Encrypted URLs in LastPass

Summary: LastPass announced it will start encrypting URLs stored in user vaults next month for enhanced privacy and protection against data breaches and unauthorized access. This move is part of their effort to reinforce a zero-knowledge architecture, ensuring that even LastPass cannot access users’ data.

The encryption of URLs requires refactoring both client and back-end components, a task that LastPass says is progressing well. Starting in June 2024, the first phase will automatically encrypt primary URL fields for all existing and new accounts. The second phase will focus on encrypting the remaining six URL-related fields. LastPass will provide step-by-step instructions for business plan admins. As of now, no immediate action is required for users and admins.

Why it matters: LastPass is enhancing user security by encrypting URLs stored in password vaults, a measure that was previously impractical due to processing power limitations in 2008. With modern hardware capable of handling the encryption/decryption process seamlessly, this update will bolster the company’s zero-knowledge architecture, ensuring even LastPass cannot access users’ data. Encrypting URLs is crucial because they can reveal sensitive information about the nature of accounts, such as banking or email services. This change comes in response to past security breaches, including incidents in 2022 where unencrypted URLs in stolen data helped attackers target specific accounts, resulting in significant financial losses.
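To make the zero-knowledge point concrete, here is an added example (written for this digest, not LastPass code, and not a description of its vault format) showing what a stored record exposes before and after the URL field is encrypted on the client. It assumes a per-user key derived from the master password (a single SHA-256 stands in for a real slow KDF), AES-256-GCM for the field, and constructed values for the URL, salt and password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// VaultItem is a constructed stand-in for one stored vault entry.
// URL is the field that used to be stored in the clear; EncURL is the
// same value after client-side encryption; EncPass was always encrypted.
type VaultItem struct {
	URL     string
	EncURL  string
	EncPass string
}

// deriveKey stands in for a password-based KDF. Assumption for this
// example only: a real vault uses a slow, salted KDF; a single SHA-256
// is used here to keep the block dependency-free.
func deriveKey(masterPassword, salt string) []byte {
	sum := sha256.Sum256([]byte(salt + ":" + masterPassword))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one field on the client with AES-256-GCM and returns
// base64(nonce || ciphertext || tag); only this string reaches the server.
func encryptField(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptField reverses encryptField; a wrong key or a modified
// ciphertext fails GCM authentication and returns an error.
func decryptField(key []byte, encoded string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// MigrateItem moves the plaintext URL into the encrypted field, which is
// the effect the first phase described above has on the primary URL field.
func MigrateItem(key []byte, item VaultItem) (VaultItem, error) {
	enc, err := encryptField(key, item.URL)
	if err != nil {
		return item, err
	}
	return VaultItem{EncURL: enc, EncPass: item.EncPass}, nil
}

// ServerVisibleText is what a copy of the stored record exposes to
// someone who holds the data but not the user's key.
func ServerVisibleText(item VaultItem) string {
	return strings.TrimSpace(item.URL + " " + item.EncURL + " " + item.EncPass)
}

func main() {
	key := deriveKey("correct horse battery staple", "per-user-salt") // constructed
	encPass, _ := encryptField(key, "hunter2")
	before := VaultItem{URL: "https://bank.example/login", EncPass: encPass}
	after, _ := MigrateItem(key, before)
	fmt.Println("old record as stored:", ServerVisibleText(before))
	fmt.Println("new record as stored:", ServerVisibleText(after))
	url, _ := decryptField(key, after.EncURL)
	fmt.Println("client decrypts URL:", url)
}
```

The old record reveals the hostname (and so the kind of account) to anyone holding a copy of the server-side data; the migrated record reveals only ciphertext, and the same key that already protects the password is all the client needs to read the URL back.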

Gift Card Scam Attacks

Summary: The FBI recently issued a warning to retail companies in the United States regarding a financially motivated hacking group dubbed Storm-0539. This group has been targeting employees in gift card departments through sophisticated phishing attacks since at least January 2024. “After gaining access to an initial session and token, Storm-0539 will register its own malicious devices to victim networks for subsequent secondary authentication prompts, effectively bypassing multifactor authentication protections and persisting in an environment using the now fully compromised identity,” Microsoft said. Once inside an employee’s account, the hackers move laterally through the network, aiming to identify and exploit the gift card business process.

In response to these attacks, affected corporations have been urged to remain vigilant and implement robust security measures to mitigate the risks posed by Storm-0539. The FBI’s Private Industry Notification highlights the importance of detecting and preventing fraudulent activity in gift card departments, emphasizing the need for proactive security measures to safeguard against such threats.
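The step quoted from Microsoft above, a new authenticator device being enrolled on a session that was opened from an unfamiliar address, is something a sign-in audit log can surface. The following is an added detection example written for this digest (not an FBI or Microsoft tool, and not tied to any particular identity provider's log schema). It assumes a constructed log format of "time user action ip", a constructed per-user baseline of known source addresses, and a 30-minute window.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed line of a constructed sign-in audit log in the form
// "<RFC3339 time> <user> <action> <ip>", with action "signin" or
// "register_device" (enrolling a new authenticator on an open session).
type Event struct {
	At     time.Time
	User   string
	Action string
	IP     string
}

// Alert records a device registration that followed, within the window,
// a sign-in from an address outside the user's known set.
type Alert struct {
	User       string
	SigninIP   string
	RegisterIP string
	Gap        time.Duration
}

func parseEvents(lines []string) ([]Event, error) {
	var out []Event
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		out = append(out, Event{At: at, User: f[1], Action: f[2], IP: f[3]})
	}
	return out, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// DetectRogueDeviceRegistrations scans events in order. known maps each user
// to source addresses seen in a baseline period (constructed here). A
// register_device event raises an alert when that user's most recent sign-in
// from an address outside the baseline happened no more than window earlier.
func DetectRogueDeviceRegistrations(lines []string, known map[string][]string, window time.Duration) ([]Alert, error) {
	events, err := parseEvents(lines)
	if err != nil {
		return nil, err
	}
	lastUnknownSignin := map[string]Event{}
	var alerts []Alert
	for _, ev := range events {
		switch ev.Action {
		case "signin":
			if !contains(known[ev.User], ev.IP) {
				lastUnknownSignin[ev.User] = ev
			}
		case "register_device":
			if s, ok := lastUnknownSignin[ev.User]; ok && ev.At.Sub(s.At) <= window {
				alerts = append(alerts, Alert{User: ev.User, SigninIP: s.IP, RegisterIP: ev.IP, Gap: ev.At.Sub(s.At)})
			}
		}
	}
	return alerts, nil
}

// Constructed sample data: a baseline of store-network addresses and a day
// of audit lines in which clerk1's account is used from a new address and a
// device is enrolled minutes later; clerk3's enrollment is outside the window.
var knownIPs = map[string][]string{
	"clerk1": {"198.51.100.20"},
	"clerk2": {"198.51.100.21"},
}

var sampleLog = []string{
	"2024-05-20T08:55:00Z clerk2 signin 198.51.100.21",
	"2024-05-20T09:02:11Z clerk1 signin 203.0.113.7",
	"2024-05-20T09:06:40Z clerk1 register_device 203.0.113.7",
	"2024-05-20T09:30:00Z clerk2 register_device 198.51.100.21",
	"2024-05-21T12:00:00Z clerk3 signin 203.0.113.9",
	"2024-05-21T14:00:00Z clerk3 register_device 203.0.113.9",
}

func main() {
	alerts, err := DetectRogueDeviceRegistrations(sampleLog, knownIPs, 30*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %s: device registered from %s %s after sign-in from unknown address %s\n",
			a.User, a.RegisterIP, a.Gap, a.SigninIP)
	}
}
```

On the sample data only clerk1 is flagged. In production the baseline would come from weeks of sign-in history rather than a hand-written map, and the same rule is worth pairing with a review step that requires an existing, trusted authenticator to approve any new device enrollment.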

Why it matters: The FBI’s warning highlights the pressing need for heightened cybersecurity measures within the retail sector, emphasizing the sophisticated tactics employed by financially motivated hacking groups like Storm-0539. By targeting specific vulnerabilities, such as gift card departments, these attacks pose significant risks beyond financial losses, including reputational damage and regulatory repercussions. Through proactive measures, including enhanced awareness and robust security protocols, retail companies can better protect their valuable assets and maintain trust among customers and stakeholders in an increasingly digital landscape. As hackers continue to evolve their tactics, it is imperative for organizations to prioritize cybersecurity awareness and invest in defensive strategies to protect their assets and sensitive information from exploitation.

Apple iTunes For Windows Flaw Let Attackers Execute Malicious Code

Summary: A new arbitrary code execution vulnerability has been discovered in iTunes version 12.13 and earlier that could allow a threat actor to perform malicious activities. This vulnerability is tracked as CVE-2024-27793 and its severity is rated as “critical” by Tenable. Apple has released a security advisory and encourages users to update affected versions of iTunes as soon as possible. The vulnerability affects the CoreMedia framework, which defines the media pipeline used to “process media samples and manage queues of media data,” according to Apple. More specifically, it affects the H.264 video decoder in iTunes and allows the application to execute arbitrary code during playback of a compromised video file.

In other words, an attacker could trigger a maliciously crafted request while parsing a file that could enable them to execute arbitrary code. The attacker does not need local access to the Windows machine in question. The vulnerability’s ability to lead to remote code execution is the primary reason for the CVSS v3 critical rating of 9.1 out of 10. Apple says it has fixed this issue with “improved checks” during the execution of CoreMedia.

Why it matters: According to the Vulnerability Database resource, CVE-2024-27793 can be exploited easily, remotely and without any form of authentication. Successful exploitation does, however, require user interaction. This can be accomplished by the user clicking on a link or visiting a site where the malicious file can be parsed by CoreMedia. Any user who relies on iTunes for media management or for connecting Apple devices (such as iPads or iPhones) to their PC should be aware of this vulnerability and update as soon as possible.

Apache OFBiz Vulnerability Allows Remote Code Execution

Summary: This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue. Apache OFBiz is an open-source product for the automation of enterprise processes. It includes framework components and business applications for ERP, CRM, E-Business/E-Commerce, Supply Chain Management and Manufacturing Resource Planning. Successful exploitation of this vulnerability could allow for remote code execution in the context of the affected service account.

Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Services whose accounts are configured with fewer rights on the system could be less impacted than those that operate with administrative user rights.

Why it matters: Apache OFBiz constructs pathnames to identify files within a restricted directory. However, special elements can be used to provide attackers with unauthorized access to files outside the intended directory. Due to the high risk for the potential of exploitation, Apache recommends patching immediately to version 18.12.13 to correct this issue.

Unprotected Session Tokens Can Undermine FIDO2 Security

Summary: FIDO2 (Fast Identity Online 2) authentication has been hailed for its security, protecting users from phishing, session hijacking, and some forms of MITM (Man-in-the-Middle) attacks. However, identity protection platform Silverfort suggests attackers might be able to bypass FIDO2 phishing-resistant protections under certain conditions using a sophisticated MITM technique. While the protocol has made passwordless authentication a reality, token-binding is key to protecting against token theft and reuse.

Typical MITM attacks intercept user communication and steal login credentials but FIDO2 was designed to be immune to these attacks by using physical security keys, USB tokens, or biometrics. However, Silverfort’s security researcher Dor Segal discovered that FIDO2 isn’t immune to these threats. The problem occurs because most Web applications fail to protect session tokens after successful authentication, allowing attackers to steal them, impersonate the victim, and gain access to all applications via single sign-on (SSO).

Why it matters: FIDO2 is based on public key cryptography in which a user registers with an online service and chooses an authentication mechanism like a USB token. The client device generates a public and private key pair. The public key is encrypted and shared with the service, and the private key is securely stored on the user’s device. Third-party SSO solutions can create authentication sessions without protecting tokens and traffic sessions, which can linger for hours, unlike Transport Layer Security (TLS) mechanisms that encrypt traffic. If the subsequent session is not protected, the adversary can steal tokens, perform session hijacking, and impersonate the victim. Organizations using FIDO2 to secure SSO authentication should check whether token-binding is disabled by default in their SSO solution and enable it wherever possible.
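The distinction the research draws is between a session token that is valid wherever it is presented and one tied to the channel it was issued on. The following added example (written for this digest; it is not Silverfort's code and not the Token Binding protocol itself) shows a server-side session token whose HMAC includes a binding identifier. It assumes that bindingID is a value the server derives from the request channel (for instance a hash of a client-held key) rather than anything sent in the token, and uses a constructed signing key and user name.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Token layout: base64url(user) "." expiryUnix "." base64url(tag), where
// tag = HMAC-SHA256(serverKey, user | expiry | bindingID).
// Assumption for this example: bindingID is derived by the server from the
// channel a request arrives on, so it is never carried inside the token and
// is not copied along with it.

func tag(serverKey []byte, user string, expiry int64, bindingID string) []byte {
	mac := hmac.New(sha256.New, serverKey)
	mac.Write([]byte(user + "\x00" + strconv.FormatInt(expiry, 10) + "\x00" + bindingID))
	return mac.Sum(nil)
}

// IssueSession mints a token bound to bindingID after a successful login.
func IssueSession(serverKey []byte, user, bindingID string, now time.Time, ttl time.Duration) string {
	expiry := now.Add(ttl).Unix()
	return base64.RawURLEncoding.EncodeToString([]byte(user)) + "." +
		strconv.FormatInt(expiry, 10) + "." +
		base64.RawURLEncoding.EncodeToString(tag(serverKey, user, expiry, bindingID))
}

// ValidateSession accepts the token only if it is unexpired and its tag was
// computed for the same bindingID the current request presents.
func ValidateSession(serverKey []byte, token, bindingID string, now time.Time) (string, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", false
	}
	user, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", false
	}
	expiry, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || now.Unix() >= expiry {
		return "", false
	}
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(got, tag(serverKey, string(user), expiry, bindingID)) {
		return "", false
	}
	return string(user), true
}

// The unbound variant is the weak (default-disabled) setting: the binding
// input is a constant, so the token is valid from wherever it is presented.
func IssueUnbound(serverKey []byte, user string, now time.Time, ttl time.Duration) string {
	return IssueSession(serverKey, user, "", now, ttl)
}

func ValidateUnbound(serverKey []byte, token string, now time.Time) (string, bool) {
	return ValidateSession(serverKey, token, "", now)
}

func main() {
	key := []byte("constructed-server-signing-key")
	now := time.Unix(1716200000, 0)
	tok := IssueSession(key, "alice", "channel-A", now, time.Hour)
	_, okSame := ValidateSession(key, tok, "channel-A", now.Add(time.Minute))
	_, okOther := ValidateSession(key, tok, "channel-B", now.Add(time.Minute))
	fmt.Println("bound token on its own channel:", okSame) // true
	fmt.Println("same token presented elsewhere:", okOther) // false
	unbound := IssueUnbound(key, "alice", now, time.Hour)
	_, okAny := ValidateUnbound(key, unbound, now.Add(time.Minute))
	fmt.Println("unbound token from any channel:", okAny) // true
}
```

The bound token is byte-for-byte the same string in both validations; only the channel differs, and that alone is enough for the server to refuse it. Whether an SSO product can supply such a binding identifier is the setting the article asks organizations to check.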

Security Tip of the Month – Identity and Access Management (IAM)

Summary: IAM, or Identity and Access Management, is a framework that enables organizations to manage and control access to their resources. It involves processes and technologies for identifying users and determining what resources they are authorized to access. IAM solutions typically include features such as authentication, authorization, user provisioning, and password management. By implementing IAM, organizations can enhance security, ensure regulatory compliance, streamline operational processes, improve user experience, and mitigate the risk of insider threats. Overall, IAM plays a critical role in protecting sensitive information and maintaining the integrity of an organization’s digital ecosystem.

Why it matters: Identity and Access Management (IAM) is pivotal for organizations, offering myriad benefits. IAM ensures data security by limiting access to authorized personnel, reducing the risk of breaches. It aids regulatory compliance by enforcing access controls aligned with data protection regulations. IAM also manages risk by detecting insider threats through vigilant monitoring. Additionally, IAM enhances operational efficiency by automating identity and access management tasks, saving time and reducing administrative burden. Scalable IAM solutions accommodate organizational growth while maintaining effective access controls. Lastly, IAM improves user experience with seamless authentication methods like single sign-on and multi-factor authentication, enhancing security without sacrificing usability.