RIT set to Roll out MFA 10/24/18

    RIT is rolling out Multi Factor Authentication very soon. Multi Factor Authentication is adding an extra factor to validate your credentials. For example, when you log into RIT services you are prompted your username and password; with the new multi factor authentication, you will need to provide an extra form of authentication. These methods include: Using the DUO mobile app, text, phone call, office phone call, and email. RIT has been experiencing more attacks than ever before, and this is their attempt at mitigating the risk of attacks. Last year MFA was put into effect for faculty, staff, and student employees. This was because many Ebiz accounts became compromised. The attackers then changed direct deposit numbers to be routed somewhere else. Luckily no one lost money because controllers saw the change in numbers and knew what was happening because another university was attacked in the same manner.

Image result for multi factor authentication

Why does this matter to us?

If we do not enroll in MFA by the 24th of October, there will be a hold on your account and you will not be able to enroll for classes next semester.

Possible Problems:

With MFA comes the use of another device to authenticate yourself on RIT services. For example, if you signed up and planned on using the DUO app, DO NOT forget your phone. ITS will have to give you a Bypass until you can get access to your phone, which would be unfortunate if you need to log onto something ASAP. I personally don’t see why the students need MFA, but I have no choice but to enroll into it.

Image result for locked out

By: Alejandro Juarez

 

An Overlooked Way of Getting Malware Onto Mac’s

By: John Schnaufer

This article was about malware targeted against Macs that can be hidden in the Mac app store. The writer of the article says that although they found the vulnerability, no one has used it yet from what they can see.

This attack could be used by bypassing the code signing done before submission to the app store. The code signature checks or code signing is basically virtual security checks, to make sure the app is safe and stable. It was noticed that the code only gets checked once, and then the signature doesn’t get checked again. This means that an attacker can make a clean app, submit it to the app store, and then once it gets downloads from users, release an update infected with malware for the users to download. They can also steal or buy real code signatures and put them into their malicious app and it has the possibility of getting published to the app store for everyone to download.

The writer of the main article says, “As a result of this research, Reed himself added code signature verification to Malwarebytes Mac products so they now perform a check every time they launch.” Reed works at the company Malwarebytes and he put out an update to their software to check the code signature again of updates to apps. He even says, “A script kiddie could pull off something like this.” This shows how something should be done to fix this problem before others catch on and start infecting peoples computers with malware. This was released recently, so hopefully, it gets fixed soon. I remember when I made my app for the app store and I do not ever remember any checks being done to my updates after the initial release.

 

Source:

https://www.wired.com/story/mac-malware-hide-code-signing/

 

First Internet of Things Security Laws Set for 2020 in California

California Governor Jerry Brown is the first governor to sign a bill to protect against the very prevalent cyber attacks on Internet of Things (IoT) devices. CNET tells:

The law mandates that any maker of an Internet-connected, or “smart,” device ensure the gadget has “reasonable” security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”

Since this bill is the first of its kind, it is expected that many other states will begin to follow California’s example and implement some sort of protection against IoT attacks. Although the bill requires manufacturers to assign a password to each device, many of the stipulations are non-specific, like many cyber laws. It is hard to be specific in a case like this, as attacks could easily find a loophole not covered within the bill. With a vague bill, it in a way could deter an attacker who knows the law could be translated in a number of ways to point to what he or she might have been doing as illegal.

This need of security was demonstrated most by the WannaCry ransomware attacks that hit hospitals across the nation. Hospitals have been increasingly using devices connected to their networks to aid in caring for patients. The attacks locked up devices that were in use, potentially threatening the lives of patients. An attack like this is more alarming than many ransomware attacks, as it takes the attacker’s morals (or in this case, lack of morals) into account more than other attacks.

The lack of security on IoT devices has desperately needed to be addressed, as over 8.4 billion IoT devices are out in the world on networks with little to no security. The law goes into effect at the beginning of 2020. California’s status as the most populated state in the U.S. is part of the reason the bill was signed into effect and is also the hope for cyber security experts to be influential in persuading others to join in the fight against attacks.

-Chevy Bolay

Crypto-jacking on Government Official Websites.

About a month ago it was discovered that there was a vulnerability being exploited on a browser plug-in called, Browsealoud. Browsealoud is a website plugin, developed by the company TextHelp, that adds speech, reading, and translation to websites, in an effort  to help those with dyslexia and other conditions.  Hackers injected a crypto-mining script on a Java file within the Browsealoud library. The script would mine the currency ‘monero’. Since the hackers attacked Browsealoud itself and not the individual websites, all the websites that were using Browsealoud (nearly 4000) were infected.  Some of the websites included  UK’s ICO (Information Commissioner’s Office) and NHS (National Health Service) and US’ federal judiciary. When someone visited a website using the plugin, the script would run and use the visitors CPU to begin mining.

Crytpo-mining is something to be wary about especially with the rise of Bitcoin and other cryptocurrencies. The hackers simply just wanted an easy way to mine more currency for themselves whether or not it was legally. There reason for doing this comes back to the acronym ‘MEECES’ which stands for money, ego, entertainment, cause, entrance, status. The attackers were just looking for some money in this case because as of now it is unknown who injected the script. It was very fortunate, with the information as of now, that no information of the users who used the website was stolen, and only were used to mine cryptocurrency.

Websites now should use more caution when implementing plugins to there website. Every company should have people testing for vulnerabilities within their services and should submit proof of this to their customers. In the future we need to become more aware of ways our websites and services can become vulnerable and the risks we take using them.

– Jordan Disciglio

Souces:
https://viraldocks.com/cryptojacking-attack-hits-4000-websites/

https://www.theguardian.com/technology/2018/feb/12/cryptojacking-attack-hits-australian-government-websites

Quantum Computing’s Impact on Cyber Security

With more and more technological advancements every day, our vision of quantum computing is turning more into a reality than a theory. Companies like IBM and Microsoft are accelerating forward and becoming closer than ever to build the first fully functioning quantum computer. Seemingly on the edge of an almost quantum revolution, it’s important to ask questions about how integral parts of our lives like cyber security will be affected by this change.

First, let’s understand what quantum computing is. Comparing it to modern computing, which relies on discrete values of a bit being either a 0 or a 1, quantum computing would allow both of these possibilities to exist simultaneously in something called qubits, and these values only truly form when they are observed. This allows quantum computers to handle operations and equations at speeds that are exponentially higher than what we are used to in modern computers and their energy costs are far less.

How does this effect today’s security? Many of today’s security systems rely on cryptography, this is because normal computers struggle at factoring large numbers. This means that cryptography based on factoring numbers would be a safe bet against our technology today, but with the introduction of quantum computing, these practices would be useless. This isn’t the end of cryptography though because there are some approaches in use today that will be safe against the power of a quantum computer. That doesn’t mean that important companies and governments are using them though, and if quantum computing is to take off faster than anticipated they could run into some trouble. Other security strategies that are used today, like two-factor authentication, will still be just as effective after the introduction of quantum computing, due to multiple steps being taken by the person to log into a system.

Tomorrow’s security will be something almost unfathomable with quantum-based security implementations. Techniques like theoretically unbreakable cryptography, encrypting data to stop working if anyone attempts to uncover them and guaranteeing a safe passage to send data no matter what attacks are being used against it can all be potentially achieved with quantum computing. It’s not all positive though because with the power to develop secure techniques comes the power to exploit older strategies. An almost quantum arms race has begun between intelligence agencies and this is because the first agency to gain access to quantum computing power will have an incredible edge over all other counties.

Although quantum computers may never be a household item, their impact in the world will definitely be historical. While many of their advancements will benefit society and the internet infrastructure as we know it, it is still important to make sure what the world is ready for a step this large.

-Jeremy McGrath

Sources:

https://www.technative.io/how-will-quantum-computing-impact-cyber-security/

https://www.nasdaq.com/article/quantum-computing-what-it-is-and-who-the-major-players-are-cm939998