Security News

Virtually every business today is a technology business, relying on digital services in some way to serve and support their customers. The seamlessness of that online experience can make all the difference between a customer who makes a purchase and one who abandons their cart in frustration.

Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life. "A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network," Cisco explained in a security advisory issued on Wednesday.

By verifying your users' identities before they access your network, two-factor authentication protects your applications and data against unauthorized access. It works by requiring multiple factors to be confirmed before permitting access versus just an email and a password.

To protect the victim's account, the organization had implemented Microsoft MFA through the Microsoft Authenticator app, which should have stopped any use of stolen credentials. Microsoft MFA doesn't always require a second form of authentication.

Once authenticated, a session cookie maintains the session state and the user's browsing session stays authenticated. Figure A. Each cookie stored in the browser's database contains a list of parameters and values, including in some cases a unique token provided by the web service once authentication is validated.

We'll look at why companies are concerned about facial recognition as well as some alternatives that are both secure and friendly towards employees' concerns. The most common alternative to facial recognition would be two-factor authentication using an app such as Authy or Google Authenticator.

Active adversaries are increasingly exploiting stolen session cookies to bypass multi-factor authentication and gain access to corporate resources, according to Sophos. "Over the past year, we've seen attackers increasingly turn to cookie theft to work around the growing adoption of MFA. Attackers are turning to new and improved versions of information stealing malware like Raccoon Stealer to simplify the process of obtaining authentication cookies, also known as access tokens," said Sean Gallagher, principal threat researcher, Sophos.

RubyGems, the official package manager for the Ruby programming language, has become the latest platform to mandate multi-factor authentication for popular package maintainers, following the footsteps of NPM and PyPI. To that end, owners of gems with over 180 million total downloads are mandated to turn on MFA effective August 15, 2022. What's more, gem maintainers who cross 165 million cumulative downloads are expected to receive reminders to turn on MFA until the download count touches the 180 million thresholds, at which point it will be made mandatory.

There are a variety of roadblocks associated with moving to passwordless authentication. Further, the app owners will often resist changing them to support passwordless flows.

VMware and experts alike are urging users to patch multiple products affected by a critical authentication bypass vulnerability that can allow an attacker to gain administrative access to a system as well as exploit other flaws. "Given the prevalence of attacks targeting VMware vulnerabilities and a forthcoming proof-of-concept, organizations need to make patching CVE-2022-31656 a priority," Claire Tillis, senior research engineer with Tenable's Security Response Team, said in an email to Threatpost.