Posts tagged Authentication

3 min Application Security

OWASP Top 10 Deep Dive: Identification and Authentication Failures

Security pros have made progress in mitigating identification and authentication failures — but that doesn't mean we can take our eyes off the ball.

3 min InsightAppSec

Login Authentication Goes Automated With New InsightAppSec Improvements

With our new automated login for InsightAppSec, even the most complex, modern applications can be accessed and scanned quickly and easily. Learn more.

3 min InsightIDR

InsightIDR Now Supports Multi-Factor Auth and Data Archiving

InsightIDR is now part of the Rapid7 platform. Learn more about our platform vision and how it enables you to have the SIEM solution you've always wanted.

8 min Vulnerability Disclosure

Multiple vulnerabilities in Wink and Insteon smart home systems

Today we are announcing four issues affecting two popular home automation solutions: Wink's Hub 2 and Insteon's Hub. Neither vendor stored sensitive credentials securely on their associated Android apps. In addition, the Wink cloud-based management API does not properly expire and revoke authentication tokens, and the Insteon Hub uses an unencrypted radio transmission protocol for potentially sensitive security controls such as garage door locks. As most of these issues have not yet been addres

5 min Authentication

R7-2017-07: Multiple Fuze TPN Handset Portal vulnerabilities (FIXED)

This post describes three security vulnerabilities related to access controls and authentication in the TPN Handset Portal, part of the Fuze platform. Fuze fixed all three issues by May 6, 2017, and user action is not required to remediate. Rapid7 thanks Fuze for their quick and thoughtful response to these vulnerabilities: * R7-2017-07.1, CWE-284 (Improper Access Control) [https://cwe.mitre.org/data/definitions/284.html]: An unauthenticated remote attacker can enumerate through MAC addr

7 min Haxmas

The Twelve Pains of Infosec

One of my favorite Christmas carols is the 12 Days of Christmas [https://www.youtube.com/watch?v=oyEyMjdD2uk]. Back in the 90s, a satire of the song came out in the form of the 12 Pains of Christmas [https://www.youtube.com/watch?v=h4NlR5KQLQ8], which had me rolling on the floor in laughter, and still does. Now that I am in information security, I decided it is time for a new satire; maybe this will start a new tradition, and so I am presenting the 12 Pains of Infosec.

2 min Authentication

Credential Status in Reporting Data Model

The new version of Reporting Data Model (1.3.1) allows Nexpose [https://www.rapid7.com/products/nexpose/] users to create CSV reports providing information about credential status of their assets, i.e. whether credentials provided by the user (global or site specific) allowed successful login to the asset during a specific scan. Credential Status Per Service The new Reporting Data Model version contains fact_asset_scan_service enhanced with the new column containing the information about creden

3 min InsightIDR

Detect Corporate Identity Theft with a New Intruder Trap: Honey Credentials

If you're only looking through your log files, reliably detecting early signs of attacker reconnaissance can be a nightmare. Why is this important? If you can detect and react to an intruder early in the attack chain, it's possible to kick the intruder out before he or she accesses your critical assets. This is not only good for you (no monetary data is stolen), but it's also critical because this is the only time in the chain that the intruder is at a disadvantage. Once an attacker has an i

4 min Authentication

Brute Force Attacks Using US Census Bureau Data

Currently one of the most successful methods for compromising an organization is via password-guessing attacks. To gain access to an organization using brute force attack [https://www.rapid7.com/fundamentals/brute-force-and-dictionary-attacks/] methods, there are a minimum of three things a malicious actor needs: A username, a password, and a target. Often the targets are easy to discover, and typically turn out to be email systems such as Outlook Web Access (OWA) or VPN solutions that are expo

3 min Authentication

Simple Network Management Protocol (SNMP) Best Practices

By Deral Heiland, Research Lead, and Brian Tant, Senior Consultant, of Rapid7 Global Services. Over the past several years, while conducting security research in the area of Simple Network Management Protocol (SNMP) and presenting those findings at conferences around the world, we are constantly approached with the same question: “What are the best practices for securing SNMP?” The first thing to remember about SNMP versions 1, 2, and 2c is that the community strings used for authentication are c

2 min Authentication

Understanding User Behavior Analytics

Hey everyone! I'm pleased to announce that we've put together another pretty fun research report here in the not-terribly-secret overground labs here at Rapid7: Understanding User Behavior Analytics. You can download it over here [https://information.rapid7.com/understanding-user-behavior-analytics-report.html]. Modern enterprise breaches tend to make heavy use of misbehaving user accounts. Not the users -- the people typing at keyboards or poking at their smartphones -- but user accounts.

3 min Authentication

Patch CVE-2014-6324 To Avoid A Complete Domain Rebuild When UserInsight Detects Its Exploit

On Tuesday, November 18th, Microsoft released an out-of-band security patch affecting any Windows domain controllers that are not running in Azure. I have not yet seen any cute graphics or buzzword names for it, so it will likely be known as MS14-068, CVE-2014-6324, or "that Kerberos vulnerability that is being exploited in the wild to completely take over Windows domains" because it rolls off the tongue a little better. There is a very informative description of the vulnerability, impact, and

2 min Authentication

Protect Your Service Accounts: Detecting Service Accounts Authenticating from a New Host

IT professionals set up service accounts to enable automated processes, such as backup services and network scans. In UserInsight, we can give you quick visibility into service accounts by detecting which accounts do not have password expiration enabled. Many UserInsight subscribers love this simple feature, which is available the instant they have integrated their LDAP directory with UserInsight. In addition, UserInsight has several new ways to detect compromised service accounts. To do their

1 min Windows

Mitigating Service Account Credential Theft

I am excited to announce a new whitepaper, Mitigating Service Account Credential Theft [https://hdm.io/writing/Mitigating%20Service%20Account%20Credential%20Theft%20on%20Windows.pdf] on Windows. This paper was a collaboration between myself, Joe Bialek of Microsoft, and Ashwath Murthy of Palo Alto Networks. The executive summary is shown below, Over the last 15 years, the Microsoft Windows ecosystem has expanded with the meteoric rise of the internet, business technology, and computing in gene

2 min Metasploit

Feedback on Rapid7's Tech Preview Process and Metasploit Pro 4.10

By guest blogger Sean Duffy, IS Team Lead, TriNet. Rapid7 invited me to participate in pre-release testing of Metasploit 4.10, a process they call Tech Preview. They asked me to openly share my thoughts with the community. Preparation and Logistics: I always enjoy working with Rapid7. Preparatory meetings and documentation made the installation and testing process a breeze. Rapid7 was also kind enough to extend my testing and feedback sessions when work so rudely intruded on the fun. Zero comp