@insiderua actually this really is a problem. Voice calls are one thing, but SMS, which many people use for #MFA (Multi-factor authentication), is a disaster. Transferring money from card to card has become impossible with some banks.
And non-working air raid alert systems (if that's true) are also a serious problem.
Challenge-based MFA applications are more secure than push-notification-based MFA.
A careless admin might easily tap the Approve button on a push-notification-based MFA prompt, whereas a challenge requires the user to know the number to be submitted. Since s/he doesn't know it (because someone else triggered the MFA), the challenge-response can't be completed and the account cannot be accessed.
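The two prompt styles from the post above, modelled as an added example (this is not the poster's code nor any vendor's implementation): a careless user on the phone, and an attacker who already holds the password and triggers the prompt. The class names, the session ids and the two-digit challenge size are assumptions for illustration. A third scenario, where a phishing page relays the number shown on the real login screen to the victim, is included because that is the case number matching does not cover.

```python
import secrets
import hmac


class PushApproveMfa:
    """Approve/Deny push prompt, modelled for this example: the login screen
    shows nothing, and the phone only asks 'Approve?'."""

    def __init__(self):
        self.pending = set()

    def start(self, session_id):
        self.pending.add(session_id)      # prompt is pushed to the enrolled phone
        return None                       # nothing to display on the login screen

    def complete(self, session_id, response):
        if session_id not in self.pending:
            return False
        self.pending.discard(session_id)  # one answer per prompt
        return response is True


class NumberMatchingMfa:
    """Number-matching challenge, modelled for this example: the login screen
    that started the request shows a number, and the phone asks the user to
    type that number instead of tapping Approve."""

    def __init__(self, digits=2):          # 2 digits is an assumption for the example
        self.digits = digits
        self.pending = {}

    def start(self, session_id):
        number = "%0*d" % (self.digits, secrets.randbelow(10 ** self.digits))
        self.pending[session_id] = number
        return number                     # shown only on the initiating login screen

    def complete(self, session_id, response):
        expected = self.pending.pop(session_id, None)
        if expected is None or response is None:
            return False
        return hmac.compare_digest(expected, str(response))


def careless_user_answers(mfa, victim_screen):
    """The user on the phone. With a push prompt they just tap Approve. With
    number matching they can only type what is on the screen in front of
    them, and there is no number to type if they did not start the login
    (victim_screen is None)."""
    if isinstance(mfa, PushApproveMfa):
        return True
    return victim_screen


def attacker_login(mfa, attacker_relays_screen):
    """Attacker has the password and starts the login. Returns True if the
    attacker's session is accepted."""
    sid = "attacker-session"
    shown_to_attacker = mfa.start(sid)
    # In plain push-bombing the victim's own screen shows nothing. A relaying
    # (AiTM) phishing page shows the victim whatever the real login screen shows.
    victim_screen = shown_to_attacker if attacker_relays_screen else None
    return mfa.complete(sid, careless_user_answers(mfa, victim_screen))


def legitimate_login(mfa):
    """The user starts the login themselves and is looking at the screen."""
    sid = "user-session"
    shown = mfa.start(sid)
    return mfa.complete(sid, careless_user_answers(mfa, shown))


if __name__ == "__main__":
    print("push, attacker triggers prompt:   ", attacker_login(PushApproveMfa(), False))
    print("number match, attacker triggers:  ", attacker_login(NumberMatchingMfa(), False))
    print("number match, phishing page relays:", attacker_login(NumberMatchingMfa(), True))
```

The model makes the point of the post concrete: the push prompt carries no information the user has to echo back, so a reflexive Approve is enough; the number-matching prompt can only be completed by someone who sees the initiating screen. It also shows the limit: if the attacker can put that screen in front of the victim (a real-time phishing proxy), number matching is completed for them.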
Thread by @wskamphuis on that "other" platform, but still #educatie; curious. Which #docent (teacher) is also going to ban their #mobiel (phone) for the whole day from 1 January? So no #mfa #2fa, so no more Office, #Magister, anything that has two-factor authentication.
My #InfoSec friends, for years I have given these three recommendations to end users as my top tips for security. Do you have any others that you use as your top three instead?
#Patch all your devices when patches are available.
Use #MFA - any kind, even SMS, is better than nothing, but an authenticator app or hardware token (like a yubikey) is even better.
Use a #PasswordManager to generate and store unique passwords for every account. I personally use 1Password, but there are other good ones out there.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #45/2023 is out! It includes the following and much more:
➝ 🔓 ✈️ #Boeing breach: LockBit leaks 50 GB of data
➝ 🇨🇳 World’s largest commercial bank #ICBC confirms #ransomware attack
➝ 🔓 ☁️ Sumo Logic alerts customers about #securityincident; advises rotating Sumo Logic API access keys
➝ 🔓 🇮🇪 Electric Ireland admits data breach that could see customer financial data compromised
➝ 🔓 🇨🇦 #TransForm says ransomware data breach affects 267,000 patients
➝ 🔓 🇸🇬 #Singapore Marina Bay Sands reward members data breached, over 650k people exposed
➝ 🇮🇱 🇵🇸 🇮🇷 Cyber ops linked to #Israel-#Hamas conflict largely improvised, researchers say
➝ 🧨 🤖 #OpenAI confirms #DDoS attacks behind ongoing #ChatGPT outages
➝ 🛍️ 💸 Fake Ledger Live app in #Microsoft Store steals $768,000 in #crypto
➝ 🔓 🐰 ‘Looney Tunables’ #Glibc Vulnerability Exploited in #Cloud Attacks
➝ 🇺🇸 🇷🇺 US Sanctions Russian National for Helping Ransomware Groups Launder Money
➝ 🇮🇷 🇮🇱 Iranian Hackers Launch Destructive Cyber Attacks on Israeli #Tech and #Education Sectors
➝ 🇫🇷 🇬🇧 #France, #UK Seek Greater Regulation of Commercial #Spyware
➝ 🇪🇺 🤐 #Europe is trading security for digital #sovereignty
➝ 🇷🇺 🇺🇦 Russian Hackers Used #OT Attack to Disrupt Power in #Ukraine Amid Mass Missile Strikes
➝ 🦠 🚪 Highly invasive #backdoor snuck into #opensource packages targets developers
➝ 🦠 🇰🇵 N. Korea's #BlueNoroff Blamed for Hacking #macOS Machines with ObjCShellz #Malware
➝ 🫣 #Signal tests usernames that keep your phone number private
➝ 🔐 Microsoft Authenticator now blocks suspicious #MFA alerts by default
➝ ☁️ 💰 Researchers Uncover Undetectable #CryptoMining Technique on #Azure Automation
➝ 👥 💰 Data Brokers Expose Sensitive US Military Member Info to Foreign Threat Actors: Study
➝ 🩹 Microsoft Says Exchange ‘Zero Days’ Disclosed by #ZDI Already Patched or Not Urgent
➝ 🐛 Veeam warns of critical bugs in #Veeam ONE monitoring platform
📚 This week's recommended reading is: "How the F*ck Did This Happen?: A guide for executives who need to understand Cyber Security in plain, actionable language" by Dr Darryl Carlton
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
No sooner do you type some obscure hashtag on #Tusky than the app restarts. My writing is all gone. Automatic drafts could prevent the loss; it took me THE SECOND TIME to realize it wasn't a slip of my finger! 🙄😤
Does the official #MastodonApp suffer from this, or am I safe to try it?
Even though Everybody Says that you need to use #MFA on all the things, you've probably been avoiding this because of how annoying it is punching in a code every time you want to log into a thing... at least if you're like me.
Something to consider: hardware keys (Nitrokey, Yubikey, etc.) make this much, much less painful.
Combine this with using a password manager to create 20-character random passwords, and you have a lot less need to MFA all the things. Much less painful.
My gripe today is every website I use suddenly requiring 2FA when there would be little, if any, info that could be gained from them.
Does my boardgame collection management site REALLY need to email me a code "JUST TO MAKE SURE IT'S ME"? I am pretty sure they cannot transfer a game from my collection to someone else's with the click of a button.
This becomes even more irksome when it's some random website that I signed up for with a user/pass and NOW it wants to send me emails to confirm it's me. Maybe I'm the only one on the planet, however I'm not staring at my inbox 24/7 just waiting for a code. Let me opt out of this junk.
I am NOT against security. #MFA all the things for financial, healthcare, identity and other high-risk targets (or their tangential sites), but at some point it's just a pain in the ass going back and forth between sites, #SMS #2FA (which is bad -anyway-), Email, the authenticator app, etc.
That's not even addressing the fact that these 2FA solutions often seem like security theater, which means it's making my chore longer for zero actual benefit.
Vulnerable endpoints are a cybercriminal's delight. Ransomware accounts for two-thirds of incidents reported to our threat response team and 36% of these attacks stem from vulnerabilities on endpoint devices.
Basic steps can rectify #EndpointSecurity failings, Daniel Thomas reports in SC Media. Regularly scheduled patch management for all network endpoints can provide base-level peace of mind, while #MFA puts up an additional barrier of defense. At the same time, services like XDR provide round-the-clock vigilance. Learn more: https://bit.ly/3PXT7OV
Okay! #Microsoft #MFA protected email account number two, breached. Just now. MFA is looking to be worthless. So, how many people use O365 as their primary email domain? Maybe, oh I don’t know, a few? MFA is wet cardboard. Mark my words, MFA is vulnerable. Something can force-skip it. My bet is an XSS vulnerability. Black hats are phishing MFA. #alarms #dangerous #infosec #infotech #ThisIsVeryVeryBad
Perhaps I have misunderstood how #YubiKey or #NitroKey are meant to be used. But under #Linux they are not suitable for everyday use.
My idea of these keys: log in via MFA so that I no longer have to type in these #MFA codes, on both the #Smartphone and the #Computer; just tap and done, I thought. Reality looks different.
I received another email from #StandardBank, advising me to stop using a password to log into Internet Banking, and switch to scanning a QR code from within the Mobile App. No, Standard Bank, I'm not going to do that. Because it's stupid, and here's why:
The whole reason for me to visit Internet Banking on my computer is because I do not WANT to log into the banking app on my phone. But in order for me to use Internet Banking on my computer, they want me to open the app on my phone, log in, then navigate to the menu item for QR code scanning, and then scan the code I see on my PC monitor. At which point, I may as well use the mobile app. Which I didn't want.
Why can't they just use one of the many many Authenticator apps, like a normal company? I'd be more than happy to open my authenticator app, find Standard Bank, and punch the code in. It's good enough for Google, Microsoft, Github....
Juilliard announced that the Drama Division’s Master of Fine Arts in Acting will join the school’s growing list of tuition-free programs starting in the 2024-25 academic year, becoming funded through scholarships in perpetuity. This milestone achievement furthers the school’s ambition to continue to remove financial...
I found out that andOTP is now unmaintained, so I decided to find a new home for my OTP for multi-factor authentication or MFA in Android. I wanted to give FreeOTP a try, but I couldn't just restore a backup from one to the other, so I made a migration script from andOTP to FreeOTP (for now only the URI format works). Give it a try https://codeberg.org/adelgado/andotp2freeotp #andOTP #FreeOTP #OTP #MFA #Android #Python
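What an authenticator app actually does with the entries such a migration script carries around, as an added example serving both the "authenticator app" tip earlier on this page and the otpauth URI migration above (this is not the andotp2freeotp script, nor code from either app): parse an `otpauth://totp/...` URI, derive the RFC 4226 HOTP value from the shared secret, and turn it into an RFC 6238 TOTP code plus the server-side check with a small skew window. The function names are mine; the only input is the RFC 6238 reference secret, wrapped in a constructed URI so that the result can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Parse otpauth://totp/LABEL?secret=...&issuer=...&digits=...&period=...
    (the shape authenticator apps import and export) into a dict."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    label = unquote(parts.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    issuer = params.get("issuer")
    if issuer is None and ":" in label:       # older URIs carry the issuer in the label
        issuer = label.split(":", 1)[0]
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in HASHES:
        raise ValueError("unsupported algorithm %s" % algorithm)
    return {
        "label": label,
        "issuer": issuer,
        "secret": params["secret"],
        "algorithm": algorithm,
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def decode_secret(b32):
    """Base32 secrets in these URIs are often unpadded and sometimes lowercase."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(entry, at=None):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = time.time()
    key = decode_secret(entry["secret"])
    return hotp(key, int(at) // entry["period"], entry["digits"], entry["algorithm"])


def verify_totp(entry, code, at=None, window=1):
    """Server-side check: accept the current step and `window` steps either
    side to absorb clock skew, comparing in constant time. Keep the window
    small; every extra step is another code an attacker may replay."""
    if at is None:
        at = time.time()
    key = decode_secret(entry["secret"])
    step = int(at) // entry["period"]
    for c in range(step - window, step + window + 1):
        candidate = hotp(key, c, entry["digits"], entry["algorithm"])
        if hmac.compare_digest(candidate, str(code)):
            return True
    return False


# Constructed for this example: the RFC 6238 reference secret
# ("12345678901234567890" in ASCII, base32 GEZD...) in an otpauth URI.
RFC6238_URI = ("otpauth://totp/RFC6238:test%40example.org"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=RFC6238&digits=8")

if __name__ == "__main__":
    entry = parse_otpauth(RFC6238_URI)
    print(entry["issuer"], entry["label"], totp(entry, at=59))  # RFC 6238 vector: 94287082
```

Two things this makes visible that the URI alone does not: the secret is the whole credential, so a backup file of otpauth URIs deserves the same handling as a password database; and a code is only as "one-time" as the server's acceptance window and its refusal to accept the same step twice, which the verifier above leaves to the caller.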
Juilliard’s MFA in Acting Becomes Tuition-Free Starting Fall 2024 (www.juilliard.edu)