Security

On Facial Recognition and Identity Proofing

Wired has a good piece on the IRS in the US caving to public outcry and ditching its integration with ID.me - a service that was supposed to verify identities (by matching video selfies to existing records). It’s understandable why this would cause concerns given that facial recognition is rife with false matches, biases and a reputation for invasiveness. With fraud being a pressing issue now when a majority of us (at least in Australia) access nearly every civic service online, governments are going to want to think about how they balance policy, privacy and messaging.

Unfortunately, the landscape at the moment is messy and populated by a number of third-party vendors still finding their feet in an area where privacy and policy concerns are outweighed by sexier usability and convenience use cases.

“The fact we don’t have good digital identity systems can’t become a rationale for rushing to create systems with Kafkaesque fairness and equity problems.” - Jay Stanley, ACLU

It’ll be interesting to see how Australia’s Trusted Digital Identity Framework (TDIF) will look to address some of these inherent problems through a continuous expansion of its standards.

On the SolarWinds Breach

Where to begin. It’s almost impossible to comprehend what the fallout of this breach will be in the immediate to medium term; in fact, there isn’t enough information out there yet to conduct an effective post-mortem so to speak.

One thing is for certain - organisations are going to be wary of trusting ‘technology solutions’ from vendors. This isn’t to say that SolarWinds (and FireEye) did not have adequate measures in place; just that breaches are inevitable, and organisations that rely on technology vendors are also dependent on those vendors having adequate controls in place alongside stringent self-audits. Organisations that trusted SolarWinds to push Orion to their networks in effect trusted that SolarWinds had a strong handle on its own security posture. In Australia, CPS 234 requires APRA-regulated entities to have information security measures in place, and includes cybersecurity assessments by independent assessors. Obviously, the effectiveness will boil down to the thoroughness of the assessor.

All this gets more complicated when you start to look into how the breach occurred in the first instance. It increasingly seems that the attackers leveraged widely-used protocols and solutions. Ars Technica has a fascinating report referencing security firm Volexity, who encountered the same attackers in 2019; at the time, they bypassed MFA protections for Microsoft Outlook Web App (OWA) users.

Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. This was unexpected for a few reasons, not least of which was that the targeted mailbox was protected by MFA. Logs from the Exchange server showed that the attacker provided username and password authentication like normal but was not challenged for a second factor through Duo. The logs from the Duo authentication server further showed that no attempts had been made to log into the account in question. Volexity was able to confirm that session hijacking was not involved and, through a memory dump of the OWA server, could also confirm that the attacker had presented a cookie tied to a Duo MFA session named duo-sid.

Krebs on Security has a great write-up with a sobering quote from the DHS’s Cybersecurity and Infrastructure Security Agency.

CISA’s advisory specifically noted that “one of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).”

CISA goes on to advise that if an organisation identifies ‘SAML abuse’, mitigating individual issues may not be enough; the entire identity store needs to be treated as compromised. And unfortunately, the only remedy for that is rebuilding identity and trust services from the ground up.
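Both the Duo incident Volexity describes and the SAML token forgery CISA describes have the same shape: the relying party (OWA, or a SAML service provider) honoured a credential that its issuer (the Duo server, or the identity provider) never recorded issuing. A forged assertion signed with a stolen certificate passes the signature check perfectly, so the gap is only visible when service-side acceptance logs are joined against issuer-side issuance logs. The script below is an added example of that join; it is not code from this post, from Volexity or from CISA. The log lines, field names, the one-hour policy maximum on assertion lifetime and the host names are all constructed assumptions, not any vendor's real format.

```python
"""Cross-check assertions a service accepted against the issuer's own records.

Added example (not from the original post, Volexity, or CISA). Log lines and
field names are constructed for illustration and are not any vendor's format.
"""
from datetime import datetime, timedelta

# Constructed: assertions the service provider accepted as valid
ACCEPTED_BY_SP = """\
2020-12-10T08:01:12Z sp=mail.example.test user=alice assertion_id=_a1f3 issuer=idp.example.test not_after=2020-12-10T09:01:12Z
2020-12-10T08:05:40Z sp=mail.example.test user=bob assertion_id=_b7c2 issuer=idp.example.test not_after=2020-12-10T09:05:40Z
2020-12-10T08:07:03Z sp=mail.example.test user=ceo assertion_id=_9e0d issuer=idp.example.test not_after=2021-12-10T08:07:03Z
"""

# Constructed: assertions the identity provider recorded issuing
ISSUED_BY_IDP = """\
2020-12-10T08:01:11Z idp=idp.example.test user=alice assertion_id=_a1f3 mfa=ok
2020-12-10T08:05:39Z idp=idp.example.test user=bob assertion_id=_b7c2 mfa=ok
"""

TS = "%Y-%m-%dT%H:%M:%SZ"


def parse_kv_log(text):
    """Parse 'timestamp key=value ...' lines into dicts; 'ts' holds the datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = {"ts": datetime.strptime(stamp, TS)}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def find_suspect_assertions(accepted_log, issued_log, max_lifetime=timedelta(hours=1)):
    """Return accepted assertions that the issuer never recorded issuing, or
    whose validity window exceeds max_lifetime (an assumed local policy)."""
    issued = {(r["idp"], r["assertion_id"]) for r in parse_kv_log(issued_log)}
    findings = []
    for rec in parse_kv_log(accepted_log):
        reasons = []
        # The signature was valid; the question is whether the IdP ever minted it.
        if (rec["issuer"], rec["assertion_id"]) not in issued:
            reasons.append(f"no issuance record at {rec['issuer']}")
        lifetime = datetime.strptime(rec["not_after"], TS) - rec["ts"]
        if lifetime > max_lifetime:
            reasons.append(f"validity {lifetime} exceeds policy maximum {max_lifetime}")
        if reasons:
            findings.append({"user": rec["user"],
                             "assertion_id": rec["assertion_id"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspect_assertions(ACCEPTED_BY_SP, ISSUED_BY_IDP):
        print(f"{f['user']} {f['assertion_id']}: " + "; ".join(f["reasons"]))
```

The same join applies to the OWA case: sessions that the mail server accepted on the strength of a duo-sid cookie can be matched against the Duo server's authentication log, and any session with no corresponding Duo record is the anomaly Volexity found by hand. It also explains why CISA's advice is so drastic: once the signing key is gone, the service provider's own checks are satisfied by every forged token, and only records the attacker did not control can tell real issuance from forgery.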

Additional Reading:

VMware Flaw a Vector in SolarWinds Breach?

SolarWinds hackers have a clever way to bypass multi-factor authentication

FireEye Threat Research

Krebs on IoT Vulnerabilities

Brian Krebs has some interesting insight into this past weekend's DDoS attack on Dyn, an internet infrastructure company that provides services for some of the web's biggest destinations including Twitter, Amazon, Reddit and Netflix.

At first, it was unclear who or what was behind the attack on Dyn. But over the past few hours, at least one computer security firm has come out saying the attack involved Mirai, the same malware strain that was used in the record 620 Gbps attack on my site last month. At the end of September 2016, the hacker responsible for creating the Mirai malware released the source code for it, effectively letting anyone build their own attack army using Mirai.

Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.

...

The wholesalers and retailers of these devices might then be encouraged to shift their focus toward buying and promoting connected devices which have this industry security association seal of approval. Consumers also would need to be educated to look for that seal of approval. Something like Underwriters Laboratories (UL), but for the Internet, perhaps.

Until then, these insecure IoT devices are going to stick around like a bad rash — unless and until there is a major, global effort to recall and remove vulnerable systems from the Internet. In my humble opinion, this global cleanup effort should be funded mainly by the companies that are dumping these cheap, poorly-secured hardware devices onto the market in an apparent bid to own the market. Well, they should be made to own the cleanup efforts as well.

The upside here is that IoT manufacturers and vendors will now have to wise up to the fact that they have more to gain from secure devices and a lot to lose from a repeat of this weekend's events.
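From the device's side, the behaviour Krebs describes (Mirai trying factory-default usernames and passwords against anything that exposes a login service) looks like a short burst of failed logins from one source cycling through a handful of stock usernames, sometimes followed by a success. The script below is an added example of spotting that pattern in a device's own login log; it is not code from this post or from Krebs. The log lines, their layout, the thresholds (four failures across at least three usernames within sixty seconds) and the addresses are constructed assumptions.

```python
"""Flag default-credential sweeps in a device's login log.

Added example, not code from the original post or from Krebs. The log format
and thresholds are assumptions; the sample lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one sweep that succeeds, one typo'd login, one
# slow single-user retry that should not be flagged.
SAMPLE_LOG = """\
2016-10-21T11:00:01Z login failed user=admin src=203.0.113.7 proto=telnet
2016-10-21T11:00:02Z login failed user=root src=203.0.113.7 proto=telnet
2016-10-21T11:00:02Z login failed user=support src=203.0.113.7 proto=telnet
2016-10-21T11:00:03Z login failed user=admin src=203.0.113.7 proto=telnet
2016-10-21T11:00:04Z login failed user=user src=203.0.113.7 proto=telnet
2016-10-21T11:00:05Z login ok user=admin src=203.0.113.7 proto=telnet
2016-10-21T11:00:09Z login failed user=admin src=198.51.100.20 proto=telnet
2016-10-21T11:03:15Z login ok user=admin src=198.51.100.20 proto=telnet
2016-10-21T11:10:00Z login failed user=pi src=192.0.2.44 proto=ssh
2016-10-21T11:10:01Z login failed user=pi src=192.0.2.44 proto=ssh
2016-10-21T11:10:30Z login failed user=pi src=192.0.2.44 proto=ssh
"""


def parse_log(text):
    """Yield (timestamp, outcome, user, src) from the assumed log layout."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        outcome = parts[2]  # "failed" or "ok"
        kv = dict(p.split("=", 1) for p in parts[3:])
        events.append((ts, outcome, kv["user"], kv["src"]))
    return events


def find_credential_sweeps(text, window=timedelta(seconds=60),
                           min_failures=4, min_users=3):
    """Return {src: finding} for sources that burst through several usernames.

    A sliding window per source keeps recent failures; a source is flagged once
    it has min_failures failures spanning min_users distinct usernames inside
    the window. A later success from a flagged source is recorded separately,
    since that means the device is still answering to a stock credential.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) recent failures
    findings = {}
    for ts, outcome, user, src in parse_log(text):
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()
        if outcome == "failed":
            q.append((ts, user))
            users = {u for _, u in q}
            if len(q) >= min_failures and len(users) >= min_users:
                f = findings.setdefault(src, {"src": src, "failures": 0,
                                              "usernames": set(),
                                              "succeeded_after_sweep": False})
                f["failures"] = max(f["failures"], len(q))
                f["usernames"] |= users
        elif outcome == "ok" and src in findings:
            findings[src]["succeeded_after_sweep"] = True
    return findings


if __name__ == "__main__":
    for f in find_credential_sweeps(SAMPLE_LOG).values():
        state = "SUCCEEDED" if f["succeeded_after_sweep"] else "blocked"
        print(f"{f['src']}: {f['failures']} failures over "
              f"{sorted(f['usernames'])} - {state}")
```

The single-source, single-user retries from 192.0.2.44 and the one mistyped password from 198.51.100.20 stay below the thresholds; only 203.0.113.7 is reported, and its subsequent success is the finding that matters, because it says the device is still on factory credentials and is a candidate for the recall-and-remove effort Krebs is calling for.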