Connect with us

Tech

Google Adds Account Sync for Authenticator Without E2EE The Register

Google Adds Account Sync for Authenticator Without E2EE The Register


You may have heard the news this week that Google finally updated its authenticator app to add Google account syncing. Before you rush to make sure your two-factor secret is secure if you lose your device, be aware of the following: The sync process is not end-to-end encrypted.

The lack of synchronous encryption was pointed out in a tweet by two developers and a security research team, Mysk, who said they found the problem by analyzing network traffic during the covert synchronization process.

According to this pair I’ve discovered in the past, this means that the seed used to generate the 2FA code is sent without E2EE and will likely be visible to Google when stored on their servers. increase. The seed is synced to your Google account, so if your account is compromised, all of these his second factors will be compromised as well.

Christiaan Brand, product manager for identity and security at Google, said on Twitter, “We have always focused on the safety and security of our users, and the latest update to Google Authenticator was no exception.” We reassured users that they had nothing to worry about.

According to Brand, Google encrypts data in transit and at rest across its products. He argued that E2EE offers additional protection, but at the cost of potentially being locked out of data with no recovery options. Brand added that Google has started rolling out E2EE in some products and has plans to add it to Authenticator in the future, but a Google spokesperson told The Register when that will be. Aside from that statement, Google took Brand’s comment as a reference.

In addition to these claims, the brand also said that Google believes “the current product strikes the right balance for most users and offers significant advantages over offline use.” The offline alternative was how the app worked before the update.

Brand said the offline option remains an alternative “for those who want to be in control of their backup strategy.”

Especially if you’re using Google Authenticator for work-related 2FA, we recommend taking advantage of its offline options. At the very least, I wouldn’t leave the shed unlocked until Google could make sure they tried to “make it more durable” for the one-time code.

Salesforce community users, please check their user permissions

There is a problem for users of Salesforce Communities, a cloud-based tool that enables businesses to quickly create customer-facing websites. Many users do not properly configure their user rights, resulting in personal data leaks.

Community websites allow administrators to set separate permissions for authenticated users and guests. The latter allows access to limited features without signing in. As reported by Krebs on Security, security researchers have found a “shocking number” of community websites leaking data. An administrator has mistakenly allowed guests to access internal resources.

This is also not the exclusive problem. Multiple banks, healthcare providers and even state governments have been found to expose sensitive patient and customer data, said security researcher Charan Akiri. Akiri claims he created a program to identify hundreds of poorly configured sites. So now is the perfect time to revisit the management console.

Critical Vulnerabilities of the Week

Perhaps all cybercriminals had their eyes on RSA. Because RSA has been somewhat quiet in terms of vulnerabilities.

Several ICS vulnerabilities were reported to CISA.

Multiple CVEs in CVSS 10.0: Illumina’s universal copy service for many products contains a set of flaws that allow attackers to take arbitrary actions at the OS level. CVSS 9.8 CVE-2023-1967: The Keysight N8844A Data Analytics Web Service improperly deserializes untrusted data and allows remote code execution. The vulnerable product has been discontinued.

CISA said this week that the service location protocol, also commonly used by network-enabled printers and VMware software, allows unauthenticated, remote attackers to register arbitrary services and use them to perform denial-of-service attacks. , warned that it contains vulnerabilities that have not yet been evaluated. SLP to spoof UDP traffic for attack amplification. CISA recommends disabling or limiting network access to the SLP server to avoid this issue.

Speaking of VMware, another significant exploit was reported this week.

Multiple CVEs in CVSS 9.3: VMware Workstation Pro and VMware Fusion contain a stack-based buffer overflow vulnerability in the way they share Bluetooth devices with virtual machines, allowing an attacker to execute code as a VMX process in the VM. it might work. A patch is available.New Intel CPU side-channel attack discovered

Just when we thought it was safe to put it back in the water, another meltdown side-channel attack was discovered.

report [PDF] According to an international team of researchers from the US and China, the attack affects multiple generations of Intel CPUs and uses transient execution flaws to target the EFLAGS register and alter context execution times. By reading changes in time, researchers say they were able to decipher the data.

Worse, the researchers show that their attack doesn’t rely on the CPU’s caches and doesn’t need to reset the EFLAGS register to its initial state. Both can mean that they are harder to detect or mitigate than the other side. channel attack.

Experiments with Ubuntu 22.04 machines show 100% data retrieval on machines with Intel i7-6700 and i7-7700 CPUs, with more limited success on Intel i9-10980XE CPUs. researchers argue.

Researchers have changed the way condition code (JCC) instruction jumps are implemented (JCC timing instructions are subject to exploitation), and require some to force the EFLAGS register to be rewritten after temporary execution. It suggests that mitigation strategies are possible. .

“To our knowledge, this is the first time the EFLAGS register has been used as a side channel,” the researchers wrote. Applying a patch is recommended, but there’s only so much you can do about it.

Sources

1/ https://Google.com/

2/ https://www.theregister.com/2023/05/01/google_adds_account_sync_for/

The mention sources can contact us to remove/changing this article

What Are The Main Benefits Of Comparing Car Insurance Quotes Online

LOS ANGELES, CA / ACCESSWIRE / June 24, 2020, / Compare-autoinsurance.Org has launched a new blog post that presents the main benefits of comparing multiple car insurance quotes. For more info and free online quotes, please visit https://compare-autoinsurance.Org/the-advantages-of-comparing-prices-with-car-insurance-quotes-online/ The modern society has numerous technological advantages. One important advantage is the speed at which information is sent and received. With the help of the internet, the shopping habits of many persons have drastically changed. The car insurance industry hasn't remained untouched by these changes. On the internet, drivers can compare insurance prices and find out which sellers have the best offers. View photos The advantages of comparing online car insurance quotes are the following: Online quotes can be obtained from anywhere and at any time. Unlike physical insurance agencies, websites don't have a specific schedule and they are available at any time. Drivers that have busy working schedules, can compare quotes from anywhere and at any time, even at midnight. Multiple choices. Almost all insurance providers, no matter if they are well-known brands or just local insurers, have an online presence. Online quotes will allow policyholders the chance to discover multiple insurance companies and check their prices. Drivers are no longer required to get quotes from just a few known insurance companies. Also, local and regional insurers can provide lower insurance rates for the same services. Accurate insurance estimates. Online quotes can only be accurate if the customers provide accurate and real info about their car models and driving history. Lying about past driving incidents can make the price estimates to be lower, but when dealing with an insurance company lying to them is useless. Usually, insurance companies will do research about a potential customer before granting him coverage. Online quotes can be sorted easily. Although drivers are recommended to not choose a policy just based on its price, drivers can easily sort quotes by insurance price. Using brokerage websites will allow drivers to get quotes from multiple insurers, thus making the comparison faster and easier. For additional info, money-saving tips, and free car insurance quotes, visit https://compare-autoinsurance.Org/ Compare-autoinsurance.Org is an online provider of life, home, health, and auto insurance quotes. This website is unique because it does not simply stick to one kind of insurance provider, but brings the clients the best deals from many different online insurance carriers. In this way, clients have access to offers from multiple carriers all in one place: this website. On this site, customers have access to quotes for insurance plans from various agencies, such as local or nationwide agencies, brand names insurance companies, etc. "Online quotes can easily help drivers obtain better car insurance deals. All they have to do is to complete an online form with accurate and real info, then compare prices", said Russell Rabichev, Marketing Director of Internet Marketing Company. CONTACT: Company Name: Internet Marketing CompanyPerson for contact Name: Gurgu CPhone Number: (818) 359-3898Email: [email protected]: https://compare-autoinsurance.Org/ SOURCE: Compare-autoinsurance.Org View source version on accesswire.Com:https://www.Accesswire.Com/595055/What-Are-The-Main-Benefits-Of-Comparing-Car-Insurance-Quotes-Online View photos