Cloudbleed – More Bad News For Using Passwords Alone

A new internet security vulnerability was announced last week, and it is “a scary big deal”.  Cloudbleed, the name given to this vulnerability, has led to a potentially widespread leak of passwords and other data all over the internet.  And, while announced just last week, the leak could have started as early as September 2016.  Websites that use Cloudflare are affected, and those number in the thousands, including Uber, Fitbit, and others.

In plain English, Cloudflare’s software tried to save user data in the right place. That place got full. So Cloudflare’s software ended up storing that data elsewhere, like on a completely different website. Again, the data included everything from API keys to private messages. The data was also cached by Google and other sites, which means that Cloudflare now has to hunt it all down before hackers find it. (source)

In this case, no matter how complex a password is, it is vulnerable.  And as usual, two-factor authentication (2FA) is recommended.

As we’ve argued in the past, you might as well enable two-factor authentication on everything, too, since it’s your best first defense against hackers. (source)

Implementing 2FA within your organization does not have to be difficult.  In fact, with GreenRADIUS, implementation can take as little as 15-30 minutes.  And our customers find it easy to manage and easy to use for both admins and users.  Contact us today to learn more.

DROWN Vulnerability — GreenRADIUS Already Protected

Another potentially serious and widespread vulnerability was announced last week.  The DROWN vulnerability was discovered jointly by several universities and Google and is specific to the legacy SSLv2 protocol.  Even though clients may never use the protocol, servers that still allow SSLv2 connections are vulnerable.

The current available version of GreenRADIUS (v2.0.8.5 at the time of this post) is already protected against this vulnerability.  In fact, all versions from v2.0.2.2 and onward are protected.

As always, Green Rocket Security keeps GreenRADIUS updated against known vulnerabilities.  Contact us today to learn more.

GNU glibc Vulnerability

A new GNU C library vulnerability was announced a couple of weeks ago and exposes a critical flaw affecting almost all Linux machines.  Discovered independently by Google and Red Hat, the flaw is described as “extremely severe”.

The flaw is a stack-based buffer overflow in the glibc DNS client-side resolver that leaves Linux systems and other software vulnerable to remote code execution.

Experts urge admins to patch immediately.

“It qualifies as an urgent ‘patch today’ vulnerability,” said Kenneth White, security researcher and director of the Open Crypto Audit Project (OCAP). (source)

Anyone who is in a position to update should do so as soon as possible. (source)

A GreenRADIUS update was released last week to protect against this vulnerability.  The latest full build is also updated and is available now.  As always, Green Rocket Security is focused on making sure GreenRADIUS is always updated against known threats.  Contact us today to learn more.

OpenSSH Vulnerable to Unlimited Authentication Attempts

Possibly the biggest security news this past week was the announcement of a bug in OpenSSH that opens it to password cracking.  Normally, OpenSSH restricts the number of failed authentication attempts that can occur on an account, but the recently discovered bug can allow 10,000 authentication attempts within a two-minute window, regardless of the OpenSSH settings.

Now, high-security configurations of OpenSSH would usually require authentication with a private key from the client, but this isn’t always used for various reasons, and SSH brute-force attempts are a common occurrence on the Internet.
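As an added illustration (not code from the original post or from Green Rocket Security), the script below shows the kind of detection a defender can run on the SSH host whether or not the server-side attempt limit holds: it parses sshd failure lines from the auth log and counts failures per source address inside a sliding two-minute window, the same window the bug above is described in terms of.  The log lines are constructed samples, the host name and addresses are made up, and the default threshold of 6 mirrors OpenSSH’s default MaxAuthTries so that anything beyond it in one window stands out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd auth-log lines (syslog format, no year); not real data.
SAMPLE_LOG = """\
Jul 23 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 23 10:00:03 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 23 10:00:05 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 23 10:00:06 bastion sshd[2104]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 51240 ssh2
Jul 23 10:00:08 bastion sshd[2104]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 51240 ssh2
Jul 23 10:00:09 bastion sshd[2107]: Accepted publickey for ops from 198.51.100.4 port 40222 ssh2
Jul 23 10:00:11 bastion sshd[2104]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 51240 ssh2
Jul 23 10:00:14 bastion sshd[2104]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 51240 ssh2
Jul 23 10:01:30 bastion sshd[2110]: Failed password for ops from 198.51.100.4 port 40230 ssh2
Jul 23 10:01:35 bastion sshd[2110]: Failed password for ops from 198.51.100.4 port 40230 ssh2
Jul 23 10:03:00 bastion sshd[2120]: Failed password for root from 203.0.113.7 port 51300 ssh2
"""

# Matches both password and keyboard-interactive (PAM) failures as sshd logs them.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|keyboard-interactive/pam) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source_ip) for every failed-authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def peak_failures_per_source(log_text, window_seconds=120):
    """Return {ip: highest number of failures seen inside any window_seconds-long window}.

    Lines are assumed to be in time order, as they are in a log file."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, _user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # evict attempts that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def flag_bruteforce(log_text, threshold=6, window_seconds=120):
    """Sources whose peak failure count within one window reaches the threshold."""
    return {ip: n for ip, n in peak_failures_per_source(log_text, window_seconds).items()
            if n >= threshold}


if __name__ == "__main__":
    for ip, n in flag_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures within 120 s")
```

The window is evaluated per source address rather than per account, because a cracking run typically spreads across several user names from one client; a real deployment would feed `parse_failures` from the live log and raise an alert or block the source when `flag_bruteforce` returns it.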

So how do you enable high security when you can’t use private key authentication?  The great thing about OpenSSH is that it supports the use of a RADIUS server for authentication requests.  Using this integration, it is possible to easily implement 2FA in OpenSSH using GreenRADIUS.  Brute-force password hacking solved, whether OpenSSH is vulnerable or not.
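To make the integration concrete, here is an added example (not part of the original post, and not GreenRADIUS code) of the RADIUS Access-Request / Access-Accept exchange that sits between an SSH host and a RADIUS server, written in plain Python with only the standard library.  In practice OpenSSH reaches RADIUS through a PAM module on the host; the example models both ends of the wire: the client hides the User-Password attribute as RFC 2865 specifies, the server decodes it, applies a credential check and signs its reply with the Response Authenticator, and the client verifies that signature before trusting the verdict.  The demo policy (the user types the password followed by a six-digit code in one field, which is how a RADIUS 2FA back end commonly receives both factors from a PAM client) and the user table with its code are constructed stand-ins; a real server validates the OTP against the token itself.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)       # pad to a multiple of 16 with NULs
    out, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decode_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")   # wrong secret yields garbage, never an exception


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, request_auth=None):
    """Client side (the SSH host's RADIUS client): build an Access-Request with a fresh Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, encode_password(password, secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def handle_access_request(packet, secret, check_credentials):
    """Server side: recover the credential, consult the policy, reply Accept or Reject with a Response Authenticator."""
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    username = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = decode_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if check_credentials(username, password) else ACCESS_REJECT
    header = HEADER.pack(reply_code, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no reply attributes here.
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response, request_auth, secret):
    """Client side: check the Response Authenticator; returns (authentic, reply_code)."""
    code, _ident, length = HEADER.unpack(response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]), code


# Constructed demo policy and user table (hypothetical values, not a real OTP validation).
DEMO_USERS = {"alice": ("hunter2", "492817")}


def demo_two_factor_check(username, submitted):
    record = DEMO_USERS.get(username)
    if record is None or len(submitted) <= 6:
        return False
    password, otp = submitted[:-6], submitted[-6:]
    return (hmac.compare_digest(password.encode(), record[0].encode())
            and hmac.compare_digest(otp.encode(), record[1].encode()))


if __name__ == "__main__":
    secret = b"sharedsecret-demo"          # constructed; the real one is configured on both ends
    req = build_access_request(1, "alice", "hunter2492817", secret)
    resp = handle_access_request(req, secret, demo_two_factor_check)
    print(verify_response(resp, req[4:20], secret))   # (True, 2): authentic Access-Accept
```

Two properties matter for the brute-force argument above: the verdict is computed by the RADIUS server, not by sshd, so a second factor is demanded on every attempt whatever the SSH daemon's own limits do; and a reply that was not produced with the shared secret, or that was altered in transit, fails `verify_response`, so the client never accepts a forged Access-Accept.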

Don’t Let the GHOST Catch You

Yesterday, Qualys announced a new vulnerability called GHOST.  (Since Shellshock, everyone thinks vulnerabilities need to be named.)  This vulnerability is in glibc, a critical library used by the Linux kernel and common to all distributions.

The vulnerability potentially allows for remote execution in the kernel space (i.e. highly privileged) without any user credentials, meaning complete control over the system.  Obviously, this is a very serious vulnerability, and it was quickly patched on all the major Linux distributions.  Luckily, based on the analysis at this point, it seems that this is a fairly tough hack, as it needs a vulnerable service to be running (and so far, most common services have proven not to be).

Green Rocket Security treats these vulnerabilities seriously and strives to ensure you have the most secure 2FA environment available.  To that end, today we have released GreenRADIUS v1.2.1.1 which patches this vulnerability, and it is available for immediate download.

A Skeleton Key to Your Network

There is a new report on a serious piece of malware called Skeleton Key that allows Active Directory logins using a single factor (i.e. password) to be bypassed.  This malware, when active on a domain controller, allows a malicious user to log in as any user without impacting normal user access (so it isn’t readily detectable).  This can be used for both local authentication as well as remote access such as VPNs and webmail.

This threat allows the hacker to use any password to log in successfully to any account, regardless of privilege, from user to admin.  While the current version does not survive a reboot of the domain controller, it would seem to be only a matter of time before it is persistent (and also likely that Microsoft will issue some sort of patch).

Importantly, the primary mitigation at this point is to implement multi-factor authentication.  By implementing 2FA, you prevent the ability to bypass the password login and prevent the malware from accomplishing its goal even if it is present.  While local logins may still be threatened, remote access is a much larger threat and should be the primary concern.

This is also an example of why you should ensure that your 2FA can’t be bypassed.  In this case, 2FA isn’t implemented at all, but if an implementation weren’t complete or had gaps (such as the admin still being able to log in remotely with his password even though all the users must use 2FA), you would still be vulnerable.  Looking at your network holistically is always important.

Remote access threats are the primary focus of Green Rocket Security.  Our products provide simple, cost-effective solutions for 2FA.

The Asymmetric Costs of Security

I ran across a great article here the other day about a presentation at the Kiwicon in New Zealand. What really caught my eye was the asymmetry in terms of costs to the attacker and the attacked. The title of the article says that it takes about $3M in security infrastructure (software/hardware/people) to defend against an attacker who can spend $100K on the attack. 30 to 1. That’s huge.

Now of course most of us will hopefully never have to face an attacker with those kinds of resources (although it sure seems Sony did, though given the reports about their security, it probably wasn’t necessary to spend that much).  But at a 30-to-1 ratio, it doesn’t take much from the attacker to make you spend a lot of resources to be safe.

It’s important to remember that security is really all about trade-offs. You accept a certain amount of risk for a certain amount of cost to security. Where the line is drawn will vary with each organization, but there is always a line because you can never get to absolute security (and if you try, the costs go up way more than the incremental security you get). But what this really means is that you should always have a clear target for your security level. You can’t just throw security solutions at your IT environment and expect the organization to be secure. If you don’t have the people to run and maintain the systems you put in place, they aren’t going to provide any extra security, just extra cost.

Given the asymmetry between what you have to spend for protection and what the hackers out there have to spend to attack you, cost-effective, and ideally low-cost, security solutions are extremely critical for any organization.  GreenRADIUS was specifically designed with this in mind: to provide the most cost-effective solution for managing 2FA, to bring the cost asymmetry down to something closer to cost parity, and thereby take back the advantage.

Now that the line has been crossed, where will it end?

About all I can say is WOW.  Earlier this month, I mentioned that Sony didn’t have the best security practices, as evidenced by some of the information leaking out after the large hack.  And as for what came out, we are seeing full movies, scripts, emails, salary information, contracts, etc.  An absolute mess for Sony, to be sure, but one left to the digital/virtual world.  But now it seems that the culprit really is North Korea, as had been suspected, and their target was the movie (“The Interview”) they thought disparaged their “great leader” (Ok, it does disparage him, but it’s a comedy, it’s supposed to).  Not satisfied with just attacking Sony’s digital infrastructure, they are threatening to bomb theaters that show the movie.  And now Sony has announced they are cancelling the release completely.

This marks the first time, at least in a more general way, that a digital attack has been directly linked to a physical threat.  Not only did the attack fully take control of the digital infrastructure and cause major damage, but it was then followed by a physical threat, one tied to specific actions with, if followed up on, dire consequences.  And, maybe the most important thing here, is that they succeeded in getting what they wanted — the picture won’t be released and shown (at least not for quite a while, anyway).

Now of course they could have made the threat without the digital attack, but it may not have carried the same weight, given all the press the breach has brought.  The real downside to all this is that it shows a possible way for dissident groups (think Anonymous or similar) to try and get their way, since it is unlikely anyone will take direct action against North Korea for the digital attack, and there hasn’t been a physical attack (and since the movie is cancelled, there shouldn’t be an opportunity for one, assuming they actually could carry such an attack out).  Cause a major breach on someone they don’t like, and then threaten to bomb them if they don’t do something more.  How long before someone actually follows through?  What happens when the threat comes from someone like ISIS, or Iran, or even Russia?

We may be seeing a very uncomfortable convergence between digital violence and physical threats that hasn’t existed before (at least not on a large scale).  Not a very pleasant thought.

Now we know that Sony doesn’t have good security inside as well as outside

“Wow” is about all I can say to this article about the recent Sony hack.  Along with all the other data that was taken, it now appears that a large number of documents contained passwords to all kinds of things, from websites to documents to internal services, all listed in unencrypted files.  Under what security best practice do you store your passwords in plain text files on servers?

Now not every website or service supports 2FA, so you can’t just replace passwords completely, but come on!  Passwords stored en masse in plain text files?  Do we need to send in security experts to train Sony about security?  This isn’t the first hack to hit Sony, but it seems like they haven’t learned from their experience.

Security is a brutal business.  There is little forgiveness for mistakes, and it can be tough to know what to do.  GreenRADIUS can help provide simple, easy to use 2FA to help secure your systems.  With good 2FA, you can protect your access points and prevent a Sony hack on your systems.

So even parking services need 2FA

So after a nice Thanksgiving holiday here in the U.S. last week, we come back to news of yet another hack involving credentials to remotely access a network.  As detailed here, SP+, a parking facilities operator, announced that their systems had been hacked by an unauthorized party using a remote access tool which was apparently only secured with a username and password.

As I have said before, you need to be able to ensure that entry points to your network are well secured.  Providing remote access to your network, whether for users to gain access to internal services or third party maintenance or partners, is a critical point of vulnerability.  These are authorized holes in your network perimeter and you need to have high assurance of their protection.

As always though, it is critical to provide security which is cost effective and easy to manage.  While long considered the gold standard, tokens such as the RSA SecurID are generally quite expensive and not always the easiest to manage.  Providing expensive tokens to every user that needs remote access is usually a show stopper for the solution, leaving organizations more vulnerable than they need to be due to the costs involved.  GreenRADIUS, paired with YubiKey tokens, provides the simplest, most cost-effective solution for secure remote access.  Simple-to-use tokens that are cheap enough to almost be considered disposable (not to mention without a battery that limits their useful lifespan), combined with a streamlined RADIUS solution, can bring security to any organization.