Category Archives: Security

ATP Attacks and Single Point of Failure

Posted on by

We are all following the development of the “SolarWinds incident” but one comment comes to my mind (see also this Advisory from NSA).

There is a very difficult trade-off between management of IT in general but also of IT security, and security itself. To manage IT, from network to servers to services, and IT security it is definitively more effective to be able to do it from a central point, adopting a single strategy to manage and control everything in the same way and at the same time (the “holistic” approach). This means to have a single/central console/point to manage and control all of our IT systems and services, a single point in which to authenticate all users (eg. Federated Single Sign-On) etc. This approach is becoming more and more a requirement as we are moving  towards a service-based IT where services can be anywhere in Internet, access requires a Zero Trust approach, and security is applied at a very granular level to all systems and services.

Doing this we can vastly improve the security of each single system or service, and gives the possibility to monitor each single access or transaction. But in doing so we concentrate in single points activities crucial in particular for security: What can happen to systems and services if the central management console is taken over? What can happen to systems and services if the central authentication service is infiltrated?   

Malware, Ransomware & co.

Posted on by

These days, apart from reading about major incidents like the SolarWinds one, I keep hearing directly from people I know about malware incidents, ransomware incidents and so on. My personal statistics have never been so high. I do not know if this is a personal unlucky end of an unlucky year or a very bad end of an already bad year. I wish to everybody a pandemic-free (in all senses) 2021!  

Thoughts on Blue/Red/Purple Teams and defending from Targeted Attacks

Posted on by

Defending against Targeted Attacks (and even more against Advanced Persistent Threats, APT) is difficult and usually quite expensive. 

We all know the basis of IT security, from cybersecurity awareness and training to anti-malware, firewall and network segmentation, hardening and patching, monitoring and vulnerability assessments / penetration tests (VA/PT),  third-party cybersecurity contract clauses, etc.

But this is not enough. We need also Single-Sign-On (SSO, or even Federated Authentication) and Multi-Factor-Authentication (MFA), Zero Trust architectures, tracing of all local, remote and mobile activities (networks and hosts), SIEM data collection/management and SOC analysis, a cybersecurity Incident Team and an Incident Response plan.

But to defend against Targeted Attacks we need to go another step further. We have designed and implemented all security measures we could think of, but are they enough? Did we forget something? For sure we are ready against an everyday malware attack, but a Targeted Attack which could take months to study us and be implemented?

To answer this question it seems that the only possibility is to think and act as the attacker and look at our IT environment from this point of view. It is here that Blue, Red and Purple teams enter into play as they play the roles of attackers and defenders on our IT environment to test our cybersecurity standing to its limits. They will find holes and access paths we did not think about or even believe possible, but also smarter ways to defend ourselves.

But … what about a Risk Based approach to Security?

In other words, how much is it going to cost us?

Can we afford it?

Finally, is it worth going “all out” or, by accepting some risks, we can continue to do what we have been doing all along in cyber/IT-security? And in this case, how do we evaluate these “Risks” we need to accept?

PS. The last is partly a rhetorical question on my side.

Another Example of how Implementing Cryptography is Tricky (and a Score 10 CVE)

Posted on by

It has recently been published the description of Zerologon, CVE-2020-1472 (see here for a summary and here for the technical paper), and do not worry since the bug has already been patched by Microsoft in August (see here). 

The bug allows anyone who can connect in TCP/RPC/Netlogon to an unpatched Active Directory domain controller to become a domain administrator, nothing else needed. The cause of this bug is a minor glitch in the implementation of the cryptographic algorithm AES-CFB8: the Initialisation Vector has been kept fixed at zero instead to be unique and randomly generated (more details are provided in the technical paper mentioned above). 

Zero Trust and Dynamical Perimeters based on Identity

Posted on by

NIST has recently published the final version of SP 800 207 “Zero Trust Architecture” which is a recommended reading.

This gives me the opportunity to consider how vastly the IT architecture has changed in the last 20 years. From the concept of a single IT physical perimeter, we now have multiple physical or virtual perimeters which can be dynamic due for example to Software Defined Networks or Cloud services.

But most importantly who and what is inside a perimeter, which can be even a single application, depends not only on the physical and/or virtual location of the device (both server and/or client) but on the identification / authentication / authorisation of the user and/or the device. So, given the proper identification / authentication / authorisation, a user and its device can be admitted inside a high security perimeter even when connecting from any network in the world. 

Moreover, authentication and authorisation are not “once for ever” but each, even tiny, perimeter should perform them again. This requires strong authentication processes which both authenticate the user and also her/his device and its security. Often this process can be done in two steps: the user authenticates her/him-self to the local (portable) device typically with MFA / Biometrics etc., and the device then manages the authentication to the remote services thus providing a simpler user experience.

This is the development we see every day in most major IT / Cloud services, and which, sooner or later, will also lead to decrease our dependency on the use of Passwords. 

Subject Matter Experts On Artificial Intelligence and IT Crime

Posted on by

Artificial Intelligence (AI), in all its different fields from Machine Learning to Generative Adversarial Networks, has been subject to a study (here the link to the paper), or probably better an evaluation, by a group of Subject Matter Experts (SMEs) to identify the most risky scenarios in which attackers could use it, abuse it or defeat it. The scenarios include cases in which AI is used for security purposes and an attacker is able to defeat it, or AI is used for other purposes and an attacker is able to abuse it to commit a crime, or an attacker uses AI to build a tool to commit a crime.

Overall the SMEs have identified 20 high level scenarios and ranked them by multiple criteria including the harm / profit of the crime, and how difficult it could be to stop or defeat this type of crime.

It is very interesting to see which are the six scenarios considered having highest risk:

  • Audio/video impersonation
  • Driverless vehicles as weapons
  • Tailored phishing
  • Disrupting AI-controlled systems
  • Large-scale blackmail
  • AI-authored fake news.

More details can be found in the above mentioned paper.

Phishing in the Clouds

Posted on by

Again on Phishing, this time with a new twist.

We all know and by now use complex SaaS Cloud services, like Microsoft’s Office 365, Google’s G Suite, Amazon services and so on. They are all very modular, meaning that there are multiple data storage services and multiple application services from which to choose and use. Often a user must authorise a Cloud App to access her/his own data, and the App can be also by an external provider (a “partner” of the service). The Authorisation is usually implemented with OAuth which, in a few words, is a secure delegation access protocol based on the exchange of cryptographic keys.

So what is the scam? Simple: you receive an email which looks like coming from [name your Cloud provider here] and asks you to authorise an App (which looks authentic) to access your data. You do not need to insert any password since you are already logged-in your Cloud service platform, but just to click on the button, and that’s it!

You have given access to all your Cloud data and services to a fraudster, who can get your data and act as you!

For more details read for example this article by ArsTechnica.

Always about Security Patching and Updates

Posted on by

These days I keep coming back to the “security patching and updates” issue. So I am going to add another couple of comments.

The first is about Ripple 20 (here the official link but the news is already wide spread) which carries an impressive number of “CVSS v3 base score 10.0” vulnerabilities. The question is again:

how can we secure all of these Million/Billion vulnerable devices since it seems very likely that security patching is not an option for most of them?

The second one is very hypothetical, that is in the “food for thought” class.

Assume, as some says, that in 2030 Quantum Computers will be powerful enough to break RSA and other asymmetrical cryptographic algorithms, and that at the same time (or just before) Post Quantum Cryptography will deliver us new secure algorithms to substitute RSA and friends. At first sight all looks ok: we will have just to do a lot of security patching/updating of servers, clients, applications, CA certificates, credit cards (hardware), telephone SIMs (hardware), security keys (hardware), Hardware Security Modules (HSM) and so on and on… But what about all those micro/embedded/IoT devices in which the current cryptographic algorithms are baked into? And all of those large devices (like aircrafts but also cars) which have been designed with cryptographic algorithms baked into them (no change possible)? We will probably have to choose between living dangerously or buy a new one. Or we could be forced to buy a new one, if the device will not be able to work anymore since its old algorithm will not be accepted by the rest of the world.

PS. Concerning Quantum Computers,  as far as I know nobody claims that a full Quantum Computer will be functioning by 2030, this is only the earliest possible estimate of arrival, but it could take much much longer, or even never!

PS. I deliberately do not want to consider the scenario in which full Quantum Computers are available and Post Quantum Cryptography is not.