Donald Hoxhaj says
http://www.technewsworld.com/story/84772.html
Cyberthieves Train Their Sights on US Mobile Phone Customers
This article talks about the following: a new form of cybercrime focuses on hijacking a mobile phone account number and then transferring service to a different device; there is a vulnerability in today's security protocols where companies are using text messages as multifactor identification, so attackers are using social engineering techniques to abuse a mobile phone provider's business process; password resets are only as secure as the destination of the reset; and finally, the reason why mobile phones have become a target is because companies are using phones as multifactor identification.
It will be interesting to see how things unfold in the future. With the rise of smartphones being used as a primary device, will hackers focus their attention on hacking smartphones? How secure are smartphones? If they are secure, can hackers take advantage of mobile phone providers and their processes?
Matt Roberts says
This is a very interesting and troubling trend. Smartphones could be very useful to attackers not only for the information stored on them, but also as a springboard to launch attacks on bigger targets. This gives the attackers another level (or levels, in the case of going through multiple devices) of anonymity and obscurity, making them more difficult or nearly impossible to track.
Donald Hoxhaj says
http://www.technewsworld.com/story/84808.html
How Many Ways Might iPhone X’s Face ID Go Wrong?
This article talks about the following: the Face ID debut was underwhelming, as it failed to work as promised during the on-stage demonstration; the iPhone X features a TrueDepth camera that allows the Face ID system to ensure that the face looking at the screen is that of the actual owner; Face ID works by sending out 30,000 invisible dots that pinpoint the curves of the head and other facial features; Face ID will be one of those things that when they are good they are really good, and when they are bad they are really bad; people wear makeup or they might change over time, and it's unclear how that will affect Face ID; and finally, this might be the first use of Face ID technology.
It will be interesting to see how things unfold in the future. Will Apple start implementing Face ID on their other technologies? Will it be hard to hack into your iPhone if you take a 3D?
Amanda M Rossetti says
https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails
Deloitte, a 'big four' accounting firm and one of the largest cyber security consulting firms, was breached. Attackers got into their global email server, which contained sensitive client data. Deloitte does a lot of work not only for major companies, but also for government agencies. They found the breach in March 2017, but it is possible the breach began as early as October 2016. The attackers got in using the administrator's account. Deloitte uses the Azure cloud service, which is Microsoft's cloud solution, to store their emails. They have notified the few large clients that they believe had information compromised, but are still investigating. Because the attacker used the administrator account, they had access to every email, which means, in theory, any client could be affected. They are still investigating the source of the attack. I find it ironic that a company that makes a lot of money advising others on how to best protect themselves from cyber attacks was, themselves, breached.
Matt Roberts says
I think I recall hearing a bit about this recently. The most glaring mistake to me was that this compromised administrator account seemed to have such unrestricted access to a myriad of areas, which, to me, seems like blatant disregard for the concepts of least privilege and segregation of duties. The other thing is, with such a high-level and potentially dangerous account in existence, the company took no extra steps to better secure it, requiring only one kind of authentication (a password) to gain full, unmitigated access to all their data. This is the same amount of protection as for a low-level user account. This breach highlights the need for more secure, in-depth authentication and access protocols for high-level accounts in large systems.
Kevin Blankenship says
The part about lacking 2FA stuck out to me as well. Not only is it bad to have an admin account that can access everything, but to then not properly secure it at even the most minimal level is crazy.