White label SOS panic buttons can be hacked via SMS

By John E Dunn

A widely used panic alarm handed out to at least 10,000 thousand elderly people in the UK can be remotely controlled by sending it simple SMS commands, researchers at Fidus Information Security have discovered.

The alarm – a small plastic pendant device with an SOS button in the middle – connects to 2G/GPRS cellular networks, which means it can be used anywhere without the need for an intermediary base station and provides a live status feed.

As well as being able to locate the wearer via GPS, it can also detect whether the wearer has taken a fall and comes with a microphone and speaker for two-way communication should an emergency be detected.

On the face of it, a potentially life-saving device, but also one whose unnamed maker doesn’t appear to have factored in even basic security.

Read more at https://nakedsecurity.sophos.com/2019/05/14/white-label-sos-panic-buttons-can-be-hacked-via-sms/

Windows 10 brings password-free access another step closer

By Danny Bradbury

Microsoft hammered another nail in the password’s coffin by winning a certification for Windows Hello that will make it easier for people to log into Windows machines. 

Windows Hello is the authentication system in Windows 10, and Microsoft introduced it to wean us off password-based access. It enables machines with the right hardware reader or camera to scan your fingerprint or face to access Windows 10 and your Microsoft account. You can also use it to access third-party services.

This month, the company earned FIDO2 certification for Windows Hello. By becoming a FIDO2 certified authenticator, Microsoft has just enabled 800million Windows 10 users to use a hardware security key with Windows Hello’s password-free system.

FIDO aims to make logins easier and more secure

To understand why this is important, we need to dig into FIDO, which stands for Fast IDentity Online. The FIDO Alliance is an industry group backed by large tech players that aims to make logins easier and more secure. 

Since the FIDO Alliance started in 2013, it has released three specifications. The first, announced in 2014, was the Universal Authentication Framework (UAF). That standard focused on using biometrics like your fingerprint for password-free authentication.

The second standard was Universal Second Factor (U2F). This let people authenticate themselves using hardware devices like USB keys that you could plug into your computer, or near-field communication (NFC) devices that you could tap on a hardware-based reader. Google and Yubico developed this technology for two-factor authentication, meaning you’d use it as an extra layer of protection on top of your regular password.

Read more at https://nakedsecurity.sophos.com/2019/05/14/windows-10-brings-password-free-access-another-step-closer/

Feds hook ELECTRICFISH, new Windows malware from North Korea

By Danny Bradbury

The FBI and Department of Homeland Security have identified (Malware Analysis Report AR19-129A) a new strain of malware from North Korea, the latest in a long line of cyber attacks from the country.

The Windows malware, dubbed ELECTRICFISH, sets up a tunnel between a machine on the victim’s network and the attacker’s system, enabling the attacker to receive network traffic from the victim.

Once it has a foothold, it then tries to connect to a source IP address within the victim’s network, and a destination address owned by the attacker. The attacker can also configure a proxy to act as an intermediary between the infected computer and the destination IP, avoiding the need for authentication to get outside the victim’s network. The US CERT advisory says:

If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be funneled between two machines.

Read more at https://nakedsecurity.sophos.com/2019/05/14/dhs-fbi-spot-north-korean-traffic-tunnelling-malware/