When trying to come up with something to post about today I started thinking about the biggest problems I run into when doing security assessment for my clients. A bunch of things started running through my head - lack of web or email filtering, lack of sufficient monitoring, poor web security, no security awareness training and bad patch management all came to mind. I don't think anyone can argue that these all can be problems but that doesn't mean they actually are.
When dealing with information security, we all use a bunch of cliche terms, sayings and phrases but often fail to put them into actual practice. We discuss "defense in depth" but then focus almost all of our efforts on protective controls, ignoring detection, response and recovery. Similarly, we all say that eliminating risk is not our goal. In fact, we say, the elimination of risk is not possible. At the same time, we do penetration testing, scanning and assessments that identify all conceivable vulnerabilities and recommend that they be eliminated. What happened to "risk acceptance". In theory, an organization should be able to review the likelihood that a threat exploits a vulnerability causing harm in terms that can be translated into a dollar amount. Taking a page from the CISSP or SANS Security Essentials class - we should be able to identify an annualized loss expectancy. If the ALE for a given risk is $10,000, it makes sense to spend $1,000 per year to mitigate while it doesn't make sense to spent $20,000 per year. This is infosec theory 101. The question however, becomes how do we actually put this theory into practice? I believe the answer relates directly to the concept of asset ownership.
Many times when I talk to my clients I ask them who "owns" data assets. They reply that IT does. I then ask if IT has the authority to permanently modify or destroy the data assets they "own". The response, in most cases, is that no, they don't. Business decisions about data assets (such as the data in a database) are made by the owner of the business unit that uses that data. This fact alone means that the business unit, and not IT, is the asset owner. So what does that have to do with security and why is it a big problem? Good question!
In these same organizations, I ask how involved the business unit owner is in making security decisions. The response is almost always the same; the business unit simply expects that IT or the infosec group will provide them with security. Unfortunately, what "security" means is often not well defined. Generally, from a business unit perspective, "security" means that their assets will never get compromised with a focus on confidentiality and integrity. As a result, there is no concept of "acceptable risk" and this IT/security is left with the unenviable task of attempting to accomplish "perfect" security with a limited budget and limited resources. Because this is not possible, IT/security is left with the responsibility of determining acceptable risk when may business owners intuitively feel all risk is acceptable (when it comes to allocating budget) while no risk is acceptable (after a compromise has occurred).
So what is the solution to this problem? The answer is easy to say but difficult to do. Business owners (the true data asset owners) must take responsibility for accepting risk. IT/security thus moves into the role of providing risk information to business owners. The information provided should include a description of threats, vulnerabilities and some metric that describes the likelihood and level of harm (perhaps the aforementioned ALE). IT/security should also make recommendations as to risk mitigation steps including cost estimates. If the business owner determines the risk is unacceptable, they should be willing to allocate budget or other resources to mitigate. If the business owner determines the risk is acceptable, they should sign off on the fact and be held accountable for the results. IT/security should not be held accountable for compromise that took advantage of accepted risk. Rather, IT/security would be held accountable if the information they provided to the asset owners was bad or if they failed to effectively implement approved control.
This balance ensures that those ultimately responsible for the assets (the owners) play an active role in making security-related business decisions. It also ensures that budgets are tied, at lease in some way, to risk. Finally, it puts IT/security personnel in a position where they have the capability of successfully doing their jobs rather than staying in the "no win" situation they currently are.
Friday, January 6, 2012
Thursday, August 4, 2011
The Scary Truth Behind Hacking Gone Wild
Over the past few months we've seen an unbelievable amount of successful hacking going on. Big names like Sony, Lockheed Martin, RSA Security, NATO and the International Monetary Fund have been in the headlines having suffered massive security breaches at the hands of groups like Anonymous and Lulzsec.
Adding to the madness, a recent article in the Wall Street Journal (http://online.wsj.com/article/SB10001424052702304567604576454173706460768.html) highlighted the fact that in a 2010 the U.S. Secret Service and Verizon Communications's forensic analysis unit responded to a combined 761 data breaches (up from 141 in 2009). Of those, 63% were at companies with 100 employees or less. As also stated in the WSJ article, Visa estimates that about 95% of credit card data breaches involve its smallest business customers.
Yesterday, Fox News reported that "The world's most extensive case of cyber-espionage, including attacks on U.S. government and U.N. computers, was revealed Wednesday by online security firm McAfee" (http://www.foxnews.com/scitech/2011/08/03/massive-global-cyberattack-targeting-us-un-discovered-experts-blame-china/)
What is going on? It feels like a significant paradigm shift is happening in the information security industry and it is not a good one. But why is this happening? In my opinion, what is going on is very simple. Highly publicized hacks followed by named groups like "Anonymous" and "Lulzsec" create the unfortunately all to correct impression that hacking computers is easy. The fact that these attacks are not followed up by highly publicized arrests and convictions creates the unfortunately all to correct impression that you can hack computers and get away with it. Given the likelihood of success and of not getting caught, the situation, from a potential criminal's perspective, boils down to a quote from last week's PaulDotCom podcast - "If you can't do the time, do cybercrime".
The state of cyber security is poor, to say the least. Simple attacks such as spear-phishing and SQL injection are far too successful in far too many circumstances and the bad guys pull further and further ahead. Former L0pht member and current DARPA project manager Peiter Zatko (a.k.a. Mudge) gave a presentation at the most recent ShmooCon stating that the average piece of malware has 125 lines of code while the average piece of defensive software has around 10 million. This disparity creates a problem. Attackers can generate 80,000 different pieces of malware for the effort it takes us to create a single defensive application. And because their malware is much simpler, they would still win that race.
Our biggest problem is that we continue to think of information security in evolutionary terms. We have started with a fairly basic castle model - build big walls around our stuff. As we discovered that doesn't really work by itself, we added some monitoring capabilities and shifted, in thought if not in deed, to the mantra "protection is ideal but detection is a must". In fact, my friend Winn Schwartau wrote a great book called "Time Based Security" that basically stated that the level of security could be measured by the time it takes to detect and then respond to security threats. As we continued to tear holes in out "castles" as a result of third-party connectivity needs, remote workers, web application proliferation, etc. our model started to break again so we again shifted. Now we try to focus on the endpoint by deploying host-based IDS/IPS, endpoint protection, etc. We create walls using VPN tunnels and SSL encryption. Unfortunately, we are still stuck within the same castle - only now the castle just happens to move with us.
The castle was the major defensive military structure throughout the middle ages. The walls withstood prolonged attack and sieges were expensive and dangerous. Breaking castle walls required digging under them using sappers or employing complex siege machines like catapults and trebuchets. Both of these methods were complex, dangerous, expensive and had to be built at the scene of the battle. The came gunpowder and the state of warfare was changed. Now cannon could be deployed to break down castle walls. Those cannon could be build off-site and hauled to the battle by horses, could be fired at range and could be moved to knock down the next castle after the first was rubble. In modern information security, we still use castles - the bad guys use gunpowder.
As I mentioned, I believe a paradigm shift is necessary. One of the best ideas I saw was a posting by Lenny Zeltser entitled "Reflections on Deception and Protean Tactics" - http://blog.zeltser.com/post/7385712192/deception-and-protean-security-tactics. In this article, Lenny postulates about the use of technologies that are easy for us to deploy but that significantly disrupt or delay the attackers. Examples of these include the LaBrea Tarpit, honeypots and “Sparse” files that would look normal on the file system, but would be huge in size when being downloaded.
I don't know if this is the right approach, part of a right approach or if it is going in the wrong direction entirely. I do know that the approach we currently use is resulting in defenders falling further behind each day. While as an industry, I don't believe we have all the answers, I do believe that the first step is identifying the problem. After all, as they used to say on the G.I. Joe cartoons in the 80's, "knowing is half the battle".
Adding to the madness, a recent article in the Wall Street Journal (http://online.wsj.com/article/SB10001424052702304567604576454173706460768.html) highlighted the fact that in a 2010 the U.S. Secret Service and Verizon Communications's forensic analysis unit responded to a combined 761 data breaches (up from 141 in 2009). Of those, 63% were at companies with 100 employees or less. As also stated in the WSJ article, Visa estimates that about 95% of credit card data breaches involve its smallest business customers.
Yesterday, Fox News reported that "The world's most extensive case of cyber-espionage, including attacks on U.S. government and U.N. computers, was revealed Wednesday by online security firm McAfee" (http://www.foxnews.com/scitech/2011/08/03/massive-global-cyberattack-targeting-us-un-discovered-experts-blame-china/)
What is going on? It feels like a significant paradigm shift is happening in the information security industry and it is not a good one. But why is this happening? In my opinion, what is going on is very simple. Highly publicized hacks followed by named groups like "Anonymous" and "Lulzsec" create the unfortunately all to correct impression that hacking computers is easy. The fact that these attacks are not followed up by highly publicized arrests and convictions creates the unfortunately all to correct impression that you can hack computers and get away with it. Given the likelihood of success and of not getting caught, the situation, from a potential criminal's perspective, boils down to a quote from last week's PaulDotCom podcast - "If you can't do the time, do cybercrime".
The state of cyber security is poor, to say the least. Simple attacks such as spear-phishing and SQL injection are far too successful in far too many circumstances and the bad guys pull further and further ahead. Former L0pht member and current DARPA project manager Peiter Zatko (a.k.a. Mudge) gave a presentation at the most recent ShmooCon stating that the average piece of malware has 125 lines of code while the average piece of defensive software has around 10 million. This disparity creates a problem. Attackers can generate 80,000 different pieces of malware for the effort it takes us to create a single defensive application. And because their malware is much simpler, they would still win that race.
Our biggest problem is that we continue to think of information security in evolutionary terms. We have started with a fairly basic castle model - build big walls around our stuff. As we discovered that doesn't really work by itself, we added some monitoring capabilities and shifted, in thought if not in deed, to the mantra "protection is ideal but detection is a must". In fact, my friend Winn Schwartau wrote a great book called "Time Based Security" that basically stated that the level of security could be measured by the time it takes to detect and then respond to security threats. As we continued to tear holes in out "castles" as a result of third-party connectivity needs, remote workers, web application proliferation, etc. our model started to break again so we again shifted. Now we try to focus on the endpoint by deploying host-based IDS/IPS, endpoint protection, etc. We create walls using VPN tunnels and SSL encryption. Unfortunately, we are still stuck within the same castle - only now the castle just happens to move with us.
The castle was the major defensive military structure throughout the middle ages. The walls withstood prolonged attack and sieges were expensive and dangerous. Breaking castle walls required digging under them using sappers or employing complex siege machines like catapults and trebuchets. Both of these methods were complex, dangerous, expensive and had to be built at the scene of the battle. The came gunpowder and the state of warfare was changed. Now cannon could be deployed to break down castle walls. Those cannon could be build off-site and hauled to the battle by horses, could be fired at range and could be moved to knock down the next castle after the first was rubble. In modern information security, we still use castles - the bad guys use gunpowder.
As I mentioned, I believe a paradigm shift is necessary. One of the best ideas I saw was a posting by Lenny Zeltser entitled "Reflections on Deception and Protean Tactics" - http://blog.zeltser.com/post/7385712192/deception-and-protean-security-tactics. In this article, Lenny postulates about the use of technologies that are easy for us to deploy but that significantly disrupt or delay the attackers. Examples of these include the LaBrea Tarpit, honeypots and “Sparse” files that would look normal on the file system, but would be huge in size when being downloaded.
I don't know if this is the right approach, part of a right approach or if it is going in the wrong direction entirely. I do know that the approach we currently use is resulting in defenders falling further behind each day. While as an industry, I don't believe we have all the answers, I do believe that the first step is identifying the problem. After all, as they used to say on the G.I. Joe cartoons in the 80's, "knowing is half the battle".
Wednesday, July 13, 2011
Back to Basics
I tend to lurk on a bunch of email based discussion groups where I watch threads that talk about "what should we used instead of the broken MD5 hash" or "what the alternatives to broken SSL". I see lots of focus on the new 0-day sploit and techniques involving intercepting communications, cracking something or other, then using that to compromise something else. There is no question that when it comes to "cyber security", it is an extremely dangerous world and getting more so. Unfortunately, I think the industry of computer security has lost its way.
A article about recent Booz Allen Hamilton compromise, Anonymous was quoted as saying "We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes (md5, non-salted of course!). We also added the complete sqldump, compressed 50MB, for a good measure." Yesterday, a colleague of mine stated that he found a basic authentication bypass SQL injection bypass vulnerability in a clients payroll server and found that the username/password combination of GUEST/GUEST worked on that same client's VPN. From what I saw or could infer from news about many of the Lulzsec compromises, they seemed to be using SQL injection or similar attacks.
I know 0-day compromises are possible and a threat. I know there are ways to break different types of encryption. I also know that people, generally, can tend to be a little lazy. I don't mean lazy in a bad way but if given the choice between cracking passwords and typing 'or 1=1 into a password field, which would you do? Would you rather research and use an new 0-day exploit or leverage the fact that the target hasn't patched Adobe Reader in 3 years.
As a penetration tester, there are some basic techniques that make my life a lot harder:
• Good patching practice, not only for Microsoft but for all technologies
• Basic hardening, particularly something as simple as changing default passwords
• Security focused web and email filtering.
• Strong firewall rules for both ingress and egress
• Network segmentation and access controls between segments
• A decent web application firewall
• Updated endpoint protection
How many recent (publicized or otherwise) attacks could have been prevented by these fairly basis measures? Am I saying that this is all that is necessary for security? Absolutely not, but I do think that as security professionals, we tend to miss the obvious and focus on the complicated leaving the bad guys with big holes to walk right through. Perhaps we should spend a little time getting back to basics and make sure that the foundation of our security program, the policies and the security infrastructure, are in place because all too often when doing risk assessments for my customers, I find that is not even close to being the case.
A article about recent Booz Allen Hamilton compromise, Anonymous was quoted as saying "We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes (md5, non-salted of course!). We also added the complete sqldump, compressed 50MB, for a good measure." Yesterday, a colleague of mine stated that he found a basic authentication bypass SQL injection bypass vulnerability in a clients payroll server and found that the username/password combination of GUEST/GUEST worked on that same client's VPN. From what I saw or could infer from news about many of the Lulzsec compromises, they seemed to be using SQL injection or similar attacks.
I know 0-day compromises are possible and a threat. I know there are ways to break different types of encryption. I also know that people, generally, can tend to be a little lazy. I don't mean lazy in a bad way but if given the choice between cracking passwords and typing 'or 1=1 into a password field, which would you do? Would you rather research and use an new 0-day exploit or leverage the fact that the target hasn't patched Adobe Reader in 3 years.
As a penetration tester, there are some basic techniques that make my life a lot harder:
• Good patching practice, not only for Microsoft but for all technologies
• Basic hardening, particularly something as simple as changing default passwords
• Security focused web and email filtering.
• Strong firewall rules for both ingress and egress
• Network segmentation and access controls between segments
• A decent web application firewall
• Updated endpoint protection
How many recent (publicized or otherwise) attacks could have been prevented by these fairly basis measures? Am I saying that this is all that is necessary for security? Absolutely not, but I do think that as security professionals, we tend to miss the obvious and focus on the complicated leaving the bad guys with big holes to walk right through. Perhaps we should spend a little time getting back to basics and make sure that the foundation of our security program, the policies and the security infrastructure, are in place because all too often when doing risk assessments for my customers, I find that is not even close to being the case.
Wednesday, June 29, 2011
Cisco Identity Services Engine: What it Means To You
The recent introduction of Cisco’s next generation network access control system (ISE) raises the bar for internal network security controls and should make you examine whether this system is appropriate for your organization.
ISE is an integrated network access control system. The system is designed to restrict network access based on criteria defined by the organization. These criteria typically includes any combination of the following:
· Correct user ID & password authentication
· Windows group membership
· Up-to-date operating system patches
· Antivirus software functioning & up-to-date
· Machine owned and managed by the organization
· Operating system and/or browser
Based on these criteria, the level of network access is defined commensurate with risk. For example, machines that do not have updated patches might be permitted to only “talk” to the patch server so that updates can be installed. Further, network access can be defined dynamically based on the users role (i.e., only Human Resources users are permitted access to the servers containing personnel data.) Restricted network access for guest users is a natural extension of this technology, allowing visitors to access the Internet using existing infrastructure while protecting internal resources.
In legacy NAC systems, this control is implemented through dynamic VLAN assignment in conjunction with a separate control point, typically a dedicated firewall or NAC appliance acting as a primitive firewall. More modern 802.1x NAC systems control access at the switch-port level, but have proven difficult to implement and maintain, requiring multiple disparate systems to manage.
Cisco ISE is innovative in that it implements everything mentioned above in a single integrated platform with a rich, flexible set of policy controls. ISE has broad hardware support, including the most common Cisco switches & wireless devices. Further, tools to accommodate non-NAC and/or non-802.1x compatible devices, such as printers, IP phones, or CCTV systems, are cohesive and mature, requiring minimal effort to maintain.
Employing security consultants and engineers with broad cross-functional experience, NWN STAR is uniquely qualified to design and implement Cisco ISE systems. Our engineers have implemented NAC systems across a variety of industries, including government, education, banking, retail, and healthcare environments. NWN recently became one of the first Cisco partners to be trained and certified to implement these systems for both small- and large-scale environments.
Tuesday, June 28, 2011
Gmail Users Beware
Recently I discovered that a Gmail account I use for subscriptions to newsletters and similar non-critical content had been hacked by someone in China. That, by itself, isn't that interesting but there were some interesting aspects of the "attack".
I would like to think that I am fairly security savvy, given that is what I do for a living but this event has opened my eyes to how vigilant we must be as defenders and the true advantage attacker have over us.
I first discovered that this Gmail account had been compromised when I started receiving bounce-back messages from a strange email address - 451231738@qq.com. I know I didn't send any email address so I did some digging. It turns out that QQ is a popular instant messaging site in China. Hmmmm, that's not good. I then checked out the setting on my Gmail account and discovered what actually happened.
Typically, I view the email from this particular Gmail account on any of various other devices (iPad, laptop, etc.). As a result, I don't usually log in to Gmail itself. When I did, I was presented with a big, red flashy sign that said, basically, Danger Will Robinson, someone has recently logged into your account from China - click here to see what happened. I clicked there and found that my account had been accessed at least 3 times from China starting around 10 days before I detected the problem. That, of course, prompted additional investigation.
I looked in the setting of my Gmail account and found a lot of bad things. I first noticed that someone had set up the QQ email address as an address that mail sent to the Gmail account could be forwarded to. Next, I discovered that the password recovery email address was also set to the QQ email address. Finally, I found a number of filters set up to forward any email containing the words "password", "info", "account" and "paypal" would be sent automatically to the QQ account. Also, any email from @blizzard.com or @battle.net would be forwarded.
Given that I don't use this Gmail account for anything critical, I'm not terribly concerned about the impact of this hack. I suppose someone in China could steal my subscription to a newsletter or discussion group but that's not that big of a deal. There are a couple of things that really do have me concerned.
First, how did the attacker manage to compromise my account without me knowing about it? Perhaps my password could have been better but doesn't Google have a setting to prevent brute force attacks?
Second, it scares me that the attacker was able to modify the settings of my Gmail account such that I would not have found out about the attack if the QQ address hadn't been shut down. How many others don't log into the Gmail web site but rely on Mail.app, phone mail clients, Outlook or similar mail clients to get their mail?
Third, how many people use their Gmail accounts to conduct real business (either professional or personal)? How many people use Gmail to reset the passwords on their bank accounts, to pay bills, etc. This type of attack had little real negative impact on me but that we partially dumb luck in that I don't use Gmail for anything really important.
Finally, is this problem specific to Gmail? Are other web-based mail services less vulnerable? Equally vulnerable? More vulnerable?
To wrap things up, if you are reading this and use a web-based email service like Gmail, check you settings as soon as you can. I'm not saying you've been hacked but it is better to be safe than sorry. Remember to check the settings and change your password to these sites regularly.
And Google, if you are by any chance listening, please include an account lockout function (if you don't already have one) and please allow me to include a setting that alerts me if settings are changed. It doesn't have to be fancy - just a quick email stating that "we just wanted to let you know that your settings have been changed - if you didn't do this, you've been hacked!".
I would like to think that I am fairly security savvy, given that is what I do for a living but this event has opened my eyes to how vigilant we must be as defenders and the true advantage attacker have over us.
I first discovered that this Gmail account had been compromised when I started receiving bounce-back messages from a strange email address - 451231738@qq.com. I know I didn't send any email address so I did some digging. It turns out that QQ is a popular instant messaging site in China. Hmmmm, that's not good. I then checked out the setting on my Gmail account and discovered what actually happened.
Typically, I view the email from this particular Gmail account on any of various other devices (iPad, laptop, etc.). As a result, I don't usually log in to Gmail itself. When I did, I was presented with a big, red flashy sign that said, basically, Danger Will Robinson, someone has recently logged into your account from China - click here to see what happened. I clicked there and found that my account had been accessed at least 3 times from China starting around 10 days before I detected the problem. That, of course, prompted additional investigation.
I looked in the setting of my Gmail account and found a lot of bad things. I first noticed that someone had set up the QQ email address as an address that mail sent to the Gmail account could be forwarded to. Next, I discovered that the password recovery email address was also set to the QQ email address. Finally, I found a number of filters set up to forward any email containing the words "password", "info", "account" and "paypal" would be sent automatically to the QQ account. Also, any email from @blizzard.com or @battle.net would be forwarded.
Given that I don't use this Gmail account for anything critical, I'm not terribly concerned about the impact of this hack. I suppose someone in China could steal my subscription to a newsletter or discussion group but that's not that big of a deal. There are a couple of things that really do have me concerned.
First, how did the attacker manage to compromise my account without me knowing about it? Perhaps my password could have been better but doesn't Google have a setting to prevent brute force attacks?
Second, it scares me that the attacker was able to modify the settings of my Gmail account such that I would not have found out about the attack if the QQ address hadn't been shut down. How many others don't log into the Gmail web site but rely on Mail.app, phone mail clients, Outlook or similar mail clients to get their mail?
Third, how many people use their Gmail accounts to conduct real business (either professional or personal)? How many people use Gmail to reset the passwords on their bank accounts, to pay bills, etc. This type of attack had little real negative impact on me but that we partially dumb luck in that I don't use Gmail for anything really important.
Finally, is this problem specific to Gmail? Are other web-based mail services less vulnerable? Equally vulnerable? More vulnerable?
To wrap things up, if you are reading this and use a web-based email service like Gmail, check you settings as soon as you can. I'm not saying you've been hacked but it is better to be safe than sorry. Remember to check the settings and change your password to these sites regularly.
And Google, if you are by any chance listening, please include an account lockout function (if you don't already have one) and please allow me to include a setting that alerts me if settings are changed. It doesn't have to be fancy - just a quick email stating that "we just wanted to let you know that your settings have been changed - if you didn't do this, you've been hacked!".
Saturday, June 4, 2011
Nessus Parser V0.10
Cody Dumont from the NWN STAR team just release the latest version of his Nessus Parser. The parser can be found at www.melcara.com. Here is an expert from his blog posting.
Nessus Parser v0.10 – This is a program to parse a series of Nessus XMLv2 files into a XLSX file. The data from the XML file is placed into a series of tabs to for easier review and reporting. New features with this edition are better reporting of policy plugin families, user account reporting, summary graphs, and a home page with summary data. For more information and questions please contact Cody Dumont from the NWN STAR team.
Email – cdumont”AT”nwnit.com
Nessus Parser v0.10 – This is a program to parse a series of Nessus XMLv2 files into a XLSX file. The data from the XML file is placed into a series of tabs to for easier review and reporting. New features with this edition are better reporting of policy plugin families, user account reporting, summary graphs, and a home page with summary data. For more information and questions please contact Cody Dumont from the NWN STAR team.
Email – cdumont”AT”nwnit.com
Friday, May 27, 2011
Access Granted
Back in April, I discussed the March breach in security at RSA. After I posted my article, I was contacted by a friend of mine that works for a certain “Three Letter Acronym” agency whose name and organization will remain un-named. My friend asked me if I might happen to know exactly what was compromised at RSA? While I couldn’t be certain, I suggested what I (and maybe most of you) had already heard via news channels, media, and security contacts. While I know more details on what actually happened, I don’t know specifics. From my knowledge, what was known to be compromised was possibly the algorithm seed, and maybe the key generation time. The algorithm itself, has been publically known for years. From a security standpoint, this is like having a key, but not sure which lock it fits into.I told my friend that there shouldn’t be too much to worry about, because while there’s enough pieces compromised to launch a brute force attack (basically, an educated guess that is retried until you succeed), there shouldn’t be enough to do a more damaging attack. Brute force attempts are fairly easy to spot, mitigate, and deny access. My friend was put, at least a little, at ease. That was until last week…
I received notification that sometime last week, a very large U.S defense contractor that uses SecureID tokens from RSA to provide two-factor authentication (something you have, and something you know; think of your Bank Card and your PIN) for remote VPN access to their corporate networks. Before Monday morning an alert went out, and all remote access to the internal corporate network was shutdown. Employees were notified that remote access could be down upwards of a week, possibly more. For telecommuters, this meant you either came into a branch office, or you simply could no longer work. Two days ago, my friend told me, a notification that every person who had an RSA SecureID token, would be getting a new one. This process, as I discussed in my earlier article, would take at least a few weeks to funnel out to everyone.
Along with this, all users (over 100,000 of them) would be required to change their passwords. The amount of help desk related issues this causes, simply means that administrative level files and access have almost assuredly been compromised.
From what I can tell, whomever hacked RSA, had now come into possession of the algorithm for the current tokens, and had then managed to install a key-stroke logger somewhere on the network. With both of these pieces, that unknown lock I discussed earlier in this article was now known.
While this was an expected outcome (most security folks like myself, have been awaiting such a breach), it was not enough to circumvent this from occurring. Shortly after the RSA breach became public knowledge, most companies that relied on SecureID for authentication, started requiring a second form of password before access to the network was granted. This, though as you can probably tell, would not resolve the issue if a key-logger was in place, as the hacker would know the password the minute it was typed.
I am a “Glass Half Full” sort of person, so I guess the silver lining in this story is that my friend and his staff were able to spot the intrusion, and acted appropriately to mitigate any further incidents. Kudos are warranted for such a feat as this is not an easy task. Although the aftershocks caused by this incident will be many, and far into the future.
While I am sure this is not an isolated incident, it is a major one, and one of the first public ones. At the time of this writing, I can state I know of others as well. This is not the first successful hacking attempt using the compromised SecureID technology. It certainly won’t be the last…
What concerns me most though, is that RSA has not been as forthwith in providing full disclosure about what was compromised and how vulnerable we are. RSA, if you’re listening, pretending like this didn’t happen and keeping it all secret, does not help things, it only makes them harder to track.
Even given all of the issues raised in this article, I don’t see anyone abandoning RSA or the SecureID product it sells. While most networks exchange token information over a secured and encrypted network path, this is only a false sense of security. My friend, and his organization can now attest to this.
If this can happen to a very secure network, employing some really talented security staff and products, it can happen to others as well. How far this will lead, and what sort of national secrets will be exposed now that such an attack has publically been proven to work, only time will tell.
Subscribe to:
Posts (Atom)
Posts
