Roku forcing 2-factor authentication after 2 breaches of 600K accounts

news.movim.eu / ArsTechnica · Yesterday - 17:09

[Image: Roku logo on TV with remote in foreground (credit: Getty Images)]

    Everyone with a Roku TV or streaming device will eventually be forced to enable two-factor authentication after the company disclosed two separate incidents in which roughly 600,000 customers had their accounts accessed through credential stuffing.

    Credential stuffing is an attack in which usernames and passwords exposed in one leak are tried out against other accounts, typically using automated scripts. When people reuse usernames and passwords across services or make small, easily intuited changes between them, actors can gain access to accounts with even more identifying information and access.

In the case of the Roku attacks, that meant access to stored payment methods, which could then be used to buy streaming subscriptions and Roku hardware. Roku wrote on its blog, and in a mandated data breach report, that purchases occurred in "less than 400 cases" and that full credit card numbers and other "sensitive information" were not revealed.


LastPass users targeted in phishing attacks good enough to trick even the savvy

news.movim.eu / ArsTechnica · 2 days ago - 18:42

[Image credit: Getty Images]

    Password-manager LastPass users were recently targeted by a convincing phishing campaign that used a combination of email, SMS, and voice calls to trick targets into divulging their master passwords, company officials said.

    The attackers used an advanced phishing-as-a-service kit discovered in February by researchers from mobile security firm Lookout. Dubbed CryptoChameleon for its focus on cryptocurrency accounts, the kit provides all the resources needed to trick even relatively savvy people into believing the communications are legitimate. Elements include high-quality URLs, a counterfeit single sign-on page for the service the target is using, and everything needed to make voice calls or send emails or texts in real time as targets are visiting a fake site. The end-to-end service can also bypass multi-factor authentication in the event a target is using the protection.

    LastPass in the crosshairs

    Lookout said that LastPass was one of dozens of sensitive services or sites CryptoChameleon was configured to spoof. Others targeted included the Federal Communications Commission, Coinbase and other cryptocurrency exchanges, and email, password management, and single sign-on services including Okta, iCloud, and Outlook. When Lookout researchers accessed a database one CryptoChameleon subscriber used, they found that a high percentage of the contents collected in the scams appeared to be legitimate email addresses, passwords, one-time-password tokens, password reset URLs, and photos of driver’s licenses. Typically, such databases are filled with junk entries.


All the pieces are in place for the first crew flight of Boeing’s Starliner

news.movim.eu / ArsTechnica · 2 days ago - 12:26

[Image: Technicians inside United Launch Alliance's Vertical Integration Facility connect Boeing's Starliner spacecraft to the top of its Atlas V rocket Tuesday. (credit: United Launch Alliance)]

    Ground teams on Florida's Space Coast hoisted Boeing's Starliner spacecraft atop its United Launch Alliance Atlas V rocket this week, putting all the pieces in place for liftoff next month with two veteran NASA astronauts on a test flight to the International Space Station.

    This will be the first time astronauts fly on Boeing's Starliner crew capsule, following two test flights without crew members in 2019 and 2022. The Starliner Crew Flight Test (CFT) next month will wrap up a decade and a half of development and, if all goes well, will pave the way for operational Starliner missions to ferry crews to and from the space station.

    Starliner is running years behind schedule and over budget. SpaceX's Crew Dragon spacecraft has flown all of NASA's crew rotation missions to the station since its first astronaut flight in 2020. But NASA wants to get Boeing's spacecraft up and running to have a backup to SpaceX. It would then alternate between Starliner and Crew Dragon for six-month expeditions to the station beginning next year.


Kremlin-backed actors spread disinformation ahead of US elections

news.movim.eu / ArsTechnica · 3 days ago - 21:55

[Image credit: da-kuk/Getty]

    Kremlin-backed actors have stepped up efforts to interfere with the US presidential election by planting disinformation and false narratives on social media and fake news sites, analysts with Microsoft reported Wednesday.

    The analysts have identified several unique influence-peddling groups affiliated with the Russian government seeking to influence the election outcome, with the objective in large part to reduce US support of Ukraine and sow domestic infighting. These groups have so far been less active during the current election cycle than they were during previous ones, likely because of a less contested primary season.

    Stoking divisions

    Over the past 45 days, the groups have seeded a growing number of social media posts and fake news articles that attempt to foment opposition to US support of Ukraine and stoke divisions over hot-button issues such as election fraud. The influence campaigns also promote questions about President Biden’s mental health and corrupt judges. In all, Microsoft has tracked scores of such operations in recent weeks.


Hackers Voice Cloned the CEO of LastPass For Attack

pubsub.blastersklan.com / slashdot · 3 days ago - 21:03

An anonymous reader quotes a report from Futurism: In a new blog post from LastPass, the password management firm used by countless personal and corporate clients to help protect their login information, the company explains that someone used AI voice-cloning tech to spoof the voice of its CEO in an attempt to trick one of its employees. As the company writes in the post, one of its employees earlier this week received several WhatsApp communications -- including calls, texts, and a voice message -- from someone claiming to be its CEO, Karim Toubba. Luckily, the LastPass worker didn't fall for it because the whole thing set off so many red flags. "As the attempted communication was outside of normal business communication channels and due to the employee's suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such as forced urgency)," the post reads, "our employee rightly ignored the messages and reported the incident to our internal security team so that we could take steps to both mitigate the threat and raise awareness of the tactic both internally and externally." While this LastPass scam attempt failed, those who follow these sorts of things may recall that the company has been subject to successful hacks before. In August 2022, as a timeline of the event compiled by the Cybersecurity Dive blog detailed, a hacker compromised a LastPass engineer's laptop and used it to steal source code and company secrets, eventually getting access to its customer database -- including encrypted passwords and unencrypted user data like email addresses. According to that timeline, the clearly resourceful bad actor remained active in the company's servers for months, and it took more than two months for LastPass to admit that it had been breached. More than six months after the initial breach, Toubba, the CEO, provided a blow-by-blow timeline of the months-long attack and said he took "full responsibility" for the way things went down in a February 2023 blog post.

Source: it.slashdot.org/story/24/04/17/2021229/hackers-voice-cloned-the-ceo-of-lastpass-for-attack

Billions of public Discord messages may be sold through a scraping service

news.movim.eu / ArsTechnica · 3 days ago - 19:42

[Image: Discord logo, warped by vertical perspective over a phone displaying the app (credit: Getty Images)]

    It's easy to get the impression that Discord chat messages are ephemeral, especially across different public servers, where lines fly upward at a near-unreadable pace. But someone claims to be catching and compiling that data and is offering packages that can track more than 600 million users across more than 14,000 servers.

    Joseph Cox at 404 Media confirmed that Spy Pet, a service that sells access to a database of purportedly 3 billion Discord messages, offers data "credits" to customers who pay in Bitcoin, Ethereum, or other cryptocurrency. Searching individual users will reveal the servers that Spy Pet can track them across, a raw and exportable table of their messages, and connected accounts, such as GitHub. Ominously, Spy Pet lists more than 86,000 other servers in which it has "no bots," but "we know it exists."

As Cox notes, Discord doesn't make messages inside server channels, like blog posts or unlocked social media feeds, easy to publicly access and search. But many Discord users may not expect their messages, server memberships, bans, or other data to be grabbed by a bot, compiled, and sold to anybody wishing to pin them all on a particular user. 404 Media confirmed the service's function with multiple user examples. Private messages are not mentioned by Spy Pet and are presumably still secure.


A Spy Site Is Scraping Discord and Selling Users' Messages

pubsub.blastersklan.com / slashdot · 3 days ago - 16:23

404 Media: An online service is scraping Discord servers en masse, archiving and tracking users' messages and activity across servers including what voice channels they join, and then selling access to that data for as little as $5. Called Spy Pet, the service's creator says it scrapes more than ten thousand Discord servers, and besides selling access to anyone with cryptocurrency, is also offering the data for training AI models or to assist law enforcement agencies, according to its website. The news is not only a brazen abuse of Discord's platform, but also highlights that Discord messages may be more susceptible to monitoring than ordinary users assume. Typically, a Discord user's activity is spread across disparate servers, with no one entity, except Discord itself, able to see what messages someone has sent across the platform more broadly. With Spy Pet, third parties including stalkers or potentially police can look up specific users and see what messages they've posted on various servers at once. "Have you ever wondered where your friend hangs out on Discord? Tired of basic search tools like Discord.id? Look no further!" Spy Pet's website reads. It claims to be tracking more than 14,000 servers, 600 million users, and includes a database of more than 3 billion messages.

Source: it.slashdot.org/story/24/04/17/1556242/a-spy-site-is-scraping-discord-and-selling-users-messages

Cloudflare DDoS Threat Report For 2024 Q1

pubsub.blastersklan.com / slashdot · 3 days ago - 14:03

Cloudflare, in a blog post: Key insights from the first quarter of 2024 include: 1. 2024 started with a bang. Cloudflare's defense systems automatically mitigated 4.5 million DDoS attacks during the first quarter -- representing a 50% year-over-year (YoY) increase. 2. DNS-based DDoS attacks increased by 80% YoY and remain the most prominent attack vector. 3. DDoS attacks on Sweden surged by 466% after its acceptance to the NATO alliance, mirroring the pattern observed during Finland's NATO accession in 2023. We've just wrapped up the first quarter of 2024, and, already, our automated defenses have mitigated 4.5 million DDoS attacks -- an amount equivalent to 32% of all the DDoS attacks we mitigated in 2023. Breaking it down to attack types, HTTP DDoS attacks increased by 93% YoY and 51% quarter-over-quarter (QoQ). Network-layer DDoS attacks, also known as L3/4 DDoS attacks, increased by 28% YoY and 5% QoQ. When comparing the combined number of HTTP DDoS attacks and L3/4 DDoS attacks, we can see that, overall, in the first quarter of 2024, the count increased by 50% YoY and 18% QoQ. In total, our systems mitigated 10.5 trillion HTTP DDoS attack requests in Q1. Our systems also mitigated over 59 petabytes of DDoS attack traffic -- just on the network layer.

Source: it.slashdot.org/story/24/04/17/131220/cloudflare-ddos-threat-report-for-2024-q1

A Crypto Wallet Maker's Warning About an iMessage Bug Sounds Like a False Alarm

pubsub.blastersklan.com / slashdot · 4 days ago - 22:53

A crypto wallet maker claimed this week that hackers may be targeting people with an iMessage "zero-day" exploit -- but all signs point to an exaggerated threat, if not a downright scam. From a report: Trust Wallet's official X (previously Twitter) account wrote that "we have credible intel regarding a high-risk zero-day exploit targeting iMessage on the Dark Web. This can infiltrate your iPhone without clicking any link. High-value targets are likely. Each use raises detection risk." The wallet maker recommended iPhone users turn off iMessage completely "until Apple patches this," even though no evidence shows that "this" exists at all. The tweet went viral, and has been viewed over 3.6 million times as of our publication. Because of the attention the post received, Trust Wallet hours later wrote a follow-up post. The wallet maker doubled down on its decision to go public, saying that it "actively communicates any potential threats and risks to the community."

Source: it.slashdot.org/story/24/04/16/1857211/a-crypto-wallet-makers-warning-about-an-imessage-bug-sounds-like-a-false-alarm