Passkey deployments at Google, Amazon and Microsoft open to AitM attacks, research finds
Passkeys, defined by the FIDO (Fast Identity Online) standards, are designed to replace passwords. They are the equivalent of hardware keys, the best known being the YubiKey, but they are provided by the user’s device itself. As with a YubiKey, a passkey uses a private key to cryptographically sign a challenge from a website in order to prove the user’s identity.
They are more secure than classic passwords, which can be forgotten or reused across multiple sites, and provide effective protection against phishing attacks, if implemented correctly.
But like any security tool, they’re not perfect, and you can be sure that malicious actors will look for weak spots.
Joe Stewart, senior security researcher in eSentire’s Threat Response Unit, has reviewed the passkey implementations of leading software vendors. In a blog post documenting his team’s findings, Stewart said cybercriminals can gain access to passkey-protected accounts on online platforms, including banks and social networks, using Adversary in the Middle (AitM) phishing attacks.
“Looking at the implementation of various passkey authentication flows from the most popular software services, almost all of them can still be bypassed through AitM phishing and authentication method redaction attacks,” he wrote.
AitM phishing attacks take advantage of the fact that most website passkey implementations continue to offer less secure backup authentication methods, even after a passkey has been added to the account. AitM attackers can manipulate the login page the user sees, removing references to passkey authentication to convince the user to use alternative methods. This can be achieved by modifying the HTML, CSS, images or JavaScript of the login page as it is proxied to the end user.
eSentire researchers demonstrated this approach using the open-source Evilginx AitM toolkit to simulate a phishing attack against GitHub. Evilginx sits between the user and GitHub, presenting the user with a modified login page for the service, with passkey references removed. A user who forgets that they normally log in with a passkey will most likely fall back to the username and password method. These credentials can then be captured by the attacker.
And it’s not just GitHub that’s vulnerable. Google Gmail, Amazon e-commerce (not AWS), eBay, Microsoft Outlook email (the free version), Docusign, CVS Pharmacy and Coinbase all offer insecure fallback methods, Stewart told Computing.
“It’s not that those companies have implemented passkeys poorly, but rather the way they offer the user less secure login options and methods. And AitM allows the attacker to decide the method for them.”
By offering a choice of login methods, these providers, many of which have actively promoted passkeys, inadvertently sacrifice security for convenience.
“I think from the beginning, when technology providers and online stores were deploying their passkeys, they just didn’t think about the other tactics a cybercriminal could use to simply bypass your passkey login flow, because passkeys were supposed to be secure by default thanks to the security of the passkeys themselves,” Stewart told Computing.
“When they designed their process, they just didn’t think about how a hacker could use an AitM attack to take a user’s internet request and manipulate everything the user sees in the browser tab when they log into their online account.”
AitM passkey attacks are easy to perform, he added, “especially with the large number of proxy-as-a-service phishing offerings being sold on the underground hacker market.”
Unfortunately, there is no foolproof solution, other than adding more secure authentication factors, such as a hardware key. Stewart recommends that platforms remove the password option entirely.
“The most productive practice organizations can implement for critical and sensitive online accounts is to get rid of passwords altogether and only provide the account holder with the ability to use passkeys for their account,” he said.
“However, to prevent users from being locked out of their account, platforms will have to make it mandatory for the user to have at least two passkeys for each online account, stored separately.”
But this places a burden on the user that many companies probably wouldn’t consider. A little less secure, but still better than the current situation, and providing a solution in case all passkeys are lost, is to send a “recovery link” via email or SMS. “This is similar to a magic link that would naturally allow the user to exit the AitM attack session, but is also protected by other multi-factor authentication strategies for added security,” Stewart said.
There is currently no better approach to recovery that is both secure and easy to use, but understanding how AitM attacks work against passkeys, assuming that every login request may be compromised, and improving workflows to reduce the likelihood of compromise can help security teams without sacrificing usability.
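The server-side policy Stewart describes, written out as an added example (not eSentire’s code or any vendor’s implementation): an account that has opted out of passwords keeps weaker fallbacks only until it holds enough separately stored passkeys, recovery goes through an MFA-gated link, and the decision is enforced on the backend rather than in the page the proxy can rewrite. The `Account` fields and method names are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Login methods a platform might expose. MAGIC_LINK is the recovery path the
# article describes: an out-of-band link that must still be gated by MFA.
PASSKEY, PASSWORD, MAGIC_LINK = "passkey", "password", "magic_link"


@dataclass
class Account:
    username: str
    passkeys: list = field(default_factory=list)  # registered credential IDs
    has_password: bool = True
    passkey_only: bool = False  # account holder opted out of password login


def allowed_login_methods(acct: Account, min_passkeys: int = 2) -> list:
    """Methods the login page may offer. A passkey-only account with enough
    separately stored passkeys gets no weaker fallback at all, so a proxied
    page that strips passkey references leaves the victim nothing to type."""
    if not acct.passkeys:
        return [PASSWORD] if acct.has_password else []
    if acct.passkey_only and len(acct.passkeys) >= min_passkeys:
        return [PASSKEY]
    # Too few passkeys to drop the fallback without risking lock-out.
    return [PASSKEY, PASSWORD] if acct.has_password else [PASSKEY]


def recovery_methods(acct: Account) -> list:
    """Recovery for accounts that no longer get a password: MFA-gated link."""
    return [] if PASSWORD in allowed_login_methods(acct) else [MAGIC_LINK]


def authorize_login(acct: Account, requested: str) -> tuple:
    """Backend gate for a login attempt. Because the check runs server-side,
    hiding the passkey option in proxied HTML does not help the attacker:
    the password endpoint rejects the attempt, and the event is worth
    alerting on, since a genuine client was never offered that method."""
    if requested in allowed_login_methods(acct):
        return True, "allowed"
    if requested in recovery_methods(acct):
        return True, "allowed-after-mfa"
    return False, f"{requested} not offered for {acct.username}; possible tampered login page"
```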