Pete Recommends – Weekly highlights on cyber security issues, October 12, 2024

Subject: Why MFA alone won’t protect you in the age of adversarial AI
Source: VentureBeat
https://venturebeat.com/security/why-mfa-alone-wont-protect-you-in-the-age-of-adversarial-ai/

For a long time, multi-factor authentication (MFA) — in the way of push notifications, authenticator apps or other secondary steps — was thought to be the answer to the mounting cybersecurity problem.

But hackers are cunning and crafty and come up with new ways all the time to break through the fortress of MFA.

Today’s enterprises need even stronger defenses — while experts say MFA is still critical, it should be just a small piece of the authentication process.

“Traditional MFA methods, such as SMS and push notifications, have proven to be vulnerable to various attacks, making them nearly as susceptible as passwords alone,” said Frank Dickson, group VP for security and trust at IDC. “The growing prevalence of sophisticated threats requires a move towards stronger authentication methods.”

Why isn’t MFA enough?

“MFA is here to stay, it’s just the definition now is ‘How good is your MFA’? Is it basic, mature or optimized?,” he said. However, in the end, he emphasized: “There’s never going to be a single factor that in and of itself is completely secure.”

Filed: https://venturebeat.com/category/security/


Subject: Google’s CAPTCHA system fooled by an AI captcha solver
Source: Android Headlines
https://www.androidheadlines.com/2024/10/googles-captcha-system-fooled-by-an-ai-captcha-solver.html

The classic CAPTCHA system has been the main barrier to internet bot defense. Its main goal is to separate bots from human users through simple tests and usage parameter analysis. Google’s reCAPTCHA is the most widely used on most websites and online platforms. However, an AI-powered captcha solver proved to be able to pass itself off as human to Google’s system 100% of the time.

An AI-powered captcha solver bypassed Google’s CAPTCHA with 100% effectiveness

There are multiple AI models available out there for all kinds of goals. YOLO (You Only Look Once) is a model designed for tasks related to image detection and identification. Andreas Plesner, Tobias Vontobel, and Roger Wattenhofer, a group of AI researchers at ETH Zurich (Switzerland), developed a project based on YOLO. They basically tweaked the model to make it able to solve Google’s reCAPTCHAv2 system with perfect accuracy.

Google’s image-based reCAPTCHA system is a fundamental part of anti-bot security systems on the Internet. These security barriers aim to prevent bots from performing tasks like filling out forms or making online purchases. It is useful, for example, when products or services with limited availability are released and hundreds (or thousands) of bots take action. The system also seeks to prevent online interactions that generate falsified metrics. It can even be a barrier against classic DDoS attacks.

That said, the project by the ETH Zurich researchers showed that the reCAPTCHA system as we know it could have become obsolete.

Filed: https://www.androidheadlines.com/category/google-news


Subject: Justice Department, Microsoft disrupt Russian intelligence cyber scheme
Source: Homeland Preparedness News
https://homelandprepnews.com/countermeasures/82399-justice-department-microsoft-disrupt-russian-intelligence-cyber-scheme/

The Justice Department recently unsealed a warrant authorizing the seizure of 41 internet domains used by Russian intelligence agents and their proxies to commit computer fraud and abuse in the United States.

“Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action – using all tools to disrupt and deter malicious, state-sponsored cyber actors,” Deputy Attorney General Lisa Monaco said on Oct. 3. “The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials.”

Filed: https://homelandprepnews.com/countermeasures


Subject: Reports: China hacked Verizon and AT&T, may have accessed US wiretap systems
Source: Ars Technica
https://arstechnica.com/tech-policy/2024/10/reports-china-hacked-verizon-and-att-may-have-accessed-us-wiretap-systems/

“Hackers apparently exfiltrated some data from Verizon networks by reconfiguring Cisco routers, said one current and one former US official familiar with the matter,” according to the Post. “The fact that they were able to make changes in the routers without detection reflects the sophistication of the adversary but also raises questions about Verizon’s security posture, analysts said.”

[but]

“Whether the hackers got access to actual lists of federal surveillance targets or their communications—or what they might have taken—is not clear, officials said,” the Washington Post wrote. “It is also not clear whether the subjects of the surveillance at issue were targeted in domestic criminal investigations or in national security cases, such as espionage, terrorism, or cybersecurity.”


Subject: Login.gov announces availability for facial recognition technology
Source: FedScoop
https://fedscoop.com/login-gov-announces-availability-for-facial-recognition-technology/

Login.gov, the single sign-on platform provided by the General Services Administration, will begin offering a new identity verification option to its partners.

GSA’s new option will verify identity with facial recognition technology through the independently certified NIST 800-63 Identity Assurance Level 2 (IAL2), a standard that introduces the need for either remote or physically present identity proofing, according to a Wednesday press release. The agency said this implementation will allow federal agencies to verify users at a higher assurance level.


Subject: HHS to crack down on providers blocking access to electronic medical records
Source: Nextgov/FCW
https://www.nextgov.com/modernization/2024/10/hhs-crack-down-providers-blocking-access-electronic-medical-records/400196/

The Department of Health and Human Services has received more than a thousand claims of blocked or stymied access to electronic health record information in recent years.

The Department of Health and Human Services is getting serious about taking on medical providers and organizations engaged in information blocking practices that limit access to electronic health record data, according to a top official with the agency.

In a Tuesday blog post, Micky Tripathi — HHS assistant secretary for technology policy, national coordinator for health information technology and acting chief artificial intelligence officer — said the department is acutely aware that some bad actors are skirting information sharing requirements mandated by federal law.

The 21st Century Cures Act, signed into law by President Barack Obama in December 2016, required, in part, that EHR systems be configured in such a way that patient information can be “accessed, exchanged and used without special effort through the use of application programming interfaces,” or APIs. There are eight specific exceptions to this requirement.

Information blocking, however, has been a particular issue for clinicians trying to access records from other providers’ EHR systems.

“What is abundantly clear is that it is behavior, rather than technology, that is far and away the biggest impediment to progress,” he wrote.

“Certified health IT developers with identified non-conformities in their business practices or certified health IT could face suspension or termination of the affected certification(s),” he wrote. “Termination of certification of one or more of a developer’s health IT modules carries the added consequence of the developer being banned from the certification program.”

Filed: https://www.nextgov.com/modernization/

Posted in: AI, Cybersecurity, Healthcare, Privacy, Technology Trends