Microsoft reckons 0.5 per cent of Azure Active Directory accounts as used by Office 365 are compromised every month.

The Window giant’s director of identity security, Alex Weinert, and IT identity and access program manager Lee Walker revealed the figures at the RSA conference last month in San Francisco.

“About a half of a per cent of the enterprise accounts on our system will be compromised every month, which is a really high number. If you have an organisation of 10,000 users, 50 will be compromised each month,” said Weinert.

It is an astonishing and disturbing figure. Account compromise means that a malicious actor or script has some access to internal resources, though the degree of compromise is not stated. The goal could be as simple as sending out spam or, more seriously, stealing secrets and trying to escalate access.

Password spray attacks account for 40% of compromised accounts

How do these attacks happen? About 40 per cent are what Microsoft calls password spray attacks. Attackers use a database of usernames and try logging in with statistically probable passwords, such as “123” or “p@ssw0rd”. Most fail but some succeed. A further 40 per cent are password replay attacks, where attackers mine data breaches on the assumption that many people reuse passwords and enterprise passwords in non-enterprise environments. That leaves 20 per cent for other kinds of attacks like phishing.

The key point, though, is that if an account is compromised, said Weinert, “there’s a 99.9 per cent chance that it did not have MFA [Multi Factor Authentication]”. MFA is where at least one additional identifier is required when logging in, such as a code on an authenticator application or a text message to a mobile phone. It is also possible (and preferable) to use FIDO2 security keys, a feature now in preview for Azure AD. Even just disabling legacy authentication helps, with a 67 per cent reduction in the likelihood of compromise.

Source: Enable that MF-ing MFA: 1.2 million Azure Active Directory accounts compromised every month, reckons Microsoft • The Register

An error in chipset read-only memory (ROM) could allow attackers to compromise platform encryption keys and steal sensitive information.

Intel has thanked Positive Technologies experts for their discovery of a vulnerability in Intel CSME. Most Intel chipsets released in the last five years contain the vulnerability in question.

By exploiting vulnerability CVE-2019-0090, a local attacker could extract the chipset key stored on the PCH microchip and obtain access to data encrypted with the key. Worse still, it is impossible to detect such a key breach. With the chipset key, attackers can decrypt data stored on a target computer and even forge its Enhanced Privacy ID (EPID) attestation, or in other words, pass off an attacker computer as the victim’s computer. EPID is used in DRM, financial transactions, and attestation of IoT devices.

One of the researchers, Mark Ermolov, Lead Specialist of OS and Hardware Security at Positive Technologies, explained: “The vulnerability resembles an error recently identified in the BootROM of Apple mobile platforms, but affects only Intel systems. Both vulnerabilities allow extracting users’ encrypted data. Here, attackers can obtain the key in many different ways. For example, they can extract it from a lost or stolen laptop in order to decrypt confidential data. Unscrupulous suppliers, contractors, or even employees with physical access to the computer can get hold of the key. In some cases, attackers can intercept the key remotely, provided they have gained local access to a target PC as part of a multistage attack, or if the manufacturer allows remote firmware updates of internal devices, such as Intel Integrated Sensor Hub.”

The vulnerability potentially allows compromising common data protection technologies that rely on hardware keys for encryption, such as DRM, firmware TPM, and Intel Identity Protection. For example, attackers can exploit the vulnerability on their own computers to bypass content DRM and make illegal copies. In ROM, this vulnerability also allows for arbitrary code execution at the zero level of privilege of Intel CSME. No firmware updates can fix the vulnerability.

Intel recommends that users of Intel CSME, Intel SPS, Intel TXE, Intel DAL, and Intel AMT contact their device or motherboard manufacturer for microchip or BIOS updates to address the vulnerability. Check the Intel website for the latest recommendations on mitigation of vulnerability CVE-2019-0090.

Since it is impossible to fully fix the vulnerability by modifying the chipset ROM, Positive Technologies experts recommend disabling Intel CSME based encryption of data storage devices or considering migration to tenth-generation or later Intel CPUs. In this context, retrospective detection of infrastructure compromise with the help of traffic analysis systems such as PT Network Attack Discovery becomes just as important.

Source: Positive Technologies: Unfixable vulnerability in Intel chipsets threatens users and content rightsholders

The European Commission has told its staff to start using Signal, an end-to-end-encrypted messaging app, in a push to increase the security of its communications.

The instruction appeared on internal messaging boards in early February, notifying employees that “Signal has been selected as the recommended application for public instant messaging.”

The app is favored by privacy activists because of its end-to-end encryption and open-source technology.

“It’s like Facebook’s WhatsApp and Apple’s iMessage but it’s based on an encryption protocol that’s very innovative,” said Bart Preneel, cryptography expert at the University of Leuven. “Because it’s open-source, you can check what’s happening under the hood,” he added.

[…]

Privacy experts consider that Signal’s security is superior to other apps’. “We can’t read your messages or see your calls,” its website reads, “and no one else can either.”

[…]

The use of Signal was mainly recommended for communications between staff and people outside the institution. The move to use the application shows that the Commission is working on improving its security policies.

Promoting the app, however, could antagonize the law enforcement community.

Officials in Brussels, Washington and other capitals have been putting strong pressure on Facebook and Apple to allow government agencies to access to encrypted messages; if these agencies refuse, legal requirements could be introduced that force firms to do just that.

American, British and Australian officials have published an open letter to Facebook CEO Mark Zuckerberg in October, asking that he call off plans to encrypt the company’s messaging service. Dutch Minister for Justice and Security Ferd Grappehaus told POLITICO last April that the EU needs to look into legislation allowing governments to access encrypted data.

Cybersecurity officials have dismissed calls to weaken encryption for decades, arguing that it would put the confidentiality of communications at risk across the board.

Source: EU Commission to staff: Switch to Signal messaging app – POLITICO

Finally, an organisation showing some sense!

A billion-plus computers, phones, and other devices are said to suffer a chip-level security vulnerability that can be exploited by nearby miscreants to snoop on victims’ encrypted Wi-Fi traffic.

The flaw [PDF] was branded KrØØk by the bods at Euro infosec outfit ESET who discovered it. The design blunder is otherwise known as CVE-2019-15126, and is related to 2017’s KRACK technique for spying on Wi-Fi networks.

An eavesdropper doesn’t have to be logged into the target device’s wireless network to exploit KrØØk. If successful, the miscreant can take repeated snapshots of the device’s wireless traffic as if it were on an open and insecure Wi-Fi. These snapshots may contain things like URLs of requested websites, personal information in transit, and so on.

It’s not something to be totally freaking out over: someone exploiting this has to be physically near you, and you may notice your Wi-Fi being disrupted. But it’s worth knowing about.

Source: Wi-Fi of more than a billion PCs, phones, gadgets can be snooped on. But you’re using HTTPS, SSH, VPNs… right? • The Register

Automating connections from 3rd party providers makes it easy to access your financial data because people re-use their logins and these logins have been repeatedly leaked online.

New data from security and content delivery company Akamai shows that one in every five attempts to gain unauthorized access to user accounts is now done through application programming interfaces (APIs) instead of user-facing login pages. This trend is even more pronounced in the financial services industry where the use of APIs is widespread and in part fueled by regulatory requirements.

According to a report released today, between December 2017 and November 2019, Akamai observed 85.4 billion credential abuse attacks against companies worldwide that use its services. Of those attacks, around 16.5 billion, or nearly 20%, targeted hostnames that were clearly identified as API endpoints. However, in the financial industry, the percentage of attacks that targeted APIs rose sharply between May and September 2019, at times reaching 75%.

“API usage and widespread adoption have enabled criminals to automate their attacks,” the company said in its report. “This is why the volume of credential stuffing incidents has continued to grow year over year, and why such attacks remain a steady and constant risk across all market segments.”

The credential stuffing problem

Credential stuffing, a type of brute-force attack where criminals use lists of leaked username and password combinations to gain access to accounts, has become a major problem in recent years. This is a consequence of the large number of data breaches over the past decade that have resulted in billions of stolen credentials being released publicly on the internet or sold on underground markets as commodities.

Knowing that users reuse passwords across various websites, attackers have used the credentials exposed in data breaches to build so-called combo lists. These lists of username and password combinations are then loaded into botnets or automated tools and are used to flood websites with login requests in an attempt to gain access.

However, once access is gained, extracting information from the affected services by crawling the customer pages requires some effort and customization, whereas requesting and extracting information through APIs is standardized and well suited for automation. After all, the very purpose of an API is to facilitate applications talking to each other and exchanging data automatically.

Source: APIs are becoming a major target for credential stuffing attacks