It’s time to let go of the view that multi-factor authentication (MFA) provides enough security.
Hackers have the means to steal passwords, hijack users’ sign-in sessions and bypass the authentication process entirely, even when MFA is enabled. Adversary-in-the-middle (AiTM) attacks may be nothing new, but the ability of criminals to bypass MFA is.
What’s new?
Attackers can now intercept the legitimate session cookie issued by a real website, along with the authentication token.
The sophistication of these modern AiTM attacks has been highlighted by Microsoft, who explain how AiTM phishing attacks work.
In simple terms:
- An attacker sends a cleverly crafted email (phishing attack) which looks legitimate
- An unsuspecting user clicks on this link, which takes them to the attackers’ ‘spoof’ website
- The attackers’ website silently and transparently forwards on the request to the real site (Office365, Google etc) for authentication
- The user sees the real website and enters their credentials to authenticate
The attacker can now silently intercept this data while it passes through their website
Cookie theft
Ever wondered how you can launch Edge or Chrome and navigate to your Office 365 email without being prompted for authentication? Or launch Outlook or Teams without being prompted for authentication?
This is because you have already done that once and have a safely stored session cookie which is valid for a set number of days. This is what the attacker is after and once they have it, they have easy, instant access to your email or Teams account.
Build multiple layers of protection
A multi-layered approach to security is the key. Relying on a single security mechanism such as MFA is like putting all your eggs in one basket. You need to reduce the possibility of security compromise by adding more control layers.
- Enable MFA if you haven’t done so already. Without this, it’s like having a toy padlock on your front door.
- Raise awareness. This is the most effective and essential step of all. Educate users on how to spot phishing emails and when they should and shouldn’t enter their credentials.
- Implement advanced email filtering. Reduce the chance of attacker emails reaching users’ mailboxes by deploying Content Filtering, Sender Filtering and Safe Links. These are must-haves.
- Implement a Web Proxy. These may be usually considered a mechanism to stop people accessing Facebook or eBay during working hours, but when combined with Deep SSL Inspection, a Web Proxy can inspect all traffic leaving the organisation and track known suspicious or malicious content and sites.
- Implement EDR. Next Generation anti-virus/anti-malware technologies with an Endpoint Detection and Response (EDR) service overlay can detect threats in your networking environment and respond to them appropriately, automatically, and ideally with a human interaction when required.
- Implement Microsoft Conditional Access Security Defaults. Conditional Access policies allow IT admins to create conditions before events, such as authentication, can be accepted. This could include enforcing MFA when logging into any Azure integrated Cloud App, including Office 365, to block sign-ins from untrusted locations or from unknown devices.
- Implement Least Privilege. If an attacker manages to penetrate all these layers you can still limit the damage done. If the end user does not have local admin rights, then there’s a good chance that the attacker will not have these when they compromise that machine. Another, possibly even more important, step is admin account separation
None of these controls are particularly new. They are in essence good practice and should be implemented as a base standard in all sizes of IT estate. The majority shouldn’t even cost significantly to implement if anything.
QuoStar’s Head of Security and resident CISO David Clarke shares his views on the new piece of legislation to protect the consumer – The Product Security and Telecommunications Infrastructure (PSTI) Bill.
“The Product Security and Telecommunications Infrastructure (PSTI) Bill supports the rollout of future-proof, gigabit-capable broadband and 5G networks, and better protects citizens, networks and infrastructure against the harms enabled through insecure consumer connectable products.” [Department for Digital, Culture, Media & Sport, 24 November 2021]
This is a very interesting piece of legislation as the “Product Security Measures” apply to manufacturers, importers, and distributors in the supply chain for consumer connectable products.
“A consumer connectable product is an internet-connectable or network-connectable product.” [Department for Digital, Culture, Media & Sport, 24 November 2021]
The PSTI Bill
The government has stated that the security requirements will apply in relation to products including:
- Connected cameras, TVs, and speakers
- Smartphones
- Connected children’s toys and baby monitors
- Connected safety-relevant products such as smoke detectors and door locks
- Internet of Things base stations and hubs to which multiple devices connect
- Wearable connected fitness trackers
- Outdoor leisure products, such as handheld connected GPS devices that are not wearables
- Connected home automation and alarm systems
- Connected appliances, such as washing machines and fridges
- Smart home assistants
The security requirements, to be set out in regulations, will:
- Ban default passwords
- Require products to have a vulnerability disclosure policy
- Require transparency about the length of time for which the product will receive important security updates.
The scale of devices with weak security is absolutely huge, Kaspersky research says there were 1.5 billion attacks against IoT (Internet of Things) products in the first 6 months of 2021.
As we speak (7th December 2021) more than 300 SPAR convenience stores across the UK have either had to revert to cash-only payments – or shut altogether – following a cyber-attack that has meant all point of sale devices have had to be taken offline, meaning the stores are unable to take card payments. It’s not the first time a European supermarket has been caught up in a supply chain attack this year. Sweden’s Coop stores were all hit with REvil ransomware in July this year, as a consequence of the Kaseya breach.
Ban Default Passwords
The question is, will this legislation make a difference? Removing default passwords will of course make a huge difference, yes. And no. It may just delay the inevitable. Will the devices have to have a standard for passwords e.g. minimum length or complexity? Will the device have a lock out period e.g.10 fails and you are locked out? If not, enumeration software will eventually crack the password.
Vulnerability disclosure
Good idea in principle, the difficulty will be whether these devices will auto update as it may be unlikely many users will have the technical capability to do it themselves.
Important security updates
If security updates are available for 2 years, similar to the average Android phone, what happens then? Will the consumers be alerted when the end of the 2 years is up? Will this then become part of built-in obsolescence, so new phones, doorbells, fitness wearables, washing machines need to be bought new again probably every 2 years.
“Ensure that consumer connectable products, such as smart TVs, internet-connectable cameras and speakers, are more secure against cyber-attacks, protecting individual privacy and security” [Department for Digital, Culture, Media & Sport, 24 November 2021]
This would seem to indicate that if there is damage to an individual’s privacy, there could be a group action against the TV manufacturer, importer, distributor, and manufacturers.
Should these devices go through a form of accredited security testing? In business-to-business relationships, there is usually a requirement that all systems should be updated within 14 days and be in support by the vendor.
In the age of Teleworking would the “work” supply chain be fully in scope? Home routers should not use a default password, and all software/firmware under the legislation must be in support by the vendor. Should smart speakers be updated? The doorbell, fish tank thermometer, alarm system, Wi-Fi Garden lighting? These could all potentially be in scope, especially where someone works from home, as a vulnerability for the corporate workspace.
Just one vulnerable point can allow criminals into a network.
In 2018, attackers were able to compromise a connected thermometer in a fish tank that had a default password. The fish tank was in the lobby of a US casino, and attackers used this vulnerability to enter the network and access sensitive details, such as bank details.
It’s very difficult to ensure that every link in the chain has appropriate cyber security measures in place and it only takes one vulnerable point to allow criminals into a network. Once they’re in, the knock-on effects can be catastrophic.
This is a step in right direction, but how do we manage the consequences, and will enforcement be likely?
Even in the Code of Practice for Consumer IoT Security there is some mention about encryption and cryptographic keys, but it’s not very detailed. Without encryption how will personal data and passwords be stored on IoT devices?
Hopefully, this will be the start of safer online world. Although is it enough? Probably not at this stage.
Will there now be a possibility of a class action against a device manufacturer for privacy infractions? Does this mean that the device manufacturer, importer, distributor could inadvertently (under GDPR) become a data controller if they are responsible or partly responsible for a breach? The bill raises more questions than it answers in the long term.
At QuoStar we manage these types of issues for corporate clients regularly. Patch management, passwords, release management and regular upgrades as well as containing systems and devices that cannot be upgraded, so they need to be contained and segregated with special security layers.