Tag Archive for: Headache

Contrast Protect eliminates another zero-day headache

On June 2nd, Atlassian released a security advisory about another remote code execution vulnerability (CVE-2022-26134) affecting all on-premises versions of Confluence Server and Confluence Data Center. The initial report to Atlassian came from Volexity after they discovered it during a forensics investigation. After the Atlassian release and discussion about active exploitation in the wild, the Cybersecurity & Infrastructure Security Agency (CISA) issued a warning for users to immediately block all traffic to affected systems.

The vulnerability could be exploited by an anonymous/unauthenticated attacker to inject malicious Object-Graph Navigation Language (OGNL) commands. This carries a very high-risk exposure: as the CVE is still in a RESERVED state, there is currently no mapped CVSS score, but Contrast Labs expects this to be critical and 9.8 or above (like the previously discovered OGNL issue released last year, CVE-2021-26084). The pre-authentication nature of this vulnerability and the fact that there are a lot of older, unpatched, on-premises versions of Confluence floating around make this a very serious problem.

What Does the Exploit Look Like?

CVE-2022-26134 is an OGNL injection vulnerability that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.

An attacker can exploit this vulnerability—easily bypassing web application firewall (WAF) defenses—to take control of an unpatched system. When this happens, an attacker gains “godlike” access to Confluence. They can access anything else stored on that box—including data, tickets, attachments, and keys to things like AWS infrastructure. Lateral movement beyond the server, across the network and other applications, is even possible.

Has the Confluence Vulnerability Been Patched?

The vulnerability was recently discovered by Volexity over the Memorial Day weekend during a forensics investigation. It was immediately reported to Atlassian. In this case Atlassian reported to the general public before a fix was released, most likely due to the criticality of the vulnerability, the ease of exploit, and the fact that it was under active exploitation….

Source…

How to comply with PSD2 authentication without a headache


The European Union’s Payment Services Directive 2 (PSD2) regulation finally came into full force in most countries this year, putting the burden on companies to meet authentication requirements for payments. Regulations like these often come with additional security hoops consumers have to jump through. But it doesn’t have to be that way.

With the right strategy, companies can provide frictionless online experiences while remaining compliant with constantly changing regulations, including PSD2. Using passive behavioral biometrics, you can seamlessly verify that the right person is behind the device, meeting requirements without the need for additional authentication steps. Find that hard to believe? Well, read on.

How not to do PSD2: knowledge questions

While PSD2 has technically been on the books since September 2019, one rule didn’t actually go into effect until December 31, 2020: the requirement that payment service providers (PSPs) use Strong Customer Authentication (SCA). Using SCA means a payment must satisfy two of three authentication factors:

  1. Knowledge: Something the consumer knows (e.g., PIN or password)
  2. Possession: Something the consumer has (e.g., device or credit card)
  3. Inherence: Something the consumer inherently is (e.g., fingerprint or facial recognition)

To remain PSD2-compliant, many companies are using one-time passcodes (OTPs) to verify logins and payments. With OTPs, users receive a code on their device to ensure it’s in their possession — fulfilling the possession requirement for SCA. But that leaves one verification step unfulfilled. Most companies opt to have users fulfill the knowledge requirement by typing in a password. But this adds an extra step — and unnecessary friction — to the user experience.

The looming question: What will the second authentication factor be?

This is where passive behavioral biometrics comes into play by verifying user identity without the need for additional step-ups. Imagine you are logging in to your mobile banking app. When you enter the OTP code sent to your device, instead of having to manually verify your credentials a second time, there’s technology that can detect whether it’s you just by the way you…

Source…

Israel’s Iron Dome Headache (As In China Might Have Stolen the Specs On It) – The National Interest Online

Tiny Israel has an enormous cybersecurity industry and a deep pool of hackers and anti-hackers who learned their trade in the Israeli military. So if China can …

“chinese hackers” – read more