NSA urges system administrators to replace obsolete TLS protocols

ZDNet

The US National Security Agency has issued a security advisory this month urging system administrators in federal agencies and beyond to stop using old and obsolete TLS protocols.

“NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 not be used,” the agency said.

“Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected, even though it really is not,” the agency added.



How to secure your Google account and keep it safe from attacks

ZDNet

If your online life revolves around Gmail, Chrome, and other Google software and services, your Google account is one of your most precious online resources. That’s especially true if you use the Gmail address associated with that account as your primary email address.

An online criminal who gets hold of those credentials can cause chaos and do catastrophic damage to your online life, which is why it’s important to protect your Google account from being compromised.


Linux Mint fixes screensaver bypass discovered by two kids

ZDNet

The Linux Mint project this week patched a security flaw that could have allowed a threat actor to bypass the OS screensaver and its password and access locked desktops.

This particularly nasty security flaw was discovered by two kids playing on their dad’s computer, according to a bug report on GitHub.

“A few weeks ago, my kids wanted to hack my Linux desktop, so they typed and clicked everywhere while I was standing behind them looking at them play,” wrote a user identifying themselves as robo2bobo.

According to the bug report, the two kids pressed random keys on both the physical and on-screen keyboards, which eventually led to a crash of the Linux Mint screensaver, allowing the two access to the desktop.

“I thought it was a unique incident, but they managed to do it a second time,” the user added.

NSA warns against using DoH inside enterprise networks

ZDNet

The US National Security Agency today published a guide on the benefits and risks of encrypted DNS protocols, such as DNS-over-HTTPS (DoH), which have become widely used over the past two years.

The US cybersecurity agency warns that while technologies like DoH can encrypt and hide user DNS queries from network observers, they also have downsides when used inside corporate networks.

“DoH is not a panacea,” the NSA said in a security advisory published today, claiming that the use of the protocol gives companies a false sense of security, echoing many of the arguments presented in a ZDNet feature on DoH in October 2019.

The NSA said that DoH does not fully prevent threat actors from seeing a user’s traffic and that when deployed inside networks, it can be used to bypass many security tools that rely on sniffing classic (plaintext) DNS traffic to detect threats.


Iranian cyberspies behind major Christmas SMS spear-phishing campaign

ZDNet

An Iranian cyber-espionage group known as Charming Kitten (APT35 or Phosphorus) has used the recent winter holiday break to attack targets from all over the world using a very sophisticated spear-phishing campaign that involved not only email attacks but also SMS messages.

“Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect,” said CERTFA, a cybersecurity organization specialized in tracking Iranian operations.

“The group started the new round of attacks at a time when most companies, offices, organizations, etc. were either closed or half-closed during Christmas holidays and, as a result, their technical support and IT departments were not able to immediately review, identify, and neutralize these cyber incidents,” it added.

CERTFA said it detected attacks targeting members of think tanks, political research centers, university professors, journalists, and environmental activists.

The victims were located in countries around the Persian Gulf, Europe, and the US.


State Department creates bureau to reduce ‘likelihood of cyber conflict’

ZDNet

Secretary of State Mike Pompeo announced on Thursday the creation of a new bureau inside the US Department of State dedicated to addressing cybersecurity as part of the US’ foreign policy and diplomatic efforts.

The new bureau will be named the Bureau of Cyberspace Security and Emerging Technologies (CSET).

“The CSET bureau will lead US government diplomatic efforts on a wide range of international cyberspace security and emerging technology policy issues that affect US foreign policy and national security, including securing cyberspace and critical technologies, reducing the likelihood of cyber conflict, and prevailing in strategic cyber competition,” the State Department said yesterday.

Efforts to get the bureau on its feet began in June 2019. It replaces a previous office, tasked with addressing cyber-security policies as part of US foreign diplomatic efforts, that had been shuttered as part of a reorganization in the summer of 2017, under Secretary of State Rex Tillerson.

Investigation launched into vulnerabilities found within US Judiciary case file system

ZDNet

The United States Judiciary has announced an audit into its systems, following concerns its case file system has been compromised.

In making the announcement, the Judiciary said the Administrative Office of the US Courts was working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents, particularly sealed filings.


New side-channel attack can recover encryption keys from Google Titan security keys

ZDNet

A duo of French security researchers has discovered a vulnerability impacting chips used inside Google Titan and YubiKey hardware security keys.

The vulnerability allows threat actors to recover the primary encryption key used by the hardware security key to generate cryptographic tokens for two-factor authentication (2FA) operations.

Once obtained, the two security researchers say the encryption key, an ECDSA private key, would allow threat actors to clone Titan, YubiKey, and other keys to bypass 2FA procedures.
