Information Security News
Implementing password resets is hard. The problem comes down to how we authenticate a user who forgot the common secret(s) we shared. We all know that password reset questions are often just weak password-bypass questions and cannot be used to authenticate a user reliably.
[OK OK OK... I see the comments already: But I don't answer them correctly. Sure you do, but you are also reading a blog about password reset questions. ...]
Let's talk about resetting passwords. In my opinion, password reset questions should never be considered an authentication mechanism. Let's call them a rate-limiting tool: they prevent an attacker from flooding a victim with password reset e-mails. But that is about all they are good for.
So what else can we do? SMS or automated phone calls can be a reasonable option for some sites, but NIST, in recent guidance regarding two-factor authentication, pointed out that it is certainly possible for an attacker to obtain access to someone's SMS traffic. To do so, an attacker has to convince a phone company to add a new phone to the account. The process usually involves answering some questions similar to password reset questions, or some social engineering. Phone/SMS authentication isn't any better than the weak password reset questions we are trying to get rid of.
There is another method I have seen implemented a couple of times. I call it "password buddy". When you set up an account, you select a few individuals who may approve password resets on your behalf. In a corporate environment, these may be coworkers or your boss. But it could also be a family member. For this to work, both parties need to have an account at the same site.
Here is a quick workflow of how this works:
So this is the rough outline of the process. There are some possible problems with it:
If there is something else that doesn't work in security, it is central anonymous help desks. They can almost always be social engineered. The idea behind this system is that you authenticate to someone you work with daily; maybe you can even walk over to them and ask for help in person. Or a family member who knows you very well.
The buddy will never see your password. They just approve the fact that you changed it. They will also not know your password reset questions or any other details about your account. How they authenticate you is up to them, but in a corporate environment you may want to set up some rules around how that authentication should happen (in person, over the phone, ...).
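The following is an added illustration of the buddy-approved reset flow described above; it is not code from the original post. The class and method names (AccountStore, request_reset, approve_reset, complete_reset), the one-time token, the 15-minute expiry and the rule that a buddy must be a distinct registered account on the same site are assumptions made for this example. The point it demonstrates is the property stated above: the buddy only vouches for the request and never sees the token, the password, or the reset questions, and a reset cannot complete without that approval.

```python
"""Minimal model of a 'password buddy' reset flow (added example, not the post's code)."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; use a dedicated password hash in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    buddies: frozenset  # usernames allowed to approve this account's resets


@dataclass
class ResetRequest:
    username: str
    token_hash: bytes            # the server stores only a hash of the one-time token
    created: float
    approved_by: Optional[str] = None


class AccountStore:
    REQUEST_TTL = 15 * 60        # assumed: seconds a pending request stays valid

    def __init__(self, clock=time.time):
        self.clock = clock       # injectable clock so expiry can be tested offline
        self.accounts = {}
        self.pending = {}        # one outstanding request per username

    def register(self, username, password, buddies=()):
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt), frozenset(buddies))

    def verify(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash)

    def request_reset(self, username):
        """Step 1: the owner asks for a reset and receives a one-time token out of band
        (e-mail in a real deployment). It is returned directly here for the demo."""
        if username not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[username] = ResetRequest(username, hashlib.sha256(token.encode()).digest(), self.clock())
        return token

    def approve_reset(self, buddy, username):
        """Step 2: a buddy vouches for the request. The buddy is assumed to be logged in as
        themselves; they see neither the token nor the new password, only who asked."""
        req = self.pending.get(username)
        acct = self.accounts.get(username)
        if req is None or acct is None:
            return False
        if buddy == username or buddy not in self.accounts or buddy not in acct.buddies:
            return False
        if self.clock() - req.created > self.REQUEST_TTL:
            del self.pending[username]       # stale request: drop it
            return False
        req.approved_by = buddy
        return True

    def complete_reset(self, username, token, new_password):
        """Step 3: the owner presents the token and the new password. Succeeds only if a
        buddy approved in time and the token matches; the token is single-use."""
        req = self.pending.get(username)
        if req is None:
            return False
        if self.clock() - req.created > self.REQUEST_TTL or req.approved_by is None:
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), req.token_hash):
            return False
        acct = self.accounts[username]
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash_password(new_password, acct.salt)
        del self.pending[username]
        return True


def demo():
    """Constructed scenario: alice names bob as her buddy; mallory is an unrelated user."""
    store = AccountStore()
    store.register("alice", "old-secret", buddies=["bob"])
    store.register("bob", "bob-secret")
    store.register("mallory", "mallory-secret")
    token = store.request_reset("alice")
    return {
        "unapproved_reset_rejected": not store.complete_reset("alice", token, "new"),
        "non_buddy_cannot_approve": not store.approve_reset("mallory", "alice"),
        "buddy_approves": store.approve_reset("bob", "alice"),
        "reset_with_approval": store.complete_reset("alice", token, "new-secret"),
        "token_single_use": not store.complete_reset("alice", token, "again"),
        "new_password_works": store.verify("alice", "new-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. The server stores only a hash of the token, so a database leak does not yield usable reset tokens, and approval and completion are separate calls by separate identities, so neither the buddy nor someone holding only the token can finish the reset alone. How the buddy decides to click approve (in person, over the phone) stays outside the code, exactly as the post leaves it to policy.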
A major battle is underway for control over hundreds of millions of network-connected digital video recorders, cameras, and other so-called Internet of Things devices. As Ars has chronicled over the past two weeks, hackers are corralling them into networks that are menacing the security news site KrebsOnSecurity and other Web destinations with some of the biggest distributed denial-of-service attacks ever recorded.
Johannes B. Ullrich, a researcher and chief technology officer for the SANS Internet Storm Center, wanted to know just how vulnerable these devices are to remote takeover, so he connected an older DVR to a cable modem Internet connection. What he saw next—a barrage of telnet connection attempts so dizzying it crashed his device—was depressing.
"The sad part is, that I didn't have to wait long," he wrote in a blog post published Monday. "The IP address is hit by telnet attempts pretty much every minute. Instead of having to wait for a long time to see an attack, my problem was that the DVR was often overwhelmed by the attacks, and the telnet server stopped responding. I had to reboot it every few minutes."
by Sean Gallagher
Digital Defense announced today that it had privately revealed a set of five zero-day vulnerabilities in Dell EMC's vApp Manager for Unisphere for VMAX, a Web application used to manage all of EMC's storage platforms. The flaws would allow an attacker with network access to the storage devices to send malicious Adobe Flash Action Message Format (AMF) messages to the Web application server running on the storage system. That means attackers could run arbitrary commands against the storage system and potentially gain complete control of the storage devices or shut them down. EMC has patched the flaws; the security advisories on the vulnerabilities are available only to Dell EMC customers.
Weaknesses were found in how Unisphere for VMAX, which usually runs on a "virtual appliance" on a VMware server, used the AMF protocol to send messages to five different interfaces on the Unisphere Web application server, sometimes without requiring authentication. The worst of these is a vulnerability that allows "arbitrary command execution with root privileges, complete compromise of the virtual appliance," Digital Defense reported in a post on the vulnerabilities. That includes the capability of creating new user credentials to give attackers unfettered access.
Over 3,300 companies worldwide use Symmetrix VMAX to manage storage systems, including T-Mobile and a number of major financial institutions. While attacks would have likely required access to the data center LANs that the systems run on, that sort of access isn't out of the question. Attackers that managed to exploit a connected Web server or other system in the data center would be able to take advantage. In a worst-case scenario, an attacker could both steal large amounts of corporate data and bring storage systems offline.