controlgap.com

Posts about: MFA

A PlexTrac Story

Businesses of all sizes have increasingly been developing and deploying complex internet-facing web applications to provide consumers with richer experiences. While richer web experiences represent an opportunity for businesses to interact with and provide value to consumers in new and exciting ways, they also represent new attack surface for hackers. Many applications today exist to facilitate the storage, processing, and presentation of some variety of data, which is often compartmentalized through the use of roles and user accounts. Unauthorized access to web applications can often provide hackers with valuable information to sell on the dark web or to use in future attacks against the organization or that organization’s users/clients. It’s important for developers building web applications to understand common web application attacks, their implications, and the corresponding defences in order to architect robust and secure web applications that consumers can trust to keep their data secure.

In this article we’ll explore three authentication-related vulnerabilities we discovered in the PlexTrac platform (now described by CVE-2022-37144 through CVE-2022-37146), outline how these vulnerabilities could be combined to potentially bypass each step of the authentication process to gain access to sensitive data, and discuss how to build web applications that defend against such vulnerabilities.


This Week's [in]Security - Issue 266

Welcome to This Week’s [in]Security. PCI and payments: Skimmers. Payments: New breaches: Anonymous, DeFi, Ikea. New Ransomware, Major outages, Follow-ups & Fall-out. Privacy: Health Canada, Facial recognition. Laws & Regs - Canada: Copyright. US: ISPs, Insurance. World: India. Standards: NIST, definitions. Defense - Training & events: space-cybersecurity. Password day. Kill-switch. Tools: MFA. Vulnerabilities, Advisories: Patching: F5, Cisco. Other: mental health apps, AV bugs, uClibc IoT, DNS poisoning, No MFA? Vulnerability research: Zero-Knowledge. Crypto-research: Quantum crypto. Cybercrime: Trends: Event log malware, Doh! Crime & Enforcement: BEC impact. Nation States and mercenaries. false-flags, sanctions, Spain & Pegasus, China. espionage, Other. Other Risks: General: Airtags, deepfakes, web3. Health, Safety, Environment, Disinformation, Economy. Russia v. Ukraine. NATO. Quantum computing, Innovation and more.


This Week's [in]Security - Issue 248


This Week's [in]Security - Issue 238

Welcome to This Week’s [in]Security. PCI and payments: PCI & Ransomware, 3DS RFCs, PCI Halloween, AI shoulder surfing, Rapid Dispute, V-cards, UP Express. New breaches: Argentina!, CoinMarketCap, Durham police. New Ransomware: New Ransomware, Challenges, REvil (Strikeback), BlackMatter. Follow-ups & Fall-out. Privacy: ISPs, Alexa, Lunch Money. Laws & Regs - Canada, Online Harms. US: Export restrictions, Sanctions & Crypto, Notifications, Supply chains, Missouri, Facebook, World: GDPR bypass. Standards: NIST KDF, HTTPA. Defense: Detection, Blackhat, L0PHTcrack, Win11. Vulnerabilities, Zerodays: Apple. Other Vulnerabilities: Chrome, CVEs, MFA, Chinese hacking contest, Kerberos, DCOM, Gummy Browser attack, Tesla, Health Apps. Cybercrime: Trends: Fake pentest contracts, more fakes, Discord, Microsoft, Buggy malware, Obfuscation, NPM JavaScript, YouTube. Nation States. Crime: $35M deepfake heist, no honor among thieves, jail. Other Risks: IoT, third-parties, economic supply-chains, bias, Health, Safety & Environment. Covid-19: Spread, Curves, Waves, and Variants; Response; Treatments; Immunity; Covid Ugly; Covid Compliance. And more.


This Week's [in]Security - Issue 220

Welcome to This Week’s [in]Security. DSSv4 timelines. Magecart. New breaches: CVS, Carnival Cruises, Wegmans. New Ransomware: G7 vs. Russia, Bitcoin?, ICS Software, Nukes, source released. Major outages: Puerto Rico, Follow-ups & Fall-out: Avaddon quits, 5B records, Lessons learned, US fines. Privacy: Trusting VPN providers, Pseudonymity, Phones, Cartoon App. Laws & Regs - Canada: Copyright. US: Web Scraping, DPA, Facial recognition, Section 230, Massachusetts and Google app installation. The world: Crypto-wars, USA-EU, Compelling Passwords, Apple-EU. Standards: NIST & NSA. Defense: MFA list, Supply chain, ScriptWatch, Free book. Vulnerabilities: Chrome & Apple ZD, Utility Sector, Cisco, Linux, Defibrillators, Peloton. FPE weaker, 2G/GPRS backdoor. Cybercrime - Trends: Vigilante malware? PDFs, SEO poison, Google Docs, Fake cryptocurrency devices, Ransomware ops, Nation States. Crime. Other Risks: Undersea cables, email risks, BadBots, Win10 EOS, Mainframes. Health, Safety & Environment: Bio-labs, Makeup, Pollution, More mRNA, Smart meters, Tesla crashes, Extremism. Covid-19: Spread, Curves, Waves, and Variants. Response, Vaccine passports, Borders, Immunity, Delta & Gamma, Canada, Learned, Covid Ugly. And more.


This Week's [in]Security - Issue 190

Welcome to This Week’s [in]Security. PIN Requirement Future Date Changes. FAQ Update. Magecart. Cardbreaches. New breaches. New Ransomware. Facial Recognition. Right to be forgotten. NIST. MFA. Deepfakes. New Tools. Pluton. New free CA. Encrypt only. New browser. LidarPhone. Cyber AI. AWS. ICS. Cisco. Citrix. Oldies. Tesla. Fixes. Trends. Nation States. Legal actions. Health, Safety & Environment. Covid-19: Spread, Curves, Spikes, Waves, & reinfections. Contact Tracing. Vaccine Progress. And more.


This Week's [in]Security - Issue 169

Welcome to This Week’s [in]Security. Fallout from US Unrest. Covid-19: Spread & Curve. Lockdown, Reopening, & The New Normal. More of the Good, Bad, and Ugly. PCI SPOC v1.1. POS ransomware. Smile and say Magecart. e-Skimmers and IFRAMES. Breaches: BlueLeaks, Twitter, e-learning, Brazil, Preen.me, Contact tracing app problems. Tim's Privacy Violation. New nosier Edge. Tech Fines. More crypto-wars. Taxing Links? One year certificates. Crims lock in with MFA. Insecurity included. PDF Safety. Banking backdoor. All your base printer are belong to us? Denial. AI is gullible, biased, misunderstood, and misapplied. Unintended Cyber-consequences. And more.


This Week's [in]Security - Issue 143

Welcome to This Week’s [in]Security. A slow week in payments. Incidents at Wyze, Factual, Honda, Bank of England, and Synoptek. Wawa and LifeLabs sued. Top security screwups and threats of 2019. Bypassing 2FA. Disinformation and your brain. When is data public? Did location tracking just get worse? Government back-doors. Taxes and social media. Facial recognition and surveillance. Holiday phishing and scams. ToTok spyware. Cyberinsurance pull-back. Revenge porn law challenged. AI. Huawei and Google. Risks of DNA kits. Mushroom identification. And more.


This Week's [in]Security - Issue 115

Welcome to This Week’s [in]Security. This week: a quiet week for PCI, RDP MFA bypass, make SSNs public, AMCA (Quest, LabCorp, OPKO) breach, Data Protection Authority exposure, privacy and politics in Canada, 33% of breaches caused by 6% of bugs, impersonating doctors, rescuing vulnerable crypto-currency, Baltimore and Norsk Hydro, how Apple finds offline things and more.


This Week's [in]Security - Issue 99

Welcome to This Week’s [in]Security. This week: PCI PIN and 3DS-SDK reporting templates, new RFC process, EMV still cutting fraud, breaches at Instagram and Facebook 3rd parties, breaches at CoffeeMeetsBagel, 500px, Eyeem, and more. Privacy-not-included list updated for Valentine's Day. More tech company scrutiny. US GDPR a step closer? Password hashes cracked much faster, massive Japanese mobile payment app fraud, suing Apple over 2FA, and more.
