This Week in Security: U2F, Unleash the KRACKen, TPM Woes

Security For The Masses

“2FA All The Things”, the resounding war cry of this generation’s InfoSec experts, has been bellowed from the tops of security towers for as long as two-factor authentication has been available to users. This week Google refactored and revised its security offerings for Gmail so that all users can enable hardened security features and keep prying eyes from reading their sensitive email.

As part of Google’s Advanced Protection Program, and in celebration of National Cyber Security Awareness Month, Google has opened its once-closed enhanced protection offerings to the public. These offerings protect a user’s Gmail account with a three-pronged approach to countering typical account-hijacking methods.

The first enhancement adds stronger 2FA protection to a user’s account by introducing support for Security Keys. These are physical security devices, in the form of a USB key or a wireless device, that store certificates implementing the Universal 2nd Factor (U2F) protocol to protect accounts from phishing and password theft. U2F keys come in a variety of flavors from vendors such as the YubiKey NEO or Feitian FIDO BioPass; just make sure yours isn’t vulnerable to the new TPM flaw (see below for more information).

The second enhancement restricts third-party applications’ access to the user’s Google data. In several compromises, users were tricked into granting malicious applications access to their Google data, such as Gmail and Google Drive. The new controls restrict access to Google’s own apps only. This may be a hindrance to some users, as it blocks applications such as Apple iMail and Microsoft Outlook from accessing their Gmail account; however, Google has stated it will expand support to additional applications in the future.

The third prong in (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog