Weak Password used in Ransomware Attack

Posted by Steven Maglio on Monday, May 13, 2019

Recently, it’s been reported that there have been a number of ransomware attacks against Github and Bitbucket. The attacks have a similar attack pattern of using a brute force/dictionary attack to gain access to accounts with weak passwords. At least, that’s the theory at this time. (Updated 5/18/2019: Github has posted on their blog that credentials were gained through account leakage.)

We are currently in the process of thinking about moving a large amount of source control into Github and wanted to see what sort of mitigations we have in place for access to source control through a browser.

  1. Secondary SSO System

    We are going to use a Github Enterprise account, which will be connected to an on-premise SSO solution.

    To log into our GitHub repositories you will need to log in through Github username/password system and then you will have to log in a second time through our on-premise SSO solution.
  2. Strong Password Requirements in On-Premise SSO

    Logging in twice doesn’t prevent a weak password from being vulnerable. So, that needs to be a way to enforce strong password strength.

    I don’t know if it’s possible to enforce strong password policies within Github (ie. 15 characters, a variety of character types, etc.). But, I know that we do have strong password enforcement within our on-premise SSO. So, that should solve the “weak password” problem.
  3. Required MFA in Organizational Github Enterprise Account

    Another quick thing that should alleviate weak passwords is MFA. Within Github Organizations you can require that 2FA be turned on for your organization. Github offers a number of options for 2FA, but the preferred option should be a TOTP compatible device (like Google Authenticator). Text messages have proven to be a bit insecure.
  4. Require MFA on On-Premise SSO

    So, this ones a bit trickier to work out. I haven’t seen an option in Github which would allow it’s third-party integration system (the one that interacts with the On-Premise Authentication System) to support checking for a field within the returned attributes which states that the third-party/on-premise authentication system used MFA to authenticate the end user. If it was possible to do that, then it would be useful to require that the source control users setup MFA within the On-Premise SSO system as well.

Labels: ,

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Creative Commons License
This site uses Alex Gorbatchev's SyntaxHighlighter, and hosted by herdingcode.com's Jon Galloway.