote of the warnings on Mastodon: “What's the end goal here? Convince people who are down to 2 percent battery while traveling to never use modern public infrastructure? Come on. There are 20 things that threaten muggle endpoint security, and this isn't among them.”
Fen Labalme • March 2, 2023 6:44 PM
I like the password policies according to NIST SP 800-63b guidelines as follows:
All users will be required to have strong “memorized secret” passwords/passphrases that:
- Are at least 16 characters in length (allowing up to 255 characters)
- Do not match a dictionary of known breached passwords and other common phrases
- Have sufficient complexity and entropy (make use of zxcvbn)
- Cannot be changed until they have been in use at least 5 days
- Do not match any of the previous 25 passwords used
mark • March 2, 2023 1:00 PM
And NIST guidelines, as of three years ago, were that you don’t need to change your passwords more than every couple of years.
Bill • November 16, 2021 8:34 AM
The NIST has already advised on passwords, and issued guidelines a couple of years ago — recommending LESS COMPLEX passwords (no rules) in favor of longer passwords.
They cite research indicating that complex passwords are not harder to crack, and are much harder to remember (which is why people write them down, or now use password managers). Longer passwords, on the other hand, can be easy to remember as phrases or strings of words, etc. Longer passwords are harder to crack.
William Entriken • November 16, 2021 9:27 AM
NIST has published guidelines on what types of passwords should be accepted for login systems. We should promote and share solutions to the problem.
https://pages.nist.gov/800-63-3/sp800-63b.html
Specifically the relevant recommendation here is: Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.
Usability has a huge impact on how people interact with systems. If you purposely make the experience different from site to site – users will take shortcuts including making weaker passwords. A common “password standard” would benefit everyone greatly and reduce risk over all.
ikjadoon
What I don't understand is how any of this could grant access to actual end-user data. From what I know of their design, LastPass's master vault passwords are split - by definition, LastPass is only supposed to have a part of that key; the other half is only known to the end user's device(s). LastPass is never by design supposed to have the full master vault keys. Unless... they do...?
Ditto with unencrypted vaults; those are only ever supposed to exist on end-user devices in-memory, per their own service descriptions. It's one of their selling points. How could LastPass even have unencrypted vault copies to expose? Their own developer vaults, sure; but not end-user vaults. All a bad guy could ever manage to get, absolute worst case, would be an end-user's encrypted vault and half of a key. Supposedly...??
I'm genuinely curious now.
There are two separate vault breaches here.
1) LastPass internally uses LastPass to keep their Amazon S3 login information. This internal LastPass Vault itself held the logins to LastPass' internal Amazon account. One LastPass dev had access to this internal dev vault and was allowed to install Plex, which had a major security vulnerability. The hackers installed a keylogger onto that developer's PC and extracted that dev's Master Password and MFA code to the LastPass internal vault. Thus, the LastPass internal vault was immediately decrypted, because they stole that dev's Master Password + MFA.
If hackers install a keylogger onto a developer's system, then hackers can steal passwords and immediately decrypt any of that user's vaults. That LastPass dev had nobody else's Master Password.
2) Well, that dev's vault was damn valuable. Because now the hackers used that developer's now-decrypted Amazon S3 login and extracted 30 million encrypted consumer vaults stored on Amazon S3 (because LastPass backed up encrypted consumer vaults to Amazon S3). This is all the consumer data.
TL;DR: the hackers keylogged the Master Password of a LastPass employee, not of any consumers. So that LastPass employee's vault was immediately decrypted. Essentially, the LastPass dev accidentally gave away access to his entire PC & work credentials.
Encrypted LastPass vaults aren't safe by default, however. If your vault had low iteration counts (e.g., 1 or 500) and a short, non-machine-generated Master Password plus stored juicy things the hackers might want (crypto logins, bank logins), then your vault is more likely a higher priority to be guessed / brute-forced.
A helpful note: some people keep saying "But the accounts had AES-256! Nobody can crack that!" Imagine your LastPass Vault has 100-feet steel walls (that's AES-256) and a locked door (that's the Master Password).
The hackers will not try to drill through the massive walls; they will try billions or even trillions of keys on the door.
February 28, 2023 at 4:38 am
The numbers don’t lie! We’ve updated this table by Mike Halsey, Microsoft MVP, since hackers are getting faster. If you’re using a weak password, you can say goodbye to your money or social media account!
The 2022 update to our famous Hive Systems Password Table that’s been shared across the internet, social media, the news, and organizations worldwide. So what’s new, and what’s our methodology behind it?