Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
#cybersecurity zealots often shame humans for writing down their passwords, but as someone who just had to excavate the digital remains of a loved one who died suddenly:
please write down your credentials somewhere a trusted human can find them, especially your phone passcode and any primary passwords (like for email accounts, password manager, etc.)
the humans who care about you will need that access for many reasons; a "badass" threat model will only add helplessness to their grief
We talk about wanting professional journalists to ditch Twitter and come to Mastodon.
When they do we need to make them welcome!
Today Chris Bing @Bing_Chris a distinguished Reuters reporter covering hacking and foreign affairs has joined Mastodon saying "Hi - Twitter is a garbage fire. I am going to try to use this platform more. Love,-Bing."
Genetic testing company 23AndMe confirmed that it suffered a data breach in what appears to be a targeted attack on Jews & Chinese people. Hackers have put up for sale 1 million data points about Ashkenazi Jews, plus hundreds of thousands of Chinese users.
One of the world's largest online travel agencies, Booking.com, is being used by fraudsters to trick hotel guests into handing over their payment card details.
How do I know? The fraudsters tried the trick with me.
hello fediverse, here's my new infographic comparing two dynamics we can nurture when doing #cybersecurity things: security theater vs. #resilience
it's meant as a handy reference to validate that your org's security efforts are nurturing resilience rather than fomenting theater (and I don't mean writing your design docs in iambic pentameter, that's fine)
imo security theater is one of the core pillars holding up the status quo of security-as-gatekeeper... so let's do resilience instead <3
An Israeli technology company has developed the means of delivering spyware via online ad networks. There’s no defense against the spyware and the Israeli government has given the company approval to sell the technology.
For now, take comfort in the fact that it’s a hefty $6.4 million price tag for a single ad infection.
Consumer DNA testing company 23andMe is investigating a potential data breach:
Threat actor used credentials exposed in other leaks to access legitimate 23andMe user accounts and scrape data, including “tailored ethnic groupings,” like 1 million lines of data on Ashkenazi people…
Data for sale includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location.
This post is about cybersecurity, OSINT, and privacy.
REMINDER
Today’s surveillance cameras perform very well in low light conditions. In theaters, or any other public space, never assume that you can’t be seen because it’s dark. You can be seen. You are being seen. You are being recorded.
Mozilla's petition against in-browser censorship law (foundation.mozilla.org)
The French government is considering a law that would require web browsers – like Mozilla's Firefox – to block websites chosen by the government.