Security News
A severe authentication bypass vulnerability has been reported in Bouncy Castle, a popular open-source cryptography library. The.NET version of Bouncy Castle alone has been downloaded over 16,000,000 times, speaking to the seriousness of vulnerabilities in Bouncy Castle, a library relied on by developers of mission-critical applications.
A severe authentication bypass vulnerability has been reported in Bouncy Castle, a popular open-source cryptography library. The.NET version of Bouncy Castle alone has been downloaded over 16,000,000 times, speaking to the seriousness of vulnerabilities in Bouncy Castle, a library relied on by developers of mission-critical applications.
Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. This was unexpected for a few reasons, not least of which was the targeted mailbox was protected by MFA. Logs from the Exchange server showed that the attacker provided username and password authentication like normal but were not challenged for a second factor through Duo. The logs from the Duo authentication server further showed that no attempts had been made to log into the account in question.
This week, Mattermost, in coordination with Golang has disclosed 3 critical vulnerabilities within Go language's XML parser. The XML round-trip vulnerabilities listed below lurk in Golang's XML language parser encoding/xml which doesn't return reliable results when encoding and decoding XML input.
This is a weird story of a building owner commissioning an artist to paint a mural on the side of his building - except that he wasn't actually the building's owner. The fake landlord met Hawkins in person the day after Thanksgiving, supplying the paint and half the promised fee.
Tom Merritt lists five reasons why SMS should not be used for MFA. Multi-factor authentication, or as we used to call it two-factor authentication, is essential-it means you don't rely on your password alone for security. SMS is the most frequently used additional factor because almost everybody has it, and it's a little easier to manage for developers-but it's also the least secure.
Using SMS as an additional means to authenticate your password is better than nothing, but it's not the most reliable. Tom Merritt lists five reasons why SMS should not be used for MFA.
cPanel, a provider of popular administrative tools to manage web hosting, has patched a security vulnerability that could have allowed remote attackers with access to valid credentials to bypass two-factor authentication protection on an account. cPanel and WHM offers a Linux-based control panel for users to handle website and server management, including tasks such as adding sub-domains and performing system and control panel maintenance.
Microsoft last week released an out-of-band update for Windows to address authentication issues related to a recently patched Kerberos vulnerability. The issue is related to the PerformTicketSignature registry subkey value in CVE-2020-17049, a security feature bypass bug in Kerberos Key Distribution Center that Microsoft fixed on November 2020 Patch Tuesday.
Microsoft has released out-of-band optional updates to fix a known issue that causes Kerberos authentication problems on enterprise domain controllers after installing security updates released earlier this month to address CVE-2020-17049. This OOB update comes after Microsoft started investigating the Kerberos authentication issue over the weekend, on November 14.