STE WILLIAMS

Windows Hello for Business Opens Door to New Attack Vectors

Researchers exploring Windows Hello for Business found an Active Directory backdoor and other attack vectors that could lead to privilege escalation.

Researchers investigating Microsoft’s Windows Hello for Business have discovered new attack vectors, including a persistent Active Directory backdoor that they say current security tools don’t detect.

Windows Hello for Business (WHfB) was introduced in Windows 10 and Windows Server 2016 to bring password-less authentication into Active Directory-based environments and lessen the risk of password theft. Users can authenticate to a Microsoft, Active Directory, or Azure Active Directory account with a credential that is tied to the device and uses a biometric or PIN. WHfB is built on top of common industry standards including Kerberos PKINIT, JWT, WS-Trust, or FIDO2, and it relies on cryptographic mechanisms like TPM key attestation or token binding.

Michael Grafnetter, IT security researcher and trainer for CQURE and GOPAS, was intrigued by WHfB and began to research the tool so he could better understand its internal workings. What he found was a lack of official documentation regarding how the feature works in Windows, making WHfB a “black box” for most administrators, security auditors, and pentesters, he says.

“This is something I was a little bit disappointed in,” Grafnetter admits, noting there are other Windows security features lacking technical documentation: how Windows stores passwords, for one, or how passwords are encrypted. “This was always like smoke and mirrors,” he adds.

To learn more about how WHfB operates, Grafnetter has spent the past year studying the feature and the past two months doing a deep dive. He will present his findings at the upcoming Black Hat Europe show in a briefing entitled “Exploiting Windows Hello for Business.” His research yielded three different attack vectors against WHfB. One has already been fixed; another is currently under review. He hopes it will be complete by the time Black Hat rolls around.

Grafnetter warns of a vector in a security-critical AD attribute called msDS-KeyCredentialLink, which can store data related to Windows Hello, FIDO2, or BitLocker Drive Encryption. It holds references to devices that users register with Active Directory for authentication. If someone registers a notebook or YubiKey with WHfB, data is logged with msDS-KeyCredentialLink.

This is a relatively new attribute, Grafnetter says, and it can potentially be used or misused for persistence by an attacker. If someone gets hold of a domain, they can hide and maintain access to the same domain – even if all the passwords for the account are reset, he explains. Because it’s new, the attribute and its values are rarely properly audited by security teams.

The problem is, few people understand this feature and don’t know to look for issues, even though WHfB is part of AD in Windows Server 2016 and cannot be turned off. While he admits not many administrators or everyday users of these tools and features ask the same deep-dive questions a security researcher does, Grafnetter says he has spoken with Active Directory experts who don’t know exactly how the technology works, “which really took me by surprise.”

Even if companies don’t actively use tools like Windows Hello for Business every day, they should audit these attributes and raise an alert if they notice any changes on admin accounts, he notes.

msDS-KeyCredentialLink lacks proper documentation of its behavior and security implications, Grafnetter explains. The AD Schema documentation only says “this attribute contains key material and usage information.” While this is true, “I think that this is simply not enough and that its behavior and security implications deserve to be documented properly,” he says. Knowing how this feature works can help discover when it’s being maliciously used.
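One way to act on the audit advice above, as an added example that is not from the article or from Grafnetter's own tooling: a PowerShell script that lists the key credentials linked to privileged accounts, decodes each msDS-KeyCredentialLink value far enough to show which device and key it refers to, and warns when a key is not in a previously saved baseline. It assumes the ActiveDirectory module, the adminCount=1 filter as the definition of "admin account", and a baseline file path of our own choosing.

```powershell
# Added example (not the article's or DSInternals' code): baseline-and-diff
# audit of msDS-KeyCredentialLink on privileged accounts.
Import-Module ActiveDirectory

$BaselinePath = 'C:\Audit\KeyCredentialLink-baseline.json'   # assumed location

# The attribute has DN-Binary syntax; the AD module hands each value back as
# "B:<hex length>:<hex blob>:<DN of the object the value was written to>".
function ConvertFrom-DnBinary {
    param([string]$Value)
    $parts = $Value.Split(':', 4)
    if ($parts.Count -ne 4 -or $parts[0] -ne 'B') { return $null }
    $hex   = $parts[2]
    $bytes = [byte[]]::new($hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
    }
    [pscustomobject]@{ Blob = $bytes; Dn = $parts[3] }
}

# Walk the KEYCREDENTIALLINK_BLOB (MS-ADTS 2.2.20): a 4-byte version (0x200)
# followed by entries laid out as [2-byte length][1-byte identifier][value].
function Read-KeyCredentialBlob {
    param([byte[]]$Blob)
    $info = [ordered]@{ KeyId = $null; DeviceId = $null; Usage = $null; Created = $null }
    if ($Blob.Length -lt 4 -or [BitConverter]::ToUInt32($Blob, 0) -ne 0x200) { return $info }
    $pos = 4
    while ($pos + 3 -le $Blob.Length) {
        $len = [BitConverter]::ToUInt16($Blob, $pos)
        $id  = $Blob[$pos + 2]
        $val = if ($len -gt 0) { [byte[]]($Blob[($pos + 3)..($pos + 2 + $len)]) } else { [byte[]]@() }
        switch ($id) {
            0x01 { $info.KeyId    = [Convert]::ToBase64String($val) }  # SHA-256 of the key material
            0x04 { $info.Usage    = [int]$val[0] }                     # 0x01 = NGC (Windows Hello)
            0x06 { $info.DeviceId = [guid]::new($val) }                # registering device
            0x09 { $info.Created  = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($val, 0)) }
        }
        $pos += 3 + $len
    }
    $info
}

function Get-PrivilegedKeyCredentials {
    # adminCount=1 marks accounts protected by AdminSDHolder; widen the filter
    # to match your own tiering model if needed.
    Get-ADUser -Filter 'adminCount -eq 1' -Properties 'msDS-KeyCredentialLink' |
        ForEach-Object {
            $acct = $_
            foreach ($v in @($acct.'msDS-KeyCredentialLink')) {
                $parsed = ConvertFrom-DnBinary $v
                if ($null -eq $parsed) { continue }
                $k = Read-KeyCredentialBlob $parsed.Blob
                [pscustomobject]@{
                    Account  = $acct.SamAccountName
                    KeyId    = $k.KeyId
                    DeviceId = $k.DeviceId
                    Usage    = $k.Usage
                    Created  = $k.Created
                }
            }
        }
}

$current = @(Get-PrivilegedKeyCredentials)

if (-not (Test-Path $BaselinePath)) {
    # First run: record what is linked today so later runs have something to diff against.
    $current | ConvertTo-Json -Depth 3 | Set-Content $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) key credentials)."
    return
}

$known = @{}
foreach ($b in @(Get-Content $BaselinePath -Raw | ConvertFrom-Json)) {
    $known["$($b.Account)|$($b.KeyId)"] = $true
}
foreach ($c in $current) {
    if (-not $known.ContainsKey("$($c.Account)|$($c.KeyId)")) {
        # A key credential on an admin account that the baseline has never seen
        # is exactly the change worth alerting on; have the account owner confirm
        # the device before updating the baseline.
        Write-Warning ("New key credential on {0}: device {1}, usage {2}, created {3:u}" -f
            $c.Account, $c.DeviceId, $c.Usage, $c.Created)
    }
}
```

Run it on a schedule from a tier-0 management host; after each warning is reviewed, delete the baseline file and rerun to accept the current state.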

Microsoft is on the right track with WHfB, which Grafnetter says “really seems to be the future of authentication.” Still, the threat of persistence is relevant to many Windows users, and it becomes clear as soon as they begin to audit the values of the msDS-KeyCredentialLink attribute. At Black Hat Europe in London, he plans to release a tool designed to scan corporate environments for these issues and provide needed visibility into Windows Hello for Business usage in Active Directory. Grafnetter developed the tool over the past year to aid him in his research, he notes.

In addition to his briefing on Windows Hello for Business, Grafnetter will be doing a live demonstration of DSInternals PowerShell Module at Black Hat Europe 2019.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/cloud/windows-hello-for-business-opens-door-to-new-attack-vectors/d/d-id/1336396?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Disney+ Credentials Land in Dark Web Hours After Service Launch

The credentials, priced from free to $11 per account, appear to be due to victims’ re-use of logins and passwords.

That didn’t take long: stolen user accounts for the new Disney+ streaming service began appearing on Dark Web sites just hours after it went live on November 12.

ZDNet found some credentials for sale in the underground for $3 to $11 per account and others offered for free, as attackers took advantage of users who share their accounts. Some victims were locked out of their accounts entirely.

While no single mechanism for the credential theft has been identified, it seems that some victims re-used credentials from other sites — credentials that had previously been breached and posted on the Dark Web. Disney+ did not offer strong authentication options for its streaming service accounts.

“What is missing from the Disney+ security service is multi-factor-authentication,” says Jonathan Deveaux, head of enterprise data protection at comforte AG. “MFA does not guarantee that only the authorized user is indeed accessing the service, but it does help slow down or reduce the likelihood of bad-actors gaining access with only user ID and password credentials.”

Another factor is that some users opted for short or weak passwords for their accounts. “If you have ever had to enter a complex password on a streaming app, you can see why someone would want to use something easy,” says Lamar Bailey, senior director of security research at Tripwire. 

As of today, Disney+ officials had no comment.

For more, read here and here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “How Medical Device Vendors Hold Healthcare Security for Ransom.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/disney+-credentials-land-in-dark-web-hours-after-service-launch/d/d-id/1336395?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Americans Fed Up With Lack of Data Privacy

Eight out of every 10 US adults are worried over their inability to control how data about them is used, a new Pew Research survey shows.

The majority of American citizens believe that they are pervasively monitored and that their data is regularly collected and used in concerning ways that they cannot control and don’t fully understand, according to a new Pew Research Center study.

The report, based on a nationally representative panel of randomly selected US adults, shows that 62% of Americans feel they cannot prevent companies from collecting data on their activities, while 63% feel the same about government data collection.

Roughly eight out of every 10 Americans say they have very little or no control over how companies use their data, but are very concerned about how companies are using it. The vast majority conclude that the risks of data collection outweigh the benefits, the study found. 

“Clearly this survey adds up to a portrait of distress and a willingness to hear about policy options,” says Lee Rainie, director of Internet and technology research at the Pew Research Center. “The panoramic picture it paints is a society that is not happy … they are concerned. They don’t feel that they have control. They don’t think the benefits outweigh the risks anymore.”

The survey comes a year-and-a-half after the discovery that Cambridge Analytica used data from Facebook to create profiles on Americans to help the Trump campaign target ads at susceptible groups of Americans, and six years after Edward Snowden, a former contractor for the National Security Agency, leaked documents on the surveillance efforts of US intelligence agencies.

Americans feel that they have not benefited from the data economy and they don’t trust the companies that collect their data, according to the Pew report.

“[L]arge shares are worried about the amount of information that entities, like social media companies or advertisers, have about them,” the report said. “At the same time, Americans feel as if they have little to no control over what information is being gathered and are not sold on the benefits that this type of data collection brings to their life.”

Different segments of Americans have differing thresholds for gauging what is acceptable data use. Almost half — 49% — of Americans find it acceptable that the government collects data on people to determine if they pose a terrorist threat, while only 25% think it’s okay for a smart-speaker manufacturer to give law enforcement access to recordings.

Overall, however, Americans appear to think that companies have not delivered on the trust given to them. 

Consumers “don’t know how to intervene in the system to make it work better,” says Pew’s Rainie. “They don’t think that the companies who collect the data are good stewards of the data.”

Who Reads Those Privacy Notices?

The current system of turning every data relationship between a consumer and a company into a contractual exchange where the customer purportedly reads a notice of how the company intends to use the data and consents to those terms has largely failed, according to the Pew data. While more than half of respondents (57%) encounter a privacy notice at least every week, only one in five (22%) claim they read the notices all the way through before agreeing.

Pew’s Rainie believes that people are likely exaggerating their diligence. “We don’t fact check, so the way we read that (the 22% data point) is that is a high-water mark,” he says. “The overview answer is: A lot of people admit that they don’t read the policies. A third do not read them at all.”

Perhaps unsurprisingly, Americans are open to new approaches to privacy and data-protection laws. Currently, 63% of those surveyed do not understand current privacy laws, but three-quarters (75%) say that companies should be more regulated than they are now.

However, in potentially good news for companies, more people are in favor of better tools to manage data collection (55%) than are in favor of legislation.

But because citizens do not seem to have the same opinions over where the privacy lines should be drawn, policies continue to be difficult to form, Rainie says. 

“The policymakers would love to know where are the right lines — what seems legitimate to some people is not legitimate to others … The fact that Americans’ view of privacy ends up as a conditional set of judgements makes it hard to say, for every circumstance, this is where the line is. These data do not give that kind of clarity.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/endpoint/privacy/americans-fed-up-with-lack-of-data-privacy/d/d-id/1336397?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Pack your bags, you’re going to America, Lord Chief Justice tells accused Brit hacker

A Briton once suspected of hacking Pippa Middleton’s iCloud account – although he was cleared after a police probe in 2016 – now faces deportation to America.

Nathan Wyatt, who is said to have used the handle “The Dark Overlord” online, is accused by American prosecutors of conspiracy, aggravated identity theft and three counts of threatening to damage a computer. London’s High Court rejected his appeal against an extradition order earlier this month.

Wyatt, 30, was jailed by Southwark Crown Court in 2017 after pleading guilty to more than 20 charges of using stolen credit card details, blackmail and “possession of an identity document with an improper intention” as Lord Chief Justice Burnett of Maldon put it in his judgment of 6 November.

The Lord Chief Justice said that Wyatt is accused of targeting five victims in total, including sending “threatening messages” to target companies’ executives along with details of their family members; healthcare providers; demands for 500 Bitcoin as ransom; threats to publish “confidential client information” from an accounting firm; and a threat to report a CEO to “various government agencies” unless a £400,000 ransom was paid.

“The victim was informed their Dropbox and Paypal accounts had been hacked and that their funds had been paid out on Paypal,” Crown Prosecution Service (CPS) barrister Daniel Sternberg told Westminster Magistrates’ Court in January, alleging that “The Dark Overlord” had used a Gmail account. “They were told to respond or they would be publicly named as the source of their client’s suffering.”

Although he was previously prosecuted in the UK, Wyatt’s alleged crimes against US companies and citizens were not part of the British case against him. US prosecutors filed an extradition request against him last year while he was still serving a 42-month sentence*, with the demand being handed to him immediately upon his release from prison in August.

District Judge Nina Tempia, a London magistrates’ court judge who specialises in Computer Misuse Act cases (including that of another accused hacker, Lauri Love), ordered Wyatt’s extradition in January. The Home Office, under then-Home Secretary Amber Rudd, upheld the extradition request.

Wyatt appealed against the deportation order on the grounds that American prosecutors could have given their evidence to Britain’s CPS for a UK trial on the new charges. In addition, Wyatt’s barrister Kate O’Raghallaigh argued in the High Court that District Judge Tempia gave too much weight to the fact that US prosecutors have 15 witnesses lined up to give evidence against him.

The Lord Chief Justice, along with Mrs Justice May, did not agree with this:

… yet the victims of a crime have an interest in the legal proceedings beyond the narrow compass of being a witness and giving evidence. They should, if they wish, be able to attend a trial. They should be in a position to have continuing contact with the prosecuting authorities. They are likely to wish a prosecution to take place in the jurisdiction where they suffered the harm relied upon, subject to their domestic legal order culminating, if there is a conviction, in an appropriate local sentence. This case involves corporate victims, although acting through individuals and owners who are alleged to have been threatened, their families and hundreds of individuals whose personal medical data were disclosed. The judge cannot be faulted for having considered this to be a statutory factor which weighed in favour of extradition, nor for thinking it an important matter.

Wyatt is likely to stand trial in the US federal district of Eastern Missouri. The CPS’s Sternberg alleged in January that Wyatt had used his own IP address “to register a telephone number that was used to send threatening messages” as well as to register a Gmail address which he is said to have used as his alias for blackmail.

The same number was also linked, so Sternberg said, to a Whatsapp account “which used Mr Wyatt’s picture as the avatar” and to set up a Paypal account to receive money stolen from The Dark Overlord’s victims. ®

Bootnote

* British convicts normally serve a maximum of half of a prison sentence handed down by judges, with that figure falling to around 30-40 per cent of the sentence depending on the opinion of the Prison Service. Officially the reason for this discounting is “good behaviour” while imprisoned, though it applies more or less automatically to almost all offenders.

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/18/nathan_wyatt_accused_hacker_us_extradition/

Interpol: Strong encryption helps paedos. Build backdoors

Multinational police agency Interpol is due to say that tech companies deploying strong encryption helps paedophiles – unless they build backdoors for police workers.

Three people “briefed on the matter” told financial newswire Reuters yesterday that the agency would be issuing a statement this week condemning the use of strong encryption because it helps paedophiles.

The newswire reported that “an Interpol official said a version of [a] resolution introduced by the US Federal Bureau of Investigation would be released without a formal vote by representatives of the roughly 60 countries in attendance” at an Interpol summit held last week.

“Service providers, application developers and device manufacturers are developing and deploying products and services with encryption which effectively conceals sexual exploitation of children occurring on their platforms,” a draft of the resolution seen by Reuters said.

It continued: “Tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and useable format.”

While the statement may well read like the rantings of a demented senior citizen in some long-forgotten care home, it builds on similar statements from Western governments, police and spy agencies, as well as new international treaties. So-called “think of the children” rhetoric is a tried and trusted strategy for police workers who are determined to get their way with politicians.

Interpol ignored questions from Reuters, while the US FBI also reportedly shrugged off inquiries.

The agency has yet to issue the communique in question, though it is expected to be welcomed by Western governments increasingly fed up that their internal security agencies are unable to exercise China-style social control and surveillance over their populations.

Interpol counts every country in the world as a member except for North Korea, ironically given that rogue state’s general disregard for the rule of law online. While the agency is occasionally criticised by Western charities for allowing rogue states and dictatorships to abuse its processes, in general it is Western governments and their state agencies which are now using Interpol’s name to dilute vital encryption safeguards in the name of police convenience. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/18/interpol_says_encryption_helps_paedos_barmy/

New: Everything You Always Wanted to Know About Security at the Edge But Were Afraid to Ask

The secure perimeter as we know it is dissolving. So how do you protect your crown jewels when the castle has no walls?

Business depends on flawless digital experiences. This is true for the enterprise — to communicate, collaborate, and produce at the highest level. And it’s true of core business offerings like seamless online retail and financial transactions, OTT video delivery, online healthcare portals, and for connected devices on the manufacturing floor. The problem is, the secure perimeter as we know it is dissolving. So how do you protect your crown jewels when the castle has no walls? The answer is to deploy security at the edge, where you can protect your assets closer to the attack itself while moving digital experiences closer to ours.

Article source: https://www.darkreading.com/edge/theedge/new-everything-you-always-wanted-to-know-about-security-at-the-edge-but-were-afraid-to-ask/b/d-id/1336373?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

13 Security Pros Share Their Most Valuable Experiences

From serving as an artillery Marine to working a help desk, infosec practitioners pinpoint experiences that had the greatest influence on their careers.

There is no one-size-fits-all approach to building a security career, as evidenced by the diverse range of educational, professional, and personal experiences that its many practitioners have.

It’s also impossible to predict which projects will teach you lessons you’ll use later in a future security role. You could learn to better communicate with clients while working a help desk, or maybe you could gain the confidence to present your first security talk from a mentor at one of your first jobs.

When asked about his most valuable experience, Yair Silbermintz, lead backend developer at Aon, pointed to the time he implemented a new OAuth provider from scratch in an earlier role. He had implemented authentication before in a couple of systems, he says, but typically that involved wiring premade components or tweaking a small part of the authentication scheme.

“There were definitely roadblocks and also just a huge amount of small features I never really thought of the importance before,” Silbermintz says. “Things like a nonce, which was just noise to me before, suddenly played a key role in keeping it secure.” There were several items, he says, that he had “glazed over” as a developer but that each covered a pitfall in the auth process. He walked away from the experience knowing he could no longer ignore small features.

“If someone asked me for something small, even just a random string added to the end of a payload, I needed to fully understand why,” he continues. “That extra level of understanding that I go for when working has really shaped my career.”

We asked the cybersecurity community which experiences have been the most valuable in teaching them lessons they carried throughout their careers and what those lessons were. Here, 12 more infosec practitioners share their responses.

What was your most educational experience? Feel free to share your thoughts in the Comments section, below.


Article source: https://www.darkreading.com/threat-intelligence/13-security-pros-share-their-most-valuable-experiences/d/d-id/1336368?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Quantum Computing Breakthrough Accelerates the Need for Future-Proofed PKI

Public key infrastructure is a foundational security tool that has evolved to become a critical base for future advancements. Today’s generation of PKI can be coupled with quantum-resistant algorithms to extend the lifespan of digital certificates for decades.

Rumors of a quantum technology breakthrough were confirmed last month with the release of a report by Google’s AI Quantum team, University of California, and others. Quantum computing, a complex technology that had been predicted to take years to come to market, suddenly gained urgency thanks to this breakthrough.

Quantum computing is a complicated concept but, in simple terms, it’s a way of encoding and correlating information at massive scale. Achieving quantum computing will change the way the world communicates as well as how it manages and protects data — it’s an advancement that will radically change the cybersecurity landscape.

Quantum supremacy or true quantum computing is best demonstrated by running a mathematical algorithm that a classical computer would take years to complete. In its report, Google claims that the research team ran an algorithm that would take a classical computer 10,000 years to complete with 30 seconds of quantum processing time. If proven to be true, it’s a strong indication that we are getting much closer to quantum computing becoming a reality rather than a theoretical possibility.

Even if this figure is disproven — IBM immediately refuted the “10,000 years” figure with an estimate of 2.55 days — it’s just a matter of time. Since the cost of classical computation roughly doubles for every qubit added, IBM’s own extrapolation indicates that with just six more qubits, it would take the classical computer over a year. Advancements pioneered by Google and others make the arrival of 60-qubit machines inevitable, and, regardless of advancements, 2.55 days versus 30 seconds is still a difference of four orders of magnitude.

Why Crypto-Agility Is Key
The cryptographic algorithms we use today will rapidly degrade with the onset of quantum compute capability. The SHA-1 to SHA-2 migration in recent years is an excellent comparison: When it became widely accepted that SHA-1 was no longer safe to use, most began migrating their public key infrastructure (PKI) to SHA-2. Technically speaking, SHA-1 presented a significant security risk because of the ease of access a spoofed certificate and key presents to an attacker. Like many of the certificate-based attacks we’ve seen in recent years, attackers can successfully spoof a trusted certificate authority’s signature, replacing a legitimate certificate with their own and granting them entry to the target network. Even newer manipulation techniques mean some digital identities can be compromised by rederiving the associated private key. Keyfactor researchers demonstrated this year that over 400,000 certificates found on the Internet could be compromised due to insufficient entropy when generating RSA private keys.

The SHA-2 migration was a massive undertaking for IT teams and highlighted the critical nature of an enterprise’s ability to track and manage its cryptographic keys. Today, an average enterprise holds upward of hundreds of thousands of certificates and keys — and that number continues to grow. With so many certificates, it is essential that automated methods are deployed to quickly replace these certificates if the cryptography they rely on becomes insecure.

Operationally speaking, even without quantum advancements, managing PKI is challenging, time consuming, and expensive. Our research shows that 71% of businesses don’t know how many certificates and keys they have. Introducing a crypto-agile framework — which enables cryptography like PKI to adapt quickly to advancements, from SHA-1 to SHA-2, for example — is essential to manage not only today’s PKI demands but also the automation and transformation that quantum computing will demand. Adopting a single, automated platform provides complete visibility into every certificate and key, complementing the crypto-agile framework.

Future-Proofing PKI with Quantum-Safe Certificates
In addition to PKI automation to support management, quantum-safe certificates are critical to future-proofed PKI that can scale and transform with quantum computing advancements. This is critically important for companies manufacturing Internet of Things and connected devices. 

Consider that a business that builds devices with a life span of four to seven years (for example, pacemakers, insulin pumps, automobiles, planes, and trains) has an obligation to design the ability to update the cryptography on its devices. Some may argue that not doing so is willful negligence, which puts the company at risk of unnecessary product recalls and may pose massive liabilities in life-critical systems.

When it comes to sensitive communications across connected devices, it’s not enough to rely on existing algorithms until quantum computers can break them. Due to limited use of communication protocols with a property called forward secrecy — a feature of key agreement protocols that derives a fresh key for each session, so that a long-term key compromised later cannot be used to recover earlier session keys — stored communications can often be decrypted after the fact, allowing potential access to massive amounts of sensitive data. With quantum computers, these stored communications without forward secrecy will be exposed.

The reality of this breakthrough means that quantum advancements are closer than we think. PKI is a foundational security tool and form of cryptography that has stood the test of time and evolved to become a critical base for advancements to come. Today’s generation of PKI can be coupled with quantum-resistant algorithms that can extend the lifespan of digital certificates for decades to come.  

Overwhelmed IT leaders must look at PKI and other cryptography as critical infrastructure, and, like every other element within their security framework, evaluate the tools they can adopt to help them streamline and automate PKI management. Future-proofing PKI today means enterprises can integrate tomorrow’s technologies with confidence.

Kevin von Keyserling is Chief Strategy Officer at Keyfactor. In this role, Kevin is responsible for company operations and oversees Keyfactor’s organic and acquisition growth strategy.  JD Kilgallin is a Senior Integration Engineer at Keyfactor. In this role, he works to … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/quantum-computing-breakthrough-accelerates-the-need-for-future-proofed-pki-/a/d-id/1336317?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook Discloses WhatsApp MP4 Video Vulnerability

A stack-based buffer overflow bug can be exploited by sending a specially crafted video file to a WhatsApp user.

A severe vulnerability in the WhatsApp messenger could enable attackers to achieve remote code execution by sending target users a specially crafted MP4 video file, Facebook reports.

The stack-based buffer overflow bug (CVE-2019-11931) exists in the way WhatsApp parses the elementary stream metadata of MP4 files. If successfully exploited, it could result in a denial-of-service or remote code execution attack, the company said in a disclosure. Users can update to a patched version of the software. It’s unclear whether the flaw has been exploited in the wild.

This vulnerability affects a range of corporate and consumer devices. Affected versions include:

  • Android versions prior to 2.19.274
  • Business for Android versions prior to 2.19.104
  • iOS versions prior to 2.19.100
  • Business for iOS versions prior to 2.19.100
  • Enterprise Client versions prior to 2.25.3
  • Windows Phone versions before and including 2.18.368

Read more details here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Soft Skills: 6 Nontechnical Traits CISOs Need to Succeed.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/facebook-discloses-whatsapp-mp4-video-vulnerability/d/d-id/1336390?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Wikipedia co-founder offers a Facebook/Twitter wannabe

How much would you pay for a Facebook- or Twitter-like social network experience, but one in which you’re not tracked, your personal information and web history aren’t gobbled up, and you aren’t e-hounded by targeted ads?

For those of us who haven’t already jumped the Facebook ship and might still be interested in relinquishing our roles as products, Wikipedia co-founder Jimmy Wales has set up a social media site called WT:Social that’s supported solely by donations. The cost, if you want to skip the waiting list: either $12.99/month or $100/year, or your willingness to share the invitation with friends, family and/or colleagues.

Instead of funding the site with advertising, Wales is using Wikipedia’s model of relying on users’ donations. Snipping the tie to advertisers is how you can spare users the low-quality content that proliferates when there’s money to be made via clicks, Wales told the Financial Times:

The business model of social media companies, of pure advertising, is problematic. It turns out the huge winner is low-quality content.

In fact, there’s a thriving industry that cashes in on clicks by fabricating trolls on either side of the political spectrum, as we recently found out when a reporter went undercover to work in a Polish troll farm.

The same goes for fake news: as a former fake-news writer described a few months ago, sensationalist clickbait fakery is all about the ad revenue. It doesn’t matter how preposterous the content is: what matters is that somebody (or many somebodies) opens the articles and generates ad impressions.

WT:Social grew out of Wales’ previous project, WikiTribune, which sought to be a global news site devoted to fighting fake news – one made up of professional journalists and citizen contributors.

It’s about evidence-based news, not about focusing on the “engagement” that rakes in money for the big social media platforms. From the WT:Social site:

We will empower you to make your own choices about what content you are served, and to directly edit misleading headlines, or flag problem posts.

We will foster an environment where bad actors are removed because it is right, not because it suddenly affects our bottom-line.

Both WikiTribune – which never managed to gain traction – and WT:Social emphasize evidence-based coverage. Without ad revenue, there’s no need to come up with addictive ways to keep users clicking/refreshing like gamblers at a slot machine as they look for the unpredictable “win” of Likes and Shares and pursue the deep-seated drive for social approval: all psychological vulnerabilities that Facebook, for one, has knowingly exploited.

WT:Social, initially known as WikiTribune Social, was launched at the end of October. It’s already got about 50,000 users.

It’s free to join, but at this point, you’ll be put on a waiting list unless you donate or invite friends to register. I joined on Friday and was told that I was number 53,621 in line.

Other Facebook wannabes

How successful can this new social media site hope to get? Cracking the iron grip of Facebook and Twitter is no mean feat. Just ask Google how it did with Google+. Spoiler alert: Not good at all.

There have been other aspirants to the social network throne, all of which promise privacy, no tracking, and no data collection. FastCompany recently published a list of them… none of which are what you’d call common household names.

What’s more interesting than the question of how much traction a new social media site like WT:Social can hope to get is the fact that it proposes an entirely different economic model for the web. The approach is similar to that of the Brave browser, which follows the notion that users just might be OK with looking at ads if those ads are vetted, free of malvertising, respectful of privacy, and not tracking them around the web, with the option of sending advertising revenue either into their own pockets or toward the content producers they choose to support.

Is it really a road to not being tracked?

At any rate, while becoming a non-product sounds enticing, you won’t necessarily get there just by leaving the big social networks and joining one that’s not supported by advertising. It might feel good to #DeleteFacebook or #DeleteTwitter, but that doesn’t make you invisible to the trackers and marketers.

Researchers have found that even if you’ve never once posted to either platform, it only takes between eight and nine of your friends – who are happily posting away – for predictive or machine learning technologies to build a profile of your likes, interests and personality.

Then too, there are those tentacles that reach beyond the actual platforms themselves to wrap themselves around you. Namely, Facebook’s shadow profiles: profiles filled in with data collected from non-members that include, among other things, email addresses, names, telephone numbers, addresses and work information… a practice that European courts found invasive enough that they told Facebook to knock it off.

But while it might be tough to unwrap ourselves from those tentacles, it’s certainly worth a shot, so kudos to Wales for not giving up the good fight.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nExb-1DLtfU/