WinMagic Discovered a Flaw in TLS and FIDO

WinMagic Discovered a Flaw in TLS and FIDO

Introduction In the ever-evolving landscape of cybersecurity, SSL/TLS has emerged as the preeminent security protocol, fortifying trillions of daily interactions through HTTPS across web browsers. The TLS protocol, meticulously developed by some of the brightest minds in the industry, stands as the bedrock of internet security, setting the gold standard for safeguarding data during transmission.…

Open Letter Addressing NSA and CISA New IAM Guidance Document

WinMagic applauds the joint NSA and CISA effort in creating the document “Developer and Vendor Challenges: Identity and Access Management.” The file provides pragmatic help to the community of vendors and developers and will benefit them greatly. For our part, we’d like to offer the below suggestions. We’ve categorized our suggestions into two sections —…

Tackling the Caesars and MGM Hacks with Secure Authentication Fallback

Early September 2023, two of the world’s largest casino hotel companies — MGM Resorts and Caesars — were struck by ransomware attacks. In the week after, Caesars stated that the company had been a victim of “a social engineering attack on an outsourced IT support vendor used by the Company.” The hackers exploited a weak…
MFA and Zero-Trust Misconceptions Prevent Effective Solutions

MFA and Zero-Trust Misconceptions Prevent Effective Solutions

The WinMagic team believes we can revolutionize the cybersecurity of the world. Our latest authentication solution, MagicEndpoint, is ready to deliver the most secure authentication with the best user experience. Incredible? Unbelievable? Yes. Not because we can do magic, but because we recognized some misconceptions that prevented previous solutions from being effective. What are these…
new passwordless authentication

A more secure “client” for passwordless authentication

In this article, I’ll introduce a new passwordless authentication thought process: an entirely new “entity” that advanced passwordless solutions should use to achieve maximum security for businesses. If you’ve followed my past blogs, you might have noticed that I’ve addressed how using multi-device FIDO key authentication weakens FIDO security. The National Institute of Standards and…
The "Self-driving" endpoint frees users from Authentication to online services

The “Self-driving” endpoint frees users from Authentication to online services

Cybersecurity is top of mind for IT users. Among all the participants in the authentication chain – networks, applications, servers, endpoints, and users – users seem to be the weakest link, having caused account takeover, which cost organizations millions of dollars. Businesses spend on the helpdesk, password reset, password managers, MFA, and IdP/IAM to mitigate…
I like passwords

I LIKE PASSWORDS

Like you, I want freedom, I want control of my life… and I like passwords. They give me the freedom to use what only I know, independent of what I am or what I have. I can change my password often, and to the extent that no one can guess what I use as my…
Solutions for the SolarWinds Attackers

Proposing Solutions for the SolarWinds Attackers’ MFA Bypass (Part 2)

In our previous article in this series, we highlighted a very serious threat to networks of all kinds: The hackers presumed to be behind the large-scale breach of SolarWinds’ Orion platform have also been linked to an attack that compromised a multi-factor authentication system. By gaining read access to  the MFA server, it’s possible for…
Can we prevent the SolarWinds attacks’ associated MFA bypass?

Can the SolarWinds’ MFA bypass attacks be prevented?

The SolarWinds attack has been in the news a lot lately. In short, bad actors managed to inject an update to the SolarWinds Orion platform with malware, compromising the popular network software. Since Orion runs on thousands of internal networks worldwide, attackers potentially gained privileged access to countless servers. While SolarWinds has since scrubbed the…
keyboard_arrow_up