Accountability, Authentication, Presentation and Risk

GUEST ESSAY: Where we stand on mitigating software risks associated with fly-by-wire jetliners

The Last Watchdog

AUGUST 29, 2023

Here’s what you should know about the risks, what aviation is doing to address those risks, and how to overcome them. It is difficult to deny that cyberthreats are a risk to planes. Risks delineated Still, there have been many other incidents since. Fortunately, there are ways to address the risks.

Software

Software Risk Artificial Intelligence Engineering

Hacking Grindr Accounts with Copy and Paste

Troy Hunt

OCTOBER 2, 2020

Another demonstration of how valuable Grindr data is came last year when the US gov deemed that Chinese ownership of the service constituted a national security risk. The vulnerability allow an attacker to hijack any account. I asked for technical detail so I could validated the authenticity of his claim and the info duly arrived.

Accountability

Accountability Hacking Passwords InfoSec

Your Google Account allows you to create passkeys on your phone, computer and security keys

Google Security

MAY 2, 2024

Sriram Karra and Christiaan Brand, Google product managers Last year, Google launched passkey support for Google Accounts. Today, we announced that passkeys have been used to authenticate users more than 1 billion times across over 400 million Google Accounts. This post will seek to clarify these topics.

Accountability

Accountability Passwords Authentication Password Management

Webinars

Reimagining Cybersecurity Training: Driving Real Impact on Security Culture

MORE WEBINARS

What Is Two-Factor Authentication (2FA) and Why Should You Use It?

IT Security Guru

OCTOBER 26, 2023

Enter Two-Factor Authentication, or 2FA for short. It’s a security method that requires you to present not one but two forms of ID before granting you access. Then, your account will ask for a secondary code, usually sent via SMS to your phone. Go to your account settings and look for the security section. Sorry, hackers!

Authentication

Authentication Passwords Mobile VPN

Microsoft: Slow MFA adoption presents “dangerous mismatch” in security

Malwarebytes

FEBRUARY 9, 2022

Multi-factor authentication (MFA) has been around for many years now, but few enterprises have fully embraced it. In fact, according to Microsoft’s inaugural “ Cyber Signals ” report, only 22 percent of all its Azure Active Directory (AD) enterprise clients have adopted two-factor authentication (2FA), a form of MFA.

Authentication

Authentication Social Engineering Passwords Accountability

Challenges of User Authentication: What You Need to Know

Security Affairs

SEPTEMBER 7, 2022

In the digital age, authentication is paramount to a strong security strategy. Which are the challenges of user authentication? In the digital age, authentication is paramount to a strong security strategy. User authentication seems easy, but there are inherent challenges to be aware of. User Authentication.

Authentication

Authentication Passwords Risk Education

The Risk of Weak Online Banking Passwords

Krebs on Security

AUGUST 5, 2019

If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. Crooks are constantly probing bank Web sites for customer accounts protected by weak or recycled passwords.

Banking

Banking Passwords Risk Password Management

Hackers Steal Session Cookies to Bypass Multi-factor Authentication

eSecurity Planet

AUGUST 19, 2022

One new tactic hackers have been using is to steal cookies from current or recent web sessions to bypass multi-factor authentication (MFA). Even cloud infrastructures rely on cookies to authenticate their users. Browsers allow users to maintain authentication, remember passwords and autofill forms. How Hackers Steal Cookies.

Authentication

Authentication Password Management Passwords Malware

Patch now! Ivanti Endpoint Manager Mobile Authentication vulnerability used in the wild

Malwarebytes

JULY 27, 2023

The CVE assigned to this vulnerability is: CVE-2023-35078 ( CVSS score 10 out of 10): Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, allows remote attackers to obtain Personally Identifiable Information (PII) , add an administrative account, and change the configuration because of an authentication bypass, as exploited in the wild.

Mobile

Mobile Authentication Government Software

You get a passkey, you get a passkey, everyone should get a passkey

Malwarebytes

MAY 3, 2024

Microsoft is rolling out passkey support for all consumer accounts. After enabling them in Windows 11 last year, Microsoft account owners can now generate passkeys across multiple platforms including Windows, Android, and iOS. You’ll be presented with a QR code to scan with the selected device. Choose Remove.

Accountability

Accountability Passwords Phishing Authentication

Kroll Employee SIM-Swapped for Crypto Investor Data

Krebs on Security

AUGUST 25, 2023

Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. The unfortunate result of the SIM-swap against the Kroll employee is that people who had financial ties to BlockFi, FTX, or Genesis now face increased risk of becoming targets of SIM-swapping and phishing attacks themselves.

Mobile

Mobile Cyber Risk Cryptocurrency Data breaches

Reachability and Risk: Tools for Security Leaders

Security Boulevard

MAY 19, 2022

It’s a way to understand if, 1) a vulnerability is present, and 2) Can an attacker actually get to it. It is impossible to manage security posture without considering two key factors in any potential vulnerability or security flaw: reachability and risk. In general, without reachability, there is less risk.

Risk

Risk Software Accountability Engineering

Team Liquid’s wiki leak exposes 118K users

Security Affairs

JANUARY 12, 2024

According to researchers, the leak revealed an authentication server with login details and information on Liquipedia’s users along with authentication details for Liquipedia admins. Alongside user information, administrator-level details were also present in the “clients” collection.

Authentication

Authentication Media Accountability Encryption

Why Security Fatigue Is a Huge Cybersecurity Risk

Security Boulevard

JULY 19, 2023

Security fatigue is a major risk for businesses. Overworked admins, who may be managing many thousands of identities and privileges, are often forced to give blanket permissions, which can lead to over-privileged or unauthorized access – an enormous risk in any organization. However, overcomplicating security can be just as damaging.

Risk

Risk Cybersecurity Data breaches Authentication

3 Steps to Prevent a Case of Compromised Credentials

Duo's Security Blog

MAY 23, 2023

Passwords are a weak point in modern-day secure authentication practices, with Verizon highlighting that almost 50% of breaches start with compromised credentials. Until a fully password-free environment is deployed, accepted, and adopted by all users, less secure methods of authentication will still be relied on.

Authentication

Authentication Passwords Data breaches Phishing

Voice Cloning Conundrum: Navigating Deepfakes in Synthetic Media

SecureWorld News

MAY 5, 2024

AI voice cloning enables stunningly realistic impersonation, posing critical fraud and identity theft risks. This technology's capabilities have expanded rapidly, garnering significant attention both for its potential benefits and its risks.

Media

Media Authentication Identity Theft Engineering

The Problem With One-Time Passcodes

Duo's Security Blog

FEBRUARY 15, 2024

Multi-factor authentication (MFA) is a well-known and well-established protection that many organizations rely on. Several common authentication methods include the use of one-time passcodes (OTP). The attacker then calls the user, and says "This is your helpdesk, I need to confirm your account, can you please confirm your OTP?"

Social Engineering

Social Engineering Authentication Passwords Engineering

Your Phone May Soon Replace Many of Your Passwords

Krebs on Security

MAY 7, 2022

Apple , Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. “I worry about forgotten password recovery for cloud accounts.”

Passwords

Passwords Authentication Accountability Mobile

Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials

Elie

NOVEMBER 9, 2017

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Drawing upon Google as a case study, we find 7–25% of exposed passwords match a victim’s Google account. million potential victims of phishing kits; and 1.9

Data breaches

Data breaches Phishing Risk Malware

Top 10 web application vulnerabilities in 2021–2023

SecureList

MARCH 12, 2024

Broken Authentication 5. Broken Authentication 5. Distribution of Broken Access Control vulnerabilities by risk level, 2021–2023 ( download ) Almost half of the Broken Access Control vulnerabilities carried a medium risk level, and 37%, a high risk level. Broken Access Control 2. Broken Access Control 2.

Passwords

Passwords Authentication Architecture Risk

Multiple Brocade SANnav SAN Management SW flaws allow device compromise

Security Affairs

APRIL 28, 2024

An unauthenticated, remote attacker can exploit the vulnerability to log in to a vulnerable device using the root account and execute arbitrary commands. then) and confirmed that all the previously rejected vulnerabilities were still present in the version 2.2.2 Brocade SANnav OVA before v2.3.1, Brocade SANnav OVA before v2.3.1,

Firewall

Firewall Authentication Architecture Backups

GUEST ESSAY: Addressing data leaks and other privacy, security exposures attendant to M&As

The Last Watchdog

JANUARY 27, 2022

Underlying all of this optimism, however, is the ever-present threat of cyberattack. Throughout this period, the risk level of the acquirer is much higher than the acquired company, creating a major cybersecurity gap as they merge their tech stack and security tools together. They can be divided into two categories: Pre-Close Risks.

Marketing

Marketing Data privacy Risk Accountability

CI/CD Pipeline is Major Software Supply Chain Risk: Black Hat Researchers

eSecurity Planet

AUGUST 15, 2022

The presentation at last week’s Black Hat security conference by NCC’s Iain Smart and Viktor Gazdag, titled “RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise,” builds on previous work NCC researchers have done on compromised CI/CD pipelines. CI/CD Approaches Create Risk.

Software

Software Risk Marketing Encryption

Why TOTP Won’t Cut It (And What to Consider Instead)

NetSpi Technical

JANUARY 18, 2024

In this article we’ll explore security risks of TOTP and an alternative 2FA method to increase security. Time-Based One-Time Password (TOTP) Time-Based One-Time Password (TOTP) is a common two-factor authentication (2FA) mechanism used across the internet. Would the app still let me authenticate? Why yes, it did.

Authentication

Authentication Passwords Accountability Penetration Testing

Github rotated credentials after the discovery of a vulnerability

Security Affairs

JANUARY 17, 2024

We recognize the impact these had on our customers that rely on GitHub and have improved our credential rotation procedures to reduce the risk of unplanned downtime going forward.” The issue also impacts Enterprise Server (GHES), but an authenticated user This vulnerability is also present on GitHub Enterprise Server (GHES).

Authentication

Authentication Encryption Accountability Risk

American Express warns customers about third party data breach

Malwarebytes

MARCH 5, 2024

The account information of some card holders may have fallen into the wrong hands. The accessed information includes account numbers, names, and card expiration dates. American Express is advising customers to carefully review their account for fraudulent activity. Below are some steps you can take to protect your account.

Data breaches

Data breaches Passwords Accountability Identity Theft

The 2024 Duo Trusted Access Report: Navigating Complexity

Duo's Security Blog

FEBRUARY 6, 2024

In partnership with the Cyentia Institute, Duo analyzed data from more than 16 billion authentications, spanning nearly 52 million different browsers, on 58 million endpoints and 21 million unique phones across regions including North America, Latin America, Europe, the Middle East, and Asia Pacific. Why should you care about identity sprawl?

Authentication

Authentication Accountability Threat Detection Risk

9 Possible Ways Hackers Can Use Public Wi-Fi to Steal Your Sensitive Data

Security Affairs

FEBRUARY 12, 2024

Exploring the Risks: Unveiling 9 Potential Techniques Hackers Employ to Exploit Public Wi-Fi and Compromise Your Sensitive Data We’ve all used public Wi-Fi: it’s convenient, saves our data, and speeds up browsing. They might even lock you out of your own accounts by resetting your passwords.

DNS

DNS VPN Encryption Passwords

Cisco IOS XE vulnerability widely exploited in the wild

Malwarebytes

OCTOBER 17, 2023

An authentication bypass affecting Cisco IOS X was disclosed on October 16, 2023. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.

Internet

Internet Internet Wireless Accountability

MY TAKE: Why companies should care about 2.2 billion stolen credentials circulating in easy reach

The Last Watchdog

FEBRUARY 1, 2019

The clear and present risk to the average consumer or small business owner is that his or here stolen account credentials will surface in one or more credential stuffing campaigns. And once they do, they swiftly try to gain access to accounts on other popular services. Two-factor authentication, or even better, FIDO/U2F.”

Small Business

Small Business Passwords Authentication Accountability

A Beginner's Guide to 2FA and MFA

Approachable Cyber Threats

JANUARY 24, 2022

Category Cybersecurity Fundamentals Risk Level. What is Multi-factor Authentication (MFA)?” Today, many people when they sign up for a new account for an internet-based service are asked to pick a password to help secure their account from unauthorized access. Let’s dive in!

Authentication

Authentication Passwords Accountability Mobile

Identity Thieves Bypassed Experian Security to View Credit Reports

Krebs on Security

JANUARY 9, 2023

Normally at this point, Experian’s website would present four or five multiple-guess questions, such as “Which of the following addresses have you lived at?” It’s also worth mentioning that reports of hijacked Experian.com accounts persisted into late 2022. ” Sen.

Identity Theft

Identity Theft Accountability Authentication Web Fraud

Dependabot impersonators cause trouble on GitHub

Malwarebytes

SEPTEMBER 29, 2023

GitHub is experiencing issues of the “breached account and malicious code” variety. ITPro reports that unnamed individuals have been compromising accounts and using them to install malware capable of password theft. Additionally, existing JavaScript files already present in the project are tampered with to add malware.

Accountability

Accountability Scams Social Engineering Passwords

Gamblers’ data compromised after casino giant Strendus fails to set password

Security Affairs

NOVEMBER 15, 2023

The Cybernews research team discovered that Strendus, a Mexican-licensed online casino, had left public access to 85GB of its authentication logs, with hundreds of thousands of entries containing private gamblers’ data. The leaked IP addresses introduce the risk of a takeover of a local network. Amount of leaked data. Amount of IoC.

Passwords

Passwords Identity Theft Social Engineering Spyware

Would You Have Fallen for This Phone Scam?

Krebs on Security

APRIL 28, 2020

But you probably didn’t know that these fraudsters also can use caller ID spoofing to trick your bank into giving up information about recent transactions on your account — data that can then be abused to make their phone scams more believable and expose you to additional forms of identity theft.

Scams

Scams Banking Accountability Financial Services

Taking on the Next Generation of Phishing Scams

Google Security

MAY 11, 2022

Posted by Daniel Margolis, Software Engineer, Google Account Security Team Every year, security technologies improve: browsers get better , encryption becomes ubiquitous on the Web , authentication becomes stronger. As phishing adoption has grown, multi-factor authentication has become a particular focus for attackers.

Phishing

Phishing Scams Authentication Accountability

Free Smartwatches Are Vector to Hit Military Personnel with Malware

SecureWorld News

JUNE 23, 2023

In this economy, no one is sending out free gadgets for funsies, so the arrival of an unexpected package should raise suspicions and warrant investigation into the authenticity or identity of the sender. Malware may be present which accesses both voice and cameras, enabling actors access to conversations and accounts tied to the smartwatches.

Malware

Malware Banking Authentication Accountability

RSAC insights: Software tampering escalates as bad actors take advantage of ‘dependency confusion’

The Last Watchdog

JUNE 3, 2022

They then were able to trick some 18,000 companies into deploying an authentically-signed Orion update carrying a heavily-obfuscated backdoor. Left unpatched, Log4Shell, presents a ripe opportunity for a bad actor to carry out remote code execution attacks, Pericin told me. Obfuscated tampering.

Software

Software Internet Internet System Administration

Google strengthens its Workplace suite protection

Malwarebytes

AUGUST 28, 2023

Late last year, changes were made to try and catch out an attacker rifling through Google accounts and attempting to access certain critical settings or functionality. When an account (any account, not just one offered by Google) is taken over, there’s going to be a specific flow the compromiser makes use of.

Accountability

Accountability Passwords Backups Authentication

PCI DSS 4.0: The Compliance Countdown – A Roadmap Through Phases 1 & 2

Thales Cloud Protection & Licensing

APRIL 10, 2024

presents an opportunity to future-proof your payment card security. Its heightened focus on flexibility and risk-based controls empowers organizations to tailor security measures more closely to their individual needs. Risk Assessment Reevaluation : PCI DSS 4.0 stresses targeted, risk-based controls. PCI DSS 4.0:

Risk

Risk Encryption Firewall Cybersecurity

Why TOTP Won’t Cut It (And What to Consider Instead)

NetSpi Technical

JANUARY 18, 2024

In this article we’ll explore security risks of TOTP and an alternative 2FA method to increase security. Time-Based One-Time Password (TOTP) Time-Based One-Time Password (TOTP) is a common two-factor authentication (2FA) mechanism used across the internet. Would the app still let me authenticate? Why yes, it did.

Authentication

Authentication Passwords Accountability Phishing

Wear your MASQ! New Device Fingerprint Spoofing Tool Available in Dark Web

Security Affairs

JUNE 15, 2021

The Resecurity® HUNTER unit has identified a new tool available for sale in the Dark Web called MASQ , enabling bad actors to emulate device fingerprints thus allowing them to bypass fraud protection controls, including authentication mechanisms. All of that – can be easily be spoofed and bypassed with help of the new MASQ tool.

Mobile

Mobile Authentication Accountability Cyber threats

Watch out, ransomware attack risk increases on holidays and weekends, FBI and CISA

Security Affairs

SEPTEMBER 1, 2021

“Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack. Using multi-factor authentication. The post Watch out, ransomware attack risk increases on holidays and weekends, FBI and CISA appeared first on Security Affairs. Updating OS and software.

Ransomware

Ransomware Risk Encryption Passwords

Financial cyberthreats in 2023

SecureList

MAY 6, 2024

With trillions of dollars of digital payments made every year, it is no wonder that attackers target electronic wallets, online shopping accounts and other financial assets, inventing new techniques and reusing good old ones. Online shopping brands were the most popular lure, accounting for 41.65% of financial phishing attempts.

Phishing

Phishing Banking Mobile Scams

GUEST ESSAY: Where we stand on mitigating software risks associated with fly-by-wire jetliners

Hacking Grindr Accounts with Copy and Paste

Webinars

Trending Sources

Your Google Account allows you to create passkeys on your phone, computer and security keys

Webinars

What Is Two-Factor Authentication (2FA) and Why Should You Use It?

Microsoft: Slow MFA adoption presents “dangerous mismatch” in security

Challenges of User Authentication: What You Need to Know

The Risk of Weak Online Banking Passwords

Hackers Steal Session Cookies to Bypass Multi-factor Authentication

Patch now! Ivanti Endpoint Manager Mobile Authentication vulnerability used in the wild

You get a passkey, you get a passkey, everyone should get a passkey

Kroll Employee SIM-Swapped for Crypto Investor Data

Reachability and Risk: Tools for Security Leaders

Team Liquid’s wiki leak exposes 118K users

Why Security Fatigue Is a Huge Cybersecurity Risk

3 Steps to Prevent a Case of Compromised Credentials

Voice Cloning Conundrum: Navigating Deepfakes in Synthetic Media

The Problem With One-Time Passcodes

Your Phone May Soon Replace Many of Your Passwords

Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials

Top 10 web application vulnerabilities in 2021–2023

Multiple Brocade SANnav SAN Management SW flaws allow device compromise

GUEST ESSAY: Addressing data leaks and other privacy, security exposures attendant to M&As

CI/CD Pipeline is Major Software Supply Chain Risk: Black Hat Researchers

Why TOTP Won’t Cut It (And What to Consider Instead)

Github rotated credentials after the discovery of a vulnerability

American Express warns customers about third party data breach

The 2024 Duo Trusted Access Report: Navigating Complexity

9 Possible Ways Hackers Can Use Public Wi-Fi to Steal Your Sensitive Data

Cisco IOS XE vulnerability widely exploited in the wild

MY TAKE: Why companies should care about 2.2 billion stolen credentials circulating in easy reach

A Beginner's Guide to 2FA and MFA

Identity Thieves Bypassed Experian Security to View Credit Reports

Dependabot impersonators cause trouble on GitHub

Gamblers’ data compromised after casino giant Strendus fails to set password

Would You Have Fallen for This Phone Scam?

Taking on the Next Generation of Phishing Scams

Free Smartwatches Are Vector to Hit Military Personnel with Malware

RSAC insights: Software tampering escalates as bad actors take advantage of ‘dependency confusion’

Google strengthens its Workplace suite protection

PCI DSS 4.0: The Compliance Countdown – A Roadmap Through Phases 1 & 2

Why TOTP Won’t Cut It (And What to Consider Instead)

Wear your MASQ! New Device Fingerprint Spoofing Tool Available in Dark Web

Watch out, ransomware attack risk increases on holidays and weekends, FBI and CISA

Financial cyberthreats in 2023

Stay Connected