Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms

DEF CON 27, Blue Team Village, @Lak5hmi5udheer's, @dhivus & @NarayanGowraj's 'Who Dis Who Dis: The Right Way To Authenticate' →

December 28, 2019 by Marc Handelman in Blue Team, Conferences, Education, Information Security, Authentication, DEF CON 27

Thanks to Def Con 27 Volunteers, Videographers and Presenters for publishing their superlative conference videos via their YouTube Channel for all to see, enjoy and learn.

via the comic delivery system monikered Randall Munroe at XKCD!

XKCD, Machine Learning Captcha

November 16, 2019 by Marc Handelman in XKCD, Satire, Sarcasm, Authentication
The GoDaddy Hole or Exploiting The Insecurity Event Horizon

February 07, 2019 by Marc Handelman in Authentication, Information Security

Via the inimitable Brian Krebs, writing at Krebs On Security, comes further reportage detailing the continued exploitation of an authentication flaw in the GoDaddy, Inc. (NYSE: GDDY) Hole - a seemingly irreparable flaw in their Registrar Line of Business systems, with a never-ending Exploitable Event Horizon.

GrrCON Augusta 2018, Spencer Brown's 'Over The Phone Authentication' →

September 20, 2018 by Marc Handelman in Conferences, Education, Information Security, GrrCon Augusta, Irongeek, Authentication

Videography Credit: Irongeek (Adrian Crenshaw).

BSides Leeds, Jonathon Brookfield and Fraser Winterborn's 'Security OAuth 2.0' →

March 09, 2018 by Marc Handelman in Conferences, BSides, Education, Information Security, OAuth, Authentication
SAML Flaws Discovered With SSO Implications →

February 28, 2018 by Marc Handelman in SAML, Security, Secure Coding, Security Architecture, Authentication, SSO

Kelby Ludwig, writing at Duo Labs, has just posted a fascinating blog entry detailing their recent discovery of SAML vulns potentially affecting a range of implementations and deployments. In this case, the attacker needs no knowledge of the target's password. H/T

"This blog post describes a new vulnerability class that affects SAML-based single sign-on (SSO) systems. This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user's password." - via Duo Labs' Kelby Ludwig

Oops.

Web Tracker Purloins Passwords, The Hidden Login Field Gambit →

January 15, 2018 by Marc Handelman in Information Security, Authentication, Web Security

Via the inimitable Catalin Cimpanu, comes this tale of web-based subterfuge that should enrage all legitimate users on our vaunted interwebs. In this case, evil usage trackers embedded on seemingly legit sites harvest credentials through hidden login fields (and their parent forms). Is it any wonder that the effort to block both web advertising and its evil cousin, Web Trackers (both nefarious and otherwise), is a growth business in the browser addon market? Read it and Weep My Friends, for the demise of both privacy and your personal authentication data.

"The two services are Adthink (audienceinsights.net) and OnAudience (behavioralengine.com), and Princeton researchers said they identified scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list." - via Catalin Cimpanu writing at Bleeping Computer

FaceID Data, The Oversharing of →

December 06, 2017 by Marc Handelman in Identity Management, Information Security, Authentication

Via JC Torres, writing at Slashgear, comes this anecdotal testament to the oversharing of FaceID data by Cupertino, CA software and hardware behemoth Apple Inc. (NasdaqGS: AAPL). Not the best of news for Apple Fanboi(s).

Kicking the Certificate Habit →

March 07, 2017 by Marc Handelman in All is Information, Simplicity, Web Security, WebTrust, Trust, TOFU, Information Security, Authentication, Must Read

Dr. Jaap-Henk Hoepman's security posts (via his blog), detailing his provocative yet fundamentally sound thoughts on the subject of terminating the use of certificates, are today's absolute MustRead.

The basic idea - A few days ago I explained the idea including a mechanism to detect phishing attacks. This makes the protocol more complex, and creates confusion. So let's try again, explaining the basic idea first. Whenever a browser sets up a new TLS connection with a domain, the web server serving that domain responds with its public key (instead of a certificate, as is currently the case) in the initial TLS handshake. (This is more precise than saying that the web server sends its public key in the header of every page it sends.)... Read more at Dr. Hoepman's blog

NAND'd

September 26, 2016 by Marc Handelman in Attack Analysis, Authentication, Information Security

Apple Inc. (NasdaqGS: AAPL) iPhone passcode protection defeated by NAND Mirroring... Ooops.

The Untrustworthy Chronicles: Password Strength Meters →

September 06, 2016 by Marc Handelman in All is Information, Authentication, Common Sense, Complexity, Information Security

Via Sophos' Naked Security Blog, comes this tell-all targeting password strength meters; perhaps, why caveat emptor is good advice when testing the strength of password choices.

New National-eID-card [PHOTO: amediaagency]

MasterCard Assists Nigeria, New National IDs Mandated →

September 05, 2014 by Marc Handelman in All is Information, Authentication, Government, Intelligence, Information Security, Physical Security, Security, Identity Theft

Perhaps a good idea for the Nigerians. Nevertheless, it is doubtful the Nigerian spammers will be hampered by the newly implemented national ID system... The interesting news, announced of course via a press release, is the assistance bestowed on the Federal Republic of Nigeria by MasterCard Incorporated (NYSE: MA).

DARPA's 7 →

August 18, 2014 by Marc Handelman in All is Information, Information Security, Authentication

In which the magickal number seven is the total count of authentication methods under considerable contemplation at DARPA.
