SANS Stormcast Monday, May 5th: Steganography Challenge; Microsoft Makes Passkeys Default and Moves Away from Authenticator as Password Manager; Magento Components Backdoored.
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 696 Ratings
🗓️ 5 May 2025
⏱️ 6 minutes
🧾️ Download transcript
Summary
Steganography Challenge
Didier published a fun steganography challenge. A solution will be offered on Saturday.
https://isc.sans.edu/diary/Steganography+Challenge/31910
Microsoft Makes Passkeys Default Authentication Method
Microsoft is now encouraging new users to use Passkeys as the default and only login method, further moving away from passwords
https://www.microsoft.com/en-us/security/blog/2025/05/01/pushing-passkeys-forward-microsofts-latest-updates-for-simpler-safer-sign-ins/
Microsoft Authenticator Autofill Changes
Microsoft will no longer support the use of Microsoft authenticator as a password safe. Instead, it will move users to the password prefill feature built into Microsoft Edge. This change will start in June and should be completed in August at which point you must have moved your credentials out of Microsoft Authenticator
https://support.microsoft.com/en-gb/account-billing/changes-to-microsoft-authenticator-autofill-09fd75df-dc04-4477-9619-811510805ab6
Backdoor found in popular e-commerce components
SANSEC identified several backdoored Magento e-commerce components. These backdoors were installed as far back as 2019 but only recently activated, at which point they became known. Affected vendors dispute any compromise at this point.
https://sansec.io/research/license-backdoor
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello and welcome to the Monday, May 5th, 2025 edition of the Sands Internet Storm Center's Stormcast. |
| 0:07.8 | My name is Johannes Ulrich and today I'm recording from San Diego, California. |
| 0:13.0 | And as promised this weekend, DDA released his steganography challenge. |
| 0:18.3 | So this is a further evolution of a couple diaries that |
| 0:22.9 | did he recently published regarding steganography and how to use his Python scripts in order |
| 0:28.2 | to help you extract hidden messages from images. This is a sample image using a slightly |
| 0:34.7 | different methodology here, but the tools should still work. |
| 0:39.9 | I think I may give away a couple of stickers or so to some of the solutions left to figure out |
| 0:46.0 | how to exactly do that. But if you're interested, submit your answer to either our handler's email or to DDIT directly and, well, |
| 0:57.6 | we'll see what we can do with regards to prizes for this challenge. There's also a little hint |
| 1:03.9 | there that is Rod 13 encoded, so give you a little bit more of a hint if you are just stuck with this particular |
| 1:13.3 | challenge. Then we have a couple of news items related to Microsoft and passwords. First of all, |
| 1:21.6 | Microsoft is now starting to offer pass keys by default. If you're setting up a new Microsoft account, |
| 1:29.8 | you'll be offered to use pass keys. And as a result, well, you will no longer have a password |
| 1:36.2 | for your Microsoft account. So this is further sort of pushing the agenda here of getting |
| 1:42.8 | rid of passwords, replacing them with |
| 1:45.3 | pass keys. |
| 1:46.4 | Certainly a solid security decision that many organizations have sort of embraced on, but |
| 1:54.1 | this is probably pushing it further than others have done in the past, but just making that |
| 1:58.1 | the default. |
| 1:59.2 | The only issue here, apparently, is that this really only works |
| 2:03.4 | if you're using the Microsoft Authenticator. |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2025.