U.S. Government Says To Avoid Phishing-Resistant MFA

Oct 20, 2021 10:15:13 AM By Roger Grimes

The U.S. government has been pushing people to avoid SMS- and voice call-based multi-factor authentication (MFA) for years, but their most recent warning is to avoid any MFA that is ...

Hackers rob thousands of Coinbase customers using phishing attacks and an MFA flaw

Oct 3, 2021 10:02:42 AM By Stu Sjouwerman

Bleepingcomputer was first to report: "Crypto exchange Coinbase disclosed that a threat actor stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the company's ...

Can the Microsoft 365 Platform Be Trusted to Stop Security Breaches?

Aug 18, 2021 2:00:29 PM By Stu Sjouwerman

Lax security policies, a lack of security measures and solutions in place, and an expectation that Microsoft will address any security issues is putting organizations at risk.

Cyber Insurance Industry Wrongly Hedging Its Bets on MFA

Aug 10, 2021 8:53:19 AM By Stu Sjouwerman

Because of ransomware attacks, I have been covering the cybersecurity insurance industry for a few years, including here. I even have a whole chapter dedicated to cybersecurity insurance ...

Credential Stuffing in the Travel and Retail Sectors

Jun 21, 2021 10:34:53 AM By Stu Sjouwerman

The travel and retail sectors are the top targets for credential stuffing attacks, according to Auth0’s State of Secure Identity report. Credential stuffing is a type of brute-force ...

New BEC Phishing Attack Steals Office 365 Credentials and Bypasses MFA

Jun 15, 2021 2:01:41 PM By Stu Sjouwerman

Leveraging Microsoft Exchange’s Basic Authentication support, scammers were able to use harvested online credentials and bypass any MFA in place, giving them access to mailboxes.

Many Ways To Hack MFA

Mar 22, 2021 10:35:56 AM By Roger Grimes

I have spent a lot of time thinking about how to hack multifactor authentication (MFA) solutions. I have done so my whole career, deploying dozens, if not hundreds, of MFA projects. Also, ...

6 Advanced Email Phishing Attacks

Mar 16, 2021 10:32:51 AM By Roger Grimes

No matter how good your policies and technical defenses are, some amount of phishing will get to your end users in a given month. They must be trained to recognize social engineering ...

The Good, the Bad, and the Ugly About MFA

Mar 8, 2021 11:48:24 AM By Roger Grimes

I have been in computer security for over 34 years now. Yeah, even I cannot believe how long it has been. I have been a penetration tester over 20 of those years and worked on dozens of ...

[On-Demand Webinar] Hacking Multifactor Authentication: An IT Pro’s Lessons Learned After Testing 150 MFA Products

Mar 2, 2021 8:00:00 AM By Stu Sjouwerman

Multi-Factor Authentication (MFA) can be a highly effective way to safeguard your organization’s data, but that doesn’t mean it’s unhackable. And nobody knows that better than ...

[HEADS UP] New Dutch Data Breach Report Warns of Explosive Increase in Cyber Attacks and Stolen Personal Data

Mar 1, 2021 10:39:15 AM By Stu Sjouwerman

The Dutch Data Protection Authority (AP) recently measured the number of reports of data theft in 2020 and the number of attacks skyrocketed. The report documented that it increased no ...

How Can You Be More at Risk With MFA?

Dec 23, 2020 1:43:26 PM By Roger Grimes

In my recent comment on the Solarwinds’ cyber attack, I made the claim that using multifactor authentication (MFA) can sometimes make you more at risk than using a simple login name and ...

Solarwinds MFA Bypass Attack Pushes Limits

Dec 16, 2020 12:59:35 PM By Roger Grimes

Excellent, long-time, tech reporter Dan Goodin reported in Ars Technica that the recent Solarwinds’ supply chain attack involved hackers bypassing a popular multi-factor authentication ...

5 Tips For Consolidating Remote Work Tech Debt

Dec 14, 2020 8:23:30 AM By Javvad Malik

In 2020, nearly every organisation embraced remote working to some extent or another. For some, the transition was smooth and easy, as they already had a mobile workforce and were largely ...

Think Tanks Targeted by APT Actors

Dec 3, 2020 8:28:48 AM By Stu Sjouwerman

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory warning that nation-state advanced persistent threat (APT) actors are targeting US ...

Credential-Stealing VPN Exploits

Nov 25, 2020 9:43:09 AM By Stu Sjouwerman

A hacker has published an exploit for a critical vulnerability in Fortinet VPN devices, along with a list of 49,577 vulnerable devices, BleepingComputer reports. Fortinet released a patch ...

One-Third of Employees Say Their Company Has No Cybersecurity Measures in Place While Working from Home

Nov 20, 2020 11:15:49 AM By Stu Sjouwerman

At a time when organizations should be implementing additional security measure to ensure the logical perimeter of their network is protected, new research shows companies aren’t prepared.

The Most Common Password Frustrations

Nov 9, 2020 5:01:48 PM By Roger Grimes

We all know the well-worn adage to make our passwords long and complex. Sometimes trying to do so can be completely frustrating.

6 Lessons I Learned from Hacking 130 MFA Solutions

Nov 5, 2020 2:16:43 PM By Roger Grimes

I was fortunate enough to write Wiley’s Hacking Multifactor Authentication. It’s nearly 600-pages dedicated to showing attacks against various multi-factor authentication (MFA) solutions ...

Unfortunate Learning Lessons from Clicking on a Suspicious Phishing Email

Nov 5, 2020 11:19:02 AM By Stu Sjouwerman

Israeli news source YNet released a story about a woman who clicked on a suspicious phishing link, was fired from her job, and was accused of fraud with a criminal indictment.