Search the Community

Security is one of the biggest issues facing businesses of all sizes today, with new threats and cyberattacks hitting the headlines seemingly every day. It may sound obvious, but using a strong and unique password remains one of the most effective ways to keep your systems and data safe and secure, providing stringent safeguards to keep hackers and criminals at bay. But with so many different passwords to remember for so many different online services, dealing with passwords can sometimes feel like a huge amount of pressure, and might lead your workers to taking the easy-to-remember route, potentially putting your business at risk of attack. So if you're looking to lessen password fatigue across your organization, you need a password manager that's not only well-protected, but easy to use and intuitive as well - and Passwork could be the partner for you. (Image credit: Passwork) Passwork is specifically designed to solve workplace password woes, targeting pain points around security that keep IT admins awake at night. The platform stores all data on your company servers, meaning nothing is transferred to the cloud, where it might fall victim to attack or breach. Data is secured using the super-secure AES-256 algorithm, and can run across PHP and MongoDB, and installed on Windows or Linux, either with or without Docker. Access is governed by administrators who are able to manage and grant permissions, track password changes and usage, and can even conduct security audits, meaning your protections are all managed in-house, without external systems or figures being involved. (Image credit: Passwork) Once set up, your administrator can control exactly who has access to which systems, with the ability to invite colleagues and add access rights across different services where required. If a new employee joins your business, you can quickly set them up with the tools and passwords they need, without needing to carry out lengthy onboarding, allowing them to get up to speed quickly. And if an employee leaves the business, their access to your files and systems can be easily and quickly restricted, with affected passwords quickly flagged to be changed, this will eliminate possible risks in such a situation. (Image credit: Passwork) Passwork looks to be incredibly accessible and flexible too — a browser extension means administrators and users alike can quickly access the platform while working, while a mobile app also gives access on the go for those workers who may be travelling a lot. Passwork has already been trusted by hundreds of businesses around the world, and also prides itself on its openness — the company's source code is open, meaning it can be examined for any flaws or vulnerabilities. So if you're looking to upgrade your security protections, Passwork could be the ideal first step — to find out more, visit its website here. View the full article

Retro tech enthusiast Bob Pony recently shared an image of an old Toshiba Satellite laptop’s parallel port sprouting a tangle of contorted paperclips - showcasing an unofficial BIOS reset method. View the full article

Disney plans to start cracking down on Disney+ password sharing starting in June, Disney CEO Bob Iger said in an interview with CNBC earlier this week. Iger said that Disney needs to turn its streaming business into a growth business, and one way to do that is to force households that are sharing passwords to sign up for their own accounts. "In June, we'll be launching our first real foray into password sharing," said Iger. "Just a few countries and a few markets, but then it will grow significantly with a full rollout in September." Iger did not clarify where the password sharing lockdown will start, but it sounds like it will be largely worldwide when September rolls around. Disney+ competitor Netflix put a stop to multi-household password sharing in 2023, and it ended up being a major revenue driver for the company. Netflix saw strong subscriber growth, gaining 8.8 million new subscribers in Q3 2023 after cracking down on password sharing. Iger said that he admires what Netflix has done, calling the company the "gold standard in streaming." Netflix is the gold standard in streaming. They've done a phenomenal job in a lot of different directions. I actually have very, very high regard for what they've accomplished. If we can only accomplish what they've accomplished, that would be great. Disney+ launched in 2019, and since then it has grown into the number two streaming service in terms of subscribers after Netflix. Prior to when Iger returned to Disney 2022, Disney+ was bleeding money as Disney focused on subscriber growth. Disney+ will see its first profitable quarter in the fourth fiscal quarter of 2024 under Iger's leadership. Disney's streaming service has more than 110 million subscribers worldwide, and it has been integrating Hulu content into Disney+ in order to boost customer engagement. Disney+ is now priced at $10.99 per month for an ad-free subscription, or $7.99 for a subscription with ads.Tags: Disney, Disney Plus This article, "Disney+ Password Sharing Crackdown to Start in June" first appeared on MacRumors.com Discuss this article in our forums View the full article

The White House put out an official letter warning of severe cyberattacks directed at water and wastewater infrastructure across the country. The post Strong Passwords: A Keystone of Cybersecurity for Water and Wastewater Infrastructure appeared first on Enzoic. The post Strong Passwords: A Keystone of Cybersecurity for Water and Wastewater Infrastructure appeared first on Security Boulevard. View the full article

AT&T has initiated a mass reset of millions of customer account passcodes following a reported data breach. The post Millions Impacted in Mass Passcode Reset of AT&T Accounts appeared first on Enzoic. The post Millions Impacted in Mass Passcode Reset of AT&T Accounts appeared first on Security Boulevard. View the full article

American telecommunications behemoth AT&T has finally confirmed the authenticity of the 2021 data breach that spilled sensitive user information on the dark web, and has initiated a mass reset of user passcodes. Roughly three years ago, privacy blog RestorePrivacy broke the news of a hacker selling sensitive data belonging to more than 70 million AT&T customers. The data allegedly contained people’s names, phone numbers, postal addresses, email addresses, social security numbers, and dates of birth. While AT&T initially denied the breach, saying the data wasn’t from the company, the hacker, going by the name “ShinyHunters” said the organization will likely continue denying until they leak it all. Mass reset Surely enough, last month, a seller published the full database, affecting 73 million people - and TechCrunch analyzed the database, confirming its authenticity, and also establishing that it contained user passcodes, prompting a swift alert towards AT&T. Passcodes are four-digit numbers that work as the second security layer, and are used to access user accounts. Even though they were encrypted, some researchers argued that it is something that can be worked around. Apparently, there is not enough randomness in the encrypted data, which means that in theory, a threat actor could guess the passcode. It seems the threat is more than just theoretical, as AT&T initiated a mass-reset of the passcodes over the weekend. “AT&T has launched a robust investigation supported by internal and external cybersecurity experts,” the company said in a statement published on Saturday. “Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.” “AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set,” the statement said. While the telco did confirm the breach, it says that it still doesn’t know where the data came from, whether it was directly from its servers, or from its vendors. More from TechRadar Pro Hot Topic confirms multiple new cyberattacks — customer details and payment info exposed onlineHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

Networking giant Cisco has warned its users of an ongoing attack against its business VPN services. In a security advisory, Cisco said it had been notified of an ongoing password-spraying attack against different third-party VPN concentrators. In this instance, it was Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall that were affected. Russian attackers “Depending on your environment, the attacks can cause accounts to be locked, resulting in Denial of Service (DoS)-like conditions,” Cisco explained, saying that the activity appears to be a reconnaissance effort. The threat actors were not named. Password spraying is a type of attack in which the threat actor tries the same password with multiple accounts, until one combination works. Listing its set of defenses and mitigations, Cisco recommended enabling logging to a remote syslog server for improved correlation and auditing of network and security incidents across various network devices; securing default remote access VPN profiles by pointing unused default connection profiles to sinkhole AAA servers; leveraging TCP shun to manually bloc dangerous IP addresses, configuring control-place ACLs to block unauthorized public IP addresses from running VPN sessions; and using certificate-based authentication for RAVPN. Security researcher Aaron Martin claims the attack was likely the work of an undocumented malware botnet named Brutus. He made the connection after observing the malware’s targeting scope and attack patterns, it was said. In his analysis of the botnet, Martin said it counts some 20,000 IP addresses worldwide. At first, the attacks targeted SSLVPN appliances from Fortinet, Palo Alto, SonicWall, and Cisco, but have since evolved to include web apps using Active Directory for authentication, too. To avoid raising any flags, Brutus rotates its IPs every six attempts. Although inconclusive, some evidence points to Brutus being the work of APT29, an infamous Russian state-sponsored threat actor. Via BleepingComputer More from TechRadar Pro What is credential stuffing, and how does it work?Here's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

PlayStation account owners will soon be able to start using a passkey as an alternative to a password when logging into a PlayStation account on the web, in an app, or on a PlayStation device. Passkey integration is set to be introduced at some point today, and users will be able to log in and authenticate their accounts with Face ID, Touch ID, or a device passcode on an iPhone. Passkeys are considered more convenient and secure than a traditional password, with sign-ins streamlined through biometric authentication. Passkeys are resistant to online attacks such as phishing because there's no password to steal and no one-time SMS code that can be intercepted. Apple has supported passkeys since 2022, and passkeys are available on iOS 16 and later, iPadOS 16 and later, and macOS Ventura and later. Many companies have been implementing support for passkeys, including Twitter, Google, PayPal, Best Buy, Microsoft, and eBay.Tag: Passkeys This article, "PlayStation Adds Support for Passkeys as Password Alternative" first appeared on MacRumors.com Discuss this article in our forums View the full article

Some of the most popular mobile password managers on Android have a serious security flaw that could cause the worst problem possible for users - leaking their credentials. Known as "Autospill," the vulnerability involves a bug in the autofill function on Android devices. It was discovered by researchers at the International Institute of Information Technology (IIIT) Hyperabad, who presented their findings at the recent Black Hat Europe conference. Autospill security risk The problem arises when an app login page is loaded in WebView, which is Google's engine for letting developers display web content inside an app without going into a browser. This confuses the password manager about where to autofill the password, and instead it can mistakenly "expose the credentials to the base app," Ankit Gangwal, one of the researchers involved, told TechCrunch. What it should do is autofill a user's credentials in the WebView login page that appears in the app. Gangwal cautions that this poses a significant threat in the case of malicious apps, as they could exploit the flaw to gain a user's credentials automatically, without the need to run phishing campaigns. The password managers that the researchers claim to have tested the flaw on include 1Password, LastPass, Keeper, and Enpass - some of the most popular and best password managers around. They also said that the Android devices they used were new and up-to-date. Apparently, most of the aforementioned apps were vulnerable to Autospill, even when JavaScript injection was disabled. When enabled, however, all of them were susceptible to the flaw. Google and the relevant password managers have been notified of the flaw. 1Password told TechCrunch that it will be working to fix the flaw, while Keeper asked for a video demonstration of the flaw in action. After seeing it, Keeper CTO Craig Lurey believed that, "the researcher had first installed a malicious application and subsequently, accepted a prompt by Keeper to force the association of the malicious application to a Keeper password record." Lurey further defended the security posture of Keeper by saying it has, "safeguards in place to protect users against automatically filling credentials into an untrusted application." He also advised the researchers share their findings with Google, as the problem relates to the Android platform specifically. LastPass told TechCrunch that it already had a pop-up warning in place to alert users of potential autofilling dangers, but in light of the research said it will now add "more informative wording" to the notification. The researchers said they will be testing the flaw on iOS devices too. Update 12/8: Since the publication of this article, A Google spokesperson reached out to TechRadar Pro to explain that the flaw, "is related to how password managers leverage the autofill APIs when interacting with WebViews. We recommend third-party password managers be sensitive as to where passwords are being inputted, and we have WebView best practices that we recommend all password managers implement. Android provides password managers with the required context to distinguish between native views and WebViews, as well as whether the WebView being loaded is not related to the hosting app." MORE FROM TECHRADAR PRO These are the best identity theft protection tools aroundiPhone and Mac users beware - this dangerous new iOS and macOS security flaw might see you give up your password without knowingExploring the risks and benefits of password managers View the full article

This Safari vulnerability has not been exploited in the wild. Apple offers a mitigation, but the fix needs to be enabled manually.View the full article

I try not to write about ongoing work—if it is important enough to blog about then it is important enough to write about in the work product, and blog about something else. But every once in a great while, the need overrides my simple rule. After all, zealous adherence to rules is not really a […] The post The Other Reasons for Password Management appeared first on DevOps.com. View the full article

Short for Secure Shell, SSH is a secure network protocol that encrypts traffic between two endpoints. It allows users to securely connect and/or transfer files over a network. SSH is mostly used by network View the full article