Search This Blog

Showing posts with label SSH. Show all posts

GitHub Announced Security Key Support for SSH Git Operations

 

When using Git over SSH, GitHub, the ubiquitous host for software creation and version control (and unfortunate victim of a relentless stream of attacks targeting the same), now supports encryption keys.

GitHub security engineer Kevin Jones said in a blog post on Monday that this is the next step in improving security and usability. These portable FIDO2 fobs are used for SSH authentication to protect Git operations and avoid the havoc that can occur when private keys are misplaced or stolen, or when malware attempts to execute requests without user permission. For instance, in 2019, the TrickBot data-stealing malware was updated to include a password grabber that could attack data from OpenSSH applications. 

These security keys, which include the YubiKey, Thetis Fido U2F Security Key, and Google Titan Security Keys, are easy to carry around in your pocket and attach to computers via USB, NFC, or Bluetooth. They can be used instead of one-time passwords generated by apps or sent via SMS. SMS SSH codes sent via text can currently be intercepted.

Strong passwords are still relevant, but because of the proliferation of data breaches and cyberattacks, they are becoming less useful as a single security mechanism, prompting the development of password managers that often check for credential leakage online, biometrics, and security keys. 

"We recognize that passwords are convenient, but they are a consistent source of account security challenges," Jones commented. "We believe passwords represent the present and past, but not the future. By removing password support for Git, as we already successfully did for our API, we will raise the baseline security hygiene for every user and organization, and for the resulting software supply chain." 

Since keys are one of the variables in multi-factor authentication (MFA), users can treat them with the same care as any other credential. You should have your security key plugged in if you're the only one that has access to it. “When using SSH with a security key, none of the sensitive information ever leaves the physical security key device,” Jones added. “If you’re the only person with physical access to your security key, it’s safe to leave plugged in at all times.” 

When you use a security key, neither ransomware nor unintended private-key leakage will reveal your keys, he said: “As long as you retain access to the security key, you can be confident that it can’t be used by anyone else for any other purpose.”

GitHub Informed Clients of “Potentially Serious” Security Bug

 

GitHub on Monday informed clients that it had found what it described as an “extremely rare, but potentially serious” security bug identified with how some authenticated sessions were handled. On 8th March GitHub signed out all clients that were signed in before March 8th. The precautionary measure was taken seven days after the organization had gotten an underlying report of dubious conduct, from an external party. 

The Microsoft-owned software development platform said the bug was found on March 2 and an underlying patch was carried out on March 5. A subsequent fix was delivered on March 8 and on the evening of that very day the organization chose to invalidate all authenticated sessions to completely eliminate the possibility of exploitation. On Friday, the GitHub team has remediated the security flaw and kept on analyzing the situation over the weekend. The vulnerability being referred to, could be misused in extremely rare circumstances, when a rare condition would happen during the backend request handling process, permitting the session cookie of a logged-in GitHub client to be sent to the software of another client, giving the latter access to the former user’s account.

“It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems,” says Mike Hanley, GitHub’s recently appointed chief security officer. “Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user.” 

The organization declared that the bug existed on GitHub.com for less than two weeks and it doesn't resemble some other GitHub.com assets or products were impacted as a result of this bug. "We believe that this session misrouting occurred in less than 0.001% of authenticated sessions on GitHub.com. For the very small population of accounts that we know to be affected by this issue, we’ve reached out with additional information and guidance,” continues Hanley in the announcement. 

The organization is still analyzing if any project repositories or source code were messed with because of this vulnerability as this kind of authentication vulnerabilities could pave the way for software supply-chain attacks.

Secure your Home Server from being used as a Hacking Server by Crooks


SSH also referred to as Secure Shell, is a cryptographic network protocol which secures remote login from one computer to another. It is employed by almost all the Linux sysadmins and although Windows users are more acquainted with Remote Desktop Protocol (RDP), many of Window sysadmins also use SSH instead of RDP, the reason being its Raw power.

RDP provides full graphical remote control of a Windows computer to its users along with access to the regular Windows desktop through keyboard and mouse, whereas SSH, which is comparatively more genric, allows user to run almost every program remotely which further lets him administer the system automatically from a distance through pre-written scripts or by entering commands live, it also allows user to do both simultaneously.

Resultantly, cybercriminals who somehow can get access to a user's SSH password can also access his system, if not the entire network.

Network tunneling is another feature provided by SSH, wherein, users build an encrypted network connection between multiple computers, they start from one computer to another and extends that connection to a third system to carry out the online work.

SSH server also acts as a special-purpose VPN or encrypting proxy when it allows users to redirect network traffic when they are on the go.

Therefore, criminals who have access to any user's SSH password can use his server as the basis for his future attacks and the victims would be blaming the owner of the server.

Now, unfortunately, people have an SSH server at their home even if they don't realize it as home routers have a pre-configured SSH server which is placed for administrative reasons.

While hacking, cybercriminals do not differentiate between the SSH servers manages by users themselves and those managed by their ISP's, they go on exploiting regardless, as these servers can potentially allow them to breach data and make a profit via reselling it.

Users are advised to take the time to understand and get familiar with their router's configuration settings, in the cases where it is not managed by ISP. Furthermore, turn off all the features you don't require and also the ones you are not certain about. Lastly, ensure that you are using the latest version.