"Identity is the new Perimeter"

I should have raged against this nonsense when it started to become a buzz phrase

Web-based Session management is the emperor's new clothes and identity based controls are left naked as a result.

@Enigma MFA is only target hardening. Malware on the endpoint will always be able to snag a session token post-AuthN. Hence privileged access management solutions and PAWs.
@Enigma I have “thoughts” about session token security in SPAs too. There don't seem to be similar controls to standard web apps. All the serious players like Microsoft apply hardware-based encryption on their JWTs, aka PRTs.

@Enigma @wendynather

Identity is the new perimeter.

Web session management compromise is the new stateful firewall bypass.

SAML assertions and JSON web tokens? These are the new pass-the-hash attacks.

The new is now. Same as it ever was.

@Enigma I'm joining a large expensive "zero trust" platform project... and my lord. buzzzzzzzy
@shlee @Enigma If all is well, zero trust just means more defense in depth.
@Enigma yeah, it’s frighteningly easy to bypass an IdP with MFA just by phishing-initiated endpoint compromise and stealing all the session cookies.
@Enigma Explain it like I'm new to infosec?

@developing_agent

Sure, happy to:
"Someone licks the stamp on my hand, and smooshes the ink onto the top of their hand so that they can get into the club without being checked for ID."

Authentication (logging in), even with MFA, only takes place during the initial login. After that, modern web apps issue a 'session' and 'cookie' to tell the systems that you have already proven your identity, so there is no need to check again. This is why you can reopen Firefox, go to gmail.com and be looking at your email without having to re-enter your username/password/MFA.

When someone steals that session data (sometimes as simple as a copy-paste), they can impersonate you and access all those fun "zero trust" services that have Strong Passwords, and Multi-Factor Auth, and Biometrics, and Conditional Access -- since all of these protections only come into play during that first login, everything after that bypasses the checks.
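The point made in this thread, as an added illustration that is not part of the original posts: a minimal in-memory session model in which password and MFA are checked only at login, a copied session id is accepted from anyone who presents it, and a proof-of-possession binding (a simplification of the hardware-bound token idea raised earlier, using a per-session HMAC secret that stays on the client instead of a TPM-held device key) makes the bare cookie useless on its own. The user, credentials, TTLs and the `login`/`authorize`/`make_proof` functions are all constructed for this example.

```python
"""Added example (not from the thread): why a stolen session id replays past MFA,
and a proof-of-possession binding that stops the bare cookie from being enough.
Every credential, key and timing value here is constructed for illustration."""
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 3600       # seconds a session stays valid (constructed value)
PROOF_WINDOW = 60        # seconds a proof timestamp may drift from server time (constructed)
_sessions = {}           # session id -> {"user", "key", "expires"}

# Constructed test account; a real IdP checks a password hash and a TOTP, not literals.
_USERS = {"alice": {"password": "correct horse battery", "mfa": "123456"}}


def login(user, password, mfa_code, bind=False):
    """Password and MFA are checked here and only here.

    Returns (session_id, binding_key). The session id is what goes into the cookie.
    With bind=True the client also gets a binding key that never travels in a cookie;
    in real deployments this is an asymmetric device key held in hardware, simplified
    here to an HMAC secret the server remembers alongside the session.
    """
    rec = _USERS.get(user)
    if rec is None or not (hmac.compare_digest(rec["password"], password)
                           and hmac.compare_digest(rec["mfa"], mfa_code)):
        return None, None
    sid = secrets.token_urlsafe(32)
    key = secrets.token_bytes(32) if bind else None
    _sessions[sid] = {"user": user, "key": key, "expires": time.time() + SESSION_TTL}
    return sid, key


def make_proof(sid, key, ts=None):
    """Client side: sign (session id, timestamp) with the binding key for one request."""
    ts = int(ts if ts is not None else time.time())
    mac = hmac.new(key, f"{sid}|{ts}".encode(), hashlib.sha256).hexdigest()
    return ts, mac


def authorize(sid, proof=None, now=None):
    """Server side: the only check that runs on every request after login.

    No password and no MFA here: whoever presents a valid session id (plus a valid
    proof, if the session is bound) is treated as the user.
    """
    now = now if now is not None else time.time()
    rec = _sessions.get(sid)
    if rec is None or rec["expires"] < now:
        return None
    if rec["key"] is None:
        return rec["user"]          # unbound session: the copied cookie is enough
    if proof is None:
        return None                 # bound session: cookie alone is rejected
    ts, mac = proof
    if abs(now - ts) > PROOF_WINDOW:
        return None                 # stale or replayed proof
    expected = hmac.new(rec["key"], f"{sid}|{ts}".encode(), hashlib.sha256).hexdigest()
    return rec["user"] if hmac.compare_digest(expected, mac) else None


def demo():
    """Returns what an attacker holding a copied session id gets under each model."""
    # Unbound session: the cookie lifted off the endpoint replays as the user.
    sid, _ = login("alice", "correct horse battery", "123456")
    stolen_unbound = authorize(sid)                         # "alice"

    # Bound session: the same theft yields nothing without the client-held key.
    sid, key = login("alice", "correct horse battery", "123456", bind=True)
    legit = authorize(sid, make_proof(sid, key))            # "alice"
    stolen_bound = authorize(sid)                           # None
    forged = authorize(sid, make_proof(sid, b"guessed"))    # None
    return stolen_unbound, legit, stolen_bound, forged


if __name__ == "__main__":
    print(demo())
```

The binding only helps if the key genuinely cannot be exported by malware on the endpoint, which is why the thread points at hardware-backed keys and PAWs rather than at cookie flags; an attacker who can call the key from the compromised device still gets valid proofs, just not portable ones.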