donphan.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
This generalist Mastodon server welcomes enthusiasts of the Pokémon franchise, to talk about it or anything else. Join the federation!


#authentication

Georgiana Brummell<p>First, they shut down the Basic HTML site, forcing many of us to switch to clients such as Thunderbird. Now, they're using QR codes, which are not only inaccessible to the blind but also to those who don't use smartphones! This is ridiculous! Yes, they do still have the option to click whether it's you trying to sign in or not (which still requires a smartphone and a carrier, which they claim to be concerned about), but how long before they remove that, too?</p><p><a href="https://www.pcmag.com/news/google-is-replacing-sms-codes-with-qr-codes-for-gmail-authentication" rel="nofollow noopener noreferrer" target="_blank">pcmag.com/news/google-is-repla…</a></p><p><a href="https://friendica.world/search?tag=accessibility" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>accessibility</span></a> <a href="https://friendica.world/search?tag=Android" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Android</span></a> <a href="https://friendica.world/search?tag=authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a> <a href="https://friendica.world/search?tag=blind" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>blind</span></a> <a href="https://friendica.world/search?tag=Google" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Google</span></a> <a href="https://friendica.world/search?tag=GMail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GMail</span></a> <a href="https://friendica.world/search?tag=IOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOS</span></a> <a href="https://friendica.world/search?tag=Narrator" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Narrator</span></a> <a href="https://friendica.world/search?tag=NVDA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NVDA</span></a> <a href="https://friendica.world/search?tag=sms" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sms</span></a> <a href="https://friendica.world/search?tag=Talkback" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Talkback</span></a> <a href="https://friendica.world/search?tag=technology" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>technology</span></a> <a href="https://friendica.world/search?tag=Voiceover" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Voiceover</span></a> <a href="https://friendica.world/search?tag=Windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Windows</span></a></p>
Aral Balkan<p>New Kitten release</p><p>• Fixes redirection from sign-in page when person is already authenticated.</p><p><a href="https://kitten.small-web.org" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">kitten.small-web.org</span><span class="invisible"></span></a></p><p>To learn more about how Kitten automatically implements authentication for your Small Web sites and apps using public-key cryptography (so even your own server doesn’t know your secret)¹, please see the Authentication tutorial:</p><p><a href="https://kitten.small-web.org/tutorials/authentication/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">kitten.small-web.org/tutorials</span><span class="invisible">/authentication/</span></a></p><p>Enjoy!</p><p>:kitten:💕</p><p>¹ The security (and privacy) of Domain/Kitten are based on a 32-byte cryptographically random secret string that only the person who owns/controls a domain knows.</p><p>This is basically a Base256-encoded ed25519 secret key where the Base256 alphabet is a set of curated emoji surrogate pairs without any special modifiers chosen mainly from the animals, plants, and food groups with some exceptions (to avoid common phobias or triggers, etc.) that we call KittenMoji.</p><p>…</p><p>When setting up a Small Web app via Domain, this key is generated in the person’s browser, on their own computer, and is never communicated to either the Domain instance or the Kitten app being installed. 
Instead the ed25519 public key is sent to both and signed token authentication is used when the server needs to verify the owner’s identity (e.g., before allowing access to the administration area).</p><p>The expected/encouraged behaviour is for the person to store this secret in their password manager of choice.</p><p>More: <a href="https://kitten.small-web.org/reference/#cryptographic-properties" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">kitten.small-web.org/reference</span><span class="invisible">/#cryptographic-properties</span></a></p><p><a href="https://mastodon.ar.al/tags/Kitten" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Kitten</span></a> <a href="https://mastodon.ar.al/tags/SmallWeb" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SmallWeb</span></a> <a href="https://mastodon.ar.al/tags/SmallTech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SmallTech</span></a> <a href="https://mastodon.ar.al/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a> <a href="https://mastodon.ar.al/tags/publicKeyCryptography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>publicKeyCryptography</span></a> <a href="https://mastodon.ar.al/tags/web" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>web</span></a> <a href="https://mastodon.ar.al/tags/dev" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dev</span></a> <a href="https://mastodon.ar.al/tags/NodeJS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NodeJS</span></a> <a href="https://mastodon.ar.al/tags/JavaScript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>JavaScript</span></a> <a 
href="https://mastodon.ar.al/tags/HTML" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HTML</span></a> <a href="https://mastodon.ar.al/tags/CSS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CSS</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://worldkey.io/@NadCee" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>NadCee</span></a></span> : that may convince *some* people to change their behavior/behaviour.</p><p>However, for most Joe/Jill Averages, the risk that a possibly authoritarian government will harm them personally is actually quite low.</p><p>I'm a lot more worried (for them) about the risk of "meeting" criminals.</p><p>For example, most people use weak passwords, or reuse one single password, or both - including for their email account - because they believe that they have nothing to hide. Some are now using an Authenticator app because they were made to believe it'll save their a** (see <a href="https://infosec.exchange/@ErikvanStraten/113906668541621372" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113906668541621372</span></a>). Why would *anyone* be interested in their "how're you" emails with pictures of their cat?</p><p>Here's what happens: after criminals obtain access to their email account (and/or social media), those criminals start posing as them.</p><p>The criminals will get to learn the tone the naive people (aka idiots) use to communicate with their friends and family, and may ask them (friends and family) to send money (btw they just changed banks) or install malware. The criminals often will be able to take over all of the other online accounts of the naives. They may use such accounts (or create new ones in your name) to exchange illegal stuff, including child pornography.</p><p>It's called impersonation aka identity theft.</p><p>Every piece of information about you may be valuable to a criminal. Knowing your email address, they'll send you phishing mails. They may plant a photo of your head on pornography and extort you. 
They may clone your voice to impersonate you, using that to obtain access to vulnerable people you know - such as your parents or kids.</p><p>If they know that you are (or one of your contacts is) old and/or vulnerable (like Alzheimer's), and find out your/their contact details, they may phone claiming they're an employee from the bank. They'll say that the bank just noticed that criminals obtained access to your bank account, and that you must act *now* to prevent losing all of your savings. They'll offer help. Like installing "security software" (typically AnyDesk) to prevent further damage, or guide you through moving your savings to a "vault" account. And/or they'll tell you that they're sending a courier to pick up your bank cards (and PINs).</p><p>Drag queens and other "non-standard" people, like pro-climate, anti-genocide (often called pro-Palestinian) protestors, typically *know* that they're at risk - from authorities.</p><p>I'm more worried about naive people who lack any security awareness and typically have nothing to fear from even the most authoritarian governments. They'll install *any* app (like <a href="https://infosec.exchange/tags/DeepSeek" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DeepSeek</span></a>) because it's a lot of phun, thereby sharing details like their location and/or the address books on their phone. They'll make their home "smart" by automating it with hackable electronics. They'll pay for "cheap" things from dropshipping or plain fake websites.</p><p>Awareness includes knowing things like this: <a href="https://www.bleepingcomputer.com/news/security/unitedhealth-now-says-190-million-impacted-by-2024-data-breach/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/unitedhealth-now-says-190-million-impacted-by-2024-data-breach/</span></a>. 
From <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-claims-they-stole-6tb-of-change-healthcare-data/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/ransomware-gang-claims-they-stole-6tb-of-change-healthcare-data/</span></a> (condensed):<br>"the sensitive data stolen from Change Healthcare contains a wide range of information on millions of people, including their: medical records, insurance records, dental records, payments information, claims information, patients' PII data (i.e., phone numbers, addresses, SSNs/SOCIAL SECURITY NUMBERS, email addresses, and more), and active U.S. military/navy personnel PII data".</p><p>It's a long list. Protect your identity, assume breach!</p><p><span class="h-card" translate="no"><a href="https://social.wildeboer.net/@jwildeboer" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>jwildeboer</span></a></span> </p><p><a href="https://infosec.exchange/tags/PrivacyAwareness" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PrivacyAwareness</span></a> <a href="https://infosec.exchange/tags/SecurityAwarenes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityAwarenes</span></a> <a href="https://infosec.exchange/tags/RiskAwareness" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RiskAwareness</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Fraud" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>Fraud</span></a> <a href="https://infosec.exchange/tags/BankFraud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BankFraud</span></a> <a href="https://infosec.exchange/tags/Impostors" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impostors</span></a> <a href="https://infosec.exchange/tags/SmartHome" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SmartHome</span></a> <a href="https://infosec.exchange/tags/SmartWhatever" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SmartWhatever</span></a> <a href="https://infosec.exchange/tags/CSAM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CSAM</span></a> <a href="https://infosec.exchange/tags/Identity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Identity</span></a> <a href="https://infosec.exchange/tags/Awareness" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Awareness</span></a> <a href="https://infosec.exchange/tags/CyberSecurityAwareness" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurityAwareness</span></a></p>
Erik van Straten<p>Kirat Assi (<a href="https://www.bbc.com/news/articles/c20m3g1kdpvo?utm_source=press.coop" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bbc.com/news/articles/c20m3g1k</span><span class="invisible">dpvo?utm_source=press.coop</span></a>) is a perfectly normal human being; trust, honesty and authenticity are essential building blocks of our societies.</p><p>Unfortunately, online communication and the increasing use of AI make impersonation easier every day.</p><p>We can and should do more to create awareness about this (e.g. you're not impolite by demanding reliable proof of authenticity, online in particular), and more importantly, find ways to better conquer impersonation.</p><p><span class="h-card" translate="no"><a href="https://press.coop/@BBCNews" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>BBCNews</span></a></span> </p><p><a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Authenticity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticity</span></a> <a href="https://infosec.exchange/tags/Trust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Trust</span></a> <a href="https://infosec.exchange/tags/AbuseOfTrust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AbuseOfTrust</span></a></p>
Flipboard Tech Desk<p>Are passwords on the way out? Researchers are announcing two projects that will make passkeys easier for organizations to offer — and easier for everyone to use. Read more at <span class="h-card" translate="no"><a href="https://flipboard.com/@WIRED" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>WIRED</span></a></span>. <a href="https://flipboard.social/tags/Passwords" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passwords</span></a> <a href="https://flipboard.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://flipboard.social/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://flipboard.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkeys</span></a> <a href="https://flipboard.social/tags/Tech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Tech</span></a> <a href="https://flipboard.social/tags/Technology" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Technology</span></a> <a href="https://flip.it/l-yryY" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">flip.it/l-yryY</span><span class="invisible"></span></a></p>
AmyFou 🕊️<p>Um, I signed into the OED online through our University Library, which uses our SSO credentials and passes them thru to external resources and...</p><p>...I don't know who ROY PARKER is, but I'm pretty sure I'm not him?</p><p>HOW??</p><p><a href="https://lingo.lol/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://lingo.lol/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a> <a href="https://lingo.lol/tags/fail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>fail</span></a> <a href="https://lingo.lol/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://eupolicy.social/@edri" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>edri</span></a></span> : apart from the privacy risks you describe, the internet is way too insecure for citizens to strongly authenticate online.</p><p>The reason is that internet users have no reliable means to distinguish between fake and authentic websites [1].</p><p>This makes AitM (Attacker in the Middle) attacks easy: the citizen is made to believe that they have to prove their minimum age (and probably more PII) on fake website F.</p><p>When they do that, software on F will forward their identity proofs to real website R and obtain a grant to access R.</p><p>If that grant is a web-based cookie or anything else that can be copied, it will be sold to children and people who want to remain anonymous - while using someone else's identity.</p><p>BTW, the same will happen to users of EDIW/EUDIW [2]. Credit cards and loans will carry their name while they won't receive even a Eurocent themselves, but likely they will have to pay "back".</p><p>From [0]: «Authentication mandates a trustworthy verifier. The first step to find out whether a verifier is trustworthy, is to know *who exactly* they are. 
A domain name simply does not suffice.»</p><p>[2] <a href="https://ec.europa.eu/digital-building-blocks/sites/display/EUDIGITALIDENTITYWALLET/Security+and+privacy" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ec.europa.eu/digital-building-</span><span class="invisible">blocks/sites/display/EUDIGITALIDENTITYWALLET/Security+and+privacy</span></a><br>[1] <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113079966331873386</span></a><br>[0] <a href="https://infosec.exchange/@ErikvanStraten/113138678307912960" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113138678307912960</span></a></p><p><span class="h-card" translate="no"><a href="https://respublicae.eu/@EU_Commission" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>EU_Commission</span></a></span> </p><p><a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/OnlineAuthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OnlineAuthentication</span></a> <a href="https://infosec.exchange/tags/WeakAuthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WeakAuthentication</span></a> <a href="https://infosec.exchange/tags/Verifier" class="mention hashtag" rel="nofollow 
noopener noreferrer" target="_blank">#<span>Verifier</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/Trust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Trust</span></a></p>
yaggadagga<p>I hear really good things about <a href="https://fosstodon.org/tags/authentik" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentik</span></a> and from what I can tell from reviews and the documentation, it is very flexible and can do a lot. </p><p>But man, if it’s not confusing. <a href="https://fosstodon.org/tags/Authelia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authelia</span></a> has worked so well for the last few years, but development has slowed and I haven’t had the time to dig into the code base. </p><p>We’ll see how far I get, but it hasn’t been a good start. I can’t set up my <a href="https://fosstodon.org/tags/ldap" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ldap</span></a> outpost because my <a href="https://fosstodon.org/tags/ldap" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ldap</span></a> application doesn’t show up as an available app. 🤷🏼 <a href="https://fosstodon.org/tags/SelfHosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SelfHosting</span></a> <a href="https://fosstodon.org/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a></p>
Harry W.<p>First day of the holiday, and I'm thinking about my personal project. </p><p>I've got a seriously annoying problem with the <a href="https://mstdn.social/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a>, which I need to solve. </p><p>I'll reward myself with other fun "programming bits" once that's finished. </p><p>Am I holidaying correctly?? 🤔</p>
The Matrix.org Foundation<p>Authentication is almost always the most frustrating step of interacting with a service. Matrix is no different, but Quentin is about to dramatically improve the situation.</p><p>Get a glimpse of all the goodness awaiting to be unlocked once his project lands!</p><p><a href="https://youtu.be/dmUi4ZoYRWc" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">youtu.be/dmUi4ZoYRWc</span><span class="invisible"></span></a></p><p><a href="https://mastodon.matrix.org/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a> <a href="https://mastodon.matrix.org/tags/ux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ux</span></a> <a href="https://mastodon.matrix.org/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a></p>
Erik van Straten<p>In *2019*, Alex Weinert of Microsoft wrote in <a href="https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">techcommunity.microsoft.com/t5</span><span class="invisible">/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124</span></a>:</p><p>«<br>&nbsp;&nbsp;&nbsp;&nbsp;MFA had failed.</p><p>&nbsp;&nbsp;&nbsp;&nbsp;[...]<br>&nbsp;&nbsp;&nbsp;&nbsp;All Authenticators Are Vulnerable<br>&nbsp;&nbsp;&nbsp;&nbsp;[...]<br>»</p><p>Today, as echoed in <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-enable-mfa-or-lose-access-to-admin-portals-in-october/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/micr</span><span class="invisible">osoft/microsoft-enable-mfa-or-lose-access-to-admin-portals-in-october/</span></a>, Microsoft still insists that using weak MFA is a good idea.</p><p>In <a href="https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">azure.microsoft.com/en-us/blog</span><span class="invisible">/announcing-mandatory-multi-factor-authentication-for-azure-sign-in/</span></a> Microsoft writes (on August 15):</p><p>«<br>As recent research [1] by Microsoft shows that multifactor authentication (MFA) can block more than 99.2% of account compromise attacks, making it one of the most effective security measures available, today’s announcement brings us all one step closer toward a more secure future.<br>»</p><p>From that same article, "solutions" with (nearly as weak as SMS) "Microsoft Authenticator" is at the TOP of their 
list:</p><p>«<br>Organizations have multiple ways to enable their users to utilize MFA through Microsoft Entra:</p><p>• Microsoft Authenticator [...]<br>• FIDO2 security keys [...]<br>• Certificate-based authentication [...]<br>• Passkeys [...]<br>• Finally, and this is the least secure version of MFA, you can also use a SMS or voice approval [...]<br>»</p><p>From [1] (PDF) = <a href="https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW166lD?culture=en-us" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">query.prod.cms.rt.microsoft.co</span><span class="invisible">m/cms/api/am/binary/RW166lD?culture=en-us</span></a> , no date of the "investigation period" to be seen *anywhere*, and one of the authors being Alex Weinert, more extreme percentages (approved by Microsoft's marketing dept):</p><p>« <br>Our findings reveal that MFA implementation offers outstanding protection, with over 99.99% of MFA-enabled accounts remaining secure during the investigation period. Moreover, MFA reduces the risk of compromise by 99.22% across the entire population and by 98.56% in cases of leaked credentials.<br>»</p><p>Dear reader: please stop buying Microsoft BS that completely ignores PhaaS.</p><p>To name a few examples:</p><p>🚨 "Experts agree [*] that setting up two-factor authentication (2FA) is one of the most powerful ways to protect your account from getting hacked. However, hackers like COLDRIVER and COLDWASTREL may try to trick you into entering your second factor; we have seen attackers successfully compromise a victim who had enabled 2FA." 
- (PDF) <a href="https://www.accessnow.org/wp-content/uploads/2024/08/Spearphishing-cases-in-Eastern-Europe-2022-2024-technical-brief.pdf" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">accessnow.org/wp-content/uploa</span><span class="invisible">ds/2024/08/Spearphishing-cases-in-Eastern-Europe-2022-2024-technical-brief.pdf</span></a></p><p>[*] Not me. My tip is here: <a href="https://infosec.exchange/@ErikvanStraten/112724966066248808" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112724966066248808</span></a></p><p>🚨 EvilGinx2: "Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication" - <a href="https://github.com/kgretzky/evilginx2" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/kgretzky/evilginx2</span><span class="invisible"></span></a> (there are more, like Modlishka, Muraena, CredSniper, EvilProxy (Phaas), NakedPages etc.)</p><p>🚨 Not even a fake website needed: <a href="https://www.bleepingcomputer.com/news/security/new-greatness-service-simplifies-microsoft-365-phishing-attacks/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/new-greatness-service-simplifies-microsoft-365-phishing-attacks/</span></a></p><p>🚨 From <a href="https://mrd0x.com/attacking-with-webview2-applications/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mrd0x.com/attacking-with-webvi</span><span 
class="invisible">ew2-applications/</span></a>:<br>«<br>Bypass 2FA<br>WebView2 also provides built-in functionality to extract cookies. This allows an attacker to extract cookies after the user authenticates into the legitimate website. This technique removes the need of having to spin up Evilginx2 or Modlishka but the obvious trade-off is that the user must execute the binary and authenticate.<br>»<br>In addition, from <a href="https://www.bleepingcomputer.com/news/security/clever-phishing-method-bypasses-mfa-using-microsoft-webview2-apps/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/clever-phishing-method-bypasses-mfa-using-microsoft-webview2-apps/</span></a>:<br>«<br>"Yubikeys can't save you because you're authenticating to the REAL website not a phishing website."<br>mr.d0x<br>»<br>AND:<br>«<br>However, as mr.d0x admits and Microsoft pointed out in their response to our questions, this attack is a social engineering attack and requires a user to run a malicious executable.<br>»<br>Correct, but a local compromise doesn't protect you when you're using FIDO2 hardware keys or passkeys.</p><p>🚨 From 2022: <a href="https://microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">microsoft.com/en-us/security/b</span><span class="invisible">log/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/</span></a>:<br>«<br>A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor 
authentication (MFA).<br>»</p><p>🚨 "Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling" - <a href="https://www.netskope.com/blog/phishing-with-cloudflare-workers-transparent-phishing-and-html-smuggling" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">netskope.com/blog/phishing-wit</span><span class="invisible">h-cloudflare-workers-transparent-phishing-and-html-smuggling</span></a></p><p>🚨 "New EvilProxy Phishing Service Allowing Cybercriminals to Bypass 2-Factor Security" - <a href="https://thehackernews.com/2022/09/new-evilproxy-phishing-service-allowing.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">thehackernews.com/2022/09/new-</span><span class="invisible">evilproxy-phishing-service-allowing.html</span></a></p><p>🚨 From <a href="https://www.europol.europa.eu/media-press/newsroom/news/international-investigation-disrupts-phishing-service-platform-labhost" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">europol.europa.eu/media-press/</span><span class="invisible">newsroom/news/international-investigation-disrupts-phishing-service-platform-labhost</span></a>:<br>«<br>The investigation uncovered at least 40 000 phishing domains linked to LabHost, which had some 10 000 users worldwide.<br>[...]<br>LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures.<br>»</p><p>🚨 "Security and Privacy Failures in Popular 2FA Apps" by Gilsenan et al. 
(USENIX 2023): <a href="https://www.usenix.org/conference/usenixsecurity23/presentation/gilsenan" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">usenix.org/conference/usenixse</span><span class="invisible">curity23/presentation/gilsenan</span></a><br>The PDF can also be found here: <a href="https://github.com/blues-lab/totp-app-analysis-public" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/blues-lab/totp-app-</span><span class="invisible">analysis-public</span></a> (Aegis was one of the least problematic apps, and don't use Authy).</p><p>This is what is wrong with weak MFA/2FA:</p><p> You<br> &nbsp;o<br> /|\&nbsp;&nbsp;[device + browser]<br> /&nbsp;\ |<br> v<br> [login.microsoftonline-aitm.com]<br> |<br> v<br> [login.microsoftonline.com]</p><p>(no thanks to DV-certificates).</p><p><a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EvilProxy</span></a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PhaaS</span></a> <a href="https://infosec.exchange/tags/Authenticator" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticator</span></a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TOTP</span></a> <a href="https://infosec.exchange/tags/OTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTP</span></a> 
<a href="https://infosec.exchange/tags/MicrosoftAuthenticator" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MicrosoftAuthenticator</span></a> <a href="https://infosec.exchange/tags/Authy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authy</span></a> <a href="https://infosec.exchange/tags/Aegis" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Aegis</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/WebView" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WebView</span></a> <a href="https://infosec.exchange/tags/AitB" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitB</span></a> <a href="https://infosec.exchange/tags/MitB" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitB</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Trust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Trust</span></a> <a href="https://infosec.exchange/tags/TrustWorthyNess" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TrustWorthyNess</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/PasswordManager" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PasswordManager</span></a> <a 
href="https://infosec.exchange/tags/CheckDomainName" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CheckDomainName</span></a> <a href="https://infosec.exchange/tags/DomainNameCheck" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DomainNameCheck</span></a></p>
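The diagram above (user, then login.microsoftonline-aitm.com, then login.microsoftonline.com) is why a relayed TOTP code is accepted while a FIDO2/WebAuthn assertion relayed through the same proxy is rejected: the TOTP check compares digits only, the relying party's WebAuthn check also verifies the origin and rpIdHash the user's browser wrote into the signed data. The code below is an added, self-contained illustration, not code from the toot or from any of the tools it names; the shared secret, credential key and challenge are constructed sample values, and an HMAC stands in for the authenticator's real ECDSA signature.

```python
"""Added example: why the proxy in the toot's diagram defeats TOTP but not an
origin-bound (WebAuthn/FIDO2-style) factor. All keys/values are constructed."""
import hashlib
import hmac
import json
import struct
import time

# ---- TOTP (RFC 6238): the server learns nothing about WHERE the code was typed
TOTP_SECRET = b"constructed-shared-secret"   # constructed sample value


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP/TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_checks_totp(submitted_code: str, unix_time: int) -> bool:
    """The real site only compares six digits; a code typed into a proxy page
    and forwarded unchanged is indistinguishable from one typed directly."""
    return hmac.compare_digest(submitted_code, totp(TOTP_SECRET, unix_time))


# ---- Origin-bound assertion (WebAuthn "get" ceremony, simplified) -----------
RP_ID = "login.microsoftonline.com"           # relying party from the diagram
CRED_KEY = b"constructed-credential-secret"   # stand-in for the credential key pair


def browser_and_authenticator_sign(challenge: bytes, browser_origin: str) -> dict:
    """What the user's browser + authenticator produce. The BROWSER fills in the
    origin it is really connected to (clientDataJSON) and the RP ID it derived
    from that origin (rpIdHash); the user cannot override either."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
        sort_keys=True).encode()
    rp_id = browser_origin.split("://", 1)[1]          # effective domain of the page
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01])  # UP flag
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()  # HMAC stands in for ECDSA
    return {"client_data": client_data, "authenticator_data": authenticator_data,
            "signature": signature}


def server_verifies_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks (W3C WebAuthn section 7.2, reduced to the essentials):
    ceremony type, challenge freshness, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != f"https://{RP_ID}":
        return False, f"origin {cd.get('origin')} is not https://{RP_ID}"
    if assertion["authenticator_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticator_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_via_host(host: str) -> dict:
    """Run both factors with the user's browser pointed at `host`. For the real
    host this is a normal login; for the proxy host it is the diagram's relay,
    where the proxy forwards the code and the challenge unchanged."""
    now = int(time.time())
    code_typed_by_user = totp(TOTP_SECRET, now)                 # forwarded verbatim
    totp_ok = server_checks_totp(code_typed_by_user, now)
    challenge = hashlib.sha256(b"constructed-server-challenge").digest()  # forwarded verbatim
    assertion = browser_and_authenticator_sign(challenge, f"https://{host}")
    fido_ok, reason = server_verifies_assertion(assertion, challenge)
    return {"host": host, "totp_accepted": totp_ok, "fido_accepted": fido_ok, "fido_reason": reason}


if __name__ == "__main__":
    for h in ("login.microsoftonline.com", "login.microsoftonline-aitm.com"):
        print(login_via_host(h))
```

Detection-wise the rejected assertion's reason string is the signal a relying party should log: a valid credential producing a wrong origin means the user was on a page that is not yours.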
Erik van Straten<p>In <a href="https://www.security.nl/posting/852814/DV+certs%3A+de+maat+is+vol" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">security.nl/posting/852814/DV+</span><span class="invisible">certs%3A+de+maat+is+vol</span></a> I wrote (in Dutch) why the internet has become one big criminal gang, referring to an earlier series (of 3) English-language toots of mine (<a href="https://infosec.exchange/@ErikvanStraten/112914047006977222" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914047006977222</span></a>).</p><p>In the second half of <a href="https://security.nl/posting/852741" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/852741</span><span class="invisible"></span></a> I describe a solution for part of the problem: that websites, to satisfy Big Tech's hunger for profit, have been made into *indistinguishable sameness*.</p><p>As a visitor, there is *nothing* left from which you can tell whether a website is authentic, or whether it is an impersonation of the real website - by cybercriminals.</p><p>This is caused by browser makers and certificate issuers, who have gone to every possible length to withhold from you the information about *WHO* is RESPONSIBLE for a website (for its domain name, to be precise, the one you see in your browser's address bar).</p><p>Big Tech's *suggestion* that it is good enough for *you* to know what the domain name of a website is, is absurd.</p><p>In practice, that is total nonsense, because people are extremely bad at exactly (necessarily 100% error-free) recognizing *complete* domain names - and can easily be fooled (even if they understand what to look for and how domain names are structured).</p><p>For websites that are new to people (such as that of a googled plumber or a sandal webshop), a domain name usually either says nothing *reliable* about who the owner is, or is pure deception - while every page of the website itself can be completely fake.</p><p>Rise up against the money-grubbers on the internet!</p><p><a href="https://infosec.exchange/tags/Certs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certs</span></a> <a href="https://infosec.exchange/tags/Misissuance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Misissuance</span></a> <a href="https://infosec.exchange/tags/Mis_issuance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mis_issuance</span></a> <a href="https://infosec.exchange/tags/Revocation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Revocation</span></a> <a href="https://infosec.exchange/tags/Revoked" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Revoked</span></a> <a href="https://infosec.exchange/tags/Weaknessess" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Weaknessess</span></a> <a href="https://infosec.exchange/tags/WeakCertificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WeakCertificates</span></a> <a href="https://infosec.exchange/tags/WeakAuthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WeakAuthentication</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a 
href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Identification</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/DNS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DNS</span></a> <a href="https://infosec.exchange/tags/DNSHijacks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DNSHijacks</span></a> <a href="https://infosec.exchange/tags/SquareSpace" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SquareSpace</span></a> <a href="https://infosec.exchange/tags/Authorization" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authorization</span></a> <a href="https://infosec.exchange/tags/UnauthorizedChanges" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UnauthorizedChanges</span></a> <a href="https://infosec.exchange/tags/UnauthorizedModifications" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UnauthorizedModifications</span></a> <a href="https://infosec.exchange/tags/DeFi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DeFi</span></a> <a href="https://infosec.exchange/tags/dydx_exchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dydx_exchange</span></a> <a href="https://infosec.exchange/tags/CryptoCoins" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CryptoCoins</span></a></p>
Erik van Straten<p>🌘DV-CERT MIS-ISSUANCE INCIDENTS🌒<br>🧵#3/3</p><p>Note: this list (in reverse chronological order) is probably incomplete; please respond if you know of additional incidents!</p><p>2024-07-31 "Sitting Ducks" attacks/DNS hijacks: mis-issued certificates for possibly more than 35.000 domains by Let’s Encrypt and DigiCert: <a href="https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/who-knew-domain-hijacking-is-so-easy/</span></a> (src: <a href="https://www.bleepingcomputer.com/news/security/sitting-ducks-dns-attacks-let-hackers-hijack-over-35-000-domains/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/sitting-ducks-dns-attacks-let-hackers-hijack-over-35-000-domains/</span></a>)</p><p>2024-07-23 Let's Encrypt mis-issued 34 certificates, revoked 27 for dydx.exchange: see 🧵#2/3 in this series of toots</p><p>2023-11-03 jabber.ru MitMed/AitMed in German hosting center <a href="https://notes.valdikss.org.ru/jabber.ru" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">notes.valdikss.org.ru/jabber.r</span><span class="invisible">u</span></a></p><p>2023-11-01 KlaySwap and Celer Bridge BGP-hijacks described <a href="https://www.certik.com/resources/blog/1NHvPnvZ8EUjVVs4KZ4L8h-bgp-hijacking-how-hackers-circumvent-internet-routing-security-to-tear-the" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">certik.com/resources/blog/1NHv</span><span 
class="invisible">PnvZ8EUjVVs4KZ4L8h-bgp-hijacking-how-hackers-circumvent-internet-routing-security-to-tear-the</span></a></p><p>2023-09-01 Biggest BGP Incidents/BGP-hijacks/BGP hijacks <a href="https://blog.lacnic.net/en/routing/a-brief-history-of-the-internets-biggest-bgp-incidents" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.lacnic.net/en/routing/a-b</span><span class="invisible">rief-history-of-the-internets-biggest-bgp-incidents</span></a></p><p>2022-09-22 BGP-hijack mis-issued GoGetSSL DV certificate <a href="https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">arstechnica.com/information-te</span><span class="invisible">chnology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/</span></a></p><p>2022-09-09 Celer Bridge incident analysis <a href="https://www.coinbase.com/en-nl/blog/celer-bridge-incident-analysis" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">coinbase.com/en-nl/blog/celer-</span><span class="invisible">bridge-incident-analysis</span></a></p><p>2022-02-16 Crypto Exchange KLAYswap Loses $1.9M After BGP Hijack <a href="https://www.bankinfosecurity.com/crypto-exchange-klayswap-loses-19m-after-bgp-hijack-a-18518" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bankinfosecurity.com/crypto-ex</span><span class="invisible">change-klayswap-loses-19m-after-bgp-hijack-a-18518</span></a></p><p>🌘BACKGROUND INFO🌒<br>2024-08-01 "Cloudflare once again comes under pressure for enabling abusive sites"<br>(Dan Goodin - Aug 1, 2024) <a 
href="https://arstechnica.com/security/2024/07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">arstechnica.com/security/2024/</span><span class="invisible">07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/</span></a></p><p>2018-08-15 Usenix-18: "Bamboozling Certificate Authorities with BGP" <a href="https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">usenix.org/conference/usenixse</span><span class="invisible">curity18/presentation/birge-lee</span></a></p><p><a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/LE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LE</span></a> <a href="https://infosec.exchange/tags/LetsEncrypt" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LetsEncrypt</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/Certs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certs</span></a> <a href="https://infosec.exchange/tags/Misissuance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Misissuance</span></a> <a href="https://infosec.exchange/tags/Mis_issuance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mis_issuance</span></a> <a href="https://infosec.exchange/tags/Revocation" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>Revocation</span></a> <a href="https://infosec.exchange/tags/Revoked" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Revoked</span></a> <a href="https://infosec.exchange/tags/Weaknessess" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Weaknessess</span></a> <a href="https://infosec.exchange/tags/WeakCertificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WeakCertificates</span></a> <a href="https://infosec.exchange/tags/WeakAuthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WeakAuthentication</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Identification</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/DNS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DNS</span></a> <a href="https://infosec.exchange/tags/DNSHijacks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DNSHijacks</span></a> <a href="https://infosec.exchange/tags/SquareSpace" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SquareSpace</span></a> <a href="https://infosec.exchange/tags/Authorization" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authorization</span></a> <a href="https://infosec.exchange/tags/UnauthorizedChanges" 
class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UnauthorizedChanges</span></a> <a href="https://infosec.exchange/tags/UnauthorizedModifications" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UnauthorizedModifications</span></a> <a href="https://infosec.exchange/tags/DeFi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DeFi</span></a> <a href="https://infosec.exchange/tags/dydx_exchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dydx_exchange</span></a> <a href="https://infosec.exchange/tags/CryptoCoins" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CryptoCoins</span></a></p>
Erik van Straten<p>🌘DV-CERT MIS-ISSUANCES &amp; OCSP ENDING🌒<br>🧵#1/3</p><p>On Jul 23, 2024, Josh Aas of Let's Encrypt wrote, while his nose was growing rapidly:</p><p>&lt;&lt;&lt; Intent to End OCSP Service<br>[...]<br>We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet.<br>[...]<br>CRLs do not have this issue. &gt;&gt;&gt;<br><a href="https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">letsencrypt.org/2024/07/23/rep</span><span class="invisible">lacing-ocsp-with-crls.html</span></a></p><p>🚨 On THAT SAME DAY, Jul 23, 2024, LE (Let's Encrypt) issued at least 34 certs (certificates) for [*.]dydx.exchange to cybercriminals, of which LE revoked 27 mis-issued certs approximately 6.5 hours later.</p><p>Note that falsified DNS records may instruct DNS caching servers to retain entries for a long time; therefore speedy revocation helps reduce the number of victims.</p><p>Apart from this mis-issuance *blunder*, CRLs have HUGE issues that Josh does not mention: they are SSSLLLOOOWWW and files are potentially huge - while OCSP is instantaneous and uses little bandwidth.</p><p>🌘NO OCSP INCREASES INTERNET RISKS🌒<br>If LE quits OCSP support, the average risk of using the internet will *increase*.</p><p>🌘LIES🌒<br>Furthermore, the privacy argument is mostly moot, as nearly every website makes people's browsers connect to domains owned by Google (and even lets those browsers execute Javascript from third party servers, allowing nearly unlimited espionage). 
In addition, IP-addresses are sent in the plain anyway (📎).</p><p>(📎 When using a VPN, source and destination IP-addresses *within the tunnel* are not visible for anyone with access to the *outside* of the tunnel - but they are sent in the plain between the end of the tunnel and the actual server.)</p><p>Worse, the remote endpoint of your E2EE https connection increasingly often is *not* the actual server (that website was moved to somebody else's server in the cloud anyway), but a CDN proxy server which has the ability to monitor everything you do (decrypting your data: three letter agencies love it, FISA section 702 grants them unlimited access - without anyone informing you).</p><p>🤷 LE may try to blame others for their mis-issuance blunder, but *THEY* chose to use old, notoriously untrustworthy, internet protocols (BGP and DNS, including database records - that DNSSEC will never protect) as the basis for authentication. By making that choice, LE and other DV cert suppliers were simply ASKING for trouble.</p><p>🔓 In fact, the promise that Let's Encrypt would make the internet safer was misleading from the start: domain names are mostly meaningless to users, 100% fault intolerant, unpredictable and easily forgotten. 
If your browser is communicating with a malicious server, encryption is pointless.</p><p>Josh, stop lying to us; your motives are purely economic.</p><p>🌘CORRUPT: BIG TECH FACILITATES CRIME🌒<br>DV-certs were heavily promoted by Google (not for phun but for profit) after their researchers "proved" that it was possible to show misleading identification information in the browser's address bar after certificate mis-issuance (the "Stripe, Inc" incident, <a href="https://arstechnica.com/information-technology/2017/12/nope-this-isnt-the-https-validated-stripe-website-you-think-it-is/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">arstechnica.com/information-te</span><span class="invisible">chnology/2017/12/nope-this-isnt-the-https-validated-stripe-website-you-think-it-is/</span></a>).</p><p>This message was repeated by many specialists (e.g. <a href="https://www.troyhunt.com/paypals-beautiful-demonstration-of-extended-validation-fud/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">troyhunt.com/paypals-beautiful</span><span class="invisible">-demonstration-of-extended-validation-fud/</span></a>) with stupid arguments: certificates do NOT directly warrant reliable websites.</p><p>OV and EV certificates, and QWACs, more or less reliably, warrant *WHO OWNS* a domain name. 
That means that users know *who* they're doing business with, can depend on their reputation and can sue them if they violate laws.</p><p>"Of course" Google recently lost trust in Entrust for mis-issuing certificates (<a href="https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">security.googleblog.com/2024/0</span><span class="invisible">6/sustaining-digital-certificate-security.html</span></a>).</p><p>Meanwhile the internet has become a corrupt and criminal mess; its users get to see misleading identification info in their browser's address bar WAY MORE OFTEN, e.g. https:⁄⁄us–usps–ny.com (for loads of examples see <a href="https://www.virustotal.com/gui/ip-address/188.114.96.0/relations" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/ip-address/</span><span class="invisible">188.114.96.0/relations</span></a>; tap ••• a couple of times).</p><p>Supporting DN's like "ing–movil.com" and "m–santander.de" *is* facilitating cybercrime, by repeatedly mis-issuing certs for them (see <a href="https://crt.sh/?q=ing-movil.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">crt.sh/?q=ing-movil.com</span><span class="invisible"></span></a> and <a href="https://crt.sh/?q=m-santander.de" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">crt.sh/?q=m-santander.de</span><span class="invisible"></span></a>) and by letting them hide behind a CDN (see <a href="https://www.virustotal.com/gui/domain/ing-movil.com/details" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span 
class="ellipsis">virustotal.com/gui/domain/ing-</span><span class="invisible">movil.com/details</span></a> and <a href="https://www.virustotal.com/gui/domain/m-santander.de/details" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/domain/m-sa</span><span class="invisible">ntander.de/details</span></a>).</p><p>In addition, *thousands* of DV-certs have been mis-issued - without *their* issuers getting distrusted by Google, Microsoft, Apple and Mozilla.</p><p>People have their bank accounts drained and companies get slammed with ransomware because of this.</p><p>But no Big Tech company (including the likes of Cloudflare) takes ANY responsibility; they make Big Money by facilitating cybercrime. Not by issuing "free" DV-certs, but by selling domain names, server space and CDN functionality, and by letting browsers no longer distinguish between useful and useless certs. They've deliberately made the internet insecure *FOR PROFIT*.</p><p>🌘CERT MIS-ISSUANCE ROOT CAUSE🌒<br>The mis-issuance of LE certs was caused by the unauthorized modification of customer DNS records managed by SquareSpace; this incident was further described in <a href="https://www.bleepingcomputer.com/news/security/defi-exchange-dydx-v3-website-hacked-in-dns-hijack-attack/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/defi-exchange-dydx-v3-website-hacked-in-dns-hijack-attack/</span></a>.</p><p>Note that a similar attack, also affecting SquareSpace customers, occurred on July 11, 2024 (see <a href="https://www.bleepingcomputer.com/news/security/dns-hijacks-target-crypto-platforms-registered-with-squarespace/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span 
class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/dns-hijacks-target-crypto-platforms-registered-with-squarespace/</span></a>). Even if it *looks like* no certs were mis-issued during the July 11 incident, because (AFAIK) none of them have been revoked, this does not warrant that none of them were mis-issued; such certs can still be abused by attackers, albeit on a smaller scale.</p><p>🌘MORE INFO🌒<br>Please find additional information in two follow-ups of this toot:</p><p>🧵#2/3 Extensive details regarding Mis-issued dydx.exchange certs on 2024-07-23;</p><p>🧵#3/3 Links to descriptions of multiple other DV-cert mis-issuance issues.</p><p>🌘DISCLAIMER🌒<br>I am not (and have never been) associated with any certificate supplier. My goal is to obtain a safer internet, in particular for users who are not forensic experts. It is *way* too hard for ordinary internet users to distinguish between 'fake' and 'authentic' on the internet. Something that, IMO, can and must significantly improve ASAP.</p><p>Edited 08:16 UTC to add people:<br><span class="h-card" translate="no"><a href="https://infosec.exchange/@troyhunt" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>troyhunt</span></a></span> <br><span class="h-card" translate="no"><a href="https://infosec.exchange/@dangoodin" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>dangoodin</span></a></span> <br><span class="h-card" translate="no"><a href="https://infosec.exchange/@BleepingComputer" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>BleepingComputer</span></a></span> <br><span class="h-card" translate="no"><a href="https://infosec.exchange/@agl" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>agl</span></a></span> </p><p><a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a 
href="https://infosec.exchange/tags/LE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LE</span></a> <a href="https://infosec.exchange/tags/LetsEncrypt" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LetsEncrypt</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/Certs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certs</span></a> <a href="https://infosec.exchange/tags/Misissuance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Misissuance</span></a> <a href="https://infosec.exchange/tags/Mis_issuance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mis_issuance</span></a> <a href="https://infosec.exchange/tags/Revocation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Revocation</span></a> <a href="https://infosec.exchange/tags/Revoked" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Revoked</span></a> <a href="https://infosec.exchange/tags/Weaknessess" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Weaknessess</span></a> <a href="https://infosec.exchange/tags/WeakCertificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WeakCertificates</span></a> <a href="https://infosec.exchange/tags/WeakAuthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WeakAuthentication</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Identification</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/DNS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DNS</span></a> <a href="https://infosec.exchange/tags/DNSHijacks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DNSHijacks</span></a> <a href="https://infosec.exchange/tags/SquareSpace" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SquareSpace</span></a> <a href="https://infosec.exchange/tags/Authorization" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authorization</span></a> <a href="https://infosec.exchange/tags/UnauthorizedChanges" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UnauthorizedChanges</span></a> <a href="https://infosec.exchange/tags/UnauthorizedModifications" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UnauthorizedModifications</span></a> <a href="https://infosec.exchange/tags/DeFi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DeFi</span></a> <a href="https://infosec.exchange/tags/dydx_exchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dydx_exchange</span></a> <a href="https://infosec.exchange/tags/CryptoCoins" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CryptoCoins</span></a></p>
SleepyCatten<p>You need to get an authentication code, so you open the relevant authenticator app.</p><p>As you open the app, the code countdown timer is down to about one quarter of its remaining time.</p><p>What action do you take?</p><p><a href="https://cultofshiv.wtf/tags/poll" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>poll</span></a> <a href="https://cultofshiv.wtf/tags/polls" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>polls</span></a> <a href="https://cultofshiv.wtf/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a></p>
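The poll above asks what to do when the authenticator's code is almost out of time. As an added example (editor's code, not part of SleepyCatten's post or of any authenticator project), the following Python implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library and shows the part of the answer the poll leaves implicit: a verifier that allows the usual one-step tolerance window (RFC 6238 section 5.2) still accepts a code read with a quarter of the step left and submitted a few seconds after it rolled over, while a strict verifier with no window rejects it. The secret is the RFC 6238 Appendix B test secret and the timestamps are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 Appendix B test secret, ASCII "12345678901234567890".
DEMO_SECRET = b"12345678901234567890"
STEP = 30  # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step number."""
    return hotp(secret, int(at_time) // step, digits)


def seconds_remaining(at_time: int, step: int = STEP) -> int:
    """Seconds until the current code rolls over (what the app's countdown shows)."""
    return step - (int(at_time) % step)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1,
                step: int = STEP, digits: int = 6) -> bool:
    """Accept the code for the current step or any step within +/- window steps.

    window=0 is a strict verifier; window=1 is the common tolerance for clock drift
    and for codes submitted just after rollover. Larger windows widen the guessing
    surface, so keep them small.
    """
    counter = int(at_time) // step
    accepted = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        # Constant-time compare; no early return so every candidate is checked.
        if hmac.compare_digest(candidate, code):
            accepted = True
    return accepted


def late_submission_demo() -> dict:
    """Read the code with about 7 s left, submit 9 s later (after rollover)."""
    step_start = 56_666_667 * STEP  # constructed timestamp aligned to a step boundary
    t_read = step_start + 23        # roughly a quarter of the 30 s step remains
    t_submit = t_read + 9           # lands 2 s into the next step
    t_late = step_start + 65        # two steps after the one the code was read in
    code = totp(DEMO_SECRET, t_read)
    return {
        "remaining_at_read": seconds_remaining(t_read),
        "strict_server": verify_totp(DEMO_SECRET, code, t_submit, window=0),
        "tolerant_server": verify_totp(DEMO_SECRET, code, t_submit, window=1),
        "too_late": verify_totp(DEMO_SECRET, code, t_late, window=1),
    }


if __name__ == "__main__":
    for name, value in late_submission_demo().items():
        print(f"{name}: {value}")
```

Whether the nearly expired code is worth submitting therefore depends on the verifier's window, which the user cannot see; waiting for the next code costs at most one step and works against both kinds of verifier. The RFC test vectors (counter 0 gives 755224, time 59 gives 94287082 at eight digits) can be used to confirm the implementation before relying on it.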
Erik van Straten<p><span class="h-card" translate="no"><a href="https://westergaard.social/users/kasperd" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>kasperd</span></a></span> : using Windows for sensitive tasks poses *way* more security risks than doing that on smartphones.</p><p>Side note: I've been trying to secure Windows desktops and servers for more than 25 years, and I can tell you this: YOU CAN'T. It's a huge legacy mess exposing an enormous attack surface. Properly fixing things would break too much. No way that throwing ISO 27k* at it will help - those are not even different worlds, but rather distant solar systems.</p><p>For most people, even using a Linux distro for critical tasks means taking more security risks than if they'd use a smartphone to do that.</p><p>On smartphones, users can still do stupid things, but -because of app separation- it is usually not the OS that introduces most security risks. Those risks are concentrated around installing apps with too many privileges (aka permissions) "to break the basic rules", such as those required by RATs (Remote Access Tools) like TeamViewer and AnyDesk.</p><p>Even knowing that there will always be risks that we're not (yet) aware of: in particular for ordinary users, Android and iOS significantly reduce risks compared to "desktop" operating systems.</p><p>Having said all that, IMO the risks of letting a smartphone represent our full identity are insane (such as when using eID/EDIW/EUDIW). It is not primarily smartphones that are to blame for that, but the internet.</p><p>Authenticating mandates fully trusting the party that verifies and confirms your identity (*). The first step for trust is exactly knowing *which party* is verifying your identity. 
On the current internet, for most users it is impossible to distinguish between fake and authentic parties.</p><p>(*) For three reasons:<br>1) They won't let anyone in who claims to be you;<br>2) They won't, as an AitM, abuse your identity and verification data to authenticate as you elsewhere;<br>3) They *really* protect, and remove ASAP, all verification data immediately after the verification took place (<a href="https://www.404media.co/id-verification-service-for-tiktok-uber-x-exposed-driver-licenses-au10tix/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">404media.co/id-verification-se</span><span class="invisible">rvice-for-tiktok-uber-x-exposed-driver-licenses-au10tix/</span></a>).</p><p><a href="https://infosec.exchange/tags/Windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Windows</span></a> <a href="https://infosec.exchange/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Linux</span></a> <a href="https://infosec.exchange/tags/Smartphones" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Smartphones</span></a> <a href="https://infosec.exchange/tags/Risks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Risks</span></a> <a href="https://infosec.exchange/tags/SecurityRisks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityRisks</span></a> <a href="https://infosec.exchange/tags/CyberSecurityRisks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurityRisks</span></a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/Android" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>Android</span></a> <a href="https://infosec.exchange/tags/iOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iOS</span></a> <a href="https://infosec.exchange/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Linux</span></a> <a href="https://infosec.exchange/tags/Identity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Identity</span></a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Identification</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eID</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/Wallet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Wallet</span></a> <a href="https://infosec.exchange/tags/UsabilitySecurityBalance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UsabilitySecurityBalance</span></a> <a href="https://infosec.exchange/tags/SecurityUsabilityBalance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityUsabilityBalance</span></a> <a href="https://infosec.exchange/tags/Fake" class="mention hashtag" rel="nofollow noopener 
noreferrer" target="_blank">#<span>Fake</span></a> <a href="https://infosec.exchange/tags/Authentic" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentic</span></a> <a href="https://infosec.exchange/tags/IdentityVerification" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IdentityVerification</span></a></p>