Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms


Instagram 2FA Bypass, A Tale of Superlative Bug Hunting Skills & Indolent Multi-Factor Authentication

July 19, 2019 by Marc Handelman in Facebookery, 2FA Flaws, Information Security, Bugs, Bug Bounty, Bug Hunting

Via Tara Seals, writing at the Threatpost blog, comes an account of the highly competent bug hunting of Laxman Muthiyah, examining, if you will, the lackadaisical 2FA recovery flow promulgated by Facebook, Inc. (Nasdaq: FB) on its Instagram property.

"Independent researcher Laxman Muthiyah took a look at Instagram’s mobile recovery flow, which involves a user receiving a six-digit passcode to their mobile number for two-factor account authentication (2FA). So, with six digits that means there are 1 million possible combinations of digits making up the codes." - Via Tara Seals writing at the Threatpost Blog
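
As an added illustration of why a six-digit code only holds up when the server stops answering guesses (this is example code written for this post, not Threatpost's, Instagram's or the researcher's, and it makes no claim about how Instagram's recovery flow was actually implemented), the toy verifier below appears twice: once accepting unlimited guesses, so an attacker walking the 1,000,000-code space always lands on the code, and once binding a small failure budget, an expiry and single use to the code itself rather than to the caller, so that spreading guesses across many clients buys nothing. Class and function names are hypothetical.

```python
"""Toy six-digit recovery-code verifier: brute-forceable vs. attempt-limited.
Added example with hypothetical names; this is not Instagram's code."""
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS          # 1,000,000 possible codes


class WeakVerifier:
    """Compares correctly but never stops answering, so the whole
    code space can simply be enumerated."""
    locked = False                       # never locks

    def __init__(self, code: str):
        self._code = code

    def verify(self, guess: str) -> bool:
        return hmac.compare_digest(self._code, guess)


class LockingVerifier:
    """Counts failures against the code itself (not the requesting IP or
    session), retires it after a few misses or a short TTL, and accepts
    it once only."""

    def __init__(self, code: str, max_attempts: int = 5,
                 ttl_seconds: int = 600, now=time.time):
        self._code = code
        self._max_attempts = max_attempts
        self._now = now                  # injectable clock, for tests
        self._expires_at = now() + ttl_seconds
        self.failures = 0
        self.consumed = False

    @property
    def locked(self) -> bool:
        return self.failures >= self._max_attempts

    def verify(self, guess: str) -> bool:
        if self.locked or self.consumed or self._now() > self._expires_at:
            return False                 # retired code: refuse regardless of guess
        if hmac.compare_digest(self._code, guess):
            self.consumed = True         # single use
            return True
        self.failures += 1
        return False


def issue_code() -> str:
    """A fresh zero-padded six-digit code from a CSPRNG."""
    return f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"


def brute_force(verifier):
    """Walk 000000..999999 in order. Returns (recovered code or None,
    number of guesses the verifier actually evaluated)."""
    for n in range(CODE_SPACE):
        if verifier.locked:
            return None, n
        guess = f"{n:0{CODE_DIGITS}d}"
        if verifier.verify(guess):
            return guess, n + 1
    return None, CODE_SPACE


if __name__ == "__main__":
    code = issue_code()
    print("weak   :", brute_force(WeakVerifier(code)))      # always recovers the code
    print("locking:", brute_force(LockingVerifier(code)))   # gives up after 5 guesses
```

The design point is where the counter lives: a budget keyed to the code (or the account) is exhausted after five misses no matter how many source addresses the guesses arrive from, whereas a per-client counter only limits each client.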


DREAD, The Pirate Approach →

June 05, 2018 by Marc Handelman in Code, Bugs, Bug Bounty

via the inimitable Adam Shostack (author of The New School of Information Security and of Threat Modeling: Designing for Security, and a leader in the threat modeling arena), writing at his fascinating blog, comes a sterling discussion of the DREAD method (Damage, Reproducibility, Exploitability, Affected users, Discoverability), or How To Name A Bug Bounty Program. Certainly today's MustRead; enjoy!


Crowdfense, Bug and Exploit Mercantile →

April 26, 2018 by Marc Handelman in Business of Security, Bugs, Exploitation, Information Security

Peter Cao, writing at 9to5Mac, has penned a particularly interesting article detailing Crowdfense, an Emirati-based company poised to garner beaucoup dinero in the Windows, Android, iOS and macOS bug and exploit marketplace, the legal marketplace that is, ostensibly selling to governments, law enforcement and intelligence agencies. Today's MustRead!


The Factor Circumstance →

October 17, 2017 by Marc Handelman in Bugs, Cryptography, Information Security

News, via Dan Goodin, writing at our beloved Ars Technica, detailing an enormous factorization flaw in Infineon's RSA key-generation library, which renders 2048-bit (and shorter) keys produced by a widening number of encryption products worldwide practically factorable from the public key alone. The implications are equally enormous. H/T

'The researchers who uncovered the Infineon library flaw questioned whether the secrecy required by some of the certification process played a role. They wrote: Our work highlights the dangers of keeping the design secret and the implementation closed-source, even if both are thoroughly analyzed and certified by experts. The lack of public information causes a delay in the discovery of flaws (and hinders the process of checking for them), thereby increasing the number of already deployed and affected devices at the time of detection.' - via Dan Goodin at ArsTechnica
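
The practical check a practitioner wants here is whether a given modulus carries the structure that makes it factorable. The block below is an added example (my own code, not the researchers' tool and not Infineon's library): affected keys were built from primes of the form k·M + (65537^a mod M), with M a product of consecutive small primes, so N = p·q ≡ 65537^(a+b) (mod M) and, for every small prime r dividing M, N mod r lies in the subgroup of Z_r^* generated by 65537. A random modulus almost never satisfies all of those congruences at once, which gives a cheap fingerprint. The key generator at the bottom is a toy that only imitates that residue structure so the check can be exercised offline; it does not reproduce the library's real parameters, and the Mersenne-prime modulus used as the negative case is constructed for this example.

```python
"""ROCA-style fingerprint for RSA moduli. Added example, not the
researchers' tool or Infineon's library; the key generator at the
bottom is a toy that only imitates the residue structure for testing."""
import random

E = 65537
# First 17 odd primes. Every affected key size used an M divisible by
# all of these, so one test covers all sizes.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61]


def subgroup_generated_by(g: int, r: int) -> frozenset:
    """{g^i mod r : i >= 0}: the cyclic subgroup of Z_r^* generated by g."""
    members, x = set(), 1
    while x not in members:
        members.add(x)
        x = (x * g) % r
    return frozenset(members)


# Affected primes were p = k*M + (65537^a mod M), hence for every r | M
# the residue N mod r = 65537^(a+b) mod r lies in <65537> inside Z_r^*.
ALLOWED = {r: subgroup_generated_by(E % r, r) for r in SMALL_PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True when n mod r is in <65537> for all 17 primes; a random
    modulus fails at least one of the checks with overwhelming probability."""
    return all(n % r in ALLOWED[r] for r in SMALL_PRIMES)


# ---- toy generator producing a modulus with the same structure ----
_RNG = random.Random(0)          # fixed seed: deterministic Miller-Rabin bases


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by the small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for r in (2, *SMALL_PRIMES):
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = _RNG.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def primorial(primes) -> int:
    m = 1
    for r in primes:
        m *= r
    return m


M = primorial([2, *SMALL_PRIMES])   # 2 included so k*M + (odd residue) is odd


def roca_style_prime(bits: int, a: int) -> int:
    """Smallest `bits`-bit prime congruent to 65537^a (mod M); deterministic k search."""
    residue = pow(E, a, M)           # odd, since 65537 is odd and M is even
    k = (1 << (bits - 1)) // M + 1
    while True:
        p = k * M + residue
        if p.bit_length() == bits and is_probable_prime(p):
            return p
        k += 1


def make_vulnerable_modulus(bits: int = 512) -> int:
    """Toy modulus with the vulnerable residue structure (not a real key size)."""
    return roca_style_prime(bits // 2, a=7) * roca_style_prime(bits // 2, a=11)


if __name__ == "__main__":
    print(has_roca_fingerprint(make_vulnerable_modulus()))            # True
    print(has_roca_fingerprint((2**127 - 1) * (2**61 - 1)))          # False
```

The fingerprint is a necessary-condition test only: a hit says the modulus has the structure the attack needs, which is the trigger to rotate the key; it does not by itself recover the factors.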


BSides Nashville 2017, Ryan Goltry's 'Springtime for Code Reviews' →

May 17, 2017 by Marc Handelman in All is Information, BSides, Bugs, Code, Information Security, Code Review

O'Reilly Security 2016, Katie Moussouris' 'Lessons Learned...' →

December 05, 2016 by Marc Handelman in All is Information, Conferences, Information Security, Education, Wipe Out Cruft, Cruft, Bugs