← Hacking Humans![OWASP identification and authentication failures (noun) [Word Notes] — Hacking Humans cover](https://megaphone.imgix.net/podcasts/51fc6892-29c8-11f0-a837-efef7ddf8855/image/441b0ca2db080b93b935568d381ce462.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
Loading summary
Transcript14 lines
- [00:02]
Dave
You're listening to the Cyberwire Network powered by N2K. Worried about cyber attacks? Cyber Care from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry leading experts, so if an incident occurs, your response is is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at Cyber Care Cyberwire.
- [01:05]
Rick Howard
The word is OWASP Identification and authentication failures spelled O for open, W for Web, A for application, S for security, P for project identification for recognizing a legitimate user, authentication for validating that the legitimate user has permission to access the resource, and failures for lack of success Definition Ineffectual confirmation of a user's identity or authentication in session management Example Sentence Most identification and authentication failures occur due to the continued use of passwords as the sole identity factor origin and context Dave Wickers and Jeff Williams, working for Aspect Security, a software consultant company, published an education piece in 2003 on the top software security coding issues of the day that eventually turned into The OWASP Top 10, a reference document describing the most critical security concerns for web applications. Today, OWASP is an international team of security professionals led by the Foundation Executive director and top 10 project leader Andrew Vanderstock. OWASP ranked identification and authentication failures as number seven on their 2021 top 10 list. Hackers attempt to leverage these failures with techniques like credential stuffing and brute force attacks by taking advantage of poor password recovery processes, the storage of unencrypted passwords, the lack of two factor authentication systems, and reusing session IDs or incorrectly using them after a successful login. To counter these attacks, developers Best practices installing a multi factor authentication system, not shipping default admin credentials, checking for weak passwords, and logging failed access attempts. Nerd Reference in season one, episode one of the Best Hacker TV Show Ever, Mr. Robot Elliot, played by Rami Malek, uses a social engineering and brute force password attack to take advantage of bank of E Security's identification and authentication failures.
- [04:03]
Sam
This is Sam from Bank of E Security Fraud Department. Unfortunately, I have to inform you that your account's been compromised.
- [04:10]
Caller
What? What happened?
- [04:12]
Sam
First, before I can answer any questions, I need to verify some information. Are you still at 306 Hawthorne Avenue?
- [04:18]
Caller
Yes, apartment 2C.
- [04:20]
Dave
Great.
- [04:21]
Sam
And your security question? Favorite baseball Yankees.
- [04:26]
Caller
I don't remember this being a security.
- [04:27]
Sam
Lastly, your pet's name, Flipper.
- [04:31]
Caller
Who am I speaking to? Can I get your name and number?
- [04:35]
Sam
With those details plus a dictionary brute force attack, it'll take my program maybe two minutes to crack his password.
- [04:46]
Rick Howard
Wordnotes is written by Nyla Genoi, executive produced by Peter Kilpe and edited by John Petrick and me, Rick Howard. The mix, sound design and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.
- [05:19]
Dave
Hey, everybody, Dave here. I've talked about Delete Me before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. Deleteme keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The Deleteme team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. Deleteme also offers solutions for businesses, helping companies protect their employees personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal. 20% off your delete me plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K.