Cyber Weekly Roundup – May 5, 2017

By Andrew Paulette

1.) New password guidelines say everything we thought about passwords is wrong (April 18, 2017)

https://venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we-thought-about-passwords-is-wrong/

Summary: When I recently discovered a draft of new guidelines for password management from NIST (the National Institute of Standards and Technology), I was amazed about the number of very progressive changes they proposed.

Although NIST’s rules are not mandatory for nongovernmental organizations, they usually have a huge influence as many corporate security professionals use them as base standards and best practices when forming policies for their companies. Thus, another fact I was surprised about was a lack of attention to this document, finalized March 31, from both official media and the blogosphere. After all, those changes are supposed to affect literally everyone who browses the Internet.

Why it matters: The changes to the NIST password guidelines at first appear to fly in the face of some conventional password wisdom that is usually taught during end-user training: password complexity requirements have been removed, and the organization no longer recommends periodic password changes. These changes, however, make sense. Forcing users to include specific character classes such as numbers and symbols does not produce a more clever password (most users will default to standbys like Password1$), and mandatory periodic changes usually result in a number being tacked onto the end of the existing password, which again will only delay an advanced attacker momentarily. Instead, the focus on a “blacklist” of common passwords seems to be a much better approach: it lets organizations weed out the worst and most commonly compromised passwords (such as password or 123456) and establishes better password hygiene. If organizations can build databases of compromised passwords from various sources, this will further increase their security while actually removing some of the password-management burden placed on users.
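The blocklist approach described above, as an added example that is not code from the article or from NIST: a password acceptance check with no composition rules and no forced rotation, only a minimum length plus a blocklist of common passwords and a set of hashed compromised passwords. The blocklist and the compromised-hash set are constructed samples.

```python
"""Password acceptance check in the spirit of the NIST guidelines discussed above:
no composition rules and no forced rotation, but a minimum length and a blocklist
of common or previously compromised passwords. This is an added example, not code
from the article; the blocklist and the compromised-hash set are constructed samples."""
import hashlib
import unicodedata

# Constructed sample of "worst passwords" an organization might blocklist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Constructed stand-in for a database of compromised passwords, kept as SHA-1
# digests so the cleartext list never has to be stored alongside the check.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("summer2017", "hunter2", "iloveyou")
}

MIN_LENGTH = 8
TRAILING_FILLER = "0123456789!$@#"   # what users tack on to satisfy old rules

def normalize(password: str) -> str:
    # NFKC normalisation so visually identical strings compare equal;
    # spaces are kept, since long passphrases are encouraged.
    return unicodedata.normalize("NFKC", password)

def base_form(password: str) -> str:
    # "Password1$" -> "password": strips the filler the numeral-tacking habit adds
    return password.lower().rstrip(TRAILING_FILLER)

def check_password(password: str, username: str = "") -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS or base_form(pw) in COMMON_PASSWORDS:
        reasons.append("matches a common-password blocklist entry")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    if hashlib.sha1(pw.encode()).hexdigest() in COMPROMISED_SHA1:
        reasons.append("appears in a compromised-password database")
    return reasons
```

In a real deployment the compromised-hash set would be fed from breach corpora rather than a hard-coded tuple, but the lookup logic is the same.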

2.) The US Takes On the World in NATO’s Cyber War Games (April 29, 2017)

https://www.wired.com/2017/04/us-takes-world-natos-cyber-war-games/

Summary: Last year, Capt. Sean Ruddy and his team of operator-soldiers from the US Cyber Brigade entered Locked Shields, a NATO-organized cyber-defense war game that pits teams from dozens of countries against “live-fire” attacks. It was their first time. And of the 19 countries represented, the US finished dead last. This week, they got their shot at redemption.

Why it matters: Possibly the most interesting part of this article is not the detail on how the Cyber Brigade handled the opposing red team during the simulation (the US came in 12th out of 25 teams this year), but the fact that the gameplay also included decision making from a legal and diplomatic perspective. Attributing an attack to a specific threat actor, and then choosing the correct course of action under international law that was not written with cyberspace in mind, can be a challenge. Recent simulations and exercises appear to place a greater focus on bringing policy-makers and leaders up to speed on what calls to make during cyber incidents, and on ensuring the call is the right one. This will be especially important when serious cyber incidents occur, and any such training is sure to give these individuals context on when to use diplomacy to solve an issue, and when it is time to drop a “cyber-bomb” on the adversary.

3.) Intel patches remote hijacking vulnerability that lurked in chips for 7 years (May 1, 2017)

https://arstechnica.com/security/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years/

Summary: Remote management features that have shipped with Intel processors since 2010 contain a critical flaw that gives attackers full control over the computers that run on vulnerable networks, according to advisories published by Intel and the researcher credited with discovering the critical flaw.

Why it matters: Potentially a serious problem, this vulnerability’s saving grace is that the footprint of exploitable servers was fairly small (7,000 based on scans from Shodan, according to the article) due to the services that must be running for an attack to succeed. The problem could have been much more severe if it had affected a larger base of Intel’s chipsets, including not only servers but the workstations we use day to day, which would have caused headaches for a large portion of the public and of businesses. As a downside, however, the fact that this vulnerability is in the firmware makes remediation difficult and risks bricking the device if the update is performed incorrectly.

This vulnerability is a great example of the fact that many vulnerabilities in operating-system and firmware codebases can go undetected for years before being found and fixed.

4.) Meet Greyhound.com, the site that doesn’t allow password changes (May 1, 2017)

Summary: When it comes to websites with bad password policies, there’s no shortage of bad actors. Sites—some operated by banks or other financial services—that allow eight- or even six-character passwords, sometimes even allowing letters to be entered in either upper- or lower-case? Yup. Sites that e-mail forgotten passwords in plaintext? Sadly, all the time. Ars largely stopped reporting on them because they’re better covered by Twitter accounts like this one.

But recently, I saw a site policy so bad I couldn’t stay quiet.

Why it matters: Take note: this is NOT how you enforce passwords. No password policy such as a minimum password length or special-character requirements; passwords stored in plaintext and sent to the user via email should they forget them; no mechanism for changing a password: this is password policy at its worst.
If this only affected the Greyhound site, it might be forgivable, but part of the bigger problem here is that individuals often reuse passwords across multiple accounts. As a result, this metaphorical weak link in the chain can grant an attacker access to a user’s email, banking, and other accounts if the attacker manages to exfiltrate authentication data from the Greyhound servers.
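The three failures called out above (plaintext storage, emailing the password on a forgotten-password request, and no way to change it), alongside their corrected form, as an added example that is not code from the article or from the site it describes. The in-memory dicts are a constructed stand-in for a user database.

```python
"""A minimal credential store doing the opposite of the practices criticised above:
passwords are stored as salted PBKDF2 hashes rather than plaintext, users can change
their password, and "forgot password" issues a single-use, expiring reset token
instead of mailing the password back. Added example; dicts stand in for a database."""
import hashlib
import hmac
import os
import secrets
import time

_users = {}          # username -> (salt, derived key); constructed in-memory store
_reset_tokens = {}   # token -> (username, expiry timestamp)
RESET_TTL_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000   # a memory-hard KDF (scrypt/argon2) is better where available

def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation: a stolen table cannot be read off like plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _users[username] = (salt, _derive(password, salt))

def verify(username: str, password: str) -> bool:
    if username not in _users:
        _derive(password, b"\x00" * 16)   # same cost for unknown users (timing)
        return False
    salt, stored = _users[username]
    return hmac.compare_digest(stored, _derive(password, salt))

def change_password(username: str, old: str, new: str) -> bool:
    if not verify(username, old):         # proof of the current password required
        return False
    register(username, new)               # fresh salt and hash
    return True

def request_reset(username: str):
    # Returns a one-time token to deliver to the user, or None; the password is never sent.
    if username not in _users:
        return None
    token = secrets.token_urlsafe(32)
    _reset_tokens[token] = (username, time.time() + RESET_TTL_SECONDS)
    return token

def redeem_reset(token: str, new_password: str) -> bool:
    entry = _reset_tokens.pop(token, None)   # single use: removed on first attempt
    if entry is None or entry[1] < time.time():
        return False
    register(entry[0], new_password)
    return True
```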

5.) Compromise Spending Bill Includes Cyber Goodies (May 1, 2017)

Summary: A $1 trillion spending bill that would fund the government through September includes cybersecurity spending hikes at the Homeland Security Department, FBI and Secret Service.

Why it matters: For anyone in cybersecurity, additional spending on cyber capabilities at departments like DHS and agencies like the Secret Service is always a win. The trick becomes how to spend the money most effectively given the growing landscape of risks and threat actors that the US government must face on a day-to-day basis.

6.) Don’t Open That Google Doc Unless You’re Positive It’s Legit (May 3, 2017)

Summary: If you get a Google Doc link in your inbox today, scrutinize it carefully before you click—even if it looks like it comes from someone you trust. A nasty phishing scam that impersonates a Google Docs request has swept the internet today, including a decent chunk of media companies. You’ve heard “think before you click” a million times, but it really could save you from a whole lot of hassle.

Why it matters: As the average user becomes wiser to phishing attacks that rely on poor grammar, obviously fake links, and other giveaways, phishers will have to get more elaborate to make their hoaxes convincing, and the campaign that occurred on Wednesday is a good indication of that evolution. Using a third-party app masquerading as a legitimate Google service, combined with a legitimate-looking email, ups the ante on this type of attack.
This attack illustrates that social engineering training needs to shift from teaching users to spot bad links and grammatical errors toward teaching them to be suspicious of any unsolicited link or attachment, even one that appears to come from a known contact.
If you have been affected by this phishing campaign, revoke access to the “Google Docs” app under your account’s Permissions page (it is not the real Google Docs) and change your password immediately. It is also worth reviewing how to set up two-factor authentication on any account that allows you to enable it.