CVE-2017-6145

http://ift.tt/2hRHzMV

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because
they may have information that would be of interest to you. No inferences should be drawn on account of other sites
being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose.
NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further,
NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about
this page to nvd@nist.gov.

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 20, 2017 at 12:24PM

CVE-2017-6144

http://ift.tt/2yWSbFg

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 20, 2017 at 12:24PM

CVE-2017-14937

http://ift.tt/2hS6oIO

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 20, 2017 at 12:24PM

CVE-2017-6165

http://ift.tt/2yY3AEE

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 20, 2017 at 12:24PM

Driving Security Orchestration with Your Cyber Threat Intelligence Playbook

http://ift.tt/2xctMqz

A newish buzzword in the cybersecurity world is “orchestration”, which to me is the junction where people, process and technology all come together. It’s where people build automation into process and consume information and insight generated by technology.

The goal makes sense: to operationalize all of the disparate data, tools and platforms into one cohesive, agile, functioning security program. An important component of security orchestration is to have agile “playbooks”. A playbook can tell you what to do if/when you see a certain threat or when an attack happens. Just like in football – where if you see the offense line up in a certain formation, the defense has clues for calling the right defensive scheme – a playbook can help defenders enact the most effective tactics for the situation. Similarly, playbooks can be used to prepare and plan for impending threats (as opposed to only reactive/responsive plays).

Most of the security playbook discussions have been focused around incident response workflows and automation via security orchestration. These playbooks are typically very tactical in nature and specifically created for the SOC. But security playbooks can and should go well beyond response and be used more pre-emptively to drive better outcomes. 

Think about it this way – you cannot possibly address every threat – and with your digital footprint being nearly impossible to fully manage, you’re in a constant state of reacting and responding to security events (some of which may be really important, while others might not be). So understanding your greatest areas of concern and the threats that can exploit those areas should be where you focus your game plan.

Sticking with the football analogy here, think of it like watching game film. By looking at previous games and dissecting formations, plays and how each side reacted to one another, you can gather critical intel such as:

What went wrong?

What worked?

How can we improve the outcome?

How do we put ourselves in a better position?

How does all of this intel help us craft a game plan moving forward?

From a cyber perspective, this all applies. So what do playbooks for the strategic and operational levels look like? 

At the strategic level, it’s all about looking at business risk and deriving the best “decision-making” plays. Each situation is unique, so the play might have different routes for you to defend against. From a strategic perspective, it’s looking at what is most critical for you to protect and then planning as best as possible to guard it. It’s to help move from uncertainty to more certainty, from unknowns to knowns. A good way to think about this would be the difference between breach response and incident response. Some examples of strategic questions that your playbook should address:

• What are the risks due to the threat to each line of business or operating zone?

• What are my response options from a breach perspective?

• What are the potential near-term and long-term impacts based on our decisions?

• What resource(s) do I need to deploy, i.e. people, process and technology?

At the operational level it’s looking at common malicious actor Tactics, Techniques, and Procedures (TTPs) and putting a game plan together to thwart or severely limit that threat. What countermeasures will give you the best bang for your buck based on impact of the threat, cost to implement a solution and the effort that is required to implement that countermeasure? Operational-level examples your playbook should address include:

• What are the Actor’s potential Capabilities, Motivations and Intentions?

• What is the Actor’s “Avenue of Approach”?

• What opportunities am I presenting to the Actor that will allow them to be successful?

• What are the recommended countermeasures to deploy based on cost, effort and impact?

While the industry has so far concentrated on “playbooks” that support tactical-level needs using orchestration for SOC operations, there is a very obvious need for playbooks that guide business risk decision makers. These playbooks can provide key stakeholders with courses of action that help position the organization into achieving better threat outcomes, namely:

• Knowing where to position resources for a given threat scenario

• Enabling the right countermeasures for the threat

• Ensuring a faster, more effective response process for a threat scenario if it occurs 

• Breach response recommendations if the threat scenario is successful

Threat intelligence playbooks that support strategic and operational levels help teams be more effective, more certain in their actions and allow security programs to be agile/maintained as situations change. 

Adam Meyer is Chief Security Strategist at SurfWatch Labs. He has served in leadership positions in the defense, technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, he was CISO for the Washington Metropolitan Area Transit Authority. He formerly served as the Director of Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command, one of the Navy’s premier engineering and acquisition commands. Mr. Meyer holds undergraduate and graduate degrees from American Military University and Capitol College.

Security News

via SecurityWeek RSS Feed http://ift.tt/T5XpCH

October 20, 2017 at 12:15PM

Necurs-Based DDE Attacks Now Spreading Locky Ransomware

http://ift.tt/2hSA7kT

Microsoft may soon have to reflect on its stance that the use of an Office feature called DDE to execute code on compromised computers doesn’t merit a patch.

The SANS Internet Storm Center last night said the Necurs botnet has been spreading Locky ransomware using the DDE attack. Handler Brad Duncan said he had access to several dozen emails that are part of a spam campaign moving the ransomware. The emails contain one of three distinct Word document attachments spreading the malware and opting for the DDE technique rather than macros, which for more than a year have been the preferred means of downloading malware from a remote server.

“I think attackers are using DDE because it’s different. We’ve been seeing the same macro-based attacks for years now, so perhaps criminals are trying something different just to see if it works any better. In my opinion, DDE is probably a little less effective than using macros,” Duncan said. “We might see more DDE-based attacks in the coming weeks, but I predict that will taper off in the next few months.”

Like macros, DDE, or Dynamic Data Exchange, is a legitimate Office feature. It allows a user to pull data from one document and inject it into a second: for example, when a sales report is opened in Word, an embedded field can dynamically update it with data from an Excel spreadsheet.

Last Friday, researchers at SensePost disclosed that a number of document-based attacks have been installing malware using DDE. They disclosed their findings to Microsoft in August and Microsoft said in late September that DDE was a feature and no further action would be taken.

SensePost said that a proof-of-concept exploit for this situation suppresses language in a dialog box that could ward off a user from starting an executable.

“The second prompt asks the user whether or not they want to execute the specified application; now this can be considered as a security warning since it asks the user to execute ‘cmd.exe’, however with proper syntax modification it can be hidden,” SensePost said.

Attacks using DDE are also likely to bypass antimalware and intrusion prevention scanners given that it’s likely a whitelisted feature.

“Apparently, DDE and macros are both legitimate features in Microsoft Office.  Both have been used in malware attacks.  In both cases, Office documents from malicious spam provide warnings to let a victim know what’s going on.  To fix the issue, you’d have to remove the DDE entirely,” Duncan said. “If DDE is a functionality, then yes, I agree with Microsoft’s statement that it won’t be patched. However, many articles about DDE state it’s been superseded by OLE functionality. If so, why doesn’t Microsoft get rid of DDE entirely?  Are there any legitimate DDE cases that require Microsoft to retain this backwards compatibility?”

Microsoft has indeed replaced DDE with the Object Linking and Embedding toolkit, but it has not discontinued support for DDE because Office still supports legacy documents that use the feature.

Duncan’s analysis of the Locky attacks shows that the Word attachment using the DDE attack grabs the first stage of the attack, likely a downloader, which then downloads the ransomware. Duncan described the traffic flow in a SANS ISC post:

“Traffic was a bit different than I’ve seen with recent attachments from the Necurs Botnet.  The first HTTP request returned a base64 string that contained further URLs for the 1st-stage malware download.  The second HTTP request returned the 1st-stage malware.  Two follow-up HTTP POST requests came from the 1st-stage malware with the User-Agent string Windows-Update-Agent.  Then came an HTTP POST request that returned the Locky ransomware binary.  The Locky binary was encoded as it passed through the network, and it was decrypted on the local host. No callback traffic from the Locky binary was noted.  I just saw some more HTTP POST requests from the 1st-stage malware.”

The Locky infection encrypts files stored on the local hard drive and demands 0.25 Bitcoin in exchange for the decryption key. SANS posted a number of indicators of compromise, including hashes of the attachments and malware, as well as IP addresses involved in the attacks.

“The best option I’ve found so far to disable DDE?  For each office Application, under the Options menu, go to Advanced Options –> General, then make sure the “Update automatic links at open” box is un-checked,” Duncan said. “I found that prevents Word documents with DDE attacks from working.  But in online forums, some people indicate this change doesn’t necessarily stay, and ‘Update automatic links at open’ may get re-checked again on its own.”
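A defender-side check for the document feature discussed above, added here as an example (it is not code from the article, SANS or SensePost): it unpacks a .docx and reports any field whose instruction starts with DDE or DDEAUTO, the fields that make Word open an automatic link when the document loads. The sample documents are constructed in memory; the spreadsheet link in them is an ordinary automatic link of the kind the article describes, not malware.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def w(tag):
    """Qualified WordprocessingML tag/attribute name."""
    return f"{{{W_NS}}}{tag}"


# A field whose instruction starts with DDE or DDEAUTO (case-insensitive, leading
# whitespace allowed, as Word itself tolerates) asks Word to open a DDE link on load.
DDE_FIELD_RE = re.compile(r"^\s*(?:DDEAUTO|DDE)\b", re.IGNORECASE)


def iter_field_codes(xml_bytes):
    """Yield the instruction text of every field in one WordprocessingML part.

    Simple fields carry the instruction in w:fldSimple/@w:instr. Complex fields
    spread it over w:instrText runs between fldChar begin and end; Word routinely
    splits one instruction across several runs, so the runs are joined before
    the caller inspects the text. Nested fields are tracked with a stack.
    """
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(w("fldSimple")):
        yield fld.get(w("instr"), "")
    stack = []  # one buffer per open complex field, innermost last
    for el in root.iter():  # document order
        if el.tag == w("fldChar"):
            kind = el.get(w("fldCharType"))
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                yield "".join(stack.pop())
        elif el.tag == w("instrText") and stack:
            stack[-1].append(el.text or "")


def scan_docx(data):
    """Return [(part_name, normalised_instruction)] for every DDE/DDEAUTO field
    in a .docx supplied as bytes. Headers, footers and notes parts are checked too."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                for instr in iter_field_codes(zf.read(name)):
                    if DDE_FIELD_RE.match(instr):
                        hits.append((name, " ".join(instr.split())))
            except ET.ParseError:
                continue  # not a WordprocessingML part we can read; skip it
    return hits


def build_sample_docx(instr_runs):
    """Constructed test fixture: a minimal .docx with one complex field whose
    instruction is split over the given runs. Not a file produced by Word."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{escape(r)}</w:instrText></w:r>'
        for r in instr_runs
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f"{runs}"
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>cached field result</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples: an automatic link to a spreadsheet (the legitimate use the
# article describes) and a harmless DATE field that must not be flagged.
SAMPLE_DDE = build_sample_docx([" DDEAUTO excel ", '"C:\\reports\\sales.xlsx" "Sheet1!R1C1" '])
SAMPLE_CLEAN = build_sample_docx([' DATE \\@ "d MMMM yyyy" '])


if __name__ == "__main__":
    if sys.argv[1:]:
        inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    else:
        inputs = [("sample-dde.docx", SAMPLE_DDE), ("sample-clean.docx", SAMPLE_CLEAN)]
    for path, data in inputs:
        hits = scan_docx(data)
        print(f"{path}: {'DDE field(s) found' if hits else 'no DDE fields'}")
        for part, instr in hits:
            print(f"  {part}: {instr}")
```

Run it with one or more .docx paths to scan real attachments from a mail quarantine; with no arguments it scans the two constructed samples.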

Security News

via Threatpost | The first stop for security news http://threatpost.com

October 20, 2017 at 12:05PM

EquiFIX – Lessons Learned From the Most Impactful Breach in U.S. History

http://ift.tt/2gUaoIT

While Equifax is the latest major data breach to hit the headlines, we know it will not be the last. How prepared is your organization if you were similarly targeted?

As we all know, the impact of the Equifax breach is widespread, potentially affecting 145.5 million individuals in the U.S., Canada and the UK whose personally identifiable information (PII) and (to some extent) financial information was accessed by malicious actors. The exact impact is yet to be seen and depends on the motives of the attackers and the ways in which they plan to use the data, but any exposure puts individuals at risk. We’ve also seen tremendous impact on the company as a result of the breach, including a dramatic drop in share price, reputational damage, and job losses for some senior staff members including the CEO. There’s more to come as the total costs of dealing with the breach itself mount and the incident makes its way through the legal system. 

In the midst of National Cyber Security Awareness Month and with the pain of this breach fresh in our minds, now is an appropriate time to reflect on the lessons we can learn before, during and after discovering a breach to address gaps in processes and technologies and help prevent, detect and mitigate these types of threats.

Before the breach

Equifax has said that the initial intrusion was through exploitation of a vulnerable Apache Struts web application. It turns out that prior to the intrusion multiple alerts about exploitation of this particular vulnerability were issued and a patch was made available. However, even without following recommended patch management programs, implementing other basic security principles could have mitigated the damage.

Lessons:

• Maintain awareness of what an attacker can see regarding your infrastructure, people and processes so you can see potential weaknesses and points of access for attackers.

• Understand what methods attackers are using against your sector so you can proactively protect your valuable digital assets.

• Establish and maintain a threat intelligence program and act on the intelligence.

• Implement and follow general cybersecurity good practice measures, such as defense-in-depth, and include vulnerability and patch management.

• Protect your sensitive information through the use of encryption and network segmentation.

• Educate users on the importance of password hygiene and strong authentication requirements.

• Go a step further and assume a breach will occur and plan for this outcome. Ensure your strategy, people and processes are in place in advance.

After discovery

Not only did Equifax have to deal with the fallout of the breach itself, but unusual trading activity in Equifax shares has provoked suspicions of insider trading and a criminal investigation. Further, Equifax’s infrastructure for handling customer inquiries proved inadequate, and some of the strategies put in place to address customer concerns in the wake of the discovery backfired.

Lessons:

• Control knowledge of a breach to trusted individuals to prevent collateral damage; no matter how swiftly an organization moves there will always be some lapse in time between discovery and disclosure.

• Anticipate fallout and prepare for announcements by analyzing the possible consequences of decisions to mitigate negative publicity and outcomes.

• Closely monitor response and make arrangements for extra bandwidth capacity – both infrastructure and people – to handle an initial flood of inquiries if needed.

After public disclosure

Once a breach is disclosed, researchers and opportunistic malicious actors will look for additional weaknesses in infrastructure. After the Equifax breach, an insecure portal used to manage credit report disputes was discovered. When the news becomes public, immediate questions arise as to who was responsible, what data was compromised and how the data is being used. The answers to these questions can dictate the impact of the breach on the organization and its customers.

Lessons:

• Communicate clearly when a breach happens, stating the knowns and unknowns publicly; speculation from media and researchers can damage reputation.

• Look for your compromised data online to try to discern the attacker’s motive, if not identity; understanding whether the motive was financial gain may help mitigate against prolonged malicious activity. For example, knowing that financial fraud is imminent helps to put countermeasures in place.

The Equifax breach has had a damaging impact on the company and has put its customers at risk. But it has also served as a wake-up call for organizations around the globe. Security professionals and executive management can use this as an opportunity to identify areas they can address to better prepare for and deal with a breach. In the weeks and months to come as more information comes to light, it’s in our collective best interest to focus on gaining a deeper understanding of what we can do to mitigate risk. 

Alastair Paterson is CEO and Co-Founder of Digital Shadows. Alastair has worked for over a decade advising secure government and FTSE 100 clients on large-scale data analytics for risk and intelligence. Before founding Digital Shadows in 2011, Alastair was International Propositions Manager at BAE Systems Detica, working with clients in the Gulf, Europe and Australasia. He holds a first class MEng in Computer Science from the University of Bristol.

Security News

via SecurityWeek RSS Feed http://ift.tt/T5XpCH

October 20, 2017 at 11:53AM

5 ways to do 15 minutes of cybersecurity without a computer

http://ift.tt/2xcnxD9

If there’s one cybersecurity practice that absolutely everybody can do, that absolutely everybody should do, that should be as much a part of your day as brushing your teeth, making the first cup of coffee and correcting people who are wrong on Reddit, it’s this:

Keep your software up to date.

There’s an army of criminal hackers out there using computer programs to scour the internet for devices with out of date software. When they find a bug they’re looking for they can use it like a crowbar to prize open your electronic life.

They can steal your photos; spy on you through your camera; sniff out your banking password; exhaust your battery by mining cryptocoins; sell access to your Facebook account or wrap up all your stuff with encryption and demand a ransom.

Regularly updating your software is the single best, most efficient, most easy-as-falling-off-a-log thing you can do to shut them out.

That’s why we were delighted to hear about the UK government’s new Cyber Aware campaign.

Cyber Aware is encouraging you to take time to update your software with the inducement of giving yourself 15 minutes away from your screen while your tech feeds and waters itself (a #techfree15 minutes, if you will).

Just think what you can do with an extra 15 minutes.

Wait… what? 15 minutes?

Clearly these guys haven’t done a major Windows or MacOS update recently. To be fair to them I guess #techfreeForAnythingUpToAnHourMaybeEvenLongerIt’sHardToSay is a hard sell.

Cyber Aware suggest you spend your 15ish minutes doing sensible things like taking a walk in your local park, talking to other humans or having a 15 minute tech-free rest before bed.

A rest.

Don’t they know you’ve got other people’s computers to protect too? Moreover, don’t they know you’ve already drunk seven cans of Monster today?

Rest. Meh. There’s no rest for the wicked and not having a computer is no excuse for giving up the cyberfight. Here are five things you can do without a computer to make everyone else’s computers more secure while you’re taking your #techfree15:

1. Make friends with your IT team

  • Duration: 5 mins
  • Difficulty: 3/5

If you already work in IT, skip to #3. Actually don’t. Go and speak to a colleague you don’t know. If you work with Windows go and speak to somebody wearing a heavy metal t-shirt. If you work with *nix go and speak to somebody wearing a shirt.

If you don’t work in IT, go and say hi. You’re going to need them one day so don’t wait for a crisis before you introduce yourself.

Not only is “Hello” a better greeting than “is the network down?”, but if the network is down then they’ll be too busy to talk to you anyway because the network’s down and it isn’t going to fix itself.

And while we’re on the subject, there is nothing more annoying than trying to fix a network and being constantly interrupted by people who want to tell you the thing they’ve just stopped you from fixing isn’t working. If the network isn’t down and they still don’t want to talk to you, well, let’s just say it’s not them, it’s you, and it’s time to brush up on what you sound like to a sysadmin.

2. Put up some posters

  • Duration: 15 mins
  • Difficulty: 1/5

Get some security posters and stick them up around your office to remind other people who’ve torn themselves away from their computers to go back to them. They need to stop making coffee and sort out those awful passwords.

If you don’t want to make your own posters, you can find some snazzy posters in the Sophos Anti-Ransomware toolkit (you’ll have to do a little data capture tap dance to get it).

Pro tip: don’t put posters where people can walk past them. Put them at eye height where people don’t move much and don’t have anything to read. Yes, that’s right, I’m telling you to put them above the urinals and on the back of the toilet stall doors. Seriously.

3. Write a risk register

  • Duration: never ending
  • Difficulty: 162/5

Risk registers: everybody needs one, nobody wants to write it. Well, guess what, you’ve got at least 15 minutes to spare so get writing. Be careful though, risk registers can get quite long and you’ll have to write it by hand so don’t forget to add writer’s cramp and carpal tunnel syndrome to the register. Oh and if it’s as lengthy and comprehensive as your project manager’s PRINCE2 trainer would like it to be, be careful not to break your foot if you drop it.

4. Clean, wipe, shred

  • Duration: 15 mins
  • Difficulty: 1/5

Lift your head up from your computer and look around you: you’re leaking data. The pay slip in the unlocked drawer; the password on a post-it stuck to your monitor; the bound conference notes you’re never going to read; the work of art on the whiteboard behind you.

Everyone can see them. They’ve got to go.

For your confidential paper waste that means a trip to Mordor the shredder. Unfortunately shredders, like their stablemates photocopiers and faxes, aren’t governed by the normal rules of physics nor any kind of recognisable logic. They are emotional, moody and vindictive machines that hate the taste of paper and hate you for feeding it to them. Luckily for you, you only have 15 minutes so there’s only enough time to jam the shredder twenty seven times.

5. Make a tinfoil hat

  • Duration: 2 minutes
  • Difficulty: 2/5

If you don’t have a tinfoil hat already you clearly don’t understand the seriousness of the situation. You live in a surveillance state, your identity is toast, your phone is lying to you about being off and in a few years time you’ll consider yourself lucky if you’re kept around as a pet by some post-singularity AI.

You’re going to need a tinfoil hat.

I said it takes two minutes to make a tinfoil hat at the top of this section, but that’s not quite right. It takes a second to Google “how to make a tinfoil hat” and (bizarrely) 2:45 to watch the YouTube video How to make a tin foil hat in less than two minutes. But you can’t use them because you’re having a tech free 15ish minutes, remember?

You don’t have Google, YouTube, iFixit, WikiHow or Stack Overflow. You’re on your own with some scissors and a roll of aluminium foil.

You’ll be lucky if you get out of this with ten fingers…

Best check if your updates have finished.


Security News

via Naked Security http://ift.tt/1pHdTOi

October 20, 2017 at 11:45AM

OSSIM Download – Open Source SIEM Tools & Software

http://ift.tt/2xTaNRp

OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.

OSSIM stands for Open Source Security Information Management. It was launched in 2003 by security engineers because of the lack of available open source products, and it was created specifically to address the reality many security professionals face: a SIEM, whether open source or commercial, is virtually useless without the basic security controls necessary for security visibility.

What is OSSIM Security Information and Event Management System

As a SIEM system, OSSIM is intended to give security analysts and administrators a view of all the security-related aspects of their system, by combining log management and asset management and discovery with information from dedicated information security controls and detection systems. This information is then correlated together to create contexts to the information not visible from one piece alone.

OSSIM performs these functions using other well-known open-source software security components, unifying them under a single browser-based user interface. The interface provides graphical analysis tools for information collected from the underlying open source software components (many of which are command-line-only tools that otherwise log only to a plain text file) and allows centralized management of configuration options.

It performs:

  • Asset discovery
  • Vulnerability assessment
  • Intrusion detection
  • Behavioral monitoring
  • SIEM

OSSIM Open Source SIEM Components

OSSIM features the following software components:

  • PRADS, used to identify hosts and services by passively monitoring network traffic. Added in release v4.0.
  • OpenVAS, used for vulnerability assessment and for cross-correlation of intrusion detection system (IDS) alerts against vulnerability scanner results.
  • Snort, used as an IDS, and also used for cross-correlation with Nessus.
  • Suricata, used as an IDS; as of version 4.2 this is the IDS used in the default configuration.
  • Tcptrack, used for session data information, which can provide useful information for attack correlation.
  • Nagios, used to monitor host and service availability information based on a host asset database.
  • OSSEC, a host-based intrusion detection system (HIDS).
  • Munin, for traffic analysis and service watchdogging.
  • NFSen/NFDump, used to collect and analyze NetFlow information.
  • FProbe, used to generate NetFlow data from captured traffic.
  • OSSIM also includes self-developed tools, the most important being a generic correlation engine with logical directive support and log integration via plugins.

Note: Suricata and Snort cannot be used at the same time. Snort is currently being phased out in favour of Suricata.
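To show what the IDS-versus-vulnerability-scanner cross-correlation listed above does in practice, here is an added example that is not OSSIM's own code: an IDS alert is marked confirmed when the scanner found the target host vulnerable to the CVE the signature fires on, and the 0-10 risk score uses the asset x priority x reliability / 25 formula AlienVault documents for OSSIM. The event layout, reliability adjustments, default asset value, placeholder CVE ids and sample events are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class IdsAlert:
    """One IDS event (shape constructed for this example, not OSSIM's schema)."""
    sensor: str
    src_ip: str
    dst_ip: str
    signature: str
    cves: tuple       # CVE ids the signature is written for (placeholders below)
    priority: int     # 0-5: how serious the signature is if the attack is real
    reliability: int  # 0-10: how confident the sensor is before correlation


# Constructed vulnerability-scanner output: host -> set of CVE ids found open.
# The CVE ids are placeholders, not real vulnerabilities.
SCAN_RESULTS = {
    "10.0.0.5": {"CVE-0000-0001", "CVE-0000-0002"},
    "10.0.0.9": set(),  # scanned, nothing found
}

# Constructed asset values (0-5) from the asset inventory.
ASSET_VALUES = {"10.0.0.5": 5, "10.0.0.9": 3}


def cross_correlate(alert, scan_results, asset_values):
    """Adjust an alert's reliability from what the scanner knows about the target
    host, then score it with OSSIM's risk = asset * priority * reliability / 25."""
    found = scan_results.get(alert.dst_ip)
    if found is None:
        # Host was never scanned: keep the sensor's own confidence.
        status, reliability = "unverified", alert.reliability
    elif found & set(alert.cves):
        # Target is known vulnerable to exactly what was attempted.
        status, reliability = "confirmed", 10
    else:
        # Scanned and not vulnerable: demote (constructed penalty, floor of 1).
        status, reliability = "unlikely", max(1, alert.reliability - 5)
    asset = asset_values.get(alert.dst_ip, 2)  # constructed default for unknown assets
    risk = round(asset * alert.priority * reliability / 25, 1)
    return {"status": status, "reliability": reliability, "risk": risk,
            "signature": alert.signature, "dst_ip": alert.dst_ip}


def prioritise(alerts, scan_results=SCAN_RESULTS, asset_values=ASSET_VALUES, threshold=4.0):
    """Return correlated alerts at or above the risk threshold, highest risk first."""
    scored = [cross_correlate(a, scan_results, asset_values) for a in alerts]
    return sorted((s for s in scored if s["risk"] >= threshold), key=lambda s: -s["risk"])


# Constructed sample events: the same exploit signature against a vulnerable host,
# against a patched host, and a low-priority sweep against an unscanned host.
SAMPLE_ALERTS = [
    IdsAlert("suricata-dmz", "203.0.113.7", "10.0.0.5",
             "EXPLOIT attempt for CVE-0000-0001", ("CVE-0000-0001",), 4, 5),
    IdsAlert("suricata-dmz", "203.0.113.7", "10.0.0.9",
             "EXPLOIT attempt for CVE-0000-0001", ("CVE-0000-0001",), 4, 5),
    IdsAlert("suricata-dmz", "203.0.113.8", "10.0.0.77",
             "SCAN port sweep", (), 2, 3),
]


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        r = cross_correlate(a, SCAN_RESULTS, ASSET_VALUES)
        print(f"{a.dst_ip:10} {r['status']:10} reliability={r['reliability']:2} risk={r['risk']}")
    print("above threshold:", [r["dst_ip"] for r in prioritise(SAMPLE_ALERTS)])
```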

You can download OSSIM here:

AlienVault_OSSIM_64bits.iso

Or read more here.

Security News

via Darknet – The Darkside | Ethical Hacking, Penetration Testing … http://ift.tt/2oouqvS

October 20, 2017 at 11:43AM

Visa Makes Biometrics Easier for Financial Institutions

http://ift.tt/2gx6IQC

The acceptance and adoption of biometrics as a primary or second factor in multi-factor authentication has been considerably slower than expected. There are signs now, however, that it is finally gathering pace. Apple has long included TouchID with the iPhone, and has now added FaceID to the new iPhone X. It is particularly strong in the financial sector: HSBC and MasterCard allow selfies; Barclays allows voice authentication; and the Bank of Montreal allows selfies or fingerprints.

Now, payment giant Visa has announced the launch of a new platform, Visa ID Intelligence. It will allow Visa card issuers, acquirers and merchants to adopt new biometric methods of their own preference. Users are becoming more comfortable with using biometrics; but the technology is not without critics.

Passwords alone are no longer considered adequate: they are too easily stolen or guessed. Furthermore, they do not prove the identity of the user, only ownership of the password. One-time passwords sent to the user via a separate channel are more secure, but very inconvenient with a high friction factor for the user.

Biometrics solve many of these problems: they prove identity and have a very low user friction factor — but they can still be stolen if stored in an external database. “Traditional methods for authenticating a customer can create frustration or are simply not designed for the new ways people are shopping and paying,” explained Mark Nelsen, senior vice president of risk and authentication products at Visa. “We built Visa ID Intelligence to help accelerate smarter and easy-to-use authentication solutions for any commerce environment — to better protect against fraud and to move closer to a world without passwords.”

Visa launches new biometrics platform

The platform currently has two features: ID documents and biometrics. The document side can prove identity by matching a ‘selfie’ to a photo ID (such as a driver’s license, a passport or a military ID). The purpose is to allow financial institutions to make faster and smarter decisions. Uses include creating new accounts, requesting and issuing replacement cards, and an alternative to support calls for password resets.

The biometrics feature allows Visa’s clients to choose and use biometric authentication such as eyes, face, voice or fingerprints for consumer authentication. The intention is to increase speed and reduce user friction while improving security.

Visa ID Intelligence is currently partnering with Daon, a privately held biometric software firm. “Visa ID Intelligence is revolutionary in both scope and implementation, and will benefit consumers who are growing more and more frustrated by an antiquated password system,” said Tom Grissen, CEO, Daon. “Visa understands it is critical to provide both security and convenience, and that’s what Daon delivers through our proven biometrics platform, IdentityX.”

However, not all security experts are completely happy with biometrics as a form of authentication. One problem is that they may not be as secure as we are told. “The security and reliability of biometric authentication,” Tom Van de Wiele, F-Secure’s principal security consultant, told SecurityWeek, “has been overplayed by industry for quite some time.” One concern is that all biometrics can be spoofed.

“Biometric authentication as part of the ‘something you are’ property of access control,” he said, “can be used against you. For example, asleep on the plane someone can re-use your finger; your picture might be taken from Facebook and used against a facial recognition technology; and your voice can be recorded from any source the attacker has access to.” His concern is that biometrics (something you are) still needs to be supported by a PIN or password (something you know).

Van de Wiele points to a further problem with biometrics: they shift the burden of security onto the user. It is “asking the customer to keep their iris/fingerprints/voice safe and that is not something people care about or even think about.”

Another problem is persistence. “Biometric data, unlike a username or password, is persistent: we carry it with us for life,” explains Kaspersky Lab’s principal security researcher, David Emm. “There’s one major downside to its use – stored by a service provider, biometric data is just as valuable as a database containing usernames and passwords. However, any security breach resulting in leakage of this information is likely to have much more serious consequences than the theft of a password: after all, we can change a weak password, but we can’t change a compromised fingerprint, iris scan or other biometric.”

The recent Equifax breach illustrates the cybersecurity quandary. Although the primary cause of the breach is linked to a failure to adequately patch a vulnerable system, Comodo subsequently reported, “From third-party (non-company system) sources, we uncovered that Equifax’s chief privacy officer, CIO, VP of PR and VP of Sales, used all lowercase letters, no special symbols, and easily guessable words like spouses’ names, city names, and even combinations of initials and birth year. This reveals that they didn’t follow basic security best practices and were lacking a complex password requirement.”

This demonstrates the weakness in password authentication — but it also demonstrates its primary strength. If those executives were aware that their passwords had been stolen, they could very easily change them. The danger in the data stolen from Equifax, however, lies primarily in its persistence: birthdates, Social Security numbers, addresses, last names. None of these are easily changed, and criminals can use them as part of identity theft for many years to come. The same applies to biometrics.

The bottom line is that financial institutions need to be easier to use than their competitors, or they will lose customers to them. “The trade-off is between security and usability, and this is a hard choice,” says Van de Wiele.

Related: Visa and FireEye Launch Threat Intel Service for Payments Industry

Related: Mastercard Launches Fingerprint-Based Biometric Card

Related: U.S. Army to Protect Warfighters With Continuous Biometric Authentication

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


via SecurityWeek RSS Feed http://ift.tt/T5XpCH

October 20, 2017 at 11:43AM