Les Bell and Associates Pty Ltd
Blog entries about Les Bell and Associates Pty Ltd
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Yet Another Bit Flipping Attack
Many readers doubtless remember the consternation caused by the revelation of the RowHammer attack on dynamic RAM (DRAM) modules back in 2015. Dynamic RAM cells consist of a single transistor and a capacitor which is charged up to represent a one, so that its positive end reads 5V or 3.3V, and discharged to 0V to represent a zero. In order to minimize the number of address pins on each chip, the memory cells are organized into rows and columns, and a complete cell address is typically multiplexed, with one half of the complete address being used to identify the row while the other half addresses the column, thereby addressing the cell.
The charge on the capacitor will, however, gradually drain away, so a refresh controller circuit will periodically - at most every 64 ms - read a row of memory and then rewrite it, recharging the capacitors which need it. But the increasing density of DRAM chips has led to a related problem: the electrostatic field of the capacitor can affect neighbouring cells. This was identified in 2014 by researchers from Carnegie Mellon University and Intel, who presented a paper - Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors - at that year's Annual International Symposium on Computer Architecture showing that repeated reads of a row can affect the adjacent rows, causing corruption (Kim et al., 2014). However, they saw this as a reliability problem, and not specifically a security problem.
The stakes were raised the following year, when a couple of Google Project Zero researchers figured out a way to use this technique in a privilege escalation attack (Seaborn and Dullien, 2015) which they dubbed RowHammer. The attack defeats the page-based memory protection features of the processor; for example, it can be used to flip bits in a 4 KB page which belongs to a privileged process and would not normally be accessible to the attacker.
RowHammer works by performing thousands or even hundreds of thousands of reads of two different rows in the same bank of RAM adjacent to the row which the attacker wants to flip - the victim row. Since a bank of RAM has only a single row buffer for output, each read activates the relevant row to reload the row buffer (repeatedly hammering a single row would only activate it once). Another complication is that the processor's own cache would normally keep a copy of the read values, but a couple of clflush instructions will flush the cached copies, forcing a read of the DRAM.
The result is flipped bits in the target row. Of course, there's a bit more to it, but that's the basic idea, and the Project Zero researchers were able to demonstrate code that broke out of the Chrome Native Client sandbox, as well as a Linux privilege escalation attack which worked by flipping a bit in an x86 page table entry to gain access to the attacking process's own page table, thereby allowing privileged access to all physical memory.
Naturally, the semiconductor industry has not taken this lying down, introducing mitigations into their DRAM circuit designs - and as so often happens in security, this has turned into an escalating arms race as researchers have developed workarounds. For example, DDR3 memory added extra bits onto the rows, using Hamming codes to provide error checking and correction (ECC); ECC used to be a common feature of mainframe and high-end server memory but the reliability of modern chips had led to many dropping it. But once DDR3 became available, it didn't take long for researchers to come up with another RowHammer variant which defeats it.
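The ECC mentioned above is worth seeing in action, because it also shows why it is only a partial defence. The following is an added example, not code from the original post or from any of the cited papers: a small extended Hamming (SECDED, single-error-correct / double-error-detect) encoder and decoder of the kind used to protect DRAM words, run over a constructed 8-bit data word with one, then two, disturbed bits.

```python
from typing import List, Tuple

def hamming_encode(data: List[int]) -> List[int]:
    """Extended Hamming (SECDED) encoder.

    Returns the codeword as a list of bits. Index 0 holds an overall
    parity bit; indices 1..n hold a classic Hamming code with parity bits
    at the power-of-two positions and data bits everywhere else.
    """
    m = len(data)
    r = 0
    while (1 << r) < m + r + 1:          # smallest r with 2^r >= m + r + 1
        r += 1
    n = m + r
    code = [0] * (n + 1)
    bits = iter(data)
    for pos in range(1, n + 1):
        if pos & (pos - 1):              # not a power of two: a data position
            code[pos] = next(bits)
    for i in range(r):
        p = 1 << i                       # parity bit p covers every position with bit p set
        code[p] = sum(code[pos] for pos in range(1, n + 1)
                      if pos & p and pos != p) & 1
    code[0] = sum(code[1:]) & 1          # overall parity over the Hamming word
    return code

def hamming_decode(code: List[int]) -> Tuple[str, List[int]]:
    """Return (status, data). status is 'ok', 'corrected' or 'uncorrectable'."""
    n = len(code) - 1
    syndrome = 0
    for pos in range(1, n + 1):          # XOR of the positions holding a 1
        if code[pos]:
            syndrome ^= pos
    overall = sum(code) & 1
    fixed = list(code)
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:
        # A single flip: the syndrome names its position; syndrome 0 here
        # means the overall parity bit (index 0) itself flipped.
        fixed[syndrome] ^= 1
        status = "corrected"
    else:
        # Even number of flips: overall parity looks fine but the syndrome
        # is non-zero, so the word is known bad and must not be trusted.
        status = "uncorrectable"
    data = [fixed[pos] for pos in range(1, n + 1) if pos & (pos - 1)]
    return status, data

def disturb(code: List[int], positions: List[int]) -> List[int]:
    """Model read-disturbance by flipping the given codeword positions."""
    out = list(code)
    for p in positions:
        out[p] ^= 1
    return out

def check_after_flips(data: List[int], positions: List[int]) -> Tuple[str, bool]:
    """Encode, flip, decode; report the decoder's verdict and whether the data survived."""
    status, recovered = hamming_decode(disturb(hamming_encode(data), positions))
    return status, recovered == data

if __name__ == "__main__":
    word = [1, 0, 1, 1, 0, 0, 1, 0]       # constructed sample data word
    for flips in ([], [5], [0], [3, 7]):
        print(flips, check_after_flips(word, flips))
```

A single flipped bit is silently corrected and a pair of flips is reported as uncorrectable, which is what the memory controller needs in order to raise a machine-check rather than hand bad data to the CPU. Three or more flips in the same word can be miscorrected into a different, valid-looking codeword, which is why ECC raises the bar for disturbance errors without removing them.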
DDR4 therefore includes an additional feature called Target Row Refresh (TRR). This monitors the number of times a row is accessed and when it exceeds a target threshold, it refreshes adjacent rows to guard against bit flipping. Problem solved, right?
Wrong. A new attack defeats TRR by combining the repeated reads of RowHammer with its own new approach (Luo et al., 2023; Goodin, 2023).
The RowPress attack works by keeping one DRAM row - an aggressor row - open for a long period of time, which disturbs the adjacent rows. This can induce bitflips in the victim row without requiring tens of thousands of activations of the aggressor row, and therefore does not trigger TRR. The researchers concluded:
... with a user-level program on a real DDR4-based Intel system with TRR protection, 1) RowPress induces bitflips when RowHammer cannot, 2) RowPress induces many more bitflips than RowHammer, and 3) increasing tAggON up to a certain value increases RowPress-induced bitflips and number of rows with such bitflips. Thus, read-disturb-based attacks on real systems can leverage RowPress to be more effective despite the existence of periodic auto-refresh and in-DRAM target row refresh mechanisms employed by the manufacturer (Luo et al., 2023).
In theory, the RowPress technique can achieve bitflipping by holding a row open just once, for an extended period of time. However, this is not really practical, and so an actual attack would combine the RowPress technique with RowHammer, using repeated row activations, but for a longer period of time to keep the number of reads below the TRR threshold, and some experimentation is required to find an optimal combination of the number and duration of activations in order to achieve the desired bitflips.
I dare say a lot of researchers are already working on proof-of-concept exploits, but getting this technique to flip the specific bits required in, say, a page table entry is going to be challenging.
Goodin, Dan, There's a new way to flip bits in DRAM, and it works against the latest defenses, Ars Technica, 19 October 2023. Available online at https://arstechnica.com/security/2023/10/theres-a-new-way-to-flip-bits-in-dram-and-it-works-against-the-latest-defenses/.
Kim, Y., Daly, R., Kim, J., Fallin, C., Lee, J. H., Lee, D., Wilkerson, C., Lai, K., & Mutlu, O., Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA), pp. 361-372, 2014. https://doi.org/10.1109/ISCA.2014.6853210. Available online at http://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf.
Luo, H., Olgun, A., Yağlıkçı, A. G., Tuğrul, Y. C., Rhyner, S., Cavlak, M. B., Lindegger, J., Sadrosadati, M., & Mutlu, O., RowPress: Amplifying Read Disturbance in Modern DRAM Chips, Proceedings of the 50th Annual International Symposium on Computer Architecture (ISCA), pp. 1-18, 2023. https://doi.org/10.1145/3579371.3589063. Available online at https://people.inf.ethz.ch/omutlu/pub/RowPress_isca23.pdf.
Seaborn, M., & Dullien, T., Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges, Google Project Zero blog, 9 March 2015. Available online at https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html.
Upcoming Courses
- SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
- SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
- SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
- SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
- SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
- SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
News Stories
Citrix Warns of NetScaler Exploits in the Wild
Earlier this month, Citrix released fixes for CVE-2023-4966, an unauthorized data disclosure vulnerability in the NetScaler ADC (application delivery controller) and NetScaler Gateway products. The vulnerability affects NetScaler ADC if it is configured as a gateway (VPN virtual server, ICA proxy, CVPN or RDP proxy) or as an AAA (authentication, authorization and accounting) virtual server.
The vulnerability was discovered by Citrix's internal team, and at the time they disclosed it, they were not aware of any exploits in the wild.
But we all know how that goes: no sooner are patches or updated builds released than the bad guys get hold of them, do a diff against the unpatched version, find the modified code, reverse-engineer the fix and develop a matching exploit.
And sure enough, Citrix now has reports, via Mandiant, of incidents consistent with session hijacks, and credible reports of targeted attacks exploiting CVE-2023-4966. CISA has also added this vulnerability to its Known Exploited Vulnerabilities Catalog. Customers using any of the affected builds should update immediately, and also kill all active and persistent sessions with the following commands:
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
Shetty, Anil, CVE-2023-4966: Critical security update now available for NetScaler ADC and NetScaler Gateway, blog post, 23 October 2023. Available online at https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/.
Mandiant, Remediation for Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966), blog post, 17 October 2023. Available online at https://www.mandiant.com/resources/blog/remediation-netscaler-adc-gateway-cve-2023-4966.
Microsoft To Invest A$5 Billion On AI and Cybersecurity In Australia
Timed to coincide with Prime Minister Anthony Albanese's visit to the US comes news of Microsoft's investment of an additional $5 billion over the next two years in Australia. The investment was announced by the PM, along with Microsoft President Brad Smith and ANZ Managing Director Steve Worrall, at the Australian Embassy in Washington DC.
A large part of the investment will be in the construction of nine new data centers in Sydney, Melbourne and Canberra, primarily intended to support hyperscale cloud technology, particularly Microsoft's bold strategy to dominate the artificial intelligence market. This will add to an existing 20 data centers the company operates in Australia, and in order to staff these centres, in early 2024 the firm will open a new "Data Centre Academy", in conjunction with TAFE NSW, to train 200 people in two years. The company also proposes to support other programs which will deliver "digital skills training" to 300,000 Australians.
However, the other major part of the announcement related to cybersecurity, with increased collaboration between Microsoft and the Australian Signals Directorate in order to build a "cyber shield" which will boost Australia's protection from online threats. In a statement, the company said that the exchange of cyber threat information leads to better protection for Australian residents, businesses and government. The focus of its activity will be the detection, analysis and defence against the operations of nation-state advanced persistent threats.
ASD Director-General, Rachel Noble, said the investments would strengthen the agency's "strong partnership with Microsoft and ... turbocharge our collective capacity to protect Australians in cyberspace".
Murphy, Katharine and Daniel Hurst, Microsoft to help Australia’s cyber spies amid $5bn investment in cloud computing, The Guardian, 24 October 2023. Available online at https://www.theguardian.com/australia-news/2023/oct/24/microsoft-to-invest-5bn-in-australian-cybersecurity-over-next-two-years.
Ryan, Brad, Microsoft to help Australia build 'cyber shield', Anthony Albanese announces on Washington trip, ABC News, 24 October 2023. Available online at https://www.abc.net.au/news/2023-10-24/anthony-albanese-in-washington-dc-microsoft-deal/103012802.
News Stories
Cybersecurity 'Skills Shortage' a Mirage?
For some years now we have been hearing about a cybersecurity skills shortage, and massive shortfalls in the number of security professionals available to fill the growing number of jobs. YouTube is full of channels offering advice to those entering the field via bootcamp courses, and ISC2 (which has rebranded itself, concluding that (ISC)² is incomprehensible) claims to be well on the way to putting one million candidates through its free online training and certificate, 'Certified in Cybersecurity'.
This has never gelled with my experience as a university lecturer teaching third-year students ('seniors' to those in the US) and Masters students. While more than a few of my students were already in the workforce (it's a joy teaching those who already have some experience) and others had jobs lined up, sometimes via graduate recruitment programs in tech and finance companies, others were struggling, even after graduation. Many of those who graduated with a good Bachelors degree in Computer Science, IT or Cybersecurity often quickly moved on to Masters programs in search of even deeper knowledge.
Now long-term security pro Ben Rothke has blogged on the issue, pointing out that figures such as the claim by Cybersecurity Ventures that there will be 3.5 million unfilled cybersecurity jobs in 2025, a backlog that has continued from 2022, are highly exaggerated. This reflects a number of problems, predominantly in the recruitment process - starting with companies who post job listings with significant security requirements while only offering entry-level salaries.
At this point, there does not seem to be a shortage in the higher-level positions occupied by generalists, middle managers and CISOs. Rather, the shortage is of people with deeper technical knowledge. Quoting top recruitment professional Lee Kushner, Rothke writes:
"What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills. And this is nothing that can be fixed by a newbie taking a six-month information security boot camp."
I would have to agree. Gaining deep experience in these fields can take years; gaining experience across several, decades. And while many recruiters simply look for a high-level certification such as CISSP, that certification really only reflects a shallow understanding across multiple domains of security, and not a deep understanding of any one of them, with a requirement for only five years experience in total across all - not much for those moving into the senior and management positions the certification is really intended for.
I have long worried that our 5-day CISSP prep course contains just too much technical information, perhaps diving deeper into some areas than the exam really requires. But increasingly I am glad that it is backed by an 800-page wiki of course notes and other references that do allow our students to gain a more thorough understanding of these areas than just recognising a few buzzwords.
Furthermore, there are very few entry-level jobs in security - at least, that are suitable for entry-level skills. An application security specialist, for example, needs to have a few years of experience in application development in order to have seen - and made - the kinds of mistakes that a security specialist should be hunting for, not to mention an understanding of the development environment and tools. The idea that a six-month boot camp - or a free online course - can lead to a six-figure salaried job defending a megacorp against thousands of wily hackers is, well, naive.
For most employers, the best way to meet their own demand for security professionals is to recruit from within, cross-training and offering administrators and developers a path into a security stream, and taking advantage of their existing experience. In a sense, this mirrors the experience of the multi-decade security professionals I know, who all ended up in security after many years in other IT fields, which they capitalized upon as the basis of a thorough knowledge of how security really works.
External recruitment will still be necessary, however, and it is time for a shakeout of both recruitment practices and recruitment professionals - the latter, especially, need to be able to differentiate the various subfields of infosec and the depth of technical roles in each. Hmmm. Perhaps we should offer a short course for recruitment firms?
Rothke, Ben, Is there really an information security jobs crisis?, blog post, 12 September 2023. Available online at https://brothke.medium.com/is-there-really-an-information-security-jobs-crisis-a492665f6823.
News Stories
CISA Updates Its #StopRansomware Guide
The US Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the NSA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) has released an updated version of the joint #StopRansomware Guide.
The Guide, which is developed through the US Joint Ransomware Task Force, is intended to be a one-stop resource to help organizations mitigate the risks of ransomware through good practices and step-by-step approaches to detect, prevent, respond and recover from attacks. The update includes new tips for prevention, such as hardening the SMB protocol, a revision of the response approaches and additional threat hunting insights.
CISA, #StopRansomware Guide, resource, 19 October 2023. Available online at https://www.cisa.gov/resources-tools/resources/stopransomware-guide. Direct PDF download at https://www.cisa.gov/sites/default/files/2023-10/StopRansomware-Guide-508C-v3_0.pdf.
How Not to Get Hooked by Phishing
Phishing, leading to credential compromise, continues to be a huge problem and, in fact, is getting worse as threat actors take advantage of generative AI to eliminate almost all of the clues, such as grammatical errors and off-pitch phraseology, that would previously have alerted users to a fake email.
An additional difficulty is the appearance of many new variants:
- Spear phishing: targeted email phishing
- Whaling: Executive email phishing
- Harpoon Whaling: Highly-targeted executive phishing
- BEC: Business email compromise (CEO fraud)
- Smishing: Text message (SMS) phishing
- Vishing: Voice (phone call) phishing
- Quishing: QR code phishing
- Angler phishing: Social media phishing
A rather nice piece from Trend Micro examines the current trends in phishing attacks, such as the use of the new top-level domains like .zip (what was Google thinking, there?), the use of multiple phishing variants in tandem to lend credibility and create a sense of urgency, not to mention the use of tools like ChatGPT to research a victim in a so-called AI-enabled harpooning attack.
Although Trend Micro still recommends security education, training and awareness and in particular, phishing simulations to test employees, they also recommend more sophisticated technical approaches, such as authorship analysis on the email gateway, along with the use of cloud access security brokers and secure web gateways - all of which increasingly incorporate AI techniques to escalate the arms race with the attackers.
Clay, Jon, Email Security Best Practices for Phishing Prevention, blog post, 17 October 2023. Available online at https://www.trendmicro.com/en_us/ciso/22/k/email-security-best-practices.html.
AI Comes to Access Control
While the fundamentals of access control still - for good and sound reasons - depend upon decades-old research into security models such as Bell-LaPadula, Clark-Wilson and Role-Based Access Control, in practice many of these (although not BLP) devolve into an access control matrix represented by access control lists - a model that dates back to the early 1970s. Each object in a system - be that a file, API, database table, transformational procedure or something else - carries a list of subjects (users - often aggregated into groups for simplicity), and the types of access each user is granted.
However, attempting to map a high-level access control policy for a complex business application which may have hundreds of objects and thousands of subjects down to a set of ACL entries and their related rules (e.g. if a user is a member of two groups, one allowed access and one denied, how is this resolved?) can be mind-numbingly complex. Generally, this has been done using a policy language like XACML, requiring the policy developer to have a good understanding of application requirements, the security model and the syntax of the specific policy language - not to mention underlying principles like the principle of least privilege and segregation of duties.
People who can do all of that are in short supply.
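To make the conflict problem in the previous paragraphs concrete, here is an added example (my own illustration, not code from Google's SpeakACL tool or from the post) of an ACL evaluator over constructed users, groups and one object. It resolves the "member of an allowed group and a denied group" case under the three combining rules XACML-style policy languages commonly offer, and expands the ACL back into the access control matrix it implies; default-deny applies whenever no entry matches.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

@dataclass(frozen=True)
class AclEntry:
    principal: str               # a user name or a group name
    effect: str                  # "allow" or "deny"
    permissions: FrozenSet[str]

# Constructed sample data: group memberships and a per-object ACL.
GROUPS: Dict[str, Set[str]] = {
    "alice": {"finance", "auditors"},
    "bob": {"finance"},
    "carol": {"contractors"},
}

ACLS: Dict[str, List[AclEntry]] = {
    "ledger.db": [
        AclEntry("finance", "allow", frozenset({"read", "write"})),
        AclEntry("auditors", "deny", frozenset({"write"})),   # segregation of duties
        AclEntry("carol", "allow", frozenset({"read"})),
    ],
}

def principals_of(user: str) -> Set[str]:
    """A user acts as themselves plus every group they belong to."""
    return {user} | GROUPS.get(user, set())

def is_permitted(user: str, obj: str, perm: str, combining: str = "deny-overrides") -> bool:
    subjects = principals_of(user)
    matches = [e for e in ACLS.get(obj, [])
               if e.principal in subjects and perm in e.permissions]
    if not matches:
        return False                      # default deny: no entry, no access
    effects = [e.effect for e in matches]
    if combining == "deny-overrides":     # any deny wins over any allow
        return "deny" not in effects
    if combining == "permit-overrides":   # any allow wins over any deny
        return "allow" in effects
    if combining == "first-applicable":   # ACL order decides
        return effects[0] == "allow"
    raise ValueError(f"unknown combining rule: {combining}")

def access_matrix(users, objects, perms, combining: str = "deny-overrides"):
    """Expand the ACLs into the subject x object matrix the policy implies."""
    return {u: {o: {p for p in perms if is_permitted(u, o, p, combining)}
                for o in objects} for u in users}

if __name__ == "__main__":
    for rule in ("deny-overrides", "permit-overrides", "first-applicable"):
        print(rule, access_matrix(["alice", "bob", "carol", "dave"],
                                  ["ledger.db"], ["read", "write"], rule))
```

Alice, who is in both finance and auditors, can write the ledger under permit-overrides and first-applicable but not under deny-overrides: the same ACL yields three different matrices depending on a rule that is rarely written down next to the entries, which is exactly why hand-authoring such policies at scale is error-prone.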
Now a small team from the Enterprise Security and Access Security organizations at Google have developed a tool, based on the company's PaLM2 large language model, which allows developers to create and modify security policies using plain English instructions. The tool significantly reduces the difficulty of defining access control policies that comply with Google's BeyondCorp zero trust architecture and its identity aware proxy.
The SpeakACL tool can not only generate ACLs, but can also verify the access policies and sports additional safeguards for sensitive information disclosure, data leaking, prompt injections, and supply chain vulnerabilities. Although this is only a prototype, it shows another aspect of the trend towards utilizing AI in security services.
Khandelwal, Ayush, Michael Torres, Hemil Patel and Sameer Ladiwala, Scaling BeyondCorp with AI-Assisted Access Control Policies, blog post, 10 October 2023. Available online at https://security.googleblog.com/2023/10/scaling-beyondcorp-with-ai-assisted.html.
News Stories
Really? That's Your Password?
A small study done by Outpost24 makes for scary reading, suggesting that web site administrators may be just as bad as ordinary users when it comes to following advice about choosing passwords - especially changing default passwords after initial installation and configuration of software and systems. One of the first rules of system administration is to immediately change any vendor-preset default password, as these are widely known and make even brute force attacks incredibly easy.
In fact, legislation such as the UK's Product Security and Telecommunications Infrastructure Bill and California's Senate Bill 327, the default password law, will ban the use of default passwords, requiring developers to include a password-change step as part of any installation or setup process. But for the time being, default passwords live on - and administrators either do not change them, or change them to one of a few commonly-used variants.
According to the Outpost24 research, performed by mining the data in their Threat Compass threat intelligence backend database, the top 20 popular passwords associated with compromised accounts are:
- admin
- 123456
- 12345678
- 1234
- Password
- 123
- 12345
- admin123
- 123456789
- adminisp
- demo
- root
- 123123
- admin@123
- 123456aA@
- 01031974
- Admin@123
- 111111
- admin1234
- admin1
Oh, come on, people - it's like you're not even trying! Isn't anyone even using a password safe?
But while it's all very well to blame users, developers have to shoulder some of the blame here, too. For example, while I've recently railed against password complexity rules, it's obvious that many systems are not even enforcing an adequate minimum passphrase length, let alone requirements for multiple character types (and the even worse prohibition on repeated characters). And even when systems do enforce such requirements, administrators are complying in a very few predictable ways that barely increase the search space for attackers.
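The kind of check a setup wizard or account-management page should run is easy to write, and the following is an added example (mine, not Outpost24's) of one. It rejects the twenty passwords listed above and their trivial variants (case changes, a few digits or symbols bolted on the ends), refuses placeholder vendor defaults, and enforces a minimum length rather than complexity rules. The vendor-default values and the 15-character floor are assumptions for the illustration.

```python
import re
from typing import List

# The 20 most common passwords on compromised accounts in the Outpost24
# research quoted above, collected here as a block list.
COMPROMISED_TOP20 = [
    "admin", "123456", "12345678", "1234", "Password", "123", "12345",
    "admin123", "123456789", "adminisp", "demo", "root", "123123",
    "admin@123", "123456aA@", "01031974", "Admin@123", "111111",
    "admin1234", "admin1",
]
# Vendor-preset defaults an installer should refuse to keep. Placeholder
# values (assumption): real ones depend on the product being installed.
VENDOR_DEFAULTS = ["changeme", "password"]
MIN_LENGTH = 15      # assumption: a length floor instead of complexity rules

_BLOCKLIST = {p.lower() for p in COMPROMISED_TOP20 + VENDOR_DEFAULTS}

def stem(password: str) -> str:
    """Strip leading and trailing digits/symbols so 'Admin@123' compares as 'admin'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())

def evaluate(password: str) -> List[str]:
    """Return the list of reasons a password is unacceptable (empty means OK)."""
    reasons: List[str] = []
    low = password.lower()
    base = stem(low)
    if low in _BLOCKLIST:
        reasons.append("matches a known compromised or default password")
    elif base and base in _BLOCKLIST:
        reasons.append("is a trivial variant of a known compromised or default password")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        reasons.append("digits only")
    return reasons

def acceptable(password: str) -> bool:
    return not evaluate(password)

if __name__ == "__main__":
    for candidate in ("admin@123", "Admin2024!", "01031974",
                      "correct horse battery staple"):
        print(repr(candidate), evaluate(candidate) or "OK")
```

The variant check catches "Admin2024!" even though it appears nowhere in the list, which is the point: administrators who have to satisfy a complexity rule tend to satisfy it in the same handful of ways, so matching on the stem removes that whole family at once.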
Developers should be incorporating stronger authentication mechanisms, ideally based on cryptographic techniques, with a view to abandoning passwords completely in due course. We've been doing this for command-line administration for decades now; in fact, the default for most IaaS cloud-based systems is to log in using an SSH private key, and the SSH authentication agent (e.g. PuTTY's Pageant) makes this extremely convenient by eliminating password prompts completely for the working day. For web access, FIDO2 authentication via passkeys is similarly easy, or even easier.
Remember, these passwords are from stolen credentials, which also suggests that complementary controls, such as multi-factor authentication, were also not implemented - or, perhaps, were easily circumvented by a man-in-the-middle or proxy attack. And of course, this list says nothing about credentials which were not stolen, so we know that not all admins are this bad. But all the same, we can see how easy it is for even script kiddies to compromise some systems.
Outpost24, IT admins are just as culpable for weak password use, blog post, 17 October 2023. Available online at https://outpost24.com/blog/it-admins-weak-password-use/.
Multiple Agencies Update "Secure By Design" Principles
A large coalition of national cybersecurity agencies - rather than listing them all, it's easiest just to say that Russia, China, North Korea and Iran are not on the list - has updated the guidance issued earlier this year on principles and approaches for designing software which is secure by design. Citing the need to shift the balance of security risk - specifically, the impact of threats - from customers to developers and manufacturers, the guidance revolves around three fundamental principles for tech firms:
- Take ownership of customer security outcomes
- Embrace radical transparency and accountability
- Build organizational structure and leadership to achieve these goals - lead from the top
In order to achieve each of these objectives, the publication outlines a number of practices. For example, in support of that first principle, the practices include:
- Eliminate default passwords (surprise!)
- Conduct security-centric user field tests
- Reduce hardening guide size
- Actively discourage use of unsafe legacy features
- Implement attention grabbing alerts
- Create secure configuration templates
- Document conformance to a secure SDLC framework
- Document Cybersecurity Performance Goals (CPG) or equivalent conformance
- Vulnerability management
- Responsibly use open source software
- Provide secure defaults for developers
- Foster a software developer workforce that understands security
- Test security incident event management (SIEM) and security orchestration, automation, and response (SOAR) integration
- Align with Zero Trust Architecture (ZTA)
- Provide logging at no additional charge
- Eliminate hidden taxes (do not charge for security and privacy features or integrations)
- Embrace open standards
- Provide upgrade tooling
There's a lot more, for the other principles.
At only 36 pages, this guide is primarily aimed at senior managers - it is certainly much smaller than any of the many textbooks on correctness-by-construction and secure programming intended for architects and programmers. This is not to say that developers don't need to at least skim it - there are some useful ideas in there.
CISA et al., Secure By Design - Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software, technical report, 16 October 2023. Available online at https://www.cisa.gov/resources-tools/resources/secure-by-design.
Upcoming Courses
- SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
- SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
- SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
- SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
- SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
- SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
News Stories
New Scheme Could Improve on Shor's Algorithm
Back in the mid-1990s, mathematician Peter Shor came up with an algorithm for factoring composite numbers much faster than was possible with previous methods. This would, of course, break the RSA public-key cryptosystem, which relies upon the difficulty of factoring large composite numbers; in fact, the RSA key-generation algorithm starts by generating two large probably-prime numbers, \(p\) and \(q\), and then multiplying them to create a modulus, \(N\), which forms part of the public key and is therefore known to any attacker. If an attacker can quickly figure out \(p\) and \(q\) by factoring \(N\), it's game over, and they can easily derive the private key. And since RSA is widely used for exchange of the secret session keys used by symmetric cryptoprimitives like AES, this would break a lot of Internet communications.
But there's one problem: Shor's algorithm specifically needs a quantum computer to run. Specifically, it uses a quantum circuit to effectively perform a Fourier transform, in order to find the period of a function; a function is said to be periodic when it repeatedly returns the same value as the input value is incremented - something that must happen when performing the modular arithmetic that underlies public-key cryptography (remember, \(N\) is a modulus).
To date, the development of quantum computers has been beset by difficulties, such as noise causing errors in the calculation, which have only gradually been overcome by a variety of techniques, such as using additional qubits (quantum bits) for error correction. So far, only relatively small numbers have been factored; for example, the factoring of 143 (11 x 13) using a 4-qubit nuclear magnetic resonance quantum computer in 2012 was considered quite a breakthrough, although later analysis, by other researchers, of the raw data they released indicated that they had simultaneously factored several much larger numbers such as 3,599, 11,663 and 56,153.
As of early 2023, the largest number to be factored using quantum computing is the 48-bit number 261980999226229, which still falls well short of the 2048-bit (617 decimal digit) moduli commonly used for RSA keys today, which by some estimates would require a quantum computer with 20 million qubits.
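To make the "period of a function" step concrete, here is the classical part of Shor's algorithm with the quantum period-finding replaced by a brute-force search (feasible only for toy moduli such as the 143, 3,599, 11,663 and 56,153 mentioned above). This is an added illustration, not code from any of the papers cited below; the function names are my own.

```python
"""Classical post-processing of Shor's factoring algorithm (added example).

The quantum circuit in Shor's algorithm finds the period r of f(x) = g^x mod N.
Here that single step is replaced by a classical brute-force search, which is
exponential in the size of N and therefore useless against RSA-sized moduli,
so that the rest of the algorithm can be seen: once r is known and even,
gcd(g^(r/2) - 1, N) or gcd(g^(r/2) + 1, N) is a non-trivial factor of N.
"""
from math import gcd
import random


def find_period(g: int, N: int) -> int:
    """Smallest r >= 1 with g^r == 1 (mod N), by brute force.

    Requires gcd(g, N) == 1, otherwise g^r never returns to 1.
    """
    if gcd(g, N) != 1:
        raise ValueError("g must be coprime to N")
    x, r = g % N, 1
    while x != 1:
        x = (x * g) % N   # the sequence g, g^2, g^3, ... repeats with period r
        r += 1
    return r


def factor_from_period(g: int, N: int, r: int):
    """Turn the period r of g modulo N into a factor of N, or None.

    None means the base g was unlucky: r is odd, or g^(r/2) == -1 (mod N),
    in which case Shor's algorithm simply picks another random base.
    """
    if r % 2:
        return None
    y = pow(g, r // 2, N)
    if y == N - 1:
        return None
    for cand in (gcd(y - 1, N), gcd(y + 1, N)):
        if 1 < cand < N:
            return cand
    return None


def shor_factor(N: int, rng=random.Random(1)):
    """Return (p, q), p <= q, with p * q == N for an odd composite N.

    Random bases are tried until one yields a factor; for N = p*q with
    distinct odd primes at least half of all bases work, so this terminates.
    """
    if N % 2 == 0:
        return 2, N // 2
    while True:
        g = rng.randrange(2, N)
        d = gcd(g, N)
        if d > 1:
            # Lucky: the base already shares a factor with N; no period needed.
            return min(d, N // d), max(d, N // d)
        r = find_period(g, N)
        f = factor_from_period(g, N, r)
        if f is not None:
            return min(f, N // f), max(f, N // f)


if __name__ == "__main__":
    for N in (15, 143, 3599, 11663, 56153):
        print(N, "=", "x".join(map(str, shor_factor(N))))
```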
However, a new variant of Shor's algorithm, developed by NYU computer scientist Oded Regev, massively reduces the number of quantum operations required to factor a number. Ironically, Regev based his technique on what he had learned while trying to find attacks on the lattice-based algorithms and learning-with-errors algorithms which provide one approach to post-quantum, or quantum-resistant, cryptography.
A lattice is a multi-dimensional vector space with integer coordinates; you could think about the integers modulo \(N\) as being a one-dimensional lattice, and the Fourier transform stage of Shor's algorithm effectively amounts to finding the shortest vector - the period of the function - in that one-dimensional lattice. The post-quantum algorithms, such as NTRU, are based on a similar shortest vector problem, only in a space with hundreds of dimensions, which makes the problem intractably hard - including, it is believed, for quantum computers.
What Regev did was to start by generalizing the algorithm from one dimension to, first, two dimensions, and ultimately many dimensions. Rather than repeatedly multiplying a single number, \(g\), with itself, he would try two numbers, \(g_1\) and \(g_2\), and repeatedly multiply them with themselves and each other in a two-dimensional space, and then \(g_1, g_2, \ldots, g_n\) in an \(n\)-dimensional space. The problem was that although each \(g_i\) did not need to be multiplied as many times, this needed to be repeated for \(n\) different \(g_i\)'s, providing no advantage over Shor's original algorithm.
But musing while waiting for a lift one morning, the solution struck him - with a small number of dimensions, the numbers involved were large, so the algorithm could not benefit from the speedup of multiplying small numbers, but with a large number of dimensions, the quantum part was fast, but the remaining calculations, which have to be performed using a classical computer, required solving a very hard lattice problem. The trick is to find a sweet spot between these two extremes, modifying the algorithm to make it run fast in just a relatively small number of dimensions.
The result is a significant improvement; while Shor's algorithm for factoring an \(n\)-bit number requires \(\tilde{O}(n^2)\) qubits, Regev's requires only \(\tilde{O}(n^{3/2})\).
But wait - there's more. Just two weeks ago, Seyoon Ragavan and Vinod Vaikuntanathan at MIT published a further refinement of Regev's algorithm which reduces the number of qubits required to \(\tilde{O}(n \log{n})\) qubits.
If these results are correct, this makes quantum factorization of RSA keys closer than ever before, and the need for cryptographic agility and the replacement of RSA, etc. with post-quantum algorithms more urgent than ever.
Brubaker, Ben, Thirty Years Later, a Speed Boost for Quantum Factoring, Quanta Magazine, 17 October 2023. Available online at https://www.quantamagazine.org/thirty-years-later-a-speed-boost-for-quantum-factoring-20231017/.
Ragavan, Seyoon, and Vinod Vaikuntanathan, Optimizing Space in Regev’s Factoring Algorithm, arXiv preprint, 2 October 2023. Available online at https://arxiv.org/abs/2310.00899.
Regev, Oded, An Efficient Quantum Factoring Algorithm, arXiv preprint, 17 August 2023. Available online at https://arxiv.org/abs/2308.06572.
News Stories
Cisco IOS XE Vulnerability Exploited in the Wild
Cisco has disclosed a 0-day privilege escalation vulnerability which is under active exploitation. The vulnerability, CVE-2023-20198, is in the web user interface of the IOS XE operating system, and sports a CVSS 3.x score of 10.0. If the web UI feature is enabled, and particularly if it is exposed to an untrusted network - such as the public Internet - it will allow a remote, unauthenticated attacker to create an account with privilege level 15 access, and thereby gain control of the victim system.
As yet, there is no patch, and so Cisco is recommending that customers disable the HTTP and HTTPS servers on all Internet-facing systems, by issuing the following commands in global configuration mode:
no ip http server
no ip http secure-server
However, this may not be possible if the system runs other services that require HTTP/HTTPS, in which case, access should be carefully restricted to trusted networks.
Cisco's advisory lists a number of indicators of compromise, including the presence of unknown user accounts on the system, such as cisco_tac_admin or cisco_support. The presence of an implant on the system can be detected with a curl command:
curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
If the system is infected, this request will return a hex string. Adversary interactions with the implant can also be detected by four Snort rules.
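For admins with more than a handful of routers, the advisory's checks are easy to script. The following is an added example (not Cisco's tooling): it audits a saved running-config for an active web UI and for privilege-15 accounts that are not on an allow-list, and wraps the curl check above so that its output can be classified. The sample configuration and its `$9$PLACEHOLDERHASH` secrets are constructed; the `-s` and `--max-time` curl options are my additions to the advisory's command.

```python
"""Audit helpers for the IOS XE web UI advisory (added example, not Cisco code)."""
import re
import subprocess

# Constructed 'show running-config' excerpt; hashes are placeholders, not real.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username admin privilege 15 secret 9 $9$PLACEHOLDERHASH
username netops secret 9 $9$PLACEHOLDERHASH
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDERHASH
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# 'username NAME [privilege N] ...' -- privilege defaults to 1 when absent.
USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)
WEB_UI_LINES = ("ip http server", "ip http secure-server")


def http_servers_enabled(config: str) -> list:
    """Return the web UI lines that are active, i.e. present and not prefixed 'no'."""
    return [line.strip() for line in config.splitlines()
            if line.strip() in WEB_UI_LINES]


def privilege15_users(config: str) -> list:
    """All accounts configured with privilege level 15."""
    return [m.group(1) for m in USER_RE.finditer(config)
            if m.group(2) is not None and int(m.group(2)) == 15]


def unexpected_admins(config: str, known_admins) -> list:
    """Privilege-15 accounts nobody admits to creating (e.g. cisco_tac_admin)."""
    return [u for u in privilege15_users(config) if u not in known_admins]


def looks_like_implant_response(body: str) -> bool:
    """Per the advisory, an implanted device answers the logoutconfirm.html
    POST with a hex string; anything else (HTML, empty body) is treated as clean."""
    s = body.strip()
    return bool(s) and re.fullmatch(r"[0-9a-fA-F]+", s) is not None


def check_implant(host: str, timeout: int = 10) -> bool:
    """Run the advisory's curl check against one device (needs network access)."""
    url = f"https://{host}/webui/logoutconfirm.html?logon_hash=1"
    proc = subprocess.run(
        ["curl", "-k", "-s", "-X", "POST", "--max-time", str(timeout), url],
        capture_output=True, text=True, check=False)
    return looks_like_implant_response(proc.stdout)


def audit(config: str, known_admins) -> dict:
    """Summarise the configuration-level indicators for one device."""
    return {
        "web_ui_active": http_servers_enabled(config),
        "unexpected_priv15": unexpected_admins(config, known_admins),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, known_admins={"admin"}))
```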
Cisco, Cisco IOS XE Software Web UI Privilege Escalation Vulnerability, security advisory, 16 October 2023. Available online at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z.
BEC Scam Nets $A1.2 Million from Small Business
A new twist on a business email compromise scam, combined with social engineering, has cost a small earthworks business almost $A1.2 million.
The company's accounts manager received a phone call from a man claiming to be 'Mike' from the National Australia Bank - and since the firm had previously dealt with a Mike from a nearby branch of the bank, suspicions were allayed. Furthermore, 'Mike' knew details of the previous day's pay run, providing further evidence that he was from the bank.
However, 'Mike' claimed there had been fraudulent activities on the company's bank accounts which he would need to investigate, and tricked the accounts manager into granting him access.
Within minutes, said the business owner, Paul Fuller, the hacker had drained $A1.2 million out of the company accounts. "They (NAB) did get some money back but not nearly as much as went missing", said Mr. Fuller. To date, the bank has been able to recover $A84,000 but there is no prospect of recovering any more.
There are a couple of obvious safeguards which small business workers need to bear in mind. First, an inbound call provides no authentication; you do not know that the person who has called really is from the institution they claim to be. The same applies to text messages; in both cases, caller ID is easy to spoof. Instead, take the caller's details such as their name, department or employee number, and then call the institution using the phone number you already have on file or obtain from a trusted source, and ask for them by name or employee number. If they are unknown to the operator, congratulate yourself on dodging a bullet.
Secondly, stop and think - don't let yourself be panicked into precipitous actions. Is it likely that a customer service person in a rural branch of a huge bank would be investigating suspected fraud, or is it more likely that a specialized investigations department would be involved? And in either case, wouldn't such a bank employee already have the level of access required to perform that investigation?
It's entirely possible that this phone call was preceded by compromise of the company's email accounts, which were mined to obtain details of the banking relationship - for example, earlier emails involving the legitimate 'Mike'. It's possible the email system also contained emails sent to employees with attached payslips, for example - and this would be all the caller needed to sound credible to his victim.
This underscores the need for multi-factor authentication on both email and online banking accounts; email accounts are particularly valuable since the 'forgotten password' procedures for many other online accounts work by simply sending a password reset link to the email address, on the often-invalid assumption that only the account owner will have access to this. I also recommend the use of dedicated thin clients, such as a Chromebook or Chromebox, for online banking and accounting, to minimise the chances of infection by infostealers and other malware.
Saunders, Miranda and Emma Rennie, Warnings about evolving cyber threats after hackers steal $1.2 million from Grafton family business, ABC News, 15 October 2023. Available online at https://www.abc.net.au/news/2023-10-15/cyber-threats-hackers-steal-million-dollars-small-business/102789994.
News Stories
NSA Weakening Post-Quantum Crypto, Warns DJB
We have frequently warned of the need for cryptographic agility, a preparedness to replace the public-key algorithms we currently use in protocols like TLS, SSH, PGP & S/MIME as well as other secure protocols with new ones, should quantum computers become capable of breaking them. As part of this effort, the US National Institute of Standards and Technology (NIST) has been running an open competition to select best-of-breed post-quantum cryptographic algorithms, in much the same way as previous competitions produced AES and SHA-3.
But, claims Dan Bernstein of the University of Illinois Chicago, NIST is deliberately obscuring the level of involvement of the NSA in this process. Speaking to New Scientist magazine, he said,
"NIST isn’t following procedures designed to stop NSA from weakening PQC ... People choosing cryptographic standards should be transparently and verifiably following clear public rules so that we don’t need to worry about their motivations. NIST promised transparency and then claimed it had shown all its work, but that claim simply isn’t true."
Even worse, says Bernstein, calculations performed by NIST for the Kyber-512 algorithm are "glaringly wrong", leading to an erroneous conclusion that it is more secure than it really is. NIST multiplied two numbers together, rather than adding them, which he claims would have given a more realistic assessment of Kyber-512's robustness to attack.
NIST spokesperson Dustin Moody rejects Bernstein's analysis, stating that "It’s a question for which there isn’t scientific certainty and intelligent people can have different views. We respect Dan’s opinion, but don’t agree with what he says". In any case, while Kyber-512 meets NIST's level one criteria, the agency recommends that in practice users should adopt the stronger Kyber-768 algorithm.
Moody also argues that NIST has followed tight guidelines to ensure transparency and security, and would never knowingly agree to weaken any of these cryptographic standards. He also states that the NSA has, as far as it can, tried to be more open.
But Bernstein claims that NIST has not been open about the level of NSA input, and has used freedom of information requests and court action to force the agency to release internal documents which show that NSA employees are members of the "Post Quantum Cryptography Team. National Institute of Standards and Technologies", as well as undisclosed meetings with personnel from both the NSA and the UK's GCHQ.
The NSA has a checkered past with allegations of attempts to weaken cryptographic algorithms, dating back to unexplained requests to IBM and NIST to change the values in S-boxes (substitution boxes, a type of lookup table) in the algorithm that eventually became DES, the Data Encryption Standard. There were allegations from some cryptologists that this was done to deliberately weaken the algorithm; however, many years later, after Eli Biham developed the differential cryptanalysis attack on DES and similar cryptosystems, it was revealed that NSA had known of this attack decades earlier - they called it the 'T-attack' - and the suggested changes actually made DES more resistant to this attack.
On the other hand, documents released by Edward Snowden alleged that the NSA had subverted the NIST standard for pseudo-random number generation, the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). There followed a period of intense debate amongst cryptologists culminating in a note by the Director of Research at the NSA, Dr. Michael Wertheimer, published in the Notices of the American Mathematical Society, in which he expressed regret that the agency continued to support Dual_EC_DRBG after researchers had discovered the potential for a trapdoor. He further pointed out that Dual_EC_DRBG was only one of four standards and that no-one was obliged to use it - in fact, because it was incredibly slow, they would be wise not to - but there are suggestions that NSA asked RSA Inc. to make it the default PRNG in their BSAFE software library, and compensated the company for doing so.
So, there you have it - something of a mixed bag. As in the case of Dual_EC_DRBG, expect a debate to erupt in the cryptologic community over the correct technique to use in assessing the strength of these algorithms (add, or multiply?) as well as the ethics of engagement by agencies which have a dual role in both breaking the cryptosystems of adversaries and strengthening their own. Set a thief to catch a thief?
Bernstein, Daniel J., The inability to count correctly: Debunking NIST's calculation of the Kyber-512 security level, The cr.yp.to blog, 3 October 2023. Available online at https://blog.cr.yp.to/20231003-countcorrectly.html.
Green, Matthew, Hopefully the last post I'll ever write on Dual EC DRBG, blog post, 14 January 2015. Available online at http://blog.cryptographyengineering.com/2015/01/hopefully-last-post-ill-ever-write-on.html.
Sparks, Matthew, Mathematician warns US spies may be weakening next-gen encryption, New Scientist, 10 October 2023. Available online at https://www.newscientist.com/article/2396510-mathematician-warns-us-spies-may-be-weakening-next-gen-encryption/.
Wertheimer, M., Encryption and the NSA Role in International Standards, Notices of the AMS, Vol. 62(No. 2), 165–167, February 2015.
News Stories
WordPress Plugins Problems Persist
The web content management system marketplace is dominated by WordPress, largely on account of its large number of plugins which make it an extremely versatile platform for corporate web site development. However, WordPress security news is dominated by problems not in the platform itself but in the plugins, which often have a very large installed base.
One example, initially brought to light by WPScan, is a vulnerability in the Composer plugin from tagDiv, which is a companion to the firm's Newspaper and Newsmag themes. CVE-2023-3169, which surfaced in August, is a cross-site scripting vulnerability which is exploitable via an exposed RESTful API which allowed unauthenticated access. The vuln was partially fixed in tagDiv Composer 4.1 (which at least required admin authentication), and fully fixed in version 4.2. However, according to Sucuri, at least one malware gang was making use of it to inject malware onto vulnerable sites - and that may remain after the sites updated the plugin.
The Balada malware gang has a history of exploiting tagDiv's premium themes, having run a massive campaign targeting the Newspaper and Newsmag themes back in 2017, when the themes had only 40,000 paid users - that number has grown to over 135,000 for Newspaper alone. Their current campaign has run through six distinct waves:
- Wave 1: Initial script injections
- Wave 2: Autogenerated malicious WordPress users
- Wave 3: Backdoors in Newspaper’s 404.php file
- Wave 4: Malicious wp-zexit plugin installation
- Wave 5: Three new Balada Injector domains
- Wave 6: Even more obfuscated injections
During this campaign, the Balada crew have been diligent in varying their techniques in order to evade detection and to make it harder to find indicators of compromise in locations like logs and the WordPress database. According to Sucuri, they achieved considerable success with this approach - in September, their SiteCheck scanner detected various types of Balada Injector on over 17,000 sites, almost twice the number seen in August. Over 9,000 of these detections were related to the Newspaper theme vulnerability.
Apart from a detailed analysis and some IOCs, the Sucuri blog post also provides a specific list of mitigation actions for site admins using the Newspaper theme.
In other WordPress plugin news, specialist firm Wordfence has revealed a sophisticated backdoor which is posing as a legitimate plugin. Like any other plugin, this backdoor has access to all the normal WordPress functionality, and uses it to create a new admin account called superadmin (which it can also delete when the attacker is finished with the backdoor).
The backdoor adds several filters which modify pages as they are being rendered - unless the pages are being viewed by an administrator, in which case they will appear normal - allowing the insertion of malicious content, spam links and buttons. The backdoor code can also detect pages being fetched by bots and search engine spiders, using keyword stuffing to increase the search engine ranking of pages serving malicious content. Other code allows the remote activation and deactivation of arbitrary plugins.
The result of all this is that the backdoor operators can remotely control and monetize the victim site; users may - or may not - see the malicious content, and admins may not even realize that the site has been infected.
Wordfence have included a signature for this backdoor in the free version of their product since 1 September 2023, and the commercial versions protect users via a firewall rule as of 9 October 2023. They also provide incident response services at a premium.
Phan, Truoc, tagDiv Composer < 4.2 - Unauthenticated Stored XSS, vulnerability description, 17 August 2023. Available online at https://wpscan.com/vulnerability/e6d8216d-ace4-48ba-afca-74da0dc5abb5/.
Sinegubko, Denis, Balada Injector Targets Unpatched tagDiv Plugin, Newspaper Theme & WordPress Admins, blog post, 6 October 2023. Available online at https://blog.sucuri.net/2023/10/balada-injector-targets-unpatched-tagdiv-plugin-newspaper-theme-wordpress-admins.html.
Wotschka, Marco, Backdoor Masquerading as Legitimate Plugin, blog post, 10 October 2023. Available online at https://www.wordfence.com/blog/2023/10/backdoor-masquerading-as-legitimate-plugin/.
News Stories
More Shoes Drop on HTTP/2 Rapid Reset
A number of other stakeholders have now provided responses to the massive 'Rapid Reset' DDoS attack on the streams feature of HTTP/2 which we reported on yesterday. Google was obviously not the only large service provider affected by the attack; both Cloudflare and Amazon observed it, too, and have published their own analyses.
For Cloudflare, the attack peaked at just over 201 million requests per second - nearly three times more than their biggest previous attack. The attack was generated by a botnet of just 20,000 machines, which is much smaller than many other botnets, which can number up to millions of machines. This raises the prospect of a single attack delivering as much traffic as the entire web - around one to three billion requests per second - against a small group of targets.
Like Google - with whom both Cloudflare and Amazon collaborated - the firm was able to absorb the initial attacks and then introduce mitigations to limit the impact on their systems. One difficulty is that this attack effectively has no ramp-up period, meaning that for a few seconds, the network infrastructure has to absorb the traffic before the client IP address can be quarantined in Cloudflare's 'IP Jail' system. To overcome this, the firm expanded the 'IP Jail' system to block such IPs from using HTTP/2 to connect to any domain on Cloudflare for some time. This will limit the attack, while any legitimate client on the same IP will see only a small performance decrease during that time.
Amazon Web Services has also implemented mitigations, and has also recommended that customers operating their own web servers running HTTP/2 should apply relevant patches as soon as possible. The company has also blogged with advice on building DDoS-resistant architectures using AWS edge services such as Amazon CloudFront, AWS Shield, Amazon Route 53 and Route 53 Application Recovery Controller.
On the server side, NGINX has blogged with advice on how to configure that web server to minimize its attack surface and has released a patch for the server's ngx_http_v2_module which imposes a limit on the number of new streams that can be introduced within one event loop. The developers are continuing to experiment with mitigation strategies.
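Why does the usual HTTP/2 limit on concurrent streams not stop this, while a limit on new streams per event loop does? The following small model, which is an added illustration and not code from NGINX, Cloudflare or AWS, feeds constructed frame sequences to a simulated connection: SETTINGS_MAX_CONCURRENT_STREAMS only counts streams that are still open, so a client that resets each stream immediately never exceeds it, whereas a per-tick budget on newly opened streams catches the burst. The frame sequences, the 1,000-stream budget and the choice to terminate the connection once the budget is exhausted are assumptions of the model.

```python
"""Model of HTTP/2 stream accounting under Rapid Reset (added example).

Frames are ('HEADERS', stream_id) to open a stream and ('RST_STREAM', stream_id)
to cancel one. 'accepted' counts streams the server had to start work on, which
is the cost the attack inflicts, whether or not the stream is later reset.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, List, Tuple


@dataclass
class Http2Connection:
    max_concurrent: int = 100                    # SETTINGS_MAX_CONCURRENT_STREAMS
    new_streams_per_tick: Optional[int] = None   # None = no per-event-loop limit
    open_streams: Set[int] = field(default_factory=set)
    opened_this_tick: int = 0
    accepted: int = 0
    refused: int = 0
    closed: bool = False

    def new_tick(self) -> None:
        """Called once per event-loop iteration; resets the per-tick budget."""
        self.opened_this_tick = 0

    def frame(self, kind: str, stream_id: int) -> str:
        if self.closed:
            return "dropped"
        if kind == "HEADERS":
            # Classic defence: refuse the stream once too many are open at once.
            if len(self.open_streams) >= self.max_concurrent:
                self.refused += 1
                return "REFUSED_STREAM"
            # Rapid Reset defence (modelled on the NGINX patch described above):
            # cap streams *opened* per event loop, regardless of how many are
            # still open; this model tears the connection down when exceeded.
            if (self.new_streams_per_tick is not None
                    and self.opened_this_tick >= self.new_streams_per_tick):
                self.closed = True
                return "GOAWAY"
            self.open_streams.add(stream_id)
            self.opened_this_tick += 1
            self.accepted += 1        # server starts processing the request
            return "accepted"
        if kind == "RST_STREAM":
            self.open_streams.discard(stream_id)   # frees a concurrency slot
            return "reset"
        raise ValueError(f"unknown frame kind {kind!r}")


def rapid_reset_burst(n: int) -> List[Tuple[str, int]]:
    """Constructed attack pattern: open, cancel, open, cancel, ... within one tick."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1                 # client-initiated streams are odd-numbered
        frames.append(("HEADERS", sid))
        frames.append(("RST_STREAM", sid))
    return frames


def normal_burst(n: int) -> List[Tuple[str, int]]:
    """Constructed well-behaved client: opens n streams and lets them run."""
    return [("HEADERS", 2 * i + 1) for i in range(n)]


def run(conn: Http2Connection, frames) -> Tuple[int, int, bool]:
    """Deliver one event loop's worth of frames; return (accepted, refused, closed)."""
    conn.new_tick()
    for kind, sid in frames:
        conn.frame(kind, sid)
    return conn.accepted, conn.refused, conn.closed


if __name__ == "__main__":
    print("concurrent limit only:", run(Http2Connection(), rapid_reset_burst(10_000)))
    print("with per-tick budget: ", run(Http2Connection(new_streams_per_tick=1_000),
                                         rapid_reset_burst(10_000)))
    print("normal client, 150 streams:", run(Http2Connection(), normal_burst(150)))
```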
There seems to be no word on Rapid Reset from the Apache project, but according to online forums, a few admins have disabled HTTP/2 as a precaution.
Pardue, Lucas and Julien Desgats, HTTP/2 Rapid Reset: deconstructing the record-breaking attack, blog post, 10 October 2023. Available online at https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/.
Scholl, Tom and Mark Ryland, How AWS protects customers from DDoS events, blog post, 10 October 2023. Available online at https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/.
Vernik, Michael and Nina Forsyth, HTTP/2 Rapid Reset Attack Impacting NGINX Products, blog post, 10 October 2023. Available online at https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/.
Microsoft Moves: Die, NTLM! Die!
Microsoft has long been burdened by the need to maintain backward compatibility with older product versions which were originally designed in an era when the world generally - and Microsoft in particular - was more . . . naive . . . about security. Although the Redmond giant has always tended to favour first glitz and glamour, then functionality, and finally security, when it has bitten the bullet and moved to new architectures that compromised that backward compatibility, the results have been painful for at least some of its customer base. Remember Windows Vista? Nothing much changed as Microsoft waited for the market to catch up, with compatible versions of applications and - especially - device drivers, and when an effectively-updated Vista was relaunched as Windows 7, customers loved it.
Now it looks like the firm is preparing to bite the bullet again, this time addressing the problems surrounding legacy authentication, specifically the NTLM authentication protocol. NTLM replaced the very weak original LanMan hashes that date back to the days of Microsoft LAN Manager, but is still essentially a simple protocol which hashes a password and then sends the hash over the wire. Hardly any enterprise networks rely on NTLM, having adopted Active Directory - which is based on Kerberos - many, many years ago, but NTLM lives on for a few reasons:
- NTLM doesn’t require local network connection to a Domain Controller
- NTLM is the only protocol supported when using local accounts
- NTLM works when you don’t know who the target server is
As a result, some applications and services continue to rely on NTLM, rather than switching to Kerberos. As a result, it is often not possible to disable NTLM; even some enterprise scenarios require it as a fallback when Kerberos is not available. And, of course, many SME's and microbusinesses rely on NTLM, as it is used by many third-party network accessible storage (NAS) products as well as Microsoft's own Workgroups feature and Remote Desktop Protocol in these non-AD environments.
In order to be able to finally dispense with NTLM, Microsoft is introducing two new features for Windows 11. The first is 'Initial and Pass Through Authentication Using Kerberos' (IAKerb), which the company describes as "a public extension to the industry standard Kerberos protocol that allows a client without line-of-sight to a Domain Controller to authenticate through a server that does have line-of-sight." As I first read that word, "public", a small daemon on my shoulder urgently whispered, "Embrace-Extend-Extinguish!", but I am prepared to wait and see - both Microsoft and the market have evolved since those days, I hope.
IAKerb works through a 'Negotiate' extension and will allow the Windows authentication stack to proxy Kerberos messages through the server on behalf of a client in a firewall-segmented or remote access scenario. As it does this, it will rely on the confidentiality and authenticity of origin services of Kerberos itself to protect its messages against relay and replay attacks.
The second new feature is perhaps more significant for non-AD sites and scenarios. In order to support local (as opposed to domain) remote logons, a local Kerberos KDC will be added to Windows 11, built on top of the Security Account Manager. This will leverage IAKerb and allow Windows to pass Kerberos messages between machines without having to add support, and open ports, for such services as DNS, netlogon or DCLocator. In addition, Microsoft is removing hard-coded references to NTLM from other Windows components, changing them to use the Negotiate protocol instead, allowing an easy transition to Kerberos.
These changes will be enabled by default and will not require configuration in most scenarios, although NTLM will continue to be available as a fallback for the time being. However, another set of changes coming to Windows 11 includes additional service information being recorded in event logs, coupled with more granular policies, to allow domain admins to track and block NTLM on a service-by-service basis. The same telemetry will be used by Microsoft itself to eventually pull the plug on NTLM for good - although even once it is disabled by default, users will be able to re-enable it. Somehow, I do not think it will go gentle into that good night.
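The service-by-service tracking described above builds on auditing that already exists today. The following PowerShell script is an added example, not code from the article or from Microsoft, showing how an administrator can take a baseline before the new policies arrive: it lists recent NTLM logons from the Security log (event 4624, grouped by NTLM version, account and workstation), reports the current "Network security: Restrict NTLM" policy values from the registry paths Windows uses for those Group Policy settings, and counts entries in the NTLM operational log. It assumes it is run elevated on the host (or domain controller) whose logs you want to inspect; the seven-day window is an arbitrary choice.

```powershell
# Added example (not from the article or from Microsoft): inventory NTLM use on a
# Windows host before tightening "Restrict NTLM" policy. Run elevated; reading the
# Security log requires it. The 7-day window is an assumption, adjust as needed.
$since = (Get-Date).AddDays(-7)

# 1. Where NTLM is still being used: successful logons (Security event 4624) whose
#    authentication package is NTLM. The XML view of the event is parsed by field
#    name rather than by positional index, so the script does not break if the
#    property order differs between Windows versions.
$ntlmLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType   = $d.LogonType
                LmPackage   = $d.LmPackageName      # 'NTLM V1' or 'NTLM V2'; V1 is the one to retire first
                Workstation = $d.WorkstationName
                SourceIp    = $d.IpAddress
            }
        }
    }

# Each group is an (NTLM version, account, workstation) triple that must be migrated
# to Kerberos, or explicitly exempted, before the policy is moved from Audit to Deny.
$ntlmLogons | Group-Object LmPackage, Account, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Current state of the existing "Network security: Restrict NTLM" policies. These
#    Group Policy settings are stored under the registry keys below; an absent value
#    means "not configured" (NTLM allowed). The numeric meanings differ per setting,
#    so read them against the policy's own description rather than assuming 0/1/2.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$nlg = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$checks = @(
    @{ Path = $msv; Name = 'AuditReceivingNTLMTraffic' },
    @{ Path = $msv; Name = 'RestrictReceivingNTLMTraffic' },
    @{ Path = $msv; Name = 'RestrictSendingNTLMTraffic' },
    @{ Path = $nlg; Name = 'AuditNTLMInDomain' },      # meaningful on a domain controller
    @{ Path = $nlg; Name = 'RestrictNTLMInDomain' }    # meaningful on a domain controller
)
foreach ($check in $checks) {
    $v = (Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue).($check.Name)
    '{0,-30} {1}' -f $check.Name, $(if ($null -eq $v) { 'not configured (allow)' } else { $v })
}

# 3. Once auditing is enabled, the NTLM operational log records each audited or
#    blocked authentication (event IDs 8001-8004). A non-zero count here confirms
#    the audit policy is actually firing before you rely on it.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id | Select-Object Name, Count
```

Run it on a file server or domain controller first, since those are the hosts that receive NTLM from the NAS devices and legacy applications mentioned above; the grouped output from step 1 is the list of dependencies to work through before any "deny" setting is applied.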
So, for those of us who manage small networks, expect a few pain points in times to come. On balance, though, it will be worth it; an entire category of dictionary, rainbow-table and pass-the-hash attacks will eventually be consigned to the scrap heap of history.
Palko, Matthew, The evolution of Windows authentication, blog post, 11 October 2023. Available online at https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848.
Upcoming Courses
- SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
- SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
- SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
- SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
- SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
- SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.