CISA sent an unusual warning late last week. The federal cybersecurity agency instructed government IT departments to drop everything and patch their Windows servers.
The source of all their fears? The Zerologon vulnerability, disclosed last week. August's Patch Tuesday fixed the bug, but it's feared many organizations will have delayed installing it on their AD domain controllers.
The thing is, Zerologon rates a perfect 10 on the CVSS scale. In today's SBBlogwatch, we run and hide.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Maiden Goes To Hollywood.
What's the craic, Zack? Mister Whittaker reports: Homeland Security issues rare emergency alert:
The Cybersecurity and Infrastructure Security Agency, better known as CISA, [is] requiring all federal departments and agencies to immediately patch any Windows servers vulnerable to the so-called Zerologon attack, citing an unacceptable risk to government networks. Rated the maximum 10.0 in severity, [it] could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers. The bug was appropriately called Zerologon, because an attacker doesn't need to steal or use any network passwords to gain access to the domain controllers. With complete access to a network, an attacker could deploy malware, ransomware, or steal sensitive internal files. Although the CISA alert only applies to federal government networks, the agency said it strongly urges companies and consumers to patch their systems as soon as possible if not already.
And Dan Goodin adds: Agencies that don't update must disconnect all domain controllers:
Microsoft published a patch last Tuesday. No later than 11:59pm EDT on Wednesday, agencies are to submit a completion report attesting the update has been applied to all affected servers or provide assurance that newly provisioned or previously disconnected servers will be patched. It's possible for attackers to exploit the vulnerability over the Internet [if] organizations expose their domain controllers. [Or, if they] have exposed Server Message Block or Remote Procedure Call, [it] may be exploitable. Queries using the Binary Edge search service show that almost 30,000 domain controllers are viewable and another 1.3 million servers have RPC exposed. Zerologon is tracked as CVE-2020-1472. Further raising the stakes was the release by multiple researchers of proof-of-concept exploit code that could provide a roadmap for malicious hackers. Researchers continue to find evidence that people are actively developing attack code. Given the stakes and the amount of publicly available information about the vulnerability, it wouldn't be surprising to see in-the-wild exploits emerge in the coming days.
Feeling smug because you don't use Windows? Stop that, say Samba's Andrew Bartlett and Douglas Bagnall:
Installations running Samba as the Active Directory DC [or] the classic/NT4-style DC [are] vulnerable. However, since version 4.8 the default behaviour of Samba has been to insist on a secure netlogon channel, equivalent to having server schannel = yes in the smb.conf. Versions 4.8 and above are not vulnerable unless they have the smb.conf lines server schannel = no or server schannel = auto. Samba versions 4.7 and below are vulnerable unless they have server schannel = yes. Each domain controller needs the correct settings in its smb.conf. Samba 4.10.18, 4.11.13, and 4.12.7 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. Our Code, Our Bugs, Our Responsibility.
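The Samba advisory above gives a version-dependent rule for the server schannel setting. The following audit script, an added example and not code from the Samba project, applies that rule to a domain controller's smb.conf; the sample configs inside it are constructed, and the version strings and function names are this example's own.

```python
"""Check one Samba DC's smb.conf for CVE-2020-1472 exposure.

Rule taken from the Samba advisory:
  - 4.8 and above: secure by default; vulnerable only if the [global]
    section sets 'server schannel = no' or 'server schannel = auto'.
  - 4.7 and below: vulnerable unless 'server schannel = yes' is set.
Only the [global] section counts; the parameter is not valid elsewhere.
"""
import re

SECURE_VALUES = {"yes", "true"}
INSECURE_VALUES = {"no", "false", "auto"}


def parse_version(version: str) -> tuple:
    """'4.10.18' -> (4, 10, 18); a packaging suffix such as '-Ubuntu' is dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    return tuple(int(x or 0) for x in m.groups())


def global_setting(smb_conf: str, key: str):
    """Value of `key` in [global], or None if unset. Samba ignores case and
    whitespace in parameter names and lets the last occurrence win."""
    wanted = key.replace(" ", "").lower()
    section, value = None, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        k, v = (s.strip() for s in line.split("=", 1))
        if k.replace(" ", "").replace("\t", "").lower() == wanted:
            value = v.lower()
    return value


def zerologon_exposed(samba_version: str, smb_conf: str) -> tuple:
    """Return (vulnerable, reason) for one DC, per the advisory's rule."""
    major, minor, _ = parse_version(samba_version)
    setting = global_setting(smb_conf, "server schannel")
    secure_default = (major, minor) >= (4, 8)
    if setting is None:
        if secure_default:
            return False, "server schannel unset; 4.8+ default is secure"
        return True, "server schannel unset; 4.7 and below default is insecure"
    if setting in SECURE_VALUES:
        return False, f"server schannel = {setting} enforces a secure channel"
    if setting in INSECURE_VALUES:
        return True, f"server schannel = {setting} permits an insecure netlogon channel"
    return True, f"unrecognised value {setting!r}; treat as vulnerable"


# Constructed sample: a 4.11 DC that re-enabled the insecure fallback.
SAMPLE_CONF = "[global]\n   workgroup = EXAMPLE\n   Server SChannel = auto\n[netlogon]\n   path = /var/lib/samba/sysvol\n"

if __name__ == "__main__":
    print(zerologon_exposed("4.11.12", SAMPLE_CONF))
```

Run it against each DC's smb.conf and smbd version; a True result means the DC still needs the setting fixed regardless of whether the patched release is installed.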
Wait. Pause. Why haven't these IT people already done the job? v1 can't understand what's taking them so long:
The CVE was initially released on August 11. Funny they're just now in a hurry to patch a severity-10 that's been out now for six weeks. Granted, it took Microsoft until last Tuesday to publish a patch, but any competent admin would have looked at that and said "that goes on now" and has already closed that barn door. Sure, tell the idiots to get it done immediately, then review the completion reports and fire everyone that waited until they were ordered to patch their servers, and hire competent replacements.
But acdha reckons it ain't that simple:
You're missing the biggest reason: enterprise IT shops with strict change management processes and, especially in government, years of austerity budgets cutting resources for both sysadmins and rigorous testing. If you have a change management process which takes a month to approve updates, the problem is not the sysadmin. If years of skimping means that the operators are afraid to patch because they'll be punished if it breaks things and they don't have a robust testing process, the problem is not the sysadmin. This is more expensive than people like to admit. You either need to accept lower security/reliability or spend more on staff, capacity, and licenses. Lots of places try to cut that corner and it'll seem to work until, as Warren Buffett likes to say, the tide goes out. This is a really tricky problem in government because the pay scales can be very hard to change. Historically the higher-level positions were senior and relatively limited, so it's not like you can just effortlessly bump all of your developer positions up to the highest grade without hitting budget caps. That probably means you're hiring people at lower levels which are more like entry level pay.
And Deputy Cartman's been there, done that, bought the T-shirt:
Once organizations reach a certain size, they seem to instill a very very strong sense of "Don't rock the boat if you don't have to" mindset. You want to be proactive and apply a patch? Well what if it breaks something!? Just sit on your ***, keep looking at Tik-Tok, and counting down the days for your pension. Fix **** after the duct tape breaks, and move on with your life. I'm already starting to feel this way at my defense company job due to its size. Fixing all the **** I'm seeing that's pants-on-head stupid would go about as well as punching a concrete wall until my fists are hamburger. Just roll your eyes, take your time with that 8th cup of coffee, and just do what you can.
What went wrong, anyway? With a neat précis, here's tialaramex:
This is an amazing bug. What happens is, you're supposed to fill out a bunch of bytes as proof of who you are, and then a bunch of bytes that represent stuff like seconds since the start of the Unix epoch. If you can't do this, NetLogon figures you aren't really who you say you are. The exploit is: Fill everything out with all zeroes. This will succeed one time in 256 on average. [It] isn't a bug in the code, it's a design mistake: If you implement exactly what Microsoft's design document says for NetLogon, one time in 256 all zeroes lets you in. By design. Stupid stupid design. It stands out how terrible Microsoft is at cryptographic design. Microsoft does this over and over.
IT people deserve blame too. Coppercloud dreams up the best simile:
Wait, people have domain controllers present on the public internet? Like, no firewall, port forwarded or no NAT, no VPN? Just out there? This is plugging a hole in a leaky chicken fence and hoping it floats.
Cue: the inevitable conspiracy theory. jiggawatts approaches 88 mph:
I am now convinced that Microsoft is purposefully degrading the quality of the cryptography at the behest of the NSA. Microsoft products have all of the following current cryptographic problems: There is no support for TLS 1.3. HSTS is very hit and miss. Until very recently, you'd have to jump through hoops to enable TLS 1.1 and 1.2. Across a forest trust, RC4 is the default cipher. If you try to enforce AES ciphers you'll break some forms of single-sign-on from Azure AD. If you use ECC certificates, you're stuck with the handful of now very thoroughly legacy curves. You can't have elliptic curve certificates with: NDES, AD FS, SQL Server, SCCM until very recently, and in fact just about every Microsoft product except for IIS. Which I remind you still can't do TLS 1.3. Azure Key Vault can't issue anything but RSA certificates from third-party CAs. The NSA does exist. They do degrade cryptographic algorithms, either through national security letters or simply bribery. The Dual_EC_DRBG fiasco happened. It really happened. Private United States based organisations do cooperate with these programs, either willingly or because they are forced to. It's one thing to accuse a neighbour randomly of murder. It's entirely another thing if you see them putting a shockingly large and heavy rolled up carpet in the boot of their car.
Meanwhile, kaur thinks a thought experiment:
Every country in the world is [asking] questions: Why do we use a consumer OS built by a US company? Can we trust the USA to be our ally and not abuse its power over Microsoft? Can we trust the USA to stay our ally in the foreseeable future?
Maiden Goes To Hollywood
You have been reading SBBlogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites so you don't have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
Image sauce: Ryan McGuire (via Pixabay)
Feds Yell PATCH NOW over Windows AD Zerologon Vuln - Security Boulevard