8-Character Passwords Cracked Like Twigs, and UK NCSC Approves ADFS Exit, and Helpdesk Software Asks “Would You like Some Ransomware with That?”

This week’s security snacks:

  • Using an 8-character password? Don’t!
  • UK National Cyber Security Center now recommends Azure AD over ADFS
  • Is your IT Helpdesk or MSP providing remote assistance using Kaseya? Ensure they have it patched!

Happy munching!

Using an Eight-Character Password? Don’t!

Bite

Brute force password recovery tool HashCat can now recover your 8-character password in under 2 ½ hours!

Snack

We all know that the future of secure computing is heading to a password-less utopia. If, however, you believe that the requirement of a “complex” eight-character password baseline is sufficient for your organization, well, it’s time to think again.

The open-source password recovery tool, HashCat, can now recover Windows NTLM hashed passwords in under 2 ½ hours. Of course, there are some caveats to this ability, including utilizing some serious data-crunching horsepower in the form of high-end CPU and GPU combinations. Thanks to cloud computing, though, not only can you do away with forking out on hardware, it might also be a lot cheaper than you think.

As for those security-minded individuals reading this thinking eight characters are far too short, well, you are of course correct. Unfortunately, many online services, including those used for email, often use this figure as the security bar. An example of this is Microsoft’s password change recommendation for Office 365, which lists this very figure (https://support.office.com/en-us/article/change-password-in-outlook-web-app-50bb1309-6f53-4c24-8bfd-ed24ca9e872c). So without pointing the finger of blame, you can see why it might be used as a corporate security standard.

As for those passwords that have already been compromised, attackers can simply leverage large pre-defined lists to speed up their attack process. If you want to check if your password has been compromised, then look no further than Troy Hunt’s Have I Been Pwned site.
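As an added example (not code from this article or from Have I Been Pwned): a check against the Pwned Passwords range API, which receives only the first five hex characters of the password's SHA-1 hash, so the password itself never leaves your machine. The response body here is constructed sample data and `constructed_response` is a hypothetical helper; a real check would fetch the URL returned by `range_request_url`.

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_url(password: str) -> str:
    """Only the 5-character prefix is ever sent to the service."""
    return RANGE_URL + split_hash(password)[0]


def breach_count(password: str, range_body: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our own suffix."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # suffix absent: not in the breach corpus


def constructed_response(password: str, count: int) -> str:
    """Constructed sample body: two filler suffixes plus the one under test."""
    _, suffix = split_hash(password)
    return "\r\n".join(["0" * 35 + ":3", f"{suffix}:{count}", "F" * 35 + ":1"])


if __name__ == "__main__":
    body = constructed_response("password", 42)  # constructed count
    print("request:", range_request_url("password"))
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r} seen {breach_count(pw, body)} times in sample body")
```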

A few suggestions:

  • Increase password length
  • Leverage additional security technologies (MFA/Conditional access for example)
  • Enable notifications of new logon attempts
  • Use pass phrases

Meal

You can find an excellent write-up of this in the article from The Register titled Use an 8-char Windows NTLM password? Don’t. Every single one can be cracked in under 2.5hrs.

UK National Cyber Security Center Now Recommends Azure AD over ADFS

Bite

Synchronization of passwords to Azure AD causing you a security headache? Read on.

Snack

Since Office 365 was launched in 2011, companies around the globe have taken the opportunity to make the jump to an operational expense model. The benefit of leveraging Microsoft’s platform from both an operational cost and security perspective has resulted in mass consumption of the cloud service.

One question has come up time and time again, however: which identity provider to use, a choice often driven by the desire to keep details secured on the internal network. Password hash synchronization through Azure AD Connect (formerly DirSync & Azure AD Sync) has been a thorn in the side for many IT departments. The security department usually insists on pushing back to a federated scenario with ADFS (Active Directory Federation Services) due to the perceived risk.

The fact of the matter is that the passwords sent to Azure are hashed values of the original hashed password. A point often missed is that this, by its very nature, negates the potential for a pass-the-hash attack on your internal IT infrastructure. Implementing ADFS as the security provider also puts on you the burden of securing the boundary to your network and, of course, ensuring it is constantly available in order to consume resources. This is something that, in a cloud-first era, seems a bit counterproductive.
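An added illustration of the "hash of a hash" point above (not Microsoft's code): it follows Microsoft's published description of password hash synchronization, in which the 16-byte NT hash is expanded to 64 bytes, salted per user with 10 bytes, and run through 1,000 iterations of PBKDF2 with HMAC-SHA256. The sample NT hash is constructed, and the hex casing and the way the salt is passed to PBKDF2 are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 1000  # iteration count from Microsoft's description
SALT_LEN = 10             # per-user salt length from the same description


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """16-byte NT hash -> 32 hex characters -> 64 bytes of UTF-16."""
    if len(nt_hash) != 16:
        raise ValueError("an NT hash is exactly 16 bytes")
    # Assumption: lowercase hex, little-endian UTF-16.
    return nt_hash.hex().encode("utf-16-le")


def derive_synced_value(nt_hash: bytes, salt: bytes) -> bytes:
    """Value that leaves the network: PBKDF2-HMAC-SHA256 over the expanded hash."""
    if len(salt) != SALT_LEN:
        raise ValueError("per-user salt must be 10 bytes")
    # Assumption: expanded hash is the PBKDF2 password, the salt is its salt.
    return hashlib.pbkdf2_hmac(
        "sha256", expand_nt_hash(nt_hash), salt, PBKDF2_ITERATIONS, dklen=32
    )


def usable_for_pass_the_hash(candidate: bytes, nt_hash: bytes) -> bool:
    """NTLM authentication needs the NT hash itself, byte for byte."""
    return hmac.compare_digest(candidate, nt_hash)


if __name__ == "__main__":
    nt_hash = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    salt = os.urandom(SALT_LEN)
    synced = derive_synced_value(nt_hash, salt)
    print("on-premises NT hash :", nt_hash.hex())
    print("value sent to cloud :", synced.hex())
    print("replayable on-prem? :", usable_for_pass_the_hash(synced, nt_hash))
```

Because PBKDF2 is one-way, the synced value cannot be turned back into the NT hash that on-premises NTLM authentication expects.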

This week the UK’s National Cyber Security Center published an article recommending that companies use password hash synchronization as their preferred method from a security viewpoint. So, if you need extra ammo to retire your ADFS environment then this is another source to utilize in your arsenal for the security team.

Meal

To read the full list of published recommendations, visit the UK NCSC website’s blog Securing Office 365 with better configuration.

Is your IT Helpdesk or MSP providing remote assistance using Kaseya? Ensure they have it patched!

Bite

You’ve patched your computers, the applications, and the firewall, but… if the IT helpdesk is using an unpatched remote support tool it could still be curtains for your network.

Snack

Ransomware has infected many thousands of machines across the globe. Infection of a network can start with a user visiting an infected web site or as part of a targeted attack, but what if the very software that your IT helpdesk was using provided the required back door?

As we have all come to know when it comes to IT security, prevention is the best form of cure. Taking this mantra, organizations implement tools across their network to ensure that not only Microsoft operating systems, but also third-party applications are fully patched according to the recommendations of the manufacturer. So, for those IT helpdesks and managed service providers who provide remote support to the “protected network”, it is also important that the very software they use does not within itself cause an issue.

GandCrab Ransomware, SQL Injection Vulnerability and the Unpatched Perfect Storm

Security researcher Alex Wilson notified Kaseya back in November of 2017 of the potential for an attacker to compromise systems using their ConnectWise Manage software via SQL injection. Kaseya of course rushed out a security hotfix; however, as is often the case, the weakest link is those who fail to implement the patch.

Reports are emerging that attacks using this vulnerability have risen over the past month, so if you or your MSP are using Kaseya, do the sensible thing and ensure that it is fully patched. Nobody needs the headache of testing the protection offered by security products or file recovery capabilities in a panic situation, or worse still, having to pay the Bitcoin ransom.

Meal

If you want a little more information, you can find it in the ZDNet article GandCrab ransomware gang infects customers of remote IT support firms.

Maurice Daly and Paul Winstanley
Microsoft MVPs