A former Yahoo engineer was sentenced to five years of probation and home confinement for hacking into the personal accounts of more than 6,000 Yahoo Mail users to search for sexually explicit images and videos. Reyes Daniel Ruiz, 34, of Tracy, California, will only be allowed to leave his home for work, religious activities, medical […] More

Microsoft has devised new Azure Active Directory identity and access management capabilities that give organizations a better chance of fending off crafty techniques used by hackers to get around two-factor authentication.Microsoft’s CISO recently explained the identity problem facing most organizations. “People are very focused on taking advantage of identity, it’s become a classic: hackers don’t break in, they log in,” he told CNBC in an interview abut Microsoft’s efforts to kill the password.The software giant is introducing a GPS-based named locations and filters to its Azure AD “Conditional Access” feature, which looks at a range of signals for authorized user access.  “The GPS-based named locations and filters for devices enable a new set of scenarios, such as restricting access from specific countries or regions based on GPS location and securing the use of devices from Surface Hubs to privileged access workstations,” says Vasu Jakkal Corporate vice president or Microsoft Security, Compliance and Identity. Microsoft Security General Manager Andrew Conway gave ZDNet a breakdown of the new GPS-based conditional access feature, which should help organizations lock down their most important business applications. “An IP address may not be enough context to validate the location from which an employee is logging in, especially if that company has strict requirements for a particular application or resource,” Conway says. “In these strict access scenarios, a user will receive a prompt on the Microsoft Authenticator app requesting them to share their location to confirm the country. This could be layered on top of other policies, such as requiring multifactor authentication.”

The recent SolarWinds attack shows how sophisticated attacks are getting in their attempts to get around two-factor authentication. Microsoft president Brad Smith called the SolarWinds incident “a moment of reckoning”, in part because it caught the US’s most important cybersecurity companies off guard.The attack stung Microsoft and FireEye — two of the biggest cybersecurity companies in the world — via a tampered update from SolarWinds network monitoring software, Orion. FireEye’s breach began with the backdoor in the SolarWinds update, and the attackers then used the initial intrusion to acquire employee credentials. FireEye required employees to use a two-factor code to remotely access its VPN, but the attackers used the stolen credentials to enroll a second, non-authorized mobile device for one employee in the company’s two-factor authentication system, at which point it was spotted. For Microsoft’s new system to work, the organization would need to have connected their on-premises identity solution with Microsoft’s Azure AD cloud identity service to use the risk-based capabilities of Conditional Access.These additions to Conditional Access enable you to now target conditional access policies to a set of devices based on certain device attributes, such as whether it is a corporate-managed device or whether the device is in an allowed range says Microsoft.Conditional Access supports Windows, iOS, macOS, and Android devices that have been enrolled into Azure AD. “When using certain attributes as the properties for filters for devices, the device has to meet certain criteria, such as being managed by Microsoft Endpoint Manager, marked compliant, and hybrid Azure AD joined,” Conway adds. Microsoft is rolling out GPS-based conditional access as part of its own shift to hybrid work as more vaccines roll out and people start returning to offices on some days. Key to that strategy is its push for a “zero trust” architecture, where it assumes the company has been breached and that there is no border to the corporate network. But according to Microsoft’s Jakkal, only 18 percent of its own customers have enabled multi-factor authentication. “We saw a significant jump in usage when the pandemic began. And when that happened, we saw a significant decrease in aggregate compromises—people thought they were activating to protect only remote access, but MFA protects the entire network,” she says.  More

Jason Hiner/ZDNETFollow ZDNET: Add us as a preferred source More

Google has released today version 88.0.4324.150 of the Chrome browser for Windows, Mac, and Linux. Today’s release contains only one bugfix for a zero-day vulnerability that was exploited in the wild.

The zero-day, which was assigned the identifier of CVE-2021-21148, was described as a “heap overflow” memory corruption bug in the V8 JavaScript engine.
Google said the bug was exploited in attacks in the wild before a security researcher named Mattias Buelens reported the issue to its engineers on January 24.
Two days after Buelens’ report, Google’s security team published a report about attacks carried out by North Korean hackers against the cyber-security community.
Some of these attacks consisted of luring security researchers to a blog where the attackers exploited browser zero-days to run malware on researchers’ systems.
In a report on January 28, Microsoft said that attackers most likely used a Chrome zero-day for their attacks. In a report published today, South Korean security firm said they discovered an Internet Explorer zero-day used for these attacks as well.
Google did not say today if the CVE-2021-21148 zero-day was used in these attacks, although many security researchers believe it was so due to the proximity of the two events.

But despite how this zero-day was exploited, regular users are advised to use Chrome’s built-in update feature to upgrade their browser to the latest version as soon as possible. This can be found via the Chrome menu, Help option, and About Google Chrome section.
Before today’s patches, Google went through a spell last year where it patched five actively-exploited Chrome zero-days in a span of three weeks. More

Lock My PC is being removed from the public domain and free recovery keys are on offer to combat a wave of complaints concerning the software being abused by tech support scammers.  Lock My PC is software offered on a free and business basis by FSPRO Labs, an organization which has also developed drive encryption […] More