Security News

Verifiable credentials provide a tamper-secure way for users to prove their identity online, without sacrificing their safety, privacy, or security during the process. Based on a new web standard approved by the W3C in 2019, verifiable credentials are the digital equivalents of the paper documents we carry in our wallets and use to prove who we are in the physical world.

Palo Alto Networks' global threat intelligence team, Unit 42, has detailed the tactics ransomware group REvil has employed to great impact so far this year - along with an estimation of the multimillion-dollar payouts it's receiving. REvil threat actors often encrypted the environment within seven days of the initial compromise.

A set of nine malicious Android apps that steal Facebook credentials were found on Google Play, which racked up a collective 5.9 million installations before Google removed them. The malicious apps were detected as trojans called Android.

Continuing its commitment to providing these options, HID Global announced the implementation of the latest MIFARE DESFire EV3 credential. "Our credential based on NXP MIFARE DESFire EV3 delivers this technology's full range of advanced security and privacy capabilities and reinforces them with HID's powerful model for identity data protection," said Harm Radstaak, Senior Vice President and Head of Physical Access Control Solutions with HID Global.

Researchers warn hackers can snoop on email messages by exploiting a bug in the underlying technology used by the majority of email servers that run the Internet Message Access Protocol, commonly referred to as IMAP. The bug, first reported in August 2020 and patched Monday, is tied to the email server software Dovecot, used by over three-quarters of IMAP servers, according to Open Email Survey. "The vulnerability allows a MITM attacker between a mail client and Dovecot to inject unencrypted commands into the encrypted TLS context, redirecting user credentials and mails to the attacker," according to research linked to from a bug bounty page and dated August 2020.

Entrust announced a partnership with Yubico allowing U.S. federal agencies to issue YubiKey 5 Series and YubiKey 5 FIPS Series with Entrust derived PIV credentials to employees instantly, remotely and at scale. "The ability to issue derived PIV credentials from a credential management system directly to an alternative hardware token is a real game changer, providing strong security without the logistical challenges presented by physical PIV card issuance," said Suresh Kewalramani, Security Engineer, Department of Justice, Identity, Credential, and Access Management Services.

Law enforcement agencies in the United States, Germany, the Netherlands, and Romania have taken down the stolen login credentials marketplace Slilpp, the U.S. Department of Justice announced on Thursday. Active since 2012, the crime shop has been selling stolen credentials associated with a variety of online accounts, including banking, payment, and retail accounts, among others.

GitHub this week announced that it has started scanning code hosted on its platform for package registry credentials, including RubyGems and PyPI secrets. The scanning is performed via GitHub secret scanning, a service meant to identify exposed secrets in pushes to repositories.

Agari researchers entered unique credentials belonging to fake personas into phishing sites posing as widely used enterprise applications, and waited to see what the phishers would do next with the compromised accounts. They found that 23% of all accounts were accessed almost immediately, 50% of the accounts were accessed manually withing 12 hours after compromise, and that 91% of the compromised accounts were accessed manually within the first week.

If a sloppy internet service stores your password in plaintext and then gets breached, the crooks acquire your actual password directly, regardless of how complex it is. Keylogging malware on your computer can capture your passwords as you type, thus obtaining them "At source", no matter how long or weird they might be.