Authentication bypass | Breaking Cybersecurity News | The Hacker News

A number of D-Link routers reportedly have an issue that makes them susceptible to unauthorized backdoor access . The researcher Craig, specialized on the embedded device hacking - demonstrated the presence of a backdoor within some DLink routers that allows an attacker to access the administration web interface of network devices without any authentication and view/change its settings. He found the backdoor inside the firmware v1 . 13 for the DIR-100 revA . Craig found and extracted the SquashFS file system loading firmware's web server file system (/bin/webs) into IDA.  Giving a look at the string listing, the Craig's attention was captured by a modified version of thttpd , the thttpd - alphanetworks /2.23, implemented to provide the rights to the administrative interface for the router.  The library is written by Alphanetworks, a spin-off company of D-Link, analyzing it Craig found many custom functions characterized by a name starting with suffix "alpha"

Google being one of the top web based service provider, has huge number of Internet users availing the free and paid services for their day-to-day personal and/or professional needs. Many of them have configured their mobile phone number for their account password recovery options. Certainly, when comes the mobility, many of these users prefer Google's android based smart phones and tablets to access these services anytime, anywhere. In case of issues in accessing GMAIL services, user is been provided with the option to reset the account password by simply asking Google to send a verification code on the pre-registered mobile number. On the other hand, Android (mobile operating system from Google) based devices are bundled with security features to keep the privacy of user data/information intact. The user can opt to set the security level from none to Password (High), this ensures that, to access the mobile device and information within it, the user needs to pass through

As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, "Your First 100 Days as a vCISO – 5 Steps to Success" , which covers all the phases entailed in launching a successful vCISO engagement, along with recommended actions to take, and step-by-step examples.  Following the success of the playbook and the requests that have come in from the MSP/MSSP community, we decided to drill down into specific parts of vCISO reporting and provide more color and examples. In this article, we focus on how to create compelling narratives within a report, which has a significant impact on the overall MSP/MSSP value proposition.  This article brings the highlights of a recent guided workshop we held, covering what makes a successful report and how it can be used to enhance engagement with your cyber security clients.

Apple is beefing up the security of its iCloud and Apple ID accounts by adding two-factor authentication to the account login process. Users who activate the option will be required to enter a four-digit code they may receive via SMS message, aside from the usual password. Two-factor authentication is gaining popularity because it makes login to online services significantly more secure compared to regular process. Apple has rolled out this functionality for Apple ID and iCloud users. " Turning on two-step verification reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account ," Apple said . Apple will be using both the app and SMS versions, providing security codes through texts as well as the FindMyiPhone app. As long as users are able to remember their password, they will have the ability to generate a new recovery key from the My Apple ID website. You

Duo Security found a loophole in Google's authentication system that allowed them to Google's two factor authentication and gain full control over a user's Gmail account by abusing the unique passwords used to connect individual applications to Google accounts. Duo Security itself a two-factor authentication provider and the flaw is located in the auto-login mechanism implemented in Chrome in the latest versions of Android, that allowed them to use an ASP to gain access to a Google account's recovery and 2-step verification settings.  Auto-login allowed users who linked their mobile devices or Chromebooks to their Google accounts to automatically access all Google-related pages over the Web without ever seeing another login page. " Generally, once you turn on 2-step verification, Google asks you to create a separate Application-Specific Password for each application you use (hence "Application-Specific") that doesn't support logins using 2-step verif