Authentication and Engineering - Cyber Security Informer

Failures in Twitter’s Two-Factor Authentication System

Schneier on Security

NOVEMBER 17, 2022

Twitter is having intermittent problems with its two-factor authentication system: Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism.

Authentication

Authentication Passwords Accountability Media

Crooks bank on Microsoft’s search engine to phish customers

Malwarebytes

NOVEMBER 4, 2024

We identified a new wave of phishing for banking credentials that targets consumers via Microsoft’s search engine. While Microsoft’s Bing only has about 4% of the search engine market share , crooks are drawn to it as an alternative to Google. We have reported the fraudulent sites to Microsoft already.

Engineering

Engineering Phishing Banking Authentication

Problems with Multifactor Authentication

Schneier on Security

OCTOBER 21, 2021

Roger Grimes on why multifactor authentication isn’t a panacea : The first time I heard of this issue was from a Midwest CEO. His organization had been hit by ransomware to the tune of $10M. Operationally, they were still recovering nearly a year later. And, embarrassingly, it was his most trusted VP who let the attackers in.

Authentication

Authentication Ransomware Social Engineering Engineering

Microsoft Patch Tuesday, November 2024 Edition

Krebs on Security

NOVEMBER 12, 2024

The second bug fixed this month that is already seeing in-the-wild exploitation is CVE-2024-43451 , a spoofing flaw that could reveal Net-NTLMv2 hashes , which are used for authentication in Windows environments. Narang notes that CVE-2024-43451 is the third NTLM zero-day so far this year.

Authentication

Authentication Engineering Malware Passwords

OT Cybersecurity and the Evolving Role of Controls Engineers

SecureWorld News

JANUARY 23, 2025

The expectations placed on control engineers have evolved significantly due to the growth in required customer requirements, stronger cybersecurity, and increasing complexity of OT environments. I am an industrial networking professional, not a controls engineer. Sure, but I do not pretend to be a controls engineer.

Engineering

Engineering Cybersecurity Manufacturing Firewall

Cisco addressed two critical flaws in its Identity Services Engine (ISE)

Security Affairs

FEBRUARY 6, 2025

Cisco addressed critical flaws in Identity Services Engine, preventing privilege escalation and system configuration changes. and CVE-2025-20125 (CVSS score of 9.1), in Identity Services Engine (ISE). In a single-node deployment, new devices will not be able to authenticate during the reload time.” Not vulnerable.

Engineering

Engineering Authentication Software Hacking

GUEST ESSAY: Why it’s high time for us to rely primarily on passwordless authentication

The Last Watchdog

JULY 24, 2023

Today, bad actors are ruthlessly skilled at cracking passwords – whether through phishing attacks, social engineering, brute force, or buying them on the dark web. The next big thing is passwordless authentication. First and foremost, most solutions rely on connected devices like mobile phones to authenticate users.

Authentication

Authentication Passwords Phishing Social Engineering

A Day in the Life of a Prolific Voice Phishing Crew

Krebs on Security

JANUARY 7, 2025

Lookout researchers discovered multiple voice phishing groups were using a new phishing kit that closely mimicked the single sign-on pages for Okta and other authentication providers. Each participant in the call has a specific role, including: -The Caller: The person speaking and trying to social engineer the target. “ Annie.”

Phishing

Phishing Cryptocurrency Accountability Social Engineering

Threat Modeling Google Cloud (Threat Model Thursday)

Adam Shostack

JANUARY 2, 2025

The list of threat actors includes both internal attacker, internal malicious user, and Google engineers. T02 Guessing of Google Cloud Platform credentials" is an action, T04 Authenticated access to Google Cloud Storage bucket is an impact. I think that means the first two are internal to the GCP customer. What can go wrong?

Engineering

Engineering Authentication

New Bluetooth Vulnerability

Schneier on Security

SEPTEMBER 17, 2020

When, say, an iPhone is getting ready to pair up with Bluetooth-powered device, CTKD’s role is to set up two separate authentication keys for that phone: one for a “Bluetooth Low Energy” device, and one for a device using what’s known as the “Basic Rate/Enhanced Data Rate” standard.

Authentication

Authentication Social Engineering Firmware Engineering

Microsoft Patch Tuesday, February 2025 Edition

Krebs on Security

FEBRUARY 11, 2025

Tenable senior staff research engineer Satnam Narang noted that since 2022, there have been nine elevation of privilege vulnerabilities in this same Windows component — three each year — including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193).

Artificial Intelligence

Artificial Intelligence Engineering Software Internet

GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

The Last Watchdog

MARCH 1, 2023

The IT world relies on digital authentication credentials, such as API keys, certificates, and tokens, to securely connect applications, services, and infrastructures. This requires going beyond traditional practices and involving developers, security engineers, and operations in detection, remediation, and prevention.

Authentication

Authentication CISO Passwords Software

FBI, CISA Echo Warnings on ‘Vishing’ Threat

Krebs on Security

AUGUST 21, 2020

” The perpetrators focus on social engineering new hires at the targeted company, and impersonate staff at the target company’s IT helpdesk. Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to.

VPN

VPN Social Engineering Authentication Engineering

Understanding the Deepfake Threat

SecureWorld News

FEBRUARY 13, 2025

Evolution of social engineering Social engineering exploits human psychology to manipulate individuals into revealing sensitive information or taking harmful actions. Attacks on identity verification systems Bypassing biometric security: Many organizations use facial and voice recognition for authentication.

Social Engineering

Social Engineering Authentication Identity Theft Education

Feds Charge Five Men in ‘Scattered Spider’ Roundup

Krebs on Security

NOVEMBER 21, 2024

The targeted SMS scams asked employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other phishing messages advised employees about changes to their upcoming work schedule.

Identity Theft

Identity Theft Phishing Cryptocurrency Accountability

Opening the Black Box of Risk-Based Authentication

Duo's Security Blog

JUNE 25, 2024

Duo’s Risk-Based Authentication (RBA) helps solve this by adapting MFA requirements based on the level of risk an individual login attempt poses to an organization. Risky authentications are stepped-up, and users are required to authenticate with a more secure factor. Will users get blocked?

Authentication

Authentication Risk Artificial Intelligence Engineering

Google Cloud to Enforce Multi-Factor Authentication by 2025 for All Users

The Hacker News

NOVEMBER 5, 2024

Google's cloud division has announced that it will enforce mandatory multi-factor authentication (MFA) for all users by the end of 2025 as part of its efforts to improve account security. "We

Authentication

Authentication Engineering Account Security Accountability

FBI: Spike in Hacked Police Emails, Fake Subpoenas

Krebs on Security

NOVEMBER 9, 2024

“This is social engineering at the highest level and there will be failed attempts at times. “In terms of overall social engineering attacks, the more you have a relationship with someone the more they’re going to trust you,” Donahue said. Don’t be discouraged.

Hacking

Hacking Accountability Government Social Engineering

GUEST ESSAY: How the ‘Scattered Spiders’ youthful ring defeated MFA to plunder Vegas

The Last Watchdog

NOVEMBER 19, 2023

As the companies face nine federal lawsuits for failing to protect customer data, it’s abundantly clear hackers have checkmated multi-factor authentication (MFA). But the coup de gras was how easily they brushed aside the multi-factor authentication protections. How they steamrolled multi-factor authentication is a reason for pause.

Social Engineering

Social Engineering Passwords Authentication Marketing

U.S. CISA adds CyberPanel flaw to its Known Exploited Vulnerabilities catalog

Security Affairs

DECEMBER 6, 2024

Remote attackers could bypass authentication and execute arbitrary commands by exploiting a flaw in secMiddleware , which only validates POST requests. “the threat intel search engine LeakIX reported that 21,761vulnerable CyberPanel instances were exposed online, and nearly half (10,170) were in the United States.”

DNS

DNS Authentication Ransomware Hacking

Understanding MFA Fatigue: Why Cybercriminals Are Exploiting Human Behaviour

IT Security Guru

FEBRUARY 25, 2025

A prime example is multi-factor authentication (MFA), a security process that requires users to verify their identity in two or more ways, such as a password, a code sent to their phone, or a fingerprint. Other Ways Threat Actors Exploit Human Behaviour In addition to fatigue attacks, malefactors weaponise social engineering.

Social Engineering

Social Engineering Authentication Risk Accountability

Hackers Stole Access Tokens from Okta’s Support Unit

Krebs on Security

OCTOBER 20, 2023

Okta , a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. He said that on Oct 2.,

Social Engineering

Social Engineering Engineering Accountability Hacking

Duo Continues to Enhance Partnership With Microsoft on New Entra ID External Authentication Methods

Duo's Security Blog

MAY 2, 2024

We are excited to have partnered closely with Microsoft in the co-development of Microsoft Entra ID External Authentication Methods, available in Public Preview May 2024! External Authentication Methods (EAM) enables frictionless integration of Duo’s full security feature set.

Authentication

Authentication Phishing Passwords Risk

When Low-Tech Hacks Cause High-Impact Breaches

Krebs on Security

FEBRUARY 26, 2023

GoDaddy described the incident at the time in general terms as a social engineering attack, but one of its customers affected by that March 2020 breach actually spoke to one of the hackers involved. But we do know the March 2020 attack was precipitated by a spear-phishing attack against a GoDaddy employee.

Hacking

Hacking Social Engineering Phishing Scams

Hackers obtained user data from Twilio-owned 2FA authentication app Authy

Security Affairs

JULY 4, 2024

Twilio states that threat actors have identified the phone numbers of users of its two-factor authentication app, Authy, TechCrunch reported. This week the messaging firm told TechCrunch that “threat actors” identified data of Authy users, a two-factor authentication app owned by Twilio, including their phone numbers.

Authentication

Authentication Social Engineering Phishing Accountability

Secure Identities on Any Device, Anywhere: Introducing Duo Desktop Authentication

Duo's Security Blog

OCTOBER 23, 2024

Available now in all paid Duo subscriptions The launch of Duo Mobile in the early 2010s changed how businesses enabled secure authentication. Other means of authentication outside of smartphones — hardware tokens, phone call authentication, SMS, etc. have proven to be either antiquated, expensive or vulnerable.

Authentication

Authentication Mobile Manufacturing Risk

4 Ways Hackers use Social Engineering to Bypass MFA

The Hacker News

FEBRUARY 12, 2024

When it comes to access security, one recommendation stands out above the rest: multi-factor authentication (MFA). With passwords alone being simple work for hackers, MFA provides an essential layer of protection against breaches. However, it's important to remember that MFA isn't foolproof. It can be bypassed, and it often is.

Social Engineering

Social Engineering Engineering Passwords Authentication

AI-Powered Phishing: Defending Against New Browser-Based Attacks

SecureWorld News

JANUARY 22, 2025

Additionally, these conventional tools lack the contextual awareness needed to identify sophisticated social engineering tactics employed by AI-powered phishing campaigns. Multi-factor authentication (MFA) : Enforce robust MFA protocols to add an extra layer of security.

Phishing

Phishing Threat Detection Social Engineering DNS

Glove Stealer bypasses Chrome’s App-Bound Encryption to steal cookies

Security Affairs

NOVEMBER 15, 2024

The malware could harvest a huge trove of data from infected systems, including cookies, autofill, cryptocurrency wallets, 2FA authenticators, password managers, and email client information. Researchers from Gen Digital who discovered the threat, believe it is in its early development phase.

Encryption

Encryption Password Management Cryptocurrency Social Engineering

FBI Hacker Dropped Stolen Airbus Data on 9/11

Krebs on Security

SEPTEMBER 13, 2023

Credentials stolen by info-stealers often end up for sale on cybercrime shops that peddle purloined passwords and authentication cookies (these logs also often show up in the malware scanning service VirusTotal ). USDoD’s InfraGard sales thread on Breached.

Cybercrime

Cybercrime Passwords Authentication Malware

News alert: SquareX discloses ‘Browser Syncjacking’ – a new attack to hijack browser

The Last Watchdog

JANUARY 30, 2025

The extension then silently authenticates the victim into a Chrome profile managed by the attackers Google Workspace. Once this authentication occurs, the attacker has full control over the newly managed profile in the victims browser, allowing them to push automated policies such as disabling safe browsing and other security features.

Social Engineering

Social Engineering Engineering Authentication Media

Docker fixes critical 5-year old authentication bypass flaw

Bleeping Computer

JULY 24, 2024

Docker has issued security updates to address a critical vulnerability impacting certain versions of Docker Engine that could allow an attacker to bypass authorization plugins (AuthZ) under certain circumstances. [.]

Authentication

Authentication Engineering

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

Krebs on Security

JUNE 15, 2024

.” In a SIM-swapping attack, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.

Hacking

Hacking Phishing Cybercrime Passwords

Columbus Ransomware Attack Exposes 500,000+ Residents’ Data: How to Stay Safe

eSecurity Planet

NOVEMBER 6, 2024

Rhysida went so far as to publish sample files to verify the authenticity of the data, revealing access to a trove of information, including city databases, employee credentials, cloud management files, and even the city’s traffic camera feeds.

Ransomware

Ransomware Authentication Identity Theft Penetration Testing

Voice Phishers Targeting Corporate VPNs

Krebs on Security

AUGUST 19, 2020

Allen said a typical voice phishing or “vishing” attack by this group involves at least two perpetrators: One who is social engineering the target over the phone, and another co-conspirator who takes any credentials entered at the phishing page and quickly uses them to log in to the target company’s VPN platform in real-time.

Phishing

Phishing VPN Social Engineering Media

Zero Trust: Your Best Friend in the Age of Advanced Threats

SecureWorld News

NOVEMBER 6, 2024

Google moved away from VPNs, instead using device-based authentication and continuous access verification, ensuring that each access request is authenticated. Deepfake social engineering: Deepfakes can mimic legitimate users to manipulate access. Take Google's BeyondCorp as an example.

Social Engineering

Social Engineering Authentication Architecture Ransomware

The Front Door Just Got a Lot Harder to Break Into: Announcing Passwordless Authentication for Windows Logon

Duo's Security Blog

MAY 15, 2024

We’ve heard some version of this phrase many times over, whether it pertains to a bad actor physically breaking into a secured building or socially engineering an unsuspecting victim to provide access to protected information. “The best way to break in is through the front door.” a password) and something you have (i.e., a registered device).

Authentication

Authentication Social Engineering Passwords Engineering

A Closer Look at the LAPSUS$ Data Extortion Group

Krebs on Security

MARCH 23, 2022

Microsoft says LAPSUS$ — which it boringly calls “ DEV-0537 ” — mostly gains illicit access to targets via “social engineering.” ” This involves bribing or tricking employees at the target organization or at its myriad partners, such as customer support call centers and help desks.

Social Engineering

Social Engineering Accountability Mobile Passwords

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Krebs on Security

NOVEMBER 21, 2020

In response to questions from KrebsOnSecurity, GoDaddy acknowledged that “a small number” of customer domain names had been modified after a “limited” number of GoDaddy employees fell for a social engineering scam. authenticate the phone call before sensitive information can be discussed. and 11:00 p.m.

Cryptocurrency

Cryptocurrency VPN Scams Social Engineering

LW ROUNDTABLE: Predictive analytics, full-stack visualization to solidify cyber defenses in 2025

The Last Watchdog

DECEMBER 18, 2024

Organizations face rising risks of AI-driven social engineering and personal device breaches. Our research reveals 69% of breaches are rooted in inadequate authentication and 78% of organizations have been targeted by identity-based attacks. As compute costs decrease, autonomous operations and AI-discovered zero-day exploits loom.

Risk

Risk Threat Detection Technology Phishing

The FBI Warns About A Google Voice Scam That Is Not New, But Still Finding Plenty Of Victims

Joseph Steinberg

JANUARY 26, 2022

To do so, they ask you to perform a form of Google authentication in which, to confirm your identity, you need to provide them with a number that will be sent to your phone by either text or voice message. As such, the criminal’s request may seem innocuous, when it is anything but.

Scams

Scams Authentication Accountability Artificial Intelligence

Recent ‘MFA Bombing’ Attacks Targeting Apple Users

Krebs on Security

MARCH 26, 2024

Unnerved by the idea that he could have rolled over on his watch while sleeping and allowed criminals to take over his Apple account, Ken said he contacted the real Apple support and was eventually escalated to a senior Apple engineer. “All of my devices started blowing up, my watch, laptop and phone,” Patel told KrebsOnSecurity.

Passwords

Passwords Accountability Engineering Phishing

Microsoft Patch Tuesday, May 2022 Edition

Krebs on Security

MAY 10, 2022

“This allows attackers to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication,” Wiseman said. Greg Wiseman , product manager for Rapid7 , said Microsoft has rated this vulnerability as important and assigned it a CVSS (danger) score of 8.1 (10

Authentication

Authentication Engineering Internet Internet

Breaking Laptop Fingerprint Sensors

Schneier on Security

NOVEMBER 29, 2023

They’re not that good : Security researchers Jesse D’Aguanno and Timo Teräs write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft’s own (..)

Engineering

Engineering Authentication

Failures in Twitter’s Two-Factor Authentication System

Crooks bank on Microsoft’s search engine to phish customers

Trending Sources

Problems with Multifactor Authentication

Microsoft Patch Tuesday, November 2024 Edition

OT Cybersecurity and the Evolving Role of Controls Engineers

Cisco addressed two critical flaws in its Identity Services Engine (ISE)

GUEST ESSAY: Why it’s high time for us to rely primarily on passwordless authentication

A Day in the Life of a Prolific Voice Phishing Crew

Threat Modeling Google Cloud (Threat Model Thursday)

New Bluetooth Vulnerability

Microsoft Patch Tuesday, February 2025 Edition

GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

FBI, CISA Echo Warnings on ‘Vishing’ Threat

Understanding the Deepfake Threat

Feds Charge Five Men in ‘Scattered Spider’ Roundup

Opening the Black Box of Risk-Based Authentication

Google Cloud to Enforce Multi-Factor Authentication by 2025 for All Users

FBI: Spike in Hacked Police Emails, Fake Subpoenas

GUEST ESSAY: How the ‘Scattered Spiders’ youthful ring defeated MFA to plunder Vegas

U.S. CISA adds CyberPanel flaw to its Known Exploited Vulnerabilities catalog

Understanding MFA Fatigue: Why Cybercriminals Are Exploiting Human Behaviour

Hackers Stole Access Tokens from Okta’s Support Unit

Duo Continues to Enhance Partnership With Microsoft on New Entra ID External Authentication Methods

When Low-Tech Hacks Cause High-Impact Breaches

Hackers obtained user data from Twilio-owned 2FA authentication app Authy

Secure Identities on Any Device, Anywhere: Introducing Duo Desktop Authentication

4 Ways Hackers use Social Engineering to Bypass MFA

AI-Powered Phishing: Defending Against New Browser-Based Attacks

Glove Stealer bypasses Chrome’s App-Bound Encryption to steal cookies

FBI Hacker Dropped Stolen Airbus Data on 9/11

News alert: SquareX discloses ‘Browser Syncjacking’ – a new attack to hijack browser

Docker fixes critical 5-year old authentication bypass flaw

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

Columbus Ransomware Attack Exposes 500,000+ Residents’ Data: How to Stay Safe

Voice Phishers Targeting Corporate VPNs

Zero Trust: Your Best Friend in the Age of Advanced Threats

The Front Door Just Got a Lot Harder to Break Into: Announcing Passwordless Authentication for Windows Logon

A Closer Look at the LAPSUS$ Data Extortion Group

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

LW ROUNDTABLE: Predictive analytics, full-stack visualization to solidify cyber defenses in 2025

The FBI Warns About A Google Voice Scam That Is Not New, But Still Finding Plenty Of Victims

Recent ‘MFA Bombing’ Attacks Targeting Apple Users

Microsoft Patch Tuesday, May 2022 Edition

Breaking Laptop Fingerprint Sensors

Stay Connected