Cyber Round-up for 19th October

Welcome to Ironshare’s Cyber Round-up, where we take a look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.

30,000 Records Leaked in Pentagon Data Breach

News of a data breach at the Pentagon broke earlier this week, with reports that both credit card data and personal information belonging to up to 30,000 civilian and military personnel had been leaked.

The source of the breach was not the Pentagon itself but a third-party vendor that provided travel services for Defense Department staff. For obvious security reasons the Pentagon has decided not to disclose the name of this third party while the investigation continues, but it has confirmed that no classified information was compromised as part of this breach.

The investigation into the size and scope of the breach is still ongoing, but a Pentagon spokesman was keen to point out that the data leak was the result of a hack on a single vendor that provided a service to a small portion of DoD personnel.

This is not the first hack or data breach experienced by the DoD, and it certainly won’t be the last. The timing couldn’t have been worse though, as a damning report recently released by the United States Government Accountability Office highlighted the critical vulnerabilities present in most weapon systems, which made them susceptible to sophisticated cyber-attacks.

https://apnews.com/7f6f4db35b0041bdbc5467848225e67d

NCSC Annual Review 2018

The National Cyber Security Centre, the driving force in securing the UK’s cyber defences, has this week released their annual review which details their activities and successes throughout their second year.

Since their creation in 2016 the NCSC has strived to make the UK a safer place to live and work online, and this report highlights how they have boldly continued on this path during the last 12 months.

The direction, information and published guidance that is produced by the NCSC is excellent, with simple and concise approaches that can be applied to all organisations regardless of type or size.

The NCSC has been involved in key activities throughout the year: publishing guidance for small businesses and charities to improve their security, hosting the CyberUK conference in Manchester, establishing educational courses to get young people into cyber security, and working with their US counterparts to issue alerts on the malicious activity of the Russian government, to name just a few.

Combine this with their involvement in hundreds of cyber security incidents and the takedown of thousands of malicious sites and domains, and the value the NCSC provides to the UK is priceless. We look forward to seeing what is in store for the next 12 months.

https://www.ncsc.gov.uk/annual-review-2018/

TLS 1.0 & TLS 1.1 Finally being Retired

All major browser vendors have this week officially released notices on the retirement of the legacy TLS 1.0 and 1.1 protocols, which is due to start in January 2020 with Google Chrome. TLS, or Transport Layer Security, is the critical security protocol used with HTTPS to protect and encrypt modern-day web traffic.

Since the retirement of SSL (Secure Sockets Layer) in June 2015, we have been waiting to hear the fate of the early TLS versions. TLS 1.0 is nearly 20 years old and supports older, insecure ciphers, as well as being vulnerable to the BEAST and FREAK attacks.

Earlier this year the industry made a big push to move all sites over to TLS 1.2 in preparation for this retirement, and the likes of Microsoft already have plans in place for their Office 365 SaaS platform to mandate the use of TLS 1.2 from 31st October 2018, as we covered in a previous post.

In August 2018 the IETF approved TLS 1.3 as the new internet security standard, which has paved the way for these legacy versions to be dropped from use. This is all due to start in January 2020 when Google removes support from Chrome, followed by Safari and Mozilla Firefox in March 2020, and Microsoft at some point in the first half of 2020.

If you are still running services that rely on TLS 1.0 or 1.1, we recommend you start planning now to upgrade to TLS 1.2 as a minimum. Although the vendors’ stats suggest that the number of internet-connected devices using these protocols is at an all-time low, remember to consider your legacy internal systems too. Depending on your infrastructure, applications or services this may be a lengthy process, so don’t delay. Links to the vendor notices are below:

Safari: https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/

Google: https://security.googleblog.com/2018/10/modernizing-transport-security.html

Microsoft: https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/

Mozilla: https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/
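Finding the legacy services the advice above is about is the first step, so here is a small inventory probe added to this round-up (it is our own example, not code from any of the vendor notices). It pins one handshake per TLS version against a listener you are responsible for and flags anything that still negotiates 1.0 or 1.1; the host name is taken from the command line, with "example.com" as a placeholder default.

```python
import socket
import ssl
import sys

VERSIONS = {                      # one pinned handshake per version
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = {"TLS 1.0", "TLS 1.1"}   # the versions the browsers are retiring

def make_probe_context(version):
    """Client context pinned to exactly one protocol version. Certificate
    checks are off on purpose: we ask which protocol the server negotiates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL's default security level refuses 1.0/1.1 client-side; relax it
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL builds have no security levels to relax
    return ctx

def probe(host, port=443, timeout=5.0):
    """Return {label: bool} recording which versions the listener accepts."""
    results = {}
    for label, version in VERSIONS.items():
        try:
            ctx = make_probe_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[label] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            results[label] = False  # refused, timed out, or unsupported locally
    return results

def summarise(results):
    """Flag a host still negotiating a retired version and list what remains."""
    legacy = sorted(v for v in LEGACY if results.get(v))
    modern = sorted(v for v in results if v not in LEGACY and results[v])
    return {"legacy_enabled": legacy, "modern_enabled": modern,
            "needs_action": bool(legacy)}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    print(target, summarise(probe(target)))
```

A host that reports "needs_action" but no "modern_enabled" version is the worst case: clients will lose access entirely once the browsers drop 1.0/1.1, so it should go to the top of the upgrade list.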

SSH Flaw allows Unauthenticated Access to Systems

If you run Unix, Linux or network systems you will be familiar with the Secure Shell protocol known as SSH. SSH is most commonly used as a remote management command line tool, for securely accessing server or network device consoles for administrative purposes.

This week a serious flaw in the open source SSH library ‘libssh’ was disclosed: a vulnerability in the libssh code allows malicious actors to successfully connect to a device listening for SSH connections without the need for authentication. Through the use of a crafted response during the SSH connection, the actor can convince the device that it has already authenticated, removing the need to provide a valid user name and password.

This bug only applies to libssh, not to the more popular OpenSSH implementation.

If any of your systems use libssh, it is strongly advised that you update to the latest version as soon as possible. Also keep in mind that IoT and network devices may be running vulnerable embedded versions of libssh, which would require a firmware upgrade to remove this threat.

https://nakedsecurity.sophos.com/2018/10/17/serious-ssh-bug-lets-crooks-log-in-just-by-asking-nicely/

And that’s it for this week, please don’t forget to tune in for our next instalment.

Sign Up

To keep up to date with our news and posts, why not join our mailing list using the link to subscribe: http://bit.ly/IronMailList

You can also follow us using the social media links provided.

If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment: http://bit.ly/IronFreeCyberReview


Ironshare – Security Simplified


Edition #13 – 19th October 2018