Security News

Sophisticated hackers have accessed email accounts of organizations and government agencies via authentication tokens they forged by using an acquired Microsoft account consumer signing key, the company has revealed on Tuesday. "The threat actor Microsoft links to this incident is an adversary based in China that Microsoft calls Storm-0558. We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection."

Many organizations agree in theory that passwordless authentication is the future, but getting there represents a significant change management challenge. One way to accomplish this is by communicating the benefits of passwordless authentication to stakeholders with use cases that illustrate how the friction they currently experience in their day-to-day workflows will be eliminated.

Computer scientists at the University of Waterloo have discovered a method of attack that can successfully bypass voice authentication security systems with up to a 99% success rate after only six tries. Voice authentication - which allows companies to verify the identity of their clients via a supposedly unique "Voiceprint" - has increasingly been used in remote banking, call centers and other security-critical scenarios.

An authentication bypass vulnerability in the Arcserve Unified Data Protection enterprise data protection solution can be exploited to compromise admin accounts and take over vulnerable instances, MDSec researchers Juan Manuel Fernández and Sean Doherty have found - and have released a PoC exploit for it."At this time, Arcserve is not aware of any active attempts to exploit this vulnerability," the company said on Tuesday, when it pushed out fixes for the flaw.

Amid an industry migration away from passwords, Okta has launched Okta Device Access, part of its suite of Workforce Identity Cloud products and an effort to unify passkey access across all devices under a single identity and access management platform. Designed to extend identity access management to the point of device login, the Okta Device Access service is also meant to reduce the likelihood that users, faced with the aggravation of having to wrangle repeatedly with logins for each device, will jettison security protocols.

In this Help Net Security video, Michael Crandell, CEO of Bitwarden, discusses the future of passwords and authentication. Although interest in passwordless technology, which aims to eliminate the need for passwords, is relatively low, 65% of consumers are receptive to using new technology that simplifies their lives.

Well-designed MFA methods continue to have a place in an organization's security ecosystem, and MFA is required to comply with many global regulations such as HIPPA, Payment Card Industry Data Security Standards, the Cybersecurity and Infrastructure Security Agency, GDPR, and the EU's Payment Services Directive 2. Organizations need protections that go beyond MFA. But MFA controls also generate considerable friction, causing customer frustration and negatively impacting business revenue.

Google says it has fixed a flaw that allowed a scammer to impersonate delivery service UPS on Gmail, after the data-hoarding web behemoth labeled the phony email as authentic. The problem stemmed from an issue in an email authentication program called Brand Indicators for Message Identification that aims to protect email users from brand spoofing and phishing attacks claiming to be from a trusted org.

The Python Package Index announced last week that every account that maintains a project on the official third-party software repository will be required to turn on two-factor authentication by the end of the year. "Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage," PyPI administrator Donald Stufft said.

The report revealed a significant increase in MFA deployment for customers, which jumped to 57% from 45%. "Not all MFA is equal, and even though businesses know legacy MFA tools are not effective to stay secure, we're seeing they're still using them as primary tools of defense," said Ronnie Manning, CMO, Yubico. "Now more than ever, education around the importance of phishing-resistant MFA is critical to officially move away from legacy MFA tools that are leaving thousands of businesses exposed to cyberattacks around the world," Manning continued.