AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 11/16/2020

Microsoft says it’s time for you to stop using SMS and voice calls for multi-factor authentication

Multi-factor authentication makes it much harder for hackers to break their way into your online accounts, even if they already know your password. An online account protected by MFA will prompt you to enter a separate one-time code – often constructed out of six random digits that expire after a short period of time – after you have entered your password. But having MFA enabled is not a guarantee that your account will never get hacked, and that’s especially true if you are using phone-based MFA – which is often delivered via an SMS message. And it’s for that reason that Alex Weinert, Microsoft’s director of identity security, has this week urged users to stop using telephone voice messages and SMS text messages for MFA. Weinert argues that you would be better off using a smartphone authentication app to generate your one-time-password.

PayPal now lets all US users buy, sell and hold cryptocurrency

PayPal is bringing its newly-announced support for cryptocurrency to all US accounts. It first announced plans to open cryptocurrency trading to US-based users in October, but until now it was only available to a small subset of PayPal account holders. That’s now changing, though, as PayPal says all eligible users can start buying, selling and holding bitcoin, litecoin, ethereum and bitcoin cash. Beginning next year, PayPal also plans to bring cryptocurrency into Venmo and will allow users to pay merchants with their cryptocurrency holdings (the digital currency will be converted to fiat currency). The company hasn’t detailed its plans to make cryptocurrency trading available in other countries, but says it will come to “select international markets in the first half of 2021.”

Python creator Guido van Rossum joins Microsoft

Guido van Rossum, the creator of the Python programming language, today announced that he has unretired and joined Microsoft’s Developer Division. Van Rossum, who was last employed by Dropbox, retired last October after six and a half years at the company. Clearly, that retirement wasn’t meant to last. At Microsoft, van Rossum says, he’ll work to “make using Python better for sure (and not just on Windows).” A Microsoft spokesperson told us that the company also doesn’t have any additional details to share but confirmed that van Rossum has indeed joined Microsoft. “We’re excited to have him as part of the Developer Division. Microsoft is committed to contributing to and growing with the Python community, and Guido’s on-boarding is a reflection of that commitment,” the spokesperson said.

Google still needs you to label photos for its ML

Google this week ended its free unlimited Google Photos storage offer, effective June 1, 2021 (photos uploaded before then will not count against the 15GB cap). The internet collectively lost its mind. Some called the move a classic bait and switch (lure users into uploading their entire photo library with the promise of free storage, and then start charging). Others had antitrust concerns (price out competition like Everpix, Loom, Ever, Picturelife, and then start charging). Then came the machine learning and surveillance jokes. Having finished training its ML models and mining our photo data, Google was merely adjusting its business model. In fact, 9to5Google this week spotted a new Google Photos feature that asks you to train its ML.

Computer Scientists Achieve ‘Crown Jewel’ of Cryptography

In 2018, Aayush Jain, a graduate student at the University of California, Los Angeles, traveled to Japan to give a talk about a powerful cryptographic tool he and his colleagues were developing. As he detailed the team’s approach to indistinguishability obfuscation (iO for short), one audience member raised his hand in bewilderment. “But I thought iO doesn’t exist?” he said. At the time, such skepticism was widespread. Indistinguishability obfuscation, if it could be built, would be able to hide not just collections of data but the inner workings of a computer program itself, creating a sort of cryptographic master tool from which nearly every other cryptographic protocol could be built. It is “one cryptographic primitive to rule them all,” said Boaz Barak of Harvard University. But to many computer scientists, this very power made iO seem too good to be true.

Hackers steal 8.3M user records from 123RF

Hackers have stolen 8.3 million user data records from royalty-free stock photo website 123RF. The cyber criminals breached a server belonging to 123RF’s parent company, Inmagine Group, to access the data. According to a report from Bleeping Computer, a known data breach broker began selling the data containing user information last weekend. The data reportedly includes 123RF members’ full names, email addresses, MD5 hashed passwords, company names, phone numbers, addresses, PayPal emails and IP addresses. However, it’s not thought to contain financial information, such as credit card numbers. Inmagine Group said, “We are actively notifying the necessary authorities and 123RF.com members to work with them to remedy the situation. We are also tightening the security policies to include tighter passwords and IP detection to combat suspicious log-ins.”
