Tag Archives: Home Depot

The Good and the Evil of Auto-Updaters

7 March 2015

This week I had a lot of delightful discussions with software developers during some security assessments.

Software development in very dynamic sectors thrives of rapid deployment of new functions and bug fixes. In particular in large IT organizations, the classic software rollout concept based on software packaging and distribution is often too slow to meet the needs of this users.

Often, developers try to solve this deployment challenge with auto-updaters. For the initial rollout classic software packaging and distribution is used. Once a bug fix or new function is regression tested a new version is build and pushed to the update server.

At every program startup the auto-updater checks the update server. If a newer program version is available the auto-updater installs them on the user’s computer and starts the new version.

This is a very charming concept. Users and developers love it, because it is fast and reliable. And help desk staff loves it because it ensures, that all users work with the same version.

Unfortunately auto-updaters are popular targets for attackers. For example, in the Home Depot data breach, which became public in November 2014, cyber criminals attacked the company’s software deployment system and deployed custom-built malware to point-of-sales devices.

It is very important that developers become aware of those attack vectors. Update servers, build servers, source control systems are very valuable targets for attackers. The mass rollout of malicious software is easy if an attacker gets access to a build or update server. And anti-malware or task virtualization software is largely useless because the attack is initiated by the end-user.

Spring is near

Spring is near

In my opinion it is very important that organizations secure their software development infrastructure and development processes, accompanied by regular security awareness trainings for developers. If possible enforce the Separation-of-Duties principle for all critical processes.

This is also true for the very popular PowerShell scripts which simplify the job of administrators. If an attacker injects some code in scripts which are used for administration of a company’s servers … Don’t panic!

That’s it for this week. Have a good weekend.

The new first line of defence?

22 November 2014

In his latest post at ComputerWeekly.com Warwick Ashford reviews the CyberArk Report ‘Exploits of Privileged Accounts Shift the Front Lines of Security’. His post is absolutely worth reading.‘

‘“One of the reasons for this is smaller, less well-defended organisations have become a prime target for attackers who are ultimately aiming at larger partners in the supply chain,” said Mokady.’

That’s definitely true. Perhaps you remember the Home Depot data breach? This breach was caused by stolen credentials of a third-party vendor.

‘“Securing privileged accounts represents the new first line of defence in the ongoing cyber battle companies are fighting,” he added.’

Very well said. But what really confuses me is that Udi Mokady talks about the new first line of defense. 

The majority of the big data breaches have been caused by stolen credentials. With a Two Factor Authentication (TFA) most of this breaches could have been prevented.

It’s definitely very important to secure privileged accounts. With admin privileges it is very easy to change log settings or tamper audit records. But it is definitely not enough to secure only privileged accounts. Because even with standard user privileges you may have access to business critical data to do your job.

Let me give you an example. Oracle Transparent Data Encryption and SQL*Net encryption and integrity checking are easy to implement measures to secure an Oracle database. This will prevent man-in-middle attacks, eavesdropping of the data traffic and direct access to the database files.

Sounds pretty secure, doesn’t it? Unfortunately it isn’t. Even an unprivileged user, and even more a malicious insider with stolen credentials, is able to install an oracle instant client and use Excel and ODBC to create a copy of all data he could use with his standard user rights.

With TFA enabled, at least on all business critical systems, and for all users, the probability of such an event is dramatically reduced.

Securing accounts with TFA is the very first line of defense.

In addition you should decide about granting privileged access on a per task basis. For business critical infrastructure and applications an administrator should receive an authorization and one-time-password for just one task. At log off the authorizations are dropped. In the best case the admin group for a windows servers is empty. Only the local admin could always logon, but his password is in a safe place.

The authorization process should be implemented with strict application of the separation-of-duties principle, and the permissions should be granted with strict Application of the principle of least privilege. Important: The employees who grant authorizations and privileges should never have the possibility to grant whatever privileges to themselves.

Moreover the consistent application of the principle of least privileges even for standard users and processes will significantly reduce the attack surface of your company.

Nothing really new, just the same old story.

Glacier near by Grächen, Switzerland

Glacier near by Grächen, Switzerland

Have a good Weekend.

The Home Depot Story

13 November 2014

After two month of investigation the reason for the Home Depot data breach appears to be clear: Cyber criminals used stolen credentials from a third-party vendor to enter the Home Depot network. In a report by Mike Davin from November 7, 2014 one could read some more details: ‘The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy “unique, custom-built malware” on its self-checkout systems in the U.S. and Canada.’

It’s a complete mystery to me why companies do not secure the access to business critical data with Two Factor Authentication. TFA would severely hamper such data breaches. I am not overly surprised that the attacker could acquire elevated privileges.

But what really worries me is that the attackers we able deploy software to the company’s point-of-sales devices. It is quite obvious that the software deployment process is not sufficiently secured and could be easily tampered.

From my point of view Home Depot’s IT should invest some time in threat modelling of the software deployment process to avoid such incidents in future. In particular the strict enforcement of the Separation-of-Duties principle will prevent unplanned deployment of critical Software.

Have a good day!