The Cloud Security Alliance (CSA) has unveiled its Top Threats to Cloud Computing: Egregious Eleven report, which lists the top 11 cybersecurity problems facing cloud computing users. In this fourth installment, the CSA surveyed 241 industry experts on security issues in the cloud industry. It is the first major update to the list since 2016, when the Alliance released the Treacherous 12. The Top Threats Working Group used the survey results along with its expertise to create the final 2019 report. These issues are inherently specific to the cloud and thus indicate a technology landscape where consumers are actively considering cloud migration. The following issues are often the result of the shared, on-demand nature of cloud computing.

1. Data Breaches

2. Misconfiguration and Inadequate Change Control

3. Lack of Cloud Security Architecture and Strategy

4. Insufficient Identity, Credential, Access and Key Management

5. Account Hijacking

6. Insider Threat

7. Insecure Interfaces and APIs

8. Weak Control Plane

9. Metastructure and Applistructure Failures

10. Limited Cloud Usage Visibility

11. Abuse and Nefarious Use of Cloud Services

Data breaches top the list

It is no surprise that data breaches still top the list, unmoved since 2016. This means that a data breach is still either the primary objective of a targeted attack or simply the result of human error, application vulnerabilities or inadequate security practices. A data breach involves any kind of information that was not intended for public release, including, but not limited to, personal health information, financial information, personally identifiable information (PII), trade secrets and intellectual property.

Insufficient Identity, Credential, Access and Key Management

Identity, credential and access management systems include tools and policies that allow organizations to manage, monitor, and secure access to valuable resources. Cloud computing introduces multiple changes to traditional internal system management practices related to identity and access management (IAM). The report states that these are not necessarily new issues. Rather, they are more significant issues when dealing with the cloud, because cloud computing profoundly impacts identity, credential, and access management. In both public and private cloud settings, CSPs and cloud consumers are required to manage IAM without compromising security.

As a result, insufficient identity and access management, number 4 in the list of threats, has grown in importance, and the report suggests an interesting and somewhat new perspective on cloud security. This new outlook focuses on configuration and authentication, and shifts away from the traditional focus on information security (e.g., vulnerabilities and malware).

These security issues are a call to action for developing and enhancing cloud security awareness, as the report states, or for choosing an on-premise solution, because you can only trust what you control and can audit yourself.

Enterprise Solutions and not Cloud Services

We offer a complete enterprise security solution which should cover the needs of a majority of companies, organizations and individuals. Our solutions are open but not cloud-based. We do not provide a central security hub that you have to trust blindly. We provide a software product via appliances or installers. It is Linux-based and easy to install and maintain. We prefer that you have full control of your security infrastructure. Yet this is not a limitation: you can use our solutions for building security services or for securing cloud applications and hosted systems.

An agency of NATO (the North Atlantic Treaty Organization, an intergovernmental military alliance between 29 North American and European countries) tapped RCDevs to implement multi-factor authentication across its infrastructure.

NATO’s purpose is to guarantee the freedom and security of its members through political and military means. NATO is committed to the principle that an attack against one or several of its members is considered as an attack against all. This is the principle of collective defense, which is enshrined in Article 5 of the Washington Treaty. NATO is an alliance of countries from Europe and North America. It provides a unique link between these two continents, enabling them to consult and cooperate in the field of defense and security, and conduct multinational crisis-management operations together.

“NATO is probably the biggest intergovernmental military organisation in the world and we’re honored to be working with them”

Charly Rohart, CEO of RCDevs

OpenOTP Security Suite has been selected because it is a comprehensive tool which provides enterprise-grade security solutions suited for multi-factor authentication with OTP / FIDO, federation, identity management, PSD2 compliant secure transactions, electronic signature and SSH Key Management. OpenOTP Security Suite combines mobile technologies with proven security standards to offer the best alternative for professionals and non-professionals requiring cost-effective solutions compatible with their users' mobility. The fact that our platform integrates seamlessly into any IT infrastructure to enable a centrally-managed security control center has been a determining factor in the choice of our solution.

Each year the LHoFT releases the #Luxembourg #FinTech map, which presents the most important companies in different categories related to Fintech. We are proud to be in good company for Cybersecurity and authentication. Thanks to @The_LHoFT with support from @ALFIfunds, @LuxFinance, @ACAluxembourg and @ABBLbanking for this initiative. The next step? Expanding our vision and knowledge across Europe!

There was a time when identity management was limited to controlling access to resources within a single security domain. But internal users now access external resources and external users access internal resources. Traditional approaches to identity management show their limitations.
In this context, many organizations are turning to identity federation to facilitate user work across multiple systems, while reducing the administrative burden of managing access to these systems.

Identity federation links a user’s identity across multiple security domains, each with its own identity management system. When two domains are federated, the user can authenticate to one domain and then access the resources in the other domain without having to authenticate a second time.
Identity federation allows administrators to solve many problems related to access to distributed resources across multiple domains. For example, it is not necessary to set up a specialized system to facilitate access to resources external to the organization.
To take advantage of these benefits, it is necessary to implement a complete management of the identity federation. This generic term covers the process of administering all elements associated with a complete identity federation platform. This includes not only the technologies that make federation possible, but also the agreements, rights management, standards and other elements that define how the service is implemented.
For the federation to work, all parties involved must agree on these elements. They must agree on which identification attributes to include, such as email, name and function title, how to represent these attributes internally, and what standard to use to exchange authentication and authorization data. In this regard, the Security Assertion Markup Language (SAML) standard is widely used.
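One way a service provider can enforce such an agreement on each incoming SAML assertion, shown as an added Python example that is not part of the original article. The agreement, URLs, attribute names and sample assertion are constructed, and signature verification, which a SAML library must perform before any of these checks, is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical federation agreement held by the service provider (SP).
AGREEMENT = {
    "trusted_issuer": "https://idp.partner.example/saml",
    "audience": "https://sp.example.org/metadata",
    "required_attributes": {"email", "name", "title"},
}

# Constructed assertion (unsigned); it deliberately omits the "title" attribute.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2019-06-12T10:00:00Z">
  <saml:Issuer>https://idp.partner.example/saml</saml:Issuer>
  <saml:Conditions NotBefore="2019-06-12T09:59:00Z" NotOnOrAfter="2019-06-12T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@partner.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="name"><saml:AttributeValue>Alice Martin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    # Handles the whole-second UTC form used in the sample only.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, agreement, now):
    """Return the list of agreement violations (empty list = acceptable)."""
    # ElementTree is fine for this constructed input; untrusted XML needs a
    # hardened parser and a verified signature first.
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != agreement["trusted_issuer"]:
        problems.append("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        audiences = {a.text.strip() for a in cond.iterfind(".//saml:Audience", NS) if a.text}
        if agreement["audience"] not in audiences:
            problems.append("assertion not addressed to this SP")
        # Policy choice in this example: both bounds must be present.
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb is None or noa is None or not (_ts(nb) <= now < _ts(noa)):
            problems.append("outside validity window")
    present = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    missing = agreement["required_attributes"] - present
    if missing:
        problems.append("missing attributes: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE, AGREEMENT, datetime(2019, 6, 12, 10, 1, tzinfo=timezone.utc)))
```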

Identity federation management can also be applied to a single organization that manages multiple security domains. It is a relatively young technology, and its exact meaning is still evolving, so that the particularities may vary from one source to another.
Finally, if federated and local authentication must coexist, the options must be clear and the procedures must be intuitive and easy to understand.

The federation of identities: an impact multiplier?

In an identity federation scheme, one might think that if the identity of one user is compromised, that user's access to every application in the perimeter is affected, and that if an incident hits the authentication component, all users are affected. The walls inside the information system (IS) can be seen as thinner, and the weight carried by authentication heavier. Thus, identity federation can be seen as a factor multiplying the impact of a possible attack. It is therefore essential to strengthen the security of authentication.
In reality, identity federation should rather be seen as a simplifier of the IS, and structural or protocol vulnerabilities are rather rare. Identities and entitlements are administered centrally, and users are no longer forced to juggle a multitude of identifiers and passwords (sometimes auto-synchronized). These projects require great involvement from all the business units of the company, but they simplify the user experience and can help to enforce certain security constraints specific to sectors and businesses.

The common goal is to reconcile security, simplicity and technological innovation. Identity federation is, and will undoubtedly remain, at the heart of single authentication in the years to come.

Aircraft equipment manufacturer ASCO Industries, located in Zaventem, is at a standstill. The group, which makes parts for the giants Boeing and Airbus, among others, was a victim of hacking on Friday. All production at the international level is stopped: in Belgium, but also in subsidiaries in Germany, the United States and Canada. At the Zaventem site alone, more than 1000 people are out of work on Tuesday and Wednesday.

Unlike aluminum producer Norsk Hydro, which was hit by a similar ransomware attack earlier this year and provided constant updates about the incident, ASCO has been very quiet about its dealings. The name of the ransomware strain that infected the company’s Belgium plant was not made public.

How can MFA prevent ransomware attacks?

Ransomware is the fastest growing attack vector targeting all sorts of companies, institutions and organizations. Ransomware is a type of malware that accesses a victim’s files, locks and encrypts them, and then demands that the victim pay a ransom to get them back. It is the digital version of mafia demands for protection money, or a “digital kidnapping” of valuable data, from personal photos and memories to client information, financial records and intellectual property. Most ransomware gains access by hijacking static passwords, and adopting stronger authentication with two-factor authentication is among the best practices for mitigating such attacks. Passwords are convenient and tried-and-tested when it comes to securing your online accounts and digital data. However, their major downside is their susceptibility to being stolen using spyware or through trickery. The use of two-factor authentication (2FA) is a good defense against account compromise because it adds another layer of protection after your password, usually by combining one factor (your password) with a second factor (a text message/verification code sent to your cell phone number, or a push).

Microsoft has released a patch for the BlueKeep vulnerability for Windows 7 and also, unusually, for Windows XP. The flaw is taken so seriously that it has rattled the US National Security Agency (NSA).

In mid-May, Microsoft issued a security alert for a remote code execution vulnerability with the reference CVE-2019-0708, dubbed BlueKeep. This vulnerability can affect Windows 7, Windows XP, Windows 2003, Windows Server 2008 R2, and Windows Server 2008. Microsoft released a BlueKeep patch for Windows 7 and another patch for Windows XP.

The publisher strongly recommends that users apply it to the designated systems. Indeed, the vulnerability is pre-authentication, so code designed to exploit it could spread without any intervention from the user. “These reproduction conditions are ideal for the propagation of a worm that looks like WannaCry,” Microsoft warned. In 2017, WannaCry disabled millions of computers in a single, very widespread attack, infecting machines with ransomware. The NSA fears that this will happen again. “This kind of vulnerability is more and more commonly exploited by attackers who use malicious code that specifically targets vulnerability,” the US security agency wrote. “The vulnerability could for example be exploited to conduct denial of service attacks.”

Exploit code soon to spread on a large scale?

The NSA estimates that remote exploit code for this vulnerability will be widely available within a short time. The agency fears that hackers will use the vulnerability in ransomware and in exploit kits containing other known exploits, thus increasing the capacity for harm against other unpatched systems.

Although the vulnerability was discovered more than two weeks ago, Microsoft notes that cybercriminals rarely act so quickly. For example, two months elapsed between the discovery of the EternalBlue vulnerability, which had set the stage for WannaCry attacks, and the moment when hackers began exploiting it. “Even though they have about 60 days to update their systems, many customers have not yet done so,” said Microsoft. Naturally, the publisher takes the opportunity to encourage customers to migrate from their old operating systems to its latest Windows 10 system.

Windows 8/10 versions not affected

While the Redmond firm has made the unusual decision to deliver a BlueKeep patch for Windows XP, support for Windows 7 comes to an end next January. “Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it’s no coincidence that later versions of Windows are not affected,” Microsoft wrote opportunely. “Microsoft is investing heavily in enhancing the security of its products, often through major architectural improvements that previous versions of Windows can not take advantage of.”

The banking industry and online merchants are fighting against fraud by developing fraud detection systems that are increasingly subtle and complex.

Because of our online habits and the number of transactions made over the internet, they created the concept of digital identity in order to reinforce the level of online protection. In other words, fraud detection systems build digital fingerprints of real users to better recognize fraudsters. The process combines various elements which help to determine your identity. For instance, before validating an online transaction, they do not just check the number, the validity date and the cryptogram of the credit card. They also comb through the user’s identity and behavior, using statistical analysis and artificial intelligence. Where does the user connect from? What time is the purchase? Which browser does he use? In which shop does he shop? What is his order history? What are the technical specificities of his screen and his computer? And so on. If something does not fit, the transaction is rejected or a manual check is triggered (a call, for example).

Cybercriminals naturally reacted to this manoeuvre. To remain under the radar of detection systems, the fraudster has a fake digital identity that is as close as possible to the owner of the credit card: an IP address of the same country or city, the same browser version, the same screen, the same way of navigating, etc. The ideal is obviously to have the identity of a real person. These identities can be purchased on the Darknet. According to Kaspersky’s security researchers, the largest marketplace of its kind is called Genesis, an invitation-only site with more than 60,000 fingerprints for sale.

Using a Genesis digital identity is not complicated. Just buy it and load a browser extension provided for this purpose, available for Chromium-based browsers. From that moment on, it’s as if the criminal put on a mask. His online behaviour now impersonates the stolen identity. If the mask is of good quality, it will allow him not to raise an alarm when performing a fraudulent purchase. 

It is in this context, faced with these impersonations, that the notion of strong authentication becomes relevant. Indeed, it would be sufficient for all transactions to be systematically validated by a second authentication factor in order to make digital identity fraud, in the form described, ineffective. The strong authentication required by the Payment Services Directive 2 therefore obliges banks to set up a procedure that seems to be the only way to really fight digital identity fraud.
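The argument above, as an added Python example that is not part of the original article: a session carrying a copy of the cardholder's fingerprint matches every signal the detection system compares, and only a second factor held by the real cardholder changes the decision. The profile, sessions, threshold and OTP secret are constructed, the function names are hypothetical, and RFC 6238 TOTP stands in for whichever second factor a bank actually deploys.

```python
import hashlib
import hmac
import struct

# Constructed profile the fraud engine holds for the genuine cardholder.
PROFILE = {"country": "FR", "browser": "Chrome/74", "screen": "1920x1080",
           "timezone": "Europe/Paris", "usual_hours": range(8, 23)}

# Constructed sessions: the genuine user, a copy of the genuine fingerprint,
# and a session whose location signals do not fit the profile.
GENUINE = {"country": "FR", "browser": "Chrome/74", "screen": "1920x1080",
           "timezone": "Europe/Paris", "hour": 20}
CLONED = dict(GENUINE)
MISMATCHED = dict(GENUINE, country="US", timezone="America/New_York")

# Constructed shared secret, enrolled on the cardholder's OTP device only.
OTP_SECRET = b"12345678901234567890"


def fingerprint_score(session, profile):
    """Fraction of profile signals the session matches (1.0 = identical)."""
    checks = [
        session["country"] == profile["country"],
        session["browser"] == profile["browser"],
        session["screen"] == profile["screen"],
        session["timezone"] == profile["timezone"],
        session["hour"] in profile["usual_hours"],
    ]
    return sum(checks) / len(checks)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", max(unix_time, 0) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, submitted, unix_time, window=1, step=30):
    """Accept the current step and +/- window steps, compared in constant time."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step), submitted or "")
        for d in range(-window, window + 1)
    )


def decide(session, otp, now, sca_required, threshold=0.8):
    """Return 'approve', 'manual_check' or 'reject' for one payment."""
    if fingerprint_score(session, PROFILE) < threshold:
        return "manual_check"   # something "does not fit"
    if sca_required and not verify_totp(OTP_SECRET, otp, now):
        return "reject"         # second factor missing or wrong
    return "approve"


if __name__ == "__main__":
    now = 59  # constructed clock value; matches the RFC 6238 test vector
    print(decide(CLONED, None, now, sca_required=False))   # fingerprint only
    print(decide(CLONED, None, now, sca_required=True))    # with SCA
    print(decide(GENUINE, totp(OTP_SECRET, now), now, sca_required=True))
```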

The world of banks is changing and the European Institutions are leading this revolution, but we decided to ask ourselves a simple question: are banks following this movement? We will first take a look at the French banking system.

It all started when the European Union adopted two directives on payment services: the PSD 1 adopted on November 13 2007 and the PSD 2 adopted on November 25 2015. The main objectives of the PSD1 were to harmonize the legal framework for payment and the creation of the SEPA space. The PSD 2, for its part, was introduced as part of the implementation of the connected digital single market (one of the top ten priorities of the EC’s working program for the period 2014-2019). The objective is to foster the opening of the payments market, mainly occupied by banks, to new payment service providers (PSPs) while strengthening the security of users. With the PSD 2, the security of the payment must be reinforced with strong authentication (SCA – Strong Customer Authentication) which requires the use of at least two authentication factors.

Before the full implementation of the Directive (in September 2019), the PSD 2 timetable includes a number of intermediate steps. The last deadlines are those already passed on March 14, 2019 and April 14, 2019. On March 14, the banks had to have made available a test API portal dedicated to developers.

But finding these API portals is not easy. Thanks to the investigative work of the JDN, which contacted the big French banks to find out whether they had deployed their portal, its address and how many APIs had been put online, we have a global overview of where the French banking landscape stands on the PSD 2 opening requirements.

That French banks are keeping to the calendar must not, however, hide the fact that quantity does not guarantee quality. The JDN points out that the three main French aggregators are not fully satisfied with the proposed APIs, often because they are incomplete. From a technical point of view, the APIs seem to fall short as well. TPPs have more demanding criteria than banks when it comes to APIs.

This test period was to last one month. Since April 14, 2019, the Prudential Supervisory Authority points out, the banks have had to provide an “API meeting the conditions of extended use as defined by the security standards and guidelines of the EBA (the French banking authority, editor’s note)”. It would therefore seem that French banks are following the PSD 2’s demanding API schedule but are not yet at the level of market expectations in terms of quality.

It has been a year since Google launched a USB security key and a Bluetooth security key to increase the level of security of its users when connecting to online services. These keys use the U2F protocol, which ensures that a new authentication key is generated each time a service is connected.

This Wednesday, May 15, the firm revealed on its security blog that a security flaw had been discovered in the Bluetooth Low Energy (BLE) version of the Titan security keys, and offered to replace the defective units.

Google refers to a misconfiguration in Bluetooth pairing protocols that could allow an attacker physically close (10 meters) to communicate with the security key or with the device to which this key is connected.

The Mountain View firm, however, assures that “For the wrong configuration to be exploited, an attacker would have to align a series of events in close coordination”. The idea behind these explanations is to demonstrate that, despite the existence of this security vulnerability, a malicious person would have to combine a certain number of conditions in order to take advantage of the flaw. In other words, it is unlikely that this flaw was exploited. In addition, to exploit this flaw, a malicious actor must also have the username and the password of the target.

Google is trying to reassure its users: “This security issue does not affect the primary purpose of security keys, which is to protect against phishing by a remote attacker,” said Google. It continues: “Security keys remain the most effective protection against phishing; It is always safer to use a key with this problem than to disable 2-step security-based authentication (2SV) on your Google Account or switch to a less phishing-resistant method (SMS or prompts sent to your device, for example).” The firm also insists that this issue does not affect its USB and NFC security keys, but only the Bluetooth Low Energy (BLE) version of its Titan security key.

To conclude, Google offers a replacement key to all holders of a defective unit, identified by a small “T1” or “T2” marking on the back.
