Security

Godort , (edited) in If the Internet were to be redesigned, what would you change to improve security?

Stop using email as a trusted authentication source.

This is a case where using it was super convenient because you could have a personal identifier, an easy way to contact the user, and be reasonably sure that password resets would only reach the intended user all in one convenient plaintext string.

However, it's also a single point of failure: if a malicious actor can get access to your email account, they can get access to most of your other accounts that use that same address.

Edit: MFA being available in more places has reduced the risk of this happening, assuming that you use it and it's also deployed correctly, i.e. it can't be reset from the same email address that your password resets go to.

HenchmanNumber3 , in If the Internet were to be redesigned, what would you change to improve security?

Top down design of protocols by a security- and privacy-conscious organization rather than leaving security to corporations as a side item or PR campaign topic when their primary focuses are marketing, advertising, data collection, and intellectual property.

tyler , in This iOS Trojan Is Harvesting Facial-Recognition Data

An Android version was also uncovered with even more capabilities. However, the malware isn’t circulating on official app stores. Nor does it exploit any iOS vulnerabilities. Instead, the creators of the malware have been tricking victims into installing the malicious app and then granting all the necessary configurations, including powerful device permissions via Apple's TestFlight or Mobile Device Management profile system.

So… not malware or a Trojan. Just a regular app that people are being tricked into installing, then tricked into setting up MDM…

I thought for sure this was going to be a security flaw. Turns out the security is fine.

deforestgump , in This iOS Trojan Is Harvesting Facial-Recognition Data

Is this how we get Face/Off 2?

randompasta , in This iOS Trojan Is Harvesting Facial-Recognition Data

Steal a password and I can change it. Steal your face and listen to the Grateful Dead.

Helix , in Twilio Authy Desktop app, new death date

You can use Bitwarden or even KeePassXC to generate OTPs on the desktop.

With the Aegis Android app you can even use your phone in addition to that.

ohto , in Twilio Authy Desktop app, new death date

What?? That’s a month away. That feels really unprofessional and doesn’t foster trust in the company, which is really important when you’re in the security field.

When I heard the news about killing the desktop apps in August I immediately started transitioning my accounts to use the TOTP authenticator built into Bitwarden. Now I’m really glad I did.

FirstCircle OP ,

Long-time Bitwarden customer, and I did the exact same thing. Prior to that I hadn't even been aware of the OTP functionality in the BW desktop app. Glad I made the move early and don't have to scramble now. This new deadline is going to be a real pain for a lot of Authy desktop users. Weird that the company didn't even feel the need to explain to users the reason for the drastic EOL change. I've used some of their voice/SMS services in the past, but if I need that kind of thing in the future I'm going to have a good look around at the competitors before I write a line of code or open my wallet again.

some_guy , in Nearly half the French population have data nabbed in massive breach

If you think your PII hasn't been breached yet, you're living in a fantasy.

ETA: which is not to suggest disinterest or that regulation isn't needed. Just that this is no longer news.

const_void , in Nearly half the French population have data nabbed in massive breach

We need regulation for data security. This is getting out of hand.

autotldr Bot , in Nearly half the French population have data nabbed in massive breach

This is the best summary I could come up with:


Payments outfits Viamedis and Almerys both experienced breaches of their systems in late January, the National Commission on Informatics and Liberty (CNIL) revealed, leading to the theft of data belonging to more than 33 million customers.

"This is the first time that there has been a violation of this magnitude [in France]," Yann Padova, digital data protection lawyer and former secretary general of the CNIL told French radio network Franceinfo.

The CNIL said that it's working with Viamedis and Almerys to ensure those affected are informed – as is required under the EU's General Data Protection Regulation – but it'll likely take some time to get the word out to nearly half the country.

The government plans to pursue "all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero," Canadian public safety officials declared after a summit this week on combating auto theft.

Dennis was sentenced in Florida in 2022 for using fake IDs populated with real information to open bank accounts and take out fraudulent loans, in one case making off with $20k in cash using another person's identity.

Dennis didn't just buy and use stolen PII, though – he also crafted it into profiles to sell to other criminals, and offered guidance on how to use the dodgy dossiers to commit bank fraud.


The original article contains 720 words, the summary contains 228 words. Saved 68%. I'm a bot and I'm open source!

Tristaniopsis , in Nearly half the French population have data nabbed in massive breach

“AHH! LE FROMAGE MERDE!!!”

leanleft , in Linux Foundation Launches Initiative to Advance Post-Quantum Cryptography | L...

https://en.wikipedia.org/wiki/Forward_secrecy

although unfortunately:
"Forward secrecy is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations. However, forward secrecy cannot defend against a successful cryptanalysis of the underlying ciphers being used, since a cryptanalysis consists of finding a way to decrypt an encrypted message without the key, and forward secrecy only protects keys, not the ciphers themselves.[7] A patient attacker can capture a conversation whose confidentiality is protected through the use of public-key cryptography and wait until the underlying cipher is broken (e.g. large quantum computers could be created which allow the discrete logarithm problem to be computed quickly). This would allow the recovery of old plaintexts even in a system employing forward secrecy."

lemmyseizethemeans , in Netherlands reveals Chinese spies attacked its defense dept

When Americans do it they are 'script kiddies'. When China does it, it's 'state sponsored' or something.

wahming ,

If you had bothered reading the article, the methods used are extremely advanced. Nothing 'script kiddy' about it.

jlow , in Hackers Exploit Job Boards, Stealing Millions of Resumes and Personal Data

Just train an LLM with it and suddenly it's not stealing anymore!

autotldr Bot , in Netherlands reveals Chinese spies attacked its defense dept

This is the best summary I could come up with:


Dutch authorities are lifting the curtain on an attempted cyberattack last year at its Ministry of Defense (MoD), blaming Chinese state-sponsored attackers for the espionage-focused intrusion.

According to the MIVD and AIVD, the RAT operates outside of traditional detection measures and acts as a second-stage malware, mainly to establish persistent access for attackers, surviving reboots and firmware upgrades.

In the cybersecurity advisory published today, authorities said the malware was highly stealthy and difficult to detect using default FortiGate CLI commands, since Coathanger hooks most system calls that could identify it as malicious.

"MIVD and AIVD emphasize that this incident does not stand on its own, but is part of a wider trend of Chinese political espionage against the Netherlands and its allies," the advisory reads.

After gaining an initial foothold inside the network, which was used by the MOD's research and development division, the attackers performed reconnaissance and stole a list of user accounts from the Active Directory server.

For those worried about whether Chinese cyberspies are lurking in their firewall, the Joint Signal Cyber Unit of the Netherlands (JCSU-NL) published a full list of indicators of compromise (IOCs) and various detection methods on its GitHub page.


The original article contains 731 words, the summary contains 197 words. Saved 73%. I'm a bot and I'm open source!
