Showing posts with label Security Risks.

Twilio Alerts Authy Users of Potential Security Risks Involving Phone Numbers

 


Twilio, the U.S. messaging giant, has been hit by the theft of 33 million phone numbers over the past week as a result of a hacker's exploit. Authy, a popular two-factor authentication app owned by Twilio that authenticates people using their phone numbers, confirmed to TechCrunch today that "threat actors" were able to identify the phone numbers of Authy users. It was recently reported that a hacker or hacking group known as ShinyHunters posted on a well-known hacking forum that they had hacked Twilio and obtained the cell phone numbers of 33 million subscribers.

As Twilio spokesperson Ramirez explained to TechCrunch, the company detected that threat actors were able to identify phone numbers associated with Authy accounts through an unauthenticated endpoint; how this happened is not yet known. According to a report by TechCrunch earlier this week, someone obtained phone numbers linked to Authy, Twilio's two-factor authentication (2FA) service.

An alert from Twilio on Monday warned of possible phishing attacks and other scams using the stolen phone numbers, which the company attributed to "threat actors" trying to steal personal information. A separate incident in 2022 followed a phishing campaign that tricked employees into handing over their login credentials, which were then used to gain access to the company's network. During that attack, hackers gained access to 163 Twilio accounts as well as 93 Authy accounts, through which they were able to register additional devices. Twilio has traced the current leak to an "unauthenticated endpoint" that the company says has since been secured.

As the dark web was abuzz last week with the release of 33 million phone numbers from Authy accounts, the threat actor ShinyHunters published a collection of the data. As BleepingComputer pointed out, the threat actor appears to have obtained the information by feeding a massive list of phone numbers into the app's unsecured API endpoint, which would then report whether each number was tied to an Authy account.

The investigation found that the data was compiled by feeding an enormous number of phone numbers into the unsecured API endpoint. For each valid number, the endpoint returned information about the associated Authy account. Since the API has been secured, it can no longer be misused to check whether a phone number is registered with Authy.
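The enumeration mechanism described above, as an added example that is not Twilio's or Authy's code: a toy lookup endpoint with the weaknesses the article names (no authentication, unlimited batches, and a reply that reveals account details for registered numbers) beside a hardened version that authenticates the caller, caps batch size, rate-limits per key and returns the same reply whether or not a number is registered. The account data, API keys and the out-of-band verification queue are all constructed for the example.

```python
import time

# Constructed sample of registered accounts, keyed by E.164 phone number.
ACCOUNTS = {
    "+15550000001": {"account_id": 1001, "status": "active", "devices": 2},
    "+15550000002": {"account_id": 1002, "status": "active", "devices": 1},
}


def lookup_vulnerable(phone_numbers):
    """Model of the weakness described in the article: anyone may submit any
    number of phone numbers, and the reply returns account details for each
    registered one. A large input list turns this into a registration oracle."""
    return {n: ACCOUNTS[n] for n in phone_numbers if n in ACCOUNTS}


class HardenedLookup:
    """Hardened counterpart: the caller must present a known API key, batches
    are capped, each key is rate-limited, and the reply is identical whether
    or not a number is registered. Verification happens out of band (to the
    phone itself), so nothing about account existence leaks to the caller."""

    MAX_BATCH = 5
    MAX_REQUESTS = 10          # per API key per window
    WINDOW_SECONDS = 60
    UNIFORM_REPLY = {
        "message": "If any of these numbers are registered, a verification "
                   "message has been sent to them."
    }

    def __init__(self, api_keys, clock=time.monotonic):
        self._keys = set(api_keys)
        self._clock = clock        # injectable so the behaviour is testable
        self._history = {}         # api_key -> timestamps of recent requests
        self.outbox = []           # constructed stand-in for an SMS/push queue

    def _over_limit(self, key):
        """Sliding-window counter: True if the key already made MAX_REQUESTS
        requests inside the last WINDOW_SECONDS."""
        now = self._clock()
        recent = [t for t in self._history.get(key, [])
                  if now - t < self.WINDOW_SECONDS]
        if len(recent) >= self.MAX_REQUESTS:
            self._history[key] = recent
            return True
        recent.append(now)
        self._history[key] = recent
        return False

    def lookup(self, api_key, phone_numbers):
        """Returns (http_status, body)."""
        if api_key not in self._keys:
            return 401, {"error": "unauthorized"}
        if len(phone_numbers) > self.MAX_BATCH:
            return 400, {"error": f"at most {self.MAX_BATCH} numbers per request"}
        if self._over_limit(api_key):
            return 429, {"error": "rate limit exceeded"}
        for n in phone_numbers:
            if n in ACCOUNTS:
                # Registered numbers get an out-of-band verification; the
                # HTTP reply is the same either way.
                self.outbox.append(n)
        return 202, dict(self.UNIFORM_REPLY)


if __name__ == "__main__":
    probe = ["+15550000001", "+15559999999"]
    print("vulnerable reply:", lookup_vulnerable(probe))
    svc = HardenedLookup(api_keys=["key-A"])
    print("no key:", svc.lookup("wrong", probe))
    print("registered:", svc.lookup("key-A", [probe[0]]))
    print("unregistered:", svc.lookup("key-A", [probe[1]]))
```

The uniform reply is the part that closes the oracle; authentication and rate limiting on their own only slow an enumeration down. In a real service the rate limiter would also be keyed by source address and backed by shared storage rather than an in-process dictionary.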

Threat actors have used this technique before, exploiting unsecured Twitter and Facebook APIs to compile profiles of tens of millions of users containing both public and private information. Although the Authy scrape contained only phone numbers, such data is still valuable to attackers interested in smishing and SIM-swapping attacks aimed at breaching the affected users' accounts.

The leaked CSV file contains 33,420,546 rows. Each row holds an account ID, a phone number, an "over_the_top" column, the account status, and the number of devices registered to the account. In a post on Authy's blog, the company acknowledged the attack: Twilio has confirmed a recent data breach affecting users of its Authy two-factor authentication app.

While the company experienced two separate cyberattacks in 2022, it emphasized that this latest incident is not related to the previous breaches. In light of this development, Twilio is urging all Authy users to exercise extreme caution when dealing with unsolicited text messages that appear to be from the company. According to Sean Wright, Head of Application Security at Featurespace, the primary threat stemming from this incident is the potential for targeted phishing attacks. Exposure to users' phone numbers significantly increases the risk of such attacks. 

Wright reassures users that direct access to their Authy accounts remains unlikely unless the attackers can obtain the seeds for the multi-factor authentication (MFA) tokens stored within the app. Despite this, he stresses the importance of remaining vigilant. Users should be particularly wary of messages from unknown senders, especially those that convey a sense of urgency or threaten financial loss if no action is taken. 

To enhance security, Wright suggests that users consider switching to an alternative MFA application or opting for more secure hardware keys, such as the Yubico YubiKey. Additionally, if any user experiences difficulty accessing their Authy account, Twilio advises immediate contact with Authy support for assistance. Furthermore, Twilio recommends that users update their Authy app on iOS and Android platforms to address potential security vulnerabilities. 

Keeping the application up-to-date is critical in safeguarding against future threats and ensuring the highest level of protection for user accounts. This proactive approach will help mitigate the risks associated with the recent breach and reinforce the security of the authentication process for all Authy users.

Google CEO Warns of Potential Security Risks Associated with Sideloading Apps

 

In recent years, sideloading apps, the practice of installing apps from sources outside of official app stores, has gained significant traction. While Android has always embraced this openness, Apple is now facing pressure to follow suit. 

This shift in dynamics is evident in the ongoing legal battle between Google and Epic Games, where Epic Games accuses Google of stifling competition by imposing high fees on app developers.

Google CEO Sundar Pichai has defended Google's stance, citing security concerns associated with sideloading apps. He emphasizes that Google's policies, exemplified by Android's diverse device designs, foster innovation and provide users with choices.

However, Pichai's emphasis on security raises eyebrows, as Android has always been known for its open-source nature and embrace of sideloading. His focus on potential malware infections seems to be a tactic to instill fear among users. In reality, Google's Play Protect feature is only a recent addition for screening sideloaded apps.

Critics argue that restricting sideloading gives Google greater control over the apps users can access. While Google maintains that the Play Store provides the highest level of security, a study by Kaspersky Labs contradicts this claim, revealing that over 600 million malicious app downloads occurred from the Google Play Store in 2023 alone.

Apple's staunch opposition to sideloading stems from its desire to retain control over the app distribution process on iPhones. However, both Apple and Google are undoubtedly aware of the 30% commission they charge developers for hosting apps on their respective app stores. This hefty fee has driven companies like Epic Games to explore alternative distribution channels.

The debate over sideloading highlights the growing tension between app developers, app store operators, and users. As the battle for app distribution intensifies, it remains to be seen whether sideloading will become a mainstream practice or remain a niche alternative.

AI/ML Tools Uncovered with 12+ Vulnerabilities Open to Exploitation

 

Since August 2023, individuals on the Huntr bug bounty platform dedicated to artificial intelligence (AI) and machine learning (ML) have exposed more than a dozen vulnerabilities that jeopardize AI/ML models, leading to potential system takeovers and theft of sensitive information.

Discovered in widely used tools, including H2O-3, MLflow, and Ray, each boasting hundreds of thousands or even millions of monthly downloads, these vulnerabilities have broader implications for the entire AI/ML supply chain, according to Protect AI, the entity overseeing Huntr.

H2O-3, a low-code machine learning platform facilitating the creation and deployment of ML models through a user-friendly web interface, has been revealed to have default network exposure without authentication. This flaw allows attackers to provide malicious Java objects, executed by H2O-3, providing unauthorized access to the operating system.

One significant vulnerability identified in H2O-3, labeled as CVE-2023-6016 with a CVSS score of 10, enables remote code execution (RCE), allowing attackers to seize control of the server and pilfer models, credentials, and other data. Bug hunters also pinpointed a local file include flaw (CVE-2023-6038), a cross-site scripting (XSS) bug (CVE-2023-6013), and a high-severity S3 bucket takeover vulnerability (CVE-2023-6017).

Moving on to MLflow, an open-source platform for managing the entire ML lifecycle, it was disclosed that it lacks default authentication. Researchers identified four critical vulnerabilities, the most severe being arbitrary file write and path traversal bugs (CVE-2023-6018 and CVE-2023-6015, CVSS score of 10). These bugs allow unauthenticated attackers to overwrite files on the operating system and achieve RCE. Additionally, critical-severity arbitrary file inclusion (CVE-2023-1177) and authentication bypass (CVE-2023-6014) vulnerabilities were discovered.

The Ray project, an open-source framework for distributed ML model training, shares a similar default authentication vulnerability. A crucial code injection flaw in Ray's cpu_profile format parameter (CVE-2023-6019, CVSS score of 10) could result in a complete system compromise. The parameter lacked validation before being inserted into a system command executed in a shell. Bug hunters also identified two critical local file include issues (CVE-2023-6020 and CVE-2023-6021), enabling remote attackers to read any files on the Ray system.
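The Ray flaw as described above (a request parameter inserted into a shell command without validation) is an instance of a general command-injection pattern. As an added example that is not Ray's code and does not reproduce its actual fix: the vulnerable string-building pattern beside a hardened builder that allow-lists the format value, validates the PID, and hands an argv list to `subprocess` with `shell=False`. The `profiler` tool name, its flags and the allow-list values are hypothetical stand-ins.

```python
import re
import subprocess

# Hypothetical allow-list of output formats the endpoint may accept.
ALLOWED_FORMATS = frozenset({"flamegraph", "speedscope", "raw"})
# Characters that change what /bin/sh executes when they appear in a command string.
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")


def build_command_vulnerable(pid, fmt):
    """Untrusted `fmt` interpolated straight into a string destined for `sh -c`.
    Any shell metacharacter in `fmt` becomes part of what the shell runs."""
    return f"profiler record --pid {pid} --format {fmt} -o /tmp/profile.out"


def build_command_hardened(pid, fmt):
    """Validate both inputs against strict expectations and return an argv
    list, never a string: with shell=False the value reaches the program as
    a single argument and no shell ever parses it."""
    if not isinstance(pid, int) or pid <= 0:
        raise ValueError("pid must be a positive integer")
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported format: {fmt!r}")
    return ["profiler", "record", "--pid", str(pid),
            "--format", fmt, "-o", "/tmp/profile.out"]


def run_profile(pid, fmt, runner=subprocess.run):
    """Execute the hardened command. `runner` is injectable so the block and
    its tests run without the hypothetical `profiler` binary installed."""
    argv = build_command_hardened(pid, fmt)
    # shell=False is already the default for a list argv; it is spelled out
    # because it is the whole point of the hardened version.
    return runner(argv, shell=False, check=True, capture_output=True)


def has_shell_metachar(s):
    """True if the string contains a character a shell would interpret."""
    return SHELL_META.search(s) is not None


if __name__ == "__main__":
    tainted = "raw; id"   # constructed malicious parameter value
    print("vulnerable:", build_command_vulnerable(42, tainted))
    try:
        build_command_hardened(42, tainted)
    except ValueError as err:
        print("hardened rejected:", err)
    print("argv:", run_profile(42, "raw", runner=lambda argv, **kw: argv))
```

Allow-listing is preferable to stripping metacharacters: a deny-list has to anticipate every quoting trick the shell supports, whereas a closed set of known-good values has nothing to anticipate.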

All these vulnerabilities were responsibly reported to the respective vendors at least 45 days before public disclosure. Users are strongly advised to update their installations to the latest non-vulnerable versions and restrict access to applications lacking available patches.

Businesses Need to Ramp Up Their Security to Counter Future Attacks

 

The report, which was published by Perception Point and Osterman Research this week, found that firms typically spend $1,197 per employee each year to deal with cybersecurity incidents, which can add up quickly over time. Because of this, Deloitte believes that employees and board members will be better equipped to thwart cyberattacks in 2023. 

Moreover, Deloitte anticipates that securing emerging technologies, improving connected-device visibility, and data security practices will be priorities for organizations in 2023. Supply chain security issues and the security talent shortage are also likely to persist, the company's leaders said.

The experts predicted that future-forward preparedness and organizational resilience will play an important role in helping enterprises better manage their vulnerability to adversary actors in the future, in addition to cybersecurity. 

Mulesoft, a Salesforce-owned company, also made predictions about the businesses in 2023. It noted that, up until now, companies have remained committed to digital transformation, speeded up by automation, composable agility, low-code, and no-code tools, data automation, and layered cyber defenses to continue to grow. 

Quantum Growth 

While tech giants like Google, IBM, Microsoft, and Intel made headlines this week, they are also pushing ahead with cloud services and other tools to test quantum algorithms. 

Sandeep Pattathil, a senior analyst at IT advisory firm Everest Group, told VentureBeat that quantum computing’s algorithmic improvements will remain the biggest challenge. He said that IBM, Microsoft, and Google are all working on cloud services to test quantum algorithms. It will also be difficult for them to develop speedy quantum computing programs. 

AI Needs Change

According to Kevin McNamara, CEO and founder of synthetic data vendor Parallel Domain, which just raised $30 million in a Series B round led by March Capital, artificial intelligence (AI) may be eating the world as we know it, but AI itself is also starving — and needs to change its diet.

“Data is food for AI, but AI today is underfed and malnourished,” stated Kevin McNamara. “That’s why things are growing slowly. But if we can feed that AI better, models will grow faster and in a healthier way. Synthetic data is like nourishment for training AI.”

5 Harsh Truths Regarding Blockchain Security

 

Cryptocurrencies are based on blockchain technology, which comprises multiple security features, such as cryptography, software-mediated contracts, and identity controls. However, the rise in popularity of cryptocurrencies has encouraged threat actors to employ new strategies to target the underlying blockchain. 

According to Atlas VPN, decentralized finance-related attacks constituted 76% of all major hacks in 2021, with over $1 billion lost in the third quarter alone. The third quarter of 2021 also had 20% more blockchain-based hacking incidents than in all of 2020, SlowMist reported. 

Here are five factors that have created issues for the blockchain security landscape.

1. 51% attacks 

A 51% attack involves the attacker gaining control of more than 50 percent of the network's hashing power. In 2018, three renowned cryptocurrency platforms suffered 51% attacks: Ethereum Classic, Verge Currency, and ZenCash (now Horizen).

2. Susceptibilities at Blockchain Endpoints 

Threat actors exploit every minor flaw, so it is important to remember that most blockchain transactions have endpoints that are vulnerable. For example, bitcoin trading or investment may result in a large sum of bitcoin being deposited into a "hot wallet," a virtual savings account. These wallet accounts may not be as hacker-proof as the actual blocks within the blockchain.

To facilitate blockchain transactions, several third-party vendors may be enlisted. Some examples include payment processors, smart contracts, and blockchain payment platforms. These third-party blockchain vendors often have comparatively weak security on their own apps and websites, which can leave the door open to hacking. 

3. Regulation issues 

Many advocates of blockchain believe that regulation will delay innovation. However, the opposite is true: regulations and standards can benefit both security and innovation. The current market suffers from high fragmentation, with different firms following their own rules and protocols. This means developers cannot learn from the mistakes and vulnerabilities of others, never mind the risk of poor integration.

4. Lack of talented cybersecurity professionals 

The current blockchain security space is suffering from a major shortage of cybersecurity professionals who have blockchain expertise or a firm grasp of the novel security risks of the emerging Web3 decentralized economy.

5. Phishing Attacks 

Phishing is one of the most common methods employed by attackers. It is essentially a scam to obtain a user's credentials: hackers send emails to wallet key owners while posing as an authentic, authoritative source.

How to mitigate such attacks? 

These attacks can only be prevented by strengthening security processes, and that has to happen at several levels. Here are a few tips recommended by experts to mitigate the risks in blockchain technology:

  • Enabling two-factor authentication
  • Ensuring proper wallet management
  • Using different wallet addresses
  • Avoiding phishing links
  • Regularly checking wallet approvals

U.S. DOD Weapons Programs Struggles to Add 'Key' Cybersecurity Measures

 

The U.S. Defense Department failed to communicate cybersecurity guidelines to contractors tasked with building systems for its weapon programs, according to a new watchdog report released on Thursday. While the department has developed a range of policies aimed at strengthening the security of its weapon programs, the guidance misses a key point: the contracts under which those weapons are built and secured.

The U.S. government spends hundreds of billions of dollars each year on contracts with manufacturers ranging from major military contractors to small businesses. In a new report released on Thursday, the U.S. Government Accountability Office (GAO) said that 60 percent of the contracts it reviewed contained no cybersecurity requirements at all.

According to the GAO report, three of the five contracts the GAO reviewed had no cybersecurity requirements written into the contract language when they were awarded, with only vague requirements added later. The Air Force was the only service with broad guidance for defining cybersecurity requirements and incorporating them into contracts.

“Specifically, cybersecurity requirements should be defined in acquisition program contracts, and criteria should be established for accepting or rejecting the work and for how the government will verify that requirements have been met,” according to the GAO’s report.

The Defense Department (DOD) has a huge network of sophisticated weapons systems that need to resist cyberattacks in order to operate when required. But the DOD also has a documented history of discovering mission-critical security flaws within those programs due to what the GAO says is a lack of focus on weapon systems cybersecurity. 

“As we reported in 2018, DOD had not prioritized weapon systems cybersecurity until recently, and was still determining how best to address it during the acquisition process. The department had historically focused its cybersecurity efforts on protecting networks and traditional IT systems, and key acquisition and requirements policies did not focus on cybersecurity. As a result, DOD likely designed and built many systems without adequate security,” the report read.