Category: Authentication

April 28, 2016
Office 365 Bug Could’ve Allowed Attackers to Login to Virtually Any Account
Security researchers in January discovered a critical vulnerability in the SAML implementation in Microsoft’s Office 365 service that could allow an attacker to log in to a victim’s account and gain full access to email, contacts, and other sensitive data. The vulnerability was present in Office 365 for an unknown amount of time, and there…
April 27, 2016
Hear a Real Bank Phone Fraud Call From a Fake Cop
The ongoing problem of fraudsters targeting senior citizens with sophisticated phone scams has taken a new turn, as the criminals have begun showing up at victims’ homes to collect their debit cards in person. The scam is an extension of a common phone fraud technique in which criminals call victims, typically senior…
April 26, 2016
Verizon DBIR Shows Focus on Credential Theft in Breaches
Attackers are continuing to refine their tactics and develop new tools, but in a lot of cases they still rely on tried-and-true methods such as phishing, social engineering, malware, keyloggers, and credential theft to achieve their goals. The 2016 Verizon Data Breach Investigations Report shows that these tactics and tools are still among the most-used by…
April 25, 2016
Massive Bank of Bangladesh Attack Hit SWIFT Payment System
Attackers who pulled off the massive bank fraud at the Bangladesh Bank in February did so by using custom malware and attack tools that were able to monitor the internal messages that carry financial transactions, delete certain messages, and then insert others to send money to accounts they control, researchers say. The tools targeted the SWIFT…
April 18, 2016
GitLab Fixes Authentication Bypass Flaw
GitLab has patched a serious authentication vulnerability that enabled any user to take over another user’s account with two-factor authentication enabled. The vulnerability was a result of the way that GitLab’s authentication flow produced one-time passwords for accounts with 2FA enabled. An attacker who knows a victim’s username and can capture network traffic could sign in…
April 14, 2016
Bill Requiring Phone Crypto Backdoors Dies in California Assembly
A California bill that would require backdoors in phone encryption has died in the state assembly after failing to gain enough support to move out of committee. The bill, proposed in January, would have required that device manufacturers have the capability of decrypting and unlocking any phone sold in California after Jan. 1, 2017. A…
April 14, 2016
Final Draft of Burr-Feinstein Bill Called ‘Dangerous’
The final version of a proposed bill that would require vendors to have a method for providing plaintext data to law enforcement agencies has been released, and privacy advocates and legislators are calling it “flawed” and “dangerous”. The Burr-Feinstein bill has been making the rounds of Capitol Hill in draft form since last week, and…
April 13, 2016
Facebook Releases Account Kit SDK for Authentication Without Passwords
Facebook has released a new SDK called Account Kit that enables app developers and site owners to provide a login experience without passwords. The new system, which the company announced at its developers’ conference yesterday, uses Facebook’s own infrastructure to perform authentication via SMS and email. Account Kit doesn’t require that users have a Facebook…
April 11, 2016
WordPress Turns on Encryption for 1 Million Sites
The movement to encrypt as much of the public Web as possible has gotten a major boost, as WordPress has turned on HTTPS connections for all of the more than one million custom domains hosted on WordPress.com. The change happened on Friday and, significantly, it doesn’t require any work on the part of the site owners.…
April 8, 2016
FBI Says Fake CEO Email Scam Losses Hit $2.3 Billion
The FBI says it has seen a huge increase in the volume of business email compromise scams hitting enterprises in the last year, and estimates that losses from the scheme now total $2.3 billion. Like normal phishing scams, these kinds of attacks rely on highly believable messages and a healthy dose of social engineering…