Crack me if you can

If you think that your Steam or Origin account with its handful of purchases and achievements is of no interest to cybercriminals, we have bad news. Every year, scammers indiscriminately steal hundreds of thousands of gaming accounts and sell them on the black market. The first barrier that protects your account from this fate is your password. We explain how to make it as strong as possible.

This Week in Security News: Payment Card Skimmer Attacks Hit 8 Cities and Survey Finds 72% of Remote Workers Have Gained Cybersecurity Awareness During Lockdown

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about eight U.S. cities that recently had payment card data stolen via point-of-sale skimming malware on their Click2Gov online payment platforms. Also, learn about the cybersecurity behaviors of more than 13,000 remote workers across 27 countries in a new survey from Trend Micro.

Researchers Uncover Zero-Day Vulnerability on Cisco Routers

CyCognito Inc today announced its research team has uncovered a significant Cross-Site Scripting (XSS) vulnerability on the web admin interface of Cisco small business router models RV042 and RV042G. Cisco routers are popular around the world, and the company has approximately 50% market share in the router and switch market globally. This vulnerability gives attackers an easy path for taking control of a router administrator’s web configuration utility, a position that allows them to perform all admin actions, from viewing and modifying sensitive information to taking control of the router or having the ability to move laterally and gain access to other systems.

Inside the Plot To Kill the Open Technology Fund

An anonymous reader quotes a report from VICE News: [The Open Technology Fund is a U.S. government-funded nonprofit, which is part of the umbrella group called the U.S. Agency for Global Media (USAGM), which also controls Radio Free Asia and Voice of America.] OTF’s goal is to help oppressed communities across the globe by building the digital tools they need and offering training and support to use those tools. Its work has saved countless lives, and every single day millions of people use OTF-assisted tools to communicate and speak out without fear of arrest, retribution, or even death. The fund has helped dissidents raise their voices beyond China’s advanced censorship network, known as the Great Firewall; helped citizens in Cuba to access news from sources other than the state-sanctioned media; and supported independent journalists in Russia so they could work without fear of a backlash from the Kremlin. Closer to home, the tools that OTF has funded, including the encrypted messaging app Signal, have allowed Black Lives Matter protesters to organize demonstrations across the country more securely.

But now all of that is under threat, after Michael Pack, a Trump appointee and close ally of Steve Bannon, took control of USAGM in June. Pack has ousted the OTF’s leadership, removed its bipartisan board, and replaced it with Trump loyalists, including Bethany Kozma, an anti-transgender activist. One reason the OTF managed to gain the trust of technologists and activists around the world is because, as its name suggests, it invested largely in open-source technology. By definition, open-source software’s source code is publicly available, meaning it can be studied, vetted, and in many cases contributed to by anyone in the world. This transparency makes it possible for experts to study code to see if it has, for example, backdoors or vulnerabilities that would allow for governments to compromise the software’s security, potentially putting users at risk of being surveilled or identified. Now, groups linked to Pack and Bannon have been pressing for the funding of closed-source technology, which is antithetical to the OTF’s work over the last eight years.

Monitoring AWS Certificate Manager Private CA with AWS Security Hub

Certificates are a vital part of any security infrastructure because they allow a company’s internal or external facing products, like websites and devices, to be trusted. To deploy certificates successfully and at scale, you need to set up a certificate authority hierarchy that provisions and issues certificates. You also need to monitor this hierarchy closely, looking for any activity that occurs within your infrastructure, such as creating or deleting a root certificate authority (CA). You can achieve this using AWS Certificate Manager (ACM) Private Certificate Authority (CA) with AWS Security Hub.

AWS Certificate Manager (ACM) Private CA is a managed private certificate authority service that extends ACM certificates to private certificates. With private certificates, you can authenticate resources inside an organization. Private certificates allow entities like users, web servers, VPN users, internal API endpoints, and IoT devices to prove their identity and establish encrypted communications channels. With ACM Private CA, you can create complete CA hierarchies, including root and subordinate CAs, without the investment and maintenance costs of operating your own certificate authority.

AWS Security Hub provides a comprehensive view of your security state within AWS and your compliance with security industry standards and best practices. Security Hub centralizes and prioritizes security and compliance findings from across AWS accounts, services, and supported third-party partners to help you analyze your security trends and identify the highest priority security issues.

In this example, we show how to monitor your root CA and generate a security finding in Security Hub if your root is used to issue a certificate. Following best practices, the root CA should be used rarely and only to issue certificates under controlled circumstances, such as during a ceremony to create a subordinate CA. Issuing a certificate from the root at any other time is a red flag that should be investigated by your security team. This will show up as a finding in Security Hub indicated by ‘ACM Private CA Certificate Issuance.’

Example scenario

For highly privileged actions within an IT infrastructure, it’s crucial that you use the principle of least privilege when allowing employee access. To ensure least privilege is followed, you should track highly sensitive actions using monitoring and alerting solutions. Highly sensitive actions should only be performed by authorized personnel. In this post, you’ll learn how to monitor activity that occurs within ACM Private CA, such as creating or deleting a root CA, using AWS Security Hub. In this example scenario, we cover a highly sensitive action within an organization building a private certificate authority hierarchy using ACM Private CA:

Creation of a subordinate CA that is signed by the root CA:

Creating a CA certificate is a privileged action. Only authorized personnel within the CA Hierarchy Management team should create CA certificates. Certificate authorities can sign private certificates that allow entities to prove their identity and establish encrypted communications channels.

Architecture overview

This solution requires some background information about the example scenario. In the example, the organization has the following CA hierarchy: root CA → subordinate CA → end entity certificates. To learn how to build your own private certificate infrastructure see this post.

Figure 1: An example of a certificate authority hierarchy

There is one root CA and one subordinate CA. The subordinate CA issues end entity certificates (private certificates) to internal applications.

To use the test solution, you will first deploy a CloudFormation template that sets up an Amazon CloudWatch Events rule and a Lambda function. Then, you will assume the persona of a security or certificate administrator within the example organization who has the ability to create certificate authorities within ACM Private CA.

Figure 2: Architecture diagram of the solution

The architecture diagram in Figure 2 outlines the entire example solution. At a high level this architecture enables customers to monitor activity within ACM Private CA in Security Hub. The components are explained as follows:

  1. Administrators within your organization have the ability to create certificate authorities and provision private certificates.
  2. Amazon CloudWatch Events tracks API calls using ACM Private CA as a source.
  3. Each CloudWatch Event triggers a corresponding AWS Lambda function that is also deployed by the CloudFormation template. The Lambda function reads the event details and formats them into the AWS Security Finding Format (ASFF).
  4. Findings are generated in AWS Security Hub by the Lambda function for your security team to monitor and act on.

This post assumes you have administrative access to the resources used, such as ACM Private CA, Security Hub, CloudFormation, and Amazon Simple Storage Service (Amazon S3). We also cover how to remediate through practicing the principle of least privilege, and what that looks like within the example scenario.

Deploy the example solution

First, make sure that AWS Security Hub is turned on, as it isn’t on by default. If you haven’t used the service yet, go to the Security Hub landing page within the AWS Management Console, select Go to Security Hub, and then select Enable Security Hub. See documentation for more ways to enable Security Hub.

Next, launch the CloudFormation template. Here’s how:

  1. Log in to the AWS Management Console and select AWS Region us-east-1 (N. Virginia) for this example deployment.
  2. Make sure you have the necessary privileges to create resources, as described in the “Architecture overview” section.
  3. Set up the sample deployment by selecting Launch Stack below.

The example solution must be launched in an AWS Region where ACM Private CA and Security Hub are enabled. The Launch Stack button will default to us-east-1. If you want to launch in another region, download the CloudFormation template from the GitHub repository found at the end of the blog.

Now that you’ve deployed the CloudFormation stack, we’ll help you understand how we’ve utilized AWS Security Finding Format (ASFF) in the Lambda functions.

How to create findings using AWS Security Finding Format (ASFF)

Security Hub consumes, aggregates, organizes, and prioritizes findings from AWS security services and from third-party product integrations. Security Hub receives these findings using a standard findings format called the AWS Security Finding Format (ASFF), thus eliminating the need for time-consuming data conversion efforts. Then it correlates ingested findings across products to prioritize the most important ones.

Below you can find an example input that shows how to use ASFF to populate findings in AWS Security Hub for the creation of a CA certificate. We placed this information in the Lambda function Certificate Authority Creation that was deployed in the CloudFormation stack.

    {
        "SchemaVersion": "2018-10-08",
        "Id": region + "/" + accountNum + "/" + caCertARN,
        "ProductArn": "arn:aws:securityhub:" + region + ":" + accountNum + ":product/" + accountNum + "/default",
        "GeneratorId": caCertARN,
        "AwsAccountId": accountNum,
        "Types": [ "Unusual Behaviors" ],
        "CreatedAt": date,
        "UpdatedAt": date,
        "Severity": { "Normalized": 60 },
        "Title": "Private CA Certificate Creation",
        "Description": "A Private CA certificate was issued in AWS Certificate Manager Private CA",
        "Remediation": {
            "Recommendation": {
                "Text": "Verify this CA certificate creation was taken by a privileged user",
                "Url": "https://docs.aws.amazon.com/acm-pca/latest/userguide/ca-best-practices.html#minimize-root-use"
            }
        },
        "ProductFields": { "ProductName": "ACM PCA" },
        "Resources": [
            {
                "Details": { "Other": { "CAArn": CaArn, "CertARN": caCertARN } },
                "Type": "Other",
                "Id": caCertARN,
                "Region": region,
                "Partition": "aws"
            }
        ],
        "RecordState": "ACTIVE"
    }
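As an added illustration of the Lambda step described above (this is example code written for this page, not the post's own Lambda function from the CloudFormation stack), the following maps a CloudTrail-sourced CloudWatch Event for an ACM Private CA IssueCertificate call into an ASFF finding and raises the severity when the issuing CA is the root CA, which is the red flag the post wants surfaced. The root CA ARN, the sample event, and the generator name are assumed placeholder values; the event field layout follows the "AWS API Call via CloudTrail" shape as an assumption rather than anything taken from the post.

```python
# Added example (not the post's Lambda code): build an ASFF finding from a
# CloudTrail-sourced CloudWatch Event for an ACM Private CA IssueCertificate call.
from datetime import datetime, timezone

ROOT_CA_ARN = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/root-placeholder"  # assumed

# Constructed sample event; the field layout follows the "AWS API Call via
# CloudTrail" event shape as an assumption, not something copied from the post.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "region": "us-east-1",
    "account": "111122223333",
    "detail": {
        "eventSource": "acm-pca.amazonaws.com",
        "eventName": "IssueCertificate",
        "eventTime": "2020-07-10T12:00:00Z",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ca-admin"},
        "requestParameters": {"certificateAuthorityArn": ROOT_CA_ARN},
        "responseElements": {"certificateArn": ROOT_CA_ARN + "/certificate/abc123"},
    },
}

def build_finding(event, root_ca_arn=ROOT_CA_ARN):
    """Return an ASFF finding dict, or None if the event is not a PCA IssueCertificate call."""
    d = event.get("detail", {})
    if d.get("eventSource") != "acm-pca.amazonaws.com" or d.get("eventName") != "IssueCertificate":
        return None
    region, account = event["region"], event["account"]
    ca_arn = d["requestParameters"]["certificateAuthorityArn"]
    cert_arn = d["responseElements"]["certificateArn"]
    from_root = ca_arn == root_ca_arn  # issuance from the root is the red flag the post describes
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{region}/{account}/{cert_arn}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account}:product/{account}/default",
        "GeneratorId": "acm-pca-issuance-monitor",  # hypothetical generator name
        "AwsAccountId": account,
        "Types": ["Unusual Behaviors"],
        "CreatedAt": d.get("eventTime", now),
        "UpdatedAt": now,
        "Severity": {"Normalized": 90 if from_root else 40},
        "Title": "ACM Private CA Certificate Issuance" + (" from root CA" if from_root else ""),
        "Description": f"{d['userIdentity']['arn']} issued {cert_arn} from {ca_arn}",
        "Remediation": {"Recommendation": {"Text": "Verify the issuer is authorized for this CA",
            "Url": "https://docs.aws.amazon.com/acm-pca/latest/userguide/ca-best-practices.html#minimize-root-use"}},
        "ProductFields": {"ProductName": "ACM PCA"},
        "Resources": [{"Type": "Other", "Id": cert_arn, "Region": region, "Partition": "aws",
                       "Details": {"Other": {"CAArn": ca_arn, "CertARN": cert_arn}}}],
        "RecordState": "ACTIVE",
    }
```

In a deployed Lambda the returned dict would be handed to Security Hub with boto3's securityhub BatchImportFindings call; it is returned here so the mapping can be checked offline.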

Silicon Valley Elite Discuss Journalists Having Too Much Power in Private App

During a conversation held Wednesday night on the invite-only Clubhouse app—an audio social network popular with venture capitalists and celebrities—entrepreneur Balaji Srinivasan, several Andreessen Horowitz venture capitalists, and, for some reason, television personality Roland Martin spent at least an hour talking about how journalists have too much power to “cancel” people and wondering what they, the titans of Silicon Valley, could do about it.

ForgeRock Identity Live 2020: What Our Customers Are Saying

CEO Perspective 

ForgeRock Identity Live 2020 went virtual last week! It was exciting to connect with everyone, share what is happening at ForgeRock, and learn from each other. While I would have preferred to meet in person, the conversations with customers and partners were just as meaningful. We heard from leading brands around the globe about how identity is shaping the future of their organizations and saw some amazing product demos from our ForgeRock team.