Security Boulevard

JULY 3, 2023

With the increasing adoption of cloud-based solutions and the growing sophistication of cyber threats, identity has emerged as the ultimate control point for SaaS security programs. Traditional perimeter-based security approaches are no longer sufficient in the face of evolving cyber threats.

Authentication 59

Authentication Accountability Risk Data breaches 59

NetSpi Technical

MARCH 11, 2024

In 2023 NetSPI discovered that Microsoft Outlook was vulnerable to authenticated remote code execution (RCE) via synced form objects. This blog will cover how we discovered CVE-2024-21378 and weaponized it by modifying Ruler , an Outlook penetration testing tool published by SensePost. You can also have multiple files written to disk.

Authentication 145

Authentication Penetration Testing Technology Phishing 145

Duo's Security Blog

JANUARY 8, 2024

While understanding these types of attacks can seem intimidating, it is important to know what an AiTM attack is and how it works to safeguard your users and your organization. What is an AiTM attack? Clicking the link routes the user to a proxy server which is typically identical to the authentic web page, except the URL.

Authentication 67

Authentication Phishing Passwords Encryption 67

Duo's Security Blog

FEBRUARY 6, 2024

However, over the past 18 months, there has been an unprecedented wave of identity-based cyberattacks with devastating consequences. According to Cisco Talos, three of the top five MITRE ATT@CK techniques used in 2023 were identity-based. The idea that “identity is the new perimeter” is not new.

Accountability 77

Accountability Authentication Risk Marketing 77

Troy Hunt

NOVEMBER 14, 2018

Before I do that, a caveat: every single time I see discussion on what these terms mean, it descends into arguments about the true meaning and mechanics of each. For some quick perspective, a password alone is 1FA in that when you authenticate merely by entering a secret, all you require is one factor - "something that you know".

Passwords 259

Passwords Authentication Accountability Mobile 259

The Last Watchdog

APRIL 13, 2021

Sure, a lot think about their users and what types of credentials they’ll need for their various systems. But what about the numerous machines on a company’s network, like mobile devices, servers, applications, and IoT devices? Related: The role of facial recognition.

Authentication 191

Authentication Mobile Technology IoT 191

Security Boulevard

AUGUST 11, 2022

With the proper validation, you can authenticate a user (human or machine) and authorize them to access privileged services, accounts, and applications. As machines and humans both have identities that require authentication, the list of credentials to keep track of and protect can include: Passwords. GitHub tokens.

Authentication 111

Authentication Passwords Password Management Architecture 111

Duo's Security Blog

NOVEMBER 3, 2022

Once you’ve done that though, a critical next step is answering this question: Once you remove the password, what exactly are users going to use to authenticate? Evaluating your authentication options Duo has always focused on providing a variety of authentication options for end users.

Authentication 68

Authentication Mobile Passwords Risk 68

Malwarebytes

MARCH 9, 2022

The issue allows for attackers to grab authentication tokens and grant unauthorised access to accounts. The tokens—used to confirm a user has the correct permissions to access Azure—could be grabbed via automation jobs. The scope of the token’s access is defined in Automation Account’s Managed Identity.

Accountability 99

Accountability Authentication Ransomware 99

Duo's Security Blog

JULY 7, 2023

What is a passkey? A passkey is a phishing-resistant cryptographic keypair you register for web-based authentication. A passkey is a phishing-resistant cryptographic keypair you register for web-based authentication. See the video at the blog post. by Matt Brooks.

Authentication 66

Authentication Passwords Mobile Password Management 66

Duo's Security Blog

DECEMBER 6, 2022

When someone is told that passwords are going away in favor of a new, “password-less” authentication method, a healthy dose of skepticism is not unwarranted. Passwordless authentication refers to a system that does not require the use of passwords at all. What is WebAuthn? What is the difference between CTAP1 and CTAP2?

Architecture 82

Architecture Authentication Passwords Technology 82

Duo's Security Blog

JULY 27, 2023

In this blog, we’ll shed light on exactly how Cisco Duo helps counter and defend against common attack techniques chronicled in MITRE ATT&CK. What is MITRE ATT&CK? MITRE ATT&CK is a "globally accessible knowledge base of adversary tactics and techniques based on real-world observations."

Authentication 72

Authentication Passwords Accountability Firewall 72

NetSpi Technical

NOVEMBER 16, 2023

As we were preparing our slides and tools for our DEF CON Cloud Village Talk ( What the Function: A Deep Dive into Azure Function App Security ), Thomas Elling and I stumbled onto an extension of some existing research that we disclosed on the NetSPI blog in March of 2023.

Encryption 138

Encryption Accountability Penetration Testing Authentication 138

Duo's Security Blog

MARCH 24, 2023

How passwordless solves for password problems Chrysta: What does passwordless mean, and how does that differ from traditional password-based authentication? Christi: Passwordless authentication specifically is any primary factor authentication that is not requiring the user to remember a passphrase or password.

Passwords 83

Passwords Authentication Password Management Technology 83

Duo's Security Blog

JANUARY 27, 2022

Not all multi-factor authentication (MFA) solutions are equal. For a two-factor authentication solution, that may include hidden costs, such as upfront, capital, licensing, support, maintenance, and operating costs. Estimate and plan for how much it will cost to deploy multi-factor authentication to all of your apps and users.

Authentication 71

Authentication Software Mobile Passwords 71

Krebs on Security

FEBRUARY 8, 2021

Cyber cops in Ukraine carried out an arrest and several raids last week in connection with the author of a U-Admin , a software package used to administer what’s being called “one of the world’s largest phishing services.” Qbot) — to harvest one-time codes needed for multi-factor authentication.

Phishing 280

Phishing Scams Banking Mobile 280

Duo's Security Blog

JULY 19, 2021

This blog is part of an ongoing blog series for Duo’s Universal Prompt Project. The project is a major re-architecture and redesign of the Duo multi-factor authentication experience. However, there’s a key difference: You already know your friend, so you don’t need to authenticate them. This is a big no-no! The OAuth 2.0

Authentication 119

Authentication Passwords Banking Architecture 119

Duo's Security Blog

MAY 4, 2023

Today: Nick Steele, research lead at Superlunar, weighs in on the weaknesses of password-based systems, the difference between a traditional login versus a passwordless one, and how WebAuthn is driving passwordless forward. What sort of problem does it solve? See the video at the blog post. What changes?

Passwords 83

Passwords Authentication DNS Technology 83

Duo's Security Blog

MAY 23, 2023

Passwords are a weak point in modern-day secure authentication practices, with Verizon highlighting that almost 50% of breaches start with compromised credentials. What to do when your credentials are compromised How are credentials compromised in the first place? From the OAIC Notifiable Data Breaches Report 2.

Authentication 117

Authentication Passwords Data breaches Phishing 117

Duo's Security Blog

OCTOBER 24, 2023

In this blog, we’ll discuss some of the ways you can use MFA and features like Duo’s Trusted Endpoints to protect against MFA bypass attacks. What is an MFA bypass attack? MFA bypass attacks are techniques attackers use to circumvent the additional layers of security that multi-factor authentication provides.

Social Engineering 82

Social Engineering Education Authentication Engineering 82

Malwarebytes

AUGUST 20, 2021

This blog post was authored by Hossein Jazi. In this blog post we provide on overview of this campaign that uses t wo different UAC bypass techniques and clever obfuscation tricks to remain under the radar. In late July 2021, we identified an ongoing spear phishing campaign pushing Konni Rat to target Russia. Figure 3: Macro.

Malware 144

Malware Encryption Phishing Authentication 144

Duo's Security Blog

NOVEMBER 30, 2022

Supporting OIDC allows us to protect more of the applications that our customers are adopting as we all move towards a mobile-first world and integrate stronger and modern authentication methods (e.g. What is OIDC? protocol adding Authentication to what has historically been used for Authorization purposes. biometrics).

B2C 92

B2C B2B Authentication Mobile 92

Security Boulevard

AUGUST 3, 2022

230 apps were leaking all four 0Auth authentication credentials and could be used to fully take over Twitter accounts to perform critical/sensitive actions. The Twitter API provides direct access to a Twitter account and OAuth tokens are used by the Twitter API for authentication. The vulnerability.

Mobile 98

Mobile Authentication Accountability Identity Theft 98

SiteLock

SEPTEMBER 2, 2021

What is cross site request forgery? Both the strategies behind and the results of these attacks can vary based on the specific type of the attack and the unique target of it. Both the strategies behind and the results of these attacks can vary based on the specific type of the attack and the unique target of it.

Accountability 52

Accountability Social Engineering Authentication Banking 52

Duo's Security Blog

SEPTEMBER 30, 2022

If you are not sure what the new security requirements are or if they affect your business or organization, don’t worry – we put together a webinar to help answer those questions. Specifically, the rule calls out multi-factor authentication (MFA) as a mandatory requirement (regardless of company size) by December of 2022.

Cybersecurity 63

Cybersecurity Authentication CISO Healthcare 63

Security Boulevard

NOVEMBER 18, 2021

The current API top ten are Broken Object-Level Authorization , Broken User Authentication , Excessive Data Exposure , Lack of Resources & Rate Limiting , Broken Function-Level Authorization , Mass Assignment , Security Misconfiguration , Injection , Improper Assets Management , and Insufficient Logging & Monitoring.

Authentication 64

Authentication Accountability Passwords Engineering 64

Duo's Security Blog

FEBRUARY 24, 2023

And then that’s something that they know, and that’s what grants them access to the system. By enabling that, what we’ve done is allowed machines to be able to impersonate humans and try to crack passwords. So to be able to enter a room, knowing the passphrase to enter that.

Passwords 76

Passwords Authentication Technology Marketing 76

Duo's Security Blog

APRIL 20, 2023

Adopting modern authentication standards like OpenID Connect (OIDC) helps organizations to reduce risk of data breaches. OIDC enables devices to verify identities based on authentication done by an authentication server. What is OpenID Connect (OIDC)? But we also have to balance security with employee productivity.

Authentication 52

Authentication Mobile Data breaches Education 52

Webroot

MAY 12, 2021

“What Bitcoin was to 2011, NFTs are to 2021.”. That’s a claim from the highly respected “techno-geek” bible Ars Technica in it’s wonderful explainer on NFTs, or non-fungible tokens. Non- what token? That’s what the “non-fungible” in non-fungible token means: there’s only one, and it’s completely unique.

Cryptocurrency 91

Cryptocurrency Marketing Phishing Authentication 91

Thales Cloud Protection & Licensing

JANUARY 7, 2021

This blog will introduce access management evaluation criteria guidelines and discuss what features you should look for and what vendors to consider for your next employee access management solution. They need to maintain an easy user management access for cloud-based applications and services, without compromising on security.

Authentication 62

Authentication VPN Passwords Risk 62

Centraleyes

MAY 20, 2024

What is An IAM Assessment? Apply segmentation of duties where appropriate Each user should only be able to oversee some security procedures, including authentication, user permission assignment, and account offboarding. Did you know that 80% of breaches exploit legitimate identities and are difficult to detect?

Data breaches 52

Data breaches Accountability Authentication Healthcare 52

Thales Cloud Protection & Licensing

JUNE 16, 2022

Considering the increased cybersecurity risks introduced by digital technologies, what should society do to prevent cyber-attacks, reduce damage, and strengthen trust? In the old days, organizations can build reasonable defense based on physical barriers and pe-rimeter controls.

Encryption 71

Encryption Artificial Intelligence Architecture Digital transformation 71

Duo's Security Blog

MARCH 23, 2023

Today: Wolfgang Goerlich, advisory CISO at Cisco Secure, reflects on the history of passwords, the limitations of human memory and what we can learn from the eternal nature of security. See the video at the blog post. What are some of the problems with passwords? So what do we do? What is it? We’re storytellers.

Passwords 54

Passwords Authentication Technology Internet 54

Elie

DECEMBER 20, 2018

This post looks at two-factor authentication adoption in the wild, highlights the disparity of support between the various categories of websites, and illuminates how fragmented the two factor ecosystem is in terms of standard adoption. Type of 2FA offers : A delve into what type of 2FA (software, SMS, hardware, etc.) Methodology.

Authentication 90

Authentication Internet Internet Software 90

NetSpi Technical

MARCH 11, 2024

In 2023 NetSPI discovered that Microsoft Outlook was vulnerable to authenticated remote code execution (RCE) via synced form objects. This blog will cover how we discovered CVE-2024-21378 and weaponized it by modifying Ruler , an Outlook penetration testing tool published by SensePost. You can also have multiple files written to disk.

Authentication 52

Authentication Penetration Testing Technology Phishing 52

Thales Cloud Protection & Licensing

OCTOBER 28, 2020

How Ransomware attacks leverage unprotected RDPs and what you can do about it. As mentioned in my colleague Charles Goldberg’s blog post earlier this year, “ Stop Ransomware in its Tracks with Strong Data Security ,” ransomware attacks targeting enterprises in a variety of sectors have skyrocketed during the first half of 2020.

Ransomware 83

Ransomware Authentication Passwords Social Engineering 83

Security Boulevard

JULY 11, 2021

What led to the inception of RaaS ? Who are the stakeholders in such a ransomware based supply chain? What is the economics of such an attack from offender and victim’s point of view? Is there an underpinning supply-chain that benefits a RaaS provider? They defined several roles, including. sellers and players (buyers).

Ransomware 119

Ransomware Software Encryption Risk 119