A new paper by the Microsoft Security Response Center explains account pre-hijacking, where attackers open an account with the victim’s email address and then wait for the victim to eventually join the site. Once the victim joins the site and brings the account to life, the attacker takes full control, excluding the victim from their own account. The researchers noted five variations of this attack: classic federated merge attack, unexpired session identifier attack, Trojan identifier attack, email change attack not expired and the IDP attack without verification. For more on each, see beeping computer.
“These are very clever techniques, taking advantage of weak security implementation on some websites,” commented Luis Corrons, Avast’s security evangelist. “Nevertheless, although the problem is not on the user’s side, we can do something to prevent these types of attacks: always enable multi-factor authentication.” By requiring two methods to access your account, MFA maintains user control.
Zola Gift List Accounts Hacked
List of wedding gifts Zola recognized in a Tweeter that the hackers hacked the accounts of several users. The news first emerged a few days ago when Zola users started posting reports on social media about account takeovers and multiple attempts by criminals to make purchases using the information. the victims. hackers used credential stuffing to access the accounts, but the credit card and banking information was thankfully not exposed. “In practice, cash funds have always been held in a separate, protected account,” a Zola spokesperson said. Tech Radar. Following the breach, Zola reset all user passwords.
Fake digital driving licenses are not difficult
A security researcher faults discovered in New South Wales digital driving license (DDL) allowing easy-to-execute counterfeits. The Australian state began using the DDL system in 2019, giving citizens the option to present proof of identity and age at roadside police checks, bars, shops, hotels and other locations . The only attack needed to breach the security of the DDL system is a four-digit brute force pin, of which there are only 10,000 combinations. Once the hacker has come in and changed the driver’s license information, the DDL will still pass all security checks because locally stored data is never checked against the backend database. For more on this story, see Ars-Technica.
Ransomware Task Force Reminds Government There’s More Work to Do
A year after the Ransomware Task Force delivered a overall framework to act against ransomware, the group has translated into a new paper on what has been accomplished and what remains to be done. The task force is made up of more than 60 companies and organizations from government, nonprofits and the private sector. Last May, the group made 48 recommendations to address the ransomware problem. Of these 48, 12 saw tangible progress, 29 saw initial action taken and seven saw no action. For more on this story, see Cyberscoop.
Zoom fixes a flaw allowing remote code execution
A Google Project Zero researcher found a number of flaws in the Zoom client that could potentially allow attackers to initiate remote code execution, but Zoom patched the issue with version 5.10.0. “User interaction is not required for a successful attack,” the researcher said. wrote. “The only capability an attacker needs is to be able to send messages to the victim via Zoom chat over the XMPP protocol.” Using a specially crafted message, attackers could trick Zoom clients into connecting to an intermediary server that pushed a 2019 version of the Zoom client. To learn more, see ZDNet.
The essentials of the week on the Avast blog
While some refugees are able to obtain identity documents when forced to flee their country, others have no proof that they are who they say they are. Can digital identity help tackle the global refugee crisis?