Cybersecurity researchers have disclosed details of a now-patched bug in Box's multi-factor authentication mechanism that could be abused to completely sidestep SMS-based login verification. "Using this technique, an attacker could use stolen credentials to compromise an organization's Box account and exfiltrate sensitive data without access to the victim's phone," Varonis researchers said in a report shared with The Hacker News.
Zoho has addressed a new critical severity vulnerability that affects the company's Desktop Central and Desktop Central MSP unified endpoint management solutions. ManageEngine Desktop Central is an endpoint management platform that allows admins to deploy patches and software over the network and troubleshoot them remotely.
The FBI is seeing so much activity around malicious Google Voice activity, where victims are associated with fraudulent virtual phone numbers, that it sent out an alert this week. So they tell you they will send you a Google authentication code in the form of a voice call or a text message, and then ask you to repeat the number back to them to prove you're real.
The Federal Bureau of Investigation says Americans who share their phone number online are being targeted by Google Voice authentication scams. If successful, they will set up a Google Voice account in their victims' names or hijack their Gmail accounts which will later be used in other fraud schemes or in phishing attacks.
While this new report outlines authentication requirements for government agencies, they are also excellent guidelines for all fields and user levels. On the strength of passwords, NIST underlines that the requirements of using special characters, for example !$#%&, are obsolete since users still tend to add something that will keep the password memorable.
AWS previewed new developer resources at its Re:invent conference, including new SDKs for Rust, Swift, and Kotlin, as well as Amplify Studio for rapid web applications, integrated with the Figma design tool. The SDKs provide a language wrapper for APIs to AWS services.
How can you be sure that someone is who they say they are, if they're not standing in front of you? In a digital world, how can organizations be sure that an individual attempting to access online services is who they claim to be? Or that they exist at all - are they a fake identity created for fraud or malicious intent? Online biometric authentication enables governments, banks and other enterprises to securely verify user identity.
Using survey responses the cost of economic efficiencies from the use of passwordless technologies was calculated and suggests cost savings of $1.9M over conventional password-based MFA. "Enterprises continue to feel threatened in the pandemic with many feeling targeted, and this along with remote work and associated loss of productivity from password problems is driving increased adoption of passwordless technologies," said Dr Larry Ponemon. Organizations with passwordless authentication have significantly lower help desk calls pertaining to passwords.
Microsoft 365, formerly called Office 365, is Microsoft's cloud strategy flagship product with major changes ahead, such as the deprecation of their legacy authentication protocols. These authentication protocols do not support modern authentication mechanisms like multi-factor authentication, which means that enabling MFA won't suffice.
Hardware-based security tokens or dongles have gained popularity, particularly at the enterprise level. Tiny hardware devices are not without their challenges.