CatsCrdl

CatsCrdl

Daniel's thoughts on infosec and trading

Regarding SMS 2FA

Responding to Tavis Ormandy's comments on SMS 2FA

Daniel Wyleczuk-Stern

4-Minute Read

Two Factor Authentication

I think an important question that Tavis either explicitly or accidentally omitted is “for whom”. I am not sure why he did not include this as it’s a critical component to his argument. If Tavis is stating that “SMS 2FA is ineffective for an enterprise”, then I would agree. The threat model that he is operating from is that an organization is being explicitly targeted by a motivated (though not necessarily extremely capable) attacker, who only needs minimal access…

Open Source SaaS Reconnaissance Utilizing Subdomains

Investigations into enumeration of an organization's SaaS tooling

Daniel Wyleczuk-Stern

4-Minute Read

SaaS

On a recent Purple Team engagement, I was accessing the client’s Splunk cloud instance. Being my normal typo-filled self, I fat fingered the URL and went to clieent.splunkcloud.com instead of the correct client.splunkcloud.com. Instead of being redirected to the login portal, I received a DNS resolution error, fixed the typo, and moved on. A little while later, I was thinking about the typo again and wondered how this information leakage could be utilized by an attacker. To backup a little, a…

Recent Posts

Category

About

A random collection of thoughts on cybersecurity and finance.