Daily Archives: December 10, 2019

Generated Passwords, UX and Security Absolutism


Last month, Disney launched their new streaming service Disney+; "The best stories in the world, all in one place", apparently. The service was obviously rather popular because within days the tech (and mainstream) headlines were proclaiming that thousands of hacked Disney+ accounts were already for sale on hacking forums. This is becoming an alarmingly regular pattern with online services, the cause of which was soon confirmed by Disney:

Disney says that there is “no indication” of a security breach on Disney+, and that the source of the problem might be a so-called “credential stuffing” attack, in which hackers obtain passwords and usernames from Dark Web databases, and then use a brute force method to see if those passwords and usernames will work on new sites as well.

So the root cause is credential reuse. We've all done it at some time or other and the vast, vast majority of online users still do it today. But what if we could stop this attack dead in its tracks? What if one simple design decision in the auth process could completely rule out any chance of ever suffering a credential stuffing attack?


Genius! Absolute genius! So why doesn't every site take away the ability for people to choose their own passwords? Why not just generate the password for them thus completely eradicating password reuse? Because it's an absolutely terrible idea, which brings me to the catalyst for this blog post:

I woke up earlier this week to a flood of tweets pointing me at this one with people aghast at the premise of firstly, storing passwords in plain text and secondly, emailing them out to people:

This is largely a practice of a bygone era and it's increasingly rare to see in modern times (and if you do see it, name and shame over at Plain Text Offenders). But how relevant is this criticism when the passwords are system-generated? Whilst the storage and delivery of the password in plain text certainly smells bad, when it's a (pseudo) random string, the risk is very different to when the user chooses their own secret:

For me, the issue isn't really about the storage and delivery of the password, it's about the practice of generating a password for someone that just doesn't add up. There's a fundamental flaw in the logic which I summarised as follows:

The tweet I quoted linked to a blog post titled Pentesting Training Website Challenges Authentication Best Practices and referenced the infosec community doing much "pitchfork raising". Somehow, despite my joining the conversation late, my single-word tweet featured at the beginning of that post which concluded that:

Practical Pentest Labs makes a great case for innovation and not following the pack in the IT security landscape.

So let's go through the registration process and look at why "the pack" doesn't implement things this way. Registration involves entering a username and email address which then delivers the following to your inbox:


Now, put yourself in the shoes of someone who's just registered - how do you login? Copy and paste the password of course, that's the easy bit. But how do you login next time? Clearly, you're not going to remember the password so you need to record it somewhere, but where? Password manager? Great, which means you also have the ability to do something like this on account creation:


This is 1Password's password generator and I use it for every new account I create so clearly there's no "uniqueness" value to assigning the user a password when you can generate your own strong password anyway. And if you have no password manager? You're not going to write it down because that would be absolutely painful, as would re-typing it on return to the website. In all likelihood you're simply not going to record the password at all which means then doing a password reset. Except it's not a reset, it's a recovery which is why they store it in plain text in the first place:

Now of course there are very well-established patterns for implementing a password reset so this remains a really odd design decision, but it's one that's tangential to the discussion around generating the password. Using the "forgot password" feature as a primary means of authentication was enthusiastically supported by a number of people who joined in on the conversation:

Let's be clear about the first bit: using this feature as a means of recovering access to an account isn't "genius" due to their decision to generate passwords because you can use exactly the same approach with any site that allows you to choose your own password. This is simply using the password reset feature for auth, pure and simple. And it has a heap of issues.

Firstly, it always involves more steps and more time than entering a username and password either from memory or password manager. It's no longer a matter of entering a username and password, it's enter the email address, wait for the email, go to the mail client, click the link, now you're in.

Secondly, "wait for the email" can be a protracted process. We've all had plenty of occasions where mail delivery is delayed and, in this case, that's a blocking process; you simply cannot log back in until the mail comes.

Thirdly, there's junk. Just this morning I discovered all my Disqus notifications were going direct to the spam box:


I don't know if that's Disqus' fault or Office 365's fault, but what I do know is that a whole bunch of legitimate emails were no longer being delivered to my inbox (it wasn't just Disqus either). Now imagine you're dependent on that email simply to access a system you're already registered on - it's painful. Of course, you still need successful email delivery for registration verification and the times you genuinely need to perform an account recovery, but making that a dependency on every single authentication attempt is just nonsensical.

Much of the discussion had on this topic centred around the pain imposed on users choosing passwords:

You can argue this two different ways: On the one hand, manually creating a password that meets what is often arbitrary complexity criteria can be painful, and that's before you even begin listening to that nagging voice in the back of your head saying "also make it unique". On the other hand, passwords are one of the simplest security constructs we have and every single person using the web today understands how to use them. Indeed, this is what keeps human-chosen passwords alive today; just last year I wrote Here's Why [Insert Thing Here] Is Not a Password Killer, where I explained that despite the technical merits of alternate approaches, the simple reason we still use passwords the way we do today is because everyone understands them! It's exactly the same reason why I ended up standing in front of US Congress testifying about the impact of data breaches on knowledge based authentication; relaying your date of birth as a means of verifying your identity is terrible in terms of security, but it prevails because every single person knows how to do it! You cannot escape these basic security truths and time and time again, usability trumps security.

Which brings me to the "security absolutism" term in the title of this post. Security absolutism - the view that all else is secondary to this one strongly held principle - was rampant throughout the discussion:

This feels like a very sage, grandfatherly thing for me to say, but this is simply not how the world works. If it was, they'd force 2FA on every single user and demand they purchase a U2F key for auth. As it stands, there's not even a self-service means of changing your password:

If security was such an important focus, they wouldn't still be supporting TLS 1.0 and 1.1 (SSL Labs will cap their grade at "B" a few weeks from now for that faux pas), they'd publish a DNS CAA record and they wouldn't be scoring a failing "F" grade on Security Headers due to no HSTS and no CSP. To be clear, none of these are particularly sensational findings, but the assertion that security is somehow sacrosanct and that everything else must be sacrificed in its pursuit is clearly not what's going on here.

I first used the term security absolutism a few years ago now when writing about responses to folks using Cloudflare to implement HTTPS on their sites. As with this post, I proposed that a myopic focus on security was unhealthy and causes people to miss the many fine nuances involved in protecting online assets whilst still delivering a usable service. For example, this tweet in response to the terrible UX of generating passwords for people:

Clearly this is untrue for Disney and for every other service I can think of that's recently been the victim of credential stuffing (geez that list is getting big). Not a single one I can name has, after being on the receiving end of an attack, turned around and said "You know what? No longer allowing users to choose their own password and instead just assigning one to them sure beats the UX of dealing with a hacked account!". Not. One.

This is also a case where this particular site is by no means a valid reference point for the general online populace. Practical Pentest Labs is targeted at people who want to "take their hacking skills to the next level", which one would assume means the audience is somewhat more security-conscious than your average punter. This audience is better equipped to store secrets such as a generated password but again, they're also more likely to have a password manager in the first place thus negating the uniqueness value proposition of a generated secret.

To be clear, I don't have any personal gripes with Practical Pentest Labs and if this method of auth is working for them then good on 'em, that's their call. But regardless of how much you might like their approach, it's an inescapable reality that their implementation is highly abnormal and that's not by accident - this model is simply a UX nightmare. This approach would completely solve Disney's credential stuffing problem by entirely eradicating password reuse, that part I agree on:

But as for "all sites should generate the user's password", no, you're never going to see it happen at Disney because they actually want customers! This, again, is security absolutism because it places security above and beyond all else and damn the consequences.

By all means, people should robustly debate the merits of alternate auth systems, but you cannot escape the reality that no matter how strongly you endorse this approach, websites simply don't implement it. There are very good reasons why not and if you're inclined to chime in on the comments section in support of generated passwords, perhaps start with thinking about why this approach is so rarely seen.

Plundervolt! A new Intel Processor ‘undervolting’ Vulnerability

Researchers at the University of Birmingham have identified a weakness in Intel’s processors: by 'undervolting' the CPU, Intel’s secure enclave technology becomes vulnerable to attack.

A little bit of undervolting can cause a lot of problems

Modern processors are being pushed to perform faster than ever before – and with this comes increases in heat and power consumption. To manage this, many chip manufacturers allow frequency and voltage to be adjusted as and when needed – known as ‘undervolting’ or ‘overvolting’. This is done through privileged software interfaces, such as a “model-specific register” in Intel Core processors.

An international team of researchers from the University of Birmingham’s School of Computer Science along with researchers from imec-DistriNet (KU Leuven) and Graz University of Technology has been investigating how these interfaces can be exploited in Intel Core processors to undermine the system’s security in a project called Plundervolt.

Results released today and accepted to IEEE Security & Privacy 2020 show how the team was able to corrupt the integrity of Intel SGX, the enclave technology used to shield sensitive computations from, for example, malware on the same machine, by controlling the supply voltage while enclave code executes. This means that even Intel SGX's memory encryption and authentication cannot protect against Plundervolt: the faults are injected into the computation itself, not into memory in transit.

Intel has already responded to the security threat by supplying a microcode update to mitigate Plundervolt. The vulnerability is tracked as CVE-2019-11157 with a CVSS base score of 7.9 (High).

David Oswald, Senior Lecturer in Computer Security at the University of Birmingham, says: “To our knowledge, the weakness we’ve uncovered will only affect the security of SGX enclaves. Intel responded swiftly to the threat and users can protect their SGX enclaves by downloading Intel’s update.”

Better password protections in Chrome – How it works

Today, we announced better password protections in Chrome, gradually rolling out with release M79. Here are the details of how they work.


Warnings about compromised passwords
Google first introduced password breach warnings as a Password Checkup extension early this year. It compares passwords and usernames against over 4 billion credentials that Google knows to have been compromised. You can read more about it here. In October, Google built the Password Checkup feature into the Google Account, making it available from passwords.google.com.

Chrome’s integration is a natural next step to ensure we protect even more users as they browse the web. Here is how it works:
  • Whenever Google discovers a username and password exposed by another company’s data breach, we store a hashed and encrypted copy of the data on our servers with a secret key known only to Google.
  • When you sign in to a website, Chrome will send a hashed copy of your username and password to Google encrypted with a secret key only known to Chrome. No one, including Google, is able to derive your username or password from this encrypted copy.
  • In order to determine if your username and password appears in any breach, we use a technique called private set intersection with blinding that involves multiple layers of encryption. This allows us to compare your encrypted username and password with all of the encrypted breached usernames and passwords, without revealing your username and password, or revealing any information about any other users’ usernames and passwords. In order to make this computation more efficient, Chrome sends a 3-byte SHA256 hash prefix of your username to reduce the scale of the data joined from 4 billion records down to 250 records, while still ensuring your username remains anonymous.
  • Only you discover if your username and password have been compromised. If they have been compromised, Chrome will tell you, and we strongly encourage you to change your password.
You can control this feature in the “Sync and Google Services” section of Chrome Settings. Enterprise admins can control this feature using the Password​Leak​Detection​Enabled policy setting.
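The bullet list above describes the protocol only in words. The following is an added example that re-implements the idea end to end; it is not Google's or Chrome's code, and it simplifies in two places: it uses a 1024-bit integer Diffie-Hellman group (RFC 2409 Oakley Group 2) instead of an elliptic curve, and the client re-blinds the server's bucket with its own key rather than unblinding its own element, which avoids a modular inverse. Case-folding the username before hashing, the 3-byte prefix and the breached credential list are assumptions constructed for the example.

```python
"""Blinded, prefix-bucketed credential leak check (added example, not Chrome's code)."""
import hashlib
import secrets

# RFC 2409 Oakley Group 2: 1024-bit safe prime, generator 2.
# A real deployment would use an elliptic-curve group; the maths is the same.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
PREFIX_BYTES = 3  # 24-bit username hash prefix, as described in the post


def hash_to_group(username: str, password: str) -> int:
    """Map a credential pair to a group element: G ** SHA256(user || 0x00 || pass) mod P."""
    data = username.lower().encode() + b"\x00" + password.encode()  # case-folding is an assumption
    exponent = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(G, exponent, P)


def username_prefix(username: str) -> bytes:
    """The only thing the server learns in the clear: 3 bytes of SHA-256(username)."""
    return hashlib.sha256(username.lower().encode()).digest()[:PREFIX_BYTES]


def random_exponent() -> int:
    return secrets.randbelow(P - 2) + 1  # uniform in 1 .. P-2


class BreachServer:
    """Holds breached credentials only in server-blinded form, bucketed by username prefix."""

    def __init__(self, breached):
        self._key = random_exponent()  # secret known only to the server
        self._buckets = {}
        for user, pw in breached:
            blinded = pow(hash_to_group(user, pw), self._key, P)
            self._buckets.setdefault(username_prefix(user), []).append(blinded)

    def query(self, prefix: bytes, client_blinded: int):
        """Raise the client's blinded element to the server key; return it with the bucket."""
        return pow(client_blinded, self._key, P), list(self._buckets.get(prefix, []))


def is_compromised(server: BreachServer, username: str, password: str) -> bool:
    """Client side: one round trip, the server never sees the credential or its hash."""
    a = random_exponent()  # fresh client blinding key per query
    blinded = pow(hash_to_group(username, password), a, P)
    doubly_blinded, bucket = server.query(username_prefix(username), blinded)
    # (h_i ** b) ** a == (h ** a) ** b holds exactly when h_i is our credential;
    # exponentiation commutes, so neither party needs the other's key.
    return any(pow(entry, a, P) == doubly_blinded for entry in bucket)


# Constructed breach list for the example.
BREACHED = [("alice@example.com", "hunter2"), ("bob@example.com", "correct horse")]

if __name__ == "__main__":
    server = BreachServer(BREACHED)
    print(is_compromised(server, "alice@example.com", "hunter2"))  # leaked
    print(is_compromised(server, "alice@example.com", "hunter3"))  # not leaked
```

Two properties worth checking against the post's claims: the server only ever receives a 3-byte prefix and a blinded group element, so it cannot recover the username or password; and the bucket the client receives is blinded with the server's key, so a client can test exactly one guess per query and learns nothing about the other breached pairs sharing its prefix.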


Real-time phishing protection: Checking with Safe Browsing’s blocklist in real time.
Chrome’s new real-time phishing protection is also expanding existing technology — in this case it’s Google’s well-established Safe Browsing.

Every day, Safe Browsing discovers thousands of new unsafe sites and adds them to the blocklists shared with the web industry. Chrome checks the URL of each site you visit or file you download against this local list, which is updated approximately every 30 minutes. If you navigate to a URL that appears on the list, Chrome checks a partial URL fingerprint (the first 32 bits of a SHA-256 hash of the URL) with Google for verification that the URL is indeed dangerous. Google cannot determine the actual URL from this information.

However, we’re noticing that some phishing sites slip through our 30-minute refresh window, either by switching domains very quickly or by hiding from Google's crawlers.

That’s where real-time phishing protections come in. These new protections can inspect the URLs of pages visited with Safe Browsing’s servers in real time. When you visit a website, Chrome checks it against a list stored on your computer of thousands of popular websites that are known to be safe. If the website is not on the safe-list, Chrome checks the URL with Google (after dropping any username or password embedded in the URL) to find out if you're visiting a dangerous site. Our analysis has shown that this results in a 30% increase in protections by warning users on malicious sites that are brand new.

We will be initially rolling out this feature for people who have already opted-in to “Make searches and browsing better” setting in Chrome. Enterprises administrators can manage this setting via the Url​Keyed​Anonymized​Data​Collection​Enabled policy settings.


Expanding predictive phishing protection
Your password is the key to your online identity and data. If this key falls into the hands of attackers, they can easily impersonate you and get access to your data. We launched predictive phishing protections to warn users who are syncing history in Chrome when they enter their Google Account password into suspected phishing sites that try to steal their credentials.

With this latest release, we’re expanding this protection to everyone signed in to Chrome, even if you have not enabled Sync. In addition, this feature will now work for all the passwords you have stored in Chrome’s password manager.

If you type one of your protected passwords (this could be a password you stored in Chrome’s password manager, or the Google Account password you used to sign in to Chrome) into an unusual site, Chrome classifies this as a potentially dangerous event.

In such a scenario, Chrome checks the site against a list on your computer of thousands of popular websites that are known to be safe. If the website is not on the safe-list, Chrome checks the URL with Google (after dropping any username or password embedded in the URL). If this check determines that the site is indeed suspicious or malicious, Chrome will immediately show you a warning and encourage you to change your compromised password. If it was your Google Account password that was phished, Chrome also offers to notify Google so we can add additional protections to ensure your account isn't compromised.

By watching for password reuse, Chrome can give heightened security in critical moments while minimizing the data it shares with Google. We think predictive phishing protection will protect hundreds of millions more people.

SECURITY ALERT: Snatch Ransomware Reboots Your PC in Safe Mode to Avoid Detection

Ransomware is experiencing a resurgence in the second half of 2019 and will probably keep growing in 2020. In perhaps the most disturbing ransomware development of the year, a newcomer has developed a novel strategy to bypass Antivirus detection: the Snatch ransomware starts its activity by rebooting Windows computers into Safe Mode.

This allows it to elude Antivirus detection since it only starts behaving like ransomware after rebooting. Unfortunately, most commercial Antivirus programs don’t initialize in Windows Safe Mode, since that type of booting is only used as a temporary state for troubleshooting a malfunctioning system.

It’s not the first time malware has found ways to disable Windows defenses and trick it, but the Snatch ransomware has the potential to be the most damaging attack vector yet. I can’t stress the importance of learning about Snatch and taking all defensive measures against it.

How the Snatch Ransomware Works

After the Snatch ransomware successfully infects a computer, it doesn’t begin behaving like ransomware (encrypting files) right away. This would cause it to get detected by whatever Antivirus software the machine is running.

Instead, Snatch abuses a legitimate Windows mechanism, not a vulnerability in the usual sense, to reboot the system into Safe Mode. Once Windows is in Safe Mode, the ransomware finally starts doing its expected act of encrypting files. Since most endpoint security software is not loaded in that state, it can proceed with encryption uninterrupted.

Even if you get wind that you might be infected, there’s little chance of eluding it once the reboot has been triggered. This is what makes the Snatch ransomware so dangerous and difficult to disinfect.

From the get-go, it will set itself up as a service within the operating system, making sure it will run even during a system reboot. Then, it simply forces that reboot to take place, effectively making sure the playing field is clear of all adversaries (endpoint security solutions such as Antivirus software).

The reason the Snatch ransomware is able to do this is that Windows lets a service declare that it should be started in Safe Mode. By adding the corresponding registry key, Snatch embeds itself in the list of services that start after a Safe Mode reboot; nothing is being exploited here, a documented feature is simply being used against its owner.
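Because the trick relies on a documented feature, it is also easy to audit for. The following is an added example of that audit, not Sophos's or Heimdal's code: it parses two text captures taken on the host (`reg export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" safeboot.reg`, and `bcdedit /enum {current}`) and flags (1) any Service-class entry registered to start in Safe Mode that is not on a baseline allow-list, and (2) a boot entry that forces the next boot into Safe Mode. The baseline and both sample captures are constructed for the example; take a snapshot of your own known-good build rather than trusting the baseline as shipped here.

```python
"""Offline audit for Safe Mode persistence (added example; baseline and samples are constructed)."""
import re

# Constructed baseline of SafeBoot\Minimal subkeys from a known-good build.
# The real list varies by Windows version: record your own and keep it under change control.
BASELINE_SAFEBOOT = {
    "{36FC9E60-C465-11CF-8056-444553540000}", "AppInfo", "Base", "Boot Bus Extender",
    "CryptSvc", "DcomLaunch", "EventLog", "PlugPlay", "RpcSs", "vga.sys", "WinDefend",
}

REG_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(Minimal|Network)\\([^\]]+)\]$", re.IGNORECASE)
REG_DEFAULT_RE = re.compile(r'^@="([^"]*)"$')
BCD_SAFEBOOT_RE = re.compile(r"^\s*safeboot\s+(\w+)\s*$", re.IGNORECASE)


def parse_safeboot_export(text: str) -> dict:
    """Return {(section, subkey): class} from `reg export` output.

    `reg export` writes UTF-16; read the file with encoding="utf-16" before calling this.
    Each subkey's default value (the `@=` line) is "Service" or "Driver".
    """
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = REG_KEY_RE.match(line)
        if key:
            current = (key.group(1).capitalize(), key.group(2))
            entries[current] = ""
            continue
        if line.startswith("["):      # some other key: stop attributing @= lines
            current = None
            continue
        default = REG_DEFAULT_RE.match(line)
        if default and current:
            entries[current] = default.group(1)
    return entries


def find_unexpected_safeboot_services(export_text: str, baseline: set) -> list:
    """Service-class entries (in Minimal or Network) that the baseline does not know."""
    entries = parse_safeboot_export(export_text)
    return sorted(f"{section}\\{subkey}" for (section, subkey), cls in entries.items()
                  if cls.lower() == "service" and subkey not in baseline)


def find_forced_safeboot(bcd_text: str):
    """Return 'Minimal'/'Network'/... if the boot entry forces Safe Mode, else None."""
    for line in bcd_text.splitlines():
        m = BCD_SAFEBOOT_RE.match(line)
        if m:
            return m.group(1)
    return None


def audit(export_text: str, bcd_text: str, baseline: set = BASELINE_SAFEBOOT) -> dict:
    return {
        "unexpected_services": find_unexpected_safeboot_services(export_text, baseline),
        "forced_safeboot": find_forced_safeboot(bcd_text),
    }


# Constructed capture: a known driver, a known service, and one service not on the baseline.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BackupHelperSvc]
@="Service"
"""

# Constructed capture of `bcdedit /enum {current}` on a machine primed for a Safe Mode reboot.
SAMPLE_BCDEDIT = r"""Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
safeboot                Minimal
"""

if __name__ == "__main__":
    print(audit(SAMPLE_REG_EXPORT, SAMPLE_BCDEDIT))
```

An unexpected Service-class entry under SafeBoot is a strong signal on its own; the same name appearing as a freshly created service plus a `safeboot` flag in the BCD store is the full pattern described above and should be treated as an active incident, not a configuration drift ticket.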

SophosLabs, the research team that initially documented this new ransomware behavior, says this is a major public danger. Other ransomware groups could soon borrow the Safe Mode trick, leaving plenty of Antivirus software virtually useless against them.

Since most consumers and businesses sadly rely only on a regular Antivirus for protection (at best), this could lead to successful ransomware attacks on an unprecedented scale.

More info on the Snatch Ransomware

The ransomware group which created the Snatch ransomware has been active since summer 2018. The Safe Mode trick used by the ransomware now seems to be a recent development, but these guys were clearly remarkable from the start.

They didn’t go after consumer targets (back then) through mass-delivered spam campaigns or browser exploit kits, as most ransomware does. Instead, they focused on high profile government or corporate targets. Since these targets have the money for bigger payouts, they obviously make more attractive targets for big game hunters like Snatch.

The group has been operating as a business, advertising for affiliate partners and looking for collaborators since last year. Here is an ad from one of the group’s operators (mentioning that they only work with Russian speakers).

[Image: Snatch forum ad looking for affiliates. Photo by Sophos, via ZDNet.]

Especially when targeting large organizations, the Snatch ransomware doesn’t just shoot in the dark. They do their homework really well about who they’re after, much like in the process of spear-phishing.

They buy access to a network or work with other hackers to breach their target’s systems if they can’t get in themselves. Then, they stay silent for weeks and even months, gathering more info, observing and waiting. The ransomware part of the attack only starts to unfold once the Snatch team has covered all their bases and the victory is all but guaranteed.

Furthermore, unlike other ransomware gangs who simply encrypt files and then demand to be paid for the encryption key, Snatch also steals valuable data. The researchers who have been investigating the Snatch ransomware gang found evidence that they also engage in data theft through it.

Thus, even if you pay the ransom to get your files back (a strategy we never recommend, even if it means losing your files), you can later find it leaked and for sale on the dark web.

Coveware, a company that sometimes negotiates ransomware payouts on behalf of the victims, told Sophos that they privately handled 12 payouts for the Snatch infection between July and October 2019. The payments ranged between $2,000 and $35,000. The only publicly known case of Snatch ransomware infection was the SmarterASP.net web hosting company. So far, the ransomware gang has managed to keep a low profile.

How to Stay Safe from the Snatch Ransomware

Priority #1: Get your security straightened out (DNS shields up!)

No matter how good you think your Antivirus solution is, this time it might not cut it. You definitely need to up your game with a DNS traffic filter which helps detect unknown threats and blocks ransomware before it can reach your system.

Unlike reactive solutions like Antivirus software, a proactive solution like our Thor Foresight Enterprise will prevent the ransomware payload from reaching your systems. It will also block numerous other ways that hackers usually employ to get into your systems, too. Essentially, if the Snatch ransomware strain manages to infiltrate your systems, no reactive security solution will be able to help you, no matter how reliable it has been in the past. We are entering a new and more dangerous world of online threats. It’s time to employ security solutions that can keep up with it.

Priority #2: Spread the word and educate your users

No one can afford to stop learning and just leave security to the experts (system admins and so on). Even if you have the best EDR solution out there, distracted and uninformed users can jeopardize all the security efforts.

There’s no way around it anymore: everyone needs to be on their toes and learn more about how contemporary threats work. As these threats evolve and change, so should the best security practices that users must employ in their online activity.

You can get started with our free cybersecurity resources here. It’s simple, actionable advice and no matter how non-technical you are, as long as you read a bit every few days, you’ll be better prepared to handle cyber-emergencies.

The post SECURITY ALERT: Snatch Ransomware Reboots Your PC in Safe Mode to Avoid Detection appeared first on Heimdal Security Blog.