Cyber Access Control | MFA Enterprise Password Management | Access Smart

Archive for hacking

Giant Hole in Government’s Cybersecurity Strategy

The government is never going to fix its cybersecurity problem until it fixes its procurement problem!

cybersecurity weakness in US Government

Shockingly, there are no NAICS, SIC or SIN codes for cybersecurity products on the GSA Schedule. As a California Certified Small Business owner who offers multi-factor authentication (MFA) products on the GSA Schedule, I consider this a serious problem.

Without cybersecurity procurement codes, government agencies and departments are unable to find, let alone implement, targeted products and services to keep our nation’s electronic data secure. The current procedure is a keyword search on the GSA Schedule: if the exact keyword is not typed or listed, no match is found. An agency’s only recourse then becomes generating expensive and time-consuming RFIs, RFPs and RFQs. Cybersecurity NAICS, SIN and SIC codes are designed to streamline the entire process, save money and ensure fast cybersecurity implementations.

Power LogOn’s Reaction to Pass the Hash

Pass the Hash Protections.

Pass The Hash

Copyright: Walt Disney Productions

Last week I attended the BSide LA hackers’ conference to discuss that passwords are secure. At first, some of the attendees scoffed at my claim. I then went on to explain that it’s the management of passwords and the way some IT administrators configure their networks that causes the insecurities. To that point, they agreed. However, the more persistent attendees brought up the “Pass the Hash” (PtH) attack as the reason why passwords will never be secure.

Not being as well versed in PtH as in other attacks, I needed to do a little research before I had an informed response.

A Pass-the-Hash (PtH) attack is a technique in which an attacker captures the password hash value on one computer and then replays the hash to authenticate elsewhere, without ever knowing any passwords. Ultimately, the attacker gets access to network disks, memory, domain controllers, and other servers, and can install drivers and applications and execute them.

For a hacker to start the attack, he/she first needs access to a computer on the network with administrator rights. This can often be accomplished easily if IT inadvertently assigned “Administrator” rights to a User/employee (note: most Users do not need Administrator rights). Because Users typically do a poor job of generating and managing their logon password, the hacker easily breaks into the User’s account. The administrative privileges then allow the hacker to drill deeper into the network. Even if a complex password is used, if the employee writes it down on a sticky note it only takes a cell phone camera to capture the password and sell it on the internet.

The password hash of an account with superadmin rights is the key to the kingdom. The hacker can do anything, and can bypass all the security barriers IT has installed. All operating systems and authentication protocols, even Kerberos and smartcard logons, are vulnerable. What’s worse, there’s no defense, but there are protections.

Hash authentication is not a bug, hole, or flaw that can be solved with a patch. Microsoft, Apple, and others acknowledge they cannot stop the attack. Therefore, the best defense is to stop worrying about fighting PtH itself and instead keep the hackers from getting in in the first place. Here are some simple ways to start protecting your network.

  1. Don’t allow every user or employee to have administrative rights
  2. Administrator passwords should have a short lifecycle
  3. Implement strong, complex password policies
  4. Of course, maintain strong and up-to-date antivirus, antimalware, firewalls, whitelists, etc.
  5. Don’t use Remote Desktop Protocol (RDP) or any other interactive remote software to administer computers
  6. Don’t allow or assign superadmins. Instead, “delegate” just the rights an administrator needs and no more
  7. When an employee is finished for the day, they not only need to log out but also power down the computer
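Items 1, 2, 3 and 6 of the list above are policies that can be checked against an account inventory. The following script is an example added to this page (it is not Access Smart’s or Power LogOn’s code) that audits a constructed inventory of Windows accounts for three of those conditions: admin group membership without a documented justification, membership in a superadmin group, and admin passwords older than a short maximum age. The group names, the 30-day maximum age, the 14-character minimum and the account records are assumptions chosen for the demonstration; a real run would export the inventory from Active Directory or the local SAM instead of hard-coding it.

```python
"""Audit a Windows account inventory against the PtH-hardening list.

Added example, not Access Smart's or Power LogOn's code. The inventory
format, group names, thresholds and account records are constructed
assumptions for the demonstration.
"""
import re
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    groups: frozenset            # group memberships as exported from AD / local SAM
    password_age_days: int       # days since the password was last set
    admin_justified: bool = False  # documented business reason for admin rights


# Assumed group names; "superadmin" here means the domain-wide admin groups.
SUPERADMIN_GROUPS = frozenset({"Domain Admins", "Enterprise Admins"})
ADMIN_GROUPS = SUPERADMIN_GROUPS | {"Administrators"}
MAX_ADMIN_PASSWORD_AGE_DAYS = 30   # assumed "short lifecycle" for admin passwords
MIN_PASSWORD_LENGTH = 14           # assumed minimum for the complexity policy

_CHAR_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def is_complex(password: str) -> bool:
    """Item 3: a password passes if it meets the minimum length and uses at
    least three of the four character classes. Intended for the moment IT
    sets a password; stored passwords are never available for this check."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes_used = sum(1 for pattern in _CHAR_CLASSES if re.search(pattern, password))
    return classes_used >= 3


def audit(accounts):
    """Return {account name: [finding codes]} for accounts violating items 1, 2 or 6."""
    findings = {}
    for acct in accounts:
        problems = []
        admin_memberships = acct.groups & ADMIN_GROUPS
        # Item 1: admin rights without a documented need
        if admin_memberships and not acct.admin_justified:
            problems.append("unjustified-admin")
        # Item 6: superadmin group membership instead of delegated rights
        if acct.groups & SUPERADMIN_GROUPS:
            problems.append("superadmin")
        # Item 2: admin password older than the short lifecycle
        if admin_memberships and acct.password_age_days > MAX_ADMIN_PASSWORD_AGE_DAYS:
            problems.append("stale-admin-password")
        if problems:
            findings[acct.name] = problems
    return findings


# Constructed sample inventory (not real accounts).
INVENTORY = [
    Account("alice", frozenset({"Administrators"}), 12, admin_justified=True),
    Account("bob", frozenset({"Users", "Administrators"}), 200),
    Account("carol", frozenset({"Domain Admins"}), 45, admin_justified=True),
    Account("dave", frozenset({"Users"}), 90),
]


if __name__ == "__main__":
    for name, problems in audit(INVENTORY).items():
        print(f"{name}: {', '.join(problems)}")
    for candidate in ("Summer2012", "Correct-Horse-Battery-9"):
        print(f"{candidate!r} complex: {is_complex(candidate)}")
```

Run as-is it flags bob (admin rights with no justification and a 200-day-old password) and carol (superadmin membership and a 45-day-old password), while alice and dave pass. The finding codes are kept as short strings so the output can be fed to a ticketing system or a scheduled report rather than read once and forgotten.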


How Power LogOn Addresses Pass the Hash

Pass the Hash is not a password authentication issue, but again an administration and system security issue. While Power LogOn cannot stop or prevent a PtH attack, there are features within Power LogOn that make unauthorized access more difficult.

  1. IT assigns complex passwords
  2. IT changes passwords more frequently in the background
  3. Users don’t generate, type or know their passwords
  4. Power LogOn can auto-shut down or log users off the network when their smartcard is removed
  5. Power LogOn does not store an “authenticator” in memory and therefore requires users to present their card every time they log on to an application or website while using Power LogOn SSO functionality
  6. If a thief stole a Windows user’s password or password hash, it would not enable them to log on to Power LogOn managed SSO applications or websites

Again, currently there is no way to stop a Pass the Hash attack, and Access Smart does not claim that we can safeguard a company from such an attack. However, Power LogOn does add some barriers while keeping the logon process convenient for the user, so they don’t circumvent cyber security. The best an IT administrator can do is put up enough barriers that the time and effort required to break into a computer and network is too great for the hacker, especially when there is easier prey just around the corner.

Cyber Warfare: Chapter 7.

Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners by J. Andress and S. Winterfeld.

Cyber warfare is real. That’s why each Friday I will post a review on this book: Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, and today I am sharing what I am reading in…

Chapter 7: Psychological Weapons. Cyber Warfare Techniques Tactics and Tools for Security Practitioners - Book review by Dovell Bonnett of Access Smart.com

Psychological weapons are another tool used in cyber warfare. They are designed to leverage the frailties of people (often referred to as “wetware” by hackers) to ultimately gain access to computers, networks or infrastructure. While the military may call it PSYOPS, law enforcement uses the term “con artists” and cyber attackers call it “social engineering,” it is all the same thing: the use of psychology to manipulate an individual’s beliefs, frailties and motivations in such a way as to knowingly or unknowingly convey valuable information. The authors again do a great job of comparing military operations with civilian ones; I am only going to focus on those that are pertinent to businesses.

Cyber Warfare: Chapter 6

Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners by J. Andress and S. Winterfeld.

Cyber warfare is real. That’s why each Friday I will post a review on this book: Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, and today I am sharing what I am reading in…

Chapter 6: Physical Weapons. Cyber Warfare Techniques Tactics and Tools for Security Practitioners - Book review by Dovell Bonnett of Access Smart.com

Chapter 6 is all about physical weapons. A key point is how the physical and logical worlds are tied together in cyberspace. Computers and networks need buildings, utilities, electricity, cooling, etc. to operate, but it is also true that software and applications are what run and manage this infrastructure. The two worlds have a symbiotic relationship. Therefore, the strategy in cyber warfare, as in conventional warfare, is to understand all aspects of a system and determine where the vulnerabilities are.

Google may be doing Harm

Google is gathering your personal and corporate data.

Cloud security Google Inc. (GOOG) motto is, “do no harm.” But who defines what is harmful? Employees recently testified to the U.S. Federal Communications Commission that they didn’t initially know that their mapping-service project software was gather personal data, even though an undisclosed engineer told a few fellow workers. The software would access payload data like e-mails, text messages, passwords, internet-usage, and other highly sensitive personal information. The FCC ended up not penalizing Google for data gathering, but assessed a $25,000 fine for not cooperating with the FCC during the initial inquiry. The fine would not even be considered a slap on the wrist. Read More→