Authentication and Software - Cyber Security Informer

Leaving Authentication Credentials in Public Code

Schneier on Security

NOVEMBER 16, 2023

Seth Godin wrote an article about a surprisingly common vulnerability: programmers leaving authentication credentials and other secrets in publicly accessible software code: Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000 projects submitted to PyPI, the official code (..)

Authentication

Authentication Cryptocurrency Accountability Software

MY TAKE: Businesses gravitate to ‘passwordless’ authentication — widespread consumer use up next

The Last Watchdog

MAY 24, 2022

Perhaps not coincidently, it comes at a time when enterprises have begun adopting passwordless authentication systems in mission-critical parts of their internal operations. Fortifications, such as multi-factor authentication (MFA) and password managers, proved to be mere speed bumps. Coming advances.

Authentication

Authentication Passwords Banking Digital transformation

Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software

Krebs on Security

JULY 8, 2021

The attackers exploited a vulnerability in software from Kaseya , a Miami-based company whose products help system administrators manage large networks remotely. “It’s a patch for their own software. “This is worse because the CVE calls for an authenticated user,” Holden said. And it’s not zero-day.

Software

Software Ransomware System Administration Authentication

Passwordless Authentication without Secrets!

Thales Cloud Protection & Licensing

OCTOBER 11, 2024

Passwordless Authentication without Secrets! This highlights an increasing demand for advanced authentication methods like passkeys and multi-factor authentication (MFA), which provide robust security for most use cases. Similarly, in retail and manufacturing, delays caused by authentication procedures reduce overall efficiency.

Authentication

Authentication Retail Healthcare Manufacturing

RSAC insights: Software tampering escalates as bad actors take advantage of ‘dependency confusion’

The Last Watchdog

JUNE 3, 2022

If that wasn’t bad enough, the attack surface companies must defend is expanding inwardly, as well – as software tampering at a deep level escalates. This now includes paying much closer attention to the elite threat actors who are moving inwardly to carve out fresh vectors taking them deep inside software coding. Obfuscated tampering.

Software

Software Internet Internet System Administration

GUEST ESSAY: Where we stand on mitigating software risks associated with fly-by-wire jetliners

The Last Watchdog

AUGUST 29, 2023

Related: Pushing the fly-by-wire envelope This is especially true because systems are more interconnected and use more complex commercial software than ever before, meaning a vulnerability in one system could lead to a malicious actor gaining access to more important systems. Risks delineated Still, there have been many other incidents since.

Software

Software Risk Artificial Intelligence Engineering

Threat actor impersonates Google via fake ad for Authenticator

Malwarebytes

JULY 30, 2024

If you were trying to download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the past few days, you may have inadvertently installed malware on your computer. Fake site leads to signed payload hosted on Github The fraudulent site chromeweb-authenticators[.]com

Authentication

Authentication Computers and Electronics Social Engineering Malware

ASUS Patches Critical Authentication Bypass Flaw in Multiple Router Models

The Hacker News

JUNE 17, 2024

ASUS has shipped software updates to address a critical security flaw impacting its routers that could be exploited by malicious actors to bypass authentication. Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device," out of a maximum of 10.0.

Authentication

Authentication Software

GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

The Last Watchdog

MARCH 1, 2023

The IT world relies on digital authentication credentials, such as API keys, certificates, and tokens, to securely connect applications, services, and infrastructures. According to BetterCloud, the average number of software as a service (SaaS) applications used by organizations worldwide has increased 14x between 2015 and 2021.

Authentication

Authentication CISO Passwords Software

Critical Veeam Backup Enterprise Manager authentication bypass bug

Security Affairs

MAY 22, 2024

A critical security vulnerability in Veeam Backup Enterprise Manager could allow threat actors to bypass authentication. A critical vulnerability, tracked as CVE-2024-29849 (CVSS score: 9.8), in Veeam Backup Enterprise Manager could allow attackers to bypass authentication.

Backups

Backups Authentication Accountability Software

How to Offer Secure IVR Banking and Authenticate Callers

Tech Republic Security

AUGUST 8, 2024

Discover how to safeguard IVR banking from hackers and implement secure authentication methods for customer protection. Find out how these digital alternatives benefit both customers and agents.

Banking

Banking Authentication Software Network Security

Proof-of-Concept Exploit Released for Progress Software OpenEdge Vulnerability

The Hacker News

MARCH 10, 2024

Technical specifics and a proof-of-concept (PoC) exploit have been made available for a recently disclosed critical security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer, which could be potentially exploited to bypass authentication protections. on the CVSS scoring system.

Software

Software Authentication

CVE-2024-4985 (CVSS 10): Critical Authentication Bypass Flaw Found in GitHub Enterprise Server

Penetration Testing

MAY 20, 2024

GitHub, the world’s leading software development platform, has disclosed a critical security vulnerability (CVE-2024-4985) in its self-hosted GitHub Enterprise Server (GHES) product.

Authentication

Authentication Penetration Testing Software

FBI Hacker Dropped Stolen Airbus Data on 9/11

Krebs on Security

SEPTEMBER 13, 2023

Info-stealers like RedLine typically are deployed via opportunistic email malware campaigns, and by secretly bundling the trojans with cracked versions of popular software titles made available online. Also, unless you really know what you’re doing, please don’t download and install pirated software.

Cybercrime

Cybercrime Passwords Authentication Malware

Scammers can easily phish your multi-factor authentication codes. Here’s how to avoid it

Malwarebytes

MAY 16, 2024

More and more websites and services are making multi-factor-authentication (MFA) mandatory, which makes it much harder for cybercriminals to access your accounts. A type of phishing we’re calling authentication-in-the-middle is showing up in online media. Use security software. That’s a great thing.

Authentication

Authentication Phishing Password Management Scams

VMware Flaw a Vector in SolarWinds Breach?

Krebs on Security

DECEMBER 18, 2020

government cybersecurity agencies warned this week that the attackers behind the widespread hacking spree stemming from the compromise at network software firm SolarWinds used weaknesses in other, non-SolarWinds products to attack high-value targets. National Security Agency (NSA) warned on Dec. ” Indeed, the NSA’s Dec.

Software

Software Authentication Hacking Government

Ivanti fixed a maximum severity flaw in its Endpoint Management software (EPM)

Security Affairs

SEPTEMBER 11, 2024

The software firm released security updates to address a maximum security vulnerability, tracked as CVE-2024-29847, in its Endpoint Management software (EPM). The software firm released security updates to address a maximum security vulnerability, tracked as CVE-2024-29847, in its Endpoint Management software (EPM).

Software

Software Authentication IoT Hacking

Email Security Flaw Found in the Wild

Schneier on Security

NOVEMBER 21, 2023

TAG has observed four different groups exploiting the same bug to steal email data, user credentials, and authentication tokens. To ensure protection against these types of exploits, TAG urges users and organizations to keep software fully up-to-date and apply security updates as soon as they become available.

Authentication

Authentication Government Software

Cell Phone Location Privacy

Schneier on Security

JANUARY 15, 2021

Monthly: The user pays their bill to the MVNO (credit card or otherwise) and the phone gets anonymous authentication (using Chaum blind signatures) tokens for each time slice (e.g., If it’s valid, the MVNO tells the MNO that the user is authenticated, and the user receives a temporary random ID and an IP address.

Surveillance

Surveillance Mobile Authentication VPN

Using Fake Reviews to Find Dangerous Extensions

Krebs on Security

MAY 29, 2021

Here’s the story of how bogus reviews on a counterfeit Microsoft Authenticator browser extension exposed dozens of other extensions that siphoned personal and financial data. A counterfeit version of CapCut , a professional video editing software suite, claimed nearly 24,000 downloads over a similar time period.

Accountability

Accountability Authentication Scams Software

Progress Software fixed critical RCE CVE-2024-6327 in the Telerik Report Server

Security Affairs

JULY 25, 2024

Progress Software addressed a critical remote code execution vulnerability, tracked as CVE-2024-6327, in the Telerik Report Server. Progress Software addressed a critical remote code execution flaw, tracked as CVE-2024-6327 (CVSS score of 9.9), in the Telerik Report Server that can be exploited to compromise vulnerable devices.

Software

Software Authentication Hacking Accountability

Latest on the SVR’s SolarWinds Hack

Schneier on Security

JANUARY 5, 2021

Initial estimates were that Russia sent its probes only into a few dozen of the 18,000 government and private networks they gained access to when they inserted code into network management software made by a Texas company named SolarWinds. The October files, distributed to customers on Oct.

Hacking

Hacking System Administration Software Surveillance

Ivanti fixed a maximum severity flaw in its Endpoint Management software (EPM)

Security Affairs

SEPTEMBER 11, 2024

The software firm released security updates to address a maximum security vulnerability, tracked as CVE-2024-29847, in its Endpoint Management software (EPM). The software firm released security updates to address a maximum security vulnerability, tracked as CVE-2024-29847, in its Endpoint Management software (EPM).

Software

Software Authentication IoT Hacking

M1 Chip Vulnerability

Schneier on Security

JUNE 15, 2022

The attack shows that pointer authentication can be defeated without leaving a trace, and as it utilizes a hardware mechanism, no software patch can fix it.

Artificial Intelligence

Artificial Intelligence Authentication Software Malware

10 Behaviors That Will Reduce Your Risk Online

Daniel Miessler

MAY 14, 2020

A password manager is a piece of software that creates all these for you, keeps them stored safely, and then fills them in for you automatically when you need to log in. Keep your firmware and software updated. Keep all of your software and hardware religiously updated. Enable two-factor authentication on all critical accounts.

Risk

Risk Password Management Passwords Accountability

Microsoft Patch Tuesday, November 2024 Edition

Krebs on Security

NOVEMBER 12, 2024

Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. The second bug fixed this month that is already seeing in-the-wild exploitation is CVE-2024-43451 , a spoofing flaw that could reveal Net-NTLMv2 hashes , which are used for authentication in Windows environments.

Authentication

Authentication Engineering Malware Passwords

On the Insecurity of ES&S Voting Machines’ Hash Code

Schneier on Security

MARCH 16, 2021

Andrew Appel and Susan Greenhalgh have a blog post on the insecurity of ES&S’s software authentication system: It turns out that ES&S has bugs in their hash-code checker: if the “reference hashcode” is completely missing, then it’ll say “yes, boss, everything is fine” instead of reporting an error.

Authentication

Authentication Software

More SolarWinds News

Schneier on Security

FEBRUARY 3, 2021

Once the attackers had that initial foothold, they used a variety of complex privilege escalation and authentication attacks to exploit flaws in Microsoft’s cloud services. I don’t want to hype this defense too much without knowing a lot more, but I like the approach of verifying the software build process.

Computers and Electronics

Computers and Electronics Malware Software Government

FBI, CISA Echo Warnings on ‘Vishing’ Threat

Krebs on Security

AUGUST 21, 2020

” “The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA [2-factor authentication] or OTP [one-time passwords]. Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.

VPN

VPN Social Engineering Authentication Engineering

Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU

Troy Hunt

APRIL 26, 2021

Prepared in conjunction with the FBI, following is the recommended guidance for those that find themselves in this collection of data: Keep security software such as antivirus up to date with current definitions. Turn on 2 factor authentication wherever available. Keep operating systems and software patched.

Malware

Malware Passwords Banking Password Management

Trio of Apache Tomcat Flaws Disclosed: Authentication Bypass, HTTP/2 Request Mix-Up, and XSS Flaw

Penetration Testing

NOVEMBER 18, 2024

The Apache Software Foundation has recently disclosed three new vulnerabilities affecting Apache Tomcat, a widely-used open-source web server and servlet container.

Authentication

Authentication Software Cybersecurity

Patch Tuesday, December 2024 Edition

Krebs on Security

DECEMBER 10, 2024

Microsoft today released updates to plug at least 70 security holes in Windows and Windows software, including one vulnerability that is already being exploited in active attacks. The security firm Rapid7 notes there have been a series of zero-day elevation of privilege flaws in CLFS over the past few years.

Engineering

Engineering Authentication Software Accountability

Microsoft Patch Tuesday, June 2020 Edition

Krebs on Security

JUNE 9, 2020

Microsoft today released software patches to plug at least 129 security holes in its Windows operating systems and supported software, by some accounts a record number of fixes in one go for the software giant.

Authentication

Authentication Software Backups Accountability

Adobe, Apple, Google & Microsoft Patch 0-Day Bugs

Krebs on Security

SEPTEMBER 12, 2023

Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe , Google Chrome and Apple iOS users may have their own zero-day patching to do. More details are at Adobe’s advisory.

Spyware

Spyware Software Surveillance Authentication

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

Krebs on Security

JUNE 15, 2024

.” In a SIM-swapping attack, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.

Hacking

Hacking Phishing Cybercrime Passwords

A Closer Look at the LAPSUS$ Data Extortion Group

Krebs on Security

MARCH 23, 2022

For a fee, the willing accomplice must provide their credentials and approve the MFA prompt or have the user install AnyDesk or other remote management software on a corporate workstation allowing the actor to take control of an authenticated system. ” LAPSUS$ recruiting insiders via its Telegram channel. .

Social Engineering

Social Engineering Accountability Mobile Passwords

Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails

Krebs on Security

MARCH 2, 2021

today released software updates to plug four security holes that attackers have been using to plunder email communications at companies that use its Exchange Server products. Web shells are essentially software backdoors that allow attackers to steal data and perform additional malicious actions that lead to further compromise.

Internet

Internet Internet Software Education

Ubiquiti All But Confirms Breach Response Iniquity

Krebs on Security

APRIL 4, 2021

But some of that shine started to come off recently for Ubiquiti’s more security-conscious customers after the company began pushing everyone to use a unified authentication and access solution that makes it difficult to administer these devices without first authenticating to Ubiquiti’s cloud infrastructure. And on Jan.

Authentication

Authentication IoT Accountability Passwords

Seized Genesis Market Data is Now Searchable in Have I Been Pwned, Courtesy of the FBI and "Operation Cookie Monster"

Troy Hunt

APRIL 5, 2023

We implement two factor authentication. Use multifactor authentication. Never download or install illegal software. When installing legal software, always check that the website is genuine. Cybercriminals then use this data for purposes ranging from identity theft to phishing attacks to credential stuffing.

Marketing

Marketing Passwords Authentication Accountability

Microsoft Patch Tuesday, November 2023 Edition

Krebs on Security

NOVEMBER 14, 2023

Microsoft today released updates to fix more than five dozen security holes in its Windows operating systems and related software, including three “zero day” vulnerabilities that Microsoft warns are already being exploited in active attacks.

Social Engineering

Social Engineering Phishing Internet Internet

Data From The Qakbot Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI

Troy Hunt

AUGUST 29, 2023

Guidance for those impacted by this incident is the same tried and tested advice given after previous malware incidents: Keep security software such as antivirus up to date with current definitions. Enable multi-factor authentication where supported, at least for your most important services (email, banking, social, etc.)

Malware

Malware Passwords Password Management Antivirus

Experian’s Credit Freeze Security is Still a Joke

Krebs on Security

APRIL 26, 2021

Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian’s website, and it reminded me of how truly broken authentication and security remains in the credit bureau space. Dune Thomas is a software engineer from Sacramento, Calif. and $24.99

Authentication

Authentication Accountability Identity Theft Account Security

Microsoft Patch Tuesday, May 2022 Edition

Krebs on Security

MAY 10, 2022

Microsoft today released updates to fix at least 74 separate security problems in its Windows operating systems and related software. “This allows attackers to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication,” Wiseman said.

Authentication

Authentication Engineering Internet Internet

GUEST ESSAY: An assessment of how ‘Gen-AI’ has begun to transform DevSecOps

The Last Watchdog

NOVEMBER 14, 2023

Combining DevSecOps with Generative Artificial Intelligence (Gen-AI) holds the potential to transform both software development and cybersecurity protocols. This frees up the DevSecOps teams to focus on higher-order tasks, such as testing and developing new authentication features.

Artificial Intelligence

Artificial Intelligence Software Engineering Cybersecurity

Leaving Authentication Credentials in Public Code

MY TAKE: Businesses gravitate to ‘passwordless’ authentication — widespread consumer use up next

Trending Sources

Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software

Passwordless Authentication without Secrets!

RSAC insights: Software tampering escalates as bad actors take advantage of ‘dependency confusion’

GUEST ESSAY: Where we stand on mitigating software risks associated with fly-by-wire jetliners

Threat actor impersonates Google via fake ad for Authenticator

ASUS Patches Critical Authentication Bypass Flaw in Multiple Router Models

GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

Critical Veeam Backup Enterprise Manager authentication bypass bug

How to Offer Secure IVR Banking and Authenticate Callers

Proof-of-Concept Exploit Released for Progress Software OpenEdge Vulnerability

CVE-2024-4985 (CVSS 10): Critical Authentication Bypass Flaw Found in GitHub Enterprise Server

FBI Hacker Dropped Stolen Airbus Data on 9/11

Scammers can easily phish your multi-factor authentication codes. Here’s how to avoid it

VMware Flaw a Vector in SolarWinds Breach?

Ivanti fixed a maximum severity flaw in its Endpoint Management software (EPM)

Email Security Flaw Found in the Wild

Cell Phone Location Privacy

Using Fake Reviews to Find Dangerous Extensions

Progress Software fixed critical RCE CVE-2024-6327 in the Telerik Report Server

Latest on the SVR’s SolarWinds Hack

Ivanti fixed a maximum severity flaw in its Endpoint Management software (EPM)

M1 Chip Vulnerability

10 Behaviors That Will Reduce Your Risk Online

Microsoft Patch Tuesday, November 2024 Edition

On the Insecurity of ES&S Voting Machines’ Hash Code

More SolarWinds News

FBI, CISA Echo Warnings on ‘Vishing’ Threat

Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU

Trio of Apache Tomcat Flaws Disclosed: Authentication Bypass, HTTP/2 Request Mix-Up, and XSS Flaw

Patch Tuesday, December 2024 Edition

Microsoft Patch Tuesday, June 2020 Edition

Adobe, Apple, Google & Microsoft Patch 0-Day Bugs

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

A Closer Look at the LAPSUS$ Data Extortion Group

Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails

Ubiquiti All But Confirms Breach Response Iniquity

Seized Genesis Market Data is Now Searchable in Have I Been Pwned, Courtesy of the FBI and "Operation Cookie Monster"

Microsoft Patch Tuesday, November 2023 Edition

Data From The Qakbot Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI

Experian’s Credit Freeze Security is Still a Joke

Microsoft Patch Tuesday, May 2022 Edition

GUEST ESSAY: An assessment of how ‘Gen-AI’ has begun to transform DevSecOps

Stay Connected