Shortening Certificate Lifecycles; SolarWinds Hardcoded Credential Vulnerability; State-Sponsored Hackers are Targeting Critical Infrastructure

This change has been discussed for about a year now. It is important to automate certificate renewals, if possible with standard protocols like ACME. Some certificate authorities may also offer their own solutions, but be careful before you lock yourself into a proprietary solution.

The CA Browser Forum has now been around for almost 20 years and has always been slow to make needed progress in making an SSL trust chain actually trustable. In 2011, compromise of a Comodo affiliate Registration Authority resulted in bogus certificates being issued for domains at Yahoo, Google, Skype, Mozilla and others. This pointed out how weak the strength of registration validation was, and in 2014 the Heartbleed OpenSSL vulnerability was discovered and we saw how badly certificate revocation was handled. The changes recommended are long overdue. Imagine if we said 'Let's only patch Windows once every 398 days because sys admins are complaining.' CIOs like to talk about rapid development and CI/CD pipelines - if IT operations can really do that they should be able to patch operating systems every 2 weeks and renew certificates every 45 days by 2027.

With the advent of Let's Encrypt, I would say this is an excellent idea for a large set of websites on the internet. Where this is problematic are protocols that live outside of the web. Some certificates are used internally between services in various places. One example is 802.1X/NAC with EAP and EAP-TLS. Another example is Smart Cards. There are just some places where renewing certificates is more problematic and impactful. Let's do this where we can and consider something longer-term where we cannot.

There will have to be agreement on duration: 90, 45, etc. Shorter lifetime reduces the amount of time a compromised certificate can be used, reducing risk and improving security. This will also require automation as we're busy putting certificates on endpoints, mobile devices, and about any service which supports it, and there is no good way continue manual updates. Let's Encrypt already only issues 90-day certificates. Even with 398-day expirations, start automating certificate updates; your future self, who isn't getting the expired certificate ticket, will thank you.

I hope Solarwinds does not blame the intern this time. The password isn't Solarwinds123 É is it?

CVE-2024-28986, Java Deserialization RCE flaw, CVSS score 9.8, and CVE-2024-28987, hardcoded credential flaw, CVSS score 9.1, are fixed in SolarWinds Web Help Desk (WHD) 12.8.3 Hotfix 2 or 3. As WHD 12.8.3 Hotfix 3 is now available, if you've not already applied HF 2, go straight to HF3. Per the NIST KEV, you have until November 5th to remediate this vulnerability.

This was expected as soon as the credentials became public.

Ugh, hardware credential baked into the product. That's bad enough, but to have to announce another hot fix in the span of six months after the last bugaboo that gained so much notoriety Not a good look for the company after it tried to calm jittery customers with an independent third-party audit and security focused marketing blitz.

MFA push bombing attacks are why you should be looking at phishing resistant MFA. If you've rolled out MFA, make sure that you're covering all Internet facing services. Train users to detect unsuccessful login attempts, deny MFA requests they didn't generate, and ensure that MFA, where enabled, is properly configured. Make sure that passwords, where used, are strong and follow the latest NIST 800-63 guidance, and that you're disabling accounts in an expeditious fashion. Make sure that you're tracking password reset requests for attempts to bypass your processes.

Can't we just get to the point where we say, if you're internet facing, you're being targeted? I mean, nation state, cyber-criminal, hacktivist, they're all using the same tactics listed. If I'm a defender, I already know I'm a target of some organization. The best thing I can do is be religious in the patching, configuring, and monitoring of my enterprise. Have we 'over-rotated' on the value of threat intelligence?

Even the most obvious bears repeating.

While we tend to think of NSA in its SIGINT mission, they also have responsibility for COMSEC. They will get it right in time.

We can barely get companies on TLS 1.3 or just on TLS 1.2, released in 2008. Some work is already being done out of various universities claiming to have 'broken' RSA and possibly AES. Broken is probably the wrong way of thinking about it. They have proven prime number factorization to decrypt RSA in a reasonably fast amount of time using Quantum computing. This means that there may not be a reasonably good enough cryptographic set of algorithms that would be truly secure for some time. This is the current thinking, which probably means that we need to be much more agile in quickly changing ciphers.

CISA continues to shine the light on bad coding practices in support of their Secure by Design, Secure by Default, and Secure Operations initiatives. Those old shortcuts and bad practices need to become a thing of the past. Regrettably, some systems may need a forklift replacement rather than the end-to-end revamping of the security. The best plan is to work with your suppliers on what their plans are, and make sure that your internal SQA practices are set up to catch these bad practices.

Trying to teach good practice is not working. Calling out bad practice is worth a try.

Good practice in navigation, land, sea, and air, is to use more than one method. It is equally good practice in security.

Pilots compare flying during the jamming, which lasts 6-8 minutes at a time, to being transported back 30 years in time. The ground-based systems are becoming less common due to their increased cost versus GPS. Currently, these attacks are largely in the vicinity of the Russia/Ukraine conflict and now also include jamming of the GNSS satellite and ground communications bands. Even devices like iPads, which use multiple GPS satellites for accuracy and resiliency, are impacted by the jamming.

Except for the Actionable Insights sections, this should really be called the Microsoft Digital Threat Report 2024. I tried to get the Chat GPT AI bot to just pull those sections - most of them started with 'Move to Multi-Factor Authentication' - but could not get it to do it. To save you a lot of reading, 70 pages in I found this summary for OT security that really is the same for IT: 'Based on this work we've identified three core actions that, if taken by the operations technology industry, would significantly improve the security of systems across the industry: 1 Adopt modern authentication for users and devices. 2 Enable centralized device configuration management and secure apps and devices by default. 3 Implement a Secure Development Lifecycle (SDLC) program for product development that is certified by independent security experts.'

The top targeted sectors worldwide are, IT (24%), Education and Research (21%), Government (12%), Think tanks and NGOs (5%), Transportation (5%), Consumer Retail (5%), Finance (5%), Manufacturing (4%), Communications (4%), and other (16%). From 2023 to 2024 there is an increase of over 13 trillion security signals per day with over 1500 unique threat groups tracked. While many of the recommended mitigations are familiar, note that OT is even more firmly on the radar as trends show an increasing focus on attacking these components. The report is 114 pages, while the summaries are about 14, so you want to start there first.

The report weighs in at a beefy 114 pages. As always, chock full of interesting tidbits on the evolving threat and security, including AI. Here's the bottom line by Tom Burt: "We all can, and must, do better, hardening our digital domains to protect people at all levels." That quote was applicable in 2023, in 2022, in 2021, É you get the picture.