Mobile Passwords–Tricks & Treats


The NCCoE Buzz: Mobile Security Edition is a recurring email on timely topics in mobile device cybersecurity and privacy from the National Cybersecurity Center of Excellence's (NCCoE's) Mobile Device Security project team.


With Halloween around the corner, the National Cybersecurity Center of Excellence (NCCoE) wants to share a few "tricks" and tips for mobile passwords that result in the "treat" of protecting your mobile device from compromise.

Potential Threats

Below is a list of several potential mobile password threats that can impact you or your organization:

  • Lost/Stolen Phone – If an unauthorized user obtains a lost or stolen mobile phone that has no password, they may have easy access to sensitive information on the device (e.g., messages, photos, or email).
  • Brute-Force Attack – If a mobile phone has a weak password, a malicious attacker may be able to easily guess or recover the password and gain access to information on the mobile phone.
  • Phishing – If an attacker captures a password by texting or emailing a user or subscriber to convince them that the attacker is the verifier or another reliable party, the attacker can gain access to the user's account(s) and sensitive information.

Password Protections

To protect against mobile password threats, here are a few tips:

1. Apply multi-factor authentication.

If a password is compromised, requiring a second factor for authentication can help protect against threats such as phishing attacks.

Multi-factor authentication can be any combination of the
following:

  • Something you know – Password, PIN, etc.
  • Something you have – Authenticator app, hardware token, etc.
  • Something you are – Biometrics (e.g., fingerprint or face recognition)

For example, if an attacker has acquired your password (something
you know) through a phishing attack, but your account requires a password +
your fingerprint (something you are) to grant access, then the attacker will
not be able to access your account because they do not have access to the
second factor.

2. Choose a password with a minimum length of 8 characters.

A common misconception is that complexity is the key to having a strong password. NIST SP 800-63B highlights that composition (complexity) rules can actually make it difficult for the user to remember their password and can deter them from developing a strong, memorable password.

Instead, 800-63B recommends creating a memorable password that is at least 8 characters in length to help protect against brute-force attacks, while also ensuring the user can remember their password/PIN/passphrase.

We hope these mobile password tricks and treats were helpful.

Additional Resources

More information about how to use and apply specific
authenticators can be found in NIST Special Publication 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management.

More information on how to protect against other potential mobile
threats can be found in NIST SP 1800-22 Mobile Device Security: Bring Your Own Device.


CISA Upgrades to Version 2.0 of Traffic Light Protocol in One Week – Join Us

On Nov. 1, 2022, CISA will upgrade from Traffic Light Protocol (TLP) 1.0 to TLP 2.0, in accordance with the recommendation by the Forum of Incident Response and Security Teams (FIRST) that organizations move to 2.0 by the end of 2022. TLP Version 2.0 brings the following key updates:

  • TLP:CLEAR replaces TLP:WHITE for publicly releasable information.
  • TLP:AMBER+STRICT supplements TLP:AMBER, clarifying when information may be shared with the recipient's organization only.

CISA encourages all network defenders and partners to upgrade to TLP Version 2.0 to facilitate greater information sharing and collaboration. For more information, see:

Last Chance! Register for Today’s NCCoE Healthcare Community of Interest Update

Back in August, the NCCoE Healthcare team released the final project description, Mitigating Cybersecurity Risk in Telehealth Smart Home Integration.

This project’s goal is to provide health delivery organizations (HDOs) with
practical solutions for securing an ecosystem that incorporates consumer-owned
smart home devices into an HDO-managed telehealth solution.

Register now to hear an update from the NCCoE Healthcare team on
the following topics:

  • The Smart Home Integration Project Description
  • The Federal Register Notice (FRN) Status
  • The NCCoE project approach and potential collaboration opportunities
  • Next steps for the NCCoE Healthcare team

There will be 45 minutes of presentation and 15 minutes of Q&A at the end of the webinar.

This event takes place at 2 PM today. The event page includes details on the overview of the call as well as a link to the registration page. If you have any questions, please email our team at hit_nccoe@nist.gov.

Event Page

CMVP Security Policy Requirements: NIST SP 800-140B Rev. 1 (Second Public Draft)

The second public draft of NIST Special Publication (SP) 800-140Br1 (Revision 1), CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B, is now available for public comment.

The initial public draft introduced four significant changes to NIST SP 800-140B:

  1. Defines a more detailed structure and organization for the Security Policy
  2. Captures Security Policy requirements that are defined outside of ISO/IEC 19790 and ISO/IEC 24759
  3. Builds the Security Policy document as a combination of the subsection information
  4. Generates the approved algorithm table based on lab/vendor selections from the algorithm tests

This second draft addresses the comments made on the initial
draft, including concerns with the structure of the Security Policy and the
process for creating it. Appendix B provides details on these changes.

The NIST SP 800-140x series supports Federal Information
Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules,
and its associated validation testing program, the Cryptographic Module
Validation Program (CMVP). The series specifies modifications to ISO/IEC 19790
Annexes and ISO/IEC 24759 as permitted by the validation authority.

The public comment period is open through December 5, 2022. See the publication details for instructions on submitting comments.

Read More

Public Comment Period Extended to 10/5 | Implementing the HIPAA Security Rule: Draft NIST SP 800-66, Rev. 2

The public comment period has been extended for the initial public draft of NIST Special Publication (SP) 800-66r2 (Revision 2), Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide. The new comment deadline is October 5, 2022.

The HIPAA Security Rule specifically focuses on protecting the
confidentiality, integrity, and availability of electronic protected health
information (ePHI), as defined by the Security Rule. All HIPAA-regulated
entities must comply with the requirements of the Security Rule.

This draft:

  • Includes a brief overview of the HIPAA Security Rule
  • Provides guidance for regulated entities on assessing and managing risks to ePHI
  • Identifies typical activities that a regulated entity might consider implementing as part of an information security program
  • Lists additional resources that regulated entities may find useful in implementing the Security Rule

Please submit comments to sp800-66-comments@nist.gov through October 5, 2022. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included on page v of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Read More

New York Metro Joint Cyber Security Conference

Created in 2014, this collaborative event is cooperatively developed, organized, and sponsored by the leading information security industry organizations and chapters, including NY Metro ISSA. Thanks to the strength of its organizational membership, the provision of desirable CPE credits, and its coincidence with National Cyber Security Awareness Month, the event is always well-attended by members of the information technology, information security, audit, academic, and business communities.

Agenda is at InfoSecurity.NYC

Register for free at Infosecurity-NYC-2022.EventBrite.com

Hurricane-Related Scams

CISA warns users to remain on alert for malicious cyber activity targeting potential disaster victims and charitable donors following a hurricane. Fraudulent emails—often containing malicious links or attachments—are common after major natural disasters. Exercise caution in handling emails with hurricane-related subject lines, attachments, or hyperlinks. In addition, be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events.

To avoid becoming victims of malicious activity, users and administrators should review the following resources and take preventative measures.

  • Staying Alert to Disaster-related Scams
  • Before Giving to a Charity
  • Staying Safe on Social Networking Sites
  • Avoiding Social Engineering and Phishing Attacks
  • Using Caution with Email Attachments

If you believe you have been a victim of cybercrime, file a complaint with the Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) at www.ic3.gov.

Recommendation for Random Bit Generator Constructions: Third Public Draft of NIST SP 800-90C Available for Comment

The National Institute of Standards and Technology (NIST) has released the third public draft of NIST Special Publication (SP) 800-90C, Recommendation for Random Bit Generator (RBG) Constructions.

The NIST SP 800-90 series of documents supports the generation of
high-quality random bits for cryptographic and non-cryptographic use. SP
800-90A specifies several deterministic random bit generator (DRBG) mechanisms
based on cryptographic algorithms. SP 800-90B provides guidance for the
development and validation of entropy sources. SP 800-90C specifies
constructions for the implementation of random bit generators (RBGs) that
include DRBG mechanisms as specified in SP 800-90A and that use entropy sources
as specified in SP 800-90B.

This draft includes constructions for three classes of RBGs:

  • An RBG1 construction provides random bits from a device that is initialized from an external RBG.
  • An RBG2 construction includes an entropy source that is available on demand.
  • An RBG3 construction includes an entropy source that is continuously accessed to provide output with full entropy.

SP 800-90C includes a note to readers, guidance for accessing and
handling the entropy sources in SP 800-90B, specifications for the
initialization and use of the three RBG constructions that incorporate the
DRBGs from SP 800-90A, and guidance on health testing and implementation
validation using NIST’s Cryptographic Algorithm Validation Program (CAVP) and
the Cryptographic Module Validation Program (CMVP) that is jointly operated by
NIST and the Canadian Centre for Cyber Security (CCCS).

Note that an initial public draft of an associated document, NIST IR 8427, Discussion on the Full Entropy Assumption of the SP 800-90 Series, is also available for public comment.

The public comment period for NIST SP 800-90C is open through December 7, 2022. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Read More

Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight: NIST IR 8286C

NIST has released NIST Internal Report (IR) 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight. This report completes the cybersecurity risk management (CSRM) and enterprise risk management (ERM) integration cycle described throughout the NIST IR 8286 series.

NIST IR 8286C describes methods for combining risk information
from across the enterprise, including notional examples for aggregating and
normalizing the results from cybersecurity risk registers (CSRRs) while considering
risk parameters, criteria, and business impacts. The resulting integration and
normalization of risk information informs enterprise-level risk decision-making
and monitoring, which helps create a comprehensive picture of the overarching
cyber risk. The report describes the creation of an enterprise risk profile
(ERP) that supports the comparison and management of cyber risks along with
other risk types.

NIST IR 8286C pairs with several other reports:

The NIST IR 8286 series enables risk practitioners to integrate
CSRM activities more fully into the broader enterprise risk processes. Because
information and technology comprise some of the enterprise’s most valuable
resources, it is vital that directors and senior leaders have a clear
understanding of cybersecurity risk posture at all times. It is similarly vital
that those identifying, assessing, and treating cybersecurity risk understand
enterprise strategic objectives when making risk decisions.

The authors of the NIST IR 8286 series hope that these
publications will spark further industry discussion. As NIST continues to
develop frameworks and guidance to support the application and integration of
information and technology, many of the series’ concepts will be considered for
inclusion.

Read More

Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices

Our analysis of a recent version of a previously reported info-stealing Android malware, delivered through an ongoing SMS campaign, demonstrates the continuous evolution of mobile threats. Masquerading as a banking rewards app, this new version has additional remote access trojan (RAT) capabilities, is more obfuscated, and is currently being used to target customers of Indian banks. The SMS campaign sends out messages containing a link that points to the info-stealing Android malware. The malware's RAT capabilities allow the attacker to intercept important device notifications such as incoming messages, an apparent effort to catch two-factor authentication (2FA) messages often used by banking and financial institutions. The malware's ability to steal all SMS messages is also concerning since the data stolen can be used to further steal users' sensitive info like 2FA messages for email accounts and other personally identifiable information (PII).

Figure 1. Typical SMS campaign attack flow: the infection starts from an SMS message that contains a malicious link leading to the malicious APK.

Our investigation of this new Android malware version started from our receipt of an SMS message containing a malicious link that led us to the download of a fake banking rewards app. The fake app, detected as TrojanSpy:AndroidOS/Banker.O, used a different bank name and logo compared to a similar malware reported in 2021. Moreover, we found that this fake app’s command and control (C2) server is related to 75 other malicious APKs based on open-source intelligence. Some of the malicious APKs also use the same Indian bank’s logo as the fake app that we investigated, which could indicate that the actors are continuously generating new versions to keep the campaign going.

This blog details our analysis of the recent version’s capabilities. We strongly advise users never to click on unknown links received in SMS messages, emails, or messaging apps. We also recommend seeking your bank’s support or advice on digital options for your bank. Further, ensure that your banking apps are downloaded from official app stores to avoid installing malware.

To read the full article at Microsoft, click here.