Kremlin hackers are right now exploiting security hole in VMware software to hijack systems, NSA warns

The NSA reckons Russian government hackers are actively abusing a critical security hole in VMWare's software to infiltrate victims' networks. Sysadmins are urged to deploy the necessary patch as soon as possible. “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware …

  1. Anonymous Coward
    Devil

    If I....

    If I were a bad person I would set about creating valid user names and passwords with sufficient privileges to create new users before rummaging through other people's data. VMware is no different from server-based applications, inasmuch as VMware has all your golden eggs in one basket. Patching once meant fixing some minor irritant to make it work better. This VMware fix is fundamental and should never have happened. Passwords are critical, and it's time to move from devising passwords by cognitive thinking to machine-generated passwords.

    Yours truly

    apg -t -a 0 -n 10 -m 10 -M NCS

    1. Geoff Campbell Silver badge
      Boffin

      Re: If I....

      Machine-generated passwords are not the answer. You or I cannot memorise "a78SHbgP6EhfEhdYEQtu", so we'll write it down.

      The MoD here in the UK have an interesting system which generates nine-character alpha passwords, in three groups of three biased towards vaguely pronounceable but nonsensical syllables, then gives the user a choice of half a dozen. But even this best-case results in large amounts of writing passwords down.

      GJC

      1. Symon
        Big Brother

        Re: If I....

        re: "You or I cannot memorise" So what?

        https://www.troyhunt.com/only-secure-password-is-one-you-cant/

        Writing it down on a piece of paper isn't so bad. It's secure from online attacks, especially if you don't reuse passwords. If someone's prepared to break into your office to get the password, they're probably prepared to threaten you with a claw hammer or bribe you to get the password. But just use a password safe. Then you just remember one password. Try this:-

        https://www.mozilla.org/en-GB/firefox/lockwise/

        It's also getting easier to protect your accounts with 2FA. There are several free authenticator apps for smart phones.

        1. Geoff Campbell Silver badge

          Re: If I....

          Sure, password safes are good. I use one myself, that's where the twenty-character password I posted came from (freshly generated, of course, and I'm so paranoid I'm not even going to tell you which battery safe package I use, just in case).

          But they have limitations. There are systems I want to access on the move, where typing in a decently secure password from a password safe on my phone is a grade one PITA. For those, I'm CorrectHorseBatteryStaple-compliant all the way.

          GJC

          1. Geoff Campbell Silver badge
            Facepalm

            Re: If I....

            "battery safe"? I need more coffee.

          2. Symon
            Devil

            Re: If I....

            Be careful with that approach. The hashcat is coming to get you...

            https://www.pentestpartners.com/security-blog/correcthorsebatterystaple-isnt-a-good-password-heres-why/

            https://hashcat.net/hashcat/

            HTH!

            1. Geoff Campbell Silver badge

              Re: If I....

              Indeed, it's very much a Red Queen race all the way with these things. I try to avoid common words, and throw a few symbols in between, just in case.

              GJC
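The sub-thread above compares four ways of choosing a password: an apg-style random string, the MoD's "three groups of three" pronounceable syllables (with the user picking one of six), a diceware-style passphrase, and a CorrectHorseBatteryStaple built from common words that hashcat can recombine. The following is an added example, not code from any commenter, from apg, or from the MoD's real system: it generates each kind with a CSPRNG and puts numbers on the entropy each one has. The consonant and vowel sets, the 2000-word "common words" list size and the 1e10 guesses-per-second rate are assumptions for illustration only.

```python
import math
import secrets
import string

# All of the following alphabets and sizes are constructed for illustration;
# they are not apg's settings, the MoD's scheme, or any real word list.
ALNUM = string.ascii_letters + string.digits   # 62 symbols, like "a78SHbgP6EhfEhdYEQtu"
CONSONANTS = "bcdfghjklmnprstvwz"               # 18 consonants (assumed)
VOWELS = "aeiou"                                # 5 vowels
COMMON_WORDS = 2000      # assumed size of a "common English words" list an attacker tries first
DICEWARE_WORDS = 7776    # size of a standard 6^5 diceware list
ASSUMED_RATE = 1e10      # assumed guesses/second against a fast, unsalted hash (hypothetical)


def random_string(length=20, alphabet=ALNUM):
    """Machine-generated password: every symbol chosen uniformly with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def pronounceable(groups=3):
    """Rough analogue of 'three groups of three': consonant-vowel-consonant syllables."""
    def syllable():
        return secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)
    return "-".join(syllable() for _ in range(groups))


def entropy_bits(choices_per_symbol, symbols):
    """Entropy of `symbols` independent uniform picks from `choices_per_symbol` options."""
    return symbols * math.log2(choices_per_symbol)


def crack_seconds(bits, guesses_per_second=ASSUMED_RATE):
    """Expected time to hit a password of the given entropy: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second


def comparison():
    """Entropy in bits of the schemes discussed in the thread. Letting the user pick
    one of six suggestions costs at most log2(6) bits, if the attacker can model
    which suggestion people find most memorable."""
    syllable_choices = len(CONSONANTS) * len(VOWELS) * len(CONSONANTS)
    schemes = {
        "20-char random alnum (apg-style)": entropy_bits(len(ALNUM), 20),
        "3x3 pronounceable (MoD-style)": entropy_bits(syllable_choices, 3),
        "3x3 pronounceable, user picks 1 of 6": entropy_bits(syllable_choices, 3) - math.log2(6),
        "4 diceware words (7776 list)": entropy_bits(DICEWARE_WORDS, 4),
        "4 common words (2000 list, hashcat combinator)": entropy_bits(COMMON_WORDS, 4),
    }
    return {name: round(bits, 1) for name, bits in schemes.items()}


if __name__ == "__main__":
    print("random :", random_string())
    print("mod    :", pronounceable())
    for name, bits in comparison().items():
        days = crack_seconds(bits) / 86400
        print(f"{name:48s} {bits:6.1f} bits  ~{days:16.1f} days at {ASSUMED_RATE:.0e} guesses/s")
```

The point the numbers make: the attacker does not search the space of all 20-character strings when the password is four dictionary words, only the word list to the fourth power, so word-list size (and whether the words are "common") matters far more than character length. A "Red Queen" tweak such as a symbol between the words adds only a few bits unless the position and symbol are themselves random.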

      2. Keven E

        Re: If I....

        You or I cannot memorise "a78SHbgP6EhfEhdYEQtu"

        That sounds like a challenge! <snicker>

        That being said, I seem to have memorized (unintentionally) at least 50 passwords from a number of different users as well as many, many permutations of my own... security is supposed to be *hard*.

    2. Roland6 Silver badge

      Re: If I....

      >Passwords are critical, and it's time to move from devising passwords by cognitive thinking to machine-generated passwords.

      Have a vested interest in Credentials Management Systems by any chance?

      One of the issues is that in many organisations, more than one person needs to know various admin passwords, so whilst machine generated passwords are relatively simple for a single user to manage in their personal password locker, things get a lot more complex when those passwords have to be shared across geographically distributed teams - hence why CMS starts to look attractive.

      However, it is worth remembering that a password, however 'complex', is still a single factor... So the simple mitigation - which is worth doing regardless - is to do as the NSA suggests and layer the security so that multiple factors are required to achieve access.

      Although care is needed to avoid creating new flaws, of which the recently disclosed iPhone backdoor is an elegant example: "Flaw allowed iPhone hacking remotely through wi-fi". It is worth skim-reading the linked blog post.

    3. Anonymous Coward
      Anonymous Coward

      Re: If I....

      The problem with "hard passwords are the answer" is that it is still vulnerable to phishing - trying to come up with a complex password to address phishing attacks is probably just giving the spear phisher a larger phish because "unguessable passwords" tend to be used everywhere.

      The article seems to suggest multiple issues:

      - public-facing management interfaces, although maybe "public" in this case is between tenants in a multi-tenant hosting facility. The fix is to remove public access (wrap it in a VPN or similar tunnelling solution, for God's sake...) and to carefully manage access to a known set of addresses via ACLs

      - ideally, use 2FA for critical infrastructure authentication. And if the application doesn't support 2FA, ensure that access from untrusted devices (i.e. VPN clients) does require 2FA. And before anyone complains about cost, it is essentially free for the admin staff of small companies with the likes of Duo/MS/Google/Authy etc.

      - if the first two steps aren't possible, THEN use hard passwords and ensure they aren't re-used, i.e. if your e-mail account is phished, ensure the password doesn't give access to all your critical admin accounts by using separate hard passwords. And maybe question why your organisation doesn't take security seriously - or at least seriously enough to reduce high-risk issues with simple, low-cost fixes.

  2. Anonymous Coward
    Anonymous Coward

    Pot and Kettle (again)

    Headline needs a rewrite:

    *

    "NSA and other Five Eyes hackers are right now exploiting security hole in VMware software to hijack systems, NSA warns."

    *

    There....fixed.

  3. _LC_
    Stop

    Whenever the Russians are taken out of the sack

    Whenever the Russians are taken out of the sack, one inevitably wonders what they are trying to distract you from. In this case the answer is quite easy to find:

    .

    https://news.cgtn.com/news/2020-11-17/How-the-U-S-Danish-scandal-reveals-the-hypocrisy-of-Clean-Network--Vudb3n1LZS/index.html

    "How the U.S.-Danish scandal reveals the hypocrisy of the 'Clean Network'"

    .

    https://www.datacenterdynamics.com/en/news/danish-whistleblower-details-nsa-collaboration-submarine-cable-spying-surveillance-data-center/

    "Danish whistleblower details NSA collaboration, submarine cable spying, surveillance data center"

    .

    https://www.techzine.eu/news/security/52178/danish-intelligence-agency-helped-nsa-spy-on-europe/

    "The National Security Agency, an American intelligence agency, has had access to Danish intelligence networks to spy on several countries in northern Europe for years."

    .

    https://www.bbc.com/news/world-europe-53889612

    "Denmark's military intelligence head has been suspended after it was revealed the agency had broken laws and misled the intelligence watchdog."

    .

    https://www.thelocal.dk/20201117/us-accused-of-spying-on-danish-and-european-defence-industries

    "Seven years after the Edward Snowden scandal, new allegations that the US spied on close allies have emerged in Denmark, this time regarding the defence industry and a Danish fighter jet tender won by the US."

    .

    https://www.thedrive.com/the-war-zone/37668/nsa-spied-on-denmark-as-it-chose-its-future-fighter-aircraft-report

    "NSA Spied On Denmark As It Chose Its Future Fighter Aircraft: Report"

    ...

    1. Roland6 Silver badge

      Re: Whenever the Russians are taken out of the sack

      >"Seven years after the Edward Snowden scandal, new allegations that the US spied on close allies have emerged in Denmark, this time regarding the defence industry and a Danish fighter jet tender won by the US."

      Allegations; given the UK evidence going back decades, expect these to be well-founded and probably supported by evidence. Perhaps now some people will understand why the US were keen on leaning on its allies to not use Huawei kit...

      1. Anonymous Coward
        Anonymous Coward

        Re: Whenever the Russians are taken out of the sack

        @Roland6

        *

        https://www.theguardian.com/uk-news/2018/sep/21/british-spies-hacked-into-belgacom-on-ministers-orders-claims-report

        *

        About those dangerous hackers in Cheltenham.....they need to stop stealing the secrets of Belgian chocolate......please, Roland, how are we going to stop them?

        *

        Then there's the Americans, the Australians and the other bad guys in the Five Eyes.......long before we get to the Chinese!!

        *

        Oh...I know.....OUR HACKERS are the "good guys"......it's those nasty foreigners bringing the Internet into disrepute!!!

  4. sabroni Silver badge
    Facepalm

    they can compromise your network if they have an admin password

    Really? So we need to keep passwords secret! Good tip!!

    No really, well done!

    1. Version 1.0 Silver badge

      Re: they can compromise your network if they have an admin password

      They can compromise your network if you are connected to the Internet - FTFY

  5. Anonymous Coward
    Anonymous Coward

    This be the verse

    TfYuYmAdTdMtBtD

    *

    Password suggestion from Philip Larkin......easily memorable too.

    *

    But obviously, people, try a different poem.....this one is too well known!
