CAS once upon a time contained a specific integration for G Suite, which is now gone. Setting CAS up to use G Suite is not difficult, but finding the right values isn’t easy, even for a SAML 2 veteran. First, if you are migrating to the “new” CAS configuration, or adding SAML 2 to your […]
Author Archives: rfrovarp
Junk it: Office 365, you can be anyone you want
Note: The following is an intuitively obvious result of default configurations noted in the public documentation. TLDR: Office 365 turns DMARC reject actions into quarantine actions, and then throws messages in Junk folder. How email works Most of you have probably used email. And you most likely used it via one of the large email […]
Improving Video Conferencing Performance
As we head into a fall of remote learning and meetings, some may experience issues with video conferencing not working well from their home. There are several easy things you can do that can help out a lot. The FCC defines broadband Internet as 25 Mbps (megabits per second) down and 3 Mbps up. Hopefully […]
midPoint Grouper Connector 0.6 setup
midPoint is an IAM solution from Evolveum, and Grouper is an IAM solution from Internet2; together they can do wonderful things. There is a great midPoint/Grouper demo available, with a set of instructions. However, there isn’t a lot of documentation on how to implement what is done in the demo for your own production instance. […]
The Long Con presentation
Yesterday I had the privilege of presenting at The Long Con in Winnipeg. Here are the presentation slides for my Capturing WPA2 Enterprise credentials with a Pi. Later this week I should have a post up describing how to set up a Pi to do the work described in the presentation.
Ambiguous response in Duo Web
Overview Duo Security provides a range of multifactor options for developers to use in their systems. It is popular in many industries, including higher education. Issue The method for performing Duo MFA in a web page is called Duo Web. This is a fairly straightforward JavaScript that is added to a page, which brings in an IFRAME […]
Line number leak in CivicPlus
Overview CivicPlus provides a web platform for local governments. Included in this platform is the ability to send notifications to residents that opt in for those notifications. These notifications can be sent via email or SMS. They have their security FAQ, which answers several questions, except for the important one. My local municipality became a […]
Building a hacking village
NDSU IT, ND Education Technology Council, EduTech, and the ND Information Technology Department are putting on their annual ND Cyber Security conference next Thursday. I’ve spoken at this iteration of the conference twice, and was looking to put something together for this year’s conference. We had an earlier iteration, and at that one of my […]
Social Engineering Toolkit in the Hacking Village
This is the first of a series of posts describing how to perform the various types of attacks that are available to try in the Hacking Village at the ND Cyber Security Conference. These will serve as instructions during the conference, and as a resource after the conference. First up is the Social Engineering Toolkit from Dave Kennedy […]
Username only authentication in T2 Systems Parking
Overview This vulnerability was discovered in May of 2017. T2 Systems is a parking systems provider to multiple different organizations. NDSU uses it via the North Dakota University System contract. NDSU uses it to allow employees and students to buy parking permits for certain lots. According to the T2 webpage, other institutions use it to […]