Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of useful services and supports its community in related projects.

Categories

BlueKeep Flaw Plagues Outdated Connected Medical Devices

Threatpost - 19 February 2020 - 21:29
More than 55 percent of medical imaging devices - including MRIs, X-ray and ultrasound machines - are powered by outdated Windows versions, researchers warn.
Category: Hacking & Security

An Update on Android TLS Adoption

Google Security Blog - 19 February 2020 - 20:02

Posted by Bram Bonné, Senior Software Engineer, Android Platform Security & Chad Brubaker, Staff Software Engineer, Android Platform Security

Android is committed to keeping users, their devices, and their data safe. One of the ways that we keep data safe is by protecting network traffic that enters or leaves an Android device with Transport Layer Security (TLS).

Android 7 (API level 24) introduced the Network Security Configuration in 2016, allowing app developers to configure the network security policy for their app through a declarative configuration file. To ensure apps are safe, apps targeting Android 9 (API level 28) or higher automatically have a policy set by default that prevents unencrypted traffic for every domain.

Today, we’re happy to announce that 80% of Android apps are encrypting traffic by default. The percentage is even greater for apps targeting Android 9 and higher, with 90% of them encrypting traffic by default.

Percentage of apps that block cleartext by default.

Since November 1, 2019, all apps on Google Play (new apps as well as updates) must target at least Android 9. As a result, we expect these numbers to continue improving. Network traffic from these apps is secure by default, and any use of unencrypted connections is the result of an explicit choice by the developer.

The latest releases of Android Studio and Google Play’s pre-launch report warn developers when their app includes a potentially insecure Network Security Configuration (for example, when they allow unencrypted traffic for all domains or when they accept user provided certificates outside of debug mode). This encourages the adoption of HTTPS across the Android ecosystem and ensures that developers are aware of their security configuration.

Example of a warning shown to developers in Android Studio.

Example of a warning shown to developers as part of the pre-launch report.

What can I do to secure my app?

For apps targeting Android 9 and higher, the out-of-the-box default is to encrypt all network traffic in transit and trust only certificates issued by an authority in the standard Android CA set without requiring any extra configuration. Apps can provide an exception to this only by including a separate Network Security Config file with carefully selected exceptions.

If your app needs to allow traffic to certain domains, it can do so by including a Network Security Config file that only includes these exceptions to the default secure policy. Keep in mind that you should be cautious about the data received over insecure connections as it could have been tampered with in transit.

<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">insecure.example.com</domain>
        <domain includeSubdomains="true">insecure.cdn.example.com</domain>
    </domain-config>
</network-security-config>

If your app needs to accept user-specified certificates for testing purposes (for example, connecting to a local server during testing), make sure to wrap your <certificates src="user"/> element inside a <debug-overrides> element. Debug overrides apply only to debuggable builds, so this ensures the connections in the production version of your app are secure.

<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>

What can I do to secure my library?

If your library directly creates secure or insecure connections, make sure that it honors the app's cleartext settings by calling NetworkSecurityPolicy.getInstance().isCleartextTrafficPermitted(hostname) for the destination host before opening any cleartext connection. Passing the hostname is what makes the app's per-domain exceptions take effect.
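The two configuration snippets above and the library check just described come down to one decision: given the app's Network Security Config and a hostname, is cleartext allowed? The following Python script is an added example, not code from the Android post or from the platform. It parses a Network Security Config file, answers that question offline the way a library would get it from NetworkSecurityPolicy.getInstance().isCleartextTrafficPermitted(hostname), and flags the two risky settings the post says Android Studio and the pre-launch report warn about (cleartext allowed for all domains, user-installed CAs trusted outside <debug-overrides>). The embedded sample config is constructed for the example (the two snippets above merged, plus a nested domain-config to show inheritance); the class and function names are the example's own. The exact-match-first, then longest-matching-suffix rule and the targetSdkVersion 28 cutoff follow the documented platform behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample config, not taken from a real app: the post's two snippets
# merged, plus a nested domain-config that re-blocks one subdomain.
SAMPLE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">insecure.example.com</domain>
        <domain>legacy.example.org</domain>
        <domain-config cleartextTrafficPermitted="false">
            <domain>secure.insecure.example.com</domain>
        </domain-config>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def _attr_bool(element, name, default):
    """Parse a true/false XML attribute, returning default when absent."""
    value = None if element is None else element.get(name)
    return default if value is None else value.strip().lower() == "true"


class NetworkSecurityConfig:
    """Offline evaluator for an app's res/xml network security config (example code)."""

    def __init__(self, xml_text, target_sdk=28):
        root = ET.fromstring(xml_text)
        if root.tag != "network-security-config":
            raise ValueError("root element must be <network-security-config>")
        # Platform default: cleartext is blocked once targetSdkVersion >= 28.
        platform_default = target_sdk < 28
        base = root.find("base-config")
        self.base_cleartext = _attr_bool(base, "cleartextTrafficPermitted", platform_default)
        # Each rule: (domain, includeSubdomains, cleartextPermitted)
        self.rules = []
        for dc in root.findall("domain-config"):
            self._collect(dc, self.base_cleartext)
        # User-added CAs are only acceptable inside <debug-overrides>; look for them
        # anywhere under base-config or (possibly nested) domain-config instead.
        self.user_certs_outside_debug = any(
            cert.get("src") == "user"
            for scope in root.findall("base-config") + root.findall("domain-config")
            for cert in scope.iter("certificates"))

    def _collect(self, dc, inherited):
        permitted = _attr_bool(dc, "cleartextTrafficPermitted", inherited)
        for d in dc.findall("domain"):
            self.rules.append((d.text.strip().lower(),
                               _attr_bool(d, "includeSubdomains", False), permitted))
        for nested in dc.findall("domain-config"):
            self._collect(nested, permitted)  # nested configs inherit unset attributes

    def is_cleartext_permitted(self, hostname):
        """The decision a library gets from isCleartextTrafficPermitted(hostname)."""
        host = hostname.strip().lower().rstrip(".")
        best = None
        for domain, include_sub, permitted in self.rules:
            if host == domain:
                return permitted  # an exact match always wins
            if include_sub and host.endswith("." + domain):
                if best is None or len(domain) > len(best[0]):
                    best = (domain, permitted)  # otherwise the longest matching suffix
        return best[1] if best else self.base_cleartext

    def risky_settings(self):
        """The conditions the post says Android Studio and the pre-launch report flag."""
        findings = []
        if self.base_cleartext:
            findings.append("base-config permits cleartext for all domains")
        for domain, include_sub, permitted in self.rules:
            if permitted:
                scope = " and its subdomains" if include_sub else ""
                findings.append(f"cleartext permitted for {domain}{scope}")
        if self.user_certs_outside_debug:
            findings.append("user-installed CAs trusted outside <debug-overrides>")
        return findings


if __name__ == "__main__":
    cfg = NetworkSecurityConfig(SAMPLE_CONFIG)
    for host in ("insecure.example.com", "cdn.insecure.example.com",
                 "secure.insecure.example.com", "api.example.com"):
        state = "allowed" if cfg.is_cleartext_permitted(host) else "blocked"
        print(f"{host}: cleartext {state}")
    for finding in cfg.risky_settings():
        print("warning:", finding)
```

Point the script at the network_security_config.xml pulled from a decoded APK to review an app's exceptions before release; a non-empty risky_settings() result on a production build is the same signal the pre-launch report gives.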

Android’s built-in networking libraries and other popular HTTP libraries such as OkHttp or Volley have built-in Network Security Config support.

Giles Hogben, Nwokedi Idika, Android Platform Security, Android Studio and Pre-Launch Report teams

Category: Hacking & Security

Expanding the Android Security Rewards Program

Google Security Blog - 19 February 2020 - 20:02
Posted by Jessica Lin, Android Security Team

The Android Security Rewards (ASR) program was created in 2015 to reward researchers who find and report security issues to help keep the Android ecosystem safe. Over the past 4 years, we have awarded over 1,800 reports, and paid out over four million dollars.

Today, we’re expanding the program and increasing reward amounts. We are introducing a top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. Additionally, we will be launching a specific program offering a 50% bonus for exploits found on specific developer preview versions of Android, meaning our top prize is now $1.5 million.

As mentioned in a previous blog post, in 2019 Gartner rated the Pixel 3 with Titan M as having the most "strong" ratings in the built-in security section out of all devices evaluated. This is why we've created a dedicated prize to reward researchers for exploits found to circumvent the secure element's protections.

In addition to exploits involving Pixel Titan M, we have added other categories of exploits to the rewards program, such as those involving data exfiltration and lockscreen bypass. These rewards go up to $500,000 depending on the exploit category. For full details, please refer to the Android Security Rewards Program Rules page.

Now that we’ve covered some of what’s new, let’s take a look back at some milestones from this year. Here are some highlights from 2019:

  • Total payouts in the last 12 months have been over $1.5 million.
  • Over 100 participating researchers have received an average reward amount of over $3,800 per finding (46% increase from last year). On average, this means we paid out over $15,000 (20% increase from last year) per researcher!
  • The top reward paid out in 2019 was $161,337.
Top Payout

The highest reward paid out to a member of the research community was for a report from Guang Gong (@oldfresher) of Alpha Lab, Qihoo 360 Technology Co. Ltd. This report detailed the first reported 1-click remote code execution exploit chain on the Pixel 3 device. Guang Gong was awarded $161,337 from the Android Security Rewards program and $40,000 by the Chrome Rewards program, for a total of $201,337. The $201,337 combined reward is also the highest reward for a single exploit chain across all Google VRP programs. The Chrome vulnerabilities leveraged in this report were fixed in Chrome 77.0.3865.75, released in September, protecting users against this exploit chain.

We’d like to thank all of our researchers for contributing to the security of the Android ecosystem. If you’re interested in becoming a researcher, check out our Bughunter University for information on how to get started.

Starting today, November 21, 2019, the new rewards take effect. Any reports that were submitted before November 21, 2019 will be rewarded based on the previously existing rewards table.

Happy bug hunting!

Category: Hacking & Security

The App Defense Alliance: Bringing the security industry together to fight bad apps

Google Security Blog - 19 February 2020 - 20:01
Posted by Dave Kleidermacher, VP, Android Security & Privacy
Fighting against bad actors in the ecosystem is a top priority for Google, but we know there are others doing great work to find and protect against attacks. Our research partners in the mobile security world have built successful teams and technology, helping us in the fight. Today, we’re excited to take this collaboration to the next level, announcing a partnership between Google, ESET, Lookout, and Zimperium. It’s called the App Defense Alliance and together, we’re working to stop bad apps before they reach users’ devices.
The Android ecosystem is thriving with over 2.5 billion devices, but this popularity also makes it an attractive target for abuse. This is true of all global platforms: where there is software with worldwide proliferation, there are bad actors trying to attack it for their gain. Working closely with our industry partners gives us an opportunity to collaborate with some truly talented researchers in our field and the detection engines they’ve built. This is all with the goal of, together, reducing the risk of app-based malware, identifying new threats, and protecting our users.
What will the App Defense Alliance do?
Our number one goal as partners is to ensure the safety of the Google Play Store, quickly finding potentially harmful applications and stopping them from being published.
As part of this Alliance, we are integrating our Google Play Protect detection systems with each partner’s scanning engines. This will generate new app risk intelligence as apps are being queued to publish. Partners will analyze that dataset and act as another, vital set of eyes prior to an app going live on the Play Store.
Who are the partners?
All of our partners work in the world of endpoint protection, and offer specific products to protect mobile devices and the mobile ecosystem. Like Google Play Protect, our partners’ technologies use a combination of machine learning and static/dynamic analysis to detect abusive behavior. Multiple heuristic engines working in concert will increase our efficiency in identifying potentially harmful apps.
We hand-picked these partners based on their successes in finding potential threats and their dedication to improving the ecosystem. These partners are regularly recognized in analyst reports for their work.
Industry collaboration is key
Knowledge sharing and industry collaboration are important aspects in securing the world from attacks. We believe working together is the ultimate way we will get ahead of bad actors. We’re excited to work with these partners to arm the Google Play Store against bad apps.
Want to learn more about the App Defense Alliance’s work? Visit us here.
Category: Hacking & Security

SMS Attack Spreads Emotet, Steals Bank Credentials

Threatpost - 19 February 2020 - 17:00
A new Emotet campaign is spread via SMS messages pretending to be from banks and may have ties to the TrickBot trojan.
Category: Hacking & Security

How to use Windows Backup and Restore Utility

InfoSec Institute Resources - 19 February 2020 - 16:56

Introduction Since its first appearance in the Windows OS family in Windows 7, the Backup and Restore utility has been the go-to for managing the all-too-important backup and restore jobs Windows users need. This was a major improvement over previous backup and restore solutions offered by Windows and it has taken the user-friendly aspects of […]

The post How to use Windows Backup and Restore Utility appeared first on Infosec Resources.

How to use Windows Backup and Restore Utility was first posted on February 19, 2020 at 9:56 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com
Category: Hacking & Security

Hamas Ensnares Israeli Soldiers with Pretty ‘Ladies’

Threatpost - 19 February 2020 - 16:52
The third catfishing attempt in three years from the Palestinian militant group adds a few technical advances to the mix.
Category: Hacking & Security

How to reset Windows 10

InfoSec Institute Resources - 19 February 2020 - 16:41

Introduction Windows 10 has been on a roll, offering users unprecedented choice regarding both customization of their system and different ways to get things done, including recovery options. Reset is a feature offered by Windows 10. It's a type of recovery not available in earlier versions of Windows and may be just the recovery […]

The post How to reset Windows 10 appeared first on Infosec Resources.

How to reset Windows 10 was first posted on February 19, 2020 at 9:41 am.
Category: Hacking & Security

New Senate Bill Would Place Moratorium on Federal Use of Facial Recognition

LinuxSecurity.com - 19 February 2020 - 15:36
Two Democratic senators want to temporarily pause the government's use of facial recognition technology while a commission develops regulations.
Category: Hacking & Security

Ring Makes 2-Factor Authentication Mandatory Following Recent Hacks

The Hacker News - 19 February 2020 - 15:24
Smart doorbells and cameras bring a great sense of security to your home, especially when you're away, but even the thought that someone could be spying on you through the same surveillance system would send a shiver up your spine. Following several recent reports of hackers gaining access to people's internet-connected Ring doorbells and security cameras, Amazon yesterday announced it would make two-factor
Category: Hacking & Security

Mozilla Firefox 73.0.1 Released with Critical Linux Fixes

LinuxSecurity.com - 19 February 2020 - 15:11
Mozilla has recently released the first minor update for Firefox 73, this time bringing important fixes for Windows and Linux systems running the browser.
Category: Hacking & Security

Network traffic analysis for IR: Analyzing IoT attacks

InfoSec Institute Resources - 19 February 2020 - 15:01

Introduction The Internet of Things (IoT) incorporates everything from tiny sensors and devices to huge structures like cloud computing. IoT includes the major networks types, such as vehicular, ubiquitous, grid and distributed. From childcare to elder care, from entering patient details to post-surgery care and from parking vehicles to tracking vehicles, sensors play a pivotal […]

The post Network traffic analysis for IR: Analyzing IoT attacks appeared first on Infosec Resources.

Network traffic analysis for IR: Analyzing IoT attacks was first posted on February 19, 2020 at 8:01 am.
Category: Hacking & Security

Cynet Offers Free Threat Assessment for Mid-Sized and Large Organizations

Threatpost - 19 February 2020 - 15:00
Cynet Free Threat Assessment spotlights critical, exposed attack surfaces and provides actionable knowledge of attacks that are currently live and active.
Category: Hacking & Security

NIST CSF: Implementing NIST CSF

InfoSec Institute Resources - 19 February 2020 - 15:00

Introduction The National Institute of Standards and Technology's Cybersecurity Framework, or NIST CSF, was first published in 2014 to provide voluntary guidance for organizational cybersecurity defenses and risk management. This framework combines industry standards with best practices and is renowned for its inherent flexibility and open-endedness to account for different organizational needs. The implementation of […]

The post NIST CSF: Implementing NIST CSF appeared first on Infosec Resources.

NIST CSF: Implementing NIST CSF was first posted on February 19, 2020 at 8:00 am.
Category: Hacking & Security

Latest Tax Scams Target Apps and Tax-Prep Websites

Threatpost - 19 February 2020 - 13:03
Traditional e-mail based scams are also in the mix this year, one in particular that uses the legitimate app TeamViewer to take over victims' systems.
Category: Hacking & Security

Private photos leaked by PhotoSquared’s unsecured cloud storage

Sophos Naked Security - 19 February 2020 - 12:49
With no password required and no encryption in place, a burglar or ID thief could have seen your photos, your address and more.

Facebook asks to be regulated kinda like a newspaper, kinda like telco

Sophos Naked Security - 19 February 2020 - 12:37
Zuckerberg is in Brussels right in time for the European Commission's release of its manifesto on regulating AI.

WordPress plugin hole could have allowed attackers to wipe websites

Sophos Naked Security - 19 February 2020 - 12:21
A WordPress plugin with over 100,000 active installations had a bug that could have allowed unauthorised attackers to wipe its users' blogs clean, it emerged this week.

OpenSSH eases admin hassles with FIDO U2F token support

Sophos Naked Security - 19 February 2020 - 12:00
OpenSSH version 8.2 is out and the big news is that the world’s most popular remote management software now supports authentication using any FIDO (Fast Identity Online) U2F hardware token.

Ransomware Keeps Spreading Fear. Attacks Are Still Rising

Novinky.cz - security - 19 February 2020 - 08:46
Extortion viruses, usually grouped under the umbrella term ransomware, were one of the most widespread threats last year. According to a report by the security company Emsisoft, these uninvited guests are in fact on the rise, as the TechPowerUp site pointed out.
Category: Hacking & Security