Today, President Joseph R. Biden signed an Executive Order (EO) to build U.S. capacity to evaluate and mitigate the risks of Artificial Intelligence (AI) systems to ensure safety, security, and trust, while promoting an innovative, competitive AI ecosystem that supports workers and protects consumers. The U.S. Department of Commerce will play a key role in implementing the EO, combining sophisticated standards and evaluation capabilities with a robust combination of reporting requirements and voluntary measures. Specifically, the National Institute of Standards and Technology (NIST), the Bureau of Industry and Security (BIS), the National Telecommunications and Information Administration (NTIA), and the U.S. Patent and Trademark Office (USPTO) will be responsible for carrying out a significant portion of the EO’s objectives.
Month: October 2023
NCCoE Releases Drafts for NIST SP 1800-36, Trusted IoT Onboarding (Vols. B, C, and E)
The NIST National Cybersecurity Center of Excellence (NCCoE) has released the second preliminary drafts of volumes B, C, and E for NIST Special Publication (SP) 1800-36, Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management. The public comment period for the drafts is open through December 15, 2023.
About the Project
Provisioning network credentials to IoT devices in an untrusted manner leaves networks vulnerable to having unauthorized IoT devices connect to them. It also leaves IoT devices vulnerable to being taken over by unauthorized networks. Instead, trusted, scalable, and automatic mechanisms are needed to safely manage IoT devices throughout their lifecycles, beginning with secure ways to provision devices with their network credentials—a process known as trusted network-layer onboarding. Trusted network-layer onboarding, in combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement, could improve the security of networks and IoT devices.
This practice guide aims to demonstrate how organizations can protect both their IoT devices and their networks. The updated drafts of volumes B, C, and E describe advancements to the IoT onboarding functional implementations. To achieve this, the NCCoE is collaborating with product and service providers to produce example implementations of trusted network-layer onboarding and of capabilities that improve device and network security throughout the IoT-device lifecycle.
Submit Your Comments
The public comment period for draft vols. B, C, and E is open until 11:59 p.m. EST on Friday, December 15, 2023. The second preliminary drafts of vols. A and D released last month are also available for comment until 11:59 p.m. EST on Friday, November 10, 2023.
Visit the NCCoE IoT Onboarding project page for the draft publications and comment form.
Microsoft Azure Virtual Training Day: Digitally Transform with Modern Analytics
Create more business impact using proactive and predictive analytics at Azure Virtual Training Day: Digitally Transform with Modern Analytics from Microsoft Learn. Join us for this free training event to learn how to build an analytics solution using Azure Synapse Analytics. Maximize your organization’s intelligent decision-making capabilities and learn to build an end-to-end solution by preparing data for storage, processing, and analysis.
You will have the opportunity to:
- Create a data warehouse in the cloud.
- Accelerate your big data engineering with Spark in Azure Synapse Analytics.
- Build automated data integration with Azure Synapse Pipelines.
- Learn to perform operational analytics with Azure Synapse Link.
Join us at an upcoming two-part event:
- November 27, 2023 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)
- November 28, 2023 | 12:00 PM – 2:00 PM | (GMT-05:00) Eastern Time (US & Canada)
Delivery Language: English
Closed Captioning Language(s): English
Okta Breach
Last week, Okta, an identity and access management (IAM) service provider, identified adversarial activity that leveraged a stolen credential to access its support case management system. The threat actor was able to view sensitive HTTP Archive (HAR) files uploaded by a limited number of Okta customers as part of recent support cases. HAR files record the traffic exchanged between a web client and a web server and can contain sensitive information such as authentication tokens, API keys, and session cookies. Okta’s support team typically asks customers to share these files when submitting a support ticket so that the Okta technician can replicate and troubleshoot the browser activity. Okta stated that all impacted customers were notified, including BeyondTrust, Cloudflare, and 1Password. These organizations successfully terminated or blocked the malicious activity using a defense-in-depth approach.
Multi-factor authentication (MFA) continues to be targeted by threat actors. Last month, Okta revealed social engineering campaigns targeting the IT service desk personnel of US-based Okta customer organizations in attempts to reset MFA for high-privilege users. The threat actor then leveraged the compromised Okta Super Admin accounts to abuse legitimate identity features and impersonate users within the compromised organization. Impacted organizations include MGM and Caesar’s Palace, ultimately affecting millions of patrons worldwide due to subsequent ransomware attacks.
Logging Made Easy
The Cybersecurity and Infrastructure Security Agency (CISA) announced Logging Made Easy, a new Windows-based, free and publicly available log management solution designed to help organizations, especially target-rich/cyber-poor organizations, more effectively use available security data to detect and address cyber threats. Logs give an administrator insight into their system and network performance. More specifically, logs pinpoint exactly who is connected to a device and how they are using it. System records, coupled with the practice of protective monitoring (the act of reviewing logs, either manually or through automation), play an integral part in mitigating risk and identifying vulnerabilities as part of a proactive cybersecurity posture. Logging Made Easy can help target-rich/cyber-poor organizations leverage key data to detect and mitigate intrusions more effectively. No sign-up or lengthy onboarding is required.
It is right for your organization if:
- You are a small organization with limited resources and need a centralized logging capability.
- You do not have a Security Operations Center, a Security Information and Event Management solution, or any active monitoring functions currently in place.
- You have small, isolated networks where your existing corporate monitoring practices cannot reach.
- You recognize the value of gathering logs and monitoring your enterprise’s information technology but lack a service that allows you to do so.
Those with further questions may contact the CISA Cybersecurity Shared Services Office at cybersharedservices@cisa.dhs.gov.
Securing API Keys, Access Tokens, and Secrets
In an increasingly digital society, enterprise systems and software services offer various solutions that address the needs of government entities, organizations, and small businesses. The inner workings of these systems and services rely on vital components such as API keys, access tokens, and secrets to deliver business functionality to their clients. An API (Application Programming Interface) allows software components to connect and communicate with one another. API keys are a unique series of characters that grant verified access to an API and keys can be obtained through the permission of the API owner. Access tokens are similar to API keys; however, they contain a limited scope of what can be accessed and have a temporary lifespan. Secrets are sensitive credentials or privileged information that are contained or used within an application. These components are often connected to systems or services that store sensitive or business-critical data, and the increased reliance on them incentivizes cybercriminals to conduct cyberattacks. We explore Microsoft’s investigative report of the Storm-0558 key acquisition, lessons learned, other incidents, and recommendations to secure API keys, access tokens, and secrets.
On July 11, 2023, Microsoft published an initial post about a cyberattack in which the advanced persistent threat (APT) actor tracked as Storm-0558 accessed and exfiltrated unclassified email data from various government agencies. The threat actor gained access to enterprise email accounts on Outlook Web Access in Exchange Online (OWA) and Outlook.com by discovering a leaked Microsoft Account (MSA) consumer key, which enabled the threat actor to forge access tokens for the enterprise email accounts. MSA consumer keys allow a user to cryptographically sign into a Microsoft consumer service, while an access token is a string that enables clients to call protected web APIs securely.
Microsoft’s Investigative Report of Storm-0558 Key Acquisition
On September 6, 2023, Microsoft published the results of its investigation into how Storm-0558 acquired the MSA consumer key used to forge access tokens to OWA and Outlook.com. A consumer signing system crash in April 2021 caused a snapshot of the crashed process to be stored in a “crash dump.” Crash dumps are created when an application hits an exception or error while running its code, and they contain vital diagnostic data that help a software development team understand what caused the error. Under standard Microsoft debugging procedure, the crash dump should have been cleaned of any sensitive data, such as signing keys or access tokens, before being moved into a debugging environment. However, Microsoft’s credential scan failed to detect the sensitive information in the crash dump. The APT actor retrieved the key after compromising a Microsoft engineer’s corporate account, which gave the attackers access to the debugging environment that held the crash dump containing the consumer key.
A consumer key alone should not have been enough: accessing enterprise applications requires an enterprise key. In September 2018, Microsoft introduced a common key metadata publishing endpoint that allows customers to access various accounts with a single click. To accommodate this change, Microsoft updated its documentation and libraries to automatically check the scope of the keys; the scope determines whether a key is authorized to sign for a consumer or an enterprise account. However, the libraries that perform this scope validation failed to verify the key type. As a result, the mail system accepted tokens for enterprise email that had been forged with the consumer key, giving the actor access to OWA and Outlook.com.
Lessons Learned
The Storm-0558 key acquisition highlights that the Azure AD Software Development Kit (SDK) should have included better documentation for validating an access/authentication token’s issuer ID, which would have enabled developers both within Microsoft and outside the organization to implement token validation correctly. Also, any debugging logs and crash dumps that store secrets should be disposed of routinely or when no longer needed. Additionally, mechanisms that scan components for secrets should be regularly tested and monitored to ensure their efficacy. Furthermore, keys and tokens should be rotated or set to expire regularly to limit the impact of a breach of API keys or access tokens.
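As an added illustration of the scope-validation failure described above (this is example code, not Microsoft’s library and not the real MSA key or token format): a verifier that checks only the signature against any key in the published set accepts a token minted with a consumer-scoped key for an enterprise request, while a verifier that also binds each key to its scope and issuer rejects it. Key names, secrets and issuer URLs are constructed, and HMAC stands in for the asymmetric signatures a real key-publishing endpoint would serve.

```python
import base64
import hashlib
import hmac
import json

# Constructed, simplified key metadata. A real published key set carries public
# keys; here each entry holds an HMAC secret plus the scope the key is
# authorised to sign for and the issuer it belongs to. All values are made up.
KEY_SET = {
    "consumer-key-1": {"secret": b"consumer-demo-secret", "scope": "consumer",
                       "issuer": "https://login.example.test/consumers"},
    "enterprise-key-1": {"secret": b"enterprise-demo-secret", "scope": "enterprise",
                         "issuer": "https://login.example.test/enterprise-tenant"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWS-style token (HS256) under the named key."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = header + "." + payload
    sig = hmac.new(KEY_SET[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def verify_signature_only(token: str) -> bool:
    """Weak verifier: trusts any key in the published set and ignores its scope."""
    header, _, sig, signing_input = _parse(token)
    key = KEY_SET.get(header.get("kid"))
    if key is None:
        return False
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def verify_token(token: str, expected_scope: str) -> bool:
    """Hardened verifier: signature, then key scope, then issuer bound to that key."""
    if not verify_signature_only(token):
        return False
    header, claims, _, _ = _parse(token)
    key = KEY_SET[header["kid"]]
    if key["scope"] != expected_scope:
        return False  # a consumer-scoped key must never authenticate an enterprise request
    return claims.get("iss") == key["issuer"]
```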
Other Incidents
Earlier this year, on February 7, 2023, the Cybernews research team discovered publicly accessible environment files hosted on Lowe’s Market website that leaked access tokens to AWS S3 buckets containing website-related assets and API keys to third-party services. These API keys provide access to various website and partner software functionality and may have allowed threat actors to steal user information, access partial credit card information, change product pricing, use the company’s official communication channels, and send emails to Lowe’s Market users.
On August 30, 2023, Sourcegraph, an AI-assisted coding platform, confirmed a security breach that led to the access of limited data, such as the license key holder’s name and email addresses for paid customers and account email addresses for community users. Malicious actors gained access to Sourcegraph’s data through a leaked administrative access token that was accidentally pushed to their code repository by a Sourcegraph engineer. Using the administrative access token, the threat actor created a new account with elevated privileges that was later used to navigate their admin dashboard containing user information.
More recently, on September 23, OpenSea, a non-fungible token (NFT) marketplace, notified its customers of a breach at a third-party vendor. The breach exposed the API keys of OpenSea’s customers. OpenSea attempted to mitigate the risks of the API key leak by informing users that their current keys would expire on October 2, 2023 and that clients should replace the expired keys. Although OpenSea has placed rate limits on API usage per key, this incident highlights the cyber risks posed by trusted third-party vendors and the impact their breaches can have on organizations.
Recommendations
Although every business has its own unique business-critical infrastructure or software, a few basic principles can be applied to all business-critical infrastructure or system software:
- Any secrets, such as passwords, API keys, access tokens, or personally identifiable information (PII), should not be stored in plaintext within logging environments. Encrypt secrets or tokens.
- Implement an expiration or rotation schedule for API keys or access tokens.
- Identify failure points in generating, verifying, and accepting access tokens or API keys and automate the process of updating these points whenever a change has been made.
- Implement the Principle of Least Privilege for API keys or access tokens.
- Set up logging capabilities to track the usage of secrets within your systems or software services.
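One way to act on the first recommendation and on the lesson that secret scanners must be tested, as an added example that is not part of the original article: a redaction filter that masks secret-shaped strings before they reach a log sink, paired with a self-test that plants constructed canaries so the scanner’s efficacy is checked rather than assumed. The patterns, canary values and class name are my own; the AWS access key ID prefix and the PEM private-key header are real formats.

```python
import logging
import re

# Constructed patterns for a few common secret shapes, applied in order.
# Each entry: (name, compiled pattern, replacement).
SECRET_PATTERNS = [
    ("bearer", re.compile(r"(?i)(bearer\s+)[a-z0-9._\-]{16,}"), r"\1[REDACTED]"),
    ("aws_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED]"),
    # A PEM header is followed by the key body, so mask everything after it.
    ("pem_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*"), "[REDACTED]"),
    ("kv_secret", re.compile(r"(?i)\b(api[_-]?key|secret|token|password)(\s*[=:]\s*)\S+"),
     r"\1\2[REDACTED]"),
]


def redact(text: str) -> tuple[str, list[str]]:
    """Return the text with secret-shaped substrings masked and the pattern names hit."""
    hits = []
    for name, pattern, replacement in SECRET_PATTERNS:
        if pattern.search(text):
            hits.append(name)
            text = pattern.sub(replacement, text)
    return text, hits


class SecretRedactingFilter(logging.Filter):
    """Attach to a handler so secrets never reach the log sink in plaintext."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so secrets passed as %-args are caught too.
        record.msg, _ = redact(record.getMessage())
        record.args = ()
        return True


def scanner_self_test() -> bool:
    """Plant one constructed canary per pattern and confirm each one is caught."""
    canaries = {
        "bearer": "Authorization: Bearer canary0123456789abcdef",
        "aws_key_id": "aws_access_key_id=AKIAABCDEFGHIJKLMNOP",
        "pem_key": "-----BEGIN PRIVATE KEY-----\ncanary",
        "kv_secret": "api_key=canary",
    }
    return all(name in redact(text)[1] for name, text in canaries.items())


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(SecretRedactingFilter())
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    logging.getLogger(__name__).info("login ok password=%s", "hunter22")
```

Run the self-test on a schedule (or in CI) so a regression in the patterns is noticed before secrets leak into logs.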
CyberSeek provides detailed, actionable data about supply and demand in the cybersecurity job market.
CyberSeek, a free online tool that can help career seekers learn more about cybersecurity, has been updated with new data showing a snapshot of open jobs across the United States. The new data reveals that the labor market for cybersecurity talent remains undersupplied, with approximately 315,000 more cybersecurity workers needed to close current supply gaps. Read the full press release or explore CyberSeek.org to learn about common job titles, average salaries, commonly requested credentials, and more!
Vulnerability in Cisco IOS XE Software Web UI
A vulnerability has been discovered in Cisco IOS XE Software Web UI that could allow for privilege escalation. Successful exploitation could allow an unauthenticated remote attacker to create an account on an affected system with privilege level 15 access and use that account to gain control of the affected system. The Cisco IOS XE Software Web UI is an embedded GUI-based system-management tool that ships with the default image.
Threat Intelligence
Cisco is aware of this vulnerability being exploited in the wild.
Systems Affected
This vulnerability affects Cisco IOS XE Software if the Web UI feature is enabled.
Risk
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home Users: Low
Technical Summary
According to Cisco, at this time a patch is not available, and there are no workarounds that address this vulnerability. As a defensive measure it is strongly recommended that users disable the HTTP Server feature on all internet-facing systems.
Recommendations
- Once available, apply appropriate patches provided by Cisco to vulnerable systems immediately after appropriate testing.
- Apply the Principle of Least Privilege to all systems and services.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Block execution of code on a system through application control and/or script blocking.
- Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Microsoft Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments
Grow your skills at Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments from Microsoft Learn. At this free event, you’ll learn to perform advanced hunting, detections, and investigations, and remediate security alerts with Microsoft Defender and Microsoft Sentinel. Using automated extended detection and response (XDR) in Microsoft Defender and unified cloud-native security information and event management (SIEM) through Microsoft Sentinel, you’ll learn to confidently perform investigations and remediations to help defend against threats.
You will have the opportunity to:
- Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
- Use Microsoft Defender for Cloud to perform cloud security posture management and to help protect cloud workloads.
- Understand ways to help protect people and data against cyberthreats with Microsoft technologies.
Join us at an upcoming two-part event:
- November 16, 2023 | 12:00 PM – 2:45 PM | (GMT-05:00) Eastern Time (US & Canada)
- November 17, 2023 | 12:00 PM – 2:00 PM | (GMT-05:00) Eastern Time (US & Canada)
Delivery Language: English
Closed Captioning Language(s): English
Register Now! NIST Personal Identity Verification Webinar
Register for our NIST Webinar! Learn about Revisions to Two of our Identity Special Publications
Event Date: November 8, 2023
Time: 1:00 PM-2:30 PM ET
Description:
The National Institute of Standards and Technology (NIST) will be hosting a webinar to introduce two recently published Public Draft Special Publications (SPs): The 3-part Drafts of SP 800-73 Revision 5, Interfaces for Personal Identity Verification (PIV) and Draft SP 800-78 Revision 5, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. These publications are complements to FIPS 201-3, which defines the requirements and characteristics of government-wide interoperable identity credentials used by federal employees and contractors.
The workshop will discuss the necessary changes made to the PIV card, its credentials, and cryptographic capability to align with FIPS 201-3.
Full Agenda:
1:00 PM-1:05 PM – Introduction and Welcome
1:05 PM-1:15 PM – Introduction to the PIV Standard
1:15 PM-1:45 PM – Changes to Draft SP 800-73 Revision 5
1:45 PM-2:15 PM – Changes to Draft SP 800-78 Revision 5
2:15 PM-2:30 PM – Key Dates/Next Steps/Closing
Visit the event page to register and learn more about the workshop. If you have any questions, please reach out to our team at piv_comments@nist.gov.