Data Safety and Information Security

Mysk🇨🇦🇩🇪 (@mysk@defcon.social)
Attached: 4 images Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don't turn it on. The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices. We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user. Why is this bad? Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵 #Privacy #Cybersecurity #InfoSec #2FA #Google #Security
·defcon.social·
Shodan
Search engine of Internet-connected devices. Create a free account to get started.
·shodan.io·
The War on Passwords Enters a Chaotic New Phase
The transition from traditional logins to cryptographic passkeys is getting messy. But don’t worry—there’s a plan.
·wired.com·
Authenticate with OpenID Connect and Apache APISIX
Lots of companies are eager to provide their identity provider: Twitter, Facebook, Google, etc. For smaller businesses, not having to manage identities is a benefit. However, we want to avoid being locked into one provider. In this post, I want to demo how to use OpenID Connect using Google underneath and then switch to Azure. OpenID Connect The idea of an authorization open standard started with OAuth around 2006. Because of a security issue, OAuth 2.0 superseded the initial version. OAuth 2
·blog.frankel.ch·
Highlights from the New U.S. Cybersecurity Strategy
The Biden administration today issued its vision for beefing up the nation's collective cybersecurity posture, including calls for legislation establishing liability for software products and services that are sold with little regard for security. The White House's new national cybersecurity…
·krebsonsecurity.com·
What Is a Message Authentication Code (MAC)?
In secure website connections, a message authentication code (MAC) helps authenticate a message and its data integrity so you know it's legit.
·thesslstore.com·
Serious Security: How to store your users’ passwords safely
Following our popular article explaining what Adobe did wrong with its users’ passwords, a number of readers asked us, “Why not publish an article showing the rest of us how to do it ri…
·nakedsecurity.sophos.com·
Password strength explained
I try to explain how attackers would guess your password, should they get their hands on your encrypted data. There are some thoughts on the strength of real-world passwords and suggestions for your new password.
·palant.info·
Zerobot Weaponizes Numerous Flaws in Slew of IoT Devices
The botnet exploits flaws in various routers, firewalls, network-attached storage, webcams, and other products and allows attackers to take over affected systems.
·darkreading.com·
beam
Shining a light on information threats
·beamdisinfo.org·
Keyoxide
A modern, secure and privacy-friendly platform to establish your decentralized online identity
·codeberg.org·
_FORTIFY_SOURCE
glibc 2.3.4 introduced _FORTIFY_SOURCE in 2004 to catch security errors due to misuse of some C library functions. The initially supported functions were fprintf, gets, memcpy, memmove, mempcpy, memset
·maskray.me·
MITRE D3FEND Knowledge Graph
D3FEND is a knowledge base of cybersecurity countermeasure techniques. In the simplest sense, it is a catalog of defensive cybersecurity techniques and their relationships to offensive/adversary techniques. The primary goal of the initial D3FEND release is to help standardize the vocabulary used to describe defensive cybersecurity technology functionality.
·d3fend.mitre.org·
Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers
A number of financial institutions in and around New York City are dealing with a rash of super-thin "deep insert" card skimming devices designed to fit inside the mouth of an ATM's card acceptance slot. The card skimmers are paired…
·krebsonsecurity.com·
Transacting in Person with Strangers from the Internet
Communities like Craigslist, OfferUp, Facebook Marketplace and others are great for finding low- or no-cost stuff that one can pick up directly from a nearby seller, and for getting rid of useful things that don't deserve to end up in…
·krebsonsecurity.com·
Denial of Wallet Attacks: The new (D)DoS in a Serverless world
Denial of Service (DoS) attacks always have been the easiest way to inflict maximum financial damages without requiring advanced skills or techniques. With the advent of cloud computing, website owners can now deploy more resources than the attackers and gracefully handle these primitive attacks. It led to the development of
·kerkour.com·