The MFA Vulnerability You May Be Missing
With the first major outbreak of malware used to exploit BlueKeep (CVE-2019-0708) on the horizon, companies need to ensure their perimeter is secure now more than ever. If you are reading this and have not yet heard about BlueKeep, you should stop right now and start submitting emergency change requests. This blog post will be here when you get back.
OK, now that you've patched your Windows hosts and blocked external RDP access (right?), we can finally get to the point of this article: bypassing multi-factor authentication (MFA) and gaining access to your internal network. We want to walk you through a recent exploit chain we discovered during an external penetration test that allowed us to take advantage of a common misconfiguration and bypass the client's Duo Security MFA solution to gain access to their Outlook Web Access (OWA) service. Wait, we can go farther than Outlook – doesn't your VPN also implement MFA? I thought so.
Here at Focal Point, we also use Duo as our Office365 and VPN MFA solution. Thankfully, the Focal Point IT department was gracious enough to temporarily turn on a certain feature in the Duo Admin console, so I could demonstrate a valid exploit chain against an otherwise secure MFA configuration. So, what's the big fuss about? Allowing employees to self-enroll devices. That's it. Go ahead and submit yet another change request to make sure it's disabled. Grab a coffee while you're at it.
Beyond the CCPA: Nevada’s New Internet Privacy Law, SB 220
As of October 1, 2019, Nevada's New Internet Privacy Law, SB 220, officially went into effect.
Nevada has marked itself as a pioneer, becoming the first state to follow California's lead and enact its own privacy legislation. On May 29, 2019, Nevada's governor approved SB 220, which amends the state's existing online privacy law for owners and operators of Internet websites or online commercial providers. Since the new law did not specify an effective date, under Nevada's default rule it automatically becomes effective on October 1, 2019. This means the law will take effect in just over 90 days, three months prior to the CCPA's effective date. In this post, we'll take a look at the newly approved Nevada law and how it compares to the CCPA.