The State of Security

JULY 14, 2022

Microsoft has shared details of a widespread phishing campaign that not only attempted to steal the passwords of targeted organisations, but was also capable of circumventing multi-factor authentication (MFA) defences. Read more in my article on the Tripwire State of Security blog.

Authentication 141

Authentication Phishing Passwords 141

Schneier on Security

JANUARY 21, 2020

Phone companies have added security measures since this attack became popular and public, but a new study (news article ) shows that the measures aren't helping: We examined the authentication procedures used by five pre-paid wireless carriers when a customer attempted to change their SIM card.

Authentication 263

Authentication Wireless Backups Accountability 263

Schneier on Security

MAY 26, 2020

The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade.

Authentication 232

Authentication Wireless Manufacturing Technology 232

Schneier on Security

AUGUST 15, 2024

EDITED TO ADD: Good article : One – ML-KEM [PDF] (based on CRYSTALS-Kyber) – is intended for general encryption, which protects data as it moves across public networks.

Encryption 334

Encryption Backups Authentication Technology 334

CSO Magazine

SEPTEMBER 22, 2022

Credential compromise has been one of the top causes for network security breaches for a long time, which has prompted more organizations to adopt multi-factor authentication (MFA) as a defense. To read this article in full, please click here

Authentication 141

Authentication Network Security Accountability 141

Schneier on Security

MAY 30, 2023

It’s neither hard nor expensive : Unlike password authentication, which requires a direct match between what is inputted and what’s stored in a database, fingerprint authentication determines a match using a reference threshold. Other news articles. Research paper.

Authentication 282

Authentication Encryption Passwords 282

CSO Magazine

JANUARY 4, 2023

Every business needs a secure way to collect, manage, and authenticate passwords. Storing passwords in the browser and sending one-time access codes by SMS or authenticator apps can be bypassed by phishing. To read this article in full, please click here Unfortunately, no method is foolproof.

Authentication 129

Authentication Password Management Backups Passwords 129

Schneier on Security

JANUARY 19, 2023

As one example, we present a cross-protocol attack which breaks authentication in Threema and which exploits the lack of proper key separation between different sub-protocols. We provide an extensive cryptographic analysis of Threema, a Swiss-based encrypted messaging application with more than 10 million users and 7000 corporate customers.

Encryption 337

Encryption Authentication Advertising Government 337

Schneier on Security

JUNE 15, 2022

The attack shows that pointer authentication can be defeated without leaving a trace, and as it utilizes a hardware mechanism, no software patch can fix it. Another news article. It’s not obvious how to exploit this vulnerability in the wild, so I’m unsure how important this is. Research paper.

Artificial Intelligence 280

Artificial Intelligence Authentication Software Malware 280

Schneier on Security

APRIL 15, 2019

The first category consists of downgrade attacks against WPA3-capable devices, and the second category consists of weaknesses in the Dragonfly handshake of WPA3, which in the Wi-Fi standard is better known as the Simultaneous Authentication of Equals (SAE) handshake. News article. All attacks are against home networks (i.e.

Passwords 277

Passwords Authentication 277

Duo's Security Blog

MAY 23, 2024

When reading the title of this blog, you might be wondering to yourself why RADIUS is being highlighted as a subject — especially amidst all of the advancements of modern authentication we see taking place recently. Instead, it supports a variety of authentication protocols , including EAP, PAP, CHAP, and others. What is RADIUS?

Authentication 111

Authentication Wireless Passwords Encryption 111

Schneier on Security

MAY 20, 2022

Locks that use Bluetooth Low Energy to authenticate keys are vulnerable to remote unlocking. Another news article. The research focused on Teslas, but the exploit is generalizable.

Technology 272

Technology Authentication Hacking 272

Schneier on Security

MARCH 19, 2021

Too many networks use SMS as an authentication mechanism. Don’t focus too much on the particular company in this article. But as Lucky225 showed, a user can just sign up with someone else’s number and receive their text messages instead. This is much easier than SMS hijacking, and causes the same security vulnerabilities.

Authentication 336

Authentication Accountability Advertising Mobile 336

Krebs on Security

JULY 23, 2018

Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., “Users might be asked to authenticate using their security key for many different apps/reasons. .

Phishing 245

Phishing Authentication Mobile Passwords 245

Schneier on Security

DECEMBER 8, 2023

news articles. New attack breaks forward secrecy in Bluetooth. The vulnerability has been around for at least a decade.

Authentication 323

Authentication 323

Schneier on Security

NOVEMBER 15, 2019

We further highlight the impact of these vulnerabilities by demonstrating a remote attack against a StrongSwan IPsecVPN that uses a TPM to generate the digital signatures for authentication. News articles. These are real attacks, and take between 4-20 minutes to extract the key. Intel has a firmware update. Attack website.

Firmware 250

Firmware Authentication Manufacturing 250

eSecurity Planet

NOVEMBER 6, 2024

Don’t forget: You can read the full article on eSecurity Planet. They could even conceal dangerous malware in photos or links on secure websites you visit, and a single click can activate the code, even overcoming multifactor authentication. In this video, we’ll show you how to stay safe. What Are Cookies?

Identity Theft 110

Identity Theft Passwords Phishing Accountability 110

Joseph Steinberg

JANUARY 26, 2022

To do so, they ask you to perform a form of Google authentication in which, to confirm your identity, you need to provide them with a number that will be sent to your phone by either text or voice message. As such, the criminal’s request may seem innocuous, when it is anything but. What if you already were scammed?

Scams 321

Scams Authentication Accountability Artificial Intelligence 321

SecureWorld News

JANUARY 10, 2024

A quick intro to security keys: A security key can work in place of other forms of two-factor authentication such as receiving a code through SMS or pressing a button in an authentication app. Seriously, if anyone knows, please comment on this article about it. When it came to authenticating, both keys worked just fine.

Authentication 104

Authentication Password Management Passwords Mobile 104

Schneier on Security

DECEMBER 4, 2018

There are lots of articles about there telling people how to better secure their computers and online accounts. While I agree with some of it, this article contains some particularly bad advice: 1. Two-factor authentication is important, and I use it on some of my more important online accounts.

Accountability 274

Accountability Passwords VPN Mobile 274

Schneier on Security

AUGUST 24, 2020

You can then use that key to derive master passwords for password managers, as the seed to create a U2F key for two-factor authentication, or even as the secret key for cryptocurrency wallets. Another news article. Here's the DiceKeys website and app. Here's a short video demo. Here's a longer SOUPS talk. Preorder a set here.

Passwords 251

Passwords Cryptocurrency Password Management Authentication 251

Schneier on Security

AUGUST 7, 2023

The hackers used forged authentication tokens to access user email, using a stolen Microsoft Azure account consumer signing key. News articles. A bunch of networks, including US Government networks , have been hacked by the Chinese. Congress wants answers. Master signing keys are not supposed to be left around, waiting to be stolen.

Authentication 246

Authentication Government Hacking Accountability 246

The Last Watchdog

FEBRUARY 20, 2024

Authentication and authorization vulnerabilities: Weak authentication methods and compromised access tokens can provide unauthorized access. Multi-factor authentication: Implement multi-factor authentication for administration and privileged users to enhance access control and prevent unauthorized entry.

Cybersecurity 273

Cybersecurity Penetration Testing Authentication Social Engineering 273

Krebs on Security

MARCH 16, 2021

But Lucky225 said the class of SMS interception he’s been testing targets a series of authentication weaknesses tied to a system developed by NetNumber , a private company in Lowell, Mass. Usually, this is a mobile app like Authy or Google Authenticator that generates a one-time code.

Telecommunications 363

Telecommunications Mobile Accountability Wireless 363

Schneier on Security

FEBRUARY 3, 2021

Once the attackers had that initial foothold, they used a variety of complex privilege escalation and authentication attacks to exploit flaws in Microsoft’s cloud services. The New York Times has repeated this attribution — a good article that also discusses the magnitude of the attack.)

Computers and Electronics 363

Computers and Electronics Malware Software Government 363

Daniel Miessler

MAY 14, 2020

I wrote an article recently on how to secure your home network in three different tiers of protection. Enable two-factor authentication on all critical accounts. Go to each of those high-priority accounts and ensure two-factor authentication (often called strong authentication) is turned on. Everything.

Risk 345

Risk Passwords Password Management Accountability 345

Schneier on Security

JANUARY 5, 2021

The New York Times has an in-depth article on the latest information about the SolarWinds hack (not a great name, since it’s much more far-reaching than that). Interviews with key players investigating what intelligence agencies believe to be an operation by Russia’s S.V.R.

Hacking 357

Hacking System Administration Software Surveillance 357

Joseph Steinberg

JANUARY 20, 2022

And, of course, they must know, and be able to strongly authenticate, any human users as well. I will discuss in a future article what roadmaps should contain in order to be most likely to yield successful Zero Trust adoption efforts.

Cybersecurity 363

Cybersecurity Artificial Intelligence Ransomware Social Engineering 363

SecureWorld News

JANUARY 16, 2025

This article delves deeper into the challenges faced by the oil and gas industry, highlighting practical strategies to safeguard critical infrastructure through cybersecurity, data analytics, and regulatory compliance. Enhanced authentication protocols: Using MFA could have prevented unauthorized access.

Energy and Utilities 109

Energy and Utilities IoT Artificial Intelligence Backups 109

Schneier on Security

MARCH 24, 2020

Such a system could violate protections guaranteeing a secret ballot, as outlined in Section 2, Article II of the Puerto Rico Constitution. The ACLU agrees.

Internet 268

Internet Internet Technology Cybersecurity 268

Schneier on Security

SEPTEMBER 20, 2019

This article discusses new types of biometrics under development, including gait, scent, heartbeat, microbiome, and butt shape (no, really).

Authentication 219

Authentication 219

Security Affairs

NOVEMBER 3, 2024

Every week the best security articles from Security Affairs are free in your email box. A new round of the weekly SecurityAffairs newsletter arrived! Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Cryptocurrency 108

Cryptocurrency Hacking Phishing Cyber Attacks 108

Joseph Steinberg

JANUARY 4, 2023

Zero Trust is a term that is often misunderstood and misused, which is why I wrote an article not long ago entitled Zero Trust: What These Overused Cybersecurity Buzz Words Actually Mean – And Do Not Mean. Because the attacker may be listening to the data moving across the network, all traffic must be encrypted.

Architecture 361

Architecture Artificial Intelligence Encryption Cybersecurity 361

eSecurity Planet

FEBRUARY 6, 2025

Single sign-on” (SSO) is an authentication method that allows users to enter one set of authentication credentials to access multiple websites, applications, and services. The goal of SSO is to streamline the authentication process by eliminating the need to enter different usernames and passwords for each resource.

Authentication 58

Authentication Passwords Mobile Encryption 58

SecureWorld News

FEBRUARY 4, 2025

In this article, I will show how website localization can be tackled with a cybersecurity mindset, both as a source of potential vulnerabilities to prevent and as a tool to strengthen the security of your website and your business. Additional measures like Google Authentication, QR code, etc.,

Marketing 100

Marketing Cybersecurity eCommerce Data breaches 100

Krebs on Security

APRIL 27, 2023

Customers can access a Salesforce Community website in two ways: Authenticated access (requiring login), and guest user access (no login required). “Additionally, we suggest reviewing the following Help article, Best Practices and Considerations When Configuring the Guest User Profile.” ” . ”

Banking 346

Banking Government Information Security Authentication 346

Graham Cluley

MARCH 27, 2024

Hardware wallet manufacturer Trezor has explained how its Twitter account was compromised - despite it having sensible security precautions in place, such as strong passwords and multi-factor authentication. Read more in my article on the Hot for Security blog.

Accountability 120

Accountability Cryptocurrency Manufacturing Passwords 120