MFA Archives - Desk Chair Analysts
https://dcanalysts.net/tag/mfa/
A Fediverse focused tech and gaming site
Feed last updated: Mon, 22 Apr 2024 16:57:35 +0000

Roku hit by credential stuffing attack
https://dcanalysts.net/roku-hit-by-credential-stuffing-attack/
Mon, 22 Apr 2024 16:57:29 +0000
Time to mix up those passwords!

The post Roku hit by credential stuffing attack appeared first on Desk Chair Analysts.
As we live more of our lives online than ever before, it is important that we start taking care of what security we still have. It seems like every day there is a new breach, and the news is only made worse by how few companies are willing to face facts and notify vulnerable individuals. What Roku went through is largely the result of other companies failing to keep data safe. There are steps we can take to protect ourselves, though.

Roku got stuffed

Over a week ago, Roku was hit by another cyberattack that compromised the accounts of 576,000 users. This is the second such attack the company has suffered since March.

According to Roku, the malicious actors used a method called credential stuffing. Credential stuffing is when you take account information, usually usernames, email addresses, and passwords, from another breach and try it at a different site. It’s like stealing a janitor’s keys and trying every key until a door opens in another building.
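The “trying every key” pattern described above is also what makes credential stuffing visible on the defender’s side: a legitimate user retries one account, while a stuffing tool walks a breached list and hits many accounts from one source in a short time. The following is an added example, not Roku’s code or anything from the original post; the log format, the sample lines, the source addresses and the thresholds are all constructed for illustration.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example (not from the original post). Log format, sample lines,
IP addresses and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<ISO timestamp> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-04-10T12:00:01 203.0.113.7 alice FAIL
2024-04-10T12:00:02 203.0.113.7 bob FAIL
2024-04-10T12:00:02 203.0.113.7 carol FAIL
2024-04-10T12:00:03 203.0.113.7 dave OK
2024-04-10T12:00:04 203.0.113.7 erin FAIL
2024-04-10T12:00:05 203.0.113.7 frank FAIL
2024-04-10T12:00:06 203.0.113.7 grace FAIL
2024-04-10T12:00:30 198.51.100.9 alice FAIL
2024-04-10T12:00:45 198.51.100.9 alice FAIL
2024-04-10T12:01:10 198.51.100.9 alice OK
2024-04-10T13:30:00 192.0.2.44 mallory FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: set_of_usernames} for every source IP that attempted logins
    against at least `min_accounts` distinct usernames within any `window`.

    The signal is fan-out across accounts, not the number of failures: a user
    who forgot a password retries ONE account; a stuffing tool tries MANY.
    """
    attempts = defaultdict(list)  # ip -> [(timestamp, username), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, _ = parse_line(line)
            attempts[ip].append((ts, user))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_accounts:
                # Record every account this source touched, for follow-up.
                flagged[ip] = {u for _, u in events}
                break
    return flagged


def accounts_to_reset(log_text, **kwargs):
    """Usernames that had a SUCCESSFUL login from a flagged source: these are
    the accounts whose reused password was valid and should be reset/notified."""
    flagged = find_stuffing_sources(log_text, **kwargs)
    hits = set()
    for line in log_text.splitlines():
        if line.strip():
            _, ip, user, result = parse_line(line)
            if ip in flagged and result == "OK":
                hits.add(user)
    return hits


if __name__ == "__main__":
    for ip, users in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} distinct accounts tried in one window")
    print("reset and notify:", sorted(accounts_to_reset(SAMPLE_LOG)))
```

In the constructed sample, 203.0.113.7 touches seven accounts in six seconds and is flagged, while 198.51.100.9 (one person failing twice before getting in) is not; the one successful login from the flagged source, `dave`, is the account a provider would reset, which matches the response the post describes Roku taking.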

The hackers were unable to gain access to sensitive information like credit cards and addresses. However, given the style of attack, there is a nonzero chance they already had that information from the original breach.

Roku did take proactive steps after the breach. They have reset the passwords for accounts that were affected. Also, all charges made will either be reversed or refunded to those who were affected.

The big move the company made (which should have been done ages ago) is enabling two-factor authentication for all 80 million accounts.

What can you do?

While this type of attack couldn’t have been prevented by users, its scope could have been reduced. Using different passwords for different accounts is a giant step toward decreasing your chances of being a victim of credential stuffing.

You may say that is a lot of different passwords to keep up with. In that case, I recommend a password manager. Most are free and even provide a password generator to make sure your passwords are random and different for every website. I recommend Bitwarden as that’s what I use for myself and my family. Whatever you do, please avoid LastPass at all costs! I CANNOT STRESS THIS ENOUGH!!!!!

Next up, if a site or service offers two-factor authentication, enable it. Some, like Microsoft and Google, have their own methods. Others, like banks, use SMS or email verification. Everyone else may require another app like Google Authenticator or Authy. If you can, please avoid SMS for two-factor, as hackers are known to hijack your SIM and intercept your SMS messages.

If you are ever curious whether you were the victim of a breach, you can check Have I Been Pwned? to see if your accounts have ever shown up. Some password managers, and even iOS, will also notify you if your data has been leaked somewhere.

Now you have the tools to secure yourself. What you do with that information is up to you!

Source: The Verge

Tech Talk Thursdays Episode #108 (02/22/2024)
https://dcanalysts.net/tech-talk-thursdays-episode-108-02-22-2024/
Fri, 23 Feb 2024 20:12:18 +0000

https://youtu.be/T88IWPsqK-c

Tech

Gaming

Streaming

Please check out the shows live on Twitch, Thursday at 8:00pm ET!

If there are any topics you’d like to see covered, email us at ttt@majorshouse.com or join the MajorsHouse Discord server!

You can follow us at:
@MajorLinux
@SynxiecBeta
@kevikevshow

Sub to the audio podcast here

Authy moved its desktop EOL to March
https://dcanalysts.net/authy-moved-its-desktop-eol-to-march/
Fri, 16 Feb 2024 15:03:10 +0000
Hopefully they won't alter the deal any further.

When it comes to software, if a date can be pushed up, it’s normally seen as a good thing. In the case of Authy, moving the app’s End of Life date up may cause some people to panic.

Earlier, we mentioned that Twilio was planning to drop support for its desktop app in August. It seems the owner of Authy has decided to push that timetable up a bit.

According to an updated support article, the new date is set for March 19, 2024. It has not been confirmed that the app will cease to function. However, according to an email I received as a user, any Authy-based account tokens will not work.

Screenshot of email I received from Twilio

So, this means you have an even shorter time to get Authy working on a mobile device or switch to another MFA app. If you go the latter route, you’ll have to start the MFA registration process for every account from scratch. Authy lacks an export feature to make it easier.

For such a vital tool in online security, rushing to remove an MFA app doesn’t seem like it’s in the best interest of the internet.

Source: MacRumors

SEC says its Twitter account was the victim of a SIM Swap attack
https://dcanalysts.net/sec-says-its-twitter-account-was-the-victim-of-a-sim-swap-attack/
Tue, 23 Jan 2024 20:05:03 +0000
Don't let SIM swapping happen to you!

While I don’t claim to be much of a security expert, I know some things shouldn’t be used when securing internet accounts. Cell phone numbers shouldn’t be one of those things. Thanks to the SEC, we now have new information as to what went down with their Twitter account earlier this month.

SEC was SIM swapped

The Securities and Exchange Commission (SEC) has stated that a SIM swap attack was behind the Twitter account hack. The attack led to a fake post suggesting that Bitcoin ETFs had been approved, which drove up the cryptocurrency’s price. The federal agency said that an “unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack.”

The SEC claims that MFA was enabled on the account until July of 2023, when Twitter support disabled it because of issues getting access to the account. It was left disabled until the SEC noticed that the account had been compromised. All other SEC social accounts have MFA active, according to the agency.

What is SIM swapping?

For those who do not know, SIM swapping occurs when a malicious actor poses as a cellular customer and uses social engineering against the carrier to gain access to that customer’s account. At that point, they can move the number to a different SIM card in their possession and intercept phone calls and SMS/MMS messages. This is especially useful for acquiring MFA codes that are sent via SMS. While it may take a regular customer a long while to notice, it would probably take a federal agency even longer if the number belongs to a random phone nobody uses.

While the Tech Talk Commandments say use MFA as much as possible, we do have a footnote. We do not condone the use of SMS-based MFA for this very reason.

Source: The Verge

SEC is in trouble for not following a Tech Talk Commandment
https://dcanalysts.net/sec-is-in-trouble-for-not-following-a-tech-talk-commandment/
Thu, 18 Jan 2024 04:34:28 +0000
We follow the commandments so we don't end up in front of Congress.

For those who watch or listen to Tech Talk Thursdays, we have some unwritten commandments about how to be safe on the internet. My favorite one is to use multi-factor authentication (MFA) whenever at all possible. It’s why hearing that Authy was discontinuing its desktop app made me a little sad. But what makes me fearful for the future is when federal agencies fail to follow it. This is why the SEC is in the hot seat.

The Securities and Exchange Commission (SEC) was recently hacked on Twitter. When the account was compromised, it started sharing news about bitcoin ETFs being approved. While it apparently was going to happen, no news was officially shared at that time. This caused the price of bitcoin to bump up a bit. However, a day later, the SEC did approve 11 ETFs noting that “bitcoin is primarily a speculative, volatile asset that’s also used for illicit activity.”

The hack itself raised some questions. When US Senators started looking into it, Twitter was quick to speak up. The social media company immediately pointed out that the SEC was not securing its account with multi-factor authentication. Senator Ron Wyden, in his letter to the SEC, said that it was “inexcusable” for the SEC to not have locked the account down more.

“Given the obvious potential for market manipulation, if X’s statement is correct, the SEC’s social media accounts should have been secured using industry best practices. Not only should the agency have enabled MFA, but it should have secured its accounts with phishing-resistant hardware tokens, commonly known as security keys, which are the gold standard for account cybersecurity. The SEC’s failure to follow cybersecurity best practices is inexcusable, particularly given the agency’s new requirements for cybersecurity disclosure.”

Senator Ron Wyden, in his letter to the SEC

So, while I don’t know anything about bitcoin ETFs, what I do know is that using MFA will cover your ass in situations like this. It may be a nuisance, especially when sharing the account on a team, but consider the alternative.

It could land you in a congressional hearing.

Source: Engadget

Valve adding SMS verification to Steamworks accounts
https://dcanalysts.net/valve-adding-sms-verification-to-steamworks-accounts/
Thu, 12 Oct 2023 17:21:46 +0000
SMS is an odd choice, but okay

Yesterday, Valve posted on their Steamworks Development site about some updates coming soon to Steamworks users.

They state that users “setting builds live on the default/public branch of a released app” will be required to have a phone number associated with that account, so that Steam can text them an MFA code in order to log in. The change takes effect on October 24, 2023.

While no specific event has been cited as the trigger for this change, many are speculating that it is due to the recent uptick in projects being hijacked by bad actors who then upload malicious code. Valve is working to purge the projects affected by these hacks alongside the aforementioned security additions.

While the move is overall a good one for Valve to protect its users, it does raise the question of why they chose SMS verification instead of something more secure, such as an MFA app like Google Authenticator, Authy, or even iOS’ built-in code generator. Steam also has Steam Guard, which can be used both to log users in and as an MFA method. SMS is known to be very insecure, as someone would only need to socially engineer a carrier to get control of the phone number, move it to a new SIM, and receive the codes.
