The Host Unknown Podcast

Episode 152 - The Sicknote Episode

Episode Summary

This week in InfoSec reminds us of when the PlayStation Network was down for 3 weeks.

Rant of the Week is a reminder of why you don’t roll your own encryption.

Billy Big Balls is the story of Microsoft making authentication decisions for you.

Industry News brings us the latest and greatest security news stories from around the world.

And Tweet of the Week uses lessons from ChatGPT.

Episode Notes

European Security Blogger Awards 2023

Vote for us (and Thom and teissTalk) here: 


This week in InfoSec (11:24)

With content liberated from the “today in infosec” twitter account and further afield

15th May 2011: Sony Begins Restoration of Its PlayStation Network after Cyber Attack

After a malicious cyber attack compromises Sony Computer Entertainment's data center in San Diego, California, the PlayStation Network is shut down on April 20. 

The ensuing investigation revealed a number of security flaws, and in tandem with outside security firms, Sony implemented a number of upgrades to deter and mitigate future attacks against its network and its customers’ personal information. The Americas, Oceania, Europe and the Middle East were the first regions to regain access to the PlayStation Network, and among other measures, customers were required to reset their passwords when they first signed in again.

As more and more personal information is posted online, whether for financial, social, or business transactions, the safekeeping and protection of this data has come to the forefront of Internet consumer concerns. 


20th May 2003: Rain Forest Puppy reflected on change in the security industry and made a declaration of his personal change.


Rant of the Week (18:00)

Upstart encryption app walks back privacy claims, pulls from stores after probe

A new-ish messaging service that claimed to put privacy first has pulled its end-to-end encryption claims from its website and its app from both the Apple and Google software stores after being called out online.

Converso – a comms app launched in September 2022 – billed itself as a "next-generation messaging app that keeps your conversations completely private." This, according to the developer's website, included "proprietary state-of-the-art end-to-end encryption technology," no storage of messages on servers, and "absolutely no use of user data." It claimed it could stand up to the likes of Signal and WhatsApp in the security stakes. 

A blogger who goes by Crnković and has an interest in encryption protocols heard about Converso from an ad on a podcast and decided to poke around to see if the software lived up to the hype. 

Crnković found the app talked to a Google Cloud-hosted database that was left completely open to the public by the software's developers. This Firestore database, we're told, included encrypted message content, metadata about people's messages, their private encryption keys, phone numbers, and more. Essentially, it would be possible for anyone to fetch that information and decrypt a stranger's message that went through the app, according to the researcher.

Crnković concluded:

Not only is metadata public, but so too are the keys used to encrypt messages. Anyone can download a Converso user's private key, which could be used to decrypt their secret conversations.

There's no longer any real distinction between cleartext and encrypted messages – nothing is meaningfully encrypted. For your security, you shouldn't use Converso to send any message that you wouldn't also publish as a tweet.

"Dissecting Converso was in large part a learn-as-you-go exercise for me, as I don't have prior experience reverse engineering mobile apps," Crnković told The Register. "I was shocked at each exponentially worse mistake."

Telegram vulnerability:


Billy Big Balls of the Week (27:37)

Microsoft decides it will be the one to choose which secure login method you use

Microsoft wants to take the decision of which multi-factor authentication (MFA) method to use out of the users' hands and into its own.

The software maker this week is rolling out what it calls system-preferred authentication for MFA, which will present individuals signing in with the most secure method and then alternatives if that method is unavailable.

Redmond first unveiled the feature in a disabled state in April and is now making it generally available to all commercial users through the Azure Portal or Graph APIs, with the decision whether to enable it for tenants now resting with administrators.

That said, in July Microsoft will make system-preferred authentication a default feature in its Azure Entra portfolio for all user accounts, with more information coming out next month.

The goal is to shore up security by not only delivering new features to harden products and services but to, at times, strong-arm people into using them.

More security, fewer problems?

"This system prompts the user to sign in with the most secure method they've registered and the method that's enabled by admin policy," Alex Weinert, vice president and director of identity security at Microsoft, wrote in a blog post. "This will transition users from choosing a default method to use first to always using the most secure method available. If they can't use the method they were prompted to use, they can choose a different MFA method to sign in."


Industry News (36:43)

Ex-Ubiquiti Employee Imprisoned For $2m Crypto Extortion Scheme

NSO Group Spends Millions Lobbying US Government

Cyber-Resilience Programs Failing on Poor Visibility

New Cloud Data Leak Adds to Capita's Woes

Government Publishes Playbook to Enhance Smart City Security

ChatGPT Leveraged to Enhance Software Supply Chain Security

Montana Signs Ban on TikTok Usage on Personal Devices

Apple's App Store Blocks $2bn in Fraudulent Transactions

Cyber Warfare Escalates Amid China-Taiwan Tensions


Tweet of the Week (48:17)