
Welcome McAfee Forward—the Future of Online Protection Today

With digital life changing so rapidly, it’s time for a new way to protect it. Welcome to McAfee Forward—the future of online protection today.

As all that change reshapes how we spend our time online, we believe that one thing remains constant: meaningful protection is a personal right. Your right. That’s how we see it here at McAfee, and we want you to go forward and enjoy your digital life with confidence. Confident that you’re safe as you bank and shop online, sure. Yet also confident as you consult your doctor online, track your fitness routines, order a pizza with the sound of your voice, start your car with your smartphone, and simply do what’s next—the umpteen other innovations yet to be imagined, all thanks to the internet.

So what does the future of online protection look like? You. While different technologies may come and go, the one thing that won’t change is you. The person using them. That’s why our focus is on you, your privacy, identity, and overall security, no matter what you’re doing or what device, app, or platform you’re doing it on.

No doubt about it, life online will continue to change how we go about our day in lively and unexpected ways. You have a right to enjoy it all. And you can leave that to us. We thrive on what’s new and different—and then protecting it so you can get the most out of it.  

That future of online protection is indeed here today. We’ve already rolled out major updates and industry firsts that look out for you online, particularly your privacy and identity. There’s much more to come in the weeks and months ahead. Because you have a right to a life that’s always safe and enjoyable online, whatever shape it takes in the days to come.  

Here’s to living that life with confidence, and to what’s on the horizon. Through it all, we have your back. 

The post Welcome McAfee Forward—the Future of Online Protection Today appeared first on McAfee Blogs.

AT&T teams with Cisco to create new managed SASE offering

Whether organizations call it digital transformation or just using technology to create opportunities for new, easier ways to work, one thing is certain.

Businesses increasingly need to find simpler ways to securely build and manage new kinds of connections that support an era of:

frustration-free hybrid work;
meaningful collaboration;
anywhere, anytime access to application data; and
superior user experiences.

This is exactly the drive behind the latest collaboration between the cybersecurity and networking experts at AT&T and Cisco. They teamed up to provide a global managed Secure Access Service Edge (SASE) offering that streamlines the way businesses deliver highly secure, anywhere, anytime access to any application. Named AT&T SASE with Cisco, the service converges network and security management into a single cloud-delivered, integrated service.

AT&T SASE with Cisco: Connect, control, converge

AT&T SASE with Cisco weaves together some of the most important threads necessary for supporting and protecting the branch offices, labs, manufacturing facilities, and remote workers that make up the tapestry of the modern, distributed workforce. The platform that powers the service integrates SD-WAN, secure remote access, and secure web gateway technology into a single set of consolidated levers and controls for IT and security. Each component offers crucial functions that enable users to connect to resources while controlling cyber risk along the way:

AT&T SD-WAN with Cisco

Improves network visibility, performance and resilience

AT&T SD-WAN with Cisco is a cloud-delivered overlay WAN architecture that connects branches to headquarters, data centers, and multi-cloud environments. It makes it simpler to build, scale, and extend security and access policies across connections.

AT&T Secure Remote Access with Cisco

Grants prescriptive access to applications and data based on identity.

AT&T Secure Remote Access with Cisco is a comprehensive zero trust network access (ZTNA) solution that verifies user identity and device health before allowing connection to company resources. It provides granular access to specific applications, wherever they are hosted, to users at any location.

AT&T Secure Web Gateway with Cisco

Restricts access to websites, cloud applications, and data sharing based on risk policies

AT&T Secure Web Gateway with Cisco provides integrated cloud-native security that unifies protection against web-based threats through firewall, domain name system (DNS) security, cloud access security broker (CASB) and threat intelligence in a single platform.

The biggest value of the offering is the convergence of these components into a SASE framework. SASE is different because it provides a single lens for understanding opportunities to optimize network traffic while managing user access based on risk, no matter the location.

As my colleague from Cisco, Shaila Shankar, explains, a SASE platform future-proofs organizations for digital transformation:

Today’s businesses are planning for a cloud-oriented organizational transformation by consolidating vendors and adopting integrated, cloud-first solutions. This consolidation is fully realized through a SASE platform. With SASE, businesses gain better control over every user and any application, over any network – without a degradation in performance or user experience.

AT&T SASE with Cisco takes those advantages to another level by layering the skilled resources of AT&T’s networking and cybersecurity professionals into the solution. They help maximize the power of the SASE technology by providing expert SASE planning and deployment, policy design, and 24/7 network monitoring and help desk support. The AT&T SASE with Cisco solution is flexible, with managed and co-managed options available.

Use cases supported by AT&T SASE with Cisco

The unique combination of technology and know-how from AT&T and Cisco makes AT&T SASE with Cisco particularly suited to support some very important use cases for forward-looking organizations.

Secure Connected Edge

This solution is designed to help organizations that struggle with inconsistent user experiences by giving them the ability to manage security policies across users depending on the location or cloud service accessed. The optimized WAN architecture connects users to the internet and cloud applications across the highest-performing links while centralizing the view of the health of all network circuits. Meanwhile, cloud-delivered security follows users wherever and however they connect.

Secure Connected Branch

This service helps organizations with distributed branch offices keep up with rising bandwidth requirements by optimizing the network on a site-by-site basis, while at the same time tracking and protecting sensitive data across the network. The solution provides highly secure, direct connections to the web and SaaS applications whether users are working at the branch or from a coffee shop. Regardless of location, security policies are consistently applied across users without the performance problems of VPN connections.

Zero Trust Enabler

This solution is a cornerstone for supporting broader zero-trust security strategies. It provides precise, identity-based permissions to validate the health of devices for every session. The unified security controls, including behavior checks and monitoring, consistently enforce security policy across users and devices. This provides the infrastructure and skilled support to roll out zero-trust security measures within and outside corporate boundaries.

Learn more about how AT&T SASE with Cisco can help your organization continue your transformative journey toward superior user experience and better protection.

What to Do If You’re Caught Up in a Data Breach

It happens with more regularity than any of us like to see. There’s either a headline in your news feed or an email from a website or service you have an account with—there’s been a data breach. So what do you do when you find out that you and your information may have been caught up in a data breach? While it can feel like things are out of your hands, there are actually several things you can do to protect yourself. 

Let’s start with a look at what kind of information may be at stake and why crooks value that information so much (it’s more reasons than you may think). 

What can get exposed in a data breach?  

The fact is that plenty of our information is out there on the internet, simply because we go about so much of our day online, whether that involves shopping, banking, getting results from our doctors, or simply hopping online to play a game once in a while.  

Naturally, that means the data in any given breach will vary from service to service and platform to platform involved. A gaming service will certainly have different information about you than your insurance company. Yet broadly speaking, there’s a wide range of information about you stored in various places, which could include:

Username and password 
E-mail address 
Phone numbers and home address 
Contact information of friends and family 
Date of birth 
Driver’s license number 
Credit card and debit card numbers, bank account details 
Purchase history and account behavior history 
Patient information (in the case of healthcare breaches) 
Social Security Number or Tax ID Number 

As to what gets exposed and when you might find out about it, that can vary greatly as well. One industry research report found that 60% of breaches were discovered in just days from the initial attack while others could take months or even longer to detect. Needless to say, the timeline can get rather stretched before word reaches you, which is a good reason to change your passwords regularly should any of them get swept up in a breach. (An outdated password does a hacker no good—more on that in a bit.) 

What do crooks do with this kind of information? 

The answer is plenty. In all, personal information like that listed above has a dollar value to it. In a way, your data and information are a kind of currency because they’re tied to everything from your bank accounts, investments, insurance payments—even tax returns and personal identification like driver’s licenses.  

With this information in hand, a crook can commit several types of identity crime—ranging from fraud to theft. In the case of fraud, that could include running up a bill on one of your credit cards or draining one of your bank accounts. In the case of theft, that could see crooks impersonate you so they can open new accounts or services in your name. Beyond that, they may attempt to claim your tax refund or potentially get ID issued in your name as well.

Another possibility is that a hacker will simply sell that information on the dark marketplace, perhaps in large clumps or as individual pieces of information that go for a few dollars each. However it gets sold, these dark-market practices allow other fraudsters and thieves to take advantage of your identity for financial or other gains.  

Most breaches are financially motivated, with some researchers saying nearly 90% of breaches are about the money. However, we’ve also seen hackers simply dump stolen information out there for practically anyone to see. The motivations behind them vary, yet could involve anything from damaging the reputation of an organization to cases of revenge.   

Noteworthy examples of data breaches 

A list of big data breaches is a blog article of its own, yet here’s a quick list of some of the largest and most impactful breaches we’ve seen in recent years: 

Facebook – 2019: Two datasets leaked the records of more than 530 million users, including phone numbers, account names, Facebook IDs, and more.
Marriott International (Starwood) – 2018: Leakage of 500,000 guest names, emails, actual mailing addresses, phone numbers, passport numbers, Starwood Preferred Guest account information, date of birth, and information about stays.
Equifax – 2017: Approximately 147 million records, including name, address, date of birth, driver’s license numbers, and Social Security Numbers were leaked, as well as credit card information for a further 200,000 victims.

Needless to say, it’s not just the big companies that get hit. Healthcare facilities have seen their data breached, along with the operations of popular restaurants. Small businesses find themselves in the crosshairs as well, with one report stating that 43% of data leaks target small businesses. Those may come by way of an attack on where those businesses store their records, a disgruntled employee, or by way of a compromised point-of-sale terminal in their store, office, or location. 

In short, when it comes to data breaches, practically any business is a potential target because practically every business is online in some form or fashion. Even if it’s by way of a simple point-of-sale machine. 

What to do if you think your information may have been exposed by a breach 

When a business, service, or organization falls victim to a breach, it doesn’t always mean that you’re automatically a victim too. Your information may not have been caught up in it. However, it’s best to act as if it was. With that, we strongly suggest you take these immediate steps. 

1. Change your passwords and use two-factor authentication 

Given the possibility that your password may be in the hands of a hacker, change it right away. Strong, unique passwords offer one of your best defenses against hackers. Update them regularly as well. As mentioned above, this can protect you in the event a breach occurs and you don’t find out about it until well after it’s happened. You can spare yourself the upkeep that involves by using a password manager that can keep on top of it all for you. If your account offers two-factor authentication as part of the login process, make use of it, as it adds another layer of security that makes hacking tougher.

2. Keep an eye on your accounts 

If you spot unusual or unfamiliar charges or transactions in your account, bank, or debit card statements, follow up immediately. That could indicate improper use. In general, banks, credit card companies, and many businesses have countermeasures to deal with fraud, along with customer support teams that can help you file a claim if needed. 

3. Sign up for an identity protection service 

If you haven’t done so already, consider signing up for a service that can monitor dozens of types of personal information and then alert you if any of them are possibly being misused. Identity protection such as ours gives you the added benefit of a professional recovery specialist who can assist with restoring your affairs in the wake of fraud or theft, plus up to $1 million in insurance coverage.

What if I think I’m the victim of identity theft? 

Our advice is to take a deep breath and get to work. By acting quickly, you can potentially minimize and even prevent any damage that’s done. With that, we have two articles that can help guide the way if you think you’re the victim of identity theft, each featuring a series of straightforward steps you can take to set matters right: 

Top Signs of Identity Theft 
How to Report Identity Theft to Social Security 

Again, if you have any concerns, take action. The first steps take only minutes. Even if the result is that you find out all’s well, you’ll have that assurance and you’ll have it rather quickly.

The post What to Do If You’re Caught Up in a Data Breach appeared first on McAfee Blogs.

Technology’s contributions toward safety in healthcare

This blog was written by an independent guest blogger.

Technology in healthcare has the potential to make all the difference in terms of safety outcomes. Right now, modern tech is pushing the envelope of what is possible in the doctor’s office and the patient’s home, as telehealth and artificial intelligence transform the landscape of medical care.

But technology isn’t always safe. Experts predict that the healthcare industry will face two to three times more cyberattacks than other industries, making cybersecurity an essential aspect of modern medicine. As we watch ransomware and other malicious cyberattacks disrupt global trade, it’s easy to remember a world less vulnerable to digital threats.

However, technology ultimately is doing more good than bad in healthcare. Tech’s contributions toward safety have revolutionized care accessibility, reach, and potential. In turn, we can look forward to safer treatments and better patient outcomes.

These are some of the most promising contributions of tech toward improving healthcare safety.

Connecting patients with accessible care

Telehealth has been a central aspect of modern care, bridging the needs of patients with safe solutions during the COVID-19 pandemic. Telehealth has proven to be immensely popular, with 65% of consumers now expecting to use it more even after the pandemic. This widespread utilization of telehealth would have been impossible without advancing technology.

Innovations from 5G networks to Internet of Things (IoT) devices are transforming how we connect and assemble data networks, in turn enabling new medical solutions. These innovations power information systems, a market expected to reach $39.7 billion in value by 2025. The value comes in through the power of these systems to collect, categorize, and assess information — all vital parts of any healthcare procedure.

Information systems and the experts that manage them both create and protect vast amounts of valuable healthcare data. With all this information stored and secured through cloud services, patients can be monitored and treated remotely.

For instance, the Michael J. Fox Foundation for Parkinson’s Research is developing web-based sensors on the Internet of Things that can track and report patient movement data and measure severity. This will allow medical professionals to gain a better understanding of their patient’s condition and how to treat it.

By connecting people with care wherever they are, tech is contributing to a safer world. Telehealth means patients don’t have to risk exposure to COVID-19 as often. Information systems are connecting patients and providers with data. And connected devices are improving medical understanding.

The more data care providers have, the better equipped they are to give patients accessible solutions designed to meet their personal needs.

Enhancing diagnostic and treatment potential

When it comes to improving safety, few technological innovations have contributed more than artificial intelligence. This category of computing now allows for all kinds of incredible processes, from machine learning to predictive analytics. AI has enhanced the medical field, given surgeons a useful tool, and revolutionized diagnostic potential.

The power of AI comes in its ability to assist us in our most grueling tasks. For instance, AI has given surgeons robotic assistants like the Da Vinci Surgical System. This robot gives the surgeon magnified vision and built-in tremor filtration that makes any surgery a more risk-free process. With these features, Da Vinci has already enhanced the safety of more than seven million procedures.

AI also excels in diagnosing conditions. CureMetrix in San Diego, for example, has developed a system that assists radiologists in analyzing mammograms. Their tech uses machine learning algorithms paired with computer vision to compare imagery. From its database of examples, the system can then detect breast cancer up to six years earlier than a human professional with as much as a 70% reduction in false positives.

With such promising safety features built into the technological revolution, the health and well-being of humanity can only improve. This might make our bodies safer, but what about our data?

Fortunately, tech has answers for that, too.

Improving security standards

Technology has given the healthcare industry a plethora of safety improvements. The benefits are clear from more equitable, accessible care to electronic medical records like those that helped scientists track and combat the coronavirus. At the same time, however, connected databases of valuable medical data represent a big risk.

This is where AI comes in. Through machine learning functions, AI cybersecurity systems are capable of comparing calls on operating systems to search for anomalies. If a problematic instance is found, the system can classify and flag the call, allowing system administrators to lock out the offender.

Fortunately, the advancement of AI has only improved these functions. Machine learning means systems can analyze vast amounts of data sets, evaluate examples of malicious attacks, and adapt to fight them. In turn, the security of medical data is enhanced.

Additionally, blockchain technology is emerging as a powerful contender in the battle for cybersecurity. These decentralized data systems lock information behind linked cryptographic hash functions. This means that for a hacker to break in, they have to use serious computing power. For storing and recording medical data safely, blockchain just might be the future.

These are just a tiny fraction of the contributions technology has made in healthcare. In the future, cloud data systems, AI diagnostics, and blockchain will all play a larger role in promoting public safety. Accessibility and quality of care will improve as a result.

For now, the role of tech in healthcare cybersecurity is one to watch. Machine learning and blockchain will battle it out for the position of the biggest contributor to healthcare safety. Whichever wins, humanity is the better for it.

The Internet is for Everyone to Enjoy—We’re Helping See to It

The internet is meant for all to enjoy. And that’s who we’re looking out for—you and everyone who wants to enjoy life online. 

We believe it’s important that someone has your back like that, particularly where some of today’s hacks and attacks can leave people feeling a little uneasy from time to time. You’ve probably seen stories about data breaches at big companies pop up in your news feed. Or perhaps you or someone you know had their debit or credit card number hacked. Problems like these are out there, unfortunate thorns in the side of the internet we’ve come to love. Yet while these issues persist, there’s plenty you can do to avoid them. 

That’s where we have your back—doing all we can to make life online enjoyable for everyone, with protection that helps people finally feel safe and stay that way. 

The reality is that nobody wants to deal with hackers, malware, and other attacks that crop up on the internet. And while it’s important to be aware of those things, we’d rather that you didn’t have to worry about them. Protection should come easy. Whether it’s keeping your banking, shopping, and streaming secure, along with your privacy and personal info too, protection should feel simple and tailored to you. That’s what we strive for.

So as you think about protecting your life online, take a moment to consider what you’re protecting. As you do, you’ll see that it means far more than protecting your computers, phones, and other devices. Ultimately, it’s about protecting you, and all the important things connected to you. You can think of it in three ways … 

1) Protect what’s precious  

What’s among the top things people say they want to protect? Their photos. Not far behind photos are all manner of digital treasures that people like to keep close, which ranges anywhere from music they’ve downloaded to old voicemails of their children, nieces, and nephews that they’ve saved over the years. Without a doubt, we have plenty of things stored on our computers and phones that we simply couldn’t do without. 

Protecting these things means protecting the devices you use to store and access them. Installing comprehensive online protection software like ours is the first step. In addition to award-winning antivirus software and firewall protection to help keep hackers at bay (and away from your photos and other precious files), it goes a step further.  

Our new Online Protection Score shows you just how safe you are and guides you through simple steps that can seal up gaps and improve your protection overall. In all, it’s a personalized and simple way to make sure you’re as protected as possible and continually make improvements as they’re needed. It’s a way of getting expert protection without being an expert.

2) Protect what’s vital 

There’s also the “Important Stuff” in life, like our financial records, tax returns, and all the banking that we do on our phones and computers. And let’s throw shopping into the mix because shopping’s important too! You can protect the important things like this, which can help keep hackers out of your business.

For starters, you can protect your important files three ways with our online protection by using a combination of the McAfee® File Lock and Shredder features to manage your privacy:  

McAfee File Lock allows you to create password-protected encrypted drives on your PC that only appear when you’ve unlocked them, perfect for storing sensitive files like tax returns and financial documents.  
And when you’re looking to dispose of sensitive files, McAfee Shredder securely deletes files so that would-be thieves can’t put the pieces back together. 

You can lock down your privacy even further with a VPN that can shield you automatically from snooping attacks online, whether at home or when using public Wi-Fi. It creates an encrypted connection that works like a private tunnel that hides your IP address and the things you’re doing online from cybercrooks. It’s ideal for keeping your sensitive personal information like your financial data, passwords, and browsing history hidden from both hackers and websites. 

And here’s another big help. A password manager. You likely have dozens of passwords, plus a few more that you’ve probably forgotten about. You can protect your passwords and the accounts associated with them with a password manager that creates and securely stores a strong, unique password for each of your accounts. Plus, you can use it to update those passwords on the regular. Few things make it tougher for hackers than strong, unique passwords that get changed often. In a time of data breaches and account theft, a password manager is a great call. 

3) Protect yourself (and your people) 

While it’s important to focus on protecting things like laptops, phones, photos, files, and data, you’re ultimately protecting something far greater: you. Your privacy, your personal information, your accounts, all the things that taken together make you—you. The thing is that our lives are more fluid and mobile than ever before. One moment we’re banking on our laptop, the next we’re splitting the cost of dinner with a payment on our phone. The constant here is you. You’re at the center of all this activity regardless of the device you’re using. The same goes for your family and the people you care about.

That’s why we protect people, not just their devices.  

McAfee Identity Protection Service monitors the dark web for your personal info such as emails and associated passwords, up to 60 different types of critical info. If we detect that your data was stolen, you’ll get immediate alerts on the devices of your choice and guidance on how to secure your info quickly and effectively. In all, you can keep tabs on your identity any time you’re connected to the internet, and if an issue crops up you can click, solve, and carry on.

Extended identity protection offers up the extra comfort of knowing that you have licensed recovery pros on the case if identity theft does happen to you. This includes monitoring and restoration services, along with identity theft insurance for lawyer fees, travel expenses, lost wages, and more. 

Protection that runs deep 

While that’s just a few of the ways McAfee has your back, we hope it gives you a good sense of what online protection should do—how it should protect you and all the things connected to you. And on today’s internet, that’s quite a bit. There’s so much to experience online today, and we believe you should enjoy all of it, freely and with the confidence that comes from knowing you’re safe. 

The post The Internet is for Everyone to Enjoy—We’re Helping See to It appeared first on McAfee Blogs.

Happy 12th Birthday, KrebsOnSecurity.com!

KrebsOnSecurity.com celebrates its 12th anniversary today! Maybe “celebrate” is too indelicate a word for a year wracked by the global pandemics of COVID-19 and ransomware. Especially since stories about both have helped to grow the audience here tremendously in 2021. But this site’s birthday also is a welcome opportunity to thank you all for your continued readership and support, which helps keep the content here free to everyone.

More than seven million unique visitors came to KrebsOnSecurity.com in 2021, generating some 12 million+ pageviews and leaving almost 8,000 comments. We also now have nearly 50,000 subscribers to our email newsletter, which is still just a text-based (non-HTML) email that goes out each time a new story is published here (~2-3 times a week).

Back when this site first began 12 years ago, I never imagined it would attract such a level of engagement. Before launching KrebsOnSecurity, I was a tech reporter for washingtonpost.com. For many years, The Post’s website was physically, financially and editorially separate from what the dot-com employees affectionately called “The Dead Tree Edition.” When the two newsrooms finally merged in 2009, my position was eliminated.

Happily, the blog I authored for four years at washingtonpost.com — Security Fix — had attracted a sizable readership, and it seemed clear that the worldwide appetite for in-depth news about computer security and cybercrime would become practically insatiable in the coming years.

Happier still, The Post offered a severance package equal to six months of my salary. Had they not thrown that lifeline, I doubt I’d have had the guts to go it alone. But at the time, my wife basically said I had six months to make this “blog thing” work, or else find a “real job.”

God bless her eternal patience with my adopted occupation, because KrebsOnSecurity has helped me avoid finding a real job for a dozen years now. And hopefully they let me keep doing this, because at this point I’m certainly unqualified to do much else.

I’d be remiss if I didn’t take this opportunity to remind Dear Readers that advertisers do help keep the content free here to everyone. For security and privacy reasons, KrebsOnSecurity does not host any third-party content on this site — and this includes the ad creatives, which are simply images or GIFs vetted by Yours Truly and served directly from krebsonsecurity.com.

That’s a long-winded way of asking: If you regularly visit KrebsOnSecurity.com with an ad blocker, please consider adding an exception for this site.

Thanks again, Dear Readers. Please stay safe, healthy and alert in 2022. See you on the other side!

Manual and semi-automated testing for IDORs using Burp Suite

This blog was written by an independent guest blogger.

This article explores how you can locate insecure direct object references (IDORs) using Burp Suite. There are two main ways to test for the IDOR flaw: manual and semi-automated. For automation, this article focuses on the Autorize plugin in Burp Suite.

What are Insecure Direct Object References (IDOR)

Silent Breach discovered an IDOR vulnerability on the US Department of Defense website in November 2020 and discreetly reported it to the DOD’s Vulnerability Disclosure Program. The flaw was fixed by adding a user session mechanism to the account setup that required users to log in to the website first.

That was one IDOR incident, but what is an Insecure Direct Object Reference?

“Insecure Direct Object References (IDOR) occurs when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example, database records or files.” – owasp.org

Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter that points to an object directly.

Access control weaknesses are the source of this vulnerability. The term IDOR became well known once it appeared in the OWASP Top Ten. However, it is really just another form of Broken Access Control.

IDORs can cause privilege escalation either horizontally or vertically. To be considered an IDOR, a flaw must meet the following requirements:

The request contains an entity identifier, whether as a GET or POST parameter.
There must be an access control flaw that gives the individual access to information they shouldn’t be allowed to see.

Examples:

GET /receipt.php?id=18
POST /privateInfo.php

{"userId":"03","name":"bob"}

GET /invoice/test.txt

We have POST and GET requests that carry an identifier. Normally, user A can only see receipts or private details that belong to him. It is an IDOR if an attacker modifies this identifier and receives the same information that user A sees.

It might appear to be a simplistic explanation of IDORs, but that is essentially how they function. The interesting part is how we could automate scanning for this. We may use either a manual or semi-automated technique.

If you are just getting started in bug hunting, I suggest manual testing initially. It’s common practice to learn how your tool works before you rely on it. You genuinely get to explore the depths of your capabilities.

Semi-automated test for IDORs

To automate the testing of IDORs, we need the Autorize plugin in Burp Suite.

You can install the Autorize plugin in Burp Suite from the Extender tab -> BApp Store.

After installing the Autorize plugin:

Navigate to your target webpage, log in as User A (test2/test), and capture the traffic.
Copy the request (cookie and header details) and paste it into the Autorize tab.

Turn on Autorize.
Go to the target webpage, log in as User B (test3/test), and capture the traffic.
Burp then makes the identical request with the given cookies and color-codes the outcomes for us.

Lastly, explore the target Web App and test every feature that requires admin credentials and is not accessible via a regular user; if you receive a Bypass/Enforced response, you have an IDOR vulnerability.

Testing IDORs manually in Burp Suite

To test the IDOR manually, I am using the PortSwigger lab here. Fire up Burp Suite and access the PortSwigger lab.

It’s good practice to set the target scope in Burp Suite. As in our case, you can add the lab URL as the target scope, or you can add only the domain name.

I usually tick the advanced scope control, as it provides us with regex options if necessary.

After setting the target scope, explore the target webshop. Browsing through the webshop reveals a variety of features. By this time, the site map should have filled up with all the various requests.

We can see various responses, but the one we’re interested in is the download-transcript.

Navigate the webshop, capture the traffic on the Proxy tab and send it to the Repeater tab.

When we modify this download-transcript number, the server does not verify that we have permission to download the file.

We should now be able to log in as the user Carlos with the password we just got. We don’t actually need to be signed in to get the documents, because this is an unauthenticated IDOR.

Conclusion

The two ways we can use to test IDORs are:

Manual testing using Burp Suite.
Semi-automated testing using Autorize Plugin from Burp Suite.

Implementing an access control system is the only genuine approach to address this vulnerability. The server must authenticate the user before it can fulfil the request.
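The replay-and-compare check that the Autorize steps describe, together with the server-side ownership check the conclusion calls for, as an added example that is not code from the article, Burp Suite or Autorize. The in-memory receipt store, session cookies, handler names and the "bypassed"/"enforced"/"inconclusive" labels are all assumptions made for this illustration.

```python
# Added example: constructed in-memory app; all names and data are hypothetical.
from dataclasses import dataclass

RECEIPTS = {17: ("userB", "receipt for userB"), 18: ("userA", "receipt for userA")}
SESSIONS = {"cookie-a": "userA", "cookie-b": "userB"}  # session cookie -> user


@dataclass
class Response:
    status: int
    body: str = ""


def receipt_vulnerable(cookie, receipt_id):
    """GET /receipt.php?id=N with the id trusted as-is (the IDOR pattern)."""
    if cookie not in SESSIONS:
        return Response(401)
    record = RECEIPTS.get(receipt_id)
    return Response(200, record[1]) if record else Response(404)


def receipt_hardened(cookie, receipt_id):
    """Same endpoint with an object-level ownership check on the server."""
    user = SESSIONS.get(cookie)
    if user is None:
        return Response(401)
    record = RECEIPTS.get(receipt_id)
    # Answer 404 for "missing" and "not yours" alike so ids cannot be enumerated.
    if record is None or record[0] != user:
        return Response(404)
    return Response(200, record[1])


def replay_check(handler, owner_cookie, other_cookie, receipt_id):
    """Replay the owner's request with another user's session and compare."""
    original = handler(owner_cookie, receipt_id)
    replayed = handler(other_cookie, receipt_id)
    if original.status != 200:
        return "inconclusive"  # baseline request did not succeed
    if replayed.status == 200 and replayed.body == original.body:
        return "bypassed"      # second user received the owner's object
    return "enforced"          # access control rejected the replay


def audit(handler):
    """Run the replay check for every receipt against every non-owner session."""
    owners = {user: cookie for cookie, user in SESSIONS.items()}
    return {(rid, user): replay_check(handler, owners[owner], cookie, rid)
            for rid, (owner, _) in RECEIPTS.items()
            for cookie, user in SESSIONS.items() if user != owner}
```

Calling `audit(receipt_vulnerable)` flags every cross-user request, while `audit(receipt_hardened)` flags none, which makes the same check usable as a regression test for the fix.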


What’s the Difference Between Identity Fraud and Identity Theft?


What’s the difference between identity fraud and identity theft? Well, it’s subtle, so much so that it’s easy to use them nearly interchangeably. While both can take a bite out of your wallet, they are different—and knowing the differences can help you understand what’s at stake.

Let’s start with an overview and a few examples of each. 

Identity fraud is … 

When someone steals or misuses your personal information to exploit an account or accounts you already have.  
Examples:  
A criminal gets a hold of your debit card information from a data breach and makes purchases with it against your bank account. 
A criminal gains access to one of your accounts via a phishing attack and misuses the funds or otherwise misuses the access associated with that account.

Identity theft is … 

When someone uses your personal information to open and abuse new accounts or services in your name—or possibly to impersonate you in other ways. 
Examples: 

A criminal uses your personal information to open a new line of credit at a retailer under your name and then makes purchases against the line of credit.  
A criminal uses your Social Security Number to create a driver’s license with their likeness but your name and personal information. 

So there’s that subtle difference we mentioned. Identity fraud involves misuse of an existing account. Identity theft means the theft of your personal information, which is then used to impersonate you in some way, such as opening new accounts in your name. 

Above and beyond those definitions and examples, a couple of real-life examples put the differences in perspective as well. 

Identity fraud in the news 

As for identity fraud, individual cases of fraud don’t always make the headlines, but that’s not to say you won’t hear about it a couple of different ways.  

The first way may be news stories about data breaches, where hackers gain things like names, emails, and payment information from companies or organizations. (Chipotle, RobinHood, and T-Mobile being recent examples.) That info can then end up in the hands of a fraudster, who then accesses those accounts to drain funds or make purchases.

On a smaller scale, you may know someone who has had to get a new credit or debit card because theirs was compromised, perhaps by a breach or by mistakenly making a payment through an insecure website or by visiting a phony login page as part of a phishing attack. These can lead to fraud as well. 

Identity theft in the news 

Identity theft took on new forms during the pandemic, as in the case of a Rhode Island man charged with nearly half a million dollars in a pandemic unemployment fraud case. Authorities allege that the man made 85 unemployment claims in 2020 using the identities of several other people.

Similarly, a Massachusetts man was sentenced for filing fraudulent claims for relief funds, as well as opening store credit accounts using fake identities. Court proceedings alleged that the personal information used to commit this fraud came from several sources, including information stolen from a realty company that collected that information from potential renters.

Identity theft can stem from the workplace as well, such as the sentencing of a Maryland man who used stolen lists of personal information from his former employer. From there, he was found guilty of garnering more than a million dollars in funds from food assistance programs and fraudulent car loans.  

Identity theft can run far deeper than these examples. Because it effectively allows someone else to pose as you, an identity thief can do more than drain your accounts. They can also claim health insurance benefits, file taxes in your name, or possibly purchase property. Further, an identity thief can potentially get a job, driver’s license, or other forms of ID in your name, which could ruin your credit history, reputation, or even create a police record in your name.

So while both identity fraud and identity theft are certainly something you want to prevent, identity theft holds the potential to affect far-reaching aspects of your life—which marks a distinct difference between the two. 

Spotting identity fraud and theft (and preventing it too) 

It usually starts with someone saying anything from, “That’s strange …” to “Oh, no!” There’ll be a strange charge on your credit card bill, a piece of mail from a bill collector, or a statement from an account you never opened—just to name a few things. 

With that, I have a few recent blogs that help you spot all kinds of identity crime, along with advice to help keep it from happening to you in the first place: 

Top Signs of Identity Theft 
How to Report Identity Theft to Social Security 
Can Thieves Steal Identities with Only a Name and Address? 
Quizzes and Other Identity Theft Schemes to Avoid on Social Media 

Keep a sharp eye out 

While there are differences between identity fraud and identity theft, they do share a couple of things in common: you can take steps to prevent them, and you can take steps to limit their impact should you find yourself faced with one or the other.  

The articles called out above will give you the details, yet staying safe begins with vigilance. Check on your accounts and credit reports regularly and really scrutinize what’s happening in them. Consider covering yourself with an —and act on anything that looks strange or outright fishy by reporting it to the company or institution in question.  

The post What’s the Difference Between Identity Fraud and Identity Theft? appeared first on McAfee Blogs.
