268 matches found
5 identity priorities for 2021—strengthening security for the hybrid work era and beyond
When I outlined the five identity priorities for 2020, the world was a very different place. Since then, the COVID-19 pandemic has forever changed how organizations run their businesses. It’s also changed the way we work, learn, and collaborate. What hasn’t changed is the critical role identity...
CVE-2020-27178
Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication...
Authentication flaw
Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication...
CVE-2020-27178
CVE-2020-27178 affects Apereo CAS in multiple release lines: 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4. The root cause is mishandling of secret keys used for Google Authenticator-based multifactor authentication. This can lead to improper handling of MFA secr...
RSA MFA Agent Cross-Site Scripting Vulnerability
RSA MFA Agent is a suite of authentication agent software. A cross-site scripting vulnerability exists in version 2.0 of the RSA MFA Agent for Windows-based platforms, which stems from a lack of proper authentication of client data by a web application. A local attacker can exploit this...
Insecure Randomness
Overview org.apereo.cas:cas-server-support-simple-mfa is a package that allows Apereo CAS to act as a multifactor authentication provider on its own, issuing tokens and sending them to end-users via pre-defined communication channels such as email or text messages. Affected versions of this...
NIST Publishes Multifactor Authentication Practice Guide
The National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) has published NIST Cybersecurity Practice Guide: Multifactor Authentication for E-Commerce. The guide provides e-commerce organizations multifactor authentication (MFA) protection methods they...
Microsoft’s Cyber Defense Operations Center shares best practices
Today, a single breach, physical or virtual, can cause millions of dollars of damage to an organization and potentially billions in financial losses to the global economy. Each week seems to bring a new disclosure of a cybersecurity breach somewhere in the world. As we look at the current state o...
DNS Infrastructure Hijacking Campaign
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an...
U.S. Ballistic Missile Defense System Rife with Security Holes
The classified networks in the facilities where ballistic missile defense system technical information is housed are vulnerable to a raft of internal and external cyber-threats, according to the Department of Defense Inspector General. In a heavily redacted report issued last week, the DoD issued...
ThreatList: Password Hygiene Remains Lackluster in Global Businesses
When it comes to password behaviors in the workplace, the average business is doing just an okay job, earning a middling score in a credentials-security benchmarking analysis of organizations’ habits. Notably, the data also shows that password-sharing is still prevalent in the workplace – althoug...
How Microsoft 365 Security integrates with your broader IT ecosystem—part 3
Today's post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO. Customer satisfaction is one of the most important goals for Microsoft 365 Security. In part 1 of this series, we discussed Microsoft's overall security strategy for connecting...
P = NP: Cloud data protection in vulnerable non-production environments
Data is the holy grail of your cloud workloads for attackers. Data breaches are the kind of breaches that make the news. With the recent European Union General Data Protection Regulation (GDPR), they will make even bigger headlines. From an enterprise point of view, the most challenging aspect of...
Move away from passwords, deploy Windows Hello. Today!
Something we understood from the very beginning with Windows Hello for Business is our customers would approach Windows 10 in a series of phases. The first phase is to simply deploy the platform itself. From there, additional phases would follow to take advantage of optional Windows 10 technologi...
Authentication Bypass
cas-server-core-authentication is vulnerable to authentication bypass. The library does read the correct value when checking for an attribute bypass, causing any principal with the bypass.principalAttributeName attribute to be able to bypass multifactor authentication...
Insider threats in your work inbox
Recently, our friends at Barracuda found a new phishing campaign that banks on the popularity of cloud services used in most businesses, such as Microsoft Office 365. According to their blog post, this latest scheme takes advantage of the natural trust employees place on messages they receive fro...
New Technique to Hijack Social Media Accounts
Access Now has documented it being used against a Twitter user, but it also works against other social media accounts: With the Doubleswitch attack, a hijacker takes control of a victim's account through one of several attack vectors. People who have not enabled an app-based form of multifactor...
Proposed NIST Password Guidelines Soften Length, Complexity Focus
A comment period has closed on NIST’s new password guidelines for federal agencies that challenge the effectiveness of traditional behaviors around authentication such as an insistence on complex passwords and scheduled resets. As more tech companies move away from passwords and toward multistep...