Microsoft extends passwordless access, a warning to software developers and how an attack started with a compromised website.
Welcome to Cyber Security Today. It’s Friday September 17th I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
 |
 |
 |
Earlier this year Microsoft made it easier for IT departments to allow employees to use alternatives to passwords for logging into their Microsoft accounts. Instead they can log in with their image through a video camera or other multi-factor authentication process. This week Microsoft did the same for home users. This is being done because so many people use weak passwords, and so many threat actors have stolen lists of passwords for breaking into systems. So passwordless login is available now or will shortly be available for home users of Microsoft Outlook, OneDrive, Family Security and other Microsoft products. You first need to download and install the Microsoft Authenticator app on a smartphone and link it to your personal Microsoft account. Then log into that account and in the Advanced Security Options section turn on Passwordless Account. Follow the on-screen prompts which send a notification to the Authenticator app. Approve the notification and you’re done. After that you chose which type of authentication you want – your image, a code or a security key. Just remember if the multi-factor system fails the backup is a password.
Lots of software developers use open-source Java, JavaScript, .Net and Python packages as building blocks for their applications. According to a software tool company called Sonatype, there are over 2 million packages available. That’s attracted the attention of threat actors, the company warned in a report released this week. Hackers are quietly injecting vulnerabilities into these open source projects to later exploit them when installed in organizations’ applications. That makes these applications a software supply chain risk. It’s important that application development teams chose which open source projects are acceptable, the report says. Open source components should come from a trusted supplier.
Some companies don’t realize they can be hacked through their web server. This week McAfee detailed a long-term cyber attack against an unnamed organization that IT professionals should read. There’s a link to the report here. The attacker used a lot of techniques to hide on the organization’s computer network and steal data over a number of years. Some techniques included installing new backdoors, and upping the data access privileges the attacker was entitled to. One way attacks can be stalled if not defeated is the use of multifactor authentication so password access can’t be fooled around with. But the main thing I got from this report is that the attacker first compromised this organization was through a web server vulnerability. That’s a lesson to all IT departments.
Finally, in July I warned that as COVID travel restrictions lift scammers are taking advantage. The number of phony airline, car rental and Airbnb websites is increasing, a report noted. This week another report came out with more details. Palo Alto Networks said there has been a substantial increase in the registration of travel-related phishing URLs this year. These sites are used for phishing scams offering supposed airline and vacation deals. Crooks hope victims will click on links so they can capture passwords, personal information and credit card data. As always, be careful with any message that has a link, especially to so-called deals that need to be acted on fast.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.