Positive Technologies’ researchers discovered a way to partially disable Intel ME functionality

While studying the internal architecture of Intel Management Engine (ME) 11, Positive Technologies experts discovered an undocumented mode that allows the technology’s functionality to be partially disabled. The experts note that Intel ME has access to almost all data on the computer, and that the ability to execute third-party code in it would allow the platform to be completely compromised.

In their blog post, the researchers describe how they discovered the undocumented mode and how it is connected to the High Assurance Platform (HAP) program.

PCs with Skype under serious threat: vulnerability CVE-2017-9948

Critical vulnerability CVE-2017-9948 is a stack buffer overflow bug in Skype that allows an attacker to remotely crash the application and execute malicious code on the victim’s computer. The vulnerability exists in Skype 7.2, 7.35 and 7.36.

Microsoft has already patched the bug in Skype version 7.37.178 and users are recommended to install this version as soon as possible to make sure that they’re not targeted by attacks based on this vulnerability.

Microsoft Edge vulnerable to cookie and password theft

The Microsoft Edge browser appears to have a severe password vulnerability. Recent reports reveal that attackers could easily obtain a user’s passwords and cookie files for online accounts. The vulnerability was discovered by security expert Manuel Caballero, who has vast experience in unearthing Edge and Internet Explorer bugs and flaws. It also seems that the attack can be customized to dump the passwords or cookies of other online services, such as Amazon and Facebook.


Your IT Outsourcing Provider Under Control

Security measures to take when outsourcing IT services.

Don’t worry, take control!

Outsourcing IT infrastructure services is a logical step for a growing business. When a qualified contractor is selected, it allows an organization to optimize IT costs and improve quality of service. IT outsourcing also creates the flexibility to regulate the volume of services delivered. If a company’s needs change rapidly, contractors can promptly ramp up or down the volume of IT services.

IT outsourcing requires that a company review its organizational processes to properly establish cooperation with IT service providers. In addition, the company should consider the risks associated with transferring infrastructure control (network and server administration, all key account data, etc.) to a third-party provider and its employees. In other words, the company hands significant leverage over its business to an outside company, which can never be 100% reliable.

So how do you minimize the risks? This issue has been explored more extensively than you might expect at first glance. Potential risks can be reduced with organizational and technical control measures.

Organizational measures include the creation of an “IT Government” unit within the organization: a sort of “government” with its own competencies, such as coordinating and supervising contractors and influencing their actions, including limiting their access or blocking them.

Available technical measures include software and hardware products that provide precise control over outsourced IT staff by auditing and recording every action performed by a remote administrator.

Below is a list of the industry’s most popular products, along with URLs so you can evaluate these solutions yourself:

Company | Website | Products
TSFactory (USA) | https://www.tsfactory.com/ | RecordTS – terminal session audit and recording (Terminal Services, Citrix, vWorkSpace)
ObserveIT (USA-Israel) | http://www.observeit.com/ | Visual session recording – audit, alerting and user session recording on Windows and Unix servers
CensorNet (UK-USA) | https://www.censornet.com/ | Desktop Monitoring – online monitoring, audit and recording of user actions
BalaBit (USA-Hungary) | https://www.balabit.com/ | Shell Control Box – software and hardware appliance for control, audit and recording of remote sessions

BalaBit Shell Control Box as a possible solution

Let us take a closer look at what we believe is the most interesting solution, BalaBit Shell Control Box.

Shell Control Box (SCB) stands out from the crowd, because it is not just a set of agents for client and server machines. It is an independent device that controls, monitors and audits remote administrators’ access to servers, providing full transparency and independence from clients and servers.

SCB is a tool for supervising server administrators and administration processes by managing the encrypted connections used in server administration. SCB fully controls connections made via SSH, RDP, Telnet, TN3270, Citrix ICA and VNC, creating a clear set of functions and a controlled access level for administrators.

Among SCB’s most significant features are the following:

  • Ability to disable unwanted channels and features (for example, TCP port redirection, file transfer, VPN, etc.);
  • Control over selected authentication methods;
  • Required external authentication on the SCB gateway;
  • Implementation of authorization with the ability to monitor and audit in real time;
  • Encrypted auditing of selected channels; time-tagged and digitally signed audit trails;
  • Information about user group membership through the LDAP database;
  • Keys and server host certificates, along with SCB access, can be checked, configured and managed using any modern web browser.

Let’s take a look at a potential plan for incorporating SCB into the company’s IT infrastructure:

(Figure: SCB deployment schema)

(In this scenario, the company uses only one server (Server 1) for SCB monitoring, to keep the number of licensed hosts down. The administrator reaches the other servers (Servers 2-4) through Server 1.)

Our SCB server is configured as a remote desktop gateway. When accessing the server, the administrator authenticates on the SCB server. Upon successful authentication, an additional check is performed on the server. Next, the administrator establishes various connections to other servers, which are also monitored by the SCB server, from the controlled server.

Shell Control Box administration and control functionality is available via a web interface. After the SCB server is configured, all traffic passing through it is automatically recorded. SCB has a single interface for viewing and changing the configuration, reports and audit trails.


SCB provides the ability to view audits of past connections, quickly terminate current connections to servers, and observe the actions of remote administrators online.


Audit trails are replayed with Audit Player, a desktop application that plays back previously recorded sessions as video. The screenshot below shows Audit Player replaying a video of a remote administrator’s RDP session from a monitored server to another server in the network:

(Screenshot: Shell Control Box admin and control – Audit Player replay)

Let’s look at an example. Suppose a business-critical service unexpectedly goes down on a business day. We know when it happened and which server hosts the service, so we go to the search option in the web interface and enter the date, time and protocol type:

(Screenshot: Shell Control Box admin and control – session search)

We need to find the corresponding session.

We can perform a quick replay after rendering and, if necessary, download a video of the RDP connection.

The video of the RDP connection to the server will show the work of the remote administrator who performed the unscheduled restart of the service. This audit video is great proof when resolving any claims with the IT outsourcing provider.
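The “time-tagged and digitally signed audit trails” feature listed earlier and the outage investigation just described can be illustrated with a small tamper-evident session log. The following Go program is an added example written for this article; it is not SCB’s format or code, and it does not reproduce any vendor’s product. It keeps a constructed trail of session records, chains each record to the previous one with an HMAC (a keyed MAC stands in here for the appliance’s digital signature), verifies the chain, and searches it by protocol and time window the way the outage scenario does. The key, the record fields and the sample sessions are all constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AuditRecord is one entry of a constructed session-audit trail (an illustration,
// not the on-disk format of SCB or any other product).
type AuditRecord struct {
	Seq      int
	Start    time.Time
	Protocol string // "RDP", "SSH", ...
	User     string
	Server   string
	Summary  string
	PrevMAC  string // MAC of the previous record: the chain link
	MAC      string // HMAC-SHA256 over this record's fields and PrevMAC
}

// payload serialises the fields the MAC covers; the demo assumes no field contains '|'.
func payload(r AuditRecord) []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%s|%s|%s|%s", r.Seq,
		r.Start.UTC().Format(time.RFC3339), r.Protocol, r.User, r.Server, r.Summary, r.PrevMAC))
}

func mac(key []byte, r AuditRecord) string {
	m := hmac.New(sha256.New, key)
	m.Write(payload(r))
	return hex.EncodeToString(m.Sum(nil))
}

// Append adds a session record, linking it to the MAC of the previous record.
func Append(trail []AuditRecord, key []byte, start time.Time, proto, user, server, summary string) []AuditRecord {
	r := AuditRecord{Seq: len(trail), Start: start, Protocol: proto, User: user, Server: server, Summary: summary}
	if len(trail) > 0 {
		r.PrevMAC = trail[len(trail)-1].MAC
	}
	r.MAC = mac(key, r)
	return append(trail, r)
}

// Verify recomputes every MAC and chain link. It returns the index of the first
// record that was altered, removed or reordered, or -1 if the trail is intact.
func Verify(trail []AuditRecord, key []byte) int {
	prev := ""
	for i, r := range trail {
		if r.PrevMAC != prev || !hmac.Equal([]byte(mac(key, r)), []byte(r.MAC)) {
			return i
		}
		prev = r.MAC
	}
	return -1
}

// FindSessions returns the Seq numbers of sessions of the given protocol that started
// within [from, to]: the lookup made during the outage investigation.
func FindSessions(trail []AuditRecord, proto string, from, to time.Time) []int {
	var hits []int
	for _, r := range trail {
		if r.Protocol == proto && !r.Start.Before(from) && !r.Start.After(to) {
			hits = append(hits, r.Seq)
		}
	}
	return hits
}

// SampleTrail builds a constructed trail for one business day; the RDP session at
// 10:30 is the one that restarted the service.
func SampleTrail(key []byte) []AuditRecord {
	day := time.Date(2017, 6, 20, 0, 0, 0, 0, time.UTC)
	var t []AuditRecord
	t = Append(t, key, day.Add(9*time.Hour), "SSH", "contractor1", "server-1", "log review")
	t = Append(t, key, day.Add(10*time.Hour+30*time.Minute), "RDP", "contractor2", "server-1", "service restart")
	t = Append(t, key, day.Add(11*time.Hour), "RDP", "contractor1", "server-3", "patching")
	return t
}

func main() {
	key := []byte("constructed-demo-key") // held by the appliance, never by the contractor
	trail := SampleTrail(key)
	fmt.Println("intact trail, first bad record:", Verify(trail, key))
	from := time.Date(2017, 6, 20, 10, 0, 0, 0, time.UTC)
	fmt.Println("RDP sessions 10:00-10:50:", FindSessions(trail, "RDP", from, from.Add(50*time.Minute)))
	tampered := append([]AuditRecord(nil), trail...)
	tampered[1].Summary = "routine check" // the record is rewritten after the fact
	fmt.Println("after the edit, first bad record:", Verify(tampered, key))
}
```

The point of the chain is that an administrator who can reach the stored trail cannot quietly edit or drop the one session that caused the outage: Verify flags the first record whose MAC or link no longer matches, which is why the appliance, not the monitored host, must hold the key.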

Conclusions

We have used the functionality of BalaBit Shell Control Box to demonstrate how to add a layer of security that provides full control and auditing of IT companies performing server maintenance, with the ability to replay the actions performed on the servers.

Such strict auditing of IT contractors may seem to destroy trusting relationships. In fact, the situation is exactly the opposite: trust must be accompanied by transparency and the ability to verify. High-quality IT outsourcing companies should welcome such an option for client oversight, because it is a chance for the contractor to demonstrate the quality of their services and solidify the customer relationship. As an IT outsourcing company, we have a vested interest in making our customer feel safe when working with us. Moreover, we are ready to deploy such products for our customers.

As a result, we can say that the days of outsourcers’ uncontrolled access to customers’ IT infrastructure, and all the accompanying fears, are over. The provider’s actions can be monitored, negligence can be proved, and unauthorized actions can be tracked and prevented. The only drawback is the cost, but this is largely offset by the benefits received.

If you have any organizational or technical questions, please contact us and we will be happy to provide a consultation.


Protect Your Emails with Two-Factor Authentication

The many hacks of celebrities’ email accounts reported by the media and widely discussed by the general public have made users greatly concerned about the safety of their data. That is what we are going to address in this article.

What is two-factor authentication and how can it help?

Two-factor authentication is a method of establishing identity using two different types of information. The first type is usually a user name and password, while the second type is provided in an SMS, smartphone app, OTP device or certificate.

SMS

There is a lot of information on the Internet on how two-factor authentication works via SMS.

In my opinion, if the potential monetization of hacking your account does not exceed $1000, this type of protection is acceptable. If you want to protect more valuable data, SMS is not quite the right approach. Your mobile phone could be stolen or your SIM card could be replaced. By the time you notice, the hacker will have already downloaded all your correspondence from the server. For example, the Gmail account of the Russian political activist Navalny was hacked and years of private email correspondence went public. His account was protected using SMS-based two-factor authentication. The recent attack on users of mobile banking clients also demonstrates the vulnerability of this method.

Significant disadvantages of this method include extreme inconvenience in protecting email, and problems for travelers and those frequently changing their SIM cards.

Mobile app

Authentication through a mobile application eliminates the problem of the SIM card being copied or stolen, and is more convenient when traveling. But the other problems remain.

OTP

OTP (One Time Password) devices probably provide the highest level of protection among all the methods. Devices that require you to enter a PIN code before use are particularly effective. No wonder every bank that cares about its reputation uses OTPs for clients’ financial transactions.

The main disadvantage is that they are not very convenient to use for email protection.
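To show what an OTP device actually computes, and what the server has to do to accept a code safely, here is an added Go example that is not from the article’s author. It implements the HMAC-based HOTP and TOTP algorithms of RFC 4226 and RFC 6238, which many event- and time-based tokens use; bank tokens may run vendor-specific schemes, so treating them as this algorithm is an assumption about the device class, not a statement about any product. The shared secret (the RFC 6238 test value), the clock-skew allowance and the replay state are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP computes an RFC 4226 one-time code for a single counter value.
func HOTP(secret []byte, counter uint64, digits int) string {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	m := hmac.New(sha1.New, secret)
	m.Write(ctr[:])
	h := m.Sum(nil)
	off := h[len(h)-1] & 0x0f                                  // dynamic truncation offset
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff // drop the sign bit
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with the counter derived from Unix time in 30-second steps (RFC 6238).
func TOTP(secret []byte, unix int64, digits int) string {
	return HOTP(secret, uint64(unix/30), digits)
}

// Verifier is the per-user server-side state. LastStep records the newest time step
// already accepted, so a captured code cannot be replayed.
type Verifier struct {
	Secret   []byte
	Digits   int
	Skew     int   // tolerated clock drift, in steps, on each side of "now"
	LastStep int64 // -1 until the first successful check
}

// Check accepts code if it matches a step inside the skew window that is newer than
// anything accepted before; the comparison is constant-time.
func (v *Verifier) Check(code string, now time.Time) bool {
	step := now.Unix() / 30
	for d := -v.Skew; d <= v.Skew; d++ {
		s := step + int64(d)
		if s <= v.LastStep {
			continue // a replay, or older than a code already used
		}
		want := HOTP(v.Secret, uint64(s), v.Digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.LastStep = s
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 6238 test secret, used here as a constructed value
	v := &Verifier{Secret: secret, Digits: 6, Skew: 1, LastStep: -1}
	now := time.Unix(59, 0)
	code := TOTP(secret, now.Unix(), 6)
	fmt.Println("token shows:", code)
	fmt.Println("first use accepted:", v.Check(code, now))
	fmt.Println("replay accepted:", v.Check(code, now))
}
```

The two server-side details that matter are the skew window (a token’s clock drifts, so one step on either side is usually tolerated) and the LastStep check, without which a code read over someone’s shoulder remains valid for the rest of its 30-second step.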

Protection with a certificate

This technology lets you restrict email access so that user credentials work only on authorized devices, by installing a special certificate on each device.

Unfortunately, this technology does not solve the protection problem that arises if a laptop or phone is stolen. However, disk encryption in combination with a fingerprint sensor completely solves the problem of protecting the laptop, and if an attacker manages to gain access to the email on a mobile phone, the damage is incomparably smaller than when all email is downloaded from servers. Of course, encrypting and protecting mobile devices can reduce the damage caused by this threat to zero.

The main advantage of this technology is its transparency for the user. After installing the certificate on the device, the user can work as usual without entering any codes. Even if the password is compromised, it can only be used on authorized devices.

Certificates can be either associated with a USB token (a popular solution among Russian banks) or a user device. In our opinion, this solution is more suitable for corporate users.

Of course, this technology applies only to corporate email and is just one component of a system of data security measures.

We can protect mail on MS Exchange Server and clients using Exchange through ActiveSync and OWA. Unfortunately, the current version of MS Outlook does not support this solution.

In technical terms, two-factor authentication using a certificate is based on the corporate public key infrastructure (PKI). To grant access to a device, the system administrator installs a user certificate whose private key is marked as non-exportable. The user can then use the Exchange Web Interface (OWA): when the user opens the corresponding link, the server requests the client certificate as the first authentication factor, and the user then enters his or her credentials in the web form as the second factor.
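The certificate-as-first-factor flow described above can be traced in code. The following Go program is an added example written for this article; it is not the implementation used by Exchange, OWA or ActiveSync (in a real deployment the TLS handshake requests the client certificate and proves possession of its key). It builds a constructed corporate CA, issues a client-authentication certificate whose private key stays on the device, and on login checks that the presented certificate chains to that CA, is within its validity period, carries the client-auth usage, proves possession of its key by signing a server nonce and names an existing account, and only then checks the password as the second factor. The CA name, user name, nonce and password are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue generates a P-256 key and a certificate for it. With isCA the result is a
// self-signed root (parent is ignored); otherwise a client-auth leaf signed by parent.
func Issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool, now time.Time, valid time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // crypto/rand does not fail
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(valid),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ProveKey signs a server nonce with the device's private key (what the TLS handshake does for real).
func ProveKey(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Account is the server-side record for the second factor: a salted password hash.
type Account struct {
	Salt []byte
	Hash [32]byte
}

func hashPassword(salt []byte, password string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), password...))
}

func NewAccount(password string) Account {
	salt := make([]byte, 16)
	rand.Read(salt)
	return Account{Salt: salt, Hash: hashPassword(salt, password)}
}

// Authenticate runs both factors in order: certificate chain, validity, client-auth usage,
// proof of possession and account lookup (factor 1), then the password (factor 2).
func Authenticate(ca *x509.Certificate, accounts map[string]Account, cert *x509.Certificate, nonce, sig []byte, password string, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("factor 1 failed: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", fmt.Errorf("factor 1 failed: no proof of possession of the certificate key")
	}
	acct, ok := accounts[cert.Subject.CommonName]
	if !ok {
		return "", fmt.Errorf("factor 1 failed: certificate names no account")
	}
	if got := hashPassword(acct.Salt, password); subtle.ConstantTimeCompare(got[:], acct.Hash[:]) != 1 {
		return "", fmt.Errorf("factor 2 failed: wrong password")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	now := time.Now()
	ca, caKey, _ := Issue("Example Corp Root CA", nil, nil, true, now, 10*365*24*time.Hour)
	cert, devKey, _ := Issue("alice", ca, caKey, false, now, 24*time.Hour)
	accounts := map[string]Account{"alice": NewAccount("correct-horse")}
	nonce := []byte("constructed-server-nonce")
	sig, _ := ProveKey(devKey, nonce)
	user, err := Authenticate(ca, accounts, cert, nonce, sig, "correct-horse", now)
	fmt.Println("login:", user, err)
}
```

The order matters: the password is never examined until the device has proven it holds a key certified by the corporate CA, so a leaked password alone does not even reach the second check, which is the property the article relies on when it says a compromised password can only be used on authorized devices.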

To use two-factor authentication, mobile devices must support ActiveSync version 12.0+. At present, it is supported by the following devices:

  • Apple iPhone / iPad with iOS 6.x and higher;
  • Smartphones and tablets with Android version 4.1.2 and higher;
  • Devices with Windows Phone 7 and higher.

An enterprise IT administrator uses the iPhone Configuration Utility (iPCU) to install a configuration profile on Apple devices containing all necessary account information, the user certificates and the certification authority certificate.

On devices running Android and Windows Phone, the administrator installs the created certificate chain and configures the user account, specifying which certificate to use for login. For large organizations, the process can be automated using dedicated Mobile Device Management (MDM) software that manages devices on various platforms (for example, BES 12).
