Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label API Keys. Show all posts
Troy Hunt
API Keys Credential Phishing Cyber Attacks CyberCrime Cybersecurity CyberThreat Have I Been Pwned Troy Hunt

HaveIBeenPwned Founder Compromised in Phishing Incident

 


The cybersecurity expert Troy Hunt, who founded the data breach notification platform Have I Been Pwned, recently revealed that he had been the victim of a phishing attack that was intended to compromise his subscriber list for the attacker to gain access to his data. Hunt explained the circumstances surrounding this incident in a detailed blog post, and provided screenshots of the deceptive email which enabled the attack to succeed.

In the fraudulent message, the author impersonated Mailchimp, a legitimate email marketing company, and embedded a hyperlink that was directed to a nearly identical, but fraudulent domain, which was a common phishing attack. It was very difficult to distinguish at a glance between the spoofed and authentic domains, which is why MailChimp-sso.com (now deactivated) is so closely similar. In Hunt's case, he acknowledged that he was severely fatigued at the time of the attack, which made it harder for him to act correctly. He also mentioned that he was experiencing jet lag at the time of the attack. 

In response to the email, he accidentally entered his credentials along with the one-time password, which was used for authentication. However, the fraudulent webpage did not proceed to the expected interface as he expected, signalling that the attack had been carried out. As a result of this incident, phishing scams represent a very prevalent risk, which underscores the importance of maintaining constant vigilance, even among cybersecurity professionals.

As soon as Troy Hunt discovered that he had been victimized by a phishing scam, he reset his password and reviewed his account activity immediately. However, since the phishing attack was highly automated, his credentials were already exfiltrated by the time he could respond. Although Hunt has extensive cybersecurity experience, this particular phishing attempt proved to be extremely successful. 

Hunt attributes the success to both his exhaustion after a long flight, as well as the sophistication of the email that was intended to fool others. According to him, the phish was "well-crafted" and was subtly manipulating psychological triggers. In the email, rather than utilizing overt threats or excessive urgency, it was suggested that he would not be able to send newsletters unless he took action. It was thus possible to send the email with just the right amount of apprehension to prompt action without creating suspicions. 

As a result, Hunt, the founder of the Have I Been Pwned platform, a platform that alerts people to compromised credentials, has taken steps to ensure that the information exposed in this incident will be incorporated into his platform in the future, which he hopes will lead to improved performance. A direct notification will be sent to individuals who have been affected by the breach, including both current subscribers and those who have already unsubscribed but are still impacted by the breach. 

Troy Hunt, a cybersecurity expert who runs a blog dedicated to cyber security and privacy, was targeted on March 25, 2018, by a phishing attack that compromised subscriber data from his blog. The attack originates from an email that impersonates Mailchimp, the platform he uses for sending out blog updates via email. According to the fraudulent message, his account had been suspended temporarily because of a spam complaint and he was required to login in order to resolve it.

The fake email made it look authentic by threatening disruption of service and creating a sense of urgency. Hunt was unable to distinguish this attack despite his extensive experience in identifying similar scams, as he was fatigued and jet lag affected his judgment in the process. In his attempt to log in with the email's link, he noticed an anomaly-his password manager did not automatically fill in his credentials. As a result, this could indicate that the website is fraudulent, but this is not a definitive indication, since legitimate services sometimes require a login from a different domain in some cases. 

As a result of the attack, approximately 16,000 email records were successfully exfiltrated, including those of active and unsubscribed readers alike. It is the result of Mailchimp's policy of retaining unsubscribed user information, a practice that is now being reviewed. There were emails, subscription statuses, IP addresses, location metadata and email addresses included in the compromised data, though the geolocation data did not pinpoint subscriber locations specifically. 

When the breach was discovered, immediate steps were taken to prevent further damage from occurring. It was determined that the attacker's API key would be revoked by Mailchimp, and the phishing website would be taken offline once the password was reset. Founder of Have I Been Pwned, a platform that tracks data breaches, Hunt has now added this incident to its database, making sure that affected users have been made aware of the incident. 

As phishing has become increasingly sophisticated over the years, it has moved beyond stereotypical poorly worded emails and implausible requests, moving into new levels of complexity. Cybercriminals today employ extremely sophisticated tactics that take advantage of human psychology, making it more and more difficult for consumers to distinguish between legitimate and fraudulent communications. The recent incident highlights the growing risks associated with targeted phishing attacks, as well as the importance of cybersecurity awareness and defense. 

Key Insights and Takeaways:

Psychological Manipulation and the Subtle Use of Urgency 

The majority of phishing emails are crafted to create a feeling of immediate panic, such as threats of account suspension or urgent payment requests, causing immediate panic within the target. However, modern attackers have honed their strategies, utilizing subtle psychological strategies to weaken the defences of their targets. As a matter of fact, in this case, the fraudulent email implied a very minor yet urgent issue: that the newsletter could not be sent. To manipulate the recipient into taking action, the email created just enough concern without raising suspicions, which led the recipient to respond to the email effectively. It is therefore imperative to recognize psychological manipulation in social engineering attacks, even for small requests that are relatively urgent, especially when it comes to logging into an account or updating one's credentials, to be viewed with suspicion. 

Password Manager Behavior as a Security Indicator 

In this attack, several red flags were pointing at Hunt's password manager's behaviour. Password managers are designed to recognize and auto-fill credentials only when they are used on legitimate websites. It should have been a warning sign in this case that the credentials of the user failed to automatically populate on the website, which could have indicated the website was fraudulent. By paying close attention to their password manager behaviour, users will be able to become more aware of security risks associated with their password manager. The site may be a spoofed one if the credentials are not automatically filled. Instead of entering the login details manually, users should double-check the source of the website and confirm it is authentic before proceeding with the transaction. 

The Limitations of One-Time Passwords (OTPs) in Phishing Attacks 

The multi-factor authentication (MFA) technique is widely considered to be one of the best security measures available, but it is not immune to phishing attacks. In this case, the attackers also requested Hunt to provide a password along with an OTP after he provided his username and password. Once he provided the password, the attackers gained access to his legitimate account immediately. 

A major weakness of OTP-based authentication is the inability to protect against real-time phishing attacks, where credentials are stolen and used instantly. The risk can be mitigated by requiring users to enter OTPs when they see sites that look suspicious or differ slightly from their usual login flow. Users are advised to be cautious when they are asked to enter OTP.

Passkeys as a Stronger, Phishing-Resistant Alternative There is no better way to authenticate a user than using passkeys, which are cryptographic credentials linked to the device of a user instead of traditional passwords. Passkeys are based on biometric authentication, for example, fingerprints, facial recognition, or even on-device authentication mechanisms. 

As passkeys are not associated with manually entering credentials, they have a much higher resistance to phishing attacks than traditional passwords. Passkeys work on the trust-based model, unlike passwords and OTPs, where they require physical access to the device registered for authentication. In contrast to traditional login methods, passkeys are a powerful alternative that can be used in place of traditional login methods and can serve as a valuable defence against phishing attempts as well. 

The Importance of Continuous Security Awareness 


Despite their expertise, even cybersecurity experts can be susceptible to sophisticated attacks, highlighting the importance of maintaining constant vigilance. The best way to enhance your security is to verify URLs carefully – Keep an eye out for slight misspellings or variations in URLs, as attackers are often able to create a lookalike URL by using security keys or passkeys. By using hardware-based authentication, such as YubiKeys, or passkeys, you can be assured that your information will be secure. If anyone receives a suspicious email asking for login credentials, security updates, or sensitive actions, be cautious and verify the message separately. 

Using Advanced Threat Protection – Organizations should take advantage of tools powered by artificial intelligence that are capable of detecting phishing attempts and blocking them in real-time. Educating Employees and Individuals – By attending regular cybersecurity training, you can become aware of the ever-evolving tactics used by phishing websites, minimizing the chances of human error. 

Although it is not possible to ensure complete protection against phishing attacks with just one security measure, adopting a multi-layered approach, a combination of awareness, technological safeguards, and behavioural vigilance, can greatly reduce your chances of becoming a victim of the attack. Despite being an experienced cybersecurity professional, even the most experienced individuals are not immune to social engineering techniques as demonstrated by the Troy Hunt incident. 

There was a significant contribution of fatigue and reduced attentiveness in this case, leading to a misjudgment that was essentially avoidable. It is known that social engineering can be extremely effective when it is employed in the right circumstances to reach the right people at the right time, resulting in a misjudgment that could have been avoided if it had been implemented correctly. The incident illustrates the way cybercriminals are using human weaknesses to achieve their objectives by exploiting human vulnerabilities. 

According to Aditi Gupta, a principal security consultant at Black Duck, attackers use a variety of tactics to manipulate unsuspecting victims, such as fear, urgency, and fatigue, to fool inexperienced people, reinforcing the theory that no one can escape sophisticated phishing schemes altogether. However, Hunt has been praised for being transparent in sharing his experience, which has served as a powerful tool for educating others about the risks associated with cybersecurity, despite the setbacks he has experienced. 

Despite admitting that he had made mistakes, he also expressed concern about Mailchimp’s security practices, especially the fact that the company did not offer two-factor authentication that is phishing resistant and kept intact for years to come. Cyber threats are not only mitigated through continuous vigilance, robust authentication mechanisms, and organizational responsibility, but also through continuous vigilance, robust authentication mechanisms, and organizational responsibility. 

The threat of social engineering attacks continues to increase and to remain protected from these attacks, it is imperative to strengthen security protocols, eliminate conventional authentication methods, and maintain cybersecurity awareness throughout the organization.
Read more »
iOS
API Keys App security cloud storage Cybersecurity Data Breach Data Leak Encryption Hardcoded Secrets iOS

Thousands of iOS Apps Expose Sensitive Data Through Hardcoded Secrets, Researchers Warn

 

Cybersecurity researchers have uncovered alarming vulnerabilities in thousands of iOS applications, revealing that hardcoded secrets in their code have put users' sensitive information at risk.

A recent analysis by Cybernews examined over 156,000 iOS apps and detected more than 815,000 hardcoded secrets—some of which are highly sensitive and could potentially lead to security breaches or data leaks.

The term "secret" broadly refers to sensitive credentials like API keys, passwords, and encryption keys. These are often embedded directly into an app’s source code for convenience during development, but developers sometimes fail to remove them before release. According to Cybernews, the average iOS app exposes 5.2 secrets, and 71% of apps contain at least one leaked credential.

While some of these hardcoded secrets pose minimal risk, the report highlights serious threats. Researchers identified over 83,000 cloud storage endpoints, with 836 exposed without authentication, potentially leaking more than 400TB of data. Additionally, 51,000 Firebase endpoints were discovered, thousands of which were accessible to outsiders. Other exposed credentials include API keys for platforms like Fabric API, Live Branch, and MobApp Creator.

Among the most critical findings were 19 hardcoded Stripe secret keys, which directly control financial transactions. Cybernews researchers emphasized the severity of this issue, stating: “Stripe is widely used by e-commerce and even fintech companies to handle online payments.”

This vulnerability could allow cybercriminals to manipulate transactions or gain unauthorized access to payment infrastructure.

The findings challenge the common belief that iOS apps offer stronger security compared to other platforms.

“Many people believe that iOS apps are more secure and less likely to contain malware. However, our research shows that many apps in the ecosystem contain easily accessible hardcoded credentials. We followed the trail and found open databases with personal data and accessible infrastructure,” said Aras Nazarovas, a security researcher at Cybernews.

This study underscores the importance of secure coding practices and urges developers to adopt better security protocols to prevent data breaches and unauthorized access.


Read more »
User Privacy
API Keys Apple Cryptography Cyber Security Google Passkey Password Phishing Scams Platforms Technology User Privacy

Revolutionizing Security: Passkeys by Google and Apple

Online security has grown to be of utmost importance in a digital environment that is always changing. Passkeys, a cutting-edge authentication system that is poised to transform how we protect our accounts, are being pushed for by Google and Apple, who are leading the effort.

Passkeys, also known as cryptographic keys, are a form of authentication that rely on public-key cryptography. Unlike traditional passwords, which can be vulnerable to hacking and phishing attacks, passkeys offer a more robust and secure method of verifying user identity. By generating a unique pair of keys – one public and one private – passkeys establish a highly secure connection between the user and the platform.

One of the key advantages of passkeys is that they eliminate the need for users to remember complex passwords or go through the hassle of resetting them. Instead, users can rely on their devices to generate and manage these cryptographic keys. This not only simplifies the login process but also reduces the risk of human error, a common factor in security breaches.

Google and Apple have been at the forefront of this innovation, integrating passkey technology into their platforms. Apple, for instance, has introduced the Passkeys API in iOS, making it easier for developers to implement this secure authentication method in their apps. This move signifies a significant shift towards a more secure and user-friendly digital landscape.

Moreover, passkeys can play a pivotal role in thwarting phishing attacks, which remain a prevalent threat in the online realm. Since passkeys are tied to specific devices, even if a user inadvertently falls victim to a phishing scam, the attacker would be unable to gain access without the physical device.

While passkeys offer a promising solution to enhance online security, it's important to acknowledge potential challenges. For instance, the technology may face initial resistance due to a learning curve associated with its implementation. Additionally, ensuring compatibility across various platforms and devices will be crucial to its widespread adoption.

Passkeys are a major advancement in digital authentication. Google and Apple are leading a push toward a more secure and frictionless internet experience by utilizing the power of public-key cryptography. Users might anticipate a time in the future when the laborious practice of managing passwords is a thing of the past as this technology continues to advance. Adopting passkeys is a step toward improved security as well as a step toward a more user-focused digital environment.

Read more »
Reddit
API Keys Blackout Privacy Private Data Reddit

Reddit Blackout: Subreddits Protest New Pricing Policy

 

In a show of protest against Reddit's new pricing policy, thousands of subreddits are planning to go private for 48 hours starting on Monday. This move aims to bring attention to concerns about the platform's recent changes and their potential impact on the Reddit community.

The protest comes in response to Reddit's decision to introduce a new premium membership tier called "Reddit Premium Platinum," which offers additional features and benefits to users for a monthly fee. This move has sparked controversy and criticism from many Reddit users who fear that it will create a two-tier system and undermine the platform's core principles of free and open discussion.

The blackout is organized by moderators of various subreddits who are concerned about the direction Reddit is taking. By making their communities private, they hope to raise awareness among users and encourage discussions about the potential consequences of the new pricing policy.

The protest is not limited to specific types of subreddits; a wide range of communities across various topics are expected to participate. This includes popular subreddits such as r/AskReddit, r/pics, and r/movies, among others. The blackout is expected to significantly impact the overall activity and engagement on the platform for the duration of the protest.

Critics argue that the new pricing policy could lead to a more commercialized Reddit, potentially favoring large corporations and diminishing the influence of individual users. They express concerns that the platform's sense of community and democratic nature could be eroded as a result.

In response to the planned blackout, Reddit released a statement acknowledging the concerns and stating that they are committed to engaging with users to address their feedback. They emphasized the importance of user input in shaping the platform's future and pledged to continue refining their offerings based on community feedback.

The blackout serves as a reminder of the power of online communities and their ability to mobilize for a common cause. Reddit has a history of user-driven protests that have influenced policy changes in the past. The collective action by subreddit moderators highlights the significance of their role in shaping the platform and the importance of user voices in discussions about its future direction.

As the blackout unfolds, it is yet to be seen how Reddit users and the platform's management will navigate this period of heightened tensions. It will likely serve as a critical moment for both sides to engage in open dialogue and find common ground to address the concerns raised by the community.

Read more »
Zero Trust
API Keys Firewall IoT devices Microsoft Azure Privacy Threat actors VPN Zero Trust

A Zero-Trust Future Encourage Next-Generation Firewalls

The future of Zero Trust security relies greatly on next-generation firewalls (NGFWs). NGFWs are classified by Gartner Research as "deep packet inspection firewalls that incorporate software inspection, intrusion prevention, and the injection of intelligence from outside the firewall  in addition to protocol inspection and blocking."  As per Gartner, an NGFW should not be mistaken for a standalone network intrusion prevention system (IPS) that combines a regular firewall and an uncoordinated IPS in the same device.

Significance of Next-Generation Firewalls

1. Substantial expense in ML and AI

As part of zero-trust security management goals, NGFW providers are boosting their assets in ML and AI to distinguish themselves from competitors or provide higher value. Analytical tools, user and device behavior analysis, automated threat detection and response, and development are all focused on identifying possible security issues before they happen. NGFWs can continuously learn and react to the shifting threat landscape by utilizing AI and ML, resulting in a more effective Zero Trust approach to defending against cyberattacks.

2. Contribution of a Zero Trust 

By removing implicit trust and regularly confirming each level of a digital transaction, the zero trust approach to cybersecurity safeguards a business. Strong authentication techniques, network segmentation, limiting lateral movement, offering Layer 7 threat prevention, and easing granular, least access restrictions are all used to defend modern settings and facilitate digital transformation. 

Due to a lack of nuanced security measures, this implicit trust means that once on the network, users, including threat actors and malevolent insiders, are free to travel laterally and access or exfiltrate sensitive data. A Zero Trust strategy is now more important than ever as digitalization accelerates in the shape of a rising hybrid workforce, ongoing cloud migration, and the change of security operations. 

3. Threat monitoring to enforce least privilege access

Device software for NGFWs, such as Patch management tasks can be handled by IT teams less frequently because updates are distributed in milliseconds and are transparent to administrators.

NGFWs that interface with Zero Trust environments has automated firmware patch updates, IPS, application control, automated malware analysis, IPsec tunneling, TLS decryption, IoT security, and network traffic management (SD-WAN) patch updates.  

NGFWs used by Microsoft Azure supply Zero Trust

By enabling businesses to impose stringent access rules and segment their networks into distinct security zones, Microsoft Azure leverages next-generation firewalls (NGFWs) to deliver zero-trust security. This enhances the overall network security posture.

Azure Firewall can be set up to monitor traffic in addition to regulating it, looking for risks and anomalies, and taking appropriate action. In an effort for this, malicious communications can be blocked, infected devices can be quarantined, and security staff can be made aware of potential dangers.


NGFW firms are investing more in AI and ML to further distinguish their solutions. Companies must continue to enhance API connections, particularly with IPS, SIEM systems, and Data Loss Prevention (DLP) solutions. They must also concentrate on how software-defined networking (SDN) might increase adaptability while supplying finer-grained control over network traffic. A well-implemented Zero Trust architecture not only produces improved overall security levels but also lower security intricacy and operational overhead.
Read more »
Safety
API Keys Cyber Data data security malware PyPI Package Safety

This Fraudulent ‘SentinelOne’ PyPI Package Steals Data from Developers

 

Researchers discovered criminals spoofing a well-known cybersecurity firm in an attempt to steal data from software developers. ReversingLabs researchers recently discovered a malicious Python(opens in new tab) package called "SentinelOne" on PyPI. 

The package, named after a well-known cybersecurity firm in the United States, masquerades as a legitimate SDK client, enabling easy access to the SentinelOne API from within a separate project. 

However, the package also includes "api.py" files that contain malicious code and allow threat actors to steal sensitive data from developers and send it to a third-party IP address (54.254.189.27). Bash and Zsh histories, SSH keys,.gitconfig files, hosts files, AWS configuration information, Kube configuration information, and other data are being stolen.

According to the publication, these folders typically store auth tokens, secrets, and API keys, granting threat actors additional access to target cloud services and server endpoints.

Worse, the package does provide the functionality that the developers expect. In reality, this is a hijacked package, which means that unsuspecting developers may use it and become victims of their own ignorance. The good news is that ReversingLabs confirmed the package's malicious intent and had it removed from the repository after reporting it to SentinelOne and PyPI.

The malicious actors were very active in the days and weeks leading up to the removal. The package was first submitted to PyPI on December 11, and it has been updated 20 times in less than a month.The researchers discovered that one of the issues fixed with an update was the inability to exfiltrate data from Linux systems.

The researchers concluded that it is difficult to say whether anyone fell for the scam because there is no evidence that the package was used in an actual attack. Nonetheless, all of the published versions were downloaded over 1,000 times.
Read more »
Subscribe to: Posts (Atom)