No breach in a year – how Google did it

Google stated that it hasn’t had any account takeover from its 85,000 employees for more than a year.

How did they do it? They deployed a physical security key – a $20 USB gadget. Google employees who wish to log in need to provide their username and password and insert this USB device into their workstation. This is an example of two-factor authentication. The idea behind two-factor authentication is that even if thieves were able to phish your password, they still wouldn't be able to log in to your account unless they also hack or possess the second factor – the USB key device in this case.
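As an added illustration (not code from Google or from the article), here is a toy Python model of the login described above; it goes one step beyond the text by showing why a key that binds its response to the site origin also defeats a phishing page that relays the real challenge. The origin, password and HMAC-based "signature" are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
# Constructed toy model of the "password + security key" login in the post;
# not Google's or any FIDO library's code. An HMAC over (challenge, origin)
# stands in for the key's signature; the server holds the same per-key secret.
KEY_SECRET = secrets.token_bytes(32)           # never leaves the USB key
REAL_ORIGIN = "https://accounts.example.com"   # assumed site name
PASSWORD = "correct horse"                     # assumed user password

def security_key_sign(challenge: bytes, origin: str) -> bytes:
    """Response from the key, bound to the origin the browser actually saw."""
    return hmac.new(KEY_SECRET, challenge + origin.encode(), hashlib.sha256).digest()

class LoginServer:
    def __init__(self) -> None:
        self.pending = set()                   # outstanding one-time challenges
    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def login(self, password: str, challenge: bytes, response: bytes) -> bool:
        if password != PASSWORD:
            return False                       # factor 1: password
        if challenge not in self.pending:
            return False                       # replayed or unknown challenge
        self.pending.discard(challenge)        # single use
        expected = security_key_sign(challenge, REAL_ORIGIN)
        return hmac.compare_digest(expected, response)   # factor 2: key

def legitimate_login() -> bool:
    """User enters the password and plugs the key into the real site."""
    srv = LoginServer()
    c = srv.issue_challenge()
    return srv.login(PASSWORD, c, security_key_sign(c, REAL_ORIGIN))

def phished_password_only() -> bool:
    """Thief has the password but not the key, so cannot compute a response."""
    srv = LoginServer()
    c = srv.issue_challenge()
    return srv.login(PASSWORD, c, bytes(32))

def relayed_challenge() -> bool:
    """Challenge relayed via a look-alike site: key signs under the fake origin."""
    srv = LoginServer()
    c = srv.issue_challenge()
    fake = security_key_sign(c, "https://accounts.example.com.evil.test")
    return srv.login(PASSWORD, c, fake)
```

Only the first scenario succeeds; the second fails for lack of the key, and the third fails because the response was computed for the wrong origin.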

Job well done, Google!

Read more about it here.

Credit card issuer TCM Bank exposed applicants data for 16 months

TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months

TCM Bank, a subsidiary of ICBA Bancard, issues credit cards for more than 750 small and community U.S. banks that prefer not to issue cards themselves. TCM announced that a website misconfiguration exposed applicant data for 16 months, between early March 2017 and mid-July 2018. Exposed data includes names, addresses, dates of birth and Social Security numbers.

The number of affected customers was less than 10,000, which is less than 25% of the applications processed during that time period, and less than 1% of the TCM cardholder base.

The breach was reportedly discovered on July 16, 2018, then fixed the following day.

Read more about it here.

Code hosting service GitHub can now scan Python code for vulnerability

Code hosting service GitHub added Python to the list of programming languages that it is able to auto-scan for known vulnerabilities.

In October 2017, GitHub introduced the Dependency Graph, a feature that lists all the libraries used by a project, and all the projects that rely on a certain project. The feature supports JavaScript and Ruby, and GitHub is now extending it to Python code. It allows developers to receive alerts when they include certain flawed software libraries in their projects, and provides advice on how to address the issue.

Code scanning is enabled by default on public repositories.

GitHub Dependency Graph

Read more about it here.

A Samsung texting app bug is sending random photos to other people

As reported July 2, 2018 on Gizmodo, Samsung Messages, the default texting app on Galaxy devices, is erroneously sending pictures stored on the devices to random contacts via SMS. This was reported by several users on current model devices, such as the Galaxy Note 8 and Galaxy S9. Reportedly, this doesn’t leave any evidence of it doing so, which means that people may be unaware that their photos were sent.

The theory is that the bug is caused by interaction between Samsung Messages and recent RCS profile updates that were rolled out by carriers, including T-Mobile.

One workaround is to revoke Samsung Messages’ ability to access storage. Another workaround is to switch to a different texting app, such as Android Messages.

Read more about it here.

The Wi-Fi Alliance introduced Wi-Fi CERTIFIED WPA3 security

On June 25, 2018, the Wi-Fi Alliance introduced WPA3, a new Wi-Fi security standard that is meant to address all known security issues affecting the previous Wi-Fi standards.

WPA3 adds new features to simplify Wi-Fi security, enable more robust authentication, and deliver increased cryptographic strength for highly sensitive data markets.

WPA3 offers two distinct modes of operation: WPA3-Personal and WPA3-Enterprise. WPA3-Personal provides more resilient, password-based authentication. WPA3-Enterprise offers the equivalent of 192-bit cryptographic strength.

Read more about it here.

VirusTotal launched a service to mitigate false positives

Cybersecurity firm Chronicle, owned by Alphabet, announced the launch of a new VirusTotal service that promises to reduce false positives.

VirusTotal Monitor is a new service that allows software developers to upload their creations, before they are published, to a private cloud store in VirusTotal. Files in this private bucket are scanned with all 70+ antivirus engines in VirusTotal on a daily basis, using the latest detection signature sets. As soon as a file is detected as malicious by an engine, both the software developer and anti-virus vendors are notified.

This is a big win for anti-virus vendors, who now have context about a detected file: who the company behind it is, when it was released, and so on.

This is equally a big win for software developers, as they can upload their creations to Monitor at pre-publish stage, to ensure a release without issues.

VirusTotal-Monitor

Read more about it here.

Mining sensitive information from Google Groups

Google Groups is a service from Google that provides discussion groups for people sharing common interests. By default, Google Groups are set to private; there have been a number of instances, however, where G Suite Administrators have accidentally shared sensitive information as a result of misconfigured Google Groups privacy settings. Google has published a G Suite update here.

According to recent research by Kenna Security, thousands of organizations seem to be inadvertently leaking internal or customer information. Examples of real e-mails found during the research include past-due invoices, password recovery information and GitHub credentials.

Read more about it here.

Mining passwords from public Trello boards

Cybersecurity enthusiast Kushagra Pathak discovered a vulnerability in Trello's web management that allows credentials to be mined from dozens of public Trello boards with simple Google queries.

Trello is a project collaboration tool for enterprise and personal use. By default, Trello boards are set to either private or team-visible only. That doesn't stop users from manually sharing personal boards that include confidential information, which may later be indexed by search engines. The credentials found include usernames, passwords, API keys and more.

Users should never store credentials on public boards.

Google search on Trello

Read more about it here.