Category Archives: Opinion

The Eternal Battle over Active Directory between OT and IT

29 October 2020

On October 13th I moderated the anapur Virtual Dialog “Network Monitoring and Anomaly Detection”. During the breaks, some participants from industry talked about a really concerning issue: IT, IT-Security and GRC groups in their companies urge them to integrate their so far isolated production active directories in the corporate directory.

I have been involved in these discussion for 10 years and I never changed my answer:

Don’t do it!

This integration is dangerous. Active Directory simplifies lateral movement once an attacker created a foothold in your network. And it simplifies the distribution of malware through login scripts. Remind the Norsk Hydro attack from March 2019: Divisions with high vertical integration were more affected from LockerGoga than the Alumina production.

In their paper “Seven Strategies to Defend ICSs” from December 2016, DHS ICS-CERT, FBI and NSA provide a very clear active directory strategy:

Never share Active Directory, RSA ACE servers, or other trust stores between corporate and control networks.

For details see chapter 5, “Manage Authentication”.

Hope this helps in discussions with IT, IT-Security and GRC.


In his poem Ulysses, Alfred Tennyson brings it to the point:

Tho‘ much is taken, much abides;
and though we are not now that strength
which in old days moved earth and heaven;
that which we are, we are;
one equal temper of heroic hearts,
made weak by time and fate,
but strong in will to strive, to seek, to find.
And not to yield.

The Boothole Vulnerability – Need to Panic?

23 August 2020

CVE-2020-10173 (aka BootHole(1)) got much attention in the media in the past weeks  because this flaw in GRUB 2 may be used to tamper the boot process. But the worst is yet to come. “This flaw also allows the bypass of Secure Boot protections.”(2)

From the description in the NIST NVD we learn: “In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining [a] physical access, [b] obtain the ability to alter a pxe-boot network, or have [c] remote access to a networked system with root access.”(2)

Options [b] and [c] do not really matter. Once an attacker gets the opportunity to modify the network boot capabilities of your system, or has root access to your system, the game is over. In this case, exploiting BootHole is rather counterproductive because the probability of detection goes up.

Fedora32 EFI Partion

Fedora EFI Partition

But BootHole becomes a serious issue if an attacker gets physical access (option [a]) to an unpatched system. These so-called Evil Maid attacks work even on secured Linux systems because the EFI (FAT) partition is easy to modify after the computer is booted from a Linux Live System.

In the case, you followed the industry best practices and secured the BIOS of your computer with a password, the attacker must extract the hard disk and run the change on another system. This is not uncommon when it comes to espionage, terrorism, or sabotage.

But the group of persons in focus of such activities is already vulnerable against Evil Maid attacks. So, the additional risk that stems from BootHole is neglectable. No need to panic!

Nevertheless, install the patch as soon as possible. And secure the BIOS of your computer with a password.

Dell Vostro Laptop with Fedora32/EFI

Dell Vostro Laptop with Fedora Linux/EFI

But the best advice is: Don’t leave your devices unattended. Even the hotel safe is no safe place.

My preferred solution to Evil Maid attacks, the lightweight version, is Fedora Linux on a micro SD-Card.

Have a great week.


References

  1. Eclypsium. There’s a Hole in the Boot [Internet]. Eclypsium. 2020 [cited 2020 Aug 18]. Available from: https://eclypsium.com/wp-content/uploads/2020/08/Theres-a-Hole-in-the-Boot.pdf
  2. NIST Information Technology Laboratory. NVD – CVE-2020-10713 [Internet]. NATIONAL VULNERABILITY DATABASE. 2020 [cited 2020 Aug 23]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2020-10713

CIS Password Policy Guide – A Quantum Leap in User Experience and Security

8 August 2020

The Password Policy Guide(1) published by the Center for Internet Security (CIS) on 29 July 2020 drowned in the omnipresent noise of vulnerabilities and data breaches.

Wrongly, because the CIS guide puts an end to the commonly accepted practice of complex passwords, namely those that are easy to crack but hard to remember.

The guide recommends:

  • The use of passphrases because users will select longer, more-secure passwords.
  • Event-based password expiration with an annual change as a backstop.
  • And the use of password managers.

Especially for password managers the guide recommends:

Use of these should be actively encouraged for use with password-only authentication systems (especially if the user needs to manage access to multiple of these systems)”

And, where “feasible, using MFA instead of just a master password to gain access to the Password Manager is preferred”

Yubikey for MFA and KeePassXC

For some months now I mainly work on a Linux desktop. Unfortunately, I often must switch to Windows because of Word and Powerpoint. So, I use KeePassXC to allow easy switching between the operating systems.

My cloud account is secured with Yubikey, and so is my KeePassXC database. Works fine on Windows and Linux.

To boost user experience and password security, please give the CIS Password Policy Guide the attention it deserves.

Have a great weekend.


References

  1. White Paper: CIS Password Policy Guide [Internet]. Center for Internet Security. [cited 2020 Aug 8]. Available from: https://www.cisecurity.org/white-papers/cis-password-policy-guide/.

The most important questions to ask in a firewall rule assessment

25 June 2020

Regular firewall rule assessments are basic IT/OT security housekeeping procedures. Security staff challenges every rule after well-known industry best practice like ANY Computer or ANY Port rules, bi-directional rules, use of unsecure protocols like ftp, telnet, smb, not used rules, etc.

Nervennahrung for firewall assessment. Own work.

Picture 1: Nervennahrung for firewall rule assessments

Compliance to industry best practice can be achieved with a plain checklist. Thus the check can be automated to a far extent. The nerve-racking work starts afterwards, when each finding is discussed with the users.

But, in general, the security staff does not challenge the rule itself. Or it’s direction. Or the ports used.

These questions are asked after the rule has passed the best practice checks. No automation possible. They require in-depth knowledge of the services accessed through the firewall, and, they belong to the nerve-racking category. But it’s worth to ask these questions because

The best firewall rule is the one that not exists.

You must not care of such rules in the case of a security incident, no regular review required, no discussion with users. Entrepreneurs should be interested in cleaning up the rule base because it saves costs, and increases security.

More about this in the next post.


Picture credits

Picture 1: Vienna 2020. Own work

Australia Fights Sophisticated State-Backed Copy-Paste Attack with The Essential Eight!

20 June 2020

Reports on a wave of sophisticated nation state sponsored cyber-attacks against Australian government agencies and critical infrastructure operators spread like wild-fire through international media the day before yesterday.

From an IT security point of view, the access vector is really interesting. In Advisory 2020-008 (1) , the Australian Cyber Security Centre (ACSC) states that the actor leverages mainly a remote code execution vulnerability in unpatched versions of Telerik UI, a deserialization vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability, and the 2019 Citrix vulnerability.

The name Copy-Paste for the attacks comes from the actor’s “capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organizations.” (1)

The Essential Eight

The Essential Eight (Click to enlarge)

In the advisory the ACSC recommends some really basic preventive measures like patching or multi-factor authentication. These are two controls of “The Essential Eight”(2). I like the name “The Essential Eight”. It reminds me on the 1960 Western-film “The Magnificent Seven”, reinforced by Chuck Norris 😉

The Essential Eight focus on very basic strategies to reduce the likelihood and the impact of an attack. Without them, UEBA, SIEM, Threat Intelligence, Deep Packet Inspection, PAM, etc. make few sense.

Except of multi-factor authentication, The Essential Eight are part of the feature-rich Windows and Linux OS or already (backup solution) in place. So, only some internal effort and leadership is required to dramatically increase the resilience against cyber-attacks.

The Essential Eight are a prefect weekend reading. Have fun.


References

  1. Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks | Cyber.gov.au [Internet]. [cited 2020 Jun 19]. Available from: https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
  2. Australian Cyber Security Center. Essential Eight Explained | Cyber.gov.au [Internet]. Australian Signals Directorate. 2020 [cited 2020 Jun 19]. Available from: https://www.cyber.gov.au/publications/essential-eight-explained

An endless stream of SMB vulnerabilities …

11 June 2020

SMBleed, SMBLost, and SMBGhost/CoronaBlue are the vulnerabilities detected in the Microsoft SMB V3 protocol this year.

Critical SMB Vulnerabilities

Critical SMB Protocol Vulnerabilities

SMBleed/SMBGhost can be used to compromise a company network by attacking a system in the DMZ with port 445 open to the internet. Fortunately, SMBleed and SMBGhost impact only the latest Windows 10 versions. The number of Windows 10 systems directly accessible from the internet is still small.

Vulnerable Windows 10 1909 Pro Systems

Vulnerable Windows 10 1909 Pro Systems

Like EternalBlue, SMBLost impacts all Windows versions but is less critical because authentication (PR:L) is required.

The good news is that patches were available at the time the vulnerabilities were published. But it takes some weeks to implement them. During this time companies remain vulnerable against cyber-attacks.

Vulnerability management / priority patching is the standard approach to this kind of vulnerabilities. IT staff is kept busy, IT security solution and service providers make a good bargain, but the company’s resilience against cyber-attacks stays low. Companies can only hope that also the next SMB vulnerability is disclosed after a patch is available.

From an entrepreneurial point of view the obvious solution is to remove such systems from the internet. A risk assessment is imperative to evaluate the potential loss of sales and the costs of recovering from a cyber-attack. If the recovery costs exceed the potential loss of sales the system should be removed. This will slightly reduce IT costs but increase the resilience against such kind of cyber-attacks.

It is high time to evaluate IT[-security solutions] from an entrepreneurial point of view, in terms of Loss of Sales and Loss of EBIT.

Have a great weekend.

New study shows: Vulnerabilities in popular open source projects doubled in 2019. No need to panic!

9 June 2020

Catalin Cimpanu’s (1) post on the RiskSense study “The Dark Reality of Open Source” is well worth reading. Open source software is used everywhere. A critical vulnerability in an application that is based on open source software can lead to a data breach. But this holds also for commercial software. We can also expect that the number of flaws in open source and commercial software is roughly the same.

The main difference is that the number of open source software reviews is much higher than the number of commercial software reviews. So the results of the study are not really surprising.

In the case of TomCat, 7 of the 72 published vulnerabilities were weaponized. A quick check against the latest Coverity scan results for Apache TomCat (2) shows that the software has 987 defects, thereof 290 not yet fixed.

High impact defects are very valuable for attackers because their exploitation results in a full loss of integrity. The number of high impact defects in TomCat yet not fixed is 171. So we can expect that the number of vulnerabilities that can be weaponized is high.

In the case of Puppet, none of the 72 published vulnerabilities were weaponized. The latest Coverity scan for Puppet (3) shows no high impact vulnerabilities. So the result is not surprising.

What is the difference between Puppet and TomCat? Puppet is written in PHP/Python/Ruby with a defect density of 0.20. The defect density is the number of defects in 1000 LoC. TomCat is written in Java with a defect density of 1.19. Thus, software reviews will definitely detect more vulnerabilities in TomCat than in Puppet.

This has direct impact on your security strategy. If you use TomCat as middle-ware in the DMZ you should design your application to allow frequent patching, means, more robust against changes in the middle-ware. In addition, automated testing is required to ensure operability in the case a patch must be implemented. Finally, your operations team must be prepared to install patches within few hours upon release by the vendor.

Have you ever seen such details for commercial software? Like IIS?

Have a great week.


References

1. Cimpanu C. Vulnerabilities in popular open source projects doubled in 2019 [Internet]. ZDNet. 2020 [zitiert 8. Juni 2020]. Available at: https://www.zdnet.com/article/vulnerabilities-in-popular-open-source-projects-doubled-in-2019/

2. Synopsys. Coverity Scan – Static Analysis for Apache TomCat [Internet]. 2020 [zitiert 9. Juni 2020]. Available at: https://scan.coverity.com/projects/apache-tomcat

3. Synopsys. Coverity Scan – Static Analysis for Puppet [Internet]. [zitiert 9. Juni 2020]. Available at: https://scan.coverity.com/projects/puppetlabs-puppet

ComRAT V4 got an upgrade: On the value of Threat Intelligence

30 May 2020

Popular IT security media and threat intelligence services reported this week that the ComRAT V4 malware used by Turla APT got an upgrade. (1)(2)(3)

The big question for all businesses is: Do we have an increased risk resulting from this upgrade? Are the existing security controls still mitigating the risk stemmed from the ComRAT upgrade? Or do we have to upgrade our security controls as well.

The businesses in focus of the Turla APT should answer this question as soon as possible. Detailed information about the feature upgrade as well as the existing security controls are required to answer this question. This is nothing new. “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” says Tzu Sun in the “Art of War” about 500 BC.

Are you prepared to answer this question? Your invest in threat intelligence is uneconomic if you cannot evaluate the threat details in the context of your environment.

What about ComRAT? The way command and control is performed changed. But the primary installation method has not changed: “ComRAT is typically installed via PowerStallion, a lightweight PowerShell backdoor used by Turla to install other backdoors.”(1)

PowerShell 5.0 Icon (5)

PowerShell 5.0 Icon. Picture Credits (5)

So, if you already implemented security controls, that deal with malware which uses PowerShell, your risk will not change. Otherwise, the publication “Securing PowerShell in the Enterprise” (4) of the Australian Cyber Security Center is a good starting point for a systematic approach to PowerShell security.

My advice: Disable PowerShell on all standard user computers. For administrative purposes, use hardened systems without email and internet access and implement PowerShell Endpoints.

Have a great Weekend.


References

  1. Lakshmanan R. New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate Data [Internet]. The Hacker News. 2020 [zitiert 28. Mai 2020]. Verfügbar unter: https://thehackernews.com/2020/05/gmail-malware-hacker.html

  2. Robinson T. Turla’s ComRAT v4 uses Gmail web UI to receive commands, steal data [Internet]. SC Media. 2020 [zitiert 30. Mai 2020]. Verfügbar unter: https://www.scmagazine.com/home/security-news/malware/turlas-comrat-v4-uses-gmail-web-ui-to-receive-commands-steal-data/

  3. Gatlan S. Russian cyberspies use Gmail to control updated ComRAT malware [Internet]. BleepingComputer. 2020 [zitiert 30. Mai 2020]. Verfügbar unter: https://www.bleepingcomputer.com/news/security/russian-cyberspies-use-gmail-to-control-updated-comrat-malware/

  4. Australian Cyber Security Center. Securing PowerShell in the Enterprise | Cyber.gov.au [Internet]. Australian Signals Directorate. 2019 [zitiert 6. März 2020]. Verfügbar unter: https://www.cyber.gov.au/publications/securing-powershell-in-the-enterprise

Picture credits

  1. PowerShell 5.0 Icon. Microsoft / Public domain. https://commons.wikimedia.org/wiki/File:PowerShell_5.0_icon.png

Windows malware Sarwent got an upgrade. Thou shalt not work with permanent administrative privileges!

23 May 2020

Catalin Cimpanu (1) reports in his post „Windows malware opens RDP ports on PCs for future remote access“ published on ZDNET that the Windows malware Sarwent got an upgrade: It is now capable of using the windows command line and PowerShell, adding users, and opening ports in the Windows firewall for RDP access from remote. Since the latter features require administrative privileges on the victims machine, it is very likely that the victims worked with permanent administrative privileges.

To mitigate the risk, the best approach is to revoke any administrative privileges from standard users. This will not reduce the likelihood of occurrence, but it will reduce the severity of impact of an infection with Sarwent. Furthermore, since the attacker is forced to download tools to fully compromise the victims computer, the likelihood of detectability is increased.

Revoking administrative privileges from standard users is a low-cost, high-impact means to enhance resiliency against cyber-attacks, thus should be part of each security strategy.

But it is hard to implement. Managers will face lots of discussions if users must give up beloved habits. It is very important to keep the number of exceptions as small as possible because every exception lowers the overall security level of the company.

Have a great weekend.


  1. Cimpanu C. Windows malware opens RDP ports on PCs for future remote access [Internet]. ZDNet. 2020 [zitiert 22. Mai 2020]. Verfügbar unter: https://www.zdnet.com/article/windows-malware-opens-rdp-ports-on-pcs-for-future-remote-access/

Thunderspy – Don‘t panic!

19 May 2020

Björn Ruytenberg‘s (1) publication about 7 vulnerabilities in Intel’s Thunderbolt interface justifiably attracts a lot of media attention. Ruytenberg writes in the summary:

“Thunderspy targets devices with a Thunderbolt port. If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep.”

In Nazmus Sakib’s (2) post in the Microsoft Security Blog this sounds more dramatically:

“An attacker with physical access to a system can use Thunderspy to read and copy data even from systems that have encryption with password protection enabled.”

For the record: Full Disk Encryption (FDE) like BitLocker or LUKS only protects against theft if the computer is in shutdown or hibernation mode. In these cases, the system asks for the passphrase to encrypt the device. If the computer is booted or in sleep mode full disk encryption is useless.

This also holds for Thunderspy. The facts in brief. Thunderspy is a classic “evil maid DMA” attack. The attacker has to flash the Thunderbolt firmware with malicious code and wait for the victim to boot his computer. Once the computer is left unattended the attacker plugs in a specially crafted Thunderbolt device and copies data from the disk.

This is nothing new. The bad news is that all Thunderbolt-equipped computers built between 2011 and 2020 are affected. And that the vulnerabilities cannot be fixed; a hardware redesign is required.

So, everyone with a Thunderbolt-equipped computer should be concerned? No, absolutely not.

Risk for Consumers
The risk for consumers is unchanged because, in general, these devices are not secured, neither with a BIOS password nor with FDE, thus easy to compromise, e.g., with a Linux Live System, if left unattended.

Risk for Business people
The risk for business people is slightly increased. Business computers in general are secured with FDE, so the attacker must wait until the computer is left unattended to plug in the malicious device. Mitigation in this case requires a change in our habits: Put the computer in hibernation mode, instead in sleep mode, if you leave you workplace. The other important rule, “Don’t attach unknown devices to your computer” is already followed in the business domain.

Risk for Executives
The risk for business executives, military, government officials, etc. is unchanged. This group is always under attack, thus hopefully well protected.

Picture credit: Setreset (1)

Picture credit: Setreset (1)

Dan Goodin (3) sums it up:

“Readers who are left wondering how big a threat Thunderspy poses should remember that the high bar of this attack makes it highly unlikely it will ever be actively used in real-world settings, except, perhaps, for the highest-value targets coveted by secretive spy agencies. Whichever camp has a better case, nothing will change that reality.”

Don’t panic!


References

  1. Ruytenberg B. Thunderspy – When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security [Internet]. Thunderspy. 2020 [zitiert 18. Mai 2020]. Verfügbar unter: https://thunderspy.io/
  2. Sakib N. Secured-core PCs help customers stay ahead of advanced data theft [Internet]. Microsoft Security Blog. 2020 [zitiert 18. Mai 2020]. Verfügbar unter: https://www.microsoft.com/security/blog/2020/05/13/secured-core-pcs-help-customers-stay-ahead-of-advanced-data-theft/
  3. Goodin D. Thunderspy: What it is, why it’s not scary, and what to do about it [Internet]. Ars Technica. 2020 [zitiert 13. Mai 2020]. Verfügbar unter: https://arstechnica.com/information-technology/2020/05/thunderspy-what-is-is-why-its-not-scary-and-what-to-do-about-it/

PIcture credit

  1. Setreset / CC BY-SA (https://creativecommons.org/licenses/by-sa/3.0), https://commons.wikimedia.org/wiki/File:Spy_silhouette.svg