In this week’s Security Snacks:
- Zero-Day Chrome Vulnerability; Patchy, Patchy, Quickly, Quickly
- Why Are So Few People Using Multi-Factor Authentication?
- How Do Two Billion Records Get Exposed!?
Zero-Day Chrome Vulnerability; Patchy, Patchy, Quickly, Quickly
A Google Chrome zero-day requires immediate attention: the browser on every one of your endpoints should be updated to the latest release.
Mac, Windows, Linux. It doesn’t matter which OS you are running; this vulnerability affects each and every one of us. Google’s Threat Analysis Group reported the bug, Google rated it High severity, and it impacts the browser on all major operating systems, so you need to close the hole before someone else uses it.
The vulnerability is another one of those that could allow a remote attacker, via a malicious web page, to execute code and take over the target device. Google’s announcement stated the issue lies in the FileReader API, which allows web developers to read the contents of a user’s local files without uploading them to a server.
Closing the loophole is a matter of upgrading Chrome to version 72.0.3626.121 or later on all OSes.
For ConfigMgr admins, this could simply be a case of pushing out the latest Enterprise MSI to endpoints. However, it’s worth investing time in the third-party software updates feature introduced in ConfigMgr 1806 and getting hold of the Google Chrome catalogs, so that patching of the product is managed in your environment the same way as Microsoft updates.
Full details of the vulnerability are available in The Hacker News article, New Google Chrome Zero-Day Vulnerability Found Actively Exploited in the Wild.
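Whichever way you push the update out, you will want to know which endpoints are still running a vulnerable build. The following PowerShell script is an added example, not code from the original post, Google, or Microsoft. It is written as a ConfigMgr configuration-item discovery script: it locates every chrome.exe in the standard per-machine and per-user install paths (an assumption; adjust the paths if you deploy Chrome elsewhere), reads the version stamped into the executable, and returns the string Compliant or Non-Compliant for the compliance rule to test against. The minimum version is the fixed build named in the Google advisory.

```powershell
# Added example (not from the original post, Google, or Microsoft).
# ConfigMgr configuration-item discovery script: returns 'Compliant' when every
# Chrome install found is at or above the fixed build, 'Non-Compliant' otherwise.
# Set the compliance rule to expect the value 'Compliant'.

$MinimumVersion = [version]'72.0.3626.121'   # first build containing the fix (from Google's advisory)

# Candidate chrome.exe locations. Assumption: standard installer paths.
# Per-user installs are found by walking every profile under \Users, because the
# script runs as SYSTEM under ConfigMgr and $env:LOCALAPPDATA would point at
# the SYSTEM profile rather than at the logged-on users.
$Candidates = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
)
$Candidates += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Google\Chrome\Application\chrome.exe' }

function Get-ChromeInstall {
    param([string[]]$Paths)
    $found = @()
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            # ProductVersion is the version resource embedded in chrome.exe, e.g. 72.0.3626.121
            $raw = (Get-Item -LiteralPath $p).VersionInfo.ProductVersion
            if ($raw) {
                $found += [pscustomobject]@{ Path = $p; Version = [version]$raw }
            }
        }
    }
    return $found
}

function Test-ChromeCompliance {
    param([version]$Minimum, [object[]]$Installs)
    if (-not $Installs) {
        # No Chrome on this machine: nothing to patch. Return a distinct value so the
        # compliance report can tell 'patched' apart from 'not installed'.
        return 'NotInstalled'
    }
    # Every copy found must be at or above the minimum; a stale per-user copy
    # is still an exploitable browser even if the per-machine copy is current.
    $stale = @($Installs | Where-Object { $_.Version -lt $Minimum })
    if ($stale.Count -gt 0) {
        $detail = ($stale | ForEach-Object { "$($_.Path) ($($_.Version))" }) -join '; '
        Write-Verbose "Outdated Chrome found: $detail"
        return 'Non-Compliant'
    }
    return 'Compliant'
}

# The last expression is the only output, which is what the discovery script must return.
$installs = Get-ChromeInstall -Paths $Candidates
Test-ChromeCompliance -Minimum $MinimumVersion -Installs $installs
```

Two points worth noting. The comparison is done on [version] objects rather than strings, so 72.0.3626.121 correctly sorts above 72.0.3626.96 even though a string compare would put it the other way round. And per-user installs are included deliberately: users who installed Chrome without admin rights are exactly the ones your Enterprise MSI push will not touch, so they are the ones this check needs to catch.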
Why Are So Few People Using Multi-Factor Authentication?
Academics at the RSA Conference tell us there’s limited uptake of multi-factor authentication to protect our logins, and it’s ridiculous.
It’s time for us to wake up and take notice. We are being slow to implement multi-factor authentication (MFA) and protect our accounts and endpoints in this online world. So say Dr. L. Jean Camp, a professor at Indiana University Bloomington in the US, and her doctoral candidate Sanchari Das, in their presentation at the RSA Conference in San Francisco in March.
Why aren’t we using it? Apparently, we either don’t grasp the risk or we can’t figure out how to use the technology. Millennials are even less concerned about the problem, even though they store so much of their data online. Ultimately, being educated about the solutions and raising awareness of the associated risks are key to adoption. In particular, the researchers were looking at hardware tokens for MFA such as Yubico security keys and Google’s own security keys.
Windows Hello for Business is a well-supported way forward in corporate Windows environments, replacing passwords with strong two-factor authentication on PCs and mobile devices: a key bound to the device, unlocked by a biometric or a PIN. It can be implemented in cloud-only, hybrid, or on-premises environments.
The Register has all the details on the findings from the RSA Conference presentation in an article titled, How to make people sit up and use 2-factor auth: Show ’em a vid reusing a toothbrush to scrub a toilet – then compare it to password reuse. You can start onboarding Windows Hello for Business by taking a look at the Microsoft Docs on the technology.
How Do Two Billion Records Get Exposed!?
The security slip was badly underestimated: over two billion records were exposed in an unprotected MongoDB database held by Verifications.io, not the 809 million initially reported.
Weren’t we supposed to feel a bit more confident about the handling of our data now that GDPR has been in force since 2018? That doesn’t seem to be the case, as 2,069,145,043 records were exposed in a database with no protection at all.
Verifications.io provides an email validation service: marketing teams tap into its lists to confirm that email addresses are valid before sending out a pitch. That data was exposed. While the records included date-of-birth fields, experts believe the breach will have less impact than initially feared, as the database did not contain credit card, medical, or other highly sensitive data.
Details have not yet emerged on how the database came to be exposed, so IT departments will have to wait to see what lessons there are for protecting their own databases. On the other side of the equation, for people who would rather not end up in databases like this, there is no silver bullet. It is always a good idea, though, to be extra skeptical of unexpected communications, and never to give out sensitive information except to known, trusted entities that actually need it.
For more information read ZDNet’s article, 809 million records exposed by email marketing giant.