Still using authenticators for MFA? Software for sale can hack you anyway
news.movim.eu / ArsTechnica · Tuesday, 14 March - 20:09
Microsoft on Tuesday profiled software for sale in online forums that makes it easy for criminals to deploy phishing campaigns that successfully compromise accounts, even when they’re protected by the most common form of multi-factor authentication.
The phishing kit is the engine that’s powering more than 1 million malicious emails each day, researchers with the Microsoft Threat Intelligence team said . The software, which sells for $300 for a standard version and $1,000 for VIP users, offers a variety of advanced features for streamlining the deployment of phishing campaigns and increasing their chances of bypassing anti-phishing defenses.
One of the most salient features is the built-in ability to bypass some forms of multi-factor authentication. Also known as MFA, two-factor authentication, or 2FA, this protection requires account holders to prove their identity not only with a password but also by using something only they own (such as a security key or authenticator app) or something only they are (such as a fingerprint or facial scan). MFA has become a major defense against account takeovers because the theft of a password alone isn’t sufficient for an attacker to gain control.
The time has come: GitHub expands 2FA requirement rollout March 13
news.movim.eu / ArsTechnica · Friday, 10 March - 22:36
Software development tool GitHub will require more accounts to enable two-factor authentication (2FA) starting on March 13 . That mandate will extend to all user accounts by the end of 2023.
GitHub announced its plan to roll out a 2FA requirement in a blog post last May. At that time, the company's chief security officer said that it was making the move because GitHub (which is used by millions of software developers around the world across myriad industries) is a vital part of the software supply chain. Said supply chain has been subject to several attacks in recent years and months, and 2FA is a strong defense against social engineering and other particularly common methods of attack.
When that blog post was written, GitHub revealed that only around 16.5 percent of active GitHub users used 2FA—far lower than you'd expect from technologists who ought to know the value of it.
I’m a security reporter and got fooled by a blatant phish
news.movim.eu / ArsTechnica · Thursday, 11 August, 2022 - 22:57 · 1 minute
There has been a recent flurry of phishing attacks so surgically precise and well-executed that they've managed to fool some of the most aware people working in the cybersecurity industry. On Monday, Tuesday, and Wednesday, two-factor authentication provider Twilio, content delivery network Cloudflare, and network equipment maker Cisco said phishers in possession of phone numbers belonging to employees and employee family members had tricked their employees into revealing their credentials. The phishers gained access to internal systems of Twilio and Cisco. Cloudflare's hardware-based 2FA keys prevented the phishers from accessing its systems.
The phishers were persistent, methodical and had clearly done their homework. In one minute, at least 76 Cloudflare employees received text messages that used various ruses to trick them into logging into what they believed was their work account. The phishing website used a domain (cloudflare-okta.com) that had been registered 40 minutes before the message flurry, thwarting a system Cloudflare uses to be alerted when the domains using its name are created (presumably because it takes time for new entries to populate). The phishers also had the means to defeat forms of 2FA that rely on one-time passwords generated by authenticator apps or sent through text messages.
Creating a sense of urgency
Like Cloudflare, both Twilio and Cisco received text messages or phone calls that were also sent under the premise that there were urgent circumstances—a sudden change in a schedule, a password expiring, or a call under the guise of a trusted organization—necessitating that the target takes action quickly.
Coinbase erroneously reported 2FA changes to 125,000 customers
news.movim.eu / ArsTechnica · Monday, 30 August, 2021 - 22:47
Cryptocurrency exchange Coinbase sent an automated message to a large number of its customers on Friday, saying "your 2-step verification settings have been changed." Unfortunately, the message was sent in error—by Coinbase's count, 125,000 of those messages were sent (via email and SMS text) to customers whose 2FA settings had not changed.
According to Coinbase's own acknowledgment Saturday, its system began sending the erroneous messages at 1:45PM Pacific time on Friday, and kept sending them until the error was mitigated at 3:07PM.
In that Twitter thread, Coinbase acknowledges the mistaken 2FA messages' potential for confusion—confusion which retiree Don Pirtle told CNBC led him to panic-sell more than $60,000 of cryptocurrency. Pirtle was holding this large wallet as an investment for his grandson, so the panicked sale may have been as much blessing as curse—he now questions whether cryptocurrency was a safe investment in the first place.
Biden signs executive order to strengthen US cybersecurity
news.movim.eu / ArsTechnica · Thursday, 13 May, 2021 - 15:31
Joe Biden signed an executive order on Wednesday in an attempt to bolster US cybersecurity defenses, after a number of devastating hacks including the Colonial pipeline attack revealed vulnerabilities across business and government.
“Recent cybersecurity incidents... are a sobering reminder that US public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals,” the White House said.
Under the order, federal agencies will be required to introduce multi-factor authentication to their systems and encrypt all data within six months in a bid to make it harder for hackers to penetrate their IT infrastructure.
Hackers can clone Google Titan 2FA keys using a side channel in NXP chips
news.movim.eu / ArsTechnica · Friday, 8 January, 2021 - 12:59 · 1 minute
There’s wide consensus among security experts that physical two-factor authentication keys provide the most effective protection against account takeovers. Research published today doesn’t change that, but it does show how malicious attackers with physical possession of a Google Titan key can clone it.
There are some steep hurdles to clear for an attack to be successful. A hacker would first have to steal a target’s account password and to also gain covert possession of the physical key for as many as 10 hours. The cloning also requires up to $12,000 worth of equipment, custom software, and an advanced background in electrical engineering and cryptography. That means the key cloning—were it ever to happen in the wild—would likely be done only by a nation-state pursuing its highest-value targets.
“Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid [an] unnoticed security breach by attackers willing to put enough effort into it,” researchers from security firm NinjaLab wrote in a research paper published Thursday. “Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.”