Category: Mobile

This World Password Day consider ditching passwords altogether

Did you know that May 5, 2022, is World Password Day?1 Created by cybersecurity professionals in 2013 and designated as the first Thursday every May, World Password Day is meant to foster good password habits that help keep our online lives secure. It might seem strange to have a day set aside to honor something almost no one wants to deal with—like having a holiday for filing your income taxes (actually, that might be a good idea). But in today’s world of online work, school, shopping, healthcare, and almost everything else, keeping our accounts secure is more important than ever. Passwords are not only hard to remember and keep track of, but they’re also one of the most common entry points for attackers. In fact, there are 921 password attacks every secondnearly doubling in frequency over the past 12 months.2

But what if you didn’t have to deal with passwords at all? Last fall, we announced that anyone can completely remove the password from their Microsoft account. If you’re like me and happy to ditch passwords completely, read on to learn how Microsoft is making it possible to start enjoying a passwordless life today. Still, we know not everyone is ready to say goodbye to passwords, and it’s not possible for all your online accounts. We’ll also go over some easy ways to improve your password hygiene, as well as share some exciting news from our collaboration with the FIDO Alliance about a new way to sign in without a password.  

Free yourself with passwordless sign-in

Yes, you can now enjoy secure access to your Microsoft account without a password. By using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email, you can go passwordless with any of your Microsoft apps and services. Just follow these five steps:

  1. Download and install Microsoft Authenticator (linked to your personal Microsoft account).
  2. Sign in to your Microsoft account.
  3. Choose Security. Under Advanced security options, you’ll see Passwordless account in the section titled Additional security.
  4. Select Turn on.
  5. Approve the notification from Authenticator.
User interface of Microsoft Authenticator app providing instructions on how to turn on passwordless account option.
Notification from Microsoft Authenticator app confirming user's password has been removed.

Once you approve the notification, you’ll no longer need a password to access your Microsoft accounts. If you decide you prefer using a password, you can always go back and turn off the passwordless feature. Here at Microsoft, nearly 100 percent of our employees use passwordless options to log into their corporate accounts.

Strengthen security with multifactor authentication

One simple step we can all take to protect our accounts today is adding multifactor authentication, which blocks 99.9 percent of account compromise attacks. The Microsoft Authenticator app is free and provides multiple options for authentication, including time-based one-time passcodes (TOTP), push notifications, and passwordless sign-in—all of which work for any site that supports multifactor authentication. Authenticator is available for Android and iOS and gives you the option to turn two-step verification on or off. For your Microsoft Account, multifactor authentication is usually only needed the first time you sign in or after changing your password. Once your device is recognized, you’ll just need your primary sign-in.

Microsoft Authenticator screen showing different accounts, including: Microsoft, Contoso Corporation, and Facebook.

Make sure your password isn’t the weak link

Rather than keeping attackers out, weak passwords often provide a way in. Using and reusing simple passwords across different accounts might make our online life easier, but it also leaves the door open. Attackers regularly scroll social media accounts looking for birthdates, vacation spots, pet names and other personal information they know people use to create easy-to-remember passwords. A recent study found that 68 percent of people use the same password for different accounts.3 For example, once a password and email combination has been compromised, it’s often sold on the dark web for use in additional attacks. As my friend Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft, likes to say, “Hackers don’t break in, they log in.”

Some basics to remember—make sure your password is:

  • At least 12 characters long.
  • A combination of uppercase and lowercase letters, numbers, and symbols.
  • Not a word that can be found in a dictionary, or the name of a person, product, or organization.
  • Completely different from your previous passwords.
  • Changed immediately if you suspect it may have been compromised.

Tip: Consider using a password manager. Microsoft Edge and Microsoft Authenticator can create (and remember) strong passwords using Password Generator, and then automatically fill them in when accessing your accounts. Also, keep these other tips in mind:

  • Only share personal information in real-time—in person or by phone. (Be careful on social media.)
  • Be skeptical of messages with links, especially those asking for personal information.
  • Be on guard against messages with attached files, even from people or organizations you trust.
  • Enable the lock feature on all your mobile devices (fingerprint, PIN, or facial recognition).
  • Ensure all the apps on your device are legitimate (only from your device’s official app store).
  • Keep your browser updated, browse in incognito mode, and enable Pop-Up Blocker.
  • Use Windows 11 and turn on Tamper Protection to protect your security settings.

Tip: When answering security questions, provide an unrelated answer. For example, Q: “Where were you born?” A: “Green.” This helps throw off attackers who might use information skimmed from your social media accounts to hack your passwords. (Just be sure the unrelated answers are something you’ll remember.)

Passwordless authentication is becoming commonplace

As part of a historic collaboration, the FIDO Alliance, Microsoft, Apple, and Google have announced plans to expand support for a common passwordless sign-in standard. Commonly referred to as passkeys, these multi-device FIDO credentials offer users a platform-native way to safely and quickly sign in to any of their devices without a password. Virtually unable to be phished and available across all your devices, a passkey lets you sign in simply by authenticating with your face, fingerprint, or device PIN.

In addition to a consistent user experience and enhanced security, these new credentials offer two other compelling benefits:

  1. Users can automatically access their passkeys on many of their devices without having to re-enroll for each account. Simply authenticate with your platform on your new device and your passkeys will be there ready to use—protecting you against device loss and simplifying device upgrade scenarios.
  2. With passkeys on your mobile device, you’re able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running. For example, users can sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

These new capabilities are expected to become available across Microsoft, Apple, and Google platforms starting in the next year. This type of Web Authentication (WebAuthn) credential represents a new era of authentication, and we’re thrilled to join the FIDO Alliance and others in the industry in supporting a common standard for a safe, consistent authentication experience. Learn more about this open-standards collaboration and exciting passwordless capabilities coming for Microsoft Azure Active Directory in a blog post from Alex Simons, Vice President, Identity Program Management.

Helping you stay secure year-round

Read more about Microsoft’s journey to provide passwordless authentication in a blog post by Joy Chik, Corporate Vice President of Identity. You can also read the complete guide to setting up your passwordless account with Microsoft, including FAQs and download links. And be sure to visit Security Insider for interviews with cybersecurity thought leaders, news on the latest cyberthreats, and lots more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Source :
https://www.microsoft.com/security/blog/2022/05/05/this-world-password-day-consider-ditching-passwords-altogether/

Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins

Faster, easier and more secure sign-ins will be available to consumers across leading devices and platforms 

Mountain View, California, MAY 5, 2022  – In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.  

Password-only authentication is one of the biggest security problems on the web, and managing so many passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services. This practice can lead to costly account takeovers, data breaches, and even stolen identities. While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.  

The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS. 

An Expansion of Passwordless Standard Support 

Hundreds of technology companies and service providers from around the world worked within the FIDO Alliance and W3C to create the passwordless sign-in standards that are already supported in billions of devices and all modern web browsers. Apple, Google, and Microsoft have led development of this expanded set of capabilities and are now building support into their respective platforms. 

These companies’ platforms already support FIDO Alliance standards to enable passwordless sign-in on billions of industry-leading devices, but previous implementations require users to sign in to each website or app with each device before they can use passwordless functionality. Today’s announcement extends these platform implementations to give users two new capabilities for more seamless and secure passwordless sign-ins: 

  1. Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account. 
  2. Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.

In addition to facilitating a better user experience, the broad support of this standards-based approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method. 

These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year. 

“‘Simpler, stronger authentication’ is not just FIDO Alliance’s tagline — it also has been a guiding principle for our specifications and deployment guidelines. Ubiquity and usability are critical to seeing multi-factor authentication adopted at scale, and we applaud Apple, Google, and Microsoft for helping make this objective a reality by committing to support this user-friendly innovation in their platforms and products,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “This new capability stands to usher in a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys — giving service providers a full range of options for deploying modern, phishing-resistant authentication.”

“The standards developed by the FIDO Alliance and World Wide Web Consortium and being led in practice by these innovative companies is the type of forward-leaning thinking that will ultimately keep the American people safer online. I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers,” said Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency. “At CISA, we are working to raise the cybersecurity baseline for all Americans. Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we’re pleased to continue our collaboration.”

“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, Apple’s Senior Director of Platform Product Marketing. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.” 

“This milestone is a testament to the collaborative work being done across the industry to increase protection and eliminate outdated password-based authentication,” said Mark Risher, Senior Director of Product Management, Google. “For Google, it represents nearly a decade of work we’ve done alongside FIDO, as part of our continued innovation towards a passwordless future. We look forward to making FIDO-based technology available across Chrome, ChromeOS, Android and other platforms, and encourage app and website developers to adopt it, so people around the world can safely move away from the risk and hassle of passwords.”

“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” says Alex Simons, Corporate Vice President, Identity Program Management at Microsoft. “By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords. We see a bright future for FIDO-based credentials in both consumer and enterprise scenarios and will continue to build support across Microsoft apps and services.”

Available Resources:

White Paper: Multi-Device FIDO Credentials

Blog: Charting an Accelerated Path Forward for Passwordless Authentication Adoption

Webpage

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

About Apple

Apple revolutionized personal technology with the introduction of the Macintosh in 1984. Today, Apple leads the world in innovation with iPhone, iPad, Mac, Apple Watch, and Apple TV. Apple’s five software platforms — iOS, iPadOS, macOS, watchOS, and tvOS — provide seamless experiences across all Apple devices and empower people with breakthrough services including the App Store, Apple Music, Apple Pay, and iCloud. Apple’s more than 100,000 employees are dedicated to making the best products on earth, and to leaving the world better than we found it.

About Google

Google’s mission is to organize the world’s information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Google Cloud, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become one of the most widely-known companies in the world. Google is a subsidiary of Alphabet Inc.

About Microsoft

Microsoft enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.


Source :
https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

Google Releases First Developer Preview of Privacy Sandbox on Android 13

Google has officially released the first developer preview for the Privacy Sandbox on Android 13, offering an “early look” at the SDK Runtime and Topics API to boost users’ privacy online.

“The Privacy Sandbox on Android Developer Preview program will run over the course of 2022, with a beta release planned by the end of the year,” the search giant said in an overview.

A “multi-year effort,” Privacy Sandbox on Android aims to create technologies that’s both privacy-preserving as well as keep online content and services free without having to resort to opaque methods of digital advertising.

The idea is to limit sharing of user data with third-parties and operate without cross-app identifiers, including advertising ID, a unique, user-resettable string of letters and digits that can be used to track users as they move between apps.

Google originally announced its plans to bring Privacy Sandbox to Android earlier this February, following the footsteps of Apple’s App Tracking Transparency (ATT) framework.

Integral to the proposed initiative are two key solutions —

  • SDK Runtime, which runs third-party code in mobile apps such as software development kits (SDKs), including those for ads and analytics, in a dedicated sandbox, and
  • Topics API, which gleans “coarse-grained” interest signals on-device based on a user’s app usage that are then shared with advertisers to serve tailored ads without cross-site and cross-app tracking

To address criticisms that the model could possibly give Google an unfair advantage, the tech behemoth noted that the privacy-oriented systems will be developed as part of the Android Open Source Project (AOSP) to ensure transparency into the design and implementation of these solutions.

“Android will collaborate with the entire industry and app ecosystem on the journey to a more privacy-first mobile platform, and one which supports a rich diversity of value-exchange that benefits users, developers, and advertisers,” the company said.

Source :
https://thehackernews.com/2022/05/google-releases-first-developer-preview.html

Google’s New Safety Section Shows What Data Android Apps Collect About Users

Google on Tuesday officially began rolling out a new “Data safety” section for Android apps on the Play Store to highlight the type of data being collected and shared with third-parties.

“Users want to know for what purpose their data is being collected and whether the developer is sharing user data with third parties,” Suzanne Frey, Vice President of product for Android security and privacy, said. “In addition, users want to understand how app developers are securing user data after an app is downloaded.”

The transparency measure, which is built along the lines of Apple’s “Privacy Nutrition Labels,” was first announced by Google nearly a year ago, in May 2021.

The Data safety section, which will show up against every app listing on the digital storefront, presents a unified view of what data is being collected, for what purpose it’s being used, and how it’s handled, while also highlighting what data is being shared with third-parties.

On top of that, the labels can also show an “app’s security practices, like encryption of data in transit and whether users can ask for data to be deleted,” Frey noted, in addition to validating those practices against security standards such as the Mobile Application Security Verification Standard (MASVS).

Google Data Safety Section

The feature is expected to be gradually made available to all users, while giving app developers a deadline of July 20, 2022 to complete the section and keep them updated should they change the apps’ functionality or data handling methods.

That said, Data safety is expected to face similar concerns to that of Apple’s in that the system is built entirely on an honor system, which requires app developers to be truthful and clear-cut about what they do with the data, and not list inaccurate labels.

Apple has since said that it would routinely audit labels for accuracy, thereby ensuring that the labels are reliable and don’t give users a false sense of security about the data being collected and shared.

Google, last year, had said that it intends to institute a mechanism in place that requires developers to furnish accurate information, and that it will mandate them to fix misrepresentations should it identify instances of policy violations.

While the search giant has explicitly stated that its app review process is not designed to certify the accuracy and completeness of the data safety declarations provided by third-party app developers, it’s outlining strong measures to handle such transgressions.

The company is warning that it will be taking suitable enforcement measures when it identifies a deviation from the information provided in the section. Failing to ensure compliance can result in blocked updates or removal from Google Play.

“When Google becomes aware of a discrepancy between your app behavior and your declaration, we may take appropriate action, including enforcement action,” the company said in an updated support article.

Source :
https://thehackernews.com/2022/04/googles-new-safety-section-shows-what.html

Android’s March 2022 security updates fix three critical bugs

Google has released the March 2022 security updates for Android 10, 11, and 12, addressing three critical severity flaws, one of which affects all devices running the latest version of the mobile OS.

Tracked as CVE-2021-39708, the flaw lies in the Android System component, and it’s an escalation of privilege problem requiring no user interaction or additional execution privileges.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.” – mentions Google’s bulletin.

The other two critical flaws are CVE-2021-1942 and CVE-2021-35110, both affecting closed-source components on Qualcomm-based devices.

For a full list of which Qualcomm chipsets are affected by these two vulnerabilities, check out the chipmaker’s security bulletin.

No further technical details have been published for any of the fixed vulnerabilities, as doing so would put users running an older patch level at risk.

Other fixes that land with the March 2022 update are:

  • 1 medium severity escalation of privilege flaw in Android runtime (version 12)
  • 5 high severity escalation of privileges flaws in Android Framework (versions 10, 11, 12)
  • 2 high severity denial of service flaws in Android Framework (version 12)
  • 1 high severity information disclosure in Media Framework (versions 10, 11, 12)
  • 8 high severity escalation of privilege flaws in System (versions 10, 11, 12)
  • 1 high severity information disclosure flaw in System (versions 10, 11, 12)
  • 4 high severity escalation of privilege flaws in Kernel
  • 1 high severity information disclosure in Kernel
  • 3 high severity flaws in MediaTek components
  • 10 high severity flaws in Qualcomm components

As is the case every month, Google has released two patch levels for March 2022, one denoted as “2022-03-01” and one as “2022-03-05”.

The second patch level includes everything in the first set plus fixes for third-party closed source and Kernel components that may not apply to all devices.

As such, your device vendor may choose to push the first level to save on roll-out time, and it won’t necessarily mean that you are left vulnerable to exploitation.

With the only exception being Google’s Pixel line which receives these security updates immediately, all other vendors will need some time to bundle the patches for each of their models, as different hardware configurations require dedicated testing and fine-tuning.

If you are running anything older than Android 10, consider upgrading to a new and actively supported device or flashing your existing with a third-party Android ROM that’s based on a recent AOSP version.

Source :
https://www.bleepingcomputer.com/news/security/androids-march-2022-security-updates-fix-three-critical-bugs/

Apple Issues Patches for 2 Actively Exploited Zero-Days in iPhone, iPad and Mac Devices

Apple on Thursday rolled out emergency patches to address two zero-day flaws in its mobile and desktop operating systems that it said may have been exploited in the wild.

The shortcomings have been fixed as part of updates to iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1. Both the vulnerabilities have been reported to Apple anonymously.

Tracked as CVE-2022-22675, the issue has been described as an out-of-bounds write vulnerability in an audio and video decoding component called AppleAVD that could allow an application to execute arbitrary code with kernel privileges.

Apple said the defect was resolved with improved bounds checking, adding it’s aware that “this issue may have been actively exploited.”

The latest version of macOS Monterey, besides fixing CVE-2022-22675, also includes remediation for CVE-2022-22674, an out-of-bounds read issue in the Intel Graphics Driver module that could enable a malicious actor to read kernel memory.

The bug was “addressed with improved input validation,” the iPhone maker noted, once again stating there’s evidence of active exploitation, while withholding additional details to prevent further abuse.

The latest updates bring the total number of actively exploited zero-days patched by Apple to four since the start of year, not to mention a publicly disclosed flaw in the IndexedDB API (CVE-2022-22594), which could be weaponized by a malicious website to track users’ online activity and identities in the web browser.

  • CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
  • CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution

In light of active exploitation of the flaws, Apple iPhone, iPad, and Mac users are highly recommended to upgrade to the latest versions of the software as soon as possible to mitigate potential threats.

The iOS and iPad updates are available to iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Source :
https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html

Samsung Confirms Data Breach After Hackers Leak Galaxy Source Code

Samsung on Monday confirmed a security breach that resulted in the exposure of internal company data, including the source code related to its Galaxy smartphones.

“According to our initial analysis, the breach involves some source code relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees,” the electronics giant told Bloomberg.

The South Korean chaebol also confirmed that it doesn’t anticipate any impact to its business or its customers as a result of the incident and that it has implemented new security measures to prevent such breaches in the future.

The confirmation comes after the LAPSUS$ hacking group dumped 190GB of Samsung data on its Telegram channel towards the end of last week, allegedly exposing the source code for trusted applets installed within TrustZone, algorithms for biometric authentication, bootloaders for recent devices, and even confidential data from its chip supplier Qualcomm.

The news of the leak was first reported by Bleeping Computer on March 4, 2022.

If the name LAPSUS$ rings familiar, it’s the same extortionist gang that made away with a 1TB trove of proprietary data from NVIDIA last month, namely employee credentials, schematics, driver source code, and information pertaining to the latest graphics chips.

Samsung Galaxy Source Code

The group, which first emerged in late December 2021, also placed an unusual demand urging the company to open-source its GPU drivers forever and remove its Ethereum cryptocurrency mining cap from all NVIDIA 30-series GPUs to prevent more leaks.

It’s not immediately clear if LAPSUS$ has made any similar demands to Samsung before publishing the information.

The fallout from the NVIDIA leaks has also led to the release of “over 70,000 employee email addresses and NTLM password hashes, many of which were subsequently cracked and circulated within the hacking community.”

That’s not all. Two code-signing certificates included in cache dump from NVIDIA have been used to sign malicious Windows drivers and other tools often used by hacking crews, namely Cobalt Strike beacons, Mimikatz, and other remote access trojans.

“Threat actors started on 1st March, a day after torrent [was] posted,” security researcher Kevin Beaumont said in a tweet last week.

Source :
https://thehackernews.com/2022/03/samsung-confirms-data-breach-after.html

100 Million Samsung Galaxy Phones Affected with Flawed Hardware Encryption Feature

A group of academics from Tel Aviv University have disclosed details of now-patched “severe” design flaws affecting about 100 million Android-based Samsung smartphones that could have resulted in the extraction of secret cryptographic keys.

The shortcomings are the result of an analysis of the cryptographic design and implementation of Android’s hardware-backed Keystore in Samsung’s Galaxy S8, S9, S10, S20, and S21 flagship devices, researchers Alon Shakevsky, Eyal Ronen, and Avishai Wool said.

Trusted Execution Environments (TEEs) are a secure zone that provide an isolated environment for the execution of Trusted Applications (TAs) to carry out security critical tasks to ensure confidentiality and integrity.

On Android, the hardware-backed Keystore is a system that facilitates the creation and storage of cryptographic keys within the TEE, making them more difficult to be extracted from the device in a manner that prevents the underlying operating system from having direct access.

Instead, the Android Keystore exposes APIs in the form of Keymaster TA (trusted application) to perform cryptographic operations within this environment, including secure key generation, storage, and its usage for digital signing and encryption. On Samsung mobile devices, the Keymaster TA runs in an ARM TrustZone-based TEE.

However, security flaws uncovered in Samsung’s implementation meant that they could provide an adversary with root privileges a workable path to recover the hardware-protected private keys from the secure element. The list of issues identified is as below –

  • Initialization Vector (IV) reuse in Keymaster TA (CVE-2021-25444) – An IV reuse vulnerability in Keymaster prior to SMR AUG-2021 Release 1 allows decryption of custom keyblob with privileged process. (Impacts Galaxy S9, J3 Top, J7 Top, J7 Duo, TabS4, Tab-A-S-Lite, A6 Plus, and A9S)
  • Downgrade attack in Keymaster TA (CVE-2021-25490) – A keyblob downgrade attack in Keymaster prior to SMR Oct-2021 Release 1 allows [an] attacker to trigger IV reuse vulnerability with privileged process. (Impacts Galaxy S10, S20, and S21)

In a nutshell, successful exploitation of the flaws against the Keymaster TA could achieve unauthorized access to hardware-protected keys and data secured by the TEE. Implications of such an attack could range from an authentication bypass to advanced attacks that can break fundamental security guarantees offered by cryptographic systems.

Following responsible disclosure in May and July 2021, the issues were addressed via security updates shipped in August and October 2021 for the affected devices. The findings are expected to be presented at the USENIX Security Symposium later this August.

“Vendors including Samsung and Qualcomm maintain secrecy around their implementation and design of [TrustZone operating systems] and Tas,” the researchers said. “The design and implementation details should be well audited and reviewed by independent researchers and should not rely on the difficulty of reverse engineering proprietary systems.”

Source :
https://thehackernews.com/2022/02/100-million-samsung-galaxy-phones.html

Why You Need to Care About Data Privacy & 5 Tips for Better Data Security

The privacy of our data has always been important. However, because we’re sharing more of it than ever before, being aware of data privacy and taking the necessary steps to protect it has never been more crucial. In this article, in celebration of Data Privacy Week, we cover why data privacy is so important, what can happen if your data were to fall into the wrong hands, and what you can do to protect your personal data.

Find out if your email address appeared in any data leaks

What is data privacy and why is it important?

Data privacy often refers to the practice of handling sensitive data in line with regulatory requirements. In most developed countries, there are specific data privacy laws in place that regulate how companies can collect, store, and share customer data.

While the EU has a comprehensive data privacy law, the General Data Protection Regulation (GDPR), which covers all different types of data, only three US states currently have similar, all-encompassing data privacy laws (California, Virginia, and Colorado). Instead, the US has many different laws designed to target specific types of data. For example, the Fair Credit Reporting Act (FCRA) protects information in your credit report, and the Family Educational Rights and Privacy Act (FERPA) protects students’ education reports from being freely accessible.

However, because of how much time we spend online nowadays, we’re putting more of our personal data out there for others to see than ever before. As a result, it is not only important to understand how protected your data is when you share it with a company, but also how private it is when you share it online.

How to protect your data privacy

Here are some of our top tips for data privacy protection:

  1. Only give your data to trustworthy companies and websites — Perhaps you’ve come across a new online clothing store or seen an app on the app store that takes your fancy, but you’re unsure if you can trust the company. If you’ve never heard of the company before, it’s best to do some quick research to learn whether or not you can trust it with your data.
  2. Think twice before sharing — With social media being such a big part of our everyday lives, it’s easy to forget that what we post online, stays online forever. Always think twice before sharing something online. Don’t publicly share personal information such as your address, phone number, or social security number.
  3. Take advantage of privacy settings — On every website, app, and game that you use, make sure you’re taking advantage of the built-in privacy settings. By doing so, you’ll ensure that only people you know can view your information.
  4. Use strong passwords and enable 2FA — When you create an online account, you almost always need to share lots of personal data — your full name, email address, and date of birth, for example. Although this data isn’t publicly accessible, if a hacker were to gain access to one of your accounts, they would be able to see all this information. To avoid this happening, make sure to use only strong, tough-to-hack passwords and that all your accounts have two-factor authentication (2FA) enabled.
  5. Use a VPN on public Wi-Fi — Unprotected Wi-Fi networks are notoriously unsecure. Because no password is required to access them, nearby hackers can steal any data transferred over them. To protect yourself, always use a VPN on public Wi-Fi networks.

Data leaks in 2021 — T-Mobile, LinkedIn, Moncler & CoinMarketCap

The truth is, no matter how well a company abides by data privacy laws and how thoroughly it protects its customers’ data, it can never be 100% data leak-proof. In 2021 alone, a shocking number of companies suffered high-profile data leaks, including T-MobileLinkedInMoncler, and CoinMarketCap. Those leaks resulted in hundreds of millions of people having their sensitive personal data leaked, which is used by criminals to commit all sorts of crimes — with the most concerning of them all being identity theft.

According to the Federal Trade Commission, there were over 1 million reports of identity theft in 2021. Below are some of the things the FTC says criminals can do with your data:

  • Get new credit cards in your name.
  • Open a phone, electricity, or gas account in your name.
  • Steal your tax refund.
  • Get medical care under your name (and leave you with a huge bill!).
  • Pretend to be you if they get arrested.

Cybercriminals often put stolen data up for sale on underground forums on the regular internet, as well as the dark web. And as you can imagine, personal information that is particularly valuable to them can fetch a high price. On average, on the dark web, a driver’s license will go for $205, an ID card for $213, and a passport sells for a whopping $684!

How to stay protected from data leaks

You might be thinking that staying protected from data leaks is an impossible task, but the answer is easy: Trend Micro™ ID Security . Available for Android and iOS, Trend Micro™ ID Security can scan the internet and the dark web 24/7 for your personal information. If your data is leaked, the app notifies you immediately so you can take action to avoid people stealing your identity. If your information is out there, you’ll be the first to know!

Here are some of the features offered by Trend Micro™ ID Security :

  • Personal Data Protection Score — See exactly how safe your online personal data is with your customized Protection Score.
  • 24/7 Comprehensive Personal Data Monitoring — ID Security can scan the internet and the dark web for all your personal information including up to 5 email addresses and bank account numbers, 10 credit card numbers, your Social Security number, and lots more.
  • Social Media Account Protection — Strengthen the security of your social media accounts. Be instantly alerted if your Facebook or Twitter account’s data is leaked by cybercriminals.

To learn more about Trend Micro™ ID Security and claim your free 30-day trial, click the button below.Get ID Security

Source :
https://news.trendmicro.com/2022/01/27/why-you-need-to-care-about-data-privacy-5-tips-for-better-data-security/

Outlook Mobile Server settings you’ll need from your email provider

Outlook for Microsoft 365 Outlook for Microsoft 365 for Mac Microsoft 365 for home More…

Most email apps like Outlook are able to automatically configure email server settings. If you need server settings or help finding your server settings, click on one of the links below:

Find your Exchange mailbox server settings

If you’re connecting to an Exchange mailbox and not using Microsoft 365 email, or if you aren’t sure if you’re using Microsoft 365 email, do the following to look up your settings:

  1. Sign in to your account using Outlook Web App. For help signing in, see Sign in to Outlook Web App.
  2. In Outlook Web App, on the toolbar, select Settings Settings icon > Mail POP and IMAP.
  3. The POP3, IMAP4, and SMTP server name and other settings you may need to enter are listed on the POP and IMAP settings page.

What server settings do I need from my email provider?

To help you get the info you need, we’ve put together a handy chart of the email server settings you should ask for. You will most likely have to set up your email as an IMAP or POP account as well. What are POP and IMAP? Check with your provider if you’re not sure which to use.

Note: When you use an IMAP or POP account, only your email will sync to your device. Any calendar or contacts associated with that account will be stored only on your local computer.

Follow these instructions to get your email settings:

  1. Print out this page and keep it within reach.
  2. Call your email provider and ask them about the settings in the chart below.
  3. Write down the corresponding email server settings in the empty column.
  4. Return to your email app and enter the information to complete your email setup.

Note: You may only need some of the settings on this list. Find out from your email provider what you will need to access your email on your mobile device.

General Email Settings

SettingDescriptionWrite Your Setting HereExample
Email AddressThe email address you want to set up.yourname@contoso.com
PasswordThe password associated with your email account.——–
Display NameThe name you want your email recipients to see.Mike Rosoft
DescriptionAdd a description of your email account.Personal, work, etc.

Incoming Mail Server Settings

These settings are for sending email to your email provider’s mail server.

SettingDescriptionWrite Your Setting HereExample
Host NameYour incoming mail server name.outlook.office365.com
UsernameThe email address you want to set up.yourname@contoso.com
PortThe port number your incoming mail server uses.Most use 143 or 993 for IMAP, or 110 or 995 for POP.
Server or DomainThis is your email provider.yourprovider.com, gmail.com, etc.
SSL?Is your email encrypted using SSL?(SSL is enabled by default in the Outlook mobile app)SSL Enabled

Outgoing Mail Server Settings (SMTP)

These settings are for sending email to your email provider’s mail server.

SettingDescriptionWrite Your Setting HereExample
SMTP Host NameOutgoing mail server name. Most often smtp.yourprovider.comsmtp.office365.com
SMTP UsernameThe email address you want to set up.yourname@contoso.com
SMTP PasswordThe password associated with your email account.——–
SSL?Is your email encrypted using SSL?(SSL is enabled by default in the Outlook mobile app)SSL Enabled

Still having trouble? We’re listening.

  • If you’re using an email provider such as Gmail, Yahoo, etc. Contact them for help in setting up your email account.See Troubleshoot email setup on mobile Outlook mobile apps or check the server status of Outlook.com.
  • If you have a work or school account that uses Microsoft 365 for business or Exchange-based accounts, talk to your Microsoft 365 admin or technical support.

    Source :
    https://support.microsoft.com/en-us/office/server-settings-you-ll-need-from-your-email-provider-c82de912-adcc-4787-8283-45a1161f3cc3
Exit mobile version