• chevron_right

      4 Okta customers hit by campaign that gave attackers super admin control

      news.movim.eu / ArsTechnica · Tuesday, 5 September, 2023 - 20:28

    4 Okta customers hit by campaign that gave attackers super admin control

    Enlarge (credit: Getty Images)

    Authentication service Okta said four of its customers have been hit in a recent social-engineering campaign that allowed hackers to gain control of super administrator accounts and from there weaken or entirely remove two-factor authentication protecting accounts from unauthorized access.

    The Okta super administrator accounts are assigned to users with the highest permissions inside an organization using Okta’s service. In recent weeks, Okta customers’ IT desk personnel have received calls that follow a consistent pattern of social engineering, in which attackers pose as a company insider in an attempt to trick workers into divulging passwords or doing other dangerous things. The attackers in this case call service desk personnel and attempt to convince them to reset all multi-factor authentication factors assigned to super administrators or other highly privileged users, Okta said recently .

    Two-factor authentication and multi-factor authentication, usually abbreviated as 2FA and MFA, require a biometric, possession of a physical security key, or knowledge of a one-time password in addition to a normally used password to access an account.

    Read 7 remaining paragraphs | Comments

    • chevron_right

      Still using authenticators for MFA? Software for sale can hack you anyway

      news.movim.eu / ArsTechnica · Tuesday, 14 March, 2023 - 20:09

    Software for sale is fueling a torrent of phishing attacks that bypass MFA

    Enlarge (credit: Getty Images)

    Microsoft on Tuesday profiled software for sale in online forums that makes it easy for criminals to deploy phishing campaigns that successfully compromise accounts, even when they’re protected by the most common form of multi-factor authentication.

    The phishing kit is the engine that’s powering more than 1 million malicious emails each day, researchers with the Microsoft Threat Intelligence team said . The software, which sells for $300 for a standard version and $1,000 for VIP users, offers a variety of advanced features for streamlining the deployment of phishing campaigns and increasing their chances of bypassing anti-phishing defenses.

    One of the most salient features is the built-in ability to bypass some forms of multi-factor authentication. Also known as MFA, two-factor authentication, or 2FA, this protection requires account holders to prove their identity not only with a password but also by using something only they own (such as a security key or authenticator app) or something only they are (such as a fingerprint or facial scan). MFA has become a major defense against account takeovers because the theft of a password alone isn’t sufficient for an attacker to gain control.

    Read 8 remaining paragraphs | Comments

    • chevron_right

      The time has come: GitHub expands 2FA requirement rollout March 13

      news.movim.eu / ArsTechnica · Friday, 10 March, 2023 - 22:36

    A GitHub-made image accompanying all the company's communications about 2FA.

    Enlarge / A GitHub-made image accompanying all the company's communications about 2FA. (credit: GitHub )

    Software development tool GitHub will require more accounts to enable two-factor authentication (2FA) starting on March 13 . That mandate will extend to all user accounts by the end of 2023.

    GitHub announced its plan to roll out a 2FA requirement in a blog post last May. At that time, the company's chief security officer said that it was making the move because GitHub (which is used by millions of software developers around the world across myriad industries) is a vital part of the software supply chain. Said supply chain has been subject to several attacks in recent years and months, and 2FA is a strong defense against social engineering and other particularly common methods of attack.

    When that blog post was written, GitHub revealed that only around 16.5 percent of active GitHub users used 2FA—far lower than you'd expect from technologists who ought to know the value of it.

    Read 7 remaining paragraphs | Comments

    • chevron_right

      I’m a security reporter and got fooled by a blatant phish

      news.movim.eu / ArsTechnica · Thursday, 11 August, 2022 - 22:57 · 1 minute

    This is definitely not a Razer mouse—but you get the idea.

    Enlarge / This is definitely not a Razer mouse—but you get the idea. (credit: calvio via Getty Images )

    There has been a recent flurry of phishing attacks so surgically precise and well-executed that they've managed to fool some of the most aware people working in the cybersecurity industry. On Monday, Tuesday, and Wednesday, two-factor authentication provider Twilio, content delivery network Cloudflare, and network equipment maker Cisco said phishers in possession of phone numbers belonging to employees and employee family members had tricked their employees into revealing their credentials. The phishers gained access to internal systems of Twilio and Cisco. Cloudflare's hardware-based 2FA keys prevented the phishers from accessing its systems.

    The phishers were persistent, methodical and had clearly done their homework. In one minute, at least 76 Cloudflare employees received text messages that used various ruses to trick them into logging into what they believed was their work account. The phishing website used a domain (cloudflare-okta.com) that had been registered 40 minutes before the message flurry, thwarting a system Cloudflare uses to be alerted when the domains using its name are created (presumably because it takes time for new entries to populate). The phishers also had the means to defeat forms of 2FA that rely on one-time passwords generated by authenticator apps or sent through text messages.

    Creating a sense of urgency

    Like Cloudflare, both Twilio and Cisco received text messages or phone calls that were also sent under the premise that there were urgent circumstances—a sudden change in a schedule, a password expiring, or a call under the guise of a trusted organization—necessitating that the target takes action quickly.

    Read 14 remaining paragraphs | Comments

    • chevron_right

      Coinbase erroneously reported 2FA changes to 125,000 customers

      Jim Salter · news.movim.eu / ArsTechnica · Monday, 30 August, 2021 - 22:47

    On Friday afternoon, Coinbase sent email and SMS text messages to 125,000 customers, erroneously telling them that their 2FA settings had been changed.

    Enlarge / On Friday afternoon, Coinbase sent email and SMS text messages to 125,000 customers, erroneously telling them that their 2FA settings had been changed. (credit: SOPA Images )

    Cryptocurrency exchange Coinbase sent an automated message to a large number of its customers on Friday, saying "your 2-step verification settings have been changed." Unfortunately, the message was sent in error—by Coinbase's count, 125,000 of those messages were sent (via email and SMS text) to customers whose 2FA settings had not changed.

    According to Coinbase's own acknowledgment Saturday, its system began sending the erroneous messages at 1:45PM Pacific time on Friday, and kept sending them until the error was mitigated at 3:07PM.

    In that Twitter thread, Coinbase acknowledges the mistaken 2FA messages' potential for confusion—confusion which retiree Don Pirtle told CNBC led him to panic-sell more than $60,000 of cryptocurrency. Pirtle was holding this large wallet as an investment for his grandson, so the panicked sale may have been as much blessing as curse—he now questions whether cryptocurrency was a safe investment in the first place.

    Read 5 remaining paragraphs | Comments

    • chevron_right

      Biden signs executive order to strengthen US cybersecurity

      Financial Times · news.movim.eu / ArsTechnica · Thursday, 13 May, 2021 - 15:31

    Biden signs executive order to strengthen US cybersecurity

    Enlarge (credit: Getty Images | Photographer is my life )

    Joe Biden signed an executive order on Wednesday in an attempt to bolster US cybersecurity defenses, after a number of devastating hacks including the Colonial pipeline attack revealed vulnerabilities across business and government.

    “Recent cybersecurity incidents... are a sobering reminder that US public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals,” the White House said.

    Under the order, federal agencies will be required to introduce multi-factor authentication to their systems and encrypt all data within six months in a bid to make it harder for hackers to penetrate their IT infrastructure.

    Read 10 remaining paragraphs | Comments

    • chevron_right

      Hackers can clone Google Titan 2FA keys using a side channel in NXP chips

      Dan Goodin · news.movim.eu / ArsTechnica · Friday, 8 January, 2021 - 12:59 · 1 minute

    Hackers can clone Google Titan 2FA keys using a side channel in NXP chips

    Enlarge (credit: Google)

    There’s wide consensus among security experts that physical two-factor authentication keys provide the most effective protection against account takeovers. Research published today doesn’t change that, but it does show how malicious attackers with physical possession of a Google Titan key can clone it.

    There are some steep hurdles to clear for an attack to be successful. A hacker would first have to steal a target’s account password and to also gain covert possession of the physical key for as many as 10 hours. The cloning also requires up to $12,000 worth of equipment, custom software, and an advanced background in electrical engineering and cryptography. That means the key cloning—were it ever to happen in the wild—would likely be done only by a nation-state pursuing its highest-value targets.

    “Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid [an] unnoticed security breach by attackers willing to put enough effort into it,” researchers from security firm NinjaLab wrote in a research paper published Thursday. “Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.”

    Read 15 remaining paragraphs | Comments