Posts tagged Authentication

3 min Application Security

OWASP Top 10 Deep Dive: Identification and Authentication Failures

Security pros have made progress in mitigating identification and authentication failures — but that doesn't mean we can take our eyes off the ball.

3 min InsightAppSec

Login Authentication Goes Automated With New InsightAppSec Improvements

With our new automated login for InsightAppSec, even the most complex, modern applications can be accessed and scanned quickly and easily. Learn more.

3 min InsightIDR

InsightIDR Now Supports Multi-Factor Auth and Data Archiving

InsightIDR is now part of the Rapid7 platform. Learn more about our platform vision and how it enables you to have the SIEM solution you've always wanted.

8 min Vulnerability Disclosure

Multiple vulnerabilities in Wink and Insteon smart home systems

Today we are announcing four issues affecting two popular home automation solutions: Wink's Hub 2 and Insteon's Hub. Neither vendor stored sensitive credentials securely on their associated Android apps. In addition, the Wink cloud-based management API does not properly expire and revoke authentication tokens, and the Insteon Hub uses an unencrypted radio transmission protocol for potentially sensitive security controls such as garage door locks. As most of these issues have not yet been addres

5 min Authentication

R7-2017-07: Multiple Fuze TPN Handset Portal vulnerabilities (FIXED)

This post describes three security vulnerabilities related to access controls and authentication in the TPN Handset Portal, part of the Fuze platform. Fuze fixed all three issues by May 6, 2017, and user action is not required to remediate. Rapid7 thanks Fuze for their quick and thoughtful response to these vulnerabilities: * R7-2017-07.1, CWE-284 (Improper Access Control) [https://cwe.mitre.org/data/definitions/284.html]: An unauthenticated remote attacker can enumerate through MAC addr

1 min Authentication

Better Credential Management for Better Vulnerability Results

Often the first time the security team knows that credentials have expired is when their scans start to return dramatically fewer vulnerabilities. We all know getting credentialed access yields the best results for visibility. Yet, maintaining access can be difficult. Asset owners change credentials. Different assets have different frequencies for credential updates. Security teams are often left out of the loop. Between the original scan run time, the time it takes the security team to pinpoi

3 min Authentication

Under the Hoodie: Actionable Research from Penetration Testing Engagements

Today, we're excited to release Rapid7's latest research paper, Under the Hoodie: Actionable Research from Penetration Testing Engagements [https://www.rapid7.com/research/under-the-hoodie/], by Bob Rudis [https://twitter.com/hrbrmstr], Andrew Whitaker [https://www.linkedin.com/in/drewwhitaker/], Tod Beardsley [https://twitter.com/todb], with loads of input and help from the entire Rapid7 pentesting team. This paper covers the often occult art of penetration testing, and seeks to demystify the

7 min Haxmas

The Twelve Pains of Infosec

One of my favorite Christmas carols is the 12 Days of Christmas [https://www.youtube.com/watch?v=oyEyMjdD2uk]. Back in the 90's, a satire of the song came out in the form of the 12 Pains of Christmas [https://www.youtube.com/watch?v=h4NlR5KQLQ8], which had me rolling on the floor in laughter, and still does. Now that I am in information security, I decided it is time for a new satire, maybe this will start a new tradition, and so I am presenting, the 12 Pains of Infosec. ----------------------

3 min Authentication

Avoiding Default Fail

As the Internet of Things (IoT) quickly floods into the marketplace, into our homes and into our places of employment, my years of pen testing experience and every research project I spin up remind me that IoT has weak defaults -- especially default passwords, which will be the undoing of all of us. You would think after pointing out the issues with default passwords for years most of us would learn to start changing those passwords before deployment. Unfortunately that's not the case. I think we

4 min Nexpose

InsightIDR & Nexpose Integrate for Total User & Asset Security Visibility

Rapid7's Incident Detection and Response [https://www.rapid7.com/solutions/incident-detection/] and Vulnerability Management [https://www.rapid7.com/solutions/vulnerability-management.jsp] solutions, InsightIDR [https://www.rapid7.com/products/insightidr/] and Nexpose [https://www.rapid7.com/products/nexpose/], now integrate to provide visibility and security detection across assets and the users behind them. Combining the pair provides massive time savings and simplifies incident investigation

2 min Authentication

800 Million Compromised Credentials Were Exposed This Month. Were You Notified?

In our previous post on third party breaches [/2016/06/01/if-employee-passwords-get-compromised-by-third-party-breach-does-your-system-make-a-sound], we talked about the risk of public compromised credential leaks providing attackers with another ingress vector. This August, InsightIDR [https://www.rapid7.com/products/insightidr/?CS=blog], armed with knowledge from a partner, identified a “Very Large Credentials Dump”. Very large? Over 800 million compromised credentials [https://www.rapid7.com

2 min Authentication

Credential Status in Reporting Data Model

The new version of the Reporting Data Model (1.3.1) allows Nexpose [https://www.rapid7.com/products/nexpose/] users to create CSV reports providing information about the credential status of their assets, i.e. whether credentials provided by the user (global or site specific) allowed successful login to the asset during a specific scan. Credential Status Per Service: The new Reporting Data Model version contains fact_asset_scan_service enhanced with the new column containing the information about creden

2 min Authentication

Passwords and the Devolution of Computer Users

This is a guest post from our frequent contributor Kevin Beaver [/author/kevinbeaver]. You can read all of his previous guest posts here [/author/kevinbeaver]. Recently, I wrote about my thoughts on why we feel like we have to force short-term password changes in the name of “security.” [/2016/04/28/why-do-we-keep-forcing-short-term-password-changes] Since that time, Microsoft made an announcement to step in and help set its users (and itself) up for success [https://blogs.technet.microsoft.com

3 min Authentication

If Employee Passwords Get Compromised, Does Your System Make a Sound?

Compromised credentials [https://www.rapid7.com/resources/compromised-credentials.jsp] are the number one attack vector behind breaches, according to the Verizon Data Breach Investigations Report. Armed with an employee username and password, attackers can stealthily gain a foothold on the network, perform reconnaissance, and move laterally to critical targets – all without malware. Phishing and malware are great ways to steal credentials, but there's another much easier way that's largely outsi

3 min InsightIDR

Detect Corporate Identity Theft with a New Intruder Trap: Honey Credentials

If you're only looking through your log files, reliably detecting early signs of attacker reconnaissance can be a nightmare. Why is this important? If you can detect and react to an intruder early in the attack chain, it's possible to kick the intruder out before he or she accesses your critical assets. This is not only good for you (no monetary data is stolen), but it's also critical because this is the only time in the chain that the intruder is at a disadvantage. Once an attacker has an i