If you weren’t in Amsterdam last week, you missed out on a session at the Hack in the Box conference that is sure to be of interest to PeopleSoft customers. Researchers from ERPScan presented their latest findings in ERP vulnerability research and how PeopleSoft is affected.
The most critical finding is that the PeopleSoft-specific PS_TOKEN cookie can be brute forced to recover the internal password used to sign the cookies. An attacker who recovers that password can generate valid PS_TOKEN cookies at will for whatever user name they choose.
Fear not though; there are ways to make sure that your PeopleSoft system is secure.
What is a PS_TOKEN cookie?
For those that aren’t familiar, the PS_TOKEN is what PeopleSoft uses to verify that someone has been authenticated by a PeopleSoft system. It is not the same as the regular session cookie that identifies a given login session, but is one of the mechanisms for establishing a new session. For example, someone might log in to a PeopleSoft system for Financial data, receive a PS_TOKEN cookie, and then, when accessing a PeopleSoft system for Human Resource data, the PS_TOKEN cookie allows them access without needing to log in again for the HR system.
This works by defining in the PeopleSoft configuration which nodes trust each other. In the example above, where someone logged in to the Financials system and was given a PS_TOKEN cookie, the HR system lets that person continue without authenticating only if all three of the following hold:
- the node that created the cookie (the Financials system) is in the list of nodes that the HR system trusts;
- the PS_TOKEN cookie has not expired (the default expiration is 8 hours, but this is configurable); and
- the user account that the PS_TOKEN cookie was issued for exists in the HR system.
How can you mitigate the risk?
Unfortunately, generating a PS_TOKEN cookie when someone logs in is hard-coded into PeopleSoft, even if you have only one PeopleSoft system. In theory, you can remove all nodes from the trusted node table so that the generated PS_TOKEN cannot be used to establish new sessions, but this also breaks some system-level functionality (e.g. reporting stops working), which makes it impractical.
It turns out, though, that you don’t even need a PS_TOKEN cookie to work in PeopleSoft. Who knew?!? You can test this yourself: log in to a PeopleSoft environment with a browser that allows deleting individual cookies, such as Google Chrome, and remove the PS_TOKEN cookie after you have logged in. Everything continues to work properly.
Deleting the cookie manually is not viable either, though. This is something that you can do with the Appsian Security Platform for PeopleSoft: remove the PS_TOKEN for just the public browsing sessions, or for all users if you don’t rely on the PS_TOKEN cookie to transfer users between different PeopleSoft systems.
You can also create rules in the Security Platform that permit use of the PS_TOKEN on your internal network but block it for external users.
How about external authentication such as Kerberos/Shibboleth/OAuth2?
If you already have PeopleSoft configured for external authentication, then you definitely don’t need the PS_TOKEN cookie to pass users between different PeopleSoft systems. When a person crosses from one system to the other, your external authentication kicks in and automatically logs them in to the other environment.
Doesn’t Two Factor Authentication fix this?
If you require two factor authentication each time someone logs in to PeopleSoft, then this greatly reduces the exposure from an attacker being able to generate their own PS_TOKEN cookies. They would be able to start a session, but then would be immediately challenged for the second factor of authentication.
The Appsian Security Platform for PeopleSoft supports requiring a two factor challenge at authentication time, but one issue is that usability suffers dramatically when constantly requiring a second factor at login time. In fact, what we typically see with Appsian customers implementing the Security Platform is that it is preferred to wait until someone accesses sensitive data/actions before requiring the additional factor of authentication. This hits a balance between locking things down and the user experience.
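The trade-off described above can be made concrete with a small policy simulation. This is an added example written for this page, not code from the Security Platform or from PeopleSoft: it replays one employee’s day of logins and page views under two policies, a second factor at every login versus a second factor only when a sensitive page is requested (with a short freshness window so a user is not re-challenged on every click), and then replays an attacker who starts a session from a forged PS_TOKEN but cannot answer the challenge. The path patterns, the 15-minute window and the event timeline are constructed assumptions for the example.

```python
import re

# Constructed step-up policy. Patterns and window are assumptions for this
# example, not the product's configuration format.
SENSITIVE_PATHS = [
    re.compile(r"\.DIRECT_DEPOSIT"),
    re.compile(r"\.W2_"),
    re.compile(r"\.GRADE_CHANGE"),
]
MFA_FRESHNESS = 15 * 60   # seconds a completed second factor stays valid


class Session:
    def __init__(self, user):
        self.user = user
        self.mfa_at = None    # time the second factor last succeeded, or None


def is_sensitive(path):
    return any(p.search(path) for p in SENSITIVE_PATHS)


def decide(policy, session, kind, arg, now):
    """policy 'at_login': challenge every new session (password or PS_TOKEN alike).
    policy 'step_up': challenge only a sensitive request with no fresh second factor.
    kind is 'login' (arg = user) or 'get' (arg = path). Returns 'allow' or 'challenge'."""
    if policy == "at_login":
        needs_factor = kind == "login"
    else:
        needs_factor = kind == "get" and is_sensitive(arg)
    if not needs_factor:
        return "allow"
    if session.mfa_at is not None and now - session.mfa_at <= MFA_FRESHNESS:
        return "allow"            # challenged recently; do not nag again
    return "challenge"


def simulate(policy, events, can_pass_mfa=True):
    """Replay (time, kind, arg) events. Returns (challenges issued, sensitive pages served).
    A party that cannot pass the challenge is stuck there and nothing further is served."""
    challenges = served = 0
    session = None
    for now, kind, arg in events:
        if kind == "login":
            session = Session(arg)
        if session is None:
            continue
        if decide(policy, session, kind, arg, now) == "challenge":
            challenges += 1
            if not can_pass_mfa:
                session = None
                continue
            session.mfa_at = now
        if kind == "get" and is_sensitive(arg):
            served += 1
    return challenges, served


def T(h, m=0):
    return h * 3600 + m * 60


# Constructed timeline: four logins in a day, three sensitive pages, the rest routine.
USER_DAY = [
    (T(9), "login", "alice"),
    (T(9, 2), "get", "/psp/hr/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.HOME"),
    (T(9, 5), "get", "/psp/hr/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.DIRECT_DEPOSIT"),
    (T(9, 10), "get", "/psp/hr/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.W2_REPRINT"),
    (T(11), "login", "alice"),
    (T(11, 1), "get", "/psp/hr/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.HOME"),
    (T(14), "login", "alice"),
    (T(16), "login", "alice"),
    (T(16, 30), "get", "/psp/cs/EMPLOYEE/HRMS/c/SA_LEARNER.GRADE_CHANGE"),
]
# Constructed attacker: session started from a forged PS_TOKEN for alice.
ATTACKER = [
    (T(3), "login", "alice"),
    (T(3, 1), "get", "/psp/hr/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.DIRECT_DEPOSIT"),
]

if __name__ == "__main__":
    for policy in ("at_login", "step_up"):
        print(policy, "employee (challenges, sensitive served):", simulate(policy, USER_DAY))
        print(policy, "attacker (challenges, sensitive served):",
              simulate(policy, ATTACKER, can_pass_mfa=False))
```

Both policies leave the attacker with a session that reaches no sensitive page; the difference is that the step-up policy challenges the legitimate employee twice in the day instead of four times.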
What about using a stronger hashing algorithm?
A stronger hashing function will help, but less than you think. Benchmarks from tools like oclHashcat show that guessing SHA-256 hashes runs at about 40% of the speed of guessing SHA-1 hashes, and SHA-512 at about 14% of the SHA-1 speed. That is a constant factor of roughly 2.5x or 7x more work per candidate; it does not change the size of the search space, which is set by the length and entropy of the secret being guessed.
So if it would have taken someone 8 hours before to break an SHA-1 hash, now they have to wait overnight in order to break an SHA-256 hash. Or they have to wait a few days to break an SHA-512 hash. Not a big deal if full access to a PeopleSoft environment as any user is the prize.
The other thing to keep in mind is that you can now rent GPU instances from Amazon with over 1500 cores in them and breaking hashes is something that is, as they say, embarrassingly parallel.
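To make the attack and the three acceptance rules above concrete, here is an added example written for this page. It is not ERPScan’s tool and does not use the real PS_TOKEN layout; it assumes a simplified token, four plain-text fields followed by a hex digest of those fields concatenated with a shared secret that only the issuing node knows. The receiving node checks the signature, then the trusted-node, expiry and user-exists rules. The attacker takes one token issued for their own account, guesses the secret offline against the embedded digest, and then mints a token for another user ID. The same search is run with SHA-256 to show that the number of guesses is unchanged; only the per-guess cost differs. The node names, user IDs, the 3-character secret and the 36-symbol alphabet are constructed for the example.

```python
import base64
import hashlib
import hmac
import itertools
import string

# Assumed token layout for this example (NOT the real PS_TOKEN format):
# base64( user|lang|node|issued|hexdigest(user|lang|node|issued + secret) )
FIELDS = ("user", "lang", "node", "issued")
ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols, constructed keyspace


def sign(fields, secret, algo="sha1"):
    """Issuing node mints a token over the four fields with its shared secret."""
    data = "|".join(str(fields[k]) for k in FIELDS)
    digest = hashlib.new(algo, (data + secret).encode()).hexdigest()
    return base64.b64encode(f"{data}|{digest}".encode()).decode()


def parse(token):
    """Split a token into (fields dict, signed data string, digest)."""
    parts = base64.b64decode(token).decode().split("|")
    return dict(zip(FIELDS, parts[:-1])), "|".join(parts[:-1]), parts[-1]


def verify(token, secret, trusted_nodes, known_users, now, max_age=8 * 3600, algo="sha1"):
    """Receiving node: signature first, then the three acceptance rules."""
    fields, data, digest = parse(token)
    expected = hashlib.new(algo, (data + secret).encode()).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return "bad signature"
    if fields["node"] not in trusted_nodes:          # 1) issuing node must be trusted
        return "issuing node not trusted"
    if now - int(fields["issued"]) > max_age:        # 2) not expired (default 8 hours)
        return "token expired"
    if fields["user"] not in known_users:            # 3) user must exist on this node
        return "user does not exist here"
    return "ok"


def crack(token, alphabet=ALPHABET, max_len=3, algo="sha1"):
    """Offline guess of the shared secret from one captured token.
    Returns (secret, candidates tried); secret is None if not found within max_len."""
    _, data, digest = parse(token)
    prefix = data.encode()
    tried = 0
    for length in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=length):
            tried += 1
            guess = "".join(cand)
            if hashlib.new(algo, prefix + guess.encode()).hexdigest() == digest:
                return guess, tried
    return None, tried


def forge(recovered_secret, user, node, now, algo="sha1"):
    """With the secret recovered, mint a fresh token for any user ID at all."""
    return sign({"user": user, "lang": "ENG", "node": node, "issued": now},
                recovered_secret, algo)


if __name__ == "__main__":
    now = 1_700_000_000
    weak_secret = "s3c"                      # constructed: Financials node FIN signs with this
    mine = sign({"user": "alice", "lang": "ENG", "node": "FIN", "issued": now - 60}, weak_secret)
    hr_trusted, hr_users = {"FIN"}, {"alice", "PS"}
    print("HR accepts my own token:", verify(mine, weak_secret, hr_trusted, hr_users, now))
    secret, tried = crack(mine)
    print(f"recovered secret {secret!r} after {tried} guesses")
    forged = forge(secret, "PS", "FIN", now)  # "PS" assumed to exist on the HR node
    print("HR accepts forged token for PS:", verify(forged, weak_secret, hr_trusted, hr_users, now))
    mine256 = sign({"user": "alice", "lang": "ENG", "node": "FIN", "issued": now - 60},
                   weak_secret, "sha256")
    print("guesses needed with SHA-256:", crack(mine256, algo="sha256")[1])
```

Three lower-case characters fall to a few tens of thousands of guesses in under a second in pure Python; the defence that actually changes the outcome is a long, random shared secret (and not exposing the token at all where it is not needed), not a slower hash.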
For additional information on the Security Platform or Appsian visit www.appsian.com.
GreyHeller is thrilled to showcase our Mobile and Security solutions at Collaborate 2015. From announcing new partnerships, to launching your institution’s mobile strategy, to practical ways to protect your ERP systems, we’ll be available to demo our solutions and answer your questions.
Turn your employees into fans of your PeopleSoft application. PeopleMobile® provides a modern, easy to use experience that your employees will love.
- Provide a beautiful mobile and desktop experience that matches your brand identity
- “Plug and Play” your PeopleSoft content with mobile applications and portals
- Transform any of PeopleSoft’s 6,000 pages, including customizations
- Implement quickly and easily using your existing PeopleSoft version and infrastructure
- Leverage your employees’ existing PeopleSoft skills for implementation and support
- Responsive Design
- Automatically transforms any PeopleSoft page
- Adapts to customizations and new PeopleSoft releases
- Compatible with PeopleTools 8.45 and greater
Protect and secure your organization and your PeopleSoft investment. ERP Firewall mitigates internal and external risks while lowering total cost of ownership.
- Control access outside the perimeter
- Reduce or eliminate data leakage
- Protect against compromised credentials
- Empower security administrators with visibility into system use including incident response
- Protect against misuse of personal information for high profile students by administrators
- Data Masking
- 2-Factor Authentication
- Location Based Security
- VIP Data Protection
- Delegate Access
- Logging & Analysis
Visit booth 636 at Collaborate 2015 for more information on our Mobile and Security solutions and to check out how our products work with our partners’ solutions: GreyHeller + Modo Labs and GreyHeller + Duo Security.
August 26, 2014 – San Ramon, CA – According to a recent advisory issued by Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), Higher Education faculty and administrators are being targeted with sophisticated spearphishing attacks. Cyber criminals harvest credentials and then alter victims’ payroll bank account information to re-route direct deposits to bank accounts controlled by the cyber criminals.
Tactics, techniques and procedures (TTPs) of the cyber criminals include:
- Altering direct deposit account information
- Messages spoofed to appear as if they came from the appropriate department, e.g. HR for “salary increase” lures or the IT department for “mailbox exceeded” lures
- Spoofed login screens that are a close replica of legitimate login screen
- Targeting of faculty and staff
- Using university images within e-mail text
- Spoofed institution-specific prompts for additional credential information, e.g., PINs, bank account numbers
- URLs mimicking legitimate (and accessible) portal URLs
- Use of the “salary increase” approach seems to coincide with the end of the fiscal year
The phishing e-mails have contained official institutional images, often via an HTML image link direct to the resource.
“Higher Education is a honey pot for the bad guys. We know of dozens more institutions that have been spearphished than are mentioned in the REN-ISAC report,” according to Greg Wendt, GreyHeller’s Executive Director of Security Solutions.
GreyHeller’s Security Suite complies with REN-ISAC’s recommended prevention techniques:
- Redacting or masking of sensitive data
- Implementing Two-Factor Authentication at the transaction layer
- Limiting self-service functions by location – on- or off-campus
- Detailed and specific logging of the most critical events
“Our recent Security webinar series focused on helping organizations mitigate cybercrime. ‘How to implement Two-Factor Authentication’ and ‘Logging/Analysis and Incident Response’ contain information that will thwart the bad guys,” stated Mr. Wendt.
Recordings of the webinars can be found on GreyHeller’s website. The full REN-ISAC advisory can be found here.
San Ramon, California-based GreyHeller serves Oracle® PeopleSoft customers globally across all industries, helping them secure and mobilize their PeopleSoft investment. GreyHeller’s software solutions – PeopleMobile®, ERP Firewall and Single Signon – are in production at nearly 100 PeopleSoft customers. PeopleMobile® renders PeopleSoft responsive across any mobile device and desktop. ERP Firewall and Single Signon protect PeopleSoft customers from criminal and inadvertent breach. For more information about GreyHeller, please visit www.greyheller.com.
Ethical Hackers at Rhino Security Labs released information about serious security holes within Oracle applications this week. Millions of records were at risk across numerous state and federal agencies, colleges and ports.
There are several causes of an event like this. Lax security and poor change control policies are at the forefront. Isn’t it time to stop “hoping” that you do not get hacked? Utilizing the ERP Firewall for multi-factor authentication could have stopped access like this before it started.
Oracle released the patch for this issue more than two years ago. Two years, and it is still an issue in production systems around the world. Maintenance and security go hand in hand. If your organization cannot stay current on maintenance, then you owe it to your customers to implement the ERP Firewall to protect their data. If your organization does stay current with maintenance, you still owe your customers the same level of protection the ERP Firewall provides.
As the article states, “This is somewhat bigger than some of the major data breaches we’ve seen in the credit card industry,” said Caudill. “Even though there’s many fewer records here, only a few million, we’re talking about Social Security numbers, dates of birth, everything you need for identity theft, as opposed to credit card theft.”
Securing your applications is not optional; it is mandatory. Make the call today, because it is not just your job you are saving, it is your identity.
Costs associated with the Maricopa County Community College District (MCCCD) data breach that occurred in April 2013 continue to rise and have nearly reached the $20 million mark.
Higher education institutions store the same sensitive data as do banks – SSN; DOB; Address; Bank account/Direct Deposit.
Higher education institutions almost by definition have open networks.
The bad guys have figured that out and are launching full scale attacks on PeopleSoft higher ed customers.
Do the math: licensing ERP Firewall costs a fraction of what a data breach costs.
Larry just posted a YouTube video that describes how our ERP Firewall product’s 2-Factor Authentication feature can help prevent students from hacking into PeopleSoft Campus Solutions and changing grades. The video contains specifics on how 2-Factor Authentication works.
Larry created the YouTube video based on what was reported recently at Purdue University where students are facing felony charges for hacking into secure systems and changing grades (we don’t know whether the Purdue incident involved PeopleSoft).
Apparently, hacking to change grades is not uncommon: