Authentication and Engineering - Cyber Security Informer

Failures in Twitter’s Two-Factor Authentication System

Schneier on Security

NOVEMBER 17, 2022

Twitter is having intermittent problems with its two-factor authentication system: Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism.

Authentication

Authentication Passwords Accountability Media

Problems with Multifactor Authentication

Schneier on Security

OCTOBER 21, 2021

Roger Grimes on why multifactor authentication isn’t a panacea : The first time I heard of this issue was from a Midwest CEO. His organization had been hit by ransomware to the tune of $10M. Operationally, they were still recovering nearly a year later. And, embarrassingly, it was his most trusted VP who let the attackers in.

Authentication

Authentication Ransomware Social Engineering Engineering

GUEST ESSAY: Why it’s high time for us to rely primarily on passwordless authentication

The Last Watchdog

JULY 24, 2023

Today, bad actors are ruthlessly skilled at cracking passwords – whether through phishing attacks, social engineering, brute force, or buying them on the dark web. The next big thing is passwordless authentication. First and foremost, most solutions rely on connected devices like mobile phones to authenticate users.

Authentication

Authentication Passwords Social Engineering Phishing

Crooks bank on Microsoft’s search engine to phish customers

Malwarebytes

NOVEMBER 4, 2024

We identified a new wave of phishing for banking credentials that targets consumers via Microsoft’s search engine. While Microsoft’s Bing only has about 4% of the search engine market share , crooks are drawn to it as an alternative to Google. We have reported the fraudulent sites to Microsoft already.

Engineering

Engineering Phishing Banking Authentication

New Bluetooth Vulnerability

Schneier on Security

SEPTEMBER 17, 2020

When, say, an iPhone is getting ready to pair up with Bluetooth-powered device, CTKD’s role is to set up two separate authentication keys for that phone: one for a “Bluetooth Low Energy” device, and one for a device using what’s known as the “Basic Rate/Enhanced Data Rate” standard.

Authentication

Authentication Social Engineering Firmware Engineering

Threat actor impersonates Google via fake ad for Authenticator

Malwarebytes

JULY 30, 2024

If you were trying to download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the past few days, you may have inadvertently installed malware on your computer. Fake site leads to signed payload hosted on Github The fraudulent site chromeweb-authenticators[.]com

Authentication

Authentication Computers and Electronics Social Engineering Malware

Social engineering attacks target Okta customers to achieve a highly privileged role

Security Affairs

SEPTEMBER 2, 2023

Identity services provider Okta warned customers of social engineering attacks carried out by threat actors to obtain elevated administrator permissions. Okta is warning customers of social engineering attacks carried out in recent weeks by threat actors to obtain elevated administrator permissions.

Social Engineering

Social Engineering Engineering Authentication Accountability

Google Cloud to Enforce Multi-Factor Authentication by 2025 for All Users

The Hacker News

NOVEMBER 5, 2024

Google's cloud division has announced that it will enforce mandatory multi-factor authentication (MFA) for all users by the end of 2025 as part of its efforts to improve account security. "We

Authentication

Authentication Engineering Account Security Accountability

GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

The Last Watchdog

MARCH 1, 2023

The IT world relies on digital authentication credentials, such as API keys, certificates, and tokens, to securely connect applications, services, and infrastructures. This requires going beyond traditional practices and involving developers, security engineers, and operations in detection, remediation, and prevention.

Authentication

Authentication CISO Passwords Software

FBI, CISA Echo Warnings on ‘Vishing’ Threat

Krebs on Security

AUGUST 21, 2020

” The perpetrators focus on social engineering new hires at the targeted company, and impersonate staff at the target company’s IT helpdesk. Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to.

VPN

VPN Social Engineering Authentication Engineering

Microsoft Patch Tuesday, November 2024 Edition

Krebs on Security

NOVEMBER 12, 2024

The second bug fixed this month that is already seeing in-the-wild exploitation is CVE-2024-43451 , a spoofing flaw that could reveal Net-NTLMv2 hashes , which are used for authentication in Windows environments. Narang notes that CVE-2024-43451 is the third NTLM zero-day so far this year.

Authentication

Authentication Engineering Malware Passwords

GUEST ESSAY: How the ‘Scattered Spiders’ youthful ring defeated MFA to plunder Vegas

The Last Watchdog

NOVEMBER 19, 2023

As the companies face nine federal lawsuits for failing to protect customer data, it’s abundantly clear hackers have checkmated multi-factor authentication (MFA). But the coup de gras was how easily they brushed aside the multi-factor authentication protections. How they steamrolled multi-factor authentication is a reason for pause.

Social Engineering

Social Engineering Passwords Authentication Marketing

Windows Hello fingerprint authentication can be bypassed on popular laptops

Malwarebytes

NOVEMBER 24, 2023

Researchers have found several weaknesses in Windows Hello fingerprint authentication on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops. Microsoft’s Offensive Research and Security Engineering (MORSE) asked the researchers to evaluate the security of the top three fingerprint sensors embedded in laptops.

Authentication

Authentication Manufacturing Engineering Hacking

4 Ways Hackers use Social Engineering to Bypass MFA

The Hacker News

FEBRUARY 12, 2024

When it comes to access security, one recommendation stands out above the rest: multi-factor authentication (MFA). With passwords alone being simple work for hackers, MFA provides an essential layer of protection against breaches. However, it's important to remember that MFA isn't foolproof. It can be bypassed, and it often is.

Social Engineering

Social Engineering Engineering Passwords Authentication

Hackers obtained user data from Twilio-owned 2FA authentication app Authy

Security Affairs

JULY 4, 2024

Twilio states that threat actors have identified the phone numbers of users of its two-factor authentication app, Authy, TechCrunch reported. This week the messaging firm told TechCrunch that “threat actors” identified data of Authy users, a two-factor authentication app owned by Twilio, including their phone numbers.

Authentication

Authentication Social Engineering Phishing Accountability

When Low-Tech Hacks Cause High-Impact Breaches

Krebs on Security

FEBRUARY 26, 2023

GoDaddy described the incident at the time in general terms as a social engineering attack, but one of its customers affected by that March 2020 breach actually spoke to one of the hackers involved. But we do know the March 2020 attack was precipitated by a spear-phishing attack against a GoDaddy employee.

Hacking

Hacking Social Engineering Phishing Scams

Duo Continues to Enhance Partnership With Microsoft on New Entra ID External Authentication Methods

Duo's Security Blog

MAY 2, 2024

We are excited to have partnered closely with Microsoft in the co-development of Microsoft Entra ID External Authentication Methods, available in Public Preview May 2024! External Authentication Methods (EAM) enables frictionless integration of Duo’s full security feature set.

Authentication

Authentication Phishing Passwords Risk

Hackers Stole Access Tokens from Okta’s Support Unit

Krebs on Security

OCTOBER 20, 2023

Okta , a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. He said that on Oct 2.,

Social Engineering

Social Engineering Engineering Accountability Hacking

Multi-factor authentication has proven it works, so what are we waiting for?

Malwarebytes

OCTOBER 6, 2023

Recently, Amazon announced that it will require all privileged Amazon Web Services (AWS) accounts to use multi-factor authentication (MFA) , starting in mid-2024. Multi-factor authentication is so much more secure, and with that a lot more forgiving, than passwords alone. .” So we wholeheartedly agree with Amazon on this.

Authentication

Authentication Passwords Social Engineering Accountability

Patch Tuesday, December 2024 Edition

Krebs on Security

DECEMBER 10, 2024

The zero-day seeing exploitation involves CVE-2024-49138 , a security weakness in the Windows Common Log File System (CLFS) driver — used by applications to write transaction logs — that could let an authenticated attacker gain “system” level privileges on a vulnerable Windows device.

Engineering

Engineering Authentication Software Accountability

FBI Hacker Dropped Stolen Airbus Data on 9/11

Krebs on Security

SEPTEMBER 13, 2023

Credentials stolen by info-stealers often end up for sale on cybercrime shops that peddle purloined passwords and authentication cookies (these logs also often show up in the malware scanning service VirusTotal ). USDoD’s InfraGard sales thread on Breached.

Cybercrime

Cybercrime Passwords Authentication Malware

Docker fixes critical 5-year old authentication bypass flaw

Bleeping Computer

JULY 24, 2024

Docker has issued security updates to address a critical vulnerability impacting certain versions of Docker Engine that could allow an attacker to bypass authorization plugins (AuthZ) under certain circumstances. [.]

Authentication

Authentication Engineering

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

Krebs on Security

JUNE 15, 2024

.” In a SIM-swapping attack, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.

Hacking

Hacking Phishing Cybercrime Passwords

A Closer Look at the LAPSUS$ Data Extortion Group

Krebs on Security

MARCH 23, 2022

Microsoft says LAPSUS$ — which it boringly calls “ DEV-0537 ” — mostly gains illicit access to targets via “social engineering.” ” This involves bribing or tricking employees at the target organization or at its myriad partners, such as customer support call centers and help desks.

Social Engineering

Social Engineering Accountability Mobile Passwords

Voice Phishers Targeting Corporate VPNs

Krebs on Security

AUGUST 19, 2020

Allen said a typical voice phishing or “vishing” attack by this group involves at least two perpetrators: One who is social engineering the target over the phone, and another co-conspirator who takes any credentials entered at the phishing page and quickly uses them to log in to the target company’s VPN platform in real-time.

Phishing

Phishing VPN Social Engineering Media

GUEST ESSAY: Everything you should know about the cybersecurity vulnerabilities of AI chatbots

The Last Watchdog

FEBRUARY 20, 2024

Authentication and authorization vulnerabilities: Weak authentication methods and compromised access tokens can provide unauthorized access. Malicious intent or manipulation: AI chatbots can be exploited to spread misinformation, execute social engineering attacks or launch phishing. Using MFA can prevent 99.9%

Cybersecurity

Cybersecurity Penetration Testing Authentication Social Engineering

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Krebs on Security

NOVEMBER 21, 2020

In response to questions from KrebsOnSecurity, GoDaddy acknowledged that “a small number” of customer domain names had been modified after a “limited” number of GoDaddy employees fell for a social engineering scam. authenticate the phone call before sensitive information can be discussed. and 11:00 p.m.

Cryptocurrency

Cryptocurrency VPN Scams Social Engineering

The FBI Warns About A Google Voice Scam That Is Not New, But Still Finding Plenty Of Victims

Joseph Steinberg

JANUARY 26, 2022

To do so, they ask you to perform a form of Google authentication in which, to confirm your identity, you need to provide them with a number that will be sent to your phone by either text or voice message. As such, the criminal’s request may seem innocuous, when it is anything but.

Scams

Scams Authentication Accountability Artificial Intelligence

Recent ‘MFA Bombing’ Attacks Targeting Apple Users

Krebs on Security

MARCH 26, 2024

Unnerved by the idea that he could have rolled over on his watch while sleeping and allowed criminals to take over his Apple account, Ken said he contacted the real Apple support and was eventually escalated to a senior Apple engineer. “All of my devices started blowing up, my watch, laptop and phone,” Patel told KrebsOnSecurity.

Passwords

Passwords Accountability Engineering Phishing

The Internet is Held Together With Spit & Baling Wire

Krebs on Security

NOVEMBER 26, 2021

And virtually all IRRs have disallowed its use since at least 2012, said Adam Korab , a network engineer and security researcher based in Houston. .” ” Lumen told KrebsOnSecurity that it continued offering MAIL-FROM: authentication because many of its customers still relied on it due to legacy systems.

Internet

Internet Internet Authentication Telecommunications

The Original APT: Advanced Persistent Teenagers

Krebs on Security

APRIL 6, 2022

“They would just keep jamming a few individuals to get [remote] access, read some onboarding documents, enroll a new 2FA [two-factor authentication method] and exfiltrate code or secrets, like a smash-and-grab,” the CXO said. ” Like LAPSUS$, these vishers just kept up their social engineering attacks until they succeeded.

Social Engineering

Social Engineering Phishing Engineering Accountability

Breaking Laptop Fingerprint Sensors

Schneier on Security

NOVEMBER 29, 2023

They’re not that good : Security researchers Jesse D’Aguanno and Timo Teräs write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft’s own (..)

Engineering

Engineering Authentication

Microsoft Patch Tuesday, May 2022 Edition

Krebs on Security

MAY 10, 2022

“This allows attackers to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication,” Wiseman said. Greg Wiseman , product manager for Rapid7 , said Microsoft has rated this vulnerability as important and assigned it a CVSS (danger) score of 8.1 (10

Authentication

Authentication Engineering Internet Internet

Sprint Exposed Customer Support Site to Web

Krebs on Security

JANUARY 29, 2020

KrebsOnSecurity recently contacted Sprint to let the company know that an internal customer support forum called “Social Care” was being indexed by search engines, and that several months worth of postings about customer complaints and other issues were viewable without authentication to anyone with a Web browser.

Social Engineering

Social Engineering Telecommunications Data privacy Engineering

How 1-Time Passcodes Became a Corporate Liability

Krebs on Security

AUGUST 30, 2022

The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication. On that last date, Twilio disclosed that on Aug.

Mobile

Mobile Phishing Authentication Accountability

Experian’s Credit Freeze Security is Still a Joke

Krebs on Security

APRIL 26, 2021

Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian’s website, and it reminded me of how truly broken authentication and security remains in the credit bureau space. Dune Thomas is a software engineer from Sacramento, Calif. and $24.99

Authentication

Authentication Accountability Identity Theft Account Security

How to Lose a Fortune with Just One Bad Click

Krebs on Security

DECEMBER 18, 2024

Griffin said a follow-up investigation revealed the attackers had used his Gmail account to gain access to his Coinbase account from a VPN connection in California, providing the multi-factor code from his Google Authenticator app. You may also wish to download Google Authenticator to another mobile device that you control.

Cryptocurrency

Cryptocurrency Accountability Authentication Phishing

GUEST ESSAY: A primer on NIST 207A — guidance for adding ZTNA to cloud-native platforms

The Last Watchdog

MAY 24, 2023

Attendees will include cybersecurity professionals, policy makers, entrepreneurs and infrastructure engineers. Encryption in transit provides eavesdropping protection and payload authenticity. More importantly, it provides message authenticity: a bad actor cannot change the data or instructions being sent.

Authentication

Authentication Banking Architecture Encryption

Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider

Krebs on Security

JANUARY 30, 2024

2022 that an intrusion had exposed a “limited number” of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Twilio disclosed in Aug.

Social Engineering

Social Engineering Mobile Passwords Cybercrime

Strengths and Weaknesses of MFA Methods Against Cyberattacks: Part 2

Duo's Security Blog

FEBRUARY 27, 2024

The choice of which authentication methods to use is individual to every organization, but it must be informed by a clear understanding of how these methods defend against common identity threats. How MFA methods stand up to threats Threat type #1: Physical compromise Many authentication methods use device possession as a factor (i.e.,

Social Engineering

Social Engineering Authentication Phishing Engineering

Cloning Google Titan 2FA keys

Schneier on Security

JANUARY 12, 2021

Next, an attacker connects the chip to hardware and software that take measurements as the key is being used to authenticate on an existing account. The cloning also requires up to $12,000 worth of equipment and custom software, plus an advanced background in electrical engineering and cryptography.

Accountability

Accountability Authentication Software Engineering

Microsoft Patch Tuesday, November 2023 Edition

Krebs on Security

NOVEMBER 14, 2023

This weakness technically requires the attacker to be authenticated to the target’s local network, but Breen notes that a pair of phished Exchange credentials will provide that access nicely.

Social Engineering

Social Engineering Phishing Internet Internet

Google Announces Passkeys Adopted by Over 400 Million Accounts

The Hacker News

MAY 2, 2024

Google on Thursday announced that passkeys are being used by over 400 million Google accounts, authenticating users more than 1 billion times over the past two years.

Accountability

Accountability Engineering Phishing Authentication

GUEST ESSAY: The case for leveraging hardware to shore up security — via a co-processor

The Last Watchdog

MARCH 31, 2022

Seeing the flaws continue year after year, the industry began linking authentication of valid software components to the underlying hardware, or the “root of trust”. This approach allows for compromised software to be identified during the authentication process.

Artificial Intelligence

Artificial Intelligence Threat Detection Engineering Software

Failures in Twitter’s Two-Factor Authentication System

Problems with Multifactor Authentication

Trending Sources

GUEST ESSAY: Why it’s high time for us to rely primarily on passwordless authentication

Crooks bank on Microsoft’s search engine to phish customers

New Bluetooth Vulnerability

Threat actor impersonates Google via fake ad for Authenticator

Social engineering attacks target Okta customers to achieve a highly privileged role

Google Cloud to Enforce Multi-Factor Authentication by 2025 for All Users

GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

FBI, CISA Echo Warnings on ‘Vishing’ Threat

Microsoft Patch Tuesday, November 2024 Edition

GUEST ESSAY: How the ‘Scattered Spiders’ youthful ring defeated MFA to plunder Vegas

Windows Hello fingerprint authentication can be bypassed on popular laptops

4 Ways Hackers use Social Engineering to Bypass MFA

Hackers obtained user data from Twilio-owned 2FA authentication app Authy

When Low-Tech Hacks Cause High-Impact Breaches

Duo Continues to Enhance Partnership With Microsoft on New Entra ID External Authentication Methods

Hackers Stole Access Tokens from Okta’s Support Unit

Multi-factor authentication has proven it works, so what are we waiting for?

Patch Tuesday, December 2024 Edition

FBI Hacker Dropped Stolen Airbus Data on 9/11

Docker fixes critical 5-year old authentication bypass flaw

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

A Closer Look at the LAPSUS$ Data Extortion Group

Voice Phishers Targeting Corporate VPNs

GUEST ESSAY: Everything you should know about the cybersecurity vulnerabilities of AI chatbots

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

The FBI Warns About A Google Voice Scam That Is Not New, But Still Finding Plenty Of Victims

Recent ‘MFA Bombing’ Attacks Targeting Apple Users

The Internet is Held Together With Spit & Baling Wire

The Original APT: Advanced Persistent Teenagers

Breaking Laptop Fingerprint Sensors

Microsoft Patch Tuesday, May 2022 Edition

Sprint Exposed Customer Support Site to Web

How 1-Time Passcodes Became a Corporate Liability

Experian’s Credit Freeze Security is Still a Joke

How to Lose a Fortune with Just One Bad Click

GUEST ESSAY: A primer on NIST 207A — guidance for adding ZTNA to cloud-native platforms

Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider

Strengths and Weaknesses of MFA Methods Against Cyberattacks: Part 2

Cloning Google Titan 2FA keys

Microsoft Patch Tuesday, November 2023 Edition

Google Announces Passkeys Adopted by Over 400 Million Accounts

GUEST ESSAY: The case for leveraging hardware to shore up security — via a co-processor

Stay Connected