Hardened Azure logins, softened containers, leaky encrypted images on Macs – and more

Plus: Crypto-cash and keeping up with McAfee

Broken container photo via Shutterstock

Roundup This week you had to deal with AI security panic, fake Fortnite, and, if you use OpenBSD, the end of Intel HyperThread support

Here are a few more bits of security news that you might have missed.

Ready or not, here comes two-factor Azure log-in

Microsoft is going to get its customers using best practices, even if it has to drag them kicking and screaming.

The Redmond software house has begun tests of a baseline security policy for admin accounts on Azure Active Directory.

The baseline policy will be the default setting on Azure AD accounts and will, among other things, require multi-factor authentication for privileged accounts. In this case, a privileged account will be anything that has an admin role in Sharepoint, Exchange, and security, as well as global administrator and conditional access administrator accounts.

Why are they doing this? If you have to ask that question we only hope you're not in any of those admin roles. But the reason behind the move is simple: passwords are easy to steal via phishing or malware operations. Multi-factor is much harder to lift.

"Identity attacks have increased by 300 per cent in the last year," notes Microsoft Identity program management director Alex Simons.

For now, the 'test' phase means customers will have to opt in, but as this is a blindingly obvious and simple way to avoid a catastrophic breach of your Azure setup, there's really no good reason why you shouldn't do this ASAP.

MacOS cache can leak your 'secret' pics

Thought that encrypting your Mac's files would keep them away from prying eyes? Maybe not.

Apple-focused researcher Patrick Wardle has posted his latest findings on the operating systems formerly known as OS X and he has shown that a crafty attacker could use the OS' preview functions to pry open the contents of encrypted files.

Wardle explains how the MacOS 'QuickLook' function caches images to use with the 'preview' and thumbnail features on Macs. Because the function does not encrypt the preview and thumbnail pictures themselves, a file that has been encrypted could still potentially be viewed (albeit in a much smaller form) by an attacker who knew where to look on the MacOS Terminal console.

Even worse, Wardle says, the technique also works on APFS encrypted containers, meaning even entire volumes you thought were encrypted could be seen by sufficiently motivated parties.

There are, however, some fairly easy ways to clear out the temporary cache where the images are stored. You can either power off the drive, unmount the container, or simply use the command 'qlmanage -r cache' to purge the cache.

Ahem... you, er, left your container open, and everyone can see what's in it

It turns out S3 storage buckets aren't the only things companies are leaving sitting around unlocked.

Researchers with Lacework recently issued a report (PDF) explaining how they managed to find more than 20,000 private container interfaces and APIs had been left sitting open to the general public.

The vulnerable points include things like Kubernetes and OpenShift management consoles, pages that admins are able to use to remotely manage their containers based on cloud services.

"These nodes are essentially openings to these organization’s cloud environments to anyone with basic skills at searching the web," Lacework writes.

"Although the vast majority of these management interfaces have credentials set up, there is little reason why they should be world-accessible and are far more vulnerable than they should be."

The company recommends admins take some simple measures to lock down their admin tools like enabling multi-factor authentication, requiring SSL and, if possible, lock down admin tools with VPN or reverse proxy connections.

GZipDe-doo-dah

Researchers with AlienVault have spotted a particularly nasty new piece of malware spreading throughout parts of the Middle East and Asia.

AlienVault says the malware disguises itself as a .doc file, a common infection tactic, the middle steps it goes through are particularly interesting and appear to take great pains to hide themselves.

In particular, they say that during key portions of the infection process the malware encrypts itself and carefully manages its threads and processes to make as little noise as possible and evade detection.

"Although the final goal seems to be the installation of a Metasploit backdoor, we found an interesting .NET downloader which uses a custom encryption method to obfuscate process memory and evade antivirus detection," AlienVault researcher Jose Manuel Martin explains.

As always, it's a good idea to keep a trusted AV suite running and up to date, and of course avoid opening any unsolicited or suspicious emails.

Hackers leave cryptocoin holders with a sore Bithumb

Yes, it happened again. A cryptocoin exchange has had to suspend operations as it deals with the loss of tens of millions of dollars worth of currency via hackers.

This time, it's Korea's Bithumb that had to close up shop temporarily after what it said was a breach that ended up costing it around $31m worth of funbux.

Bithumb maintains it can cover the losses and is working with other exchanges to track and hopefully recover the stolen funds. The attack did, however, prompt it to halt all deposits and withdrawals for a time earlier this week.

Unfortunately, these sort of attacks have become increasingly common as cryptocurrencies have grown in value and hackers have been able to uncover and target the soft spots in popular exchanges.

Those who are significantly invested in cryptocoins should know by now that the best place for storage is an offline, cold wallet, and any exchange should be carefully vetted before you give it any of your money, fiat or otherwise.

Unlock my iPhone? You brute!

One of the key pieces of Apple's iOS security setup is the limit it places on PIN entries. Users can set their iPhones to automatically erase their stored data after 10 failed PIN number tries. This prevents "brute force" attacks that try random strings of numbers until one works.

UK infosec bod Matthew Hickey of Hacker House claimed to have found a way around that. He created a demo of the technique, carried out by pairing the iPhone, via its Lightning-USB cable, with a computer and then sending the PIN tries as a single string of commands. Because the string is only counted as one "attempt", a huge number of sequences can be sent to the phone and, if one were to be correct, unlock the iPhone without ever triggering the data erase function.

It was thought Hickey's technique could be one of the tricks used by the controversial GrayKey unlock appliances that law enforcement agencies use to skirt Apple security.

However, Apple reckoned it may be nothing to worry about – the device's security systems appear to be working as expected. The long string of PINs was probably treated as one failed attempt, keeping the would-be attacker out. iOS would eventually erase the phone's files after too many bad tries.

"The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," the iGiant told iMore.

Totally sane John McAfee survives 'poisoning' attempt

Antivirus pioneer turned outlaw and cryptocurrency baron John McAfee continues to make headlines for his.. umm.. eventful life.

This time, the completely stable security guru is coming to us from a hospital in North Carolina, USA, after spending two two days unconscious from what he says was an attempt on his life.

This from the man himself:

Well, it certainly sounds like he's already back to his old self, for better or worse. ®

Sponsored: Minds Mastering Machines - Call for papers now open




Biting the hand that feeds IT © 1998–2018