fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
Fosstodon is an invite only Mastodon instance that is open to those who are interested in technology; particularly free & open source software. If you wish to join, contact us for an invite.

Replied in thread

@bert_hubert : a few more "points":

• Every employee who has to log in to a cloud account instead of a local account becomes a SPOF (Single Point Of Failure) for information security (example: security.nl/posting/859906/Spe).

• Microsoft's Authenticator app does not protect against a growing number of phishing sites ("evil proxies"): techcommunity.microsoft.com/t5

• SOCs (Security Operations Centres) can go in the bin, and you depend on the cloud provider for your logs (security.nl/posting/862564/Mic).

www.security.nl: Speculation about the Police hack - Security.NL
#Cloud #SPOF #2FAFail
Replied in thread

Don't rely on 2FA!

Instead use a trustworthy & secure pwmgr (password manager) that checks the domain name (like passkeys do implicitly) and, based on that, offers to autofill credentials.

And:
• Let the pwmgr generate random long unique passwords for each account;

• Back up the pw db (database) after each change (and have multiple physical locations where those backups are stored);

• Know what to do when logging in to a website and your pwmgr comes up with *NOTHING*: don't search for credentials in the pw db for the website you were made to *believe* it is - it's fake.

<<< The phishing page, for its part, urges the victim to sign in with Microsoft Outlook or Office 365 (now Microsoft 365) to view a purported PDF document. Should they follow through, fake sign-in pages hosted on Cloudflare Workers are used to harvest their credentials and multi-factor authentication (MFA) codes. >>> thehackernews.com/2024/05/new-

@patrickcmiller

The Hacker News: New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI. Cybercriminals are exploiting Cloudflare Workers to host phishing sites targeting major email providers.
#2FA #MFA #2FAFail
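The post above hinges on one mechanism: a password manager offers credentials only when the domain of the page matches the domain the credentials were saved on, so a proxy or lookalike site gets nothing. The block below is an added example illustrating that check; it is not code from any of the posts or from any real password manager. The vault entries, hostnames and the `Credential`, `normalize_host` and `autofill_candidates` names are all constructed for the example. It compares the exact host (not the registrable domain, which would need a public suffix list) and, as a deliberate choice here, offers credentials only on `https` pages.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    """One vault entry: the origin it was saved on plus the login pair (constructed)."""
    site: str
    username: str
    password: str


def normalize_host(url: str) -> tuple[str, str] | None:
    """Return (scheme, host) for a URL with the host lower-cased and any port or trailing dot removed.

    Returns None when the URL has no usable host (e.g. a bare string or a mailto: link).
    """
    parts = urlsplit(url)
    host = parts.hostname  # already lower-cased and port-stripped by urlsplit
    if not host:
        return None
    return parts.scheme.lower(), host.rstrip(".")


def autofill_candidates(vault: list[Credential], page_url: str) -> list[Credential]:
    """Offer only the credentials whose saved host is exactly the host of the page being viewed.

    Exact comparison is the point: "mail.example.com.login-docs.example.net" merely starts with
    a saved host and is a different site, so nothing is offered. The same goes for a hyphenated
    lookalike or an IDN homoglyph, whose Punycode form never equals the saved ASCII host.
    """
    page = normalize_host(page_url)
    if page is None or page[0] != "https":   # assumption for this example: autofill only over HTTPS
        return []
    _, page_host = page
    return [
        cred
        for cred in vault
        if (saved := normalize_host(cred.site)) is not None and saved[1] == page_host
    ]


# Constructed sample vault; these are not real accounts or passwords.
VAULT = [
    Credential("https://mail.example.com/login", "alice", "ConstructedPassword1!"),
    Credential("https://cloud.example.org", "alice", "ConstructedPassword2!"),
]

# Constructed page URLs a user might land on, including the lookalikes the post warns about.
TEST_PAGES = {
    "same host, different path": "https://mail.example.com/owa/auth/",
    "uppercase host with trailing dot": "https://MAIL.Example.COM./",
    "plain http": "http://mail.example.com/login",
    "lookalike subdomain prefix": "https://mail.example.com.login-docs.example.net/",
    "lookalike with hyphen": "https://mail-example.com/login",
    "idna homoglyph": "https://xn--mail-exmple-xyz.com/",
}


def demo() -> dict[str, list[str]]:
    """Map each constructed page to the usernames the manager would offer there."""
    return {
        label: [c.username for c in autofill_candidates(VAULT, url)]
        for label, url in TEST_PAGES.items()
    }


if __name__ == "__main__":
    for label, users in demo().items():
        print(f"{label:36s} -> {users or 'NOTHING offered: treat the page as suspect'}")
```

Only the first two pages get an offer; every other entry prints "NOTHING offered", which is exactly the signal the post tells the user to act on rather than override by searching the vault by hand.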

Another day, another 2FA UX fail. Sony's site, on mobile: if you want to use an authenticator app for 2FA, you can either scan the QR code (not really, I'm on the same mobile) or copy and paste the key. Except they disable user selection with CSS. Well, here we are.
That CSS line looks very generic, but, like, why disable select at all on mobile? It's a mess for accessibility anyway, and it's becoming a mess for those "edge cases" where people need to copy and paste.
#UXFails #2FAFail