NIST doesn't like the way system admins use SSH
August 25, 2014
Over the past several months, NIST (National Institute of Standards and Technology) has taken a long and objective look at how companies use Secure Shell (SSH) and it doesn't like what it sees at all.
Despite the sheer depth of access generally granted to SSH on Unix and Linux systems for a host of different activities (root-level server management, file transfers, backups, software and patch management, disaster recovery, provisioning and database updates), system admins aren't working hard enough to protect those activities, and a lot can be done to change that.
The NIST report says: “As a whole, management of automated access requires proper provisioning, termination, and monitoring processes, just as interactive access by normal users does. However, the security of SSH-based automated access has been largely ignored to date, even though it is encrypted.”
The report adds that an SSH process running under a patch management system will, for example, be given root access to accounts or administrator-level access to Oracle databases. Security is therefore critical and needs to be addressed as such.
As always, the most important security considerations fall under the heading of “normal security practice”. NIST points to the security vulnerabilities in older versions of SSH to recommend proper patch management.
User accounts need to be managed and deleted if they're not required. SSH client/server configurations need to be watched, and keys need to be continually monitored and audited.
To be sure, several of the NIST recommendations echo the various concerns expressed last year by the protocol's author Tatu Ylonen when he called for a new version of SSH.
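The monitoring and auditing of keys that NIST calls for above can be partly automated. The following is an added example (not from the NIST report or any tool it names) of a small auditor for OpenSSH `authorized_keys` files: it parses each entry, including quoted `command=`/`from=` options, decodes the key blob to confirm the declared key type and the RSA modulus size, and flags keys that carry no source or command restriction. The 2048-bit RSA threshold is an assumed policy value, and the sample file at the bottom is constructed inline for the demonstration.

```python
"""Audit an OpenSSH authorized_keys file for keys that an automated-access policy
would flag: deprecated or short key algorithms, key blobs that do not match their
declared type, and keys with no from=/command= restriction.
Added example; the sample keys below are constructed, not taken from any system."""
import base64
import struct

MIN_RSA_BITS = 2048                      # assumed policy threshold
DEPRECATED_TYPES = {"ssh-dss"}
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # declared key-type tokens start like this


def _split(text, is_sep):
    """Split text on separator characters, but never inside a double-quoted value."""
    parts, buf, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
            buf += ch
        elif is_sep(ch) and not quoted:
            if buf:
                parts.append(buf)
                buf = ""
        else:
            buf += ch
    if buf:
        parts.append(buf)
    return parts


def _parse_options(text):
    """Turn 'command="x",from="10.0.0.0/8",no-pty' into a dict; bare flags map to True."""
    opts = {}
    for item in _split(text, lambda c: c == ","):
        name, _, value = item.partition("=")
        opts[name] = value.strip('"') if value else True
    return opts


def _read_string(blob, off):
    """Read one SSH wire-format string (4-byte big-endian length, then bytes)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_entry(line):
    """Parse one authorized_keys line into options, declared type, raw blob and comment."""
    tokens = _split(line, str.isspace)
    idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_PREFIXES)), None)
    if idx is None or idx > 1 or len(tokens) < idx + 2:
        raise ValueError(f"unparseable authorized_keys line: {line!r}")
    return {
        "options": _parse_options(tokens[0]) if idx == 1 else {},
        "declared_type": tokens[idx],
        "blob": base64.b64decode(tokens[idx + 1]),
        "comment": " ".join(tokens[idx + 2:]),
    }


def audit_entry(entry):
    """Return a list of human-readable findings for one parsed entry (empty means ok)."""
    findings = []
    blob = entry["blob"]
    raw_type, off = _read_string(blob, 0)
    blob_type = raw_type.decode()
    if blob_type != entry["declared_type"]:
        findings.append(f"declared {entry['declared_type']} but blob is {blob_type}")
    if blob_type in DEPRECATED_TYPES:
        findings.append(f"deprecated key type {blob_type}")
    if blob_type == "ssh-rsa":
        _, off = _read_string(blob, off)          # public exponent e, not needed
        modulus, _ = _read_string(blob, off)      # modulus n as an mpint
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            findings.append(f"rsa modulus {bits} bits < {MIN_RSA_BITS}")
    opts = entry["options"]
    if "from" not in opts and "command" not in opts:
        findings.append("unrestricted: no from= or command= option")
    return findings


def audit_file(text):
    """Return {comment: [findings]} for every non-comment line in the file text."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_entry(line)
        report[entry["comment"]] = audit_entry(entry)
    return report


# --- constructed sample input (synthetic key material, not real keys) ---
def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")   # extra byte keeps sign bit clear
    return _string(raw)


def _key(blob_type, *fields):
    return base64.b64encode(_string(blob_type.encode()) + b"".join(fields)).decode()


_RSA_OK = _key("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1))      # 2048-bit modulus
_RSA_SHORT = _key("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1))   # 1024-bit modulus

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample for the auditor above; these are not real keys",
    f"ssh-rsa {_RSA_OK} backup@host-a",
    f'command="/usr/local/bin/rsync-wrapper",from="10.0.0.0/8",no-pty ssh-rsa {_RSA_OK} backup@host-b',
    f"ssh-dss {_key('ssh-dss', _mpint(7))} legacy@host-c",
    f"ssh-ed25519 {_key('ssh-ed25519', _string(bytes(32)))} patchmgr@host-d",
    f"ssh-ed25519 {_RSA_SHORT} mismatch@host-e",
])

if __name__ == "__main__":
    for comment, findings in audit_file(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"{comment}: {findings or 'ok'}")
```

Run against a real file with `audit_file(open("/home/backup/.ssh/authorized_keys").read())`; only the `backup@host-b` entry in the sample passes cleanly, because it is the only one that pins the key to a source network and a fixed command, which is the kind of restriction that makes an automated-access key reviewable.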
In other internet security news
One of the biggest private parcel carriers and freight forwarders in the U.S., United Parcel Service, has discovered a serious computer security breach at 51 of its stores, making the company the latest retailer to lose sensitive customer information.
With annual sales totalling several billion dollars, UPS said that the hacking had escaped detection at stores in 24 U.S. states, or around 1 percent of its locations.
At most stores, the malware attack occurred after March 26, and was eliminated by August 11.
Customer names, postal addresses, email addresses and payment card information were compromised. Tim Davis, president of The UPS Store, apologized in a statement for any anxiety the theft may have caused customers.
He added that UPS had deployed "extensive resources to quickly address and eliminate this issue."
Each UPS Store is franchised and runs separate computer systems, which may have helped limit the extent of the attack.
UPS said the malware was not found at any of its other businesses, however. The UPS security breach is the latest in a long string of incidents in which hackers and miscreants have made off with retail consumer data and sensitive credit card information.
Just last week, Albertson's and SuperValu announced that hackers broke into their credit and debit card payment networks.
Additionally, in December 2013, Target was hit and hackers stole 40 million credit card records; Adobe, Snapchat, Michaels, Neiman Marcus, AOL, and eBay were also breached.
All in all, independent research reveals that about half of all American adults were hacked in a recent 12-month period, in one form or another.
In other internet security news
Community Health Systems, which operates 206 hospitals across the United States, confirms that hackers recently broke into its server network and stole sensitive personal data on over 4.5 million patients.
Miscreants managed to gain full access to patients' names, social security numbers, physical addresses, zip codes, birthdays and telephone numbers.
Any patient who received treatment from a network-owned hospital in the last five years or was merely referred there by an outside doctor is directly affected.
The large data breach places these people at heightened risk of identity fraud, among other risks: the stolen details allow criminals to easily open bank accounts and credit cards in their names, take out loans and ruin their personal credit history.
The company's hospitals operate in 28 states but have their most significant presence in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas.
Community Health Systems (CHS) hired cybersecurity experts at Mandiant to consult on the security breach. They have determined that the hackers were located in China and used high-end, sophisticated malware to launch the attacks sometime between April and June of this year.
The FBI said that it's working closely with the hospital network and committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators.
Federal investigators and Mandiant told the hospital network those hackers have previously been spotted conducting corporate espionage and targeting valuable information about various medical devices.
But this time, the hackers stole patient data instead. Hackers did not manage to steal information related to patients' medical histories, clinical operations or credit cards, however.
Nevertheless, the lost personal information is protected by the Health Insurance Portability and Accountability Act, the federal health records protection law.
That means that patients could sue the hospital network for damages and financial compensation.
As for exposed victims protecting themselves? There's little they can do, at least for now anyway. Making matters worse, Community Health Systems said it will provide notification to the 4.5 million patients "as required by federal and state law," which is inconsistent and can vary by region.
There is no federal data breach law that requires timely and transparent disclosure that sensitive personal information was lost.
CHS tried to stem worries about the damages in a filing Monday with the Securities and Exchange Commission, saying that it "carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature."
The hospital network said that just before Monday's announcement, it managed to wipe the hackers' malware from its computer systems and implemented protections to prevent similar break-ins in the future.
Furthermore, the company plans to offer identity theft protection to the 4.5 million victims of the data breach.
In other internet security news
Oracle’s highly publicized data redaction feature in its Database 12c is very easy to subvert without needing to use exploit code, as attendees at Defcon 22 in Las Vegas witnessed.
Specifically, the so-called redaction features in 12c are designed to automatically protect sensitive database information by either totally obscuring column data or partially masking it.
For example, a query that returns a U.S. social security number would be shown only its last four digits rather than the complete SSN.
However, according to David Litchfield, security specialist at Datacomm TSS and the author of The Oracle Hacker’s Handbook, the redaction features are so riddled with basic security flaws that you don’t even need to execute native exploit code to defeat the redaction itself. Some clever SQL coding is all that's needed, we're told.
“If Oracle had an acceptable security development lifecycle in place, anyone would have found these flaws and stopped them in their tracks even before they got out of the gate,” Litchfield told conference attendees.
“Anyone with a minimum of SQL knowledge would have found these bugs very easily,” Litchfield added. He also said that within five minutes of investigating the redactions system, he found serious security flaws in more of the coding.
He demonstrated how with some simple keystrokes an evil employee – or someone able to inject SQL queries remotely – could gain sufficient admin privileges to defeat data redaction, and get access to the data in the system.
He mocked Larry Ellison’s assertion last January that no one had hacked an Oracle database in twenty years. Litchfield claimed that the 2011 Sony PlayStation Network hacking attack that took the network offline for nearly two months was traced back to an Oracle database.
As a security researcher, Litchfield said he always reported flaws to vendors as he found them. But he expressed frustration that Oracle was slow to patch, and when it did get around to issuing fixes they were either broken, incomplete or unreliable.
Typically, Oracle engineers will patch against exploit code, rather than fixing the fundamental security issue, he told the Defcon audience on Friday.
Of course, this isn't a good approach since small changes to exploit code may defeat the new protections.
Litchfield pointed to Microsoft as an example of what could be done in database security. In the wake of the Bill Gates security memo, the entire SQL 2005 development team stopped working and went over old code with a complete security review in order to fully assess the problem and provide a permanent fix.
The result down the line was that the rate of patches and newly found flaws in Microsoft SQL Server dropped sharply, and the code security of IIS and Exchange was much improved as well.
Oracle should take a page out of Microsoft’s book when it comes to security, he suggested, and customers should demand change.
“If you're running Oracle database servers and don't like the way they work on the security aspect of things, then get on the phone to Oracle, because we really need to get this sorted,” he concluded.
As of today, it's understood that Oracle has not fully patched the security bugs described by Litchfield. The database giant was not immediately available for comment.
In other internet security news
It's widely reported this morning that Russian hackers have stolen over 1.2 billion internet user names and passwords, amassing to what could be the largest collection of stolen credentials in history.
The news was first reported by The New York Times, which cited research from Milwaukee-based Hold Security. The firm didn't reveal the identities of the targeted websites, citing nondisclosure agreements and a desire to prevent existing security vulnerabilities from being exploited more widely than they already are.
Hold Security founder Alex Holden said that the incident includes credentials gathered from over 420,000 websites, both smaller sites and household names.
The hackers didn't breach any major email providers, however. Holden added that the miscreants made their money by sending out spam for bogus products like weight-loss pills, and had apparently amassed their collection of digital credentials for that relatively innocuous purpose.
"To be clear, it's really not that impactful to the individuals per se, and that's why they were under the radar for so long," Holden said.
"They've ignored all financial information almost completely," he added. But Holden said the hackers' success at amassing passwords demonstrates that weak security and easy-to-guess passwords are all too common on websites and social media, no matter how popular they are.
The miscreants began collecting user data a few years ago by simply buying it on the black market. Their trove has grown significantly this year thanks to the utilization of an automated program that deeply scans the whole internet to find security vulnerabilities on any website or social media, Holden said.
The reported theft dwarfs the one revealed in 2013 by discount retailer Target, which admitted in December of last year that hackers had stolen credit and debit-card data from well over 110 million accounts.
Since the dawn of the internet, hackers from Russia and Eastern Europe have been well known for launching sophisticated cyberattacks for financial gain.
Source: The National Institute of Standards and Technology.