The National Security Agency is publicly credited with finding and reporting CVE-2020-0601, marking the start of what it says is a new approach to vulnerability disclosure.
The first Patch Tuesday of 2020 has the industry buzzing about 49 CVEs, in particular a Windows CryptoAPI spoofing vulnerability disclosed to Microsoft by the US National Security Agency (NSA).
CVE-2020-0601, which affects Windows’ cryptographic functionality, exists in Windows 10, Windows Server 2016, and Windows Server 2019. Microsoft categorizes it as Important and rates it 1, “Exploitation More Likely,” on its Exploitability Index in the advisory released today. Neither Microsoft nor the NSA has seen this vulnerability used in the wild, and the agency said it has not seen it in a tool.
The certificate-validation flaw exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the bug by using a spoofed code-signing certificate to sign a malicious executable so the file appears to be from a known and trusted source. The move could trick both users and anti-virus software, the DHS explains in an emergency directive on today’s patches. Neither a user nor the AV program would know a file was malicious.
With this vulnerability, an attacker could issue a maliciously crafted certificate for a hostname that didn’t authorize it. As a result, a browser that relies on CryptoAPI would not issue a warning to the user, giving the intruder access to modify or inject data on user connections. Successful exploitation could also allow an attacker to launch man-in-the-middle attacks and decrypt confidential data on users’ connections to the affected software.
Some places where trust may be breached include HTTPS connections, signed files and emails, and signed executable code launched as user-mode processes, the NSA says in an advisory. An attacker could compromise Web certificates and spy on traffic as part of a man-in-the-middle attack, or compromise digitally signed emails. For apps using signatures for verification, an attacker could manipulate a user into deploying a malicious app that is signed and seems real.
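The article does not go into the root cause, but the NSA advisory it cites gives defenders one concrete signal: the spoofed certificates carry explicitly encoded elliptic curve parameters in place of a named-curve OID, which legitimate certificates almost never do. The check below, an added example that is not code from the article, Microsoft or the NSA, walks a DER-encoded certificate to its SubjectPublicKeyInfo and reports whether the EC parameters are a named curve, explicit parameters, or implicitlyCA. The two sample certificates are constructed inline with placeholder names, dates, key and signature bytes; only their encoding shape matters for the check.

```python
"""Flag X.509 certificates whose EC public key uses explicit curve parameters
rather than a named curve.  Pure Python DER handling, no third-party modules."""

EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"   # id-ecPublicKey
PRIME256V1_OID = "1.2.840.10045.3.1.7"    # named curve NIST P-256 / secp256r1
ECDSA_SHA256_OID = "1.2.840.10045.4.3.2"

# ---- minimal DER encoder (only used to build the constructed sample certs) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body): return bytes([tag]) + _der_len(len(body)) + body
def seq(*parts): return der(0x30, b"".join(parts))
def octets(b): return der(0x04, b)
def bitstring(b): return der(0x03, b"\x00" + b)   # leading byte: unused bits

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # base-128 with continuation bits
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def integer(n):
    # one extra byte when the top bit would be set, so the value stays positive
    return der(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

# ---- minimal DER reader ----
def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at pos (single-byte tags)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        k = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def children(buf):
    pos, out = 0, []
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out

def classify_spki(spki_value):
    """'named', 'explicit', 'implicit' or 'not-ec' for a SubjectPublicKeyInfo body."""
    alg_parts = children(children(spki_value)[0][1])          # AlgorithmIdentifier contents
    alg_tag, alg_value = alg_parts[0]
    if der(alg_tag, alg_value) != oid(EC_PUBLIC_KEY_OID) or len(alg_parts) < 2:
        return "not-ec"                                       # ecPublicKey needs parameters
    return {0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(alg_parts[1][0], "unknown")

def classify_cert(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo and classify the key."""
    _, cert_body, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert_body)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return classify_spki(fields[5][1])

# ---- constructed sample certificates (placeholder names, dates, key and signature bytes) ----
def make_cert(ec_params):
    spki = seq(seq(oid(EC_PUBLIC_KEY_OID), ec_params),
               bitstring(b"\x04" + bytes(64)))                  # placeholder uncompressed point
    tbs = seq(der(0xA0, integer(2)),                            # version v3
              integer(1),                                       # serialNumber
              seq(oid(ECDSA_SHA256_OID)),                       # signature algorithm
              seq(),                                            # issuer (empty Name)
              seq(der(0x17, b"200101000000Z"), der(0x17, b"300101000000Z")),   # validity
              seq(),                                            # subject (empty Name)
              spki)
    return seq(tbs, seq(oid(ECDSA_SHA256_OID)), bitstring(bytes(8)))   # placeholder signature

NAMED_CERT = make_cert(oid(PRIME256V1_OID))

# Explicit ECParameters ::= SEQUENCE { version, fieldID, curve, base, order, cofactor }.
# The numbers are placeholders, not a real curve; only the encoding shape matters here.
EXPLICIT_PARAMS = seq(integer(1),
                      seq(oid("1.2.840.10045.1.1"), integer(23)),   # prime-field, p
                      seq(octets(b"\x01"), octets(b"\x01")),        # a, b
                      octets(b"\x04\x03\x0a"),                       # base point G
                      integer(29),                                   # order
                      integer(1))                                    # cofactor
EXPLICIT_CERT = make_cert(EXPLICIT_PARAMS)

if __name__ == "__main__":
    for label, cert in (("named-curve cert", NAMED_CERT), ("explicit-params cert", EXPLICIT_CERT)):
        print(f"{label}: {classify_cert(cert)}")
```

To run it against a real certificate, strip the PEM armor, base64-decode the body and pass the resulting DER bytes to classify_cert; anything reporting "explicit" in a chain that should end at a public CA deserves a closer look. The check is a triage aid, not a replacement for the patch.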
If exploited, CVE-2020-0601 could render affected platforms “fundamentally vulnerable,” officials say, and the consequences of not patching this flaw are “severe and widespread.” The agency anticipates remote exploitation tools will be made quickly and widely available.
“The blast radius is pretty close to as bad as you can get,” says Will Ackerly, CTO and cofounder of Virtru, who spent eight years with the NSA, where he was a technology architect and created the Trusted Data Format (TDF). If the operating system believes software is trusted, users won’t see the warning dialogs they normally would, and protections that depend on the signature check are bypassed.
“It attacks trust,” says Dr. Richard Gold, director of security engineering at Digital Shadows, of the vulnerability. “It is no longer possible to rely on the cryptographic guarantees provided by an unpatched system.” In this sense, he continues, this is a “very serious” bug as it attacks the trust businesses have in a system to verify updates, check signatures, and other measures.
New NSA-Vendor Cooperation
Microsoft has publicly credited the NSA with reporting CVE-2020-0601, a shift away from the agency’s practice of keeping vulnerabilities under wraps. It marks the start of a new approach by the NSA, said NSA director of cybersecurity Anne Neuberger on a call with reporters today.
“We thought hard about that,” said Neuberger of the decision to allow attribution. While the NSA has been discovering vulnerabilities for a long time, it had never before permitted public attribution for reporting one.
NSA experts look very carefully at software, especially software the US government plans to use, including Windows and other commercial products. They evaluated the code and turned their findings over to Microsoft. It’s unclear how much time passed between the NSA’s discovery of the bug and Microsoft’s patch.
Neuberger says the agency routinely finds vulnerabilities but with respect to the reporting process, “we’re working to do several things differently along the way.” The NSA follows the vulnerabilities equities process (VEP), which is used by the federal government to determine how to treat vulnerabilities on a case-by-case basis: should they be disclosed to the public to improve computer security, or should they be kept secret for offensive government use? VEP was created between 2008-2009; the government publicly disclosed the process in Nov. 2017.
Virtru’s Ackerly says this shift is the next step in a gradual change he noticed during his time with the NSA. Neuberger has coordinated with other agencies and countries, where her counterparts spoke to the value of public engagement, and the NSA is now moving forward on it.
Will we see more vulnerability reports from the NSA? “We’ll approach each situation on its own merits,” Neuberger said in response.
But Don’t Stop Patching There
Microsoft today also disclosed multiple Windows RDP bugs. CVE-2020-0609 and CVE-2020-0610 are critical remote code execution vulnerabilities in Windows Remote Desktop Gateway (RD Gateway). Both are pre-authentication and require no user interaction: an attacker who can reach the RD Gateway over RDP and send specially crafted requests can execute code on it. The two vulnerabilities affect Windows Server 2012 and newer, and because RD Gateway is typically internet-facing they belong at the top of the patch list.
There is also CVE-2020-0611, a Remote Desktop Client RCE vulnerability that exists when a user connects to a malicious server. An attacker would first need to have control of the server and then convince a user to connect via social engineering, DNS poisoning, or a man-in-the-middle attack. If successful, they could execute arbitrary code on the connecting machine and install programs; view, change, or delete data; or create new accounts with full user rights. This bug affects Windows Server 2012 and newer, as well as Windows 7 and newer.
The Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of these vulnerabilities, officials wrote in advisory AA20-014A. Organizations are advised to prioritize patching for mission-critical systems, internet-facing systems, and networked servers.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …
Using APIs for Better Cyber Security
What is an API?
What is an API? Most users think of the screen, keyboard and mouse as the computer’s interfaces: the visible ones through which a person interacts with the machine and the internet. There is another kind of interface we rely on every day but never see: the interfaces through which software components talk to each other. For a long time this was not standardized; early Unix developers, for example, built their own mechanisms for interprocess communication (IPC).
Application programming interfaces (APIs) are the standardized answer: a defined contract through which one piece of software can call another, exchange data and coordinate access to shared resources. The concept is as old as operating systems and libraries, but by the early 2000s the industry wanted an open, standard way for software to talk to software across the network, which produced the web APIs (SOAP, then REST) that dominate today. An API exposes a service to other workloads and applications and allows two-way communication between processes. A well-designed API call carries everything needed to complete a task; unlike a web form, it does not require a user to step through multiple screens.
Cyber security and API
API security covers protecting the integrity of the APIs you own or consume. Microservices and containers communicate with each other through APIs, and APIs are what let everyday things talk to smart devices, like a refrigerator paired with an Android smartphone. As systems become more interconnected, APIs carry more of the traffic and more of the risk, and the growth of Internet of Things (IoT) applications has made API security a growing concern.
Web scraping and APIs
Beyond connecting software components, an API is also the sanctioned way to expose the data of an application, web page or operating system to outside consumers. Web scraping, by contrast, is the practice of extracting (“scraping”) data from one or more web pages by parsing the HTML that was meant for a human reader.
An API hands over the data directly; scraping reconstructs it from the rendered page. Developers fall back on scraping when the provider offers no API for the data they need, or prices API access beyond their budget. Scraping with software written in Python is one of the most common ways to do it. Keep in mind that the same technique lets an attacker harvest data from your own site at scale, which is one reason authentication and rate limiting on data endpoints matter.
Security threats with API
Some common threats associated with APIs are:
- Man in the middle (MITM): an attacker secretly intercepts the traffic between an API client and the API, reading or altering it. If the connection is not protected by TLS with proper certificate validation, credentials, session tokens and personal or financial data pass through the attacker in the clear.
- Injection: an attacker places commands in an API parameter or message body that the backend then hands to an interpreter, most commonly SQL, but also shell commands, LDAP queries, or XML and JSON parsers. Any API whose inputs reach a parser or query engine without validation and parameterization is exposed.
- Distributed denial of service (DDoS): attackers use many hosts to flood an API with connections and requests, exhausting bandwidth, memory, CPU or backend capacity until the service fails for legitimate users. APIs are especially exposed because a single cheap request can trigger expensive work on the server.
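The injection item above is easiest to see with the vulnerable handler beside its fix. The following is an added example, not code from the article: an account-lookup endpoint written two ways against an in-memory SQLite database with a few constructed rows. String formatting lets the API parameter rewrite the query; a bound parameter cannot. Identifiers such as a sort column cannot be bound, so the last function shows the allow-list check used for those.

```python
"""Injection through an API parameter: vulnerable query building beside the
parameterized fix, run against an in-memory SQLite database."""
import sqlite3

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 120), ("bob", 75), ("carol", 9001)])   # constructed rows
    return conn

# Imagine both functions behind GET /accounts?owner=<name>

def lookup_vulnerable(conn, owner):
    """Builds SQL by string formatting: the API parameter becomes part of the query text."""
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, owner):
    """Parameterized query: the driver sends the value separately; it can never alter the SQL."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()

ALLOWED_SORT = {"owner", "balance"}

def lookup_sorted_safe(conn, owner, sort_by):
    """Identifiers cannot be bound as parameters, so validate them against an allow-list
    before they are interpolated; everything else still goes through a bound parameter."""
    if sort_by not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT owner, balance FROM accounts WHERE owner = ? ORDER BY {sort_by}"
    return conn.execute(sql, (owner,)).fetchall()

PAYLOAD = "x' OR '1'='1"   # classic tautology payload, constructed for the demo

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, normal input:", lookup_vulnerable(conn, "alice"))
    print("vulnerable, payload     :", lookup_vulnerable(conn, PAYLOAD))   # every row leaks
    print("safe, payload           :", lookup_safe(conn, PAYLOAD))         # nothing matches
```

The same pattern applies to every interpreter an API feeds: bind data as parameters, validate identifiers and structural inputs against an allow-list, and never let request content become program text.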
SOAP and REST API
SOAP and REST are the two most common approaches to implement APIs.
SOAP (Simple Object Access Protocol) is an XML-based messaging protocol for exchanging structured information between systems. Its security is defined by the WS-Security standard, which uses XML Encryption, XML Signature and SAML tokens to protect and authenticate individual messages.
REST (Representational State Transfer) uses plain HTTP verbs to read and change resources on a remote system. REST APIs have no message-level security standard of their own; they rely on HTTPS (TLS) for transport encryption and server authentication, with client authentication handled by tokens or, less commonly, client certificates. Consolidating APIs on a central platform or gateway makes these controls easier to apply and audit consistently.
How to improve cyber security
A compromised API can lead directly to a serious data breach. Because APIs are exposed by design, they need deliberate security controls:
- Use tokens: issue tokens only to authenticated identities, bind each token to a scope and an expiry, and require a valid token on every request for data.
- Authenticate every caller. TLS protects the channel and authenticates the server; it does not, on its own, tell the API who the client is. OAuth 2 and OpenID Connect layer client and user authentication on top of TLS; they complement it rather than replace it.
- Put an API gateway in front of your APIs. A gateway inspects API traffic, enforces authentication and rate limits centrally, and gives you a single place to monitor and analyze how your APIs are used.
- Test and monitor continuously: scan and fuzz your APIs for vulnerabilities, inspect traffic for anomalies, keep API components up to date, and track disclosed vulnerabilities in them.
- Authorize every access: check that the caller’s role allows the operation and that the caller owns or is permitted to see the specific object requested. Checking the role alone lets a legitimate user reach other users’ data; checking both keeps ordinary users out of admin functionality and out of each other’s records.
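The token, authentication and authorization items above fit together in one request path. The code below is an added example, not from the article: a compact HMAC-signed bearer token (JWT-like in shape, but not a real JWT library) with an expiry, and an account handler that first verifies the token, then checks role and object ownership before returning a record. The signing key, the users and the records are constructed for the demonstration; in production the key comes from a secret store and the records from a database.

```python
"""Token-based authentication plus object-level authorization for an API endpoint."""
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key-do-not-use"   # production: random, loaded from a secret store

def _b64(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=")
def _unb64(s): return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))

def issue_token(user_id, role, ttl_seconds=900, now=None):
    """Sign {sub, role, exp} with HMAC-SHA256.  A short expiry limits replay of a stolen token."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "role": role, "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return body + b"." + _b64(sig)

def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(b".", 1)
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):   # constant-time comparison
            return None
        claims = json.loads(_unb64(body))
    except ValueError:            # malformed base64 or JSON, or no separator
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims

# constructed data store: account records and the user who owns each
RECORDS = {
    "acct-1": {"owner": "alice", "balance": 120},
    "acct-2": {"owner": "bob", "balance": 75},
}

def get_account(token, account_id, now=None):
    """Handler for GET /accounts/<id>: authenticate, then authorize by role AND by ownership."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, {"error": "unauthenticated"}
    record = RECORDS.get(account_id)
    if record is None:
        return 404, {"error": "not found"}
    # A role check alone is not enough: an ordinary user may only read their own objects.
    if claims.get("role") != "admin" and record["owner"] != claims.get("sub"):
        return 403, {"error": "forbidden"}
    return 200, record

if __name__ == "__main__":
    token = issue_token("alice", "user")
    print(get_account(token, "acct-1"))                                   # 200, alice's own record
    print(get_account(token, "acct-2"))                                   # 403, bob's record
    forged = token.split(b".")[0] + b"." + _b64(b"\x00" * 32)             # claims with a bogus signature
    print(get_account(forged, "acct-1"))                                  # 401
```

Note the ordering: the signature is checked before the claims are trusted, the expiry before the role, and the ownership test runs on the specific object rather than on the endpoint as a whole.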
API security protects the integrity of APIs and should be a concern for any organization or individual that exposes or consumes them, all the more so as IoT devices multiply the number of APIs in use.
Konsentus Verify supports checking of UK-RTS compliant certificates
Konsentus today confirmed that its open banking third party provider (TPP) identity and regulatory checking solution, Konsentus Verify, can validate the identity of TPPs regardless of whether a UK-RTS compliant digital certificate or EEA issued eIDAS certificate is presented.
This follows OBIE’s recent announcement that UK-regulated TPPs must complete their migration from OBIE Legacy Certificates to UK-RTS compliant certificates (OBWACs/OBSEALs) no later than 30 June 2021, by which time they must also have revoked any active OBIE Legacy Certificates.
From the end of June 2021, ASPSPs must reject the use of OBIE Legacy Certificates for PSD2 identification purposes ensuring they only accept certificates that are compliant with the UK-RTS.
Konsentus Verify provides TPP identity and regulatory checking services to protect Financial Institutions from the risk of open banking fraud. The identity checking element of the Konsentus solution is based on the validation of a TPP’s digital identity certificate.
Konsentus Verify checks in real-time a certificate’s validity and whether it has been issued by a trusted certificate issuer. In addition, Konsentus Verify checks the Payment Services a TPP is authorised to provide by its home country National Competent Authority.
However, digital identity certificates are not usually updated over a certificate’s lifespan and do not list the roles a TPP can perform outside the TPP’s home country. Any ‘Passporting’ information must be obtained for each country the TPP wants to provide services into.
Any EEA TPP wanting to access accounts held by a UK-based ASPSP must either be on the FCA’s Temporary Permissions Regime list or registered directly with the FCA. Konsentus Verify validates in real-time the legitimacy and current authorisation status of TPPs providing payment services in the UK regardless of whether an eIDAS or UK-RTS compliant certificate is presented.
Mike Woods, CEO Konsentus commented, “With over 200 UK TPPs regulated to provide open banking services in the UK, we can offer our customers a single solution that means both UK-RTS compliant certificates and eIDAS certificates can be checked without having to introduce additional processes or delays. No matter where the transaction is taking place or where the TPP is located, we offer our customers a single solution providing identity and regulatory checking at the time of the transaction.”
The Hidden Challenges of Data Retention
Companies are drowning in enterprise data. While such data can serve as a conduit to innovation, it can also be a liability.
Having the right data retention policies in place not only protects data from unauthorized access or other malfeasances, it also ensures data is primed for business usage. Furthermore, recent regulations such as GDPR mandate the creation of a data retention policy to prove data is properly managed and utilized throughout its entire lifecycle, but especially at the very end.
While many organizations excel at saving data, few have mastered data disposal.
According to a 2020 Deloitte survey, while 80% of companies surveyed have a defined data retention policy in place:
“only one out of three respondents provided data to the business process owners for final disposition. Data is seldom reclassified or anonymised per current practices. Organisations may not be aware of techniques to use anonymised/pseudonymised data in an effective manner. Only 30 percent of the organisations were adopting automated erasure techniques for data on completion of the retention period.”
Furthermore, the report found that an alarming number of companies relied on ineffective data deletion and drive/device formatting methods that can leave sensitive data unprotected. In fact, more than 15% of second-hand drives purchased from an online retailer contained leftover data from the previous users.
GDPR and like-minded regulations also require proof of data disposal in the event of a consumer complaint. However, this too has been woefully overlooked as only 32% of companies “are prepared for and may have conducted audits of processing activities with respect to end-of-life of personal data.”
It is clear that CISOs need to become involved with the data retention process. Though policy decisions can be left to chief data and privacy officers, CISOs are increasingly being compelled to oversee the execution of data retention strategy, especially when it comes to the logging and verification of data disposal.
Data Lake Security & Governance
Over the past decade, data lakes have surged in popularity among data scientists looking to experiment with advanced analytics. If not properly maintained, however, a data lake can easily devolve into a data swamp: a system flooded with irrelevant, unusable data.
Such an environment poses a number of data security and privacy risks. To start with, data that can’t be found can’t be disposed of or retrieved in response to subject access requests.
Secondly, even well governed data lakes are vulnerable to false data injection and malware obfuscation as datasets are not segmented by clear boundaries. As a result, someone with access to a particular file object can modify it, and there is no trail or history of what was modified.
CISOs, CDOs and CPOs must work together to create security-first data governance frameworks for data lakes that protect the business, its customers and its most valuable strategic data assets. Such a plan should also address:
- Data access control
- Data protection (encryption)
- Data lake usage audit
- Data leak prevention
- Data lineage documentation
If the business opts to “drain the data swamp,” it is critical for the CISO to play an active role in deciding what data to keep and how to dispose of unusable or corrupted data as securely as possible.
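Two of the gaps named above, the lack of any trail when someone edits a file object in the lake and the need to prove disposal, can be closed with fairly little machinery. The following is an added example, not from the article: a digest manifest that detects modified, added or deleted objects, and an append-only audit log in which each entry commits to the previous one, so a scrubbed or edited entry breaks the chain. The "lake" is an in-memory dict of constructed objects standing in for an object store; the manifest and the chain's latest hash should live somewhere the lake's writers cannot reach.

```python
"""Tamper evidence for data lake objects: a digest manifest plus a hash-chained audit log."""
import hashlib, json, time

def digest(data):
    return hashlib.sha256(data).hexdigest()

def build_manifest(lake):
    """Record a SHA-256 digest for every object currently in the lake."""
    return {key: digest(data) for key, data in lake.items()}

def verify_manifest(lake, manifest):
    """Compare the lake against the manifest; returns only the non-empty change lists."""
    changes = {"modified": [], "added": [], "deleted": []}
    for key, expected in manifest.items():
        if key not in lake:
            changes["deleted"].append(key)
        elif digest(lake[key]) != expected:
            changes["modified"].append(key)
    changes["added"] = [k for k in lake if k not in manifest]
    return {k: sorted(v) for k, v in changes.items() if v}

class AuditLog:
    """Append-only log where each entry's hash covers the previous entry's hash.
    Anchor the newest hash externally (e.g. a signed daily digest) to detect truncation."""
    def __init__(self):
        self.entries = []

    def append(self, actor, action, key, data=None, ts=None):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": ts if ts is not None else int(time.time()), "actor": actor,
                 "action": action, "key": key,
                 "object_digest": digest(data) if data is not None else None, "prev": prev}
        entry["hash"] = digest(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first broken entry, or None if the chain is intact."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or digest(json.dumps(body, sort_keys=True).encode()) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

def write_object(lake, log, actor, key, data, ts=None):
    """The sanctioned write path: every change is logged with the digest of what was written."""
    lake[key] = data
    log.append(actor, "write", key, data, ts)

def dispose_object(lake, log, actor, key, ts=None):
    """Disposal at end of retention: remove the object and log it, so disposal can be proven later."""
    del lake[key]
    log.append(actor, "dispose", key, None, ts)

if __name__ == "__main__":
    lake, log = {}, AuditLog()
    write_object(lake, log, "etl", "raw/orders-2020.csv", b"order,amount\n1,10\n", ts=1)
    write_object(lake, log, "etl", "raw/customers.csv", b"id,name\n1,alice\n", ts=2)
    manifest = build_manifest(lake)
    lake["raw/orders-2020.csv"] = b"order,amount\n1,10000\n"   # direct edit, bypassing write_object
    print(verify_manifest(lake, manifest))                      # {'modified': ['raw/orders-2020.csv']}
    dispose_object(lake, log, "retention-job", "raw/customers.csv", ts=3)
    print(log.verify())                                          # None: chain intact
    del log.entries[1]                                           # someone scrubs the log
    print(log.verify())                                          # 1: break detected at that index
```

The manifest answers "what changed"; the log answers "who changed it and when"; neither helps if an attacker who can rewrite objects can also rewrite them, which is why both belong in a store with a different access path than the lake itself.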