SANS NewsBites

Salesforce to Require Strong Multi-Factor Authentication; Poisoned USB Devices Are Still Being Mailed to Targets; Apache Wants Open-Source Users to Share the Security Burden

January 11, 2022  |  Volume XXIV - Issue #03

Top of the News


2022-01-07

Salesforce to Require Multi-Factor Authentication

Software company Salesforce has announced that as of February 1, 2022, it will start requiring users to enable multi-factor authentication (MFA) to access the company’s products. Salesforce has an MFA FAQ page.

Editor's Note

This should be the norm for at least all cloud services, and really all logins. Microsoft data showed that using any form of MFA would have thwarted 99.9 percent of successful account compromises. Users are increasingly doing so with the home accounts on banking and even social media. Use of MFA allows security resources to be focused on the extremely clever 0.1 percent of attacks vs. drowning from the simple 99.9 percent.

John Pescatore

Great move. MFA is a must in particular for systems like Salesforce working with critical data. If you try to rely on other means to mitigate attacks against other critical systems (e.g. VPNs): Stop doing stupid things like relying on geofencing. Implement a solid MFA solution now.

Johannes Ullrich

You should already have configured your IDP to require MFA when accessing cloud and other Internet accessible services. Where you are enabling SSO from trusted devices, ensure those devices require strong authentication, and additionally disable the ability to log in directly to accounts, bypassing your SSO/authentication process. Read the FAQ, including the types of second factor which are explicitly disallowed.

Lee Neely

Not only is this exciting from a security perspective (I’m a huge fan of 2FA / MFA) but it’s very impressive how Salesforce is rolling this out. Take a moment to read their MFA FAQ. It’s extensive, detailed, and well thought out. Some key things I found interesting: You have to use “strong” MFA, no SMS text messages or phone calls to obtain your one time code; you have to use technologies like local mobile authentication apps. Also, and this was a bit hidden, there are legal consequences if you don’t implement strong MFA. If you somehow work your way around the requirement and your data is compromised, you and NOT Salesforce are most likely legally responsible for any harm to your data. Is MFA perfect? Absolutely not. Will bad guys figure out ways around MFA? Absolutely. Security is ultimately about compromises and managing risk to an acceptable level. With passwords / accounts being a top two driver for breaches globally for the past three years (VZ DBIR), this is a step most organizations should be taking.

Lance Spitzner

MFA should be enabled everywhere. Hopefully this move by Salesforce, given their user base, pushes more adoption.

Jorge Orchilles

2022-01-10

FBI Warns of Attacks Using Malware-Laced USBs

In a recently updated Flash alert, the FBI has warned of a ransomware campaign involving USB thumb drives. The threat actors have been sending the malware-laced drives through the US Postal Service and United Parcel Service (UPS), pretending to come from the US Department of Health and Human Services (HHS) or Amazon. The FBI says the campaign is targeting the defense industry.

Editor's Note

Fin7 did that back in 2020 as well. I guess it worked well enough for them to try again. For myself: I always wanted to have one of those USB micro controllers. If you work for Fin7 and are reading this: contact me for my mailing address. For everybody else: Sorry, no great defense against this in particular if people use their own systems in a home office environment.

Johannes Ullrich

In the SANS 2020 Top New Attacks and Threats Report, Ed Skoudis highlighted “poisoned USB devices” as a threat vector. I had actually received one in the US mail from China earlier that year, trying to get me to insert it in my computer to get $500 in free PayPal cash. You can download that report from https://www.sans.org/white-papers/39520/

John Pescatore

Don’t assume that risks of inserting the device will be offset by a media scan. Some NGAV products no longer scan media, rather they wait until an executable/dll/etc. is loaded into memory before analysis is performed. The USB thumb drive may be emulating a keyboard or network card. When in doubt, don’t insert it before you’ve fully vetted and tested, preferably on a system designed for that purpose. Consider requiring a kiosk to scan and transfer data from all externally provided media for your corporate systems.

Lee Neely

If you speak MITRE ATT&CK, this technique is called Hardware Additions and is part of the Initial Access tactic. It has been documented since April 2018: https://attack.mitre.org/techniques/T1200/. In recent updates, MITRE has improved the mitigations and detections sections to provide more actionable information.

Jorge Orchilles

2022-01-10

Apache: Downstream Vendors Should Contribute to Open-Source Maintenance

In a position paper to be presented at a White House Software Security meeting later this week, the Apache Software Foundation calls out for-profit companies that benefit from open-source software but do not, for the most part, contribute to its maintenance.

Editor's Note

The ASF recommendations to businesses are solid: Know where you are using open-source components so you can patch them. Contribute some of your resources to skilled vulnerability testing and contribute to speeding the discovery of vulnerabilities in open-source software. In 2014, after the Heartbleed OpenSSL vulnerability, the Linux Foundation started the Core Infrastructure Initiative to gain support for raising the bar on the security of widely used open-source components. Adobe, Bloomberg, HP, Huawei and salesforce.com were early supporters, but not much happened. The CII has now become the Open Source Security Foundation with the goal of “… to inspire and enable the community to secure the open source software we all depend on, including development, testing, fundraising, infrastructure, and support initiatives…” Microsoft, Google, AWS, JP Morgan Chase, Redhat, and many others are listed as premier members and on the technical advisory committee.

John Pescatore

When using open-source software, it’s expected that discovered vulnerabilities are reported back quickly. If you have fixes, report them as well. Apache has project teams which will respond immediately to reported issues. Once updates or fixes are released, typically in less than two weeks after the report, businesses need to jump on applying them.

Lee Neely

One promise of open source was that many eyes would improve code quality. It has not proved to be true. CISA has identified more than 3000 products that use Log4j. Now this may not mean that the code was seen by the same number of sets of eyes, but it was certainly seen by many. Instead, what we have seen is that what is everyone's responsibility is no one's responsibility. We need better accountability.

William Hugh Murray

The Rest of the Week's News


2022-01-11

Millions of Vulnerable Versions of Log4j Have Been Downloaded Over the Past Month

Sonatype, the company that runs Apache Maven’s Central Repository, says they have observed four million downloads of vulnerable versions of Log4j since December 10. It is not clear why the number of vulnerable downloads is so high. Sonatype also noted that about 40 percent of the Log4j downloads over this past weekend were of the most recent versions.

Editor's Note

Speaking for my fellow developers: I know, we can't help it. It is hard to break a habit. But please spend the extra time to actually read change notes and move on to a newer version of the libraries you are using. It is much easier to do so step by step as new versions are released vs doing a big "flag day" once a decade to move everything.

Johannes Ullrich

Where your CI processes are downloading libraries regularly, make sure they are downloading the current approved versions. Make sure you’ve qualified the fixed versions such as Log4j 2.17.1.

Lee Neely
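One way to enforce the "current approved version" check described in the note above inside a CI job: an added example (not SANS, Sonatype or Apache code) that reads a Maven POM, pulls out org.apache.logging.log4j dependencies and flags anything pinned below a floor of 2.17.1, the version the note names. The POM snippet is constructed for the example; property-based versions such as ${log4j.version} are treated as unapproved because they cannot be verified without resolving the build.

```python
"""Flag Log4j artifacts pinned below an approved floor in a Maven POM."""
import re
import xml.etree.ElementTree as ET

APPROVED_FLOOR = (2, 17, 1)  # Log4j 2.17.1, the fixed version named in the note
LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_ARTIFACTS = {"log4j-core", "log4j-api"}


def parse_version(text):
    """Turn '2.17.1' or '2.15.0-rc1' into a comparable tuple of ints."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def find_log4j_deps(pom_xml):
    """Return (artifactId, version) for every Log4j <dependency> in the POM."""
    found = []
    for dep in ET.fromstring(pom_xml).iter():
        if dep.tag.split("}")[-1] != "dependency":  # strip the POM namespace
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in dep}
        if fields.get("groupId") == LOG4J_GROUP and fields.get("artifactId") in LOG4J_ARTIFACTS:
            found.append((fields["artifactId"], fields.get("version", "")))
    return found


def unapproved(pom_xml, floor=APPROVED_FLOOR):
    """Return Log4j artifacts that are unpinned, property-based, or below the floor."""
    bad = []
    for artifact, version in find_log4j_deps(pom_xml):
        if not version or version.startswith("${"):
            bad.append((artifact, version or "<unpinned>"))  # cannot verify: fail closed
        elif parse_version(version) < floor:
            bad.append((artifact, version))
    return bad


# Constructed sample POM for the example: one stale core, one current api.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId><version>2.14.1</version></dependency>
  <dependency><groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId><version>2.17.1</version></dependency>
</dependencies></project>"""

if __name__ == "__main__":
    for artifact, version in unapproved(SAMPLE_POM):
        print(f"UNAPPROVED {artifact} {version}")  # a CI gate would exit non-zero here
```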

2022-01-10

FTC’s Log4j Requirement May Prove Difficult

While the US Federal Trade Commission (FTC) has said it will pursue legal action against companies that fail to implement mitigations to protect customers from the Log4j vulnerabilities, experts point out that identifying all instances of Log4j is likely to prove difficult. And beyond that, in some cases companies may not have access to the vulnerable apps because they are hosted elsewhere or are on a SaaS platform.

Editor's Note

While the path the FTC wants to follow may be tricky, don’t count on that keeping you insulated. Be aware of which applications you have, both internally and outsourced/cloud services. Document risk decisions you have made and actions taken. Include supplier notices about Log4j applicability and remediation. Verify that your monitoring and defenses are operating as planned.

Lee Neely

2022-01-07

NHS: Attackers Exploiting Log4j Flaw in VMware Horizon Servers

The UK’s National Health Service (NHS) says that an unspecified group of threat actors is exploiting a Log4j vulnerability in VMware Horizon servers “in order to establish persistence within affected networks.” The NHS cyber alert lists indicators of compromise and suggested remediations. VMware has released updates to address the Log4j vulnerabilities.

Editor's Note

The VMware advisory VMSA-2021-0028 (https://www.vmware.com/security/advisories/VMSA-2021-0028.html) covers all their products impacted by the CVE-2020-44228 and CVE-2021-45046 vulnerabilities, including update and mitigation information. Make sure that you review the status for ALL your VMware products, taking appropriate actions where needed. Note some products still don’t have a released patch; be prepared to implement the identified mitigations.

Lee Neely

2022-01-10

URL Parsing Library Bugs

Researchers from Claroty and Snyk discovered eight vulnerabilities in 16 URL parsing libraries. Most of the issues were due to the use of multiple parsers in projects or specification incompatibility.

Editor's Note

Parsing URLs is hard. And it isn't made easier by ever changing, and in part conflicting, standards. Great paper and a must read for anybody doing web development.

Johannes Ullrich

While the parsers have been updated to address the inconsistencies, due care is also required to make sure that you’re consistent in how you’re parsing URLs and that the returned information is the actual information you are seeking rather than a subset or omission of critical information. Consider standardizing on a standard library for consistent results.

Lee Neely

2022-01-07

QNAP Warns NAS Users to Protect Devices

In a Product Security Statement on January 7, QNAP urged its customers to take steps to secure their devices to protect them from active ransomware and brute force attacks targeting network-attached devices. The statement offers instructions for protecting Internet-connected devices.

Editor's Note

Looks like QNAP now agrees with what I have been posting here in the past to similar vulnerabilities: Get your NAS devices off the internet (or get pwn3d, which may be fun too).

Johannes Ullrich

Repeat after me: I solemnly swear not to expose NAS to the Internet. If you really must expose it, make sure that remote administration is disabled and follow the vendor guides for securing it. Monitor access, applications loaded and activity. Lastly, make sure you’ve got a disconnected backup in case it does get compromised, corrupted, or otherwise exploited.

Lee Neely

2022-01-10

Guidance to Protect Devices from Commercial Surveillance Tools

The US National Counterintelligence and Security Center (NCSC) and the Department of State have jointly published guidance to help people protect themselves from surveillance technology. According to the guidance, “Journalists, dissidents, and other persons around the world have been targeted and tracked using these tools.” The advisory suggests several security practices to guard against surveillance tools, but notes that “While these steps mitigate risks, they don’t eliminate them. It’s always safest to behave as if the device is compromised, so be mindful of sensitive content.”

Editor's Note

Enforce encryption, OS updates, and password requirements with your MDM, refrain from installing applications or updates “on the road” and use a trusted VPN anyplace you are unfamiliar with your connectivity regardless of method. In addition to the guidance, consider using a loaner device when on foreign travel, particularly to high-risk areas.

Lee Neely

In the SANS 2020 New Attacks and Threat report (download from https://www.sans.org/white-papers/39520/), SANS instructor Heather Mahalik detailed this type of threat to mobile phones and top mitigation approaches.

John Pescatore

2022-01-10

WordPress Security Update

The WordPress 5.8.3 Security Release includes fixes for four vulnerabilities: two SQL injection flaws, a cross site scripting flaw, and an admin object injection issue. The vulnerabilities affect WordPress versions 3.7 through 5.8. Three of the vulnerabilities have been rated high severity.

Editor's Note

Automatic updates should have already taken care of applying this update. If not, you can update your site via the administrator dashboard. You can also check the version using the WordPress CLI. If you’re on an older branch, and not able to move to 5.8.3, review the WordPress download site to ensure you’re on the latest for that version, then kick off the project to move to the 5.8 branch.

Lee Neely

Internet Storm Center Tech Corner

Extracting Cobalt Strike Beacons from MSBuild Scripts

https://isc.sans.edu/forums/diary/Extracting+Cobalt+Strike+Beacons+from+MSBuild+Scripts/28200/


The JNDI Strikes Back: Unauthenticated RCE in H2 Database Console

https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/


Trojanized dnSpy app drops malware cocktail

https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/


FIN7 Attackers Sending Malicious USB Sticks

https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/


New MacOS Vulnerability Could Lead to Unauthorized User Data Access

https://www.microsoft.com/security/blog/2022/01/10/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access


Exploiting URL Parsers

https://claroty.com/wp-content/uploads/2022/01/Exploiting-URL-Parsing-Confusion.pdf


NPM libs "colors" and "faker" sabotaged by developer

https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/