web analytics

Microsoft tries to knife passwords once and for all – at least for consumers – Source: go.theregister.com

microsoft-tries-to-knife-passwords-once-and-for-all-–-at-least-for-consumers-–-source:-gotheregister.com
Rate this post

Source: go.theregister.com – Author: Brandon Vigliarolo

Infosec In Brief Microsoft has decided to push its consumer customers to dump password in favor of passkeys.

The software giant announced the move Thursday, May 1, traditionally known as “World Password Day,” with a declaration it had joined forces with the Fast Identity Online (FIDO) Alliance to re-name the pseudo-holiday “World Passkey Day.”

Redmond’s not just playing with words as the company has also decided that all new Microsoft accounts will use passkeys by default. Passkeys, which involve the use of biometric identification like a fingerprint or face scan, PIN, and the like, will be the de facto new way to set up an account, and existing Microsoft users are being encouraged to visit their account settings page to delete their passwords and start using passkeys.

Microsoft has also sign in UI to prioritize passwordless methods and, perhaps most controversially, will start to decide which is the best login choice for users.

“For example, if you have a password and ‘one time code’ set up on your account, we’ll prompt you to sign in with your one time code instead of your password,” Microsoft wrote. “After you’re signed in, you’ll be prompted to enroll a passkey.”

Microsoft’s passkey push is not new. As we noted late last year, Microsoft isn’t giving its customers an option to continue using passwords, saying that opting out of passkey invitations wasn’t possible.

The Windows giant has argued that passkeys are faster, more secure and less likely to end in a user not being able to login, and it’s intent on making sure everyone transitions to its preferred authentication technique.

“Although passwords have been around for centuries, we hope their reign over our online world is ending,” Microsoft said.

Maybe this will help rehabilitate the company’s poor record on security?

Critical vulnerabilities: NetWeaver under exploit

Remember that 10.0 CVSS vulnerability we found in SAP NetWeaver in late April? We suspected at the time that it might have been exploited before news of the issue emerged.

Now we know for sure that it was exploited, thanks to the addition of CVE-2025-31324 to CISA’s known exploited vulnerabilities catalog.

Elsewhere in actively exploited critical vuln news:

  • CVSS 9.8 – CVE-2025-42599: There’s a stack-based buffer overflow vulnerability in Active! Mail 6 6.60.05008561 and earlier versions.
  • CVSS 9.1 – CVE-2024-38475: Apache HTTP Server 2.4.59 and earlier allows for improper escaping of output in mod_rewrite, allowing attackers to map URLs to filesystem locations, resulting in code execution or source code disclosure.
  • CVSS 8.8 – CVE-2025-3928: An unspecified vulnerability in Commvault Web Server can allow exploitation of affected systems by a bad actor via webshell.
  • CVSs 8.6 – CVE-2025-1976: Brocade’s FabricOS versions 9.1.0 through 9.1.1d6 contain a code injection vulnerability because root access was removed without proper accompanying restrictions for local users with admin privilege.

Raytheon settles charges it lied to feds about cybersecurity compliance

Defense contractor Raytheon and one of its former subsidiaries have settled with the US government to resolve claims they failed to comply with federal cybersecurity regulations.

Raytheon agreed to the settlement after it was accused of not implementing required security controls on a system it developed to handle unclassified work for 29 different contracts with the Department of Defense between 2015 and 2021. Nightwing, a cybersecurity and intelligence company that bought a Raytheon subsidiary called Raytheon Cyber Solutions after the time of the alleged infractions, was also part of the settlement agreement.

The Department of Justice said in the settlement order [PDF] that Raytheon failed to meet all the cybersecurity requirements of federal acquisition regulation 52.204-21 and NIST special publication 800-171 [PDF]. By failing to comply with those requirements, Raytheon and Nightwing also allegedly violated defense federal acquisition regulation 252.204-7012, which covers the security of DoD information and cyber incident reporting, the DoJ said.

Raytheon and Nightwing have agreed to pay out $8.4 million to resolve the matter, $1.5 million of which will go to a former Raytheon Director of Engineering who blew the whistle on the alleged misconduct.

Apple AirPlay protocol vulnerable to exploitation

A group of security researchers have found a series of vulnerabilities in Apple’s AirPlay protocol and the AirPlay SDK that could allow an attacker to do a variety of nasty things on any device – both Apple’s and third-party kit – that uses the media streaming feature.

Dubbed “AirBorne” by researchers at cybersecurity firm Oligo, the exploitation allows a potential attacker to dump malware, perform zero-click RCE, read files, cause denial of service conditions, or conduct MITM attacks. What’s worse, all it takes to spread is an infected device joining a network with other AirPlay-compatible hardware.

“Because AirPlay is a fundamental piece of software for Apple devices as well as third-party devices that leverage the AirPlay SDK, this class of vulnerabilities could have far-reaching impacts,” the Oligo team noted.

Patches are available now for Apple devices, but Oligo expects the vulnerabilities to linger for years thanks to the many third-party devices that use AirPlay. Oligo recommends that anyone with vulnerable, unpatched AirPlay devices on their network restrict AirPlay communication on port 7000 to trusted devices only, disable AirPlay endpoints not in use, and restrict AirPlay settings to only allow current users.

FBI publishes list of LabHost domains

The FBI has released a CSV file containing a list of some 42,000 domains used by defunct dark web phishing-as-a-service site LabHost in a bid to raise awareness, the agency said.

Law enforcement took down LabHost was last year after several years of tracking the folks behind it, 35 of whom were arrested around the world following the seizure of the platform.

Given the platform has remained down, the FBI noted [PDF] that the 42,000 domains in the list “are historical in nature”. While those domains are no longer a threat, cybersecurity pros and threat intelligence experts may still find the list a useful source of info on threat actor tactics and techniques.

Six-year old ecommerce backdoor roars to life around the world

Breach detection firm Sansec found a fresh wave of attacks directed at a six-year old backdoor in a number of popular ecommerce packages that use the open source Magento platform, leaving between 500 and 1,000 online stores running backdoored software.

The companies hit by the attacker are Tigren, Magesolution, and Meetanshi. Sansec said their servers appear to have been breached six years ago in a supply chain attack that infected a collective 21 packages from the three vendors. Any ecommerce site running one of those packages downloaded in the last six years is presumably now affected.

Sansec didn’t mention any victims by name, but noted that “a $40 billion multinational” firm had fallen prey to the attack, which hides its backdoor in License.php or LicenseApi.php files.

Anyone using software from one of the three firms is advised to investigate their systems immediately for signs of the backdoor’s presence. ®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/05/04/security_news_in_brief/

Category & Tags: –

Views: 2

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Secure Software Development Lifecycle Fundamentals by Codrut Andrei
Secure Software Development Lifecycle Fundamentals...
BUTTERWORTH-HEINEMANN
Security Operations Center Guidebook – A Practical Guide for a Successful SOC
Security Operations Center Guidebook –...
CISO Forum
CISO’s – First 100 Days Roadmap – Your success as a security leader is determined largely by your first 100 days in the role.
CISO’s – First 100 Days...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
National Cyber Security
Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
Cyber Security Toolkit for Boards...
Harvard Business Review
Boards Are Having the Wrong Conversations About Cybersecurity – Board interactions with the CISO are lacking – by Lucia Millica and Keri Pearlson – Harvard Business Review
Boards Are Having the Wrong...
Vendict
The 2024 CISO Burnout Report by Vendict
The 2024 CISO Burnout Report...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...

LASTEST PUBLISHED POSTS

Cyberint
Retail Threat Landscape Report Q1-Q3 – November 2024 Summary by Cyberint a Check Point Company
Retail Threat Landscape Report Q1-Q3...
NCSC
Protecting Critical Supply Chains – A Guide to Securing your Supply Chain Ecosystem
Protecting Critical Supply Chains –...
Culture AI
Time to Adapt – The State of Human Risk Management in 2024 by Culture AI.
Time to Adapt – The...
National Cyber Security Centre
Engaging with Boards to improve the management of cyber security risk.
Engaging with Boards to improve...
Microsoft Security
2024 State of Multicloud Security Report by Microsoft Security
2024 State of Multicloud Security...
bugcrowd
Inside the Mind of a CISO 2024 The Evolving Roles of Security Leaders 2024 by bugcrowd
Inside the Mind of a...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Lacework
CISO’s Playbookto Cloud Security by Lacework
CISO’s Playbookto Cloud Security by...
MITRE - Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center by MITRE
Ten Strategies of a World-Class...
SILVERFRONT - AIG
Identity Has Become the Prime Target of Threat Actors by Silverfort AIG.
Identity Has Become the Prime...
CYZEA.IO
Enterprise Information Security
Enterprise Information Security
IGNITE Technologies
ENCRYPTED REVERSE
ENCRYPTED REVERSE

More Latest Published Posts

WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program
Gary Hinson
Getting started withsecurity metrics
Getting started withsecurity metrics
EDPS
Generative AI and the EUDPR.
Generative AI and the EUDPR.
Bright
2024 Guide to Application Security Testing Tools
2024 Guide to Application Security Testing Tools
HADESS
Hacker Culture
Hacker Culture
Quuensland Govermment
RISK ASSESSMENT PROCESS HANDBOOK
RISK ASSESSMENT PROCESS HANDBOOK
Ministry of MOS Security
HIPAA SIMPLIFIED
HIPAA SIMPLIFIED
Hacker Combat
How Are Passwords Cracked?
How Are Passwords Cracked?
CIS - Center for Internet Security
How to Plan a Cybersecurity Roadmap in Four Steps
How to Plan a Cybersecurity Roadmap in Four Steps
ACSC Australia
Information Security Manual
Information Security Manual
Kaspersky
Incident Response Playbook: Dark Web Breaches
Incident Response Playbook: Dark Web Breaches
ninjaOne
Endpoint Hardening Checklist
Endpoint Hardening Checklist
HADESS
Important Active Directory Attribute
Important Active Directory Attribute
ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos