Last week was a pretty busy one and had less time than usual to stay on top of industry developments. Though, I managed to sneak a few interesting reads on attacking two-factor authentication, a nasty vulnerability of Apple AirTag, and a major data breach missed for no less than 17 months. Here is my take from last week:
Two-factor authentication quickly becomes the norm (Recently CISA declared single-factor authentication a bad practice). But multi-factor authentication is not bullet proof as cyber-attackers are also evolving their techniques: https://www.zdnet.com/article/telegram-bots-are-trying-to-steal-your-one-time-passwords/
“While 2FA can improve upon the use of passwords alone to protect our accounts, threat actors were quick to develop methods to intercept OTP, such as through malware or social engineering.
According to Intel 471, since June, a number of 2FA-circumventing services are abusing the Telegram messaging service. Telegram is either being used to create and manage bots or as a ‘customer support’ channel host for cybercriminals running these types of operations.”
This one is for the gadget-lovers. A new zero-day targets the Apple AirTag to deliver malware and steal credentials. The moral of the story: literally ALL smart devices can potentially be used to do harm: https://threatpost.com/apple-airtag-zero-day-trackers/175143/
An unpatched stored cross-site scripting (XSS) bug in Apple’s AirTag “Lost Mode” could open up users to a cornucopia of web-based attacks, including credential-harvesting, click-jacking, malware delivery, token theft and more.
That’s according to Bobby Rauch, an independent security researcher who said that it’s possible to use the zero-day to fully weaponize an AirTag, with the ability to attack random strangers (or specific targets) should they interact with it.
Breaches like this one simply leave me with no comments. The US luxury-retailer Neiman Marcus Group missed a cyber-attack for… 17 months, and lost 3.1 million customer card details: https://threatpost.com/neiman-marcus-customers-breach/175284/
“The lack of both prevention and detection capabilities at many organizations is simply staggering,” Clements said. “I try as much as possible to shy away from victim blaming, but in many circumstances, organizations have been grossly negligent in securing customer data.”
“Despite the press releases that almost never fail to describe the attackers or attack methods as ‘highly sophisticated,’ the reality is that most breaches aren’t some ‘super cyber heist plot’ out of a bad movie, but rather akin so some guy walking in the front door and wheeling out a file cabinet and no one is around to notice.”
And for the end, here is an interesting read on technology/security and society, specifically on Facebook, that more and more behaves like a nation (a not a friendly one): https://www.theatlantic.com/magazine/archive/2021/11/facebook-authoritarian-hostile-foreign-power/620168/
“1947, Albert Einstein, writing in this magazine, proposed the creation of a single world government to protect humanity from the threat of the atomic bomb. His utopian idea did not take hold, quite obviously, but today, another visionary is building the simulacrum of a cosmocracy.
Mark Zuckerberg, unlike Einstein, did not dream up Facebook out of a sense of moral duty, or a zeal for world peace. This summer, the population of Zuckerberg’s supranational regime reached 2.9 billion monthly active users, more humans than live in the world’s two most populous nations—China and India—combined.”