CyberSecurityRecap: Vulnerability: Apache Tomcat Remote Execution of Arbitrary Code

Apache Tomcat has a vulnerability that allows remote execution of arbitrary code. See CVE-2019-0232. The suggested mitigation is to disallow the passing of command line arguments. Disallow is the default setting from v9.0.18 forward.
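The setting behind the mitigation is the CGI servlet's `enableCmdLineArguments` init parameter in Tomcat's web.xml (the CGI servlet is off unless it is declared and mapped; the command line argument passing it controls is what CVE-2019-0232 abuses on Windows hosts). The following is an added example, not code from the post or from the Tomcat project: a small Go audit that parses a web.xml, finds any `org.apache.catalina.servlets.CGIServlet` declaration, and reports whether command line arguments are enabled. The two embedded web.xml documents are constructed samples, one with the weak setting and one hardened; the servlet name `cgi` and the `/cgi-bin/*` mapping are assumptions for the sample.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

const cgiServletClass = "org.apache.catalina.servlets.CGIServlet"

// Constructed sample of the weak configuration: CGI servlet declared, mapped,
// and enableCmdLineArguments explicitly true (the pre-9.0.18 default).
const weakWebXML = `<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
</web-app>`

// Hardened form of the same constructed sample: the only change is the
// enableCmdLineArguments value, which is the mitigation the post describes.
var hardenedWebXML = strings.Replace(weakWebXML,
	"<param-value>true</param-value>", "<param-value>false</param-value>", 1)

// Minimal web.xml shape. Tags without a namespace match elements in any
// namespace, so both the javaee and the older java.sun.com schemas parse.
type webApp struct {
	Servlets []servlet `xml:"servlet"`
}

type servlet struct {
	Name   string      `xml:"servlet-name"`
	Class  string      `xml:"servlet-class"`
	Params []initParam `xml:"init-param"`
}

type initParam struct {
	Name  string `xml:"param-name"`
	Value string `xml:"param-value"`
}

// Finding is one CGI servlet declaration and what it means for CVE-2019-0232.
type Finding struct {
	Servlet     string
	CmdLineArgs string // "true", "false", or "" when the parameter is absent
	Verdict     string // VULNERABLE, OK, or CHECK-VERSION
}

// AuditCGIServlets returns one Finding per CGIServlet declaration in a web.xml.
// An absent parameter falls back to the container default, which is false only
// from 9.0.18 onward, so the caller must check the Tomcat version in that case.
func AuditCGIServlets(webXML string) ([]Finding, error) {
	var app webApp
	if err := xml.Unmarshal([]byte(webXML), &app); err != nil {
		return nil, err
	}
	var out []Finding
	for _, s := range app.Servlets {
		if strings.TrimSpace(s.Class) != cgiServletClass {
			continue
		}
		f := Finding{Servlet: strings.TrimSpace(s.Name)}
		for _, p := range s.Params {
			if strings.TrimSpace(p.Name) == "enableCmdLineArguments" {
				f.CmdLineArgs = strings.ToLower(strings.TrimSpace(p.Value))
			}
		}
		switch f.CmdLineArgs {
		case "true":
			f.Verdict = "VULNERABLE"
		case "false":
			f.Verdict = "OK"
		default:
			f.Verdict = "CHECK-VERSION"
		}
		out = append(out, f)
	}
	return out, nil
}

func main() {
	for label, doc := range map[string]string{"weak": weakWebXML, "hardened": hardenedWebXML} {
		findings, err := AuditCGIServlets(doc)
		if err != nil {
			panic(err)
		}
		for _, f := range findings {
			fmt.Printf("%-8s servlet=%q enableCmdLineArguments=%q verdict=%s\n",
				label, f.Servlet, f.CmdLineArgs, f.Verdict)
		}
	}
}
```

Point the function at the contents of `conf/web.xml` and each application's `WEB-INF/web.xml`; a host with no CGIServlet declaration at all produces no findings, which is the expected state on a default install.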

Keywords: CyberSecurityRecap, Apache Tomcat remote code execution vulnerability.

Troy Frericks.
blog 16-Apr-2019
troyf<at>CyberSecurityRecap.com
=
Copyright 2015-2019 by Troy Frericks, http://cybersecurityblog1.frericks.us/.
#

Friday CyberSecurityRecap, Better Than 2FA: SQRL Authenticator

SQRL Authentication is the new kid on the block as far as insanely secure authentication goes. It allows you to log into your web sites by pointing your smart phone's camera at the screen. Just unlock your phone with the SQRL Authenticator app running, point your smart phone's camera at the computer screen, and you are logged in. No password is required, but it can be combined with a password to make 2FA (Two Factor Authentication). That's really not necessary, as a strong password is required to unlock the functionality of SQRL on the client smart phone.

SQRL works as a username/password replacement by scanning a QR Code on the home page of a web site. A QR Code is just a different way of moving data (here, a unique URL) from the computer screen to the smart phone. SQRL could have moved the URL via USB, Near Field Communications (NFC), Bluetooth, or any other way to get a string of characters from the computer to the smart phone, but chose the QR Code as it was most convenient.

Once the smart phone app receives the URL from the computer screen, it (the smart phone app) connects to that URL. The connection is made via the Internet. The app and the web site then exchange data and validate each other using public key cryptography and hashing functions to complete the authentication.
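To make the exchange concrete, here is an added example that models the mechanism just described; it is not GRC's reference implementation or any code from the post, and it simplifies the real protocol. It follows SQRL's published design in two respects I am confident of: the phone holds one master key and derives a separate Ed25519 key pair per site by HMAC-SHA256 of the site's domain, and the site stores only public keys, never a password or secret. The `sqrl://` URL shape, the `nut` parameter name for the one-time nonce, the message layout, and the domain name `example.com` are assumptions for the model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// DeriveSiteKey models the phone's per-site identity. The master key never
// leaves the phone; each site sees a key pair seeded by HMAC-SHA256(master, domain),
// so two sites cannot correlate the same user.
func DeriveSiteKey(master []byte, domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte seed
}

// Challenge is what the site encodes in its QR code: its domain and a one-time nonce.
type Challenge struct {
	Domain string
	Nonce  string
}

// URL is the string the QR code carries and the phone connects to (assumed layout).
func (c Challenge) URL() string {
	return fmt.Sprintf("sqrl://%s/login?nut=%s", c.Domain, c.Nonce)
}

// Response is what the phone posts to that URL: its site-specific public key
// and a signature over the challenge URL it scanned.
type Response struct {
	PublicKey ed25519.PublicKey
	Signature []byte
}

// ClientRespond is the phone's side: derive this site's key and sign the challenge.
func ClientRespond(master []byte, c Challenge) Response {
	priv := DeriveSiteKey(master, c.Domain)
	return Response{
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, []byte(c.URL())),
	}
}

// Site is the server's side. It holds no secrets: only outstanding nonces and
// the public keys it has seen before.
type Site struct {
	Domain string
	nonces map[string]bool
	users  map[string]bool
}

func NewSite(domain string) *Site {
	return &Site{Domain: domain, nonces: map[string]bool{}, users: map[string]bool{}}
}

// NewChallenge issues a fresh random nonce to show in the QR code.
func (s *Site) NewChallenge() Challenge {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(b)
	s.nonces[n] = true
	return Challenge{Domain: s.Domain, Nonce: n}
}

// Verify accepts a response only if the challenge is this site's, the nonce is
// still outstanding, and the signature verifies under the presented public key.
// The hex public key is the user's identity at this site.
func (s *Site) Verify(c Challenge, r Response) (string, bool) {
	if c.Domain != s.Domain || !s.nonces[c.Nonce] {
		return "", false
	}
	if len(r.PublicKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(r.PublicKey, []byte(c.URL()), r.Signature) {
		return "", false
	}
	delete(s.nonces, c.Nonce) // single use: a replayed response fails
	id := hex.EncodeToString(r.PublicKey)
	s.users[id] = true
	return id, true
}

// Known reports whether this public-key identity has logged in before.
func (s *Site) Known(id string) bool { return s.users[id] }

func main() {
	master := make([]byte, 32) // constructed master key; a real client stores this encrypted
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	site := NewSite("example.com")
	ch := site.NewChallenge()
	id, ok := site.Verify(ch, ClientRespond(master, ch))
	fmt.Println("login ok:", ok, "identity:", id)
	other := DeriveSiteKey(master, "example.org").Public().(ed25519.PublicKey)
	fmt.Println("different key at another site:", hex.EncodeToString(other) != id)
}
```

The two properties worth noticing are the ones that matter for a breach: the site's user table contains only public keys, so a dump of it yields nothing to replay elsewhere, and the nonce is consumed on first use, so a captured response cannot be submitted twice.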

Many of the other authenticator algorithms have a choice of applications that implement the algorithm. For example, the TOTP algorithm is implemented in applications from Google and LastPass, just to name a couple. Applications are also available on multiple platforms.

SQRL is no different. Search your app store for "sqrl" to obtain a choice of the latest SQRL client apps. If you're looking to implement SQRL on your web site, in your framework, or in your identity management tool, see grc.com for their many reference implementations, written in any programming language you would need.

SQRL was created by Steve Gibson of GRC in conjunction with a team of thousands of security researchers.

Keywords: CyberSecurityRecap, Better Than 2FA SQRL Google Authenticator Okta Verify Windows Hello Windows Authentication Microsoft Authenticator two factor authentication multi factor authentication MFA Web Authentication for U2F Duo Dueo Yubikey Yubakey Yubekey On-Prem MFA RSA SecurID SQRL Authentication Security Question Security Questions Windows Hello Windows Authentication Microsoft Authenticator SMS Authentication MMS Authentication U2F Security Key FIDO Two Step Authentication TSA Multi Step Authentication MSA Email Authentication E-mail Authentication Symantec VIP Voice Call Authentication Phone Call Authentication


Troy Frericks.

blog 22-Mar-2019
troyf<at>CyberSecurityRecap.com
=
Copyright 2015-2019 by Troy Frericks, http://cybersecurityblog1.frericks.us/.
#