成人小说亚洲一区二区三区,亚洲国产精品一区二区三区,国产精品成人精品久久久,久久综合一区二区三区,精品无码av一区二区,国产一级a毛一级a看免费视频,欧洲uv免费在线区一二区,亚洲国产欧美中日韩成人综合视频,国产熟女一区二区三区五月婷小说,亚洲一区波多野结衣在线

立即打開
網(wǎng)絡(luò)驚現(xiàn)新型釣魚技術(shù),可通過雙重驗(yàn)證

網(wǎng)絡(luò)驚現(xiàn)新型釣魚技術(shù),可通過雙重驗(yàn)證

Alyssa Newcomb 2019年06月11日
安全專家已經(jīng)證實(shí),某種自動(dòng)化的釣魚攻擊可以穿透這層被稱作2FA的額外防護(hù),它可能會(huì)欺騙沒有疑心的用戶,讓他們共享自己的私有憑據(jù)。

雙重驗(yàn)證是一種要求用戶輸入發(fā)送到他們手機(jī)或郵件中的驗(yàn)證碼的額外安全防護(hù)步驟,歷來被用于防止釣魚攻擊獲取用戶名和密碼。

然而,安全專家已經(jīng)證實(shí),某種自動(dòng)化的釣魚攻擊可以穿透這層被稱作2FA的額外防護(hù),它可能會(huì)欺騙沒有疑心的用戶,讓他們共享自己的私有憑據(jù)。

這種攻擊最早在上個(gè)月阿姆斯特丹舉辦的Hack in the Box安全大會(huì)上得到了證實(shí)。6月2日,一段演示的視頻發(fā)布在YouTube上,再次引起了人們的關(guān)注:盡管有了2FA等更加強(qiáng)大的安全工具,但黑客在突破額外安全防護(hù)屏障上也變得更加?jì)故臁?/p>

黑客會(huì)協(xié)同使用Muraena和NecroBrowser,實(shí)現(xiàn)攻擊的自動(dòng)化。這兩項(xiàng)工具就像完美的犯罪二人組。你可以把Muraena看作是聰明的銀行搶劫者,而NecroBrowser則是負(fù)責(zé)犯罪后逃跑的司機(jī)。

Muraena會(huì)截獲用戶和目標(biāo)網(wǎng)站之間的流量,充當(dāng)受害者與合法網(wǎng)站之間的代理。一旦Muraena讓受害人訪問形似真正登錄頁面的假冒網(wǎng)站,就會(huì)讓他們和往常一樣輸入登錄憑證和2FA驗(yàn)證碼。確認(rèn)了會(huì)話cookie的真實(shí)性后,它就會(huì)將數(shù)據(jù)傳輸給NecroBrowser,后者可以建立窗口,追蹤數(shù)萬個(gè)受害者的私人賬戶。

開源編碼網(wǎng)站GitHub上也發(fā)布了攻擊演示,讓開發(fā)者看看攻擊的作用機(jī)制。

與會(huì)上展示無關(guān)的Synopsys的高級(jí)首席顧問阿米特·塞提表示,盡管針對(duì)2FA的攻擊在過去就已經(jīng)得到證實(shí),但這些工具“可以讓水平較低的攻擊者更輕易地發(fā)動(dòng)攻擊”。

安全專家表示,盡管可以被黑客攻破,但2FA仍然被視為最好的安全措施,比單純依靠用戶名和強(qiáng)密碼要好得多。

塞提表示:“當(dāng)然,這并不意味著人們就不用擔(dān)心了。我們現(xiàn)在需要更加努力地檢測網(wǎng)絡(luò)釣魚行為?!?/p>

研究人員和塞提都表示,如果可用,通用第二因素(U2F)是一種強(qiáng)大的方案。U2F密鑰是一種輔助性物理設(shè)備,可以插入電腦的USB接口,作為用戶在輸入用戶名或密碼后確認(rèn)其身份的額外手段。

塞提還指出,如果無法采用這種方案,保持警惕有助于避免潛在的2FA釣魚攻擊,例如不要點(diǎn)擊可疑郵件中的連接,輸入憑證前檢查瀏覽器中的網(wǎng)址,避免在接入公共Wi-Fi時(shí)輸入敏感信息。

塞提說:“如果懷疑自己登錄某網(wǎng)站的憑證已經(jīng)被盜,請迅速修改密碼,并把情況報(bào)告給該網(wǎng)站。(財(cái)富中文網(wǎng))

譯者:嚴(yán)匡正

Two-factor authentication, the added security step that requires people enter a code sent to their phone or email, has traditionally worked to keep usernames and passwords safe from phishing attacks.

However, security experts have demonstrated an automated phishing attack that can cut through that added layer of security—also called 2FA—potentially tricking unsuspecting users into sharing their private credentials.

The attack was first demonstrated at the Hack in the Box Security Conference in Amsterdam last month. A video of the presentation was posted on YouTube on June 2, bringing renewed attention to how hackers are getting better at penetrating extra layers of security, despite people using stronger tools, like 2FA.

The hack employs two tools, called Muraena and NecroBrowser, which work in tandem to automate the attacks. The two tools work together like the perfect crime duo. Think of Muraena as the clever bank robber, and NecroBrowser as the getaway driver.

Muraena intercepts traffic between the user and the target website, acting as a proxy between the victim and a legitimate website. Once Muraena has the victim on a phony site that looks like a real login page, users will be asked to enter their login credentials, and 2FA code, as usual. Once the Muraena authenticates the session’s cookie, it is then passed along to NecroBrowser, which can create windows to keep track of the private accounts of tens of thousands of victims.

A demonstration of the attack was also released on GitHub, an open source coding site, to provide developers an opportunity to see how it works.

Amit Sethi, senior principal consultant at Synopsys, who was not affiliated with the presentation, says that while attacks against 2FA have been demonstrated in the past, these tools “make one of these attacks easier to execute for lower-skilled attackers.”

Despite this hack, 2FA is still considered a best security practice—far better than the alternative of simply relying on a username and strong password, according to security experts.

“Of course this does not mean that people should not worry,” says Sethi. “We now need to be even more diligent about detecting phishing attempts.”

The researchers, and Sethi, both say that universal second factor is a strong solution, when available. A U2F key is a secondary, physical device that can be plugged into a computer port as an additional way of verifying a person’s identity after they enter their username or password.

If that’s not an option, Sethi also says being vigilant can help thwart potential 2FA phishing attacks. That includes not clicking on links in suspicious emails, checking the a web address in the browser before entering credentials, and avoiding entering sensitive information when using public Wi-Fi.

“If you suspect that your credentials for a website have been compromised, act quickly to change your password, and report the event to the website,” says Sethi.

掃碼打開財(cái)富Plus App
国产在线观看精品国产| 亚洲日韩第一页涩涩涩| 国产高清无码免费| 久久亚洲色www成人欧美| 麻豆高清免费国产一区| 精品国产一区二区三区香蕉| 久久综合伊人99麻豆| 国产AV无码专区国产乱码| 欧洲欧美人成视频在线| 中文字幕亚洲一区二区VA在线| 成全动漫视频在线观看免费播放| 成人欧美亚洲另类综合| 日韩一本之道一区中文字幕| 国偷自产一区二区三区在线观看| 久久99国产热这里只有精品| 亚洲一区二区国产精品无l| 久久99精品九九九久久婷婷| 玩50岁四川熟女大白屁股直播国产精品久久久久久久久电影网| 国产AV无码专区亚洲精品| 久久久久亚洲AV综合仓井空| 无套内谢少妇毛片免费看看| 国产亚洲精品无码不卡| 久久久国产精品萌白酱免费| 一级特黄女人18毛片免费视频| 99久久国语露脸精品国产| 国产高清国内精品福利| 夫目前侵犯一区二区三区| 一级黄色网站免费在线观看| 国产福利91精品一区二区三区| 色狠狠色噜噜Av天堂一区| 男人的天堂AⅤ一区二区| 久久久久人妻精品区一| 久久久精品波多野结衣?v| 国产91久久九九免费精品无码| 久久亚洲中文字幕精品有坂深雪| 99久热RE在线精品99 6热视频| 久久精品久久久久观看99水蜜桃| 1080P 国产麻豆剧传媒精品国产AV| 狠狠综合久久AV一区二区| 男人j进入女人j内部免费网站| 欧美VA亚洲VA在线观看日本|