Tag Archive for: Authentication

Multi-Factor Authentication Fatigue Key Factor in Uber Breach


Earlier this week, Uber disclosed that the recent breach it suffered was made possible through a multi-factor authentication (MFA) fatigue attack in which the attacker posed as Uber IT.

MFA fatigue attacks are a form of social engineering that consists of spamming a target with repeated MFA push requests until they eventually approve one. This kind of attack is possible when the threat actor has already obtained valid corporate login credentials but cannot use them because the account is protected by multi-factor authentication.

According to Uber,

It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware.

To make sense of how likely an MFA fatigue attack is to succeed, security researcher Kevin Beaumont recalled on Twitter that this is the same technique used in the recent LAPSUS$ attacks, about which the attacker allegedly explained: “call the employee 100 times at 1AM while he is trying to sleep and he will more than likely accept it”.

In Uber’s case, the approach was slightly different. As reported by Lawrence Abrams for Bleeping Computer, security researcher Corben Leo got in touch with the hacker behind the breach and learned that they had contacted the targeted contractor on WhatsApp, claiming to be from Uber IT and telling them that the only way to get rid of the unending notifications was to accept one.
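The pattern described above, a burst of refused or ignored push prompts followed by an approval, is something a SOC can look for in the identity provider's logs. The following script is an added example, not code from the original article or from Uber: it runs a simple push-fatigue detector over a few constructed JSON-lines log entries. The log format, field names, thresholds and IP addresses are assumptions for the example; map them onto the push-authentication events your IdP actually exports.

```python
"""Flag MFA push-fatigue bursts in an identity provider's push log.

Added example, not code from the original article or from Uber. The
JSON-lines format, field names and thresholds below are assumptions; map
them onto your IdP's push-authentication events (most expose a per-prompt
result such as denied / timeout / approved and the requesting IP).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: contractor1 ignores or denies a burst of prompts
# from one unfamiliar IP and finally approves one; alice shows normal use.
SAMPLE_LOG = """
{"ts": "2022-09-15T01:02:10Z", "user": "contractor1", "factor": "push", "result": "denied",   "ip": "203.0.113.7"}
{"ts": "2022-09-15T01:02:45Z", "user": "contractor1", "factor": "push", "result": "timeout",  "ip": "203.0.113.7"}
{"ts": "2022-09-15T01:03:30Z", "user": "contractor1", "factor": "push", "result": "denied",   "ip": "203.0.113.7"}
{"ts": "2022-09-15T01:04:05Z", "user": "contractor1", "factor": "push", "result": "timeout",  "ip": "203.0.113.7"}
{"ts": "2022-09-15T01:05:20Z", "user": "contractor1", "factor": "push", "result": "denied",   "ip": "203.0.113.7"}
{"ts": "2022-09-15T01:06:40Z", "user": "contractor1", "factor": "push", "result": "approved", "ip": "203.0.113.7"}
{"ts": "2022-09-15T08:15:00Z", "user": "alice",       "factor": "push", "result": "approved", "ip": "198.51.100.4"}
{"ts": "2022-09-15T08:16:00Z", "user": "alice",       "factor": "push", "result": "denied",   "ip": "198.51.100.4"}
"""

UNANSWERED = {"denied", "timeout"}   # prompts the target did not approve


def parse_log(text):
    """Parse JSON lines into dicts with a datetime `ts`, oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """One alert per user who racks up >= `threshold` unanswered push prompts
    inside `window`. Severity is 'medium' while the burst is only being
    refused (attack in progress, or a misbehaving client to triage) and
    'high' if the user then approves a prompt while the burst is still in
    the window, which is the fatigue-then-accept pattern."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("factor") == "push":
            by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        recent = []   # unanswered prompts still inside the sliding window
        for e in evs:
            recent = [x for x in recent if e["ts"] - x["ts"] <= window]
            if e["result"] in UNANSWERED:
                recent.append(e)
                if len(recent) >= threshold:
                    a = alerts.setdefault(user, {
                        "user": user, "severity": "medium", "prompts": 0,
                        "first_prompt": recent[0]["ts"].isoformat(), "ips": set()})
                    a["prompts"] = max(a["prompts"], len(recent))
                    a["ips"].update(x["ip"] for x in recent)
            elif e["result"] == "approved" and len(recent) >= threshold:
                # `recent` can only be at the threshold if an unanswered prompt
                # pushed it there, and that prompt already created the alert
                alerts[user]["severity"] = "high"
                alerts[user]["approved_at"] = e["ts"].isoformat()
    for a in alerts.values():
        a["ips"] = sorted(a["ips"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this yields a single high-severity alert for contractor1 (five unanswered prompts from one IP, then an approval) and nothing for alice. A detector like this is a compensating control, not a fix: pairing the alert with an automatic block of push for that user limits the damage, but the attack only works because a single tap approves a login, so the durable fix is number matching on the prompt or a phishing-resistant factor such as a FIDO key.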

Once the attacker had their device authorized for access to Uber’s intranet, they began scanning the corporate network until they found a PowerShell script containing admin credentials for the platform Uber uses to manage its login secrets, including DA, DUO, Onelogin, AWS, and Gsuite. This allowed them to grab source code and, more worryingly, to get access to Uber’s HackerOne bug bounty program, which in turn gave the attacker information about vulnerability reports that had not yet been fixed.

In conversation with InfoQ, Cerby’s chief trust officer Matt Chiodi stated that “if what’s being reported is true, this would be an unprecedented level of access, even when compared to SolarWinds”. One way to mitigate the impact of such incidents, according to Chiodi, is applying a Zero Trust strategy,…

Source…

Multi-factor authentication cuts risk of getting hacked by 99%


ST. LOUIS, Mo. – You can lower the chances of your personal online accounts being hacked by 99 percent with multi-factor authentication, according to Phil Kirk, Regional Director of the Cybersecurity and Infrastructure Security Agency (CISA). He says hackers increasingly harvest credentials through phishing emails or by identifying passwords reused from other systems.

MFA increases security because even if one credential is compromised, an unauthorized user is still challenged to meet the second authentication requirement, which largely thwarts their ability to access the targeted device, network, or database.

There are many ways you may be asked to provide a second form of authentication:

  • Text Message or Email: When you log in to an account, you’ll be asked to provide a code sent to you by text message or email. This is the weakest option, since the code can be phished or intercepted, but it is still far better than a password alone.
  • Authenticator App: An authenticator app is an app that generates time-based MFA login codes on your phone from a secret shared with the service when you enroll.
  • Push Notification: Instead of using a numeric code, the service “pushes” a request to your phone to ask if it should let you in.
  • FIDO Key: FIDO stands for “Fast Identity Online” and is considered the gold standard of multi-factor authentication, because the key’s response is cryptographically bound to the genuine site, so a phishing page cannot capture and replay it.

For more information, visit: http://www.cisa.gov/MoreThanAPassword
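To show what the “Authenticator App” option in the list above actually does, here is an added example (not code from the original article or from CISA) that generates and verifies the six-digit codes using only the Python standard library. It implements HOTP (RFC 4226) and TOTP (RFC 6238); the seed below is the reference seed from the RFC test vectors, and the verifier class, its drift window and its replay check are this example's own design, not something the article describes.

```python
"""How an authenticator app's six-digit codes are generated and checked.

Added example, not code from the original article or from CISA. It
implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library
only; the verifier side adds the two checks a real server needs: a small
clock-drift window and rejection of a code that has already been used.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 reference seed for the SHA-1 test vectors (ASCII "1234...0").
# In practice the seed is a random secret shared during enrollment, shown
# to the phone as a base32 string inside a QR code.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time // step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check with drift tolerance and replay protection."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1   # highest time-step counter already accepted

    def verify(self, code: str, at=None) -> bool:
        if at is None:
            at = int(time.time())
        now = at // self.step
        # accept the current step and `window` steps either side for clock drift
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue   # replay: this time step was already consumed
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # With the RFC seed at Unix time 59 the 8-digit RFC value is 94287082,
    # so the 6-digit app code is the last six digits, 287082.
    print(totp(RFC_SEED, at=59))
    print(totp(RFC_SEED))   # what the app would show right now
```

Two things worth noticing. The code is derived from the shared seed and the clock alone, so anyone who obtains the seed (a screenshot of the QR code, a backup export, a compromised server database) can generate valid codes forever; store seeds like passwords. And the verifier is happy with any correct code inside the window, so a phishing page that relays the code to the real site within seconds still gets in, which is exactly the weakness the FIDO key in the list above removes.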

Source…

A Problem Like API Security: How Attackers Hack Authentication


There is a sight gag that has been used in a number of movies and TV comedies that involves an apartment building lobby. It shows how people who don’t live there but want to get in anyway – Girl Guides looking to sell cookies to the tenants, say – simply run their fingers down every call button on the tenant directory, like a pianist performing a glissando, knowing that at least one of the dozens of apartments being buzzed will let them in simply out of reflex or laziness.

This is a fitting example of broken authentication in the analogue world: an automated system designed to keep non-residents out, admitting them only when an individual tenant grants permission by hand, that is easily overrun and exploited without any need for sophisticated tools.


Broken authentication is the term used in infosec to describe the same kind of outcome. Organizations of all types that expose internet-facing assets such as websites and APIs use some form of authentication to prevent the wrong people from “buzzing themselves in,” but these, too, are often woefully not up to the task.

Attacks that exploit APIs

One of the most common points of weakness is the API itself. In an API attack, bad actors force their way in through a variety of techniques, all of which essentially abuse the construction of the API’s own interface; once in, they can deposit malware, steal data, or perform other types of crime and sabotage.

One of these techniques is credential stuffing, which involves replaying stolen username and password pairs – obtained through data breaches, for example – against the API in the hope that some of them are still valid there. This, by the way, is one of many reasons why everyone should change any password that has been exposed in a breach, and never reuse one across services.

A related technique involves brute (Read more…)
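Credential stuffing and brute force look different in an API's login log, and telling them apart matters because the response differs (reset the accounts that succeeded versus lock one account). The script below is an added example, not code from the original article: it classifies login sources in a constructed, simplified log. The log format, thresholds and IP addresses are assumptions for the example; real traffic needs tuning, and an attacker spreading the attempts across a proxy pool will not show up per IP at all, so the same counting should also be done per user agent, per ASN and for the endpoint as a whole.

```python
"""Spot credential stuffing and brute force in an API's login log.

Added example, not code from the original article. The log lines are a
constructed, simplified "timestamp ip user status" feed; the thresholds
are assumptions to tune against real traffic. The two patterns differ in
shape: credential stuffing is one source trying MANY different usernames,
each with one or two passwords, and mostly failing; brute force is one
source hammering ONE username with many passwords.
"""
from collections import defaultdict

# Constructed sample: 203.0.113.9 replays a breached list (one hit, carol),
# 198.51.100.77 guesses passwords for "admin", 192.0.2.5 is dave mistyping.
SAMPLE_LOG = """\
2022-09-16T09:00:01Z 203.0.113.9   alice  401
2022-09-16T09:00:02Z 203.0.113.9   bob    401
2022-09-16T09:00:02Z 203.0.113.9   carol  200
2022-09-16T09:00:03Z 203.0.113.9   dan    401
2022-09-16T09:00:03Z 203.0.113.9   erin   401
2022-09-16T09:00:04Z 203.0.113.9   frank  401
2022-09-16T09:00:04Z 203.0.113.9   grace  401
2022-09-16T09:00:05Z 203.0.113.9   heidi  401
2022-09-16T09:00:05Z 203.0.113.9   ivan   401
2022-09-16T09:00:06Z 203.0.113.9   judy   401
2022-09-16T09:10:00Z 198.51.100.77 admin  401
2022-09-16T09:10:01Z 198.51.100.77 admin  401
2022-09-16T09:10:02Z 198.51.100.77 admin  401
2022-09-16T09:10:03Z 198.51.100.77 admin  401
2022-09-16T09:10:04Z 198.51.100.77 admin  401
2022-09-16T09:10:05Z 198.51.100.77 admin  401
2022-09-16T09:10:06Z 198.51.100.77 admin  401
2022-09-16T09:10:07Z 198.51.100.77 admin  401
2022-09-16T09:20:00Z 192.0.2.5     dave   401
2022-09-16T09:20:09Z 192.0.2.5     dave   401
2022-09-16T09:20:20Z 192.0.2.5     dave   200
"""


def parse_log(text):
    """Split the constructed log into dicts; blank lines are ignored."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, status = line.split()
        rows.append({"ts": ts, "ip": ip, "user": user, "status": int(status)})
    return rows


def classify_sources(rows, min_attempts=5, max_success_rate=0.2,
                     stuffing_user_ratio=0.7):
    """Per source IP: 'credential_stuffing', 'brute_force', 'suspicious'
    or 'benign', plus the accounts that logged in successfully from a
    flagged source, which are the ones to force a reset on."""
    per_ip = defaultdict(list)
    for r in rows:
        per_ip[r["ip"]].append(r)

    findings = {}
    for ip, rs in per_ip.items():
        attempts = len(rs)
        users = {r["user"] for r in rs}
        successes = sorted({r["user"] for r in rs if r["status"] == 200})
        success_rate = len(successes) / attempts
        if attempts < min_attempts or success_rate > max_success_rate:
            verdict = "benign"            # too little traffic, or mostly legitimate
        elif len(users) / attempts >= stuffing_user_ratio:
            verdict = "credential_stuffing"   # almost every attempt is a new account
        elif len(users) == 1:
            verdict = "brute_force"       # one account, many passwords
        else:
            verdict = "suspicious"        # failing hard, but an unclear shape
        findings[ip] = {
            "verdict": verdict,
            "attempts": attempts,
            "distinct_users": len(users),
            "success_rate": round(success_rate, 2),
            "compromised": successes if verdict != "benign" else [],
        }
    return findings


if __name__ == "__main__":
    for ip, f in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, f)
```

On the sample, 203.0.113.9 is flagged as credential stuffing with carol's account listed as compromised, 198.51.100.77 as brute force against admin, and dave's three attempts stay benign. Note that an aggressive per-account lockout is the wrong answer to stuffing: it lets the attacker lock every user out at will, while a stuffing run that is spread over many sources barely trips it. Per-source throttling, a check of submitted passwords against known-breached lists, and MFA on the login endpoint address the root cause instead.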

Source…

Mobile User Authentication Market Upcoming Trends, Segmented by Type, Application, End-User and Region -CA TECHNOLOGIES, EMC, GEMALTO, SYMANTEC, VASCO DATA SECURITY INTERNATIONAL, AUTHENTIFY, ENTRUST DATACARD, SECUREAUTH, SECURENVOY, TELESIGN


A global market study examines the performance of the Mobile User Authentication market in 2022. It encloses an in-depth analysis of the state of Mobile User Authentication and of the competitive landscape globally. The global Mobile User Authentication market can be understood through details such as growth drivers, latest developments, business strategies, regional study, and future market status. The report also covers the industry’s latest opportunities and challenges along with historical and future trends. It focuses on the market dynamics that are constantly changing due to technological advancements and socio-economic conditions.

Pivotal players studied in the Mobile User Authentication report:

CA TECHNOLOGIES, EMC, GEMALTO, SYMANTEC, VASCO DATA SECURITY INTERNATIONAL, AUTHENTIFY, ENTRUST DATACARD, SECUREAUTH, SECURENVOY, TELESIGN

Get a free copy of the Mobile User Authentication report 2022: https://www.mraccuracyreports.com/report-sample/380320

This recent market study analyses the crucial factors of the Mobile User Authentication market based on present industry conditions, market demand, business strategies adopted by the players, and their growth scenarios. The report segments the market by key players, Type, Application and Region. It first offers detailed company profiles: basic products and specifications, generated revenue, production cost, and whom to contact. The report covers forecasts and analysis of Mobile User Authentication at global and regional level.

COVID-19 Impact Analysis:

In this report, the pre- and post-COVID impact on market growth and development is depicted for a better understanding of the Mobile User Authentication market, based on financial and industrial analysis. The COVID epidemic has affected a number of Mobile User Authentication players. However, the dominating players of the global Mobile User Authentication market are determined to adopt new strategies and look for new funding sources to overcome the…

Source…