For quite a while now, we have provided the option to use a time-based one-time password as a second factor to authenticate to your ISC account. The implementation we picked was RFC 6238, as it is also implemented by Google's popular Authenticator app. But so far, we haven't had a good solution for the "lost authenticator" problem: it required an administrator to manually reset the particular account.

To help with password and authenticator resets in the future, we now also support SMS and voice-call based authentication. To enable this feature, you will need to provide one or more phone numbers that can be used to authenticate you. If you lose your authenticator app (e.g. when you get a new phone), or if you need to reset your password, this number is used to authenticate you.

This *should* work with phone numbers globally, not just US numbers. But of course, we can only test a couple of countries. Please let us know if you run into any problems.

At this point, I don't think it makes sense to make two-factor authentication mandatory for our site. Many users do not have any personal information stored with us. But I think it does make sense to provide the option and allow users to decide whether they feel it is necessary or not.

To configure your phone number, see http://isc.sans.edu/pwresetinfo.html (you will have to log in first, of course).

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Apple has purged its iOS App Store of several titles that it said had the ability to compromise encrypted connections between end users and the servers they connect to. The company advised users to uninstall the apps from their iPhones and iPads to prevent potentially harmful monitoring, but it has yet to name any of the offending titles.

"Apple has removed a few apps from the App Store that install root certificates that could allow monitoring of data," company officials wrote in an advisory posted Friday. "This monitoring could be used to compromise SSL/TLS security solutions. If you have one of these apps installed on your device, delete both the app and its associated configuration profile to make sure your data remains protected."

Apple representatives didn't respond to an e-mail seeking the names of the offending apps and an explanation of why they weren't identified. This post will be updated if they reply later.

