Tag Archive for: Cards

AT fighting off suspected ransomware attack on travel cards


Auckland Transport is fighting off a suspected ransomware attack that has hit its electronic travel cards.

At the moment, travellers can’t top up their HOP cards with eftpos or credit cards at the stations or online.

Some machines have gone offline completely, showing a blank purple screen.

AT suspects it’ll take until next week to get the problem sorted.

Its chief executive Dean Kimpton speaks to Lisa Owen.


Grid Cards – MFA without the technical overhead


This is part four of our MFA blog series for Cybersecurity Awareness Month. You can read up on blog one here, blog two here, and blog three here.

We already know the importance of multi-factor authentication (MFA) to secure access to resources for users in a world where passwords are the single largest attack vector. In a recent study, it was found that 81% of hacking-related breaches leveraged either stolen and/or weak passwords.

When thinking about MFA, many people automatically think about using mobile push notifications, SMS one time passcodes (OTP), and other mobile-centric authentication methods. But what about when frontline or field employees need access to critical resources and systems and don’t have access to a mobile device or where mobile devices are not allowed due to the sensitive nature of the data being accessed? Here are some scenarios where the use of mobile devices is not feasible:

  • Outsourced call centers with employees accessing systems connecting to sensitive data within your organization like customer PII.
  • Part-time customer service employees that handle critical customer data in order to provide a user with effective customer support.
  • Military field personnel that cannot use electronic forms of authentication due to the possibility of transmission interception.
  • Mobile emergency workers responding to emergencies where it is not convenient or possible to carry mobile devices.

How do you enable MFA for these employees?

One way is the use of physical keys like FIDO keys. But these can prove too expensive and inefficient to support: keys can be lost or damaged and have to be replaced, and when employees leave or new employees join, the keys need to be wiped and reconfigured.

What are Grid cards and how do they work?

Grid cards are an easy to use and cost effective way to provide MFA for users that cannot use mobile devices to log in to the required systems and applications. The Entrust Grid Card is a paper-based card that can be printed from a PDF file and contains a grid of rows and columns that consist of numbers and characters. As part of the MFA process, users are presented with a coordinate challenge and must respond with the information in the corresponding…


Hacking Tools, Stolen Credit Cards Advertised on Facebook Groups


(Bloomberg) — One user offered hacking services, both ethical and not. Another claimed to be able to change school grades. And several others peddled stolen credit cards and IDs.

Such illegal products and services have long been offered on the dark web, a murky section of the internet that’s populated with illicit forums. But these offers were being made on Facebook, despite repeated efforts by the social media giant to curb illegal behavior on its site.

A Bloomberg News analysis found more than 45 groups and pages — with more than 1 million combined members — where the spoils of cyber crimes and the tools needed to carry them out were offered for sale. Some of the sites were revealed by Facebook’s own discovery mechanism, which recommends groups based on those who have already joined, but Bloomberg discovered others through keyword searches and referrals from other groups. 

Among the most common were hacking-for-hire services, with 11 of the groups and pages specifically dedicated to facilitating the practice, including three with more than 100,000 members. Those groups averaged between 12,000 and 18,000 posts per month, according to data from the Facebook-owned analytics platform CrowdTangle. One tool, listed on a group called Hacker Hub, promises to deliver credentials for popular social media sites and victims’ financial information. 

Alexander Leslie, a researcher at the threat intelligence firm Recorded Future Inc., said the volume of illicit offers on Facebook “way, way overshadows what we see on the dark web in other forums that deal with similar content.”

While hardly definitive given Facebook’s massive size, the Bloomberg analysis indicates the social media platform’s efforts to stop illicit behavior haven’t kept pace. The company now known as Meta Platforms Inc. removed the content in question when reached by Bloomberg News. 

“We take significant steps to stop criminal activity on our platforms and have removed this content,” a spokesperson said via email. “We invest heavily in technology to tackle illegal content and we encourage people to report activity like this to us and the police, so we can take action.”

Since its earliest…


Federal Identity Cards Must Adapt to Changing Security Environments


PIV Cards Are Compatible with Cloud-Based Web Applications

Federal IT managers who have been thinking about zero trust and how it relates to existing FICAM compliant authentication systems need to know about advances in the commercial space that may affect them.

Let’s take a few seconds to review how PIV cards work. PIV cards contain digital certificates and, more important, private keys assigned to each user.

The digital certificate, issued by a certification authority (CA) within the federal PKI tree, describes the user’s identity. The private key is used with public-key cryptography to prove that the user is in control of the PIV card and has it at the moment of authentication.

This certificate-based authentication is widely supported in most enterprise web applications, desktop and laptop operating systems, and VPN applications.

As any PIV user knows, this method of authentication is extremely resistant to credential theft, which makes it very secure.

The main issue with PIV-based authentication is that it is based on a walled garden within the federal PKI tree. This makes enrollment in PIV a cumbersome and time-consuming process, and one which is not friendly to contractors or other third parties.

PIV cards have other limitations that affect both usability and security. They are poorly supported on mobile devices, require some additional reader hardware, and the physical user must be present.


FIDO2: If PIV Had Been Invented 20 Years Later

While PIV is dominant in the federal private infrastructure, cloud and enterprise application vendors are exploring new ways to combine the passwordless security of certificate-based authentication with other enrollment models.

The FIDO2 standards, coordinated by the Fast Identity Online (FIDO) Alliance, and their interoperability with , coordinated by the World Wide Web Consortium, are the most important new technologies to know about.

The FIDO Alliance made a big splash earlier this year when Microsoft, Apple and Google, along with the Cybersecurity and Infrastructure Security Agency, announced their commitment to pushing FIDO2 into desktop and mobile…
