Security Newsletter
7 October 2019
New 0-Day Flaw Affecting Most Android Phones Being Exploited in the Wild
Another day, another revelation of a critical unpatched zero-day vulnerability, this time in the world's most widely used mobile operating system, Android. What's more? The Android zero-day vulnerability has also been found to be exploited in the wild by the Israeli surveillance vendor NSO Group—infamous for selling zero-day exploits to governments—or one of its customers, to gain control of their targets' Android devices.
The vulnerability was discovered by Project Zero researcher Maddie Stone; the details and a proof-of-concept exploit for the high-severity flaw, tracked as CVE-2019-2215, were made public today, just seven days after it was reported to the Android security team.
According to the researcher, since the issue is "accessible from inside the Chrome sandbox," the Android kernel zero-day vulnerability can also be exploited remotely by combining it with a separate Chrome rendering flaw. "The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox," Stone says in the Chromium blog.
Read More on TheHackerNews
Even More on BleepingComputer
 
Microsoft: MFA bypass attacks are so rare we don't have good statistics on them
Attacks on Microsoft user accounts that are capable of bypassing multi-factor authentication (MFA) protections are so rare that the Redmond-based company doesn't even have statistics on them, according to one of its security experts. "When we evaluate all the tokens issued with MFA claims, we see that less than 10% of users use MFA per month in our enterprise accounts (and that includes on premises and third party MFA)". The Microsoft security expert argues that this slow rate of adoption among Microsoft users is what has kept attackers from evolving and deploying tools that can intercept MFA operations.
But he also warns Microsoft users that tools and methods for bypassing multi-factor authentication exist, for example Modlishka or the educational tool EvilGinx. He doesn't want users to be discouraged from enabling MFA for their accounts just because these tools and techniques exist: as noted above, these attacks are so rare that Microsoft barely sees any. Instead, he recommends that users enable MFA for their accounts with the strongest authentication factor available, as detailed in the table in the original article.
The only solutions with no known real-time hijacking capabilities against them are smartcards, FIDO tokens (security keys) and Windows Hello.
Read More on ZDNet
 
Google’s Password Manager now checks for breached credentials
Google launched today a new service called Password Checkup that checks whether a user's saved passwords have been leaked and compromised in breaches at other services. The service is currently available in the Google web dashboard and on Android devices, and will also be added to the Chrome browser later this year.
On the web, Password Checkup is available at passwords.google.com. If Chrome users sign in to the Chrome browser with a Google account and then save passwords in Chrome, this is the website those passwords are synced to.
The new feature is used through a new "Check Passwords" button. Once it is pressed, Google takes all the user's saved passwords and checks them against an internal database of over four billion user credentials that have been leaked online via breaches at other companies. If a username and password combination is found in this database, Google warns the user that they need to change the password for that account, as they are at risk of having the account hijacked by hackers.
Read More on NakedSecurity
Even More on ZDNet
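As an added illustration (not Google's code, and a simplification of its actual protocol), the following Python shows the shape of a privacy-preserving breached-credential check: the client hashes each saved username/password combination, reveals only a short hash prefix to the server, and compares the returned suffixes locally, so the server never learns the exact credential being checked. The leaked corpus and the prefix length are constructed assumptions.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed sample "breach corpus": username/password pairs seen in leaks.
# A real service indexes billions of these; three entries are enough to show the flow.
LEAKED_CREDENTIALS: List[Tuple[str, str]] = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com", "password123"),
    ("carol@example.com", "hunter2"),
]

# Number of hex characters of the hash the client sends to the server (assumption).
# Shorter prefixes group more credentials under one query, improving anonymity.
PREFIX_HEX_LEN = 4


def credential_hash(username: str, password: str) -> str:
    """Hash the username/password combination. The username is normalised
    (trimmed, lower-cased) so that case differences do not hide a match."""
    data = f"{username.strip().lower()}\x00{password}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()


class BreachServer:
    """Server side: stores only hashes, indexed by their prefix."""

    def __init__(self, leaked: List[Tuple[str, str]]) -> None:
        self.index: Dict[str, Set[str]] = {}
        for user, pwd in leaked:
            h = credential_hash(user, pwd)
            self.index.setdefault(h[:PREFIX_HEX_LEN], set()).add(h[PREFIX_HEX_LEN:])

    def lookup(self, prefix: str) -> Set[str]:
        """Return every stored suffix under this prefix. The server sees the
        prefix only, not which (if any) suffix the client was interested in."""
        return self.index.get(prefix, set())


def check_saved_passwords(server: BreachServer,
                          saved: List[Tuple[str, str]]) -> List[str]:
    """Client side: return the usernames whose saved credential appears in the
    corpus. Matching is on the username+password combination, so a leaked
    password used by somebody else does not trigger a warning here."""
    compromised: List[str] = []
    for user, pwd in saved:
        h = credential_hash(user, pwd)
        prefix, suffix = h[:PREFIX_HEX_LEN], h[PREFIX_HEX_LEN:]
        if suffix in server.lookup(prefix):  # comparison happens locally
            compromised.append(user)
    return compromised
```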
 
More #News
 
#Patch Time!
 
#Tech and #Tools
Kindred Group is growing, and so is the Group Security team! We're looking for new talented professionals to come and join us. You can find all our open vacancies on our career page.
This content was created by Kindred Group Security. Please share if you enjoyed!
Kindred Group in brief
Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. We offer pre-game and live Sports betting, Poker, Casino and Games through 11 brands across our markets. We are committed to offering our customers the best deal and user experience possible, while ensuring a safe and fair gambling environment. Kindred is a pioneer in the online gambling industry and an innovation-driven company that builds on trust.
You can access the previous newsletters at https://news.infosecgur.us