Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How To Avoid Sloppy Authentication
Newest First  |  Oldest First  |  Threaded View
GarretG022
50%
50%
GarretG022,
User Rank: Apprentice
5/15/2014 | 8:28:53 PM
Re: critical requirements
What is detailed, is correct and effective way to validate the authentication.   And the real key is, once the identity is validated, to insure that this identity is delivered to ALL the relying parties:   Web Resource, Thick Apps, Network Resources, Cloud Apps.    

The solution to this is a 2-Factor solutoin (utilizing strong authentication, as detailed) and then cryptographically assrt, with bi-lateral confirmation to all relevant resources.

Otherwise the hackers just attack where the authentication is done "sloppily".

   
macker490
50%
50%
macker490,
User Rank: Ninja
5/2/2014 | 8:05:09 AM
critical requirements
critical requirements of authentication:    recognition, integrity, security.

authentication must be valid 1 time only: on the instant transaction.   not like a cfredit card number which is used over, and over and over again.

authentication must be recognizable: i.e. it must be possible to verify who authored the authentication i.e. who made the signature.     attacker cannot create forgeries.

authentication validates the integrity of the transaction it is affixed to.    i.e. if attacker attempts to alter the transaction or substitute a different transaction he will invalidate the signature (integrity)

PGP or GnuPG provides these capabilitites as well as encryption (security).    this is proven software; there is no need to re-invent the wheel.   just learn to use it.

note

all computer security depends on a secure operating system.     these are available although not commonly used.


Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
CVE-2021-3420
PUBLISHED: 2021-03-05
A flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could case an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.