COMPUTER SECURITY BREACHES
Executive Summary
OneLogin, the login manager, has now joined the list of companies breached in 2017. The company manages passwords for individuals. Its customers’ data and files were stolen and encrypted. The attack was accomplished by using sensitive keys to enter the system and encrypt all of its data. All customer data was compromised. This report provides an overview of one of the major security breaches of this year, the OneLogin breach: the cause of the breach, how it occurred, and possible preventive methods to protect the system from further attacks.
COMPUTER SECURITY BREACHES
On 17 May, 2017 the world experienced another big computer security breach of the year. The online password manager OneLogin, which lets users manage a single login for many different websites and apps through a common platform, was hit by a cyber-attack. The firm reported that personal data related to customers was compromised and, at the same time, encrypted. The attackers encrypted the system and data with a common key that is required for its decryption (Mailonline, 2017).
OneLogin’s main headquarters are in San Francisco. OneLogin is a site that manages passwords and identities along with login-related information. It has a wide user base, from corporate customers to enterprise giants in sectors such as law and finance, healthcare facilities, news channels, etc. It is based on a single-login concept that lets customers access their accounts on other sites, such as Microsoft, Google, etc., and cloud-based applications with one login. Millions of staff and other users access their accounts worldwide; the customer list consists of around 2000 firms from all over the world, 80 service providers, and 400 application providers (Maunder, 2017).
How the attack occurred-
The attackers crippled the company by breaching its data and damaging hundreds of users’ data. The intruder encrypted the users’ data with a decryption key, affecting customers. Once a user signs in to the OneLogin site, their data, including passwords and IDs, is remembered by the system to be used on other sites and applications (Burgess, 2017).
Fig.1: OneLogin breaching steps (Source: Cryptzone Insight)
An intruder used highly sensitive keys (AWS keys) to gain access to the system with the help of a small service provider, using it as an intermediary host, i.e., the AWS API. After gaining complete access, the hacker created different AWS resources to gain information on third parties through the AWS API. The breach was detected after seven hours by a company staff member, who shut down the whole system and the AWS keys; until then the hackers had full access to the database, with additional information on usernames, passwords, applications and software. OneLogin keeps its data encrypted. However, the intruders found a way to decrypt the data. This type of breach is not rare. All hybrid network resources are at great risk. AWS keys are used to share the security responsibilities of the cloud with its customers.
Impact on Customers-
The hackers decrypted the accessible databases, comprising information related to users, keys and applications. The firm advised its many customers to be cautious and recommended certain preventive measures to them.
Many hospitals, as OneLogin users, became victims of the cyber-attack. Many surgeries and operations were cancelled as their systems blacked out. There was chaos in the hospitals as they ran out of medics, and patients were asked to stay in common wards if they were not facing any serious health issues (Whittaker, 2017).
Methods
With increasing breach attacks on sites like OneLogin, where AWS keys are used to set up single-login identification, applications like AppGate can be used. This application checks multiple authentication methods, using potential IAM service providers as context factors for authentication.
When a breach occurs in the system, the user’s device or location changes; AppGate, in combination with SIEM solutions, uses this change to act on the system with immediate effect and provide a response.
Changes in these variables can be countered by modifying policies. SIEM monitors the system and provides an instant pop-up when unidentified activity is observed. In OneLogin’s seven-hour identification process, SIEM would have provided an instant notification. AppGate makes use of a multi-factor authentication (MFA) model to protect AWS keys and resources. It gives users specific access to identified sites and applications rather than a single sign-in option (Hoyos, 2017).
Fig.2: AppGate solution for security breaching (Source: Cryptzone Insight)
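To make the instant-notification idea concrete, here is a small SIEM-style rule in Python. It is an added example written for this report, not OneLogin’s or AppGate’s software. The event records are constructed, simplified CloudTrail-like entries, and the per-key baseline of expected source addresses is an assumption a defender would maintain; the rule flags the first use of an access key from an address outside that baseline and any call that creates new keys or infrastructure, and reports the detection delay in seconds.

```python
"""Minimal SIEM-style detection over AWS API activity records.

Added example (not from the report, OneLogin or AppGate). Records are
constructed, simplified CloudTrail-like events; the baseline of known
source addresses per access key is supplied by the defender (assumed).
"""
from datetime import datetime, timezone

# Constructed sample events (simplified CloudTrail-like fields, placeholder key ids).
SAMPLE_EVENTS = [
    {"eventTime": "2017-05-31T02:00:00Z", "eventName": "DescribeInstances",
     "accessKeyId": "AKIA_EXAMPLE_KEY_1", "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2017-05-31T02:05:00Z", "eventName": "RunInstances",
     "accessKeyId": "AKIA_EXAMPLE_KEY_1", "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2017-05-31T02:06:00Z", "eventName": "CreateAccessKey",
     "accessKeyId": "AKIA_EXAMPLE_KEY_1", "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2017-05-31T02:30:00Z", "eventName": "GetObject",
     "accessKeyId": "AKIA_EXAMPLE_KEY_2", "sourceIPAddress": "203.0.113.11"},
]

# Defender-supplied baseline (assumed): addresses each key is expected to be used from.
KNOWN_SOURCES = {
    "AKIA_EXAMPLE_KEY_1": {"203.0.113.10"},
    "AKIA_EXAMPLE_KEY_2": {"203.0.113.11"},
}

# API calls that expand access or create new infrastructure; always high severity.
PRIVILEGED_CALLS = {"CreateAccessKey", "CreateUser", "AttachUserPolicy", "RunInstances"}


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, known_sources):
    """Return a list of alerts, one per event that breaks the baseline or is privileged."""
    alerts = []
    seen = {k: set(v) for k, v in known_sources.items()}  # copy; do not mutate baseline
    for ev in events:
        key, src, name = ev["accessKeyId"], ev["sourceIPAddress"], ev["eventName"]
        reasons = []
        if src not in seen.setdefault(key, set()):
            reasons.append(f"first use of key from unknown address {src}")
            seen[key].add(src)  # alert once per new address, then treat it as seen
        if name in PRIVILEGED_CALLS:
            reasons.append(f"privileged call {name}")
        if reasons:
            alerts.append({
                "time": ev["eventTime"],
                "key": key,
                "severity": "high" if name in PRIVILEGED_CALLS else "medium",
                "reasons": reasons,
            })
    return alerts


def time_to_first_alert(events, alerts):
    """Seconds from the first recorded event to the first alert (the detection delay)."""
    if not alerts:
        return None
    return (parse_time(alerts[0]["time"]) - parse_time(events[0]["eventTime"])).total_seconds()


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS, KNOWN_SOURCES)
    for a in found:
        print(a["time"], a["severity"], a["key"], "; ".join(a["reasons"]))
    print("detection delay (s):", time_to_first_alert(SAMPLE_EVENTS, found))
```

On the constructed sample the rule raises two alerts and the delay is 300 seconds, i.e. minutes rather than the seven hours described above; the baseline approach is only as good as the inventory of expected addresses, so a new but legitimate host also produces one medium alert until it is added.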
Discussion
OneLogin recommended that its worldwide users follow some preventive measures after their databases were breached and decrypted. The remediations are as follows:
- Make copies of the directory passwords and reset them.
- Use SAML SSO to generate new application certificates.
- Apply new OAuth directory and desktop tokens for LDAP and Active Directory connectors.
- Generate and update API credentials before authenticating third-party apps for directing.
- Update the necessary applications and sites, along with a new operating system, to avoid risks, and restore your secured passwords from the secure notes application.
- Update form-based apps that contain administrative credentials.
- End users should additionally update their passwords for personal applications.
- Replace and change shared secrets, and log off immediately from all applications and sites using single sign-in (‘Lessons Learned from OneLogin’s AWS Breach’, 2017).
Conclusion
The increasing threat of security breaches like OneLogin’s has drawn focus to developing new and updated methods and models to anticipate such attacks. The post-attack measures to clean up such issues include using restricted sites to access files and applications. SAML authentication, protected IP addresses and passwords provide a secured login system with effective security. Applications like AppGate prove to be a better security solution for cases like the OneLogin security breach. They make use of cipher keys to protect databases and systems. They have the additional benefit of an instant notification process whenever an unidentified source is found, and so help prevent data breaches.
References
Burgess, M. (2017, July 13). Six million Verizon accounts exposed after cloud server security flaw. Retrieved August 25, 2017, from http://www.wired.co.uk/article/hacks-data-breaches-2017
Hoyos, A. (2017, May 31). May 31, 2017 Security Incident (UPDATED June 8, 2017). Retrieved August 25, 2017, from https://www.onelogin.com/blog/may-31-2017-security-incident
Krebs on Security. (n.d.). Retrieved August 25, 2017, from https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/
Lessons Learned from OneLogin’s AWS Breach. (2017, June 20). Retrieved August 25, 2017, from https://insight.cryptzone.com/network-security/lessons-learned-onelogins-aws-breach/
Mailonline, P. W. (2017, June 01). Have you been hacked? Password manager OneLogin is hit by a major breach and warns data has been compromised. Retrieved August 25, 2017, from http://www.dailymail.co.uk/sciencetech/article-4563162/Password-manager-OneLogin-hit-security-breach.html
Maunder, M. (2017, June 01). PSA: OneLogin Breached. Here’s What You Need to Do. Retrieved August 25, 2017, from https://www.wordfence.com/blog/2017/06/onelogin-breached/
Whittaker, Z. (2017, June 07). OneLogin security chief reveals new details of data breach. Retrieved August 25, 2017, from http://www.zdnet.com/article/onelogin-security-chief-new-details-data-breach/
PART B
CRYPTOGRAPHIC RANSOMWARE ATTACKS AND ITS PREVENTION: AN APPROACH
Executive Summary
Ransomware is malicious software which blocks a person’s access to his computer and data and demands a ransom in exchange. The malware asks for a large amount of digital money to be paid in exchange for the decryption key. Large private firms, government agencies and individual users are all at great risk of their important data being stolen and encrypted. This report focuses on ransomware, the biggest computer security breach, and approaches to its prevention. It also provides a clear idea of preventive measures to deal with it and of the methods of recovery.
CRYPTOGRAPHIC RANSOMWARE ATTACKS AND ITS PREVENTION: AN APPROACH
According to reports, ransomware has crippled a large number of firms such as WPP, Maersk (a transport company), some big law firms, and individuals. The attacks have increased consistently (Pazz, R.D. and Abraham, L, 2016). It is a kind of malware (malicious software) which, once it has entered a system, blocks the user from accessing the computer and useful data without a paid-for decryption key. The malware demands a ransom (digital money, i.e., bitcoins) in exchange for the decryption key to restore the data.
Working of ransomware –
Ransomware locks the computer’s operating system by directly targeting the master boot record, making the system inaccessible. Steps involved:
- It attacks system files via several malicious vectors such as email attachments, downloaded viral content, infected software, fake installers, etc. (Abrams, 2016). Hacking social sites to steal users’ login IDs and passwords, and advertisements, are some other ways of spreading this virus to other systems.
- The binary infects the computer by entering the system using one of the above modes and causes a malicious breakdown by infecting the user’s files and important data.
Fig.1: How ransomware works (Source: McAfee Labs, 2016).
- The ransomware now communicates with its servers for an encryption key that will be needed to encrypt the data and files (Nieuwenhuizen, 2017).
- The process then searches the system step by step for the user’s unreplicated important files, typically those with extensions such as jpg, docx, pptx or pdf.
- Target files are renamed and moved to a different location to encrypt them completely.
- After successful encryption of the files, a ransom is demanded in the form of Bitcoins (digital money) on the system’s screen (Fig. 2).
Fig. 2: Example of ransom demand screen (Source: trendmicro.com)
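The steps above (search for files with target extensions, rename them, overwrite them with encrypted content) are exactly what a behaviour-based detector of the kind Nieuwenhuizen (2017) discusses looks for. The following Python is an added example written for this report, not code from the report or the cited paper. It runs over constructed file-activity events; the window, file-count and entropy thresholds are assumptions a defender would tune. A process is flagged when it renames or rewrites several target-extension files within a short window, where a rewrite counts only if the written bytes look encrypted (Shannon entropy close to 8 bits per byte).

```python
"""Behaviour-based ransomware indicator over file-activity events.

Added example, not code from the report or the cited papers. Events are
constructed; thresholds are assumptions a defender would tune.
"""
import math
import os
from collections import defaultdict

TARGET_EXTS = {".jpg", ".docx", ".pptx", ".pdf"}   # the extensions named in the report
WINDOW_SECONDS = 60        # assumed: how fast "mass" activity has to be
MIN_FILES = 3              # assumed: how many target files inside the window
ENTROPY_THRESHOLD = 7.0    # bits per byte; encrypted/compressed data sits near 8


def shannon_entropy(data):
    """Entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious(event):
    """True if the event renames a target file to a new extension or overwrites it with encrypted-looking data."""
    src_ext = os.path.splitext(event["path"])[1].lower()
    if src_ext not in TARGET_EXTS:
        return False
    if event["op"] == "rename":
        dst_ext = os.path.splitext(event["new_path"])[1].lower()
        return dst_ext != src_ext          # e.g. report.docx -> report.docx.locked
    if event["op"] == "write":
        return shannon_entropy(event["data"]) >= ENTROPY_THRESHOLD
    return False


def detect(events):
    """Return the set of process names with >= MIN_FILES suspicious events inside WINDOW_SECONDS."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        if suspicious(ev):
            hits[ev["proc"]].append(ev["t"])
    flagged = set()
    for proc, times in hits.items():
        for i in range(len(times) - MIN_FILES + 1):
            if times[i + MIN_FILES - 1] - times[i] <= WINDOW_SECONDS:
                flagged.add(proc)
                break
    return flagged


# Constructed sample data: plain document text versus encrypted-looking bytes.
PLAIN_DOC = b"Quarterly report text " * 50          # low entropy
ENCRYPTED_LIKE = bytes(range(256)) * 16             # uniform bytes, entropy 8.0

SAMPLE_EVENTS = [
    {"t": 0, "proc": "winword.exe", "op": "write", "path": "report.docx", "data": PLAIN_DOC},
    {"t": 1, "proc": "locker.exe", "op": "write", "path": "a.jpg", "data": ENCRYPTED_LIKE},
    {"t": 2, "proc": "locker.exe", "op": "rename", "path": "b.pdf", "new_path": "b.pdf.locked"},
    {"t": 3, "proc": "locker.exe", "op": "write", "path": "c.pptx", "data": ENCRYPTED_LIKE},
    {"t": 5, "proc": "locker.exe", "op": "write", "path": "notes.txt", "data": ENCRYPTED_LIKE},
    # a backup tool renaming two documents minutes apart: suspicious events, but too few and too slow
    {"t": 100, "proc": "backup.exe", "op": "rename", "path": "d.docx", "new_path": "d.docx.bak"},
    {"t": 400, "proc": "backup.exe", "op": "rename", "path": "e.docx", "new_path": "e.docx.bak"},
]

if __name__ == "__main__":
    print("flagged processes:", detect(SAMPLE_EVENTS))
```

The rate condition is what keeps a backup tool or a user's bulk rename from tripping the rule; the entropy condition is what distinguishes an ordinary save from an overwrite with ciphertext. Both thresholds should be set from a baseline of normal activity on the monitored hosts.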
Affected Countries and firms –
The malware cyber-attack that started in Ukraine hit large parts of many countries: Europe, Russia, Asia, the USA, etc. Many big firms have also been affected, in both the public and private sectors (finance, real estate, consumer services): the advertising giant WPP, the transport firm Maersk, big oil companies such as Rosneft, and leading manufacturing giants; more than a million systems globally that were running old Microsoft versions were affected, as reported in The New York Times (Kharpal, 2017).
- Maersk, the world’s leading shipping and transport company, had to change the routes of its ships after all its systems were hacked. Because of this, the company was unable to handle shipments at its ports.
- Rosneft, a Russian oil company also hit by the ransomware, suffered a breakdown after its production and retail operations were badly hit.
Methods
Ransomware attacks are becoming more prominent every year; this year experienced the most cyber-attacks of all time. So, to protect a system from such malware, some methods based on cryptological algorithms can be used. Cryptological algorithms help to develop protocols that provide privacy to the system. The algorithms make use of geometric analysis to solve network-related issues. In this report, some methods are proposed based on block ciphers (Tran, 2014), in two modes:
- ECB mode
- CBC mode
- ECB mode: The major disadvantage of this mode is that it cannot completely hide patterns in files, i.e., the same cipher block is produced by encrypting the same plaintext block. So, in ECB mode this disadvantage is used to protect files from attack. Protection is done with encoded data.
It includes the following steps:
First, data expansion: a block of size n is created from each byte by padding it with n−1 zero bytes. So a file

T = B_0, B_1, ..., B_m

becomes, after expansion,

T' = B_0, [0 ··· 0]_{n−1}, B_1, [0 ··· 0]_{n−1}, ..., B_m, [0 ··· 0]_{n−1}

As a result, a dictionary file is formed in the same way from the 256 possible byte values:

dic = [0 ··· 0]_n, 1, [0 ··· 0]_{n−1}, ..., 255, [0 ··· 0]_{n−1}

The dictionary file ‘dic’ will also be encrypted along with all the other files if the malware is using a common key. Now the decrypted values are known to the user, since each block of the encrypted dictionary file matches a block of the encrypted file, and all the important files can be easily recovered.
- CBC mode: A block cipher cannot be used in CBC mode in the same way, as each encrypted block starts with an XOR. In this mode the second bytes of data can be recovered by recreating different dictionaries:

dic_{i,b} = (b, [0 ··· 0]_{n−1}) ⊕ C_i (Biddle, 2016)
Discussion
Some of the strategies that can be followed to prevent a ransomware attack are:
- To protect a system from a ransomware attack, it has to be stopped before it reaches its endpoint.
- To minimize attacks, update your system regularly and use only current operating systems; old operating systems are prone to attacks on their vulnerabilities.
- Ransomware reaches endpoints using fake URLs and IP addresses; keep spam and web filters on in your system.
- Access only authorised sites and keep your restricted-sites control application on.
- Don’t work on other sites while logged in as administrator.
- Keep a regular offsite backup of your files and limit your file-sharing activities (Frenkel, 2017).
Conclusion
The above report concludes that cyber security systems should provide quicker and earlier detection of new attacks. Some studies have reported countermeasures to be undertaken after an attack on files. The above-mentioned models provide the first line of control against ransomware attacks. In the future, a smart security model should be designed with web and spam filters and restricted data identification, which can anticipate attacks and secure data and files accordingly.
References
Abrams, L. (2016, June 24). The Week in Ransomware – June 24 2016- Locky Returns, CryptXXX, Apocalypse, and More. Retrieved August 25, 2017, from https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-24-2016-locky-returns-cryptxxx-apocalypse-and-more/
Biddle, S. (2016, March 08). CryptoWall, TeslaCrypt and Locky: A Statistical Perspective. Retrieved August 25, 2017, from https://blog.fortinet.com/2016/03/08/cryptowall-teslacrypt-and-locky-a-statistical-perspective
By The Numbers: Ransomware Rising. (2016). Retrieved August 25, 2017, from https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/by-the-numbers-ransomware-rising
Frenkel, S. (2017, June 27). Global Ransomware Attack: What We Know and Don’t Know. Retrieved August 25, 2017, from https://www.nytimes.com/2017/06/27/technology/global-ransomware-hack-what-we-know-and-dont-know.html?mcubz=0
Kharpal, A. (2017, June 28). ‘Petya’ ransomware: All you need to know about the cyberattack and how to tell if you’re at risk. Retrieved August 25, 2017, from https://www.cnbc.com/2017/06/28/petya-ransomware-cyberattack-explained-how-to-tell-if-youre-at-risk-or-been-attacked.html
Nieuwenhuizen, D. (2017). A Behavioural-based Approach to Ransomware Detection. Retrieved August 25, 2017, from https://labs.mwrinfosecurity.com/publications/a-behavioural-based-approach-to-ransomware-detection/
Solon, O., & Hern, A. (2017, June 28). ‘Petya’ ransomware attack: what is it and how can it be stopped? Retrieved August 25, 2017, from https://www.theguardian.com/technology/2017/jun/27/petya-ransomware-cyber-attack-who-what-why-how
Tran, M. (2014). CryptoLocker and the Rise of Cryptographic Ransomware. Retrieved August 25, 2017, from http://docplayer.net/37957215-Cryptolocker-and-the-rise-of-cryptographic-ransomware.html