In our last post, we covered what two-factor authentication is and why you need it. In a nutshell, it's an access validation mechanism that relies on two essentially different authentication methods. Users need two-factor authentication for more reliable protection of their accounts: while each individual authentication method is vulnerable, two (or more) of them used together make account takeover a lot more difficult. In this post, I cover the available multi-factor authentication options, give you the pros and cons of each, and recommend the most secure ones for you to keep your accounts safe.

One-time codes delivered by SMS, email or voice call

One of the most common two-factor authentication mechanisms for sign-in validation is the one-time code. These codes are usually sent in a text message to the phone number specified during registration. Email can be used for this as well but is less popular. Major services usually also offer a voice call to the phone number specified upon registration. Whatever the delivery channel, the idea is the same: to verify your ability to access some other account or phone number you specified when signing up for the service. Thus, if someone steals your password but has no access to your phone, this protection will work just fine.

Most common two-factor authentication option: one-time code delivered by text message

But this two-factor authentication mechanism has its downsides. If email is used to confirm the login, and the password for logging into it is the same as for the account you're trying to protect, you'll get very limited extra security. An attacker who knows the account's password is certain to try that password to sign in to your email too — thus getting the one-time validation code.

Validation through a phone number — whether by SMS or voice call — has a different problem: it's easy to lose access to it. Sometimes users simply forget to top up their phone account, or they lose the phone or change the number. It's also not uncommon for criminals to persuade telecom operators to give them a SIM card with the victim's phone number, thus getting access to validation codes. Text messages can also be intercepted — such cases have already been reported.
Summary: this two-factor authentication option gets the job done, but to protect the most valuable accounts — especially those related to finances — it's better to use something more reliable.

Password as second factor

Sometimes the password is not the first but the second factor. This is what messengers often do: by default, to sign in it's enough to enter the one-time code from the SMS. The password is usually optional. Optional but necessary, if you ask me. It will safeguard you against a whole bunch of potential problems in one go. Most importantly, it will protect your correspondence from accidental loss of access to the phone number you used to register in WhatsApp or Telegram. Suppose you changed your main phone number, put your old SIM card in a drawer and didn't pay for it for a long time. The operator will resell your number after a while, enabling the new owner to sign in to the messenger under your name — unless it's additionally protected with a password, of course. And sure enough, the password will give your messenger account at least some protection from hijackers who have — one way or another — gained access to your phone number.

Pre-generated list of one-time codes

Another option you may come across is a list of pre-generated one-time codes. Banks sometimes issue such lists to their clients to confirm transactions, while some internet services (such as Google) allow using them for account recovery. This can be considered a reliable mechanism: such codes are transmitted to the user extremely rarely, so there's a minimum of opportunities for interception. The codes are random, meaning they're unique, so guessing them is almost impossible. But there's the storage issue: if attackers manage to steal your list of pre-generated codes, hijacking your account or stealing money from it will be extremely easy.
List of pre-generated one-time codes for verification of bank transactions

Therefore, one-time confirmation codes should be stored in a strongbox or its electronic counterpart. For example, Kaspersky Password Manager has encrypted notes. If you save the list of one-time codes in these notes, they'll be securely protected, provided, of course, that you set a good and unique master password for Kaspersky Password Manager itself.

However, the main inconvenience of this authentication method is that if you need verification often, you'll quickly run out of pre-generated codes, which means you'll have to generate and save more and more new ones. If you maintain multiple accounts, you'll easily get confused by all those lists. Therefore, pre-generated codes as the main authentication method have been replaced by codes generated on request — just as you need them.

One-time codes from an authenticator app

On-the-fly generation of one-time codes is done by authenticators. These can sometimes be stand-alone devices with a small screen that displays the current code — some banks give such authenticators to their clients. But these days authenticator apps that run on smartphones are more popular than stand-alone devices. We have a number of posts about them:

- Authenticator apps and how they work
- Best authenticator apps for Android, iOS, Windows and macOS
- Authentication with one-time codes: pros and cons
- What to do if you lose your phone with an authenticator app

So if you're looking for information on how this authentication method works, how to select an authenticator app, and what to keep in mind once you have one, follow the links above. Here, I'll just briefly state that authenticator apps offer an optimal trade-off between convenience and security — which is making them more and more popular.
Google Authenticator: the most well-known but by far not the only authenticator app out there

Biometrics: fingerprint, face or voice

Not so long ago, for most people, biometric authentication was something exotic. However, things changed rather quickly: most smartphones can now authenticate either by fingerprint or face recognition — and it comes as no surprise. But some biometric methods may strike you as unusual: voice-, iris-, gait- and typing-habit-based authentication. Among the most original, we could recall research into odor-based authentication (though it doesn't work too well)!

Biometric authentication has a couple of serious drawbacks. First: all the characteristics it relies upon are the user's permanent properties. You can change a compromised password — you can even do it multiple times for safety's sake. But a registered fingerprint can be changed only a limited number of times — the attempts can literally be counted on the fingers of two hands. The second important issue is that biometric data is extremely sensitive — both because it is unalterable and because it allows not only authenticating a user but also identifying a person. So collection and transfer of this data to digital services should be treated with extreme caution. This is why biometric data is normally used for local authentication: stored and processed on the device to avoid transmitting it anywhere. For remote biometric authentication, the digital service would have to trust the device vendor, which services normally don't want to do. The net result is this: only Apple has a fully fledged remote biometric authentication mechanism, because the company is in full control of its ecosystem — from software development through to device fabrication.

Fingerprint sign-in: a common thing these days

But biometric authentication has one important advantage that outweighs its downsides.
If properly implemented, it makes the user's life much simpler: no more typing — just press your finger to the sensor or show your face to the camera. And it's fairly reliable too — again, if properly implemented.

Location

One more user authentication type is location. You don't have to activate this method: it's on by default. That's why it usually goes unnoticed, with the person getting alerted only if it's unsuccessful: that is, if a sign-in attempt comes from a location the service didn't expect. In that case the service may require an additional verification method.

Of course, location is not a very reliable authentication factor. Firstly, it's not very unique: lots of other people can be at the same place at any given time. Secondly, it's quite easy to manipulate, especially IP-based location as opposed to proper GPS geolocation. However, location can be used as one of the authentication factors, and many services do that.

Hardware keys FIDO U2F (aka YubiKey)

The authentication options described above have one major downside: they allow authenticating the user, but not the service. This makes them vulnerable to man-in-the-middle (MitM) attacks. Attackers can build a fake page closely imitating the sign-in mechanism of the actual service. Once the user submits their login and password, criminals promptly use those to sign in to the real website. The verification code will be the next thing the user is asked to provide — and in no time it will be used to take over the victim's account.

To deal with these kinds of threats, FIDO U2F keys were created, also known by the name of their most popular model — YubiKey. The main advantage of this method is that, during registration, the service and the U2F key remember certain information that's unique for each service as well as each user. Later, during authentication, the service must send a specific request to the key, to which the key will respond only if this request is correct.
Thus, both sides of this communication understand whether or not it's legitimate. Moreover, this authentication mechanism is based on public-key cryptography, so the whole process is well protected against falsification, interception and similar threats.

A pair of FIDO U2F keys: Yubico YubiKey (left) and Google Titan (right)

One more advantage on top of that: even though the technology is rather sophisticated and uses hardcore cryptography under the hood, it all looks very simple on the surface — from the user's point of view. Just plug the key into a USB socket (or hold it to your smartphone — such keys often support NFC) and touch a sensor pad on the key with your finger to complete authentication. Using U2F hardware keys is the most reliable authentication method available today and a recommended option for valuable accounts. That's what they do at Google: all company employees have been using such keys for their corporate accounts for over five years now.

FIDO passkeys: a password-free future, today

It's not easy but still possible to make all employees within your organization use hardware keys for authentication. Yet the method is hardly suitable for millions of regular internet users. Ordinary folks are often annoyed by the mere idea of two-factor authentication, let alone paying money for some special equipment. That is why the same FIDO Alliance, the creator of U2F keys, has developed a new authentication standard that uses passkeys in place of passwords.

In simple terms, the technology is about the same as with U2F keys, except you don't need any special device to store the authentication data. You can store passkeys basically anywhere — smartphone, computer, browser user profile or — the old-fashioned way — a USB key. You can choose to synchronize them through the cloud or not synchronize them at all, if opting for the unique passcode mode. This long list of storage options obviously makes passkeys somewhat less secure.
Just how much less — that depends on what combination of equipment and services you use. To compensate, users get this valuable advantage: passkeys don't complement account passwords, they replace them. On top of that, such authentication is still multi-factor: in addition to owning the device used to store your passkeys, you have to validate sign-in either using biometrics (if your gadget supports it) or the PIN that unlocks your device. As you can see, you cannot go completely without passwords in some cases, but at least passkeys greatly reduce their number.

The initiative's key problem is that so far it's like a patchwork quilt. Different platforms and services use very different approaches to data storage, user authentication and security as a whole. So instead of just one method, a number of different ones are used, varying greatly in terms of reliability. So it would be a bit premature to switch to passkeys completely. But you can experiment with them already: a while ago Google announced full support of passkeys for Google accounts, so if interested, anyone can see how it works in real life.

Which two-factor authentication methods are better, and other things to remember

To conclude, the key points:

- In 2023, two-factor authentication is no longer a luxury but a vital necessity. Use it wherever possible.
- Any two-factor authentication method is way better than none at all.
- Authenticator apps are optimal for two-factor authentication.
- A FIDO U2F hardware key — Yubico YubiKey, Google Titan or other — is an even better option, especially for high-value accounts.
- You can experiment with passkeys already, but it seems a bit early to fully embrace the technology.
- Therefore, it's still vital to use passwords with care: go for complex ones, don't reuse them for multiple services, and keep them safe using a password manager.
- And of course, don't forget that most two-factor authentication methods (other than U2F and passkeys) are vulnerable to phishing.
Therefore, use a reliable solution that automatically removes this threat, such as Kaspersky Premium.
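As an added example (not code from the original post, nor from Yubico, Google or the FIDO Alliance), here is the U2F-style challenge-response from the hardware-keys section above, simulated in Go with a P-256 key pair. It shows why a relayed challenge does not help a phishing page: the browser-reported origin is bound to the key handle at registration and baked into the signed data, so the key either refuses, or the real service rejects the signature. The Key, Service and Login names, the bank.example origins and the handle format are constructed for the illustration, and the message layout is simplified relative to the real U2F specification; passkeys (WebAuthn) rely on the same origin binding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// cred: the origin (U2F "AppID") a pair was enrolled for and the private key.
type cred struct {
	appID string
	priv  *ecdsa.PrivateKey // never leaves the device
}
type Key struct{ creds map[string]cred } // security key: handle -> cred
type Service struct {                     // relying party
	origin string
	regs   map[string]*ecdsa.PublicKey // handle -> public key
}
func NewKey() *Key { return &Key{creds: map[string]cred{}} }
func NewService(origin string) *Service {
	return &Service{origin, map[string]*ecdsa.PublicKey{}}
}

// signedData is what both sides sign/verify: the origin is baked in, so a
// signature made for one site can never verify at another.
func signedData(appID string, ch []byte) []byte {
	d := sha256.Sum256(append([]byte(appID+"\x00"), ch...))
	return d[:]
}

// Register: the key mints a fresh P-256 pair bound to the service origin;
// the service stores only the public key under an opaque key handle.
func (s *Service) Register(k *Key) string {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	handle := fmt.Sprintf("%x", priv.PublicKey.X) // constructed handle
	k.creds[handle] = cred{s.origin, priv}
	s.regs[handle] = &priv.PublicKey
	return handle
}

// Sign: the key answers a challenge. browserOrigin comes from the browser, not
// the page, so a phishing site cannot forge it; checkOrigin=false models a naive key.
func (k *Key) Sign(browserOrigin, handle string, ch []byte, checkOrigin bool) ([]byte, error) {
	c, ok := k.creds[handle]
	if !ok || (checkOrigin && c.appID != browserOrigin) {
		return nil, fmt.Errorf("handle not registered for %s", browserOrigin)
	}
	return ecdsa.SignASN1(rand.Reader, c.priv, signedData(browserOrigin, ch))
}

// Verify is the service side: it always checks against its OWN origin.
func (s *Service) Verify(handle string, ch, sig []byte) bool {
	pub, ok := s.regs[handle]
	return ok && ecdsa.VerifyASN1(pub, signedData(s.origin, ch), sig)
}

// Login models a sign-in with the user's browser on browserOrigin. A phishing
// site relays the real service's challenge and key handle unchanged.
func Login(k *Key, s *Service, browserOrigin, handle string, checkOrigin bool) bool {
	ch := make([]byte, 32)
	rand.Read(ch) // challenge issued by the real service
	sig, err := k.Sign(browserOrigin, handle, ch, checkOrigin)
	return err == nil && s.Verify(handle, ch, sig)
}

func main() {
	k, s := NewKey(), NewService("https://bank.example")
	h := s.Register(k)
	fmt.Println(Login(k, s, "https://bank.example", h, true), Login(k, s, "https://bank-example.test", h, true), Login(k, s, "https://bank-example.test", h, false)) // true false false
}
```

The second and third results are the two independent defences: a real key refuses a handle that was not enrolled for the reported origin, and even a key that signed anyway would produce a signature over the wrong origin, which the real service rejects.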
While not directly linked, the disparity between falling material breaches and incidents and overall security postures might partly be explained by the positive cultural gains that CISOs have observed.
In a "Reddit Files" post on the BlackCat ransomware gang's data leak site, the threat actors claim to have stolen 80 GB of compressed data from the company during the February 5th attack and now plan on leaking the data.
The malware, rented for $150/month, targets 40 web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications, 55 cryptocurrency browser extensions, Steam and Telegram credentials, and more.
Security experts at ESET stumbled across an updated version of the Android GravityRAT spyware being distributed under the guise of messaging applications such as BingeChat and Chatico. The BingeChat campaign has been ongoing since August 2022, whereas the Chatico campaign doesn't seem active anymore. GravityRAT can extract WhatsApp backups and receive commands for file deletion.
The US Department of Agriculture is investigating a “possible data breach” of a department contractor connected to a broader hack on multiple federal agencies that officials have blamed on Russian cybercriminals, a spokesperson told CNN.
Polish police officers of the country's Central Bureau for Combating Cybercrime detained two suspects believed to have been involved in operating a DDoS-for-hire service (aka booter or stresser) active since at least 2013.
Due to the complexity of the hardware supply chain, encryption chips sold by the subsidiary of a company flagged in the Entity List have found their way into the storage hardware of military and intelligence networks across the West.
Cyberattacks using malicious lookalike domains, email addresses, and other types of registered identifiers are rising, domain name system (DNS) security provider Infoblox found.
The Associated Press reported that, in response to its inquiries about the cause of the outage, Microsoft admitted that DDoS attacks orchestrated by Anonymous Sudan were the cause of the outages.
The Federal Trade Commission is accusing the genetic testing firm 1Health.io of failing to secure customers' genetic and health data and of misleading them about their ability to get their data erased.
The United Kingdom on Sunday announced a “major expansion” to its Ukraine Cyber Program, which has seen British experts provide remote incident response support to the Ukrainian government following Russian cyberattacks on critical infrastructure.
"As of now, these samples are still largely undetected and very little information is available about any of them," Bitdefender researchers Andrei Lapusneanu and Bogdan Botezatu said in a preliminary report published on Friday.
The US Department of State has offered a $10 million reward for information linking members of a Clop affiliate responsible for a recent data extortion campaign to a foreign government.
Progress Software has reported a third vulnerability in its MOVEit Transfer application. The bug, which still awaits a CVE identifier, is an SQL injection vulnerability. The company strongly advised customers to disable all HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. This precautionary measure is recommended until a patch is prepared to address the identified weakness and provide enhanced security.
The infection chain is triggered by the exploitation of vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers to infiltrate target networks.
The Palo Alto company said the $15 million Series A was led by U.S. Venture Partners (USVP) and Foundation Capital, two prominent investment firms betting on cybersecurity startups.
The malicious Android apps were discovered by Cyfirma, who attributed the operation with medium confidence to the Indian hacking group "DoNot," also tracked as APT-C-35, which has targeted high-profile firms in Southeast Asia since at least 2018.
The EIB's main site is currently down, and the bank has just released a Tweet acknowledging the issue as a 'cyber attack.' The EIB interconnection infrastructure has been allegedly disrupted.
The DcRAT malware is being distributed using explicit lures for OnlyFans pages and other adult content. DcRAT offers multiple methods of monetizing infected systems, including file stealing, credential theft, and ransomware.
Ubuntu Security Notice 6177-1 - It was discovered that Jettison incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
Red Hat Security Advisory 2023-3662-01 - The c-ares C library defines asynchronous DNS requests and provides name resolving API. Issues addressed include a denial of service vulnerability.
The automatic and mandatory-by-default reordering of OpenBSD kernels is not transactional and, as a result, a local unpatched exploit exists which allows tampering with or replacement of the kernel. Arbitrary build artifacts are cyclically relinked with no data integrity or provenance being maintained or verified for the objects being consumed with respect to the running kernel before and during the execution of the mandatory kernel_reorder process in the supplied /etc/rc and /usr/libexec scripts. The reordering occurs at the end of the installation process and also automatically every reboot cycle thereafter unless manually bypassed by a knowledgeable party.
Ubuntu Security Notice 6083-2 - USN-6083-1 fixed a vulnerability in cups-filters. This update provides the corresponding update for Ubuntu 16.04 LTS. It was discovered that cups-filters incorrectly handled the beh CUPS backend. A remote attacker could possibly use this issue to cause the backend to stop responding or to execute arbitrary code.
Ubuntu Security Notice 6166-2 - USN-6166-1 fixed a vulnerability in libcap2. This update provides the corresponding update for Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. Richard Weinberger discovered that libcap2 incorrectly handled certain long input strings. An attacker could use this issue to cause libcap2 to crash, resulting in a denial of service, or possibly execute arbitrary code.
Ubuntu Security Notice 6170-1 - It was discovered that Podman incorrectly handled certain images. An attacker could possibly use this issue to pull an untrusted image.
Ubuntu Security Notice 6176-1 - It was discovered that PyPDF2 incorrectly handled certain PDF files. If a user or automated system were tricked into processing a specially crafted file, an attacker could possibly use this issue to consume system resources, resulting in a denial of service.
Ubuntu Security Notice 6167-1 - It was discovered that QEMU did not properly manage the guest drivers when shared buffers are not allocated. A malicious guest driver could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 22.10. It was discovered that QEMU did not properly check the size of the structure pointed to by the guest physical address pqxl. A malicious guest attacker could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 22.10.
Ubuntu Security Notice 6175-1 - Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in the netfilter subsystem of the Linux kernel when processing batch requests, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Gwangun Jung discovered that the Quick Fair Queueing scheduler implementation in the Linux kernel contained an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6174-1 - Jordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did not properly implement speculative execution barriers in usercopy functions in certain situations. A local attacker could use this to expose sensitive information. It was discovered that the Human Interface Device support driver in the Linux kernel contained a type confusion vulnerability in some situations. A local attacker could use this to cause a denial of service.
The expressiveness of Turing-complete blockchains implies that verifying a transaction's validity requires executing it on the current blockchain state. Transaction fees are designed to compensate actors for resources expended on transactions, but can only be charged for transactions included in blocks. In this work, the authors show that adversaries can craft malicious transactions that decouple the work imposed on blockchain actors from the compensation offered in return, and introduce three such attacks.
Red Hat Security Advisory 2023-3661-01 - The texlive packages contain TeXLive, an implementation of TeX for Linux or UNIX systems. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2023-3660-01 - The c-ares C library defines asynchronous DNS requests and provides name resolving API. Issues addressed include a denial of service vulnerability.
Debian Linux Security Advisory 5432-1 - Jurien de Jong discovered that the parsing of KeyInfo elements within the XMLTooling library may result in server-side request forgery.
Governmental entities in the Middle East and Africa have been at the receiving end of sustained cyber-espionage attacks that leverage never-before-seen and rare credential theft and Exchange email exfiltration techniques. "The main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign
Microsoft on Friday attributed a string of service outages aimed at Azure, Outlook, and OneDrive earlier this month to an uncategorized cluster it tracks under the name Storm-1359. "These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools," the tech giant said in a post on Friday. Storm-#### (
Cybersecurity researchers have uncovered a set of malicious artifacts that they say is part of a sophisticated toolkit targeting Apple macOS systems. "As of now, these samples are still largely undetected and very little information is available about any of them," Bitdefender researchers Andrei Lapusneanu and Bogdan Botezatu said in a preliminary report published on Friday. The Romanian firm's
While the use of Infrastructure as Code (IaC) has gained significant popularity as organizations embrace cloud computing and DevOps practices, the speed and flexibility that IaC provides can also introduce the potential for misconfigurations and security vulnerabilities. IaC allows organizations to define and manage their infrastructure using machine-readable configuration files, which are
A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions. First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis. "The code is heavily obfuscated making use of polymorphic