Protecting Accounts from Credential Stuffing
At USENIX Security 2019, researchers from Google and Stanford presented a paper which...
Try Duo's trusted access solution now.
Free Trial
If the world is run by little ones and zeroes and little bits of data, the Duo Labs team are the mad scientists putting ‘em to work. Not only do we have our customers’ backs by serving up deep knowledge, we’re also dedicated to protecting the Internet more generally by identifying and fixing vulnerabilities on a broader scale. What does that look like? We build, we break, we reason. Our work spans the breadth of product prototyping, Internet scale research and analysis, vulnerability research and exploit development, and applications of data science and machine learning to address security problems. As a group our core goals are to Disrupt, to Derisk, and to Democratise complex security topics and to share our innovations in ways that make the greatest possible impact.
Biometrics are great, but it’s not always clear whether a given implementation is secure. In this article, Duo looks at what properties of biometrics make them good or bad at defending against one...
Duo Labs’ CRXcavator tool used to uncover and remove a large scale campaign of malvertising Chrome extensions.
Data analysis skills are useful for anyone in a data-driven organization. Learn about how Duo’s data science team used gamification to teach data analysis skills in an interactive workshop.
Developers often have to perform cryptographic tasks without deep knowledge of the topic. We take a look at what can go wrong when bad advice on the internet turns into common implementations.
Publishing sensitive information to version control systems like GitHub is a common risk for organizations. This post explores the extent of this problem, showing multiple ways to monitor GitHub...
Duo Labs explores the communication channel between macOS and the new T2 secure boot chip. We illuminate the XPC messaging protocol and provide tools to explore it for yourself.
Duo Labs study on amplification bots: what they are and how they operate.
An in-depth look at the new secure boot feature found in T2 enabled Apple devices.
Duo Labs researchers show how an authentication weakness in Apple's Device Enrollment Program can be used to leak information and potentially enroll rogue devices in MDM servers.
With all the reports about criminals lifting information off credit cards, access cards, and even passports, does it make sense to buy one of those RFID-blocking sleeves and wallets? Duo Labs finds...
Duo Labs releases their results of a three-month long research project on identifying Twitter bots and botnets at a large scale ahead of their talk at Black Hat USA 2018, along with plans to...
The security research team at Duo known as Duo Labs has published a research paper on Apple’s EFI firmware security - learn more about their findings and recommendations, including a link to...
It's not just S3 buckets that are exposed. Duo's security research team found a number of other publicly available Amazon Web Services (AWS) resources, including cloud backup and misconfigured...
Duo's security team explores how the T2 coprocessor is being used by Apple and how it fits into the larger system security model, as well as how this may evolve in the future.
Duo Labs security researchers show how to bypass microcontroller interfaces used for internet of things (IoT) devices - these invasive attacks require physical access to typical microcontrollers.
Duo Labs performed an analysis of Objective-C binaries running on managed macOS endpoints in enterprise environments, using the Interactive Disassembler (IDA Pro) to perform disassembly and...
An examination of 12 popular web services show distinct differences in how different providers implement account recovery. They all have different options, but Facebook and GitHub offers some of...
The Duo Labs team analyzes the Bluetooth security of several different personal protection devices to shed light on how secure these devices are, and if they can be tracked remotely or reveal...
When it comes to Internet of Things (IoT) security research, you may run into roadblocks examining Bluetooth pairing and encryption between older devices and new ones - this blog post explains what...
In a technical paper released today, Duo Labs details research into two personal protection devices based on ARM Cortex M microcontrollers. These devices allow wearers to notify people of their...
Duo Labs conducted a U.S.-census-representative survey to learn more about two-factor authentication (2FA) usage, how people learned about it, which technologies they’ve used as as a second factor,...
In a technical paper released today, Duo Labs details the results of a month-long experiment in which we hunted and analyzed over 3,200 unique phishing kits.
The Duo Labs security research team compares the features and capabilities of several Bluetooth scanners and software to best assist you in your security and IoT research.
Duo Labs analyzes npm packages and how attackers can use malicious packages to gain access to and control over systems.
We're excited to announce two new open-source tools designed to help administrators prevent, manage, and respond to phishing attacks against their organization - IsThisLegit and Phinn.
In his latest bit of odd research, Duo Labs' Mark Loveless takes a closer look at IoT as he pulls apart a wireless drill, bit by bit.
Back in April, Google announced that it will be shipping Headless Chrome in Chrome 59. Since the respective flags are already available on Chrome Canary, the Duo Labs team thought it would be fun...
Here we explore the implementation of a legacy, but still actively marketed, wireless physical security system as well as how it undermines more advanced security controls. Several vulnerabilities...
This peach pit implements the HTTP/2 protocol RFC-7540 and is targetted at Microsoft Edge. It has been run through about 150,000 iterations and traffic samples within this release were generated...
This summer during DEF CON 24, Duo traveled to the Mojave Desert to launch a tricked-out weather balloon in pursuit of the first two-factor authentication push from the boundary of space. Find out...
Shovelware, crapware, bloatware, “value added” - it goes by a lot of names - whatever you call it, most of it is junk (please, OEMs, make it stop). The worst part is that OEM software is making us...
Security research team, Duo Labs, dissects OEM laptops to find out how secure they are - learn more about the privacy and security issues they found with laptop default settings, data collection...
X-Ray is an app anyone can download that safely scans for vulnerabilities on your Android phone or tablet, allowing you to assess your current mobile security risk.
Recently, Duo Labs security researchers found a few sketchy certificates on a Dell Inspiron 14 laptop we purchased last week to conduct a larger research project. And we weren’t the only ones - a...
Today, the Duo Labs team is publishing a research paper on the limitations of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) when applied to processes running under WoW64. Time and time...
The vulnerability disclosure debate has been raging since as far back as the 19th century - and the solution can't be solved simply. But here's some of the more notable disclosure moments in...
A new and serious vulnerability has been identified in a popular software library. How do we know it's serious? Because the vulnerability has a clever name, sweet logo, and as much hype as we can...
We’ve set up a site where you can check the leaked Adobe data for affected users in your organization. If you haven’t already, it would be a good idea to reset the passwords for any affected users,...
Duo Security Researchers Uncover Bypass of PayPal’s Two-Factor Authentication
Earlier this month, RFP from BlueBox published a sneak preview of his upcoming BlackHat talk, detailing a vulnerability in the Android platform that affects nearly all Android devices. Soon after,...
An attacker can bypass Google's two-step login verification, reset a user's master password, and otherwise gain full account control, simply by capturing a user's application-specific password (ASP).
VPN Hunter is a service that discovers and classifies the VPNs and other remote access services of any organization. Given their nature, remote access services inherently must hang off the public...
If you're an administrator who runs a website or service where your users are logging in with only a password, now is the time to beef up your security with some strong two-factor authentication....
What else is Duo Labs thinking about? Find out at our Tech Talks, where our security researchers give the inside scoop on their latest projects and host experts from across the industry showcasing their own cutting-edge work.
At USENIX Security 2019, researchers from Google and Stanford presented a paper which...
Noise is a framework that can be used to construct secure channel protocols. Noise...
In this article we explore some of the context of threshold cryptography while also...
Do you like tinkering with tech and deconstructing it for discovery’s sake? Think security can make a serious impact but you don’t take yourself too seriously? Want to work on wild, unthinkable ideas? You might be the right match for Duo Labs’ band of misfits. Visit the Duo careers page to see how we’re looking to grow our team.
Eldridge Alexander is a Manager of Duo Labs where he focuses on next generation authentication and authorization technologies. Before Duo, he had a diverse work history across security, enterprise IT, web design and video production. He graduated from Middle Tennessee State university with a degree in Electronic Media Communications.
Olabode is a Data Scientist at Duo Security where he wrangles data, prototypes data-related features, and makes pretty graphs to support engineering, product management, and marketing efforts. Prior to Duo, Olabode studied usable security at the University of Florida. When he’s not at work, he spends his time exploring data involving topics such as sports analytics, relative wages and cost of living across the United States.
Developers often have to perform cryptographic tasks without deep knowledge of the topic. We take a look at what can go wrong when bad advice on the internet...
Duo Labs study on amplification bots: what they are and how they operate.
Duo Labs releases their results of a three-month long research project on identifying Twitter bots and botnets at a large scale ahead of their talk at Black...
Duo Labs conducted a U.S.-census-representative survey to learn more about two-factor authentication (2FA) usage, how people learned about it, which...
James Barclay was formerly a Senior R&D Engineer at Duo Labs, the advanced security research and analysis team at Duo Security. Prior to joining Duo, James was a Tools Engineer at Pinterest, and an IT consultant focused on endpoint security before that. He's contributed to a handful of open-source projects, and has been called an Apple nerd once or twice.
Developers often have to perform cryptographic tasks without deep knowledge of the topic. We take a look at what can go wrong when bad advice on the internet...
Duo Labs researchers show how an authentication weakness in Apple's Device Enrollment Program can be used to leak information and potentially enroll rogue...
Ernest is a Data Scientist at Duo. He works on building and prototyping machine learning features. Previously he was a Data Scientist at Civitas Learning, an Edtech start-up based in Austin. In his free time he enjoys climbing, playing guitar, reading, and lecturing his mother on why it's a bad idea to share passwords over unencrypted chat apps (she never listens).
Data analysis skills are useful for anyone in a data-driven organization. Learn about how Duo’s data science team used gamification to teach data analysis...
From launching high altitude balloons into near-space to developing automated crash dump analysis tools for DARPA, Mikhail has been making and breaking things for the majority of his life. Acting as a Principal Security Researcher at Duo Labs Mikhail brings a wealth of reverse engineering and security consulting experience to bear looking at interesting attack surfaces in new and emerging technologies while blowing a few things up along the way.
Duo Labs explores the communication channel between macOS and the new T2 secure boot chip. We illuminate the XPC messaging protocol and provide tools to...
An in-depth look at the new secure boot feature found in T2 enabled Apple devices.
Duo Labs security researchers show how to bypass microcontroller interfaces used for internet of things (IoT) devices - these invasive attacks require...
We're excited to announce two new open-source tools designed to help administrators prevent, manage, and respond to phishing attacks against their...
Maggie is a Data Scientist at Duo Security as part of the Duo Labs team. Prior to Duo, Maggie worked for various security organizations in both the private and public sector, most recently at a cyber risk startup in the Bay Area. She studied electrical engineering and applied mathematics at Stanford University.
Jeremy is a researcher on the Duo Labs team who enjoys working towards the death of the password. He believes usability is just as important as strong security. He prefers understanding and education to security-by-checkbox.
Biometrics are great, but it’s not always clear whether a given implementation is secure. In this article, Duo looks at what properties of biometrics make...
Duo Labs explores the communication channel between macOS and the new T2 secure boot chip. We illuminate the XPC messaging protocol and provide tools to...
Adam is Principal Security Architect at Duo Security, where he is responsible for leading Duo's security engineering practice. He has spent nearly a decade building secure systems, protocols, and culture (and occasionally veering into security research) at a variety of start-ups.
A new and serious vulnerability has been identified in a popular software library. How do we know it's serious? Because the vulnerability has a clever name,...
An attacker can bypass Google's two-step login verification, reset a user's master password, and otherwise gain full account control, simply by capturing a...
Mike leads all security research, development and operations functions at Duo. Prior to Duo, Mike was a senior member of the technical staff at CERT/CC, working on applied R&D programs for the US Department of Defense and the Intelligence Community. He has a master’s degree in information security policy and management from Carnegie Mellon University and a bachelor’s degree in economics from Michigan State University.
Brian Lindauer leads Duo Security’s Data Science & Engineering organization, developing new data-driven approaches to improve security and usability for Duo’s users. Previously, he was a research scientist in the CERT Division of Carnegie Mellon University's Software Engineering Institute.
Steve is the Director of Security Research at Duo Labs, where he is responsible for our team of crazy researchers. Steve brings more than 20 years of Information Security experience including roles at various product companies, consultancies and research teams.
X-Ray is an app anyone can download that safely scans for vulnerabilities on your Android phone or tablet, allowing you to assess your current mobile...
Ed has seemingly always been drawn to technology like a moth to flame, and is now happily the Senior Technical Project Manager for Duo Labs. He has previously spent time at Google, and his own consulting business. Ed has written books focusing on the underbelly of Mac management, and is a frequent speaker at tech conferences around the world. He is waiting for the day that the Internet connects the human race in peace and harmony.
Stefano is a Senior Data Scientist at Duo Labs. He comes from the world of astrophysics, where he hunted for exoplanets, built Star Wars-like planetary systems, and smashed virtual cosmic orreries from the relative safety of his laptop/supercomputer. At Duo, he works on solving equally astronomically difficult problems in security armed with machine learning models and a data-driven mindset.
Nick Mooney is a Senior R&D Engineer at Duo Security as part of the Duo Labs team. Prior to arriving at Duo, Nick studied Computer Science at the University of Washington in Seattle. Outside of security research, Nick is passionate about boats, islands, and youth outdoor/wilderness education.
Developers often have to perform cryptographic tasks without deep knowledge of the topic. We take a look at what can go wrong when bad advice on the internet...
Publishing sensitive information to version control systems like GitHub is a common risk for organizations. This post explores the extent of this problem,...
Jon is the co-founder and CTO of Duo Security, responsible for leading product vision and the Duo Labs advanced research team. Before starting Duo, Jon was a self-loathing academic, completing his PhD at the University of Michigan in the realm of cloud security. In a prior life, Jon enjoyed offensive security research and generally hacking the planet. Jon was recently named to Forbes "30 under 30" list for his mobile security hijinks.
VPN Hunter is a service that discovers and classifies the VPNs and other remote access services of any organization. Given their nature, remote access...
If you're an administrator who runs a website or service where your users are logging in with only a password, now is the time to beef up your security with...
Baron Oldenburg is a Senior Security Researcher as part of the Duo Labs team. From his early years developing skill acceleration engines for video games to his later years working on DARPA projects, Baron has variously done security consulting, run research teams, and been the technical lead for a product stack that ranged from x86 to Java and everything in between. Outside of security research, Baron's interests include Argentine tango, robots, and making substandard electronic music.
Rich Smith is the Director of Duo Labs and leads Duo Security's advanced research and development agenda. Prior to joining Duo Rich was the Director of Security at Etsy and co-founder of Icelandic security startup Syndis, he has also held various roles on security teams at Immunity, Kyrus, Morgan Stanley, and HP Labs. Rich has worked professionally in the security space since the late 90’s in a number of roles including building security organizations, security consulting, penetration testing, red teaming, exploit development and attack tooling. Rich is a regular speaker at security conferences worldwide and spends his time between Detroit, Reykjavik, and NYC.
The security research team at Duo known as Duo Labs has published a research paper on Apple’s EFI firmware security - learn more about their findings and...
Nick Steele has been making and breaking things on wide area networks for 10 years. Since finishing his degree in cognitive science, he has worked on a range of projects, all mostly related to computers. He is interested in user authentication and behavior, web development, and anchovy pizza.
Bronwyn is a Senior Data Scientist at Duo, where she tries to understand the world through data, and teach machine learning models to do the same. Prior to joining Duo she worked as a research scientist in the security, natural language processing, and neuroscience domains. She earned her PhD in Statistics and Neural Computation at Carnegie Mellon University before leaving academia to throw data and statistics at any problem that wanders by.
Jordan Wright is Principal R&D Engineer at Duo Security as a part of the Duo Labs team. He has experience on both the offensive and defensive side of infosec. He enjoys contributing to open-source software and performing security research.
Publishing sensitive information to version control systems like GitHub is a common risk for organizations. This post explores the extent of this problem,...
Duo Labs study on amplification bots: what they are and how they operate.
In a technical paper released today, Duo Labs details the results of a month-long experiment in which we hunted and analyzed over 3,200 unique phishing kits.
Duo Labs analyzes npm packages and how attackers can use malicious packages to gain access to and control over systems.
