Authentication, InfoSec and Passwords - Cyber Security Informer

Still Using Passwords? Get Started with Phishing-Resistant, Passwordless Authentication Now!

Cisco Security

NOVEMBER 2, 2022

Going beyond the hype, passwordless authentication is now a reality. Cisco Duo’s passwordless authentication is now generally available across all Duo Editions. “ Cisco Duo simplifies the passwordless journey for organizations that want to implement phishing-resistant authentication and adopt a zero trust security strategy.

Authentication

Authentication Passwords Phishing Mobile

World Password Day and the importance of password integrity

Webroot

MAY 3, 2022

Passwords have become a common way to access and manage our digital lives. Having a password allows you to securely access your information, pay bills or connect with friends and family on various platforms. However, having a password alone is not enough. Your passwords also need to be managed and protected.

Passwords

Passwords Identity Theft Password Management Antivirus

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

Troy Hunt

FEBRUARY 4, 2024

” This one, as far as infosec stories go, had me leaning and muttering like never before. That's not unprecedented, but this is: password: "$2y$10$B0EhY/bQsa5zUYXQ6J.NkunGvUfYeVOH8JM1nZwHyLPBagbVzpEM2", No way! Is that genuinely a bcrypt hash of my own password? Weak passwords like. "spoutible"

Passwords

Passwords Accountability Backups Data breaches

Webinars

How to Avoid Pitfalls In Automation: Keep Humans In the Loop

MORE WEBINARS

Hacking Grindr Accounts with Copy and Paste

Troy Hunt

OCTOBER 2, 2020

I asked for technical detail so I could validated the authenticity of his claim and the info duly arrived. The account takeover all began with the Grindr password reset page: I entered Scott's address, solved a Captcha and then received the following response: I've popped open the dev tools because the reset token in the response is key.

Accountability

Accountability Hacking Passwords InfoSec

"Pwned", the Book, is Finally Here!

Troy Hunt

SEPTEMBER 8, 2022

Captivating stuff, apart from infosec, you really feel as though you’ve been taken on a journey with Troy through the years of living in paradise a.k.a. Great to see a book deliver this authenticity - we're all only human after all! I haven't been able to put the book down. This book has it all.

InfoSec

InfoSec Password Management Passwords IoT

SolarWinds blaming intern for leaked password is symptom of ‘security failures’

SC Magazine

MARCH 2, 2021

House Oversight and Homeland Security committees last week, SolarWinds’s former and current CEOs blamed an intern for creating a weak FTP server password and leaking it on GitHub – an act which may or may not have contributed to a supply chain hack that impacted users of the tech firm’s Orion IT performance monitoring platform.

Passwords

Passwords Password Management CISO InfoSec

Authy Breach: What It Means for You, RockYou 2024 Password Leak

Security Boulevard

JULY 14, 2024

In episode 338, we discuss the recent breach of the two-factor authentication provider Authy and its implications for users. We also explore a massive password list leak titled ‘Rock You 2024’ that has surfaced online. The post Authy Breach: What It Means for You, RockYou 2024 Password Leak appeared first on Security Boulevard.

Passwords

Passwords Authentication Social Engineering Data privacy

No Password Microsoft Accounts, Facebook Smart Glasses, Security.txt Internet Standard

Security Boulevard

SEPTEMBER 26, 2021

The post No Password Microsoft Accounts, Facebook Smart Glasses, Security.txt Internet Standard appeared first on The Shared Security Show. The post No Password Microsoft Accounts, Facebook Smart Glasses, Security.txt Internet Standard appeared first on The Shared Security Show.

Internet

Internet Internet Passwords Accountability

The Race to the Bottom of Credential Stuffing Lists; Collections #2 Through #5 (and More)

Troy Hunt

FEBRUARY 11, 2019

rows of email addresses and passwords in total, but only 1.6B Incidentally, Lorenzo who wrote that Motherboard piece is a top-notch infosec journo I've worked with many times before and he reported accurately in that piece.) The exposed data included email addresses and passwords stored as salted MD5 hashes. There were 2.7B

Passwords

Passwords Data breaches Media InfoSec

Records of 45 million+ travelers to Thailand and Malaysia surfaced in the darkweb

Security Affairs

JULY 13, 2020

Records of 45 Million+ travelers to Thailand and Malaysia Leaked on #Darkweb (Blog Link) [link] #infosec #leaks #CyberSecurity pic.twitter.com/zHOujQ8CMm — Cyble (@AuCyble) July 12, 2020. The huge trove of data was discovered by the researchers during their regular Deepweb and Darkweb monitoring activity.

Mobile

Mobile InfoSec Data breaches Advertising

Password Managers Under Attack, Shady Reward Apps on Google Play, Meta Account Center 2FA Bypass

Security Boulevard

FEBRUARY 5, 2023

The attacks on password managers and their users continue as Bitwarden and 1Password users have reported seeing paid ads for phishing sites in Google search results for the official login page of the password management vendors.

Password Management

Password Management Passwords Accountability Phishing

Veridium Named Winner in the Coveted Global InfoSec Awards During RSA Conference 2021

CyberSecurity Insiders

MAY 22, 2021

NEW YORK–( BUSINESS WIRE )– Veridium , a leading developer of frictionless, passwordless authentication solutions, is proud to announce that it’s won the 2021 Global InfoSec Award in the category of Next-Gen in Passwordless Authentication. “We Veridium is thrilled to be a member of this coveted group of winners.

InfoSec

InfoSec B2C B2B Authentication

I'm Testifying in Front of Congress in Washington DC about Data Breaches - What Should I Say?

Troy Hunt

NOVEMBER 21, 2017

Obviously, the work I've been doing with Have I Been Pwned (HIBP) has given me a heap of insight into this specific area of infosec over the last 4 years and the folks from DC felt my views on things might be helpful. That was all great and I was happy to share my thoughts from the other side of the world.

Data breaches

Data breaches InfoSec Backups IoT

Bot list with Telnet credentials for more than 500,000 servers and IoT devices leaked online

Security Affairs

JANUARY 19, 2020

This is the biggest leak of Telnet passwords even reported. The list includes the IP address, username and password for the Telnet service for each device. The list appears to be the result of an Internet scan for devices using default credentials or easy-to-guess passwords. ” reported ZDNet. ” reported ZDNet.

IoT

IoT DDOS InfoSec Internet

OAuth: Your Guide to Industry Authorization and Authentication

eSecurity Planet

APRIL 20, 2021

Nearly a decade ago, the cyber industry was toiling over how to enable access for users between applications and grant access to specific information about the user for authentication and authorization purposes. and authentication-focused OpenID Connect (OIDC). Also Read: Passwordless Authentication 101. Not visible to user.

Authentication

Authentication Mobile Accountability Encryption

HP Device Manager flaws expose Windows systems to hack

Security Affairs

OCTOBER 4, 2020

The vulnerabilities have been reported to HP by the infosec researchers Nick Bloor, an attacker could chain the three issues to achieve SYSTEM privileges on targeted devices and potentially take over them. The issue does not impact customers who use Active Directory authenticated accounts. ” reads the HP’s advisory.

Hacking

Hacking Accountability Passwords Advertising

Expert discloses 4 zero-days in IBM Data Risk Manager

Security Affairs

APRIL 21, 2020

“The IDRM Linux virtual appliance was analysed and it was found to contain four vulnerabilities, three critical risk and one high risk: Authentication Bypass Command Injection Insecure Default Password Arbitrary File Download. The latest version Agile InfoSec has access to is 2.0.3, ” the expert wrote on GitHub.

Risk

Risk Authentication Advertising InfoSec

Happy 13th Birthday, KrebsOnSecurity!

Krebs on Security

DECEMBER 29, 2022

I seem to be doing most of that activity now on Mastodon , which appears to have absorbed most of the infosec refugees from Twitter, and in any case is proving to be a far more useful, civil and constructive place to post such things. For a variety of reasons, I will no longer be sharing these updates on Twitter. ” SEPTEMBER.

Cryptocurrency

Cryptocurrency Cybercrime Computers and Electronics Scams

Hackers Could Cause ‘Fake Earthquakes’ by Exploiting Vulnerable Seismic Equipment, Researchers Warn

Hot for Security

FEBRUARY 16, 2021

Non-encrypted data, insecure protocols and poor user authentication mechanisms are among the security issues that leave seismological networks open to breaches, the authors note.

IoT

IoT InfoSec Data collection Encryption

Charting a Course to Zero Trust Maturity: 5 Steps to Securing User Access to Apps

Duo's Security Blog

OCTOBER 6, 2023

Threat actors have dramatically escalated their attacks – targeting security controls like multi-factor authentication (MFA), conducting wily social engineering attacks and extorting businesses large and small with ransomware. Since then, teams have had years to adjust to this new reality, yet the attackers have as well.

Authentication

Authentication Risk Social Engineering InfoSec

Cisco was hacked by the Yanluowang ransomware gang

Security Affairs

AUGUST 10, 2022

The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account.” cybersecurity #infosec #ransomware pic.twitter.com/kwrfjbwbkT — CyberKnow (@Cyberknow20) August 10, 2022.

Ransomware

Ransomware Hacking VPN Phishing

Kia Security Flaw Exposed, NIST’s New Password Guidelines

Security Boulevard

OCTOBER 6, 2024

Also covered are NIST’s updated password guidelines, eliminating complexity rules and […] The post Kia Security Flaw Exposed, NIST’s New Password Guidelines appeared first on Shared Security Podcast. The post Kia Security Flaw Exposed, NIST’s New Password Guidelines appeared first on Security Boulevard.

Passwords

Passwords Authentication Data privacy Cyber threats

SonicWall issues firmware patch after attackers exploited critical bugs

SC Magazine

FEBRUARY 3, 2021

x firmware, which malicious actors exploited in a cyberattack against the infosec firm last month. . Those who do upgrade the firmware are advised to “reset the passwords for any users who may have logged in to the device via the web interface” as well as enable multi-factor authentication. 31 and Feb.

Firmware

Firmware Mobile InfoSec Passwords

Protect IT—A Combination of Security Culture and Cyber Hygiene Good Practices

Thales Cloud Protection & Licensing

OCTOBER 24, 2019

These guidelines should include the following: Set up a Strong Password Policy. One of the most common ways by which malicious actors perpetrate account takeover (ATO) fraud is via password brute forcing attacks. Infosec personnel should also help employees store those passwords safely such as via the use of a password manager.

Security Awareness

Security Awareness InfoSec Passwords Accountability

Evolving Identity: Why Legacy IAM May Not Be Fit for Purpose

CyberSecurity Insiders

APRIL 21, 2021

Most home users have their computer configuration set to allow full access to everything once a password is entered. Every information security professional has been on the receiving end of a frustrated person who does not understand the reasons for password complexity. The InfoSec Perspective. Beyond The Yes And No.

Passwords

Passwords Information Security Engineering Authentication

Threat actors found a way to bypass mitigation F5 BIG-IP CVE-2020-5902 flaw

Security Affairs

JULY 8, 2020

This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.” reads the advisory published by F5.

Advertising

Advertising InfoSec Government Healthcare

Spotlight Podcast: Breaking Bad Password Habits to Fight Advanced Threats

The Security Ledger

SEPTEMBER 26, 2019

Also: Breaking Bad Security Habits Spotlight Podcast: Security Automation is (and isn’t) the Future of Infosec Spotlight Podcast: Rethinking Your Third Party Cyber Risk Strategy. The world has changed tremendously since then, as has authentication. Stronger authentication is a good first step.

Passwords

Passwords Authentication InfoSec Accountability

CISA adds Plex Media Server bug, exploited in LastPass attack, to Known Exploited Vulnerabilities Catalog

Security Affairs

MARCH 13, 2023

The three-year-old high-severity flaw is a deserialization of untrusted data in Plex Media Server on Windows, a remote, authenticated attacker can trigger it to execute arbitrary Python code. CISAgov added #CVE -2020-5741 & CVE-2021-39144 to the Known Exploited Vulnerabilities Catalog. in May 2020.

Media

Media InfoSec Password Management Engineering

The LLM Misinformation Problem I Was Not Expecting

SecureWorld News

DECEMBER 21, 2023

False authentication protocols Another example of non-vetted AI results includes how some online content inaccurately describes authentication, creating misinformation that continues to confuse students. For instance, some AI LLM results describe Lightweight Directory Access Protocol (LDAP) as an authentication type.

Artificial Intelligence

Artificial Intelligence Architecture Authentication Education

Scattered Spider x RansomHub: A New Partnership

Digital Shadows

OCTOBER 23, 2024

Figure 3: Scattered Spider attack timeline Social Engineering: Fool Me Once, Fool Me Twice To gain initial access to the target network, the threat actor called the organization’s IT help desk and persuaded staff to reset the CFO’s account password. This isn’t the first time we’ve seen Scattered Spider target password managers.

Social Engineering

Social Engineering Engineering Accountability Backups

Episode 145: Veracode CTO Chris Wysopal and Life After Passwords with Plurilock

The Security Ledger

MAY 8, 2019

Also: we continue our series on life after the password by speaking to Ian Paterson, the CEO of behavioral authentication vendor Plurilock. Also: we continue our series on life after the password by speaking to Ian Paterson, the CEO of behavioral authentication vendor Plurilock. The Persistence of Passwords.

Passwords

Passwords Password Management Authentication InfoSec

Spotlight on Cybersecurity Leaders: Randy Raw

SecureWorld News

MARCH 31, 2022

Randy is a CISSP and is active in the Central Missouri InfoSec community. Answer: Use multi-factor authentication everywhere (preferably better than what we have now). Randy is a proponent of risk-based, layered security measures that utilize both preventative and detective approaches to achieve the right solution for the organization.

Cybersecurity

Cybersecurity InfoSec Authentication DDOS

Celebrate Identity Management Day by Taking Identity Security Seriously

CyberSecurity Insiders

APRIL 8, 2022

When InfoSec people refer to the CIA of cybersecurity, they’re usually talking about the Confidentiality, Integrity, and Availability of the data we work to protect and not the three-letter government entity. Those steps can become overwhelming for small businesses with staff shortages, small budgets or limited time.

Small Business

Small Business InfoSec Password Management Data breaches

Is India's Aadhaar System Really "Hack-Proof"? Assessing a Publicly Observable Security Posture

Troy Hunt

JANUARY 10, 2018

But getting onto the title of this section, the page in question is the E-Aadhaar authentication page (also geo-blocked). This is poor form as it can break tools that encourage good security practices such as password managers. Let them paste passwords! Why do websites do this? link] — NCSC UK (@ncsc) January 8, 2018.

Hacking

Hacking Government Encryption Risk

Ransomware gang hits 49ers’ network before Super Bowl kick off

Malwarebytes

FEBRUARY 14, 2022

infosec #cybersecurity #threatintel #cyber #NFL pic.twitter.com/tl7OWM2Aqf — CyberKnow (@Cyberknow20) February 12, 2022. The BlackByte ransomware gang has already claimed responsibility for the attack by leaking a small number of files it claims to have been stolen. Smart marketing tbh.

Ransomware

Ransomware Backups Encryption InfoSec

News Alert: Adaptive Shield to showcase new ITDR platform for SaaS at Black Hat USA

The Last Watchdog

JULY 30, 2024

On May 27, a threat group announced the sale of 560 million stolen records from targeted attacks on single-factor authentication users in Snowflake. While these public links were password protected, had expiration dates, and usage tracking, they were still accessible to unauthorized users.

Threat Detection

Threat Detection Accountability InfoSec Technology

US Cyber Command warns of Iran-linked hackers exploiting CVE-2017-11774 Outlook flaw

Security Affairs

JULY 2, 2019

Malware is currently delivered from: 'hxxps://customermgmt.net/page/macrocosm' #cybersecurity #infosec — USCYBERCOM Malware Alert (@CNMF_VirusAlert) July 2, 2019. The alert refers to an ongoing activity aimed at infecting government networks by exploiting the CVE-2017-11774 Outlook vulnerability. The attacks are targeting U.S.

Energy and Utilities

Energy and Utilities Malware Advertising InfoSec

RCE vulnerability in OpenSSH – RegreSSHion (CVE-2024-6387)

Pen Test Partners

JULY 1, 2024

There has been a lot of talk on various infosec news feeds about the RegreSSHion vulnerability. Use Strong Authentication: Enhance security by using key-based authentication and disabling password-based logins where possible. The flaw results from importer input validation in OpenSSH’s handling of SSH connections.

InfoSec

InfoSec Authentication VPN Firewall

RSA Conference 2021: Resilience

Duo's Security Blog

APRIL 5, 2021

Ask three infosec pros and you’ll get three different answers. Presented by Duo Head of Advisory CISOs Wendy Nather, and Partner and Co-Founder at the Cyentia Institute, Wade Baker, this keynote explores the survey answers of 4,800 infosec professionals evaluating security program performance. What makes a successful security program?

CISO

CISO InfoSec Financial Services Marketing

I’d TAP That Pass

Security Boulevard

MARCH 29, 2023

Read First: Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods - Microsoft Entra Microsoft identity platform and OAuth2.0 On our red team engagements and penetration tests, conditional access policies (CAP) often hinder our ability to directly authenticate as a target user.

Authentication

Authentication VPN Passwords Social Engineering

CSO of the Year | Dan Meacham helps Legendary Entertainment’s movie magic live safely in the cloud

SC Magazine

MAY 3, 2021

Godzilla vs. Kong may be an epic match-up, but it’s nothing compared to the ongoing battle between infosec professionals and emerging cloud-based threats. If they can pass this authentication process, then they don’t even need a password to log in. Kong and other popular films such as The Dark Knight and Jurassic World.

CSO

CSO InfoSec Media Authentication

OSINT in 60 seconds. Mind reading on TV

Pen Test Partners

JANUARY 29, 2024

Some easily accessible breaches are over a decade old and hold passwords which are no longer in use, were invalid at time of capture, or have been incorrectly cross referenced to accounts that the users have no knowledge of. A grand day out We really enjoyed working with Alexis.

Passwords

Passwords Scams Media Accountability

Project Svalbard, Have I Been Pwned and its Ongoing Independence

Troy Hunt

MARCH 2, 2020

These were companies spanning all sorts of different industries; big tech, general infosec, antivirus, hosting, finance, e-commerce, cyber insurance - I could go on. I built and launched the authenticated API and payment process (I really should have doe this earlier, I'm so happy with it!) The point is the net was cast very wide.

Data breaches

Data breaches Marketing Cyber Insurance InfoSec

Personal Cybersecurity Concerns for 2023

Security Through Education

JANUARY 18, 2023

The Cybersecurity & Infrastructure Security Agency , lists the following 4 steps to protect yourself: Implement multi-factor authentication on your accounts and make it significantly less likely you’ll get hacked. Use strong passwords, and ideally a password manager to generate and store unique passwords.

Cybersecurity

Cybersecurity Social Engineering Scams IoT

Still Using Passwords? Get Started with Phishing-Resistant, Passwordless Authentication Now!

World Password Day and the importance of password integrity

Webinars

Trending Sources

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

Webinars

Hacking Grindr Accounts with Copy and Paste

"Pwned", the Book, is Finally Here!

SolarWinds blaming intern for leaked password is symptom of ‘security failures’

Authy Breach: What It Means for You, RockYou 2024 Password Leak

No Password Microsoft Accounts, Facebook Smart Glasses, Security.txt Internet Standard

The Race to the Bottom of Credential Stuffing Lists; Collections #2 Through #5 (and More)

Records of 45 million+ travelers to Thailand and Malaysia surfaced in the darkweb

Password Managers Under Attack, Shady Reward Apps on Google Play, Meta Account Center 2FA Bypass

Veridium Named Winner in the Coveted Global InfoSec Awards During RSA Conference 2021

I'm Testifying in Front of Congress in Washington DC about Data Breaches - What Should I Say?

Bot list with Telnet credentials for more than 500,000 servers and IoT devices leaked online

OAuth: Your Guide to Industry Authorization and Authentication

HP Device Manager flaws expose Windows systems to hack

Expert discloses 4 zero-days in IBM Data Risk Manager

Happy 13th Birthday, KrebsOnSecurity!

Hackers Could Cause ‘Fake Earthquakes’ by Exploiting Vulnerable Seismic Equipment, Researchers Warn

Charting a Course to Zero Trust Maturity: 5 Steps to Securing User Access to Apps

Cisco was hacked by the Yanluowang ransomware gang

Kia Security Flaw Exposed, NIST’s New Password Guidelines

SonicWall issues firmware patch after attackers exploited critical bugs

Protect IT—A Combination of Security Culture and Cyber Hygiene Good Practices

Evolving Identity: Why Legacy IAM May Not Be Fit for Purpose

Threat actors found a way to bypass mitigation F5 BIG-IP CVE-2020-5902 flaw

Spotlight Podcast: Breaking Bad Password Habits to Fight Advanced Threats

CISA adds Plex Media Server bug, exploited in LastPass attack, to Known Exploited Vulnerabilities Catalog

The LLM Misinformation Problem I Was Not Expecting

Scattered Spider x RansomHub: A New Partnership

Episode 145: Veracode CTO Chris Wysopal and Life After Passwords with Plurilock

Spotlight on Cybersecurity Leaders: Randy Raw

Celebrate Identity Management Day by Taking Identity Security Seriously

Is India's Aadhaar System Really "Hack-Proof"? Assessing a Publicly Observable Security Posture

Ransomware gang hits 49ers’ network before Super Bowl kick off

News Alert: Adaptive Shield to showcase new ITDR platform for SaaS at Black Hat USA

US Cyber Command warns of Iran-linked hackers exploiting CVE-2017-11774 Outlook flaw

RCE vulnerability in OpenSSH – RegreSSHion (CVE-2024-6387)

RSA Conference 2021: Resilience

I’d TAP That Pass

CSO of the Year | Dan Meacham helps Legendary Entertainment’s movie magic live safely in the cloud

OSINT in 60 seconds. Mind reading on TV

Project Svalbard, Have I Been Pwned and its Ongoing Independence

Personal Cybersecurity Concerns for 2023

Stay Connected