Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc

#PWHashMining

FireEye reckons sysadmins need help enforcing enterprise password rules, so it's released and open-sourced a tool that distributes password testing across multiple GPU-equipped machines.

GoCrack (at GitHub) combines the management of a red team's cracking tasks with privilege management, so the password tests don't fall into the wrong hands.

Only creators of task data, or those they delegate permission to, can see the contents of a cracking task. “Modifications to a task, viewing of cracked passwords, downloading a task file, and other sensitive actions are logged and available for auditing by administrators”, the company explains in its blog post.

The cracking engine's dictionaries, mangling rules and the like are made available to other users, but the administrator can protect them against views or edits.

Under the hood, GoCrack uses hashcat v3.6 or higher, and while it doesn't need an external database server, it supports LDAP or database-backed authentication.

The server component runs on any Linux server with Docker, and NVIDIA Docker lets GoCrack run in a container with full GPU access.

Future plans include MySQL and PostgreSQL database support, UI support for file editing, automatic task expiration, and expanded hashcat configuration.
http://www.theregister.co.uk/2017/10/31/fireeye_simplifies_hashcat/
 
A Russian law that bans the use or provision of virtual private networks (VPNs) will come into effect Wednesday.

The legislation will require ISPs to block websites that offer VPNs and similar proxy services that are used by millions of Russians to circumvent state-imposed internet censorship.

It was signed by President Vladimir Putin on July 29 and was justified as a necessary measure to prevent the spread of extremism online. Its real impact, however, will be to make it much harder for ordinary Russians to access websites ISPs are instructed to block connections to by Russian regulator Roskomnadzor, aka the Federal Service for Supervision of Communications, Information Technology and Mass Media.

Among those banned websites are Wikipedia – placed on the list on the pretext that it contained information about taking drugs – and numerous pornographic websites, as well as some genuinely extremist outlets such as The Daily Stormer.
http://www.theregister.co.uk/2017/10/31/russias_vpn_law_comes_into_effect/
 
Today, 9 November 2017, WikiLeaks publishes the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware.

Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.

Hive can serve multiple operations using multiple implants on target computers. Each operation anonymously registers at least one cover domain (e.g. “perfectly-boring-looking-domain.com”) for its own use. The server running the domain website is rented from commercial hosting providers as a VPS (virtual private server) and its software is customized according to CIA specifications. These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a “hidden” CIA server called ‘Blot’.
https://wikileaks.org/vault8/

Chew on that CIA-run malware network for a while, i.e. a state botnet army. Why is it legal, while an ordinary citizen gets prison time for running one?
 


A total of 2,531 of the top 3 million websites (1 in 1,000) are running the Coinhive miner, according to new stats from analytics firm Red Volcano.

BitTorrent sites and the like were the main offenders but the batch also included the Ecuadorian Papa John's Pizza website [see source code].

JavaScript-based Coinhive crypto-mining software on websites is bad news for surfers because the technology can suck up power and resources without user consent.

Coinhive launched a service this year that allowed mining of a digital currency called Monero directly within a web browser. The simplicity of the Coinhive API integration made the approach successful but partly due to several initial oversights – most notably through a failure to enforce an opt-in process to establish user consent – the technology has been widely abused.
http://www.theregister.co.uk/2017/11/09/crypto_mining_sitrep/

Maybe this would be a new way to generate currency for the forum.
 
So Aggarwal and co specifically examine the likelihood of a quantum computer becoming that powerful on the network. They look at the projected clock speeds of quantum computers in the next 10 years and compare that to the likely power of conventional hardware.


Their conclusion will be a relief to Bitcoin miners the world over. Aggarwal and co say that most mining is done by application-specific integrated circuits (ASICs) made by companies such as Nvidia. This hardware is likely to maintain a speed advantage over quantum computers over the next 10 years or so.

“We find that the proof-of-work used by Bitcoin is relatively resistant to substantial speedup by quantum computers in the next 10 years, mainly because specialized ASIC miners are extremely fast compared to the estimated clock speed of near-term quantum computers,” they say.


But there is a different threat that is much more worrying. Bitcoin has another cryptographic security feature to ensure that only the owner of a Bitcoin can spend it. This is based on the same mathematics used for public-key encryption schemes.

The idea is that the owner generates two numbers—a private key that is secret and a public key that is published. The public key can be easily generated from the private key, but not vice versa. A signature can be used to verify that the owner holds the private key, without revealing the private key, using a technique known as an elliptic curve signature scheme.

In this way, the receiver can verify that the owner possesses the private key and therefore has the right to spend the Bitcoin.

The only way to cheat this system is to calculate the private key using the public key, which is extremely hard with conventional computers. But with a quantum computer, it is easy.

And that’s how quantum computers pose a significant risk to Bitcoin. “The elliptic curve signature scheme used by Bitcoin is much more at risk, and could be completely broken by a quantum computer as early as 2027,” say Aggarwal and co.

Indeed, quantum computers pose a similar risk to all encryption schemes that use a similar technology, which includes many common forms of encryption.


There are public-key schemes that are resistant to attack by quantum computers. So it is conceivable that the Bitcoin protocols could be revised to make the system safer. But there are no plans to do that now.
https://www.technologyreview.com/s/...ers-pose-imminent-threat-to-bitcoin-security/
 


Information about this one is still trickling in, so take it with a grain of salt, but security company [Bkav] is claiming they have defeated the Face ID system featured in Apple’s iPhone X. By combining 2D images and 3D scans of the owner’s face, [Bkav] has come up with a rather nightmarish creation that apparently fools the iPhone into believing it’s the actual owner. Few details have been released so far, but a YouTube video recently uploaded by the company does look fairly convincing.

For those who may not be keeping up with this sort of thing, Face ID is advertised as an improvement over previous face-matching identification systems (like the one baked into Android) by using two cameras and a projected IR pattern to perform a fast 3D scan of the face looking at the screen. Incidentally, this is very similar to how Microsoft’s Kinect works. While a 2D system can be fooled by a high quality photograph, a 3D based system would reject it as the face would have no depth.

[Bkav] is certainly not the first group to try and con Apple’s latest fondle-slab into letting them in. Wired went through a Herculean amount of effort in their attempt earlier in the month, only to get no farther than if they had just put a printed out picture of the victim in front of the camera. Details on how [Bkav] managed to succeed are fairly light, essentially boiling down to their claim that they are simply more knowledgeable about the finer points of face recognition than their competitors. Until more details are released, skepticism is probably warranted.

Still, even if their method is shown to be real and effective in the wild, it does have the rather large downside of requiring a 3D scan of the victim’s face. We’re not sure how an attacker is going to get a clean scan of someone without their consent or knowledge, but with the amount of information being collected and stored about the average consumer anymore, it’s perhaps not outside the realm of possibility in the coming years.
https://hackaday.com/2017/11/14/face-id-defeated-with-3d-printed-mask-maybe/
 
The US Department of Defense is funding research into how hackers hack, with an interesting twist. It wants to wire them up with body monitoring equipment to measure how they react while hunting down and exploiting security flaws.

The study is running this month and next at what's described as a high-security nuclear science facility run by Sandia National Labs in Albuquerque, New Mexico, according to official documents seen by The Register. Sandia is a Honeywell-owned US government contractor tasked with researching and designing components that go into nuclear bombs, among other work.

Infosec professionals recruited for the research will each be given two days to participate in a standard capture-the-flag competition – in which hackers race to compromise secured systems – using Kali Linux laptops, as well as solving some puzzles and filling in questionnaires.

They will not be attacking live production machines, but it's understood they will be competing in environments similar to Uncle Sam's real-world networks. The aim, we're told, is to figure out which combinations of hardware and software are the easiest and hardest for seasoned pros to infiltrate, and how they physically and mentally cope with the challenge.
http://www.theregister.co.uk/2017/11/15/us_government_hackers_heart_rate_monitors/
 
The neighbour's cyber operator got caught.

Russia has denied that a person nabbed by Estonian local authorities was one of its spies. Estonia alleges the suspect had been intent on hacking into the Baltic country’s computer network.

Alexei Vasilyev, 20, was arrested in the northeastern border city Narva on 4 November as he was about to leave Estonia by officials of the Estonian Internal Security Service (ISS). The Russian national has since been detained on suspicion of being an agent of the Russian Federal Security Service (FSB).

Russian ambassador to Estonia Alexander Petrov told Interfax on Monday that he was “perplexed as to why the Estonian authorities said right after his detention that he is an FSB agent”, Estonian news outlet ERR reports.

Local reports suggest the arrest is not connected to recent security problems with Estonia's ID-card nor is it connected to Estonia’s current term of presidency of the Council of the European Union.

The suspect is alleged by Estonia to have been making preparations for a hack into unspecified Estonian state institutions. According to the Estonians, these activities were "monitored throughout" and were "unsuccessful". No further details of the alleged offences have been released to date.

"Acting against the Republic of Estonia as an agent of a foreign power's special service is definitely a serious crime and we will find out all important details as soon as possible," state prosecutor Inna Omblerr said, the Baltic Times reports. "At present we can say without disclosing any details that bigger damage was prevented.”
http://www.theregister.co.uk/2017/11/14/alleged_hacker_spy_arrested_in_estonia/
 
Russia attacked energy, telecom and media in Britain: government official
"train as you fight"?
- although with the hospitals it was probably N. Korea (with its ransom demands) that was behind it
- the first state-level "bank heist": N. Korea going after Bangladesh's central bank... they apparently got $32 million; the attempt was in the billions
 
Kaspersky Lab, the US government's least favorite computer security outfit, has published its full technical report into claims Russian intelligence used its antivirus tools to steal NSA secrets.

Last month, anonymous sources alleged that in 2015, an NSA engineer took home a big bunch of the agency's cyber-weapons to work on them on his home Windows PC, which was running the Russian biz's antimalware software – kind of a compliment when you think about it. The classified exploit code and associated documents on the personal system were then slurped by Kremlin spies via his copy of Kaspersky antivirus, it was claimed.

Kaspersky denied any direct involvement. It was unfortunate timing considering US officials had banned the Russian software from all federal government systems the month before. The biz offered to hand over its source code to investigators, to prove it wasn't up to anything dodgy, and began a full internal inquiry.

The report, published on Thursday, said it has no record of the described snafu in 2015, but the case looked like a situation that kicked off the year before. A user with a Verizon FiOS IP address in the Baltimore area, near the NSA headquarters, fired up the Kaspersky software, and it found on the PC powerful cyber-attack code that appeared to be part of a collection codenamed the Equation Group files. We know that now these files belonged to the NSA, but at the time, Kaspersky was still figuring out where they came from.

Kaspersky had been researching the Equation Group's spyware tools for months after it encountered the data elsewhere. The files showed all the hallmarks of being a highly sophisticated state-sponsored creation – such as the NSA's handiwork. Assigning names like Equation, Grayfish, Fanny, DoubleFantasy and Equestre to the tools it found in the surveillance set, Kaspersky updated its antivirus signatures in June 2014 to look for instances on its customers' computers. That would mean people running Kaspersky's tools would be protected from the mysterious malware.

Signatures aren't an exact science, and these digital fingerprints for the Equation Group files triggered hundreds and thousands of detections, most of which turned out to be false positives. But towards the end of the year, the software appeared to hit pay dirt, Kaspersky said, and it found 17 instances of Equestre, two more for Greyfish and a 7zip archive that also appeared to be holding the spyware code – all on a single computer. The NSA engineer's home computer.

"An archive file firing on these signatures was an anomaly, so we decided to dig further into the alerts on this system to see what might be going on," the report stated. "After analyzing the alerts, it was quickly realized that this system contained not only this archive, but many files both common and unknown that indicated this was probably a person related to the malware development."

Over a three month period, Kaspersky found 37 unique Equation Group files on the computer, with indications this machine belonged to a developer of the sophisticated malware. The security shop said it was withholding further details on this until it receives permission from the user to do so – so don't hold your breath.
http://www.theregister.co.uk/2017/1...c_was_riddled_with_malware_from_pirated_code/
 
The United States' Department of Justice has identified a suspect in July's attack on Home Box Office, naming an Iranian national, Behzad Mesri, in an indictment unsealed Tuesday, November 21.

Announcing the charges, acting Manhattan US attorney Joon Kim said Mesri “had previously hacked computer systems for the Iranian military”.

HBO acknowledged the breach in late July, after the attacker began leaking news of an exploit after the broadcaster didn't pay the US$5.5 million (in Bitcoin) ransom, later increased to $6 million.

While working for the military, the indictment [PDF] claimed, Mesri conducted attacks on “military systems, nuclear software systems, and Israeli infrastructure”. He also stands accused of being an occasional member of the hacking collective “Turk Black Hat Security”. As a “Turk Black Hat”, the indictment said he took part in Website defacements using the handle “Skote Vahshat”.


In his hack-and-extort campaign against HBO, Mesri identified locations the company's staff used for remote access, compromised “multiple user accounts” of staff and contractors, and from there, logged into HBO's systems, the indictment said.
http://www.theregister.co.uk/2017/11/22/department_of_justice_names_behzad_mesri_as_hbo_hacker/
 
"Network attacks that began during Russia's Zapad exercise continue in Åland: ”It's becoming the normal state”
https://www.is.fi/kotimaa/art-2000005459694.html
Published: 22.11. 12:09

Åland has been the target of extensive denial-of-service attacks since September. The attacks against the province's internet connections began during Russia's large Zapad military exercise and are still continuing. There is, however, no evidence of Russia's role. The large Russian and Belarusian Zapad military exercise, which extended to the Baltic Sea, began on 14 September.

At the same time, a series of denial-of-service attacks began in Åland that has disrupted and slowed the province's data traffic up to the present day. For example, connections to foreign servers and to Finland have at times been cut off, and connections have otherwise been slow.

– At first it harmed all data traffic, not only the targets, says information security specialist Perttu Halonen of Viestintävirasto (the Finnish Communications Regulatory Authority).

According to Halonen, the temporal link to Russia's Zapad exercise exists, but the perpetrator is almost impossible to prove. Denial-of-service attacks against specific targets can be ordered on the internet's grey markets for small change.

– A 10–15 minute attack can be ordered for even under ten dollars. It is embarrassingly easy, given that it is a crime, Halonen says.

What makes the attack on Åland exceptional is that it has continued up to the present day.

– It is already becoming the normal state in Åland. But Åland has now adapted to living with the recurring attacks, and they no longer greatly disrupt the functioning of services.

– There have been several attacks carried out in the same way. It depends on how one defines an attack whether these are several separate attacks or one long-lasting attack, Halonen adds.

The targets of the denial-of-service attacks have included certain local businesses, the newspaper Nya Åland and the provincial government. It is not worth speaking of an actual cyber strike, since for example hospitals and the province's infrastructure have been protected.

In early autumn, controversy arose when the Defence Command refused to let a Russian training ship enter Åland in September. The visit would have coincided with Zapad and with Sweden's Aurora military exercise, in which Finland also participated.

The Kruzenshtern, owned by Russia's state maritime academy and with Kaliningrad as its home port, was on its way to Mariehamn with 164 cadets aboard. The attempted visit was suspected to be a Russian operation to test Åland's demilitarised status and Finland's readiness. The Defence Command has not commented on the reasons for its decision."
 
My Nokia N82 presumably lacks this feature. Intelligence authorities, ahoy! I'll swap my phone for a newer one if you pay. Price range 300–400 €.

Android phones collect your location data and send it to Google – even if tracking is turned off and the SIM card is removed

Android phones collect your location data and send it to Google, even if you remove the SIM card and switch the tracking function off. Google has admitted this, writes Quartz.

The tracking is done using data from cell towers. Encrypted data collected from them has been sent to Google over the network connection.

The feature has been in use since the beginning of January on all Android phones and tablets. Users have not been able to influence the data collection.

As soon as the matter became public, the company announced that it would disable the feature.

The finding is worrying, because cell tower data is normally shared outside operators only very rarely. Based on the information now revealed, tracking would be considerably easier than previously thought. In practice the only way to avoid it is to use disposable phones, The Verge analyses.

According to Google, the tracking feature will be disabled at the end of November.

Source: Tivi
 
The FBI failed to notify scores of US officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year, an investigation found.

The Associated Press dedicated two months and a small team of reporters to go through a hit list of targets of Fancy Bear, a Russian government-aligned cyberespionage group, that was provided by the cybersecurity firm Secureworks. Previous investigations based on the list had shown how Fancy Bear worked in close alignment with the Kremlin’s interests to steal tens of thousands of emails from the Democratic party.
https://www.theguardian.com/us-news/2017/nov/26/russia-hacking-fbi-fancy-bear-officials-email
 
A young Russian alleged to have masterminded a massive hacking of social networks including LinkedIn and Dropbox is now at the center of an extradition struggle between the United States and Russia.
Yevgeniy Nikulin was detained in October 2016, in the Czech Republic capital of Prague, after US authorities issued an international arrest warrant for him. He was on vacation there with his girlfriend.

A grand jury indictment filed in 2016 in California charges him with computer intrusion and aggravated identity theft, among other offenses. Nikulin denies all the charges. If convicted of all charges, he could face a maximum sentence of more than 50 years in prison and more than $2 million in fines.
http://edition.cnn.com/2017/11/25/europe/us-russia-extradition-fight/index.html
 
Researchers have packed extra information onto single photons to speed up quantum key distribution (QKD) systems.

QKD uses a characteristic of quantum mechanics to protect keys used to encrypt data using classical crypto schemes: if Eve tries to snoop on the key Alice is sending Bob, the quantum state/s a photon carries are destroyed. Alice and Bob know there's an eavesdropper, and the key Eve eavesdropped is useless.

However, compared to conventional telecommunications systems, QKD is slow: most systems based on photon-by-photon transmission of crypto keys run at speeds of hundreds of kilobits per second.

Research from Duke University's Nurul Taimur Islam, with collaborators from Ohio State University, Oak Ridge National Laboratory, and the National University of Singapore, achieved megabit key distribution rates using off-the-shelf components, meaning existing photonic QKD systems could be adapted to use their work.

In a paper based on research funded by the United States Navy and Defense Advanced Research Projects Agency (DARPA), published in Science Advances and available as pre-press at arXiv, the researchers explained that to get faster key distribution rates, they worked to overcome the limits on photon detectors' speed.

The paper explained that if keys are distributed as one-qubit-per-photon, the system speed is limited by how fast states can be generated.

The solution is to encode more than one state on the photon – to turn it into a “qudit” (more than two dimensions per photon) instead of a qubit – in this case using time-of-arrival as one dimension, and the phase of the photon as the other.

“The secret key is calculated using the sifted photon time-of-arrival data, and the amount of extractable secret data is determined using the noise level observed in the sifted phase measurement data,” the paper explained.

“Using a four dimensional (d = 4) state space represented by four distinct time bins and its conjugate state space in the Fourier transform domain, we realise a QKD that generates an ultra-high secret key rate.”

The researchers note that their technique is robust enough to be used to send photons across free space, although they expect its first application would be in metropolitan-scale fibre networks.
http://www.theregister.co.uk/2017/1...nfo_onto_photon_for_faster_quantum_key_disto/

http://advances.sciencemag.org/content/3/11/e1701491
 
!!!

Researchers at CyberArk Labs have created a post-intrusion attack technique known as a Golden SAML that could allow an attacker to fake enterprise user identities and forge authentication to gain access to valuable cloud resources in a federation environment.

“Using this post-exploit technique, attackers can become any user they want to be – with the highest level of privileges – and gain approved, federated access to a targeted app,” according to CyberArk Labs who revealed the attack technique this week.
https://threatpost.com/saml-post-intrusion-attack-mirrors-golden-ticket/128993/

Golden Ticket is a type of attack against an IT infrastructure’s authentication protocols. Similar to Pass-the-Hash, Overpass-the-Hash and Pass-the-Ticket, a Golden Ticket attack is considered the most invasive because it provides an adversary with unrestricted access and control of an IT landscape via manipulation of the Windows Server Kerberos authentication framework.

Instead of targeting the Windows Server Kerberos, a Golden SAML attack leverages the Security Assertion Markup Language 2.0 (SAML) protocol. SAML is an open standard for exchanging authentication and authorization data between an identity provider and a service provider.

“Golden SAML poses serious risk because it allows attackers to fake an identity and forge authentication to any cloud app (Azure, AWS, vSphere, etc.) that supports SAML authentication. Using this post-exploit technique, attackers can become any user they want to be – with the highest level of privileges – and gain approved, federated access to a targeted app,” researchers wrote.

SAML assertions are trusted and signed via a specific RSA key stored with an identity provider environment.

The prerequisites of such attacks, however, are considerable. Among other things, hackers will need the private key that signs the SAML objects, an Active Directory Federation Services user account, token-signing private key, an identity provider (IdP) public certificate and an IdP name.

Attackers must also gain access to where the identity management is taking place in order to gain access to those resources. Sometimes a third party handles the SAML key management, other times it is hosted within a company’s own domain.

“Once the attacker has gained access to this key, the attacker can create whatever SAML authentication object they want. They can be any user on the targeted service with any permissions on the system that they desire as long as they sign the SAML assertion with the stolen key,” said Shaked Reiner, a security researcher with CyberArk Labs in an interview with Threatpost.

Similar to Microsoft’s Kerberos based environments that enable Golden Ticket to work, a fix for Golden SAML is not trivial. “There isn’t anyone to blame here, but if you are using SAML you need to be aware of this problem,” said Doron Naim, senior security researcher with CyberArk Labs.

Microsoft doesn’t consider this a vulnerability because in order to carry out a Golden SAML attack an adversary must already have compromised a company’s network and have domain admin access, Naim said.

“As for the defenders, we know that if this attack is performed correctly, it will be extremely difficult to detect in your network,” researchers wrote. “We recommend better monitoring and managing access for the ADFS account, and if possible, auto-rollover the signing private key periodically, making it difficult for the attackers.”

https://www.cyberark.com/threat-res...k-technique-forges-authentication-cloud-apps/
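An added example in Go, not code from the post or from CyberArk's research: a cut-down model of SAML token signing and service-provider verification (RSA-SHA256 over a JSON stand-in instead of XML-DSig; the key IDs "ts-2017"/"ts-2018", the subject and the timestamps are constructed). It shows why a signature check cannot tell an assertion minted with a copied key from a genuine one while that key is trusted, and how the key rollover the researchers recommend makes an assertion signed with the retired key fail once the SP reloads the IdP metadata.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Assertion is a constructed, simplified stand-in for a SAML 2.0 assertion: the
// fields a service provider (SP) checks, without the XML and XML-DSig layers.
type Assertion struct {
	Subject      string    `json:"subject"`
	Roles        []string  `json:"roles"`
	IssueInstant time.Time `json:"issue_instant"`
	NotOnOrAfter time.Time `json:"not_on_or_after"`
}

// SignedAssertion is what the user's browser presents to the SP.
type SignedAssertion struct {
	Assertion Assertion
	KeyID     string // identifies which token-signing key produced Signature
	Signature []byte
}

// digest canonicalises the assertion (JSON here, C14N XML in real SAML) and hashes it.
func digest(a Assertion) []byte {
	payload, _ := json.Marshal(a) // these field types cannot fail to marshal
	h := sha256.Sum256(payload)
	return h[:]
}

// Sign: RSA-SHA256 (PKCS#1 v1.5). Whoever holds this private key, IdP or not, can mint assertions.
func Sign(key *rsa.PrivateKey, keyID string, a Assertion) (SignedAssertion, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(a))
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Assertion: a, KeyID: keyID, Signature: sig}, nil
}

// ServiceProvider trusts only the key IDs currently published in the IdP's metadata.
type ServiceProvider struct {
	Trusted map[string]*rsa.PublicKey
	MaxAge  time.Duration // how old an IssueInstant may be; short windows limit replay
}

// Verify is the SP-side check. A valid signature from a trusted key proves only that
// the key was used, not that the IdP's login flow ran, so it cannot spot Golden SAML.
func (sp *ServiceProvider) Verify(sa SignedAssertion, now time.Time) error {
	pub, ok := sp.Trusted[sa.KeyID]
	if !ok {
		return errors.New("signing key not in current trust set (retired or unknown)")
	}
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(sa.Assertion), sa.Signature) != nil {
		return errors.New("bad signature")
	}
	if !now.Before(sa.Assertion.NotOnOrAfter) || now.Sub(sa.Assertion.IssueInstant) > sp.MaxAge {
		return errors.New("assertion outside its validity window")
	}
	return nil
}

// RolloverScenario returns whether an assertion signed with key "ts-2017" is accepted
// before and after the IdP rolls over to "ts-2018" and the SP reloads its trust set.
func RolloverScenario() (acceptedBefore, acceptedAfter bool, err error) {
	oldKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	newKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return false, false, errors.New("rsa key generation failed")
	}
	now := time.Date(2017, 11, 22, 12, 0, 0, 0, time.UTC)
	a := Assertion{Subject: "alice@example.test", Roles: []string{"Domain Admins"},
		IssueInstant: now, NotOnOrAfter: now.Add(5 * time.Minute)}
	sa, err := Sign(oldKey, "ts-2017", a)
	if err != nil {
		return false, false, err
	}
	sp := &ServiceProvider{Trusted: map[string]*rsa.PublicKey{"ts-2017": &oldKey.PublicKey},
		MaxAge: 5 * time.Minute}
	acceptedBefore = sp.Verify(sa, now) == nil
	// Rollover: the old key leaves the IdP metadata and the SP reloads its trust set.
	sp.Trusted = map[string]*rsa.PublicKey{"ts-2018": &newKey.PublicKey}
	acceptedAfter = sp.Verify(sa, now) == nil
	return acceptedBefore, acceptedAfter, nil
}
```

Rollover only helps after it happens and after every relying party has refreshed its trust set, so it limits the window of a stolen key rather than detecting its use; the access logging on the ADFS account that the researchers also recommend is what covers that gap.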
 
Should we get rid of those Windows environments pretty quickly?
it provides an adversary with unrestricted access and control of an IT landscape via manipulation of the Windows Server Kerberos authentication framework.
- picked directly from the link above
 
Should we get rid of those Windows environments pretty quickly?

No need. Linux and the Apple company's product have exactly the same kinds of vulnerabilities. The problem here is that this is a direct way to escalate privileges and it bypasses Kerberos, even though Kerberos is meant to be the mandatory door control for the system. In plain language, this is a bouncer who may let unauthorised guests in under certain circumstances. Back in the day, the Win 95 password check could be bypassed with the ESC key; this is a similar situation, where the very complex black box built by Microsoft and used by companies screws up. Personally I believe Kerberos should be rewritten, but the problem is that at some point someone else will write a new bypass, and it is precisely this bypass that makes this a big deal.

From an attack perspective this is a good thing. A bypass of the most common "door" control used by companies.
 