
Four Steps to Steer Clear of Data Leaks

 



Within the last few months, we have seen the scale of data breaches soar to millions of victims. The most exposed targets are usually major companies that process personal data; National Public Data, Medicare, and MC2 Data are all illustrative examples where hundreds of billions of records were leaked and several people became victims of identity theft, fraud, and other serious harm.

Although data leaks are becoming more alarming by the day, there is still a lot you can do to protect your personal information. The four key actions you can take to strengthen your online defences and avoid becoming a target are discussed below:


Strengthen Your Login Security

As more and more passwords leak onto the web, it becomes much easier for hackers to exploit weak or reused passwords. Once a password has leaked, cybercriminals can use it in credential stuffing attacks, trying the same username and password combination against many different accounts. The risk can be minimised by using a different strong password for every account, which is most practical with a password manager that stores them securely.

However, even the best password can still be cracked or guessed, so extra layers of security are needed. Two-factor authentication, or 2FA, adds a significant barrier by requiring a second form of verification before access to an account is granted. The two most common forms of 2FA are email and SMS codes, but both can be intercepted. More secure methods include authenticator apps and hardware security keys such as a YubiKey, where physical possession of the device is required to log in to any of the protected accounts.

Another way to log in is with passkeys, which are expected to eventually replace passwords. Passkeys are cryptographically protected, tied to your device, and resistant to phishing attacks, which adds further protection for your accounts. You can also back up your passkeys or set up a fallback login method, such as 2FA, in case you lose your device.


Secure Your Financial Information

A Social Security number is a typical example of the kind of personal information exposed in a data breach that increases the risk of identity theft. Protecting your financial life comes down to freezing your credit and banking reports, which prevents someone else from opening accounts in your name. You should also check your credit report regularly for any suspicious activity.

Setting up an Identity Protection PIN with the IRS adds a further layer of security to your tax filings, so that no one but you can file under your name. It can be done within days and costs only a few hours of your time, a small price to pay to avoid costly and time-consuming fraud.


Be on Your Guard About Communications

The dark web holds so much stolen personal information that it is easy for scammers to write very convincing messages and place calls in your name. They may also call pretending to be your bank, a credit card company, or someone you know in order to extract further sensitive details. Do not trust unsolicited communications, no matter how genuine they sound.

If you do receive a message that says an account has been breached, do not click any links and do not provide sensitive personal data over the phone. Reach out to the organisation using official contact channels.

If you receive a message supposedly from family or friends, confirm the request through another communication channel, as their accounts may have been hacked.


Don't Rely on Trust Alone

As AI-assisted scams become more sophisticated, be doubly careful in all your dealings online. Because scammers are constantly evolving their tactics, it is becoming harder to distinguish the real from the fake. Proactive steps such as securing all your accounts, protecting your financial information, and confirming any unusual communication reduce the damage you face if you do become a target of cybercrime.

Nothing is foolproof in this changing digital world, but by taking these steps you make it much harder for hackers to reach your information. Protecting yourself today may save you from a costly and stressful aftermath in the future.


Say Goodbye to Login Struggles with Apple’s New ‘Passwords App’

 


With its much-awaited iOS 18, Apple is launching an app called Passwords, created to improve one of the oldest and most neglected aspects of digital security: password management. The Passwords app is now available on iPhones, iPads, and Macs. By moving this long-standing feature into a dedicated application, Apple hopes to demystify how users store and protect their digital credentials and bring better password security to millions of people.


All New Standalone Password Manager

For years, Apple's Keychain system quietly protected its users' passwords, so they never had to remember complex login information for every app and website. With iOS 18, Keychain has been revamped and placed into an app that is not only visible but user-friendly: the new Passwords app gathers all login credentials and passkeys in one place, making them easier to manage. This reflects Apple's increasing focus on usability as well as security; the app promises to be easier to use than ever for consumers who are barely familiar with password managers.

Talal Haj Bakry and Tommy Mysk of the security firm Mysk welcomed Apple's new app because it represents a far simpler approach to password management. According to them, it will also make users realise that password management is essential, by giving them a secure default tool preinstalled on every Apple device. Notably, Passwords uses end-to-end encryption, meaning no one, including Apple, can read your saved credentials.


Password Manager Features and Design

In terms of design, the Passwords app presents a minimal interface with six main sections: All, Passkeys, Codes, Wi-Fi, Security, and Deleted, each used to securely store a different type of information. The Security section is particularly noteworthy, as it identifies weak or compromised passwords so that users can replace them with stronger login credentials.

All login details are synchronised through iCloud, so users can access their credentials from whichever device they are using. However, users who want to limit syncing for privacy reasons can turn it off for particular devices. With Face ID protection, the app is secured against unauthorised access by others.

All information previously saved in Keychain will automatically migrate to Passwords, including sign-in details from Sign in with Apple.


Why Improve Your Password Habits?

Apple's Passwords app was introduced with the goal of streamlining password management and encouraging better password practices among users. According to cybersecurity expert Siamak Shahandashti, what makes the Passwords app notable is that it encourages users to adopt stronger passwords and to be more careful in the digital sphere generally. In Shahandashti's view, existing authentication systems are too complex for everyday users, and that is the gap he sees the Apple app filling.

The app also supports passkeys, which are considered the next-generation replacement for passwords. Passkeys provide better security without requiring you to remember long, convoluted passwords. To promote passwordless sign-in, Apple has enabled by default a security setting that upgrades existing accounts to passkeys wherever possible.


Impact on the Password Management Industry

With its entry into the password management space, Apple has the potential to seriously disrupt the long-standing third-party apps in this area. Because the new Passwords app is integrated throughout Apple's ecosystem and synced through iCloud, it can easily attract users looking for an easy, built-in solution rather than a third-party app. Critics, however, point out that Apple's limited options for exporting data to other platforms lock users into its system.

Ultimately, among the many password management options on the market, this new application from Apple could become the "one-stop shop" for millions of users. It simplifies password management and strengthens security, making it a great option for those who have not yet adopted a password manager or are looking for an integrated solution.

All in all, Apple's Passwords app is a meaningful step forward in digital security, letting people manage their passwords and passkeys in a streamlined and secure way. For many, it may be the ideal solution to their login problems while also improving their online security.


OAuth and XSS Bugs: Exposing Data of Millions of Users

The cyberspace landscape changes frequently; sometimes the change is good, and sometimes we stumble across challenges.

One such problem surfaced recently when Salt Labs experts found OAuth (Open Authorization) implementation flaws and cross-site scripting (XSS) vulnerabilities in the Hotjar service, a tool used by websites for tracking user behavior, and in the code of the well-known global news website Business Insider.

These loopholes highlight the urgent need for strong security measures and constant vigilance to protect important user data.

About OAuth and XSS

OAuth (Open Authorization) is a widely used protocol that allows third-party applications to access user information without exposing the user's password. It gives users a safe and systematic way to grant access to their data across different platforms. When implemented incorrectly, however, OAuth vulnerabilities can be exploited by malicious actors to gain unauthorized access to user accounts.

A cross-site scripting (XSS) vulnerability allows threat actors to inject malicious scripts into web pages that other users view. These scripts can steal sensitive information such as cookies, session tokens, and other details, enabling account takeover and data breaches.

The Attack Vector

In attacks combining OAuth bugs and XSS vulnerabilities, threat actors create a specially crafted URL containing the XSS payload. If a user clicks on this URL, the malicious script executes in the context of the user's session. This lets the threat actor hijack the user's OAuth token and gain unauthorized access to the account, acting as if they were the user. The consequences of such an attack are severe, including the leak of sensitive data such as emails, bank details, names, and addresses.

Real-World Impact

The possible implications of such an attack vector can be far-reaching. Millions of internet users who depend on services like Business Insider and Hotjar are exposed to the risks of account hijacking. The stolen OAuth tokens can be used to mimic users, access their personal data, and perform unauthorized actions on their behalf. 

The risk is just as serious for businesses: a successful attack can result in a data breach, reputational damage, and financial losses. User trust in these services can erode, leading to loss of customers and profits. Additionally, regulators may impose heavy fines and penalties for failure to protect user data.

How to Stay Safe: Mitigation Strategies

  • Make sure OAuth implementations follow best practices and are regularly audited for security loopholes. Use secure token storage mechanisms and implement robust access controls to prevent unauthorized use of tokens.
  • Content Security Policy (CSP): deploy a strict CSP to prevent the execution of unexpected scripts. CSP limits the impact of XSS attacks by blocking the execution of injected scripts.
  • Conduct frequent security audits and penetration tests to find and patch bugs.
  • User education: avoid clicking suspicious links and use strong passwords. Also, use MFA (multi-factor authentication) for an extra layer of security.
  • Use strong input validation and output sanitization techniques to stay safe from XSS attacks. Validate and sanitize all user input before processing and display.
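As an added illustration (not code from Salt Labs, Hotjar, or Business Insider), the following Node.js snippet shows two of the mitigations listed above side by side: HTML output encoding of untrusted input, with a deliberately vulnerable renderer next to its hardened form, and a Content Security Policy built without 'unsafe-inline' so that an injected inline script is not executed by the browser. All function names and the sample input are hypothetical.

```javascript
// Added example: XSS mitigations from the list above (output encoding and CSP).
// Not code from the services discussed; function names and inputs are constructed.

// Characters that must be encoded before untrusted text is placed into HTML.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode untrusted text for an HTML text or quoted-attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable renderer: the untrusted value is concatenated straight into markup,
// so a value containing a <script> tag becomes executable code in the page.
function renderGreetingUnsafe(displayName) {
  return `<p>Welcome back, ${displayName}</p>`;
}

// Hardened renderer: the same value is encoded first and stays inert text.
function renderGreetingSafe(displayName) {
  return `<p>Welcome back, ${escapeHtml(displayName)}</p>`;
}

// Build a Content-Security-Policy header value. Without 'unsafe-inline' in
// script-src, the browser refuses to run inline scripts that an XSS bug injects,
// which limits the blast radius even when an encoding step is missed somewhere.
function buildCsp(allowedScriptOrigins = []) {
  const scriptSrc = ["'self'", ...allowedScriptOrigins].join(" ");
  return [
    "default-src 'self'",
    `script-src ${scriptSrc}`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Audit helper: does this policy string let inline scripts execute?
// script-src governs if present, otherwise default-src; neither means no limit.
function cspAllowsInlineScript(csp) {
  const directives = csp.split(";").map((d) => d.trim()).filter(Boolean);
  const find = (name) =>
    directives.find((d) => d === name || d.startsWith(name + " "));
  const governing = find("script-src") || find("default-src");
  if (!governing) return true;
  return governing.split(/\s+/).includes("'unsafe-inline'");
}

// Constructed sample input standing in for a display name taken from a URL.
const SAMPLE_INPUT = "<script>alert(1)</script>";

function demo() {
  console.log(renderGreetingUnsafe(SAMPLE_INPUT)); // script tag survives
  console.log(renderGreetingSafe(SAMPLE_INPUT)); // script tag is encoded
  console.log(buildCsp(["https://cdn.example"]));
}
demo();
```

The value returned by `buildCsp` is sent as the `Content-Security-Policy` response header. Encoding at output time is the primary control; the CSP is the second layer that keeps an injected script from reading cookies or a token even if one rendering path forgets to encode.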

Okta: October Data Breach Impacts All Users Across Customer Support Systems

The latest investigation

Okta's recent investigation into the October breach of its Help Center environment disclosed that the threat actors stole data belonging to all users of its customer support system. Okta added that the hackers also stole additional reports and support cases containing contact information for all Okta-certified users.

“We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident,” mentioned Okta.

Hackers gained unauthorized access

Early in November, the company announced that a threat actor had obtained unauthorized access to files within its customer support system, describing it as a small data breach.

Based on the facts revealed at the time, the hacker acquired HAR files containing cookies and session tokens for 134 clients (fewer than 1% of the company's customers), which could be used to take over legitimate users' Okta sessions.
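HAR files are browser network captures in JSON form, and the reason they were dangerous here is that they record request and response headers and cookies verbatim. As an added example (not Okta's tooling), the following Node.js snippet redacts cookies and credential-bearing headers from a HAR before it is attached to a support case, and offers a final check that a known secret no longer appears anywhere in the file. The HAR layout used is the standard `log.entries[].request/response` structure; the sample capture and all names are constructed.

```javascript
// Added example, not Okta's code: redact cookies and session tokens from a
// HAR file before sharing it with a support desk. Sample capture is constructed.

const SENSITIVE_HEADERS = new Set([
  "cookie",
  "set-cookie",
  "authorization",
  "proxy-authorization",
]);
const REDACTED = "[REDACTED]";

// Replace the value of every sensitive header in place; return how many.
function redactHeaders(headers) {
  let count = 0;
  for (const header of headers) {
    if (SENSITIVE_HEADERS.has(String(header.name).toLowerCase())) {
      header.value = REDACTED;
      count += 1;
    }
  }
  return count;
}

// Cookies carry session identifiers, so every cookie value is blanked.
function redactCookies(cookies) {
  for (const cookie of cookies) cookie.value = REDACTED;
  return cookies.length;
}

// Return a sanitized deep copy of the HAR plus the number of redactions made.
// The original object is left untouched so the caller can diff the two.
function sanitizeHar(har) {
  const clean = JSON.parse(JSON.stringify(har));
  let redactions = 0;
  for (const entry of clean.log.entries) {
    for (const message of [entry.request, entry.response]) {
      if (!message) continue;
      redactions += redactHeaders(message.headers || []);
      redactions += redactCookies(message.cookies || []);
    }
  }
  return { har: clean, redactions };
}

// Final check before attaching the file: does any known secret value still
// appear anywhere in the serialized HAR (bodies, URLs, headers)?
function containsSecret(har, secrets) {
  const text = JSON.stringify(har);
  return secrets.some((s) => text.includes(s));
}

// Constructed sample capture (not a real Okta or customer HAR).
const SAMPLE_HAR = {
  log: {
    version: "1.2",
    entries: [
      {
        request: {
          method: "GET",
          url: "https://app.example.test/api/me",
          headers: [
            { name: "Cookie", value: "sid=abc123" },
            { name: "Accept", value: "application/json" },
          ],
          cookies: [{ name: "sid", value: "abc123" }],
        },
        response: {
          status: 200,
          headers: [{ name: "Set-Cookie", value: "sid=def456; HttpOnly" }],
          cookies: [{ name: "sid", value: "def456" }],
          content: { mimeType: "application/json", text: "{}" },
        },
      },
    ],
  },
};

function demo() {
  const { har, redactions } = sanitizeHar(SAMPLE_HAR);
  console.log(`redactions: ${redactions}`);
  console.log(`secrets remain: ${containsSecret(har, ["abc123", "def456"])}`);
}
demo();
```

Header and cookie redaction covers the fields that carried session tokens in this incident; `containsSecret` is the belt-and-braces step, because a token can also appear in a URL or response body that a field-based sanitizer does not know about.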

Let us take a deep dive into the incident 

A deeper look into the incident found that the threat actor also "downloaded a report that contained the names and email addresses of all Okta customer support system users."

Okta added that for 99.6% of the users listed in the report, the only contact information exposed was their full name and email address. Okta stated that no credentials had been compromised.

According to Okta's announcement, most of the exposed users are administrators, and 6% of them had not enabled multi-factor authentication to protect against fraudulent login attempts.

According to Okta, the hackers also obtained data from "Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts" and Okta personnel information.

Often, names and email addresses are all a hacker needs to carry out phishing or social engineering campaigns, whether for espionage or to gather the further information needed to construct a more sophisticated attack.

Okta recommends the following measures to protect against potential attacks:

  • Implement multi-factor authentication (MFA) for admin access, preferably using phishing-resistant methods such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC smart cards.
  • Configure admin session binding so that a change of IP address forces re-authentication for admin sessions.
  • In line with NIST recommendations, limit admin sessions to 12 hours with a 15-minute idle timeout.
  • Raise phishing awareness by staying alert to phishing attempts and reinforcing IT Help Desk verification processes, particularly for high-risk actions.
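As an added example (not Okta's code or configuration), the following Node.js snippet expresses the session controls in the second and third recommendations as one policy check: a 12-hour absolute lifetime, a 15-minute idle timeout, and binding the session to the IP address it was created from, where any failure means the admin must re-authenticate rather than the session being quietly rebound. The session and request shapes and the sample timeline are hypothetical.

```javascript
// Added example, not Okta's code: the admin session controls recommended
// above expressed as a single policy check. Limits are the ones the post
// quotes; session/request shapes and the timeline are constructed.

const MINUTE_MS = 60 * 1000;
const HOUR_MS = 60 * MINUTE_MS;
const MAX_SESSION_LIFETIME_MS = 12 * HOUR_MS; // absolute session lifetime
const MAX_IDLE_MS = 15 * MINUTE_MS; // idle timeout

// Decide whether one admin request may proceed on an existing session.
// Any denial means the admin must re-authenticate; the session is never
// silently rebound to a new IP address.
function evaluateAdminRequest(session, request) {
  if (request.at - session.createdAt > MAX_SESSION_LIFETIME_MS) {
    return { allow: false, reason: "lifetime-exceeded" };
  }
  if (request.at - session.lastSeenAt > MAX_IDLE_MS) {
    return { allow: false, reason: "idle-timeout" };
  }
  if (request.ip !== session.boundIp) {
    return { allow: false, reason: "ip-changed" };
  }
  return { allow: true, reason: "ok" };
}

// Replay a sequence of requests against one session. The idle timer is
// refreshed only by allowed requests, so a denied request cannot keep a
// session alive. The input session object is not mutated.
function replayAdminSession(session, requests) {
  const state = { ...session };
  const decisions = [];
  for (const request of requests) {
    const decision = evaluateAdminRequest(state, request);
    decisions.push({ at: request.at, ip: request.ip, ...decision });
    if (decision.allow) state.lastSeenAt = request.at;
  }
  return decisions;
}

// Constructed timeline: an admin session bound to one office address.
const T0 = Date.UTC(2024, 0, 1, 9, 0, 0);
const SAMPLE_SESSION = {
  id: "admin-session-1",
  boundIp: "203.0.113.10",
  createdAt: T0,
  lastSeenAt: T0,
};
const SAMPLE_REQUESTS = [
  { at: T0 + 5 * MINUTE_MS, ip: "203.0.113.10" }, // same IP, active: allowed
  { at: T0 + 10 * MINUTE_MS, ip: "198.51.100.7" }, // new IP: re-authenticate
  { at: T0 + 30 * MINUTE_MS, ip: "203.0.113.10" }, // 25 min idle: re-authenticate
  { at: T0 + 13 * HOUR_MS, ip: "203.0.113.10" }, // past the 12 h lifetime
];

function demo() {
  for (const d of replayAdminSession(SAMPLE_SESSION, SAMPLE_REQUESTS)) {
    const verdict = d.allow ? "allow" : `deny (${d.reason})`;
    console.log(new Date(d.at).toISOString(), d.ip, verdict);
  }
}
demo();
```

The ordering of the checks matters: lifetime and idle limits are evaluated before the IP comparison, so a stolen session token is useless once either clock runs out, regardless of where it is replayed from.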

“We also identified additional reports and support cases that the threat actor accessed, which contain the contact information of all Okta-certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information. Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data,” wrote Okta in a statement. 

Over the past two years, Okta has repeatedly been the victim of credential theft and social engineering attacks; last December, attackers gained access to source code in the company's private GitHub repositories.