A quick Saturday digest of cybersecurity news articles from other sources.
NIST proposes barring some of the most nonsensical password rules
Proposed guidelines aim to inject badly needed common sense into password hygiene.
Last week, NIST released its second public draft of SP 800-63-4, the latest version of its Digital Identity Guidelines. At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully. It sets both the technical requirements and recommended best practices for determining the validity of methods used to authenticate digital identities online. Organizations that interact with the federal government online are required to be in compliance.
- Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
- Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
- Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
- Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
- Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
- Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
- Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
- Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
- Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
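The bullets above, turned into a verifier-side policy check and a hashing routine that covers the last rule (no truncation). This is an added example, not NIST's text or code from the article it summarizes. Two things in it go beyond the bullets and are assumptions from general practice: the NFKC normalization step before hashing, and the PBKDF2 parameters. Control characters are the only input the check rejects; every printing ASCII character, the space, and any other Unicode code point is accepted, and length is counted in code points rather than bytes.

```python
"""Password policy in the spirit of the SP 800-63-4 draft bullets quoted above.

Added example, not NIST text or project code.  Rules modelled: minimum 8
code points (15 recommended), maximum 64, all printing ASCII plus space plus
Unicode accepted, no composition rules, and verification of the ENTIRE
submitted password.  NFKC normalization and the PBKDF2 settings are
assumptions, not something the quoted bullets require.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

MIN_LEN = 8            # SHALL require at least this many code points
RECOMMENDED_MIN = 15   # SHOULD require at least this many
MAX_LEN = 64           # SHOULD permit at least this many; this cap is the strictest allowed
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumption: OWASP's current figure)


def check_policy(password: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate password.

    Length is len() of the str, i.e. Unicode code points, never UTF-8 bytes,
    and no mixture of character classes is demanded.
    """
    # Cc = control characters (newline, NUL, ...).  Everything else, including
    # the space, emoji and non-Latin scripts, is allowed.
    if any(unicodedata.category(ch) == "Cc" for ch in password):
        return False, "control characters are not permitted"
    n = len(password)
    if n < MIN_LEN:
        return False, f"too short: {n} code points, minimum is {MIN_LEN}"
    if n > MAX_LEN:
        return False, f"too long: {n} code points, maximum accepted is {MAX_LEN}"
    if n < RECOMMENDED_MIN:
        return True, f"accepted ({n} code points); {RECOMMENDED_MIN} or more is recommended"
    return True, "accepted"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash the whole password; nothing is cut off before hashing.

    NFKC normalization (assumption, see lead-in) makes visually identical
    strings typed through different input methods hash to the same value.
    """
    salt = salt if salt is not None else os.urandom(16)
    normalized = unicodedata.normalize("NFKC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", normalized, salt, ITERATIONS)
    return salt, digest


def verify(salt: bytes, stored_digest: bytes, submitted: str) -> bool:
    """Constant-time comparison of the full submitted password's hash."""
    _, digest = hash_password(submitted, salt)
    return hmac.compare_digest(digest, stored_digest)


def legacy_hash_truncated(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The anti-pattern the last bullet forbids: only the first 8 code points
    are ever hashed, so every string sharing that prefix is a valid password."""
    return hash_password(password[:MIN_LEN], salt)


def legacy_truncating_verify(salt: bytes, stored_digest: bytes, submitted: str) -> bool:
    """Verifier half of the same anti-pattern (constructed for contrast)."""
    return verify(salt, stored_digest, submitted[:MIN_LEN])


if __name__ == "__main__":
    for candidate in ["short", "p\u00e4ssw\u00f6rd", "\U0001f510" * 8,
                      "correct horse battery staple", "a" * 65]:
        print(repr(candidate)[:40], check_policy(candidate))
    salt, digest = hash_password("correct horse battery staple")
    print("full verify, wrong password:", verify(salt, digest, "correct horse but wrong"))
    salt, digest = legacy_hash_truncated("correct horse battery staple")
    print("truncating verify, wrong password:", legacy_truncating_verify(salt, digest, "correct horse but wrong"))
```

The constructed `legacy_*` pair is there to show why the truncation rule exists: with an 8-character cut-off, "correct horse but wrong" is accepted for a stored "correct horse battery staple" because both begin with "correct ". The same defect appears in real systems when a password hash function silently truncates (bcrypt at 72 bytes is the usual example), so a verifier that wants to honour the rule has to either pre-hash or use a function without a length limit.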
Threat Actors Continue to Exploit OT/ICS through Unsophisticated Means
09/25/2024 12:20 PM EDT
CISA continues to respond to active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector. Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm.
CISA urges OT/ICS operators in critical infrastructure sectors to apply the recommendations listed in Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity to defend against this activity. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage. For more information and guidance on protection against the most common and impactful threats, tactics, techniques, and procedures, visit CISA’s Cross-Sector Cybersecurity Performance Goals.
Tor anonymity compromised by law enforcement. Is it still safe to use?
Although the Tor network is generally considered an essential tool for anonymous browsing, German law enforcement agencies have managed to de-anonymize Tor users after keeping Tor servers under surveillance for months.
Before we go into what the agencies did, let's take a look at some basics of Tor.
How Tor works
On a daily basis, millions of people use the Tor network to browse privately and to visit websites on the dark web. Tor enhances privacy by directing internet traffic through at least three randomly chosen relays, or nodes. The client wraps its traffic in one layer of encryption per relay, so each node can strip only its own layer and learns only the addresses of its immediate neighbours; no single node sees both the user's IP address and the destination.
Here’s a closer look at how this mechanism works:
- Entry node: When you start browsing with Tor, your connection is first directed to an entry node, also known as a guard node. This is where your internet traffic enters the Tor network, with your IP address only visible to this node.
- Middle nodes: After entering the Tor network, your traffic passes through one or more middle nodes. These nodes are randomly selected, and each one knows only the IP address of the previous relay and the next relay. This prevents any single relay from knowing the complete path of your internet activity.
- Exit node: The last relay in the chain is the exit node. It decrypts the information from the middle relays and sends it out to the destination. Importantly, the exit node strips away layers of encryption to communicate with the target server but does not know the origin of the traffic, ensuring that your IP address remains hidden.
This layered model, like peeling an onion, is where Tor gets its name: Tor is an acronym for The Onion Router. Because each node removes only its own layer, no single node in the path knows both where the traffic came from and where it is going, which significantly increases the user's anonymity and makes it exceedingly difficult for any one observer to trace the full path of the data.
Although many researchers theoretically considered that de-anonymization was possible, in general it was thought practically unfeasible if a user followed all the necessary security measures.
How did the de-anonymization work?
German news outlet NDR reports that law enforcement agencies obtained data through months of server surveillance and processed it in a way that completely undid the anonymity Tor is supposed to provide. The reporters saw documents showing four successful measures in a single investigation.
After following up on a post on Reddit and two years of investigation, the reporters came to the conclusion that Tor users can be de-anonymized by correlating the timing patterns of network traffic entering and exiting the Tor network, combined with broad and long-term monitoring of Tor nodes in data centers.
If you can observe traffic at both the entry and the exit of the Tor network, you can correlate the timing and volume of a user's traffic, tied to their real IP address at the guard, with the traffic arriving at the destination, visible at the exit. Doing so normally requires controlling or observing both the guard node and the exit node of one circuit. Connecting to onion services removes the exit node from the picture, since the traffic never leaves the Tor network, but it does not remove the correlation risk: an adversary who can watch both the client's side and the onion service's side of the rendezvous circuit can attempt the same timing comparison.
The correlation relies on the timing and sizes of the packets (Tor cells) exchanged, not on their contents. Each relay sees when cells arrive on one side of a circuit and leave on the other, so a relay, or anyone monitoring its links, can pair incoming and outgoing traffic belonging to the same circuit. On its own that reveals nothing about message contents, and a middle node still sees only neighbouring relays, but once matched against a real IP address at the entry and a destination at the exit it establishes who is communicating with whom.
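To make the correlation concrete, here is an added simulation on constructed traffic. It is not from the article, NDR or the Tor Project, and the client and destination names, burst shapes, latency and jitter are all made up. Four clients send bursty traffic (page-load style bursts of 512-byte cells) into a simulated network; the exit side sees the same cells delayed by path latency plus jitter and labelled only by destination. A watcher holding both observations bins volume over time, tries a range of lags, and picks for each client IP the destination whose volume series correlates best. Everything it uses is timing and size; no content is ever decrypted.

```python
"""Traffic-timing correlation against Tor-style flows, on constructed data.

Added example; not from the article, NDR or the Tor Project.  Names,
latencies and traffic shapes below are invented for illustration.
"""
import random
from typing import Dict, List, Tuple

Event = Tuple[float, int]          # (seconds since start, bytes)
CELL = 512                         # Tor cell payload size, roughly


def make_bursty_flow(rng: random.Random, n_bursts: int, duration: float) -> List[Event]:
    """Synthetic client traffic: a few request/response bursts at random times,
    each a handful of cells 20 ms apart, like page loads."""
    events: List[Event] = []
    for _ in range(n_bursts):
        t0 = rng.uniform(0, duration)
        for k in range(rng.randint(3, 12)):
            events.append((t0 + 0.02 * k, CELL))
    return sorted(events)


def through_network(rng: random.Random, flow: List[Event],
                    latency: float = 0.35, jitter: float = 0.05) -> List[Event]:
    """What a watcher on the exit side sees: the same cells, delayed by path
    latency plus per-cell jitter.  Content is encrypted; only timing and
    volume survive the trip."""
    return sorted((t + latency + rng.gauss(0, jitter), size) for t, size in flow)


def bin_volume(events: List[Event], window: float, bin_s: float) -> List[float]:
    """Bytes per time bin over [0, window)."""
    nb = int(window / bin_s) + 2
    bins = [0.0] * nb
    for t, size in events:
        i = int(t / bin_s)
        if 0 <= i < nb:
            bins[i] += size
    return bins


def pearson(a: List[float], b: List[float]) -> float:
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return cov / (va * vb) ** 0.5


def correlate(entry_obs: Dict[str, List[Event]], exit_obs: Dict[str, List[Event]],
              duration: float, bin_s: float = 0.5, lag_max_s: float = 1.0,
              lag_step_s: float = 0.05) -> Dict[str, Tuple[str, float, float]]:
    """For every client IP seen at the entry side, return (best destination,
    correlation, estimated lag).  The entry series is shifted by each candidate
    lag before binning so that network latency does not smear the match."""
    window = duration + lag_max_s + 1.0
    exit_bins = {d: bin_volume(ev, window, bin_s) for d, ev in exit_obs.items()}
    lags = [i * lag_step_s for i in range(int(lag_max_s / lag_step_s) + 1)]
    matches: Dict[str, Tuple[str, float, float]] = {}
    for client, ev in entry_obs.items():
        best = ("?", -1.0, 0.0)
        for lag in lags:
            ebins = bin_volume([(t + lag, s) for t, s in ev], window, bin_s)
            for dest, xbins in exit_bins.items():
                r = pearson(ebins, xbins)
                if r > best[1]:
                    best = (dest, r, lag)
        matches[client] = best
    return matches


def demo(seed: int = 7) -> Tuple[Dict[str, str], Dict[str, Tuple[str, float, float]]]:
    """Build four constructed flows, observe them at both ends, run the
    correlation, and return (ground truth, watcher's conclusions)."""
    rng = random.Random(seed)
    duration = 60.0
    clients = ["client_A", "client_B", "client_C", "client_D"]      # constructed
    truth = {c: f"dest_{i}" for i, c in enumerate(clients)}          # constructed
    entry_obs: Dict[str, List[Event]] = {}
    exit_obs: Dict[str, List[Event]] = {}
    for c in clients:
        flow = make_bursty_flow(rng, rng.randint(3, 6), duration)
        entry_obs[c] = flow                                  # seen by guard-side watcher
        exit_obs[truth[c]] = through_network(rng, flow)      # seen by exit-side watcher
    return truth, correlate(entry_obs, exit_obs, duration)


if __name__ == "__main__":
    truth, matches = demo()
    for client, (dest, r, lag) in matches.items():
        mark = "OK " if dest == truth[client] else "BAD"
        print(f"{mark} {client} -> {dest}  r={r:.2f}  lag~{lag:.2f}s")
```

The lag search is what makes this work across a real network: the watcher does not need to know the path latency, only a plausible upper bound. The defences follow from the same model. Constant-rate padding on both sides flattens both series, so `pearson` has nothing to lock onto; a larger and more diverse set of relays lowers the chance that one party can see both ends of a circuit at all, which is exactly the point made in the next section.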
Tor is still safe, says Tor
The problem Tor faces is that it was designed with hundreds of thousands of nodes spread all over the world in mind. In reality there are about 7,000 to 8,000 active relays, and many of them sit in a small number of data centers. As a consequence, the "minimum of three" usually means "exactly three", and an adversary able to monitor traffic in those data centers sees a large share of all entry and exit traffic, which increases the potential effectiveness of timing attacks.
The Tor Project said:
“The Tor Project has not been granted access to supporting documents and has not been able to independently verify if this claim is true, if the attack took place, how it was carried out, and who was involved.”
Based on the information provided, the Tor Project concluded that one user of the long-retired application Ricochet was de-anonymized through a guard discovery attack. This was possible at the time because the user was running a version of the software that had neither Vanguards-lite nor the Vanguards add-on, both of which were introduced to protect users from this type of attack.
That is why they feel confident in claiming that Tor is still safe to use. We would add, however, that users should be aware that several law enforcement agencies, and cybercriminals, run Tor nodes, which can pose risks.
If you use Tor, here are some basic rules to stay as anonymous as possible:
- Always download Tor Browser from the official Tor Project website.
- Keep Tor Browser updated to the latest version for security patches.
- Use the default Tor Browser settings – don’t install add-ons or change the settings unless you know what you are doing and what the implications are.
- Enable the “Safest” security level in Tor Browser settings.
- Only visit HTTPS-encrypted websites.
- Avoid logging into personal accounts or entering personal information. If you post your personal information somewhere that undermines the whole idea of staying anonymous.
- Be extremely cautious about downloading files or clicking links, even more so on the Dark Web.
- Disable JavaScript if possible, although this may break some sites.
- Clear cookies and local site data after each browsing session.
- Consider a reputable VPN in addition to Tor for an extra layer of encryption, but be aware that the Tor Project does not generally recommend this combination: the VPN provider learns your real IP address and that you use Tor, and it does nothing against the traffic correlation described above.
- Run up-to-date antivirus/anti-malware software on your device.
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018 and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com