Amping Up Auth Security in Response to Trojan Alert for Salesforce.com
A recent alert was released last week when one of Salesforce.com’s security partners reported that the Dyre Trojan may now be targeting some Salesforce.com users. Dyre, found by PhishMe researchers, is said to be used in the recent JPMorgan Chase phishing email campaign currently undergoing investigation. The last breach reported by the bank in December 2013 affected nearly 500,000 individuals, as reported by Reuters.
Their Salesforce.com-specific recommendations for organizations include:
- Work with your IT security team to ensure your anti-malware can detect Dyre
- Activate IP Range Restrictions so that users can access Salesforce.com only from your corporate network or VPN
- Use SMS/Email Identity Confirmation as added login protection alongside Salesforce credentials
- Implement the Salesforce# Authenticator App, which adds another layer of security with 2-step verification
- Leverage SAML authentication capabilities that require all authentication attempts to be sourced from your network
I had to do a little more digging to find details on their authentication security options, including two-factor authentication. In a video titled Enhancing Security with Two-Factor Authentication, they stated that Salesforce.com automatically conducts Risk-Based Authentication whenever customers log in, which includes the following:
- Analyzes authentication events for network location and activated browsers
- Sends one-time passwords via email or text message
- Lets you view and manage information, including user network and browsers
- Lets you set up trusted networks
Customers are also given the option to enable Salesforce.com’s two-factor authentication mobile app, which generates time-based OTPs (one-time passwords): a code that changes continually and must be typed manually into the login prompt.
As the app’s screenshot shows, it displays a countdown of the number of seconds you have left to use the generated code before the app generates a new one (typically every 30-60 seconds).
Their ‘high assurance’ session level setting lets you prompt for two-factor authentication whenever anyone logs into certain apps, reports or dashboards.
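As an added example (not Salesforce’s app or code), this is the RFC 6238 TOTP computation an authenticator app of this kind performs, including the countdown described above and a server-side check; the secret is the RFC 6238 test-vector key, constructed for the demo. The server-side `verify` makes the page’s later point concrete: the verifier learns only that the code is right for the current window, not who typed it or from where.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code; the app's countdown runs from STEP down to 1

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238: the counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, at // step, digits)

def seconds_remaining(at: int, step: int = STEP) -> int:
    """What the authenticator's countdown shows: time left before the code rolls over."""
    return step - (at % step)

def verify(secret: bytes, code: str, at: int, digits: int = 6, skew: int = 1) -> bool:
    """Server side: accept the code for the current step and `skew` steps either side
    to absorb clock drift. Note what is NOT checked: who submitted the code, or from
    which session. Any party that learns the code inside its window can present it,
    which is the property a browser-hooking Trojan relies on."""
    counter = at // STEP
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False

if __name__ == "__main__":
    import time
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, constructed for the demo
    now = int(time.time())
    print(totp(secret, now), "valid for", seconds_remaining(now), "more seconds")
```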
Out-of-Band Authentication (OOBA) to Defeat Dyre
In a Knowledge Article on Two-Factor Authentication on the Salesforce website, they state that two-factor authentication is a combination of:
- Password you already know
- Additional randomly generated password that refreshes
That is certainly true in this case, but other two-factor authentication products offer additional authentication methods. Duo’s two-factor mobile app gives you the option to authenticate via a push notification, which not only saves you the trouble of typing in a one-time passcode (a series of random numbers), but also gives you a more secure, out-of-band way of authenticating.
Why is it more secure? Follow this narrative: as other news articles state, the banker Trojan Dyre (detected by ESET software as Win32/Battdil.A, with other aliases including Infostealer.Dryanges, Win32:Dyre-D and Dyreza, according to WeLiveSecurity.com) can effectively bypass both SSL encryption and two-factor authentication systems (that is, certain two-factor methods, including the most common one, which uses one-time passwords). WeLiveSecurity.com describes the threat in more detail:
Dyre’s danger lies in its ability to dupe users into believing they have a secure SSL connection to a bank, while in fact it is performing a ‘man-in-the-middle’ attack, intercepting data without disrupting what appears to be a legitimate secure connection.
Dyre injects malicious code into web browsers, ready to steal information when victims visit their banking site.
This type of ‘browser hooking’ technique means the Trojan can steal banking credentials in addition to passcodes or one-time passwords typed into a two-factor authentication prompt, effectively allowing remote attackers to log into your bank account, or, in this case, your Salesforce.com account.
A two-factor authentication method that pushes notifications to your phone inherently requires possession of your smartphone to verify your identity, effectively protecting against a man-in-the-middle attack carried out by a Trojan like Dyre. Implementing two-factor authentication on your other web-based cloud app logins can help protect users against credential-stealing malware and Trojans and keep accounts safe. I explain this more in a blog refuting the claims of a 2FA bypass in Answer to OTP Bypass: Out-of-Band Two-Factor Authentication.
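An added illustration of the out-of-band property, not Duo’s or Salesforce’s actual protocol: the server pushes the login’s context to the enrolled phone, and only an approval computed there with the device key completes the login, so nothing typed into or observed from the browser session is enough on its own. The user, device key, and request fields are constructed for the demo; a production app would hold an asymmetric device key rather than a shared one.

```python
import hashlib
import hmac
import json
import secrets

# Constructed enrolment state: one shared per-device key (a real app would hold an
# asymmetric key). The server never sends a code that could be typed into a browser.
DEVICE_KEYS = {"alice": hashlib.sha256(b"constructed-demo-device-key").digest()}
PENDING = {}  # request id -> pushed request, consumed exactly once

def start_login(user: str, src_ip: str, user_agent: str) -> dict:
    """Server, after the password check: record the attempt and push its context."""
    req = {"id": secrets.token_hex(8), "user": user, "ip": src_ip, "ua": user_agent}
    PENDING[req["id"]] = req
    return req

def _mac(key: bytes, req: dict, decision: str) -> str:
    """HMAC over the exact request the phone displayed plus the user's decision."""
    msg = json.dumps([req["id"], req["user"], req["ip"], req["ua"], decision],
                     separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def phone_respond(device_key: bytes, pushed: dict, decision: str) -> dict:
    """Runs on the enrolled phone: the user sees the IP and browser, taps approve or deny."""
    return {"id": pushed["id"], "decision": decision,
            "mac": _mac(device_key, pushed, decision)}

def finish_login(resp: dict) -> bool:
    """Server: the login completes only on an approval the enrolled device computed
    for this specific, still-pending request. The request id alone, which is all the
    browser channel could observe, does not verify."""
    req = PENDING.get(resp.get("id", ""))
    if req is None:
        return False  # unknown, expired, or already-consumed request (replay)
    expected = _mac(DEVICE_KEYS[req["user"]], req, resp.get("decision", ""))
    if not hmac.compare_digest(expected, resp.get("mac", "")):
        return False  # not from the enrolled phone; leave the request pending for it
    del PENDING[req["id"]]  # consumed exactly once, whatever the decision
    return resp["decision"] == "approve"
```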
Salesforce.com states that it uses two-factor authentication in conjunction with its VPN vendor (Cisco) in order to sign users onto the VPN successfully, noting that its two-factor authentication vendor (RSA) is, of course, different from its VPN vendor. Learn more about integrating 2FA with VPNs in Two-Factor Authentication for VPN. Additionally, find out how to integrate and use a better two-factor authentication solution with your third-party accounts.