      4 Okta customers hit by campaign that gave attackers super admin control

      news.movim.eu / ArsTechnica · Tuesday, 5 September, 2023 - 20:28

    [Image credit: Getty Images]

    Authentication service Okta said four of its customers have been hit in a recent social-engineering campaign that allowed hackers to gain control of super administrator accounts and from there weaken or entirely remove two-factor authentication protecting accounts from unauthorized access.

    The Okta super administrator accounts are assigned to users with the highest permissions inside an organization using Okta’s service. In recent weeks, Okta customers’ IT desk personnel have received calls that follow a consistent pattern of social engineering, in which attackers pose as a company insider in an attempt to trick workers into divulging passwords or doing other dangerous things. The attackers in this case call service desk personnel and attempt to convince them to reset all multi-factor authentication factors assigned to super administrators or other highly privileged users, Okta said recently.

    Two-factor authentication and multi-factor authentication, usually abbreviated as 2FA and MFA, require a biometric, possession of a physical security key, or knowledge of a one-time password in addition to a normally used password to access an account.


      Gmail will lock important settings behind a pop-up 2FA challenge

      news.movim.eu / ArsTechnica · Thursday, 24 August, 2023 - 17:31 · 1 minute

    [Image: Gmail's security pop-up to change a setting (left) and the more dramatic warning you'll get if someone fails a 2FA attempt. Credit: Google]

    Today Gmail only asks for your user credentials during the initial login, and that login session can last for weeks at a time. That's not as secure as it could be, so soon Gmail will start posting two-factor authentication (2FA) challenges if you try to access any "sensitive" settings, even when you're already logged in.

    The newly protected settings are for filters, account forwarding, and IMAP. Soon, poking around in any of these options will boot you into a "Verify it's you" 2FA prompt, and you'll have to pass the challenge on your phone (these settings are only available on the web). If this 2FA challenge is failed or is not answered, you'll get a bright red "Critical security alert" pop-up alerting you to the attempt on all your trusted devices.

    This security pop-up is all about trying to stop attackers that have compromised your account. If someone steals your laptop, or a malicious remote desktop app turns on, and you're already logged in to Gmail, the pop-up should at least keep the attacker away from the worst settings. Filters are a security risk since a lot of other sites notify you of purchases and sensitive changes to your account with an email, and a common first step in an attack is to hide these emails with a filter. Forwarding and IMAP both duplicate your incoming emails to other places and could allow people to quietly spy on you or steal credentials.


      How to export your 2FA codes from Authy?

      news.movim.eu / Korben · Thursday, 6 April, 2023 - 07:00 · 1 minute

    If you use Authy, the 2FA code generator app, you may have noticed that you can't really export its data and migrate everything to another 2FA application.

    The general good practice is to keep the TOTP secret or the associated QR code so that you can later import it into another application. But in reality, few people do that.

    We scan the QR code and that's it, we never save it. Except that the day you lose your phone, it's a disaster. With Authy, there is a backup on their servers, but no way to migrate.

    But I have a solution for you. It's called Authy Export, and it's a piece of software written in Python that will remind you of the old cracks of the '90s and that lets you export all of your OTP codes into an HTML file with everything needed (URL + QR code) to scan them again.

    Authy: export 2FA codes in a few clicks

    To run Authy Export, you'll need the desktop version of Authy, synchronized with your account and not locked with a password. Then click the software's "Click to export TOTP" button and wait a few moments for the export to complete.

    Obviously, be careful afterwards to keep this file in a safe place (preferably encrypted) so that nobody gets their hands on it.

    There you go, I hope this little tool I put together will be useful to you 🙂

      Still using authenticators for MFA? Software for sale can hack you anyway

      news.movim.eu / ArsTechnica · Tuesday, 14 March, 2023 - 20:09

    [Image: Software for sale is fueling a torrent of phishing attacks that bypass MFA. Credit: Getty Images]

    Microsoft on Tuesday profiled software for sale in online forums that makes it easy for criminals to deploy phishing campaigns that successfully compromise accounts, even when they’re protected by the most common form of multi-factor authentication.

    The phishing kit is the engine that’s powering more than 1 million malicious emails each day, researchers with the Microsoft Threat Intelligence team said. The software, which sells for $300 for a standard version and $1,000 for VIP users, offers a variety of advanced features for streamlining the deployment of phishing campaigns and increasing their chances of bypassing anti-phishing defenses.

    One of the most salient features is the built-in ability to bypass some forms of multi-factor authentication. Also known as MFA, two-factor authentication, or 2FA, this protection requires account holders to prove their identity not only with a password but also by using something only they own (such as a security key or authenticator app) or something only they are (such as a fingerprint or facial scan). MFA has become a major defense against account takeovers because the theft of a password alone isn’t sufficient for an attacker to gain control.


      The time has come: GitHub expands 2FA requirement rollout March 13

      news.movim.eu / ArsTechnica · Friday, 10 March, 2023 - 22:36

    [Image: A GitHub-made image accompanying all the company's communications about 2FA. Credit: GitHub]

    Software development tool GitHub will require more accounts to enable two-factor authentication (2FA) starting on March 13. That mandate will extend to all user accounts by the end of 2023.

    GitHub announced its plan to roll out a 2FA requirement in a blog post last May. At that time, the company's chief security officer said that it was making the move because GitHub (which is used by millions of software developers around the world across myriad industries) is a vital part of the software supply chain. Said supply chain has been subject to several attacks in recent years and months, and 2FA is a strong defense against social engineering and other particularly common methods of attack.

    When that blog post was written, GitHub revealed that only around 16.5 percent of active GitHub users used 2FA—far lower than you'd expect from technologists who ought to know the value of it.


      Twitter’s two-factor authentication change “doesn’t make sense”

      news.movim.eu / ArsTechnica · Monday, 20 February, 2023 - 14:55

    [Image: Twitter logo on a building. Credit: Bloomberg via Getty Images]

    Twitter announced Friday that as of March 20, it will only allow its users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires users to log in with a username and password and then an additional “factor” such as a numeric code. Security experts have long advised that people use a generator app to get these codes. But receiving them in SMS text messages is a popular alternative, so removing that option for unpaid users has left security experts scratching their heads.

    Twitter's two-factor move is the latest in a series of controversial policy changes since Elon Musk acquired the company last year. The paid service Twitter Blue—the only way to get a blue verified checkmark on Twitter accounts now—costs $11 per month on Android and iOS and less for a desktop-only subscription. Users being booted off of SMS-based two-factor authentication will have the option to switch to an authenticator app or a physical security key.


      This week’s Reddit breach shows company’s security is (still) woefully inadequate

      news.movim.eu / ArsTechnica · Friday, 10 February, 2023 - 22:01

    [Image credit: Getty Images]

    Popular discussion website Reddit proved this week that its security still isn’t up to snuff when it disclosed yet another security breach that was the result of an attack that successfully phished an employee’s login credentials.

    In a post published Thursday, Reddit Chief Technical Officer Chris "KeyserSosa" Slowe said that after the breach of the employee account, the attacker accessed source code, internal documents, internal dashboards, business systems, and contact details for hundreds of Reddit employees. An investigation into the breach over the past few days, Slowe said, hasn’t turned up any evidence that the company’s primary production systems or user password data were accessed.

    “On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees,” Slowe wrote. “As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.”


      Exporting Google Authenticator codes to migrate to another 2FA manager

      news.movim.eu / Korben · Monday, 26 September, 2022 - 07:00 · 1 minute

    Two-factor authentication, or 2FA, is truly a security measure that everyone should set up on their accounts to avoid the worst in the event of a password leak.

    It consists of obtaining, on your smartphone, a unique number that changes every 30 seconds. There are many 2FA apps, but among the best known are of course Twilio's Authy and Google Authenticator.

    Authy has a backup module, but Google Authenticator does not. Instead, there is an export option you have to remember to use, which shows you a single QR code containing all of your accounts. And of course you'll have to scan it again with Google Authenticator to recover everything at once.

    But what can you do to get the otpauth links unique to each of the imported sites, so that you can import them into another 2FA client?

    Well, there is a script called Gauth-Export which, starting from the Google Authenticator export QR code or its otpauth-migration link, lets you recover all the otpauth URIs for each of your sites. It's really handy for a smooth migration to another two-factor manager such as Authy, LastPass Authenticator or others.

    You can grab this script directly on GitHub or use this static page.