August 27, 2019

GitHub joins WebAuthn club

By Danny Bradbury

Source code management site GitHub is the latest company to support WebAuthn – a new standard that makes logging into online services using a browser more secure.

WebAuthn is short for Web Authentication and it’s a protocol that lets you log into an online service by using a digital key. It’s a core part of FIDO2, a secure login protocol from the FIDO Alliance, which encourages industry support for these secure login standards.

GitHub, which Microsoft bought for $7.5bn last year, has been doing its best to secure people’s accounts with more secure logins for a while now. Back in 2013, it announced support for two-factor authentication (2FA) via SMS text messages and 2FA apps on a mobile phone. Then, in October 2015, it launched support for universal second factor (U2F) authentication. This was a FIDO specification that allowed the use of a hardware key as a 2FA mechanism.

WebAuthn supersedes U2F and offers everything the older standard did along with some additional benefits:

  • It upgrades GitHub’s 2FA support to the latest industry standard. The World Wide Web Consortium (W3C), which oversees many of the standards that make up the web, approved WebAuthn as an official standard in March 2019.
  • While you can use a third-party hardware security key to use WebAuthn, in many cases you don’t need to. You can also use a digital key stored on your phone instead, turning the phone itself into your hardware key.
  • WebAuthn can be a primary access factor. U2F still needed a password to gain access, meaning that it could only ever be a second factor in your login process. The U2F-based physical key effectively said “yes, the person entering that password is legit, because I am in their possession”.
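As an added illustration (not code from the article or from GitHub) of what a site actually checks when a WebAuthn key is used to log in: the browser returns authenticatorData and clientDataJSON, and the server verifies the challenge, origin, RP ID hash, user-presence flag and signature counter before it verifies the signature. RP_ID, EXPECTED_ORIGIN, ISSUED_CHALLENGE and sample_assertion are constructed values for the example.

```python
import base64
import hashlib
import json

# Constructed relying-party state (not from the article): the site's RP ID,
# the origin it expects, and the random challenge it issued for this login.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://" + RP_ID
ISSUED_CHALLENGE = bytes(range(16))

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Fixed prefix of authenticatorData: rpIdHash(32) | flags(1) | signCount(4, BE)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {"rp_id_hash": auth_data[:32],
            "user_present": bool(flags & 0x01),   # UP bit
            "user_verified": bool(flags & 0x04),  # UV bit
            "sign_count": int.from_bytes(auth_data[33:37], "big")}

def verify_assertion(auth_data, client_data_json, stored_sign_count):
    """Relying-party checks on a login assertion; returns (ok, detail), where on
    success detail is the exact byte string the authenticator signed."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong clientData type"
    if client.get("challenge") != b64url(ISSUED_CHALLENGE):
        return False, "challenge mismatch (replayed or stale assertion)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch (assertion was made for another site)"
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad["user_present"]:
        return False, "user presence flag not set"
    if (ad["sign_count"] or stored_sign_count) and ad["sign_count"] <= stored_sign_count:
        return False, "signature counter did not increase (cloned authenticator?)"
    # Signature covers authenticatorData || SHA-256(clientDataJSON); checking it
    # against the stored credential public key is left to a crypto library.
    return True, auth_data + hashlib.sha256(client_data_json).digest()

def sample_assertion(sign_count=7, flags=0x05, origin=EXPECTED_ORIGIN):
    """Constructed assertion fields shaped like what a browser returns."""
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(ISSUED_CHALLENGE),
                              "origin": origin}).encode()
    return auth_data, client_data
```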

Read more at https://nakedsecurity.sophos.com/2019/08/27/github-joins-webauthn-club/

Hostinger upgrades password security after 14m accounts breached

By John E Dunn

Over the weekend, millions of customers of web hosting company Hostinger started receiving emails bearing the bad news that their passwords were being reset after a data breach.

According to Hostinger, 14 million of its users are affected by the reset, which became necessary after attackers gained access to an API server on 23 August 2019.

This server contained an authorization token [for a database], which was used to obtain further access and escalate privileges to our system RESTful API Server.

This database contained details of customer accounts, including usernames, email addresses, first names, IP addresses, and hashed passwords.

What this means in practical terms is that anyone whose accounts were among those 14 million will need to reset their Hostinger Client password before they can log in.

Hostinger has said it has sent password reset instructions to all its Client users.

These are hosting accounts for numerous business and personal websites (including their domain and email management), so it’s critical that this is done without delay. So far at least:

Hostinger Client accounts and data stored on those accounts (websites, domains, hosted emails, etc.) remained untouched and unaffected.

Read more at https://nakedsecurity.sophos.com/2019/08/27/hostinger-upgrades-password-security-after-14m-accounts-breached/

Court squeezes $1 million back from convicted phisher

By Lisa Vaas

Wooo, fancy – a guy who phished more than 100 companies out of nearly £1m (around $1.1m) in cryptocurrency used some of that money to sit his butt down in a first-class carriage on the train. That’s how they caught him, actually – with “his fingers on the keyboard” as he was logging in to a dark web account on a train between Wales and London back in September 2017.

Flash forward two years, and Wooo-HOOOOO, it’s payback time!

As in, literal payback. London’s Metropolitan Police announced on Friday that Grant West, who was 25 when police arrested him on that train and who is now 27, has not only been jailed for fraud after carrying out attacks on more than 100 major brands worldwide, including Apple, Uber, Sainsbury’s, Groupon, T-Mobile, Ladbrokes, Vitality, the British Cardiovascular Society and the Finnish Bitcoin exchange.

He’s also been ordered to pay back the money he ripped off.

Goodbye, cryptocurrency: when Southwark Crown Court gave West ten years and eight months jail time, the judge also said that his ill-gotten loot would be sold and that the victims will receive compensation.

I therefore order a confiscation of that amount, £915,305.77, to be paid as a way of compensation to the losers.

Some of it’s frozen and being held by the FBI, and all of it’s fluctuating madly, as cryptocurrencies do, which has made it tough to figure out exactly how much to give victims.

West has to agree to release the funds from his accounts, but there’s not much of a choice there: he’d be looking at four additional years in jail if he were to refuse, the judge said.

West did, in fact, agree to give up the money, which reportedly included ethereum, bitcoin and other cryptocurrencies. Unfortunately, victims won’t be able to claw back the money West blew on his fancy travel: besides his first-class train habits, he also blew the money on holidays, food, shopping and household goods.

Read more at https://nakedsecurity.sophos.com/2019/08/27/court-squeezes-1-million-back-from-convicted-phisher/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation