Downclimb: Summit Route’s Weekly Infosec News Recap
2016.09.11 – 2016.09.18: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com
Quotes
“It’s always easier to seem wise if you’re selling pessimism.” Vernor Vinge, Marooned in Realtime
“Always remember the three main authentication factors: what can be easily guessed, what can be left in a cab, and what can be chopped off” Mark Burnett
“Something like 90 percent of cyber intrusions start with phishing… Somebody always falls for it.” DNI (Director of National Intelligence) James Clapper
“an amazing fuzzer that can be competently used by 100 people in the world is worth a lot less than a barely-competent fuzzer that any developer can get running in 30 minutes or so.” Michal Zalewski (lcamtuf), creator of the AFL fuzzer
“You spend months of your life writing hand-crafted protocol emulators that deal with every corner case of a 500 page specification to fuzz the crap out of something and some dude with a reinforcement-learning-based mutation-fuzzer written in 200 lines of C code that doesn’t know anything about any protocol comes up behind you and says "yeah just comment out the checksum, bro."” Andrew Ruef
“It’s so great that we get to read everyone’s email now. And by "great" I mean: the entire field of information security should take a timeout and think about what we’ve done wrong.” Matthew Green
Top stories
Verified Access API
Google announced its Verified Access API for Chrome OS (Link) and Duo described its integration with it (Link). The API lets a service confirm, before it grants access, that the device connecting to a corporate resource is a company-enrolled Chrome OS device, that the signed-in user belongs to the corporate domain, and that the device is running in verified boot mode and in compliance with company policy. In other words, you can trust that an employee isn't accessing company resources from a personal laptop, and that neither the employee nor malware on the device has tampered with the restrictions the security team put on it.
To see why this matters, consider how constantly credentials leak. Hardware second factors such as U2F (FIDO) were created in response, but a U2F token only proves possession of the token: the endpoint using it may itself be compromised, or the token may have been plugged into an unapproved device. Verified Access addresses that gap by attesting to the device itself.
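The challenge-response at the heart of this, as an added illustration rather than Google's or Duo's code: the device signs a server-issued nonce together with its identity and posture using a key provisioned at enrollment, and the relying party checks that signature against its enrollment inventory before it applies any policy. The serials, domain, user names, inventory format and file-backed key are constructed for the demo; on Chrome OS the key is hardware-backed and the challenge is created and verified through Google's API, not by a server you write yourself.

```shell
#!/bin/sh
# Added example, not Google's or Duo's code: a minimal model of the Verified Access
# pattern. At enrollment a device gets a signing key (hardware-backed on Chrome OS;
# a file here, an assumption of the demo) and the server records the public key and
# the domain the asset belongs to. At access time the relying party issues a fresh
# nonce, the device signs "nonce|serial|user|posture", and the server verifies the
# signature with the enrolled key before it applies any policy. Needs openssl 1.1.1+
# for Ed25519; the demo at the bottom is skipped if that is missing.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Enrollment: create the device key and record "serial domain" in the inventory.
enroll_device() { # $1 serial, $2 domain
    openssl genpkey -algorithm ed25519 -out "$WORK/$1.key"
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub"
    printf '%s %s\n' "$1" "$2" >> "$WORK/inventory"
}

# Relying party: one random nonce per request, so a captured response cannot be replayed.
issue_challenge() { openssl rand -hex 16; }

# Device: build the statement, sign it with the enrolled key, print the statement.
device_respond() { # $1 serial, $2 nonce, $3 signed-in user, $4 posture
    printf '%s|%s|%s|%s' "$2" "$1" "$3" "$4" > "$WORK/$1.stmt"
    openssl pkeyutl -sign -rawin -inkey "$WORK/$1.key" -in "$WORK/$1.stmt" -out "$WORK/$1.sig" >/dev/null
    cat "$WORK/$1.stmt"
}

# Policy (pure shell), applied only to a statement whose signature already checked out.
# Prints the decision; returns 0 to allow, 1 to deny.
evaluate() { # $1 expected nonce, $2 statement, $3 inventory file
    nonce=${2%%|*}; rest=${2#*|}
    serial=${rest%%|*}; rest=${rest#*|}
    user=${rest%%|*}; posture=${rest#*|}
    [ "$nonce" = "$1" ] || { echo "deny: nonce mismatch (stale or replayed response)"; return 1; }
    domain=$(awk -v s="$serial" '$1 == s { print $2 }' "$3")
    [ -n "$domain" ] || { echo "deny: $serial is not an enrolled company asset"; return 1; }
    case "$user" in
        *"@$domain") ;;
        *) echo "deny: $user is not in the $domain domain"; return 1 ;;
    esac
    [ "$posture" = compliant ] || { echo "deny: $serial is out of policy ($posture)"; return 1; }
    echo "allow: $user on enrolled device $serial"
}

# Server: check that the statement was signed by the key enrolled for the serial it
# claims (an unenrolled serial has no key and fails here), then apply policy.
verify_and_evaluate() { # $1 expected nonce, $2 statement as received
    serial=$(printf '%s' "$2" | cut -d'|' -f2)
    [ -f "$WORK/$serial.pub" ] || { echo "deny: no enrolled key for $serial"; return 1; }
    printf '%s' "$2" > "$WORK/received.stmt"
    openssl pkeyutl -verify -rawin -pubin -inkey "$WORK/$serial.pub" \
        -in "$WORK/received.stmt" -sigfile "$WORK/$serial.sig" >/dev/null 2>&1 \
        || { echo "deny: signature does not match statement for $serial"; return 1; }
    evaluate "$1" "$2" "$WORK/inventory"
}

have_ed25519() {
    command -v openssl >/dev/null 2>&1 &&
        openssl genpkey -algorithm ed25519 -out "$WORK/probe.key" >/dev/null 2>&1
}

if have_ed25519; then
    enroll_device CROS-0001 example.com                        # constructed sample asset
    nonce=$(issue_challenge)
    stmt=$(device_respond CROS-0001 "$nonce" alice@example.com compliant)
    verify_and_evaluate "$nonce" "$stmt" || true               # allow
    verify_and_evaluate "$(issue_challenge)" "$stmt" || true   # deny: replayed against a new nonce
    # Malware edits the posture after signing: the signature no longer matches.
    nonce=$(issue_challenge)
    stmt=$(device_respond CROS-0001 "$nonce" alice@example.com noncompliant)
    forged=$(printf '%s' "$stmt" | sed 's/noncompliant$/compliant/')
    verify_and_evaluate "$nonce" "$forged" || true             # deny: signature mismatch
fi
```

The order of checks is the point: signature first, so that identity and posture are taken from a statement the enrolled key actually produced, then nonce freshness, then inventory, domain and policy. A relying party that checks the policy fields without binding them to a key is trusting the endpoint's self-report, which is exactly what Verified Access is meant to avoid.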
Scalable and secure access with SSH
In contrast to Verified Access, which works by establishing that the endpoint can be trusted, Facebook has described an SSH access architecture that minimizes how much the endpoints need to be trusted, by routing all access to servers through bastion hosts (Link). From the post:
“We do not place SSH certificates on laptops because it is difficult to control everything that individual employees run on them. Even though they are centrally managed, laptops are more prone to vulnerabilities than the bastion servers. Therefore, we do not trust them with SSH private keys.”
Facebook employees authenticate to the bastion with 2FA; the bastion, not the laptop, holds the SSH private keys and certificates used to reach internal hosts. There are pros and cons to this strategy. On the negative side, the bastion becomes a concentrated target: if it is compromised, the private keys it holds are exposed (if the certificates are short-lived, the window in which a stolen key and certificate remain useful is at least bounded by their validity period). Another negative is that, by not trusting the endpoints with certificates, they would seem to log in to the bastion with a password plus a second factor; requiring a separate, laptop-held key or certificate in addition to the second factor would be stronger. There are a number of benefits to their strategy though: private keys never live on the hardest-to-control devices, and every session passes through a single choke point that can be logged and audited.
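One concrete layout of the bastion-plus-CA model, added here as an illustration and not Facebook's code: the bastion demands a public key plus a second factor (the stronger variant suggested above), holds the per-user key and a short-lived certificate signed by a user CA, and internal hosts trust only that CA and map certificate principals to local accounts. Paths, principal names, the 8-hour lifetime and PAM as the second-factor mechanism are assumptions.

```shell
#!/bin/sh
# Added example, not Facebook's code: one way to lay out the bastion-plus-CA model.
# The bastion requires a key AND a second factor (PAM/keyboard-interactive), holds the
# per-user private key and a short-lived certificate signed by a user CA, and internal
# hosts trust only that CA, mapping certificate principals to local accounts. Paths,
# principal names and the 8-hour lifetime are assumptions.
set -eu

PRINCIPALS_DIR=${PRINCIPALS_DIR:-/etc/ssh/principals}

# sshd_config fragment for the bastion: no password-only logins; a public key and a
# keyboard-interactive (PAM-backed) second factor are both required.
bastion_sshd_config() {
    cat <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
PermitRootLogin no
EOF
}

# sshd_config fragment for internal hosts: trust the user CA, map certificate
# principals to accounts through per-account files, accept nothing else.
server_sshd_config() { # $1 path of the CA public key on the host
    cat <<EOF
TrustedUserCAKeys $1
AuthorizedPrincipalsFile $PRINCIPALS_DIR/%u
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey
EOF
}

# Let certificates carrying principal $2 log in as local account $1 (one principal
# per line; sshd reads the file because of AuthorizedPrincipalsFile above).
grant_principal() { # $1 account, $2 principal
    mkdir -p "$PRINCIPALS_DIR"
    grep -qx "$2" "$PRINCIPALS_DIR/$1" 2>/dev/null || printf '%s\n' "$2" >> "$PRINCIPALS_DIR/$1"
}

# Sign a user key on the bastion: explicit key id (it shows up in the server's auth
# log), explicit principals, and a validity window short enough that a stolen
# certificate ages out quickly.
issue_cert() { # $1 CA private key, $2 user public key, $3 key id, $4 principals (comma-separated), $5 validity, e.g. +8h
    ssh-keygen -q -s "$1" -I "$3" -n "$4" -V "$5" "$2"   # writes ${2%.pub}-cert.pub
}

if command -v ssh-keygen >/dev/null 2>&1; then
    W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
    ssh-keygen -q -t ed25519 -N '' -C user-ca -f "$W/user_ca"   # CA key, never on a laptop
    ssh-keygen -q -t ed25519 -N '' -C alice -f "$W/alice"       # per-user key, lives on the bastion
    issue_cert "$W/user_ca" "$W/alice.pub" "alice-$(date +%s)" alice,ops +8h
    ssh-keygen -L -f "$W/alice-cert.pub"                          # shows Key ID, Principals and the Valid: window
    # From the bastion, "ssh -i $W/alice host" picks up alice-cert.pub automatically; the
    # host accepts it only if user_ca.pub is in TrustedUserCAKeys and "alice" or "ops"
    # is listed in the principals file of the target account.
fi
```

The certificate's principals, not the local account name, decide where a session is allowed, and the validity window is what limits the damage from a bastion compromise: a key stolen from the bastion is useless once its certificate expires unless the attacker also holds the CA key, which is why the CA belongs on a separate, tightly controlled host.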
This concept and the above Verified Access are two important security architecture strategies that should be considered.
Business
- New York issues cyber regulations for banks, insurers: In a statement from New York Governor Andrew Cuomo (link), he proposes cybersecurity requirements for financial services companies. The proposed requirements are in line with best practice: documented policies, 2FA on important accounts, and more. Among them: board chairmen would have to file annual certifications with the New York State Department of Financial Services stating, to the best of their knowledge, that their companies’ cyber programs comply with the regulation. This appears to be an attempt to hold boards accountable for cybersecurity practices.
- Vendor Security Alliance: A number of tech companies (Atlassian, Docker, Palantir, Uber, Airbnb, Dropbox, GoDaddy, and Twitter) have partnered together to streamline the process of vetting third-party vendors.
Other reads
- Deploying JAMF Server Software: Just Check the Box: JAMF is a common enterprise management solution for Macs, used to push new software and configuration to them (similar in some ways to Domain Controllers in Windows). The article points out that a default JAMF server configuration leaves SSL certificate verification off, which opens the client-server channel to man-in-the-middle attacks: an attacker positioned on the network path could deploy arbitrary code to the OS X systems that server manages. If you run JAMF, confirm that certificate verification is actually turned on rather than left at the default, and that managed clients trust only the certificate your server presents.