Multi-Factor Authentication not very secure
If you thought you were safe because you use multi-factor authentication (MFA), there is bad news for you: MFA can be broken.
MFA is still a recommended practice and is much safer than a password alone, but it does not guarantee your safety. You cannot afford to be complacent.
There are multiple ways to work around MFAs:
- Your SIM can be swapped, as happened when the Twitter account of Jack Dorsey was hacked.
- Or if the site using MFA is not securely developed, an attacker can bypass MFA anyway and get at your private data.
- Finally, the ubiquitous ‘social engineering attacks’ can get you to divulge your information to an attacker voluntarily, enabling them to inject themselves into the MFA cycle.
I do not want you to panic unnecessarily – after all, the FBI still says "Multifactor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks, …". I would only ask you to make note of the caveat.
- Sridhar Parthasarathy
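The second point above, that a site which "uses MFA" can still be bypassed if it is not securely developed, deserves a concrete illustration. The following is an added example, not code from the newsletter or from any of the products it mentions. It contrasts a flawed login flow, in which the server hands out a full session after the password check and then trusts a client-supplied flag saying the second factor was completed, with a hardened flow, in which the password only yields a pending session and the server itself records completion of the second factor after verifying the one-time code. All users, secrets, class names and codes are constructed for the demonstration; the OTP routine is a simplified HOTP-style truncation, not a production TOTP library.

```python
"""Why server-side enforcement of the second factor matters (added example).

WeakLogin:   password alone creates a usable session; a client-controlled
             "mfa_done" flag decides whether protected data is returned.
StrictLogin: password yields a pending session; only the server flips
             mfa_verified, and only after it has checked the OTP itself.
Everything here (users, secrets, codes) is constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def _pw_hash(pw: str) -> str:
    # Demo only: a real system would use a password KDF such as argon2/bcrypt.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed user store: password hash plus a per-user OTP secret.
USERS = {
    "alice": {"pw": _pw_hash("correct horse"), "otp_secret": b"demo-secret-alice"},
}


def expected_otp(secret: bytes, step: int) -> str:
    """Six-digit code for a 30-second time step (simplified HOTP-style truncation)."""
    mac = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def current_step(now=None) -> int:
    return int((now if now is not None else time.time()) // 30)


@dataclass
class Session:
    user: str
    mfa_verified: bool = False  # set ONLY by the server after an OTP check
    token: str = field(default_factory=lambda: secrets.token_hex(16))


def _password_ok(user: str, pw: str) -> bool:
    rec = USERS.get(user)
    return bool(rec) and hmac.compare_digest(rec["pw"], _pw_hash(pw))


class WeakLogin:
    """Flawed pattern: the client tells the server whether MFA happened."""

    def __init__(self):
        self.sessions = {}

    def password_login(self, user, pw):
        if not _password_ok(user, pw):
            return None
        s = Session(user)
        self.sessions[s.token] = s
        return s.token

    def get_secret_data(self, token, mfa_done):  # trusts a client-supplied flag
        s = self.sessions.get(token)
        if s is None or not mfa_done:
            return None
        return f"secret data for {s.user}"


class StrictLogin:
    """Hardened pattern: session stays pending until the server verifies the OTP."""

    def __init__(self):
        self.sessions = {}

    def password_login(self, user, pw):
        if not _password_ok(user, pw):
            return None
        s = Session(user)  # mfa_verified=False: pending, cannot read protected data
        self.sessions[s.token] = s
        return s.token

    def verify_otp(self, token, code, now=None):
        s = self.sessions.get(token)
        if s is None:
            return False
        secret = USERS[s.user]["otp_secret"]
        step = current_step(now)
        # Accept the current step plus one step of clock drift either side.
        ok = any(hmac.compare_digest(expected_otp(secret, step + d), code) for d in (-1, 0, 1))
        if ok:
            s.mfa_verified = True  # the only place this flag is ever set
        return ok

    def get_secret_data(self, token):  # no client input about MFA is consulted
        s = self.sessions.get(token)
        if s is None or not s.mfa_verified:
            return None
        return f"secret data for {s.user}"


def demo():
    """Returns (weak_bypassed, strict_blocked, strict_allowed_after_otp)."""
    weak = WeakLogin()
    t = weak.password_login("alice", "correct horse")
    weak_bypassed = weak.get_secret_data(t, mfa_done=True) is not None  # no OTP was ever entered

    strict = StrictLogin()
    t2 = strict.password_login("alice", "correct horse")
    strict_blocked = strict.get_secret_data(t2) is None  # pending session is refused
    now = 1_700_000_000  # fixed clock so the demo is deterministic
    code = expected_otp(USERS["alice"]["otp_secret"], current_step(now))
    strict.verify_otp(t2, code, now=now)
    strict_allowed = strict.get_secret_data(t2) is not None
    return weak_bypassed, strict_blocked, strict_allowed


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The point to check in any real deployment is the one `StrictLogin` makes explicit: the only state that unlocks protected resources lives on the server and is written only by the server's own verification routine, and the same rule must cover account-recovery and password-reset paths, which are just another way of minting a session.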
Last month, the FBI issued a warning to private companies about MFA. The agency said that there is a rising threat of attacks against organizations and their employees that can bypass MFA solutions.
A massive security loophole at Just Dial has just been discovered. The flaw, found by an independent security researcher, has exposed almost 156 million unique users across the Just Dial ecosystem, which includes its web, mobile website, app and voice
JustDial claims to have addressed this issue.
The NCSC is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities affecting Virtual Private Network (VPN) products from vendors Pulse Secure, Fortinet and Palo Alto. The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review NSA's Cybersecurity Advisory and CISA's Current Activity on Vulnerabilities in Multiple VPN Applications for more information.
The Microsoft Threat Intelligence Center (MSTIC) has released a blog post describing an increase in malicious cyber activity from the Iranian group known as Phosphorus. These threat actors are exploiting password reset or account recovery features to take control of targeted email accounts.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the Microsoft blog for additional information.
Vulnerabilities have been discovered in the macOS terminal emulator iTerm2, per US-CERT information on the vulnerability (CVE-2019-9535). Visit iTerm2’s downloads page for patch information and additional details.
Microsoft has released a new version of the Windows 10 Update Assistant to fix a local privilege escalation vulnerability. Installing the update is critical to close the flaw.
Dozens of Amazon workers based in India and Romania review select clips captured by Cloud Cam, according to five people who have worked on the program or have direct knowledge of it. Those video snippets are then used to train the AI algorithms to do a better job distinguishing between a real threat and a false alarm.
Twitter admitted to ‘inadvertently’ using data provided for multi-factor authentication for targeting ads. The company did not divulge how long this has been going on or the extent of the misuse of data.
In Other News …
NIST & FBI have released an article outlining defences that can be employed against phishing attacks. Comments & information on the article are invited.
FBI Director Christopher Wray shared cases where the support of technology companies helped law enforcement rapidly identify and save children being sexually abused. He followed by asking for the renewed and ongoing support of the industry in investigations into child pornography, terrorism, and other crimes.
A ransomware victim that paid Bitcoin to unlock his files has enacted sweet vengeance on his attackers, by hacking them right back. As part of his retaliation, German programmer Tobias Frömel (aka “battleck”) released almost 3,000 decryption keys to assist others hit by the Muhstik ransomware, along with free decryption software.
New Initiatives – Participation Invited
Snippets
Updates on previous news
- Two mitigations have been issued for Interpeak’s IPNet vulnerability reported last week.
- Apple, Intel & Juniper have issued security updates. Please update.