SAML Attacks can break down Single Sign-On(SSO)

Area41 Defconswitzerland had an interesting video about attacking Single Sign-on technology SAML – Security Assertion Markup Language  (basic tutorial on SAML)

There are a few ways an attack can happen, while the initial connections are made (and all certificate info is exchanged or other info needed.

Or after the initial connection was made and now the single sign on conditions are set. I.e. the auth server will store cookies, and redirects on next ask for access.

The image above is from auth0.com

So when the attacker tries to inject an attack they are mimicking the tokens. or the XML .

check out the following from the defconswitzerland video:

SAML Attacks Certificate Tampering

  • Clones a certificate, generate a new key material
  • Use a certificate signed by other official CA

SAML Attacks XML

  • signature Exclusion(simply delete Signature)
  • XML signature Wrapping
    • Paper on breaking SAML(Be whoever you want to be 2012)

SSO is supposed to be a technology which makes accessing multiple network systems easier and safer. So if there is a way to attack it and have access then it defeats the purpose of all this defense.

 

Contact Us to discuss auditing your network environment

You are Good, But Neighbor is not… Now What?

Let’s set this up…

You have paid attention to some Cyber security efforts, and have a number of defenses, maybe not “all of them” but your risk management matrix has shown you where to focus. What is impact on a device if having Cyber security problems?

Assuming you set up the probability matrix of all of your devices failure impact… Did you think of everything?

What about this:

Internet Storm center has  a story “More malspam pushing Lokibot”  

The post is about when an email attachment RTF(Rich Text Format) runs and then downloads an exploit for CVE-2017-11882 which installs Loki the information stealer.

Once Loki is on the machine it will contact home base and more.

Loki is an especially bad malware software, as it steals FTP credentials, SMTP credentials, Browser data, database information, and keylogger abilities.

So how do we defend against this malware? we need to deny the entry points. Because if once the malware is in one of your systems or one of your partners then it is a different game.

 

So what happens when  you think the neighbor is infected?  The firewall is no longer in play, as all internal machines are now open to attack. All it takes is another payload to be dropped into the infected machine that will take advantage of other machines with weak defenses.

So the problem is that any machine that you allow into your network (with vpn or otherwise) also can make your network systems weaker.

Coming back to our neighbor, if the neighbor does not have the same methods to security as you do, they are now a liability if you do not take the neighbor threat seriously.

I want to give an example in an apartment building that has been setup with a well known ISP internet service. So you get an apartment  and the service for internet is built-in to the price of your apartment(or at least is a minor add-on).

The Apartment people tell you to just plug into the wall and voila you have internet service.

So when i plug in, do i get my own router? Or am I connected within a switch with every other apartment first? So now I have to run a discovery scan, and check all other IP addresses first?

This is why one runs a discovery scan, to see all the machines that are on the network and that can see you. This is all part of the risk management of your company.

 

Contact Us to discuss Risk management and more.

Smart Cameras have Cybersecurity Problems

Everything has cybersecurity problems if it is not built with some security in mind at least. One should not build security after building the product, it tends to be ad-hoc or kluge.

Tom’s Guide has a good article of several cameras, it happens that AV-TEST evaluated 8 IP(Internet Protocol) cameras.

Only 3 cameras received 3 stars out of 3 (best stat): Logitech Circle, Myfox Security Camera, and the Netgear Arlo.  D-Link and Hanhwa Techwin need to get updates. Samsung Smartcam had  a new vulnerability that was found in March. And the unknown brands should just be thrown out.

 Logitech’s Circle above.  (a new one Circle 2 is available now)

Why focus on cameras? because they are easy to set up but not as easy to keep up and secure.

What happens when new firmware is released? How long until you update the camera? the camera requires a password and then upload the file – update, and ‘reboot’.

These new cameras also have cloud accounts or mobile apps, which may need updating too.

MyFox security camera is also a good option. (Made by Somfy protect, here is Somfy tech support page).

The other “top camera” in the review is:

Netgear Arlo has many options in cameras

Security light, Pro2, Pro, regular, Go, Q, Q plus, and baby

So you bought a nice camera, set up the Wifi, and the app on your phone.  Now you can keep an eye on a certain area from anywhere you have phone service. Pretty good right?

Now in a year or so, a new vulnerability comes out, and you have to upgrade the firmware. Where was that password again?

this year’s top product become next years liabilities (remember the Intel/AMD security problem in all processors).

So better do some documentation of the camera devices, and keep track of the vulnerabilities just like all the other computer devices on your network.

 

Contact Us to discuss your security policy needs.

Achieve True Privacy Protections

Your data and your customer data must be protected and in such a manner that even a breach in an area is not making it easy for the criminal to get the last link and thus the whole database.  Losing a portion of customer data is bad, but losing all of it is much worse.

So just like we have a layered defense in our network a layered defense of the database  is essential.

Before we  discuss technical details it is good to lay out how we intend to use the customer and employee data.

Because the technical people should look at a document that says how you will use data so that  customers, vendors, and employees know what is happening(or supposed to happen).

Also knowing what to do when there is a failure is important.

So we need to answer the following:

  1. Where is the data?
  2. Who has data?
  3. Why is data kept?
  4. What data is kept?
  5. How is data kept is a technical issue, and should be answered if encryption is answered.
  6. When will data be kept til? Forever? or is there a time lapse?
  7. How much data will be kept? (similar to what?) but can clarify the amount and size.

 

The new data privacy compliance law in the EU is GDPR(General Data protection regulation) and we have discussed this before at “Can European Regulation Help You Design Data Privacy”

In the us there are NIST(National Institute of Standards & Technology) standards – specifically 800-171. Which this company (Imprimis) has a video and discusses the complete process to go through to get yourself compliant for government oversight/ contracts.

The interesting slide is the next one that discusses the continuous compliance state one must build into any program

 

continuous monitoring, training and improvements must be done while performing quarterly periodic scans, and annual assessments.

 

We have discussed periodic scans before: our recon scan and vulnerability assessments

NIST 800-171 is the defacto standard of the US government and all of the contractors, sub-contractors, and anyone who is handling classified or CUI(Controlled Unclassified Information) data.  there are 110 items that one has to write an assessment on. So if your data is classified/unclassified one has a framework to work in.

PCI Payment card industry has a new version out (as of May 2018)  Summary of changes link

basically this latest compliance update is just a confirmation of TLS v1.1 or higher and some errata fixes.  Our post: Internet insecure without TLS

So although everyone has different data to place in the  Who, What, When, Why, Where, and how/how much we need to review and constantly improve our data storage and redemption states.

 

Contact Us to review this.