Access control and authentication

News

• Citadel malware now targets password management applications

  Attackers have started using the Citadel Trojan program to steal master passwords for password management applications and other authentication programs.

• 

  USB Armory is the Swiss army knife of security devices

  "Where's Andrea?" That was the question on the lips of attendees at this week's No Such Con security conference.

• Cyberespionage group launches sophisticated phishing attacks against Outlook Web App users

  A cyberespionage group has been using advanced spear-phishing techniques to steal email log-in credentials from the employees of military agencies, embassies, defense contractors and international media outlets that use Office 365's Outlook Web App.

• Facebook and Yahoo prevent use of recycled email addresses to hijack accounts

  Facebook and Yahoo have developed a mechanism to prevent the owners of recycled email addresses from hijacking accounts that were registered on other sites using those addresses in the past.

• Abandoned subdomains pose security risk for businesses

  Many companies set up subdomains for use with external services, but then forget to disable them when they stop using those services, creating a loophole for attackers to exploit.

• Google extends two-factor authentication with physical USB keys

  Google is letting users protect their accounts against password compromises by adding support for two-factor authentication based on physical USB keys.

• Dropbox dismisses claims of hack affecting 7 million accounts

  Hackers claim to have stolen a database of almost 7 million Dropbox log-in credentials, but the company says its service was not hacked and that unrelated websites are the data source.

• What you should consider when choosing a password manager

  Many security experts feel that passwords are no longer sufficient to keep online accounts safe from hackers, but we're still a long way from widespread adoption of biometrics and alternative methods of authentication.

• Critical Bugzilla vulnerability could give hackers access to undisclosed software flaws

  Hackers could have had an inside track on unpatched flaws in major software projects because of a critical vulnerability in Bugzilla, a system that many developers use to track and discuss bugs in their code.

• OpenVPN servers can be vulnerable to Shellshock Bash vulnerability

  Virtual private network servers based on OpenVPN might be vulnerable to remote code execution attacks through Shellshock and other recent flaws that affect the Bash Unix shell.

• Apple's iOS 8 fixes enterprise Wi-Fi authentication hijacking issue

  Apple's iOS 8 addresses a serious weakness that could allow attackers to hijack the wireless network authentication of Apple devices and gain access to enterprise networks.

• Salesforce warns customers of malware attack

  Salesforce.com users are being targeted by a new version of a computer Trojan that has typically attacked online banking customers until now.

• Hackers launch Apple ID phishing campaign playing on iCloud security worries

  The hackers behind the Kelihos botnet are trying to capitalize on users' increased awareness about the security of Apple online accounts through a new phishing campaign.

• LinkedIn beefs up account security with session management, detailed alerts

  Professional networking site LinkedIn is rolling out new features that allow users to easily manage authenticated sessions across multiple devices and better understand what caused security-related changes on their accounts.

• Firefox OS to outdo Android on granular application permissions

  Future versions of the Firefox OS mobile platform will allow users to control application-specific permissions, a feature with both privacy and security benefits that's missing on Android.