Weekly Cyber Security News: 17th July 2018

Posted by on July 17, 2018 0 Comment

This is a weekly news update for the 17th of July 2018. This post is part of the weekly news series on cybersecurity with content curated by the hackers & experts at Security Brigade.

India Among Top Three Countries Most Targeted For Phishing

Phishing and malware-based attacks are the most prolific online fraud tactics developed over the past decade. Phishing attacks not only enable online financial fraud but these sneaky threats chip away at our sense of security as they get better at mimicking legitimate links, messages, accounts, individuals and sites.
According to the RSA Quarterly Fraud Report for the period between January 1 to March 31, 2018, phishing accounted for 48 per cent of all cyber-attacks. The report that contains fraud attack and consumer fraud data and analysis, noted that Canada, the United States, India and Brazil were the countries most targeted by phishing.
Read More

The Biggest Hacks And Data Breaches of 2018 (so far)

We’re now more than halfway through 2018, and the number of data breaches is ramping up. This year has seen more third-party services being breached and customer data stolen from multiple companies in one go. From the devastating Aadhar breach to Ticketmaster, here’s a roundup of the year in breaches.
Read More

Online Bank Accounts Among Hackers’ Favorite Targets

The number-one threat is attacks that target web application users. Alarmingly, 87 per cent of banking web applications and all government web applications tested by Positive Technologies were susceptible to attacks against users. Users of government web applications, in particular, tend not to be security-savvy, which makes them easy victims for attackers.
Read More

The IoT’s Perplexing Security Problems

With over 50 billion dollars spent globally on IoT products, companies need to pay attention to the deployment of IoT devices. Devices are regularly put online with default passwords, legacy code riddled with known vulnerabilities, and a lack of defined policies and procedures to monitor them, leaving companies extremely vulnerable.
Read More

Endpoint Security-Related Issues That Providers Encounter

Endpoint security is of critical importance to all kinds of organizations. Efforts are on to secure all endpoints in enterprise networks. These include mobile devices, laptops, desktops, servers etc. “Fileless attacks”, which exploit gaps in traditional security, are also on the rise and efforts are on to prevent these as well.
Read More

KRACK Attack: Breaking WPA2

Posted by on October 17, 2017 0 Comment

The Krack Attack affects most wireless networks and clients across the world. Wireless networks play a crucial role in the digital world and most internet users use WiFi networks on a daily basis. Having encryption on wireless networks has become the benchmark and over the years we’ve had many encryption algorithms for WiFi communication – First WEP, followed by WPA and now WPA2.

That being said – In line with Murphy’s law and assisted by growing computational capabilities thanks to Moore’s Law – Each one of them has eventually succumbed to a vulnerability that renders it irrelevant.

WPA2 has been so far considered as the most trusted and secure protocol for wireless communication till date.

A security researcher from the Belgian University KU Leuven named Mathy Vanhoef released details about an attack called KRACK – Key Re-installation Attack for WPA2 protocol on his website.

Vanhoef writes about this attack on his website:

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available.

Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way handshake also negotiates a fresh encryption key that will be used to encrypt all subsequent traffic. Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES. All our attacks against WPA2 use a novel technique called a key reinstallation attack (KRACK). 

Here’s How the KRACK WPA2 Attack Works:

What is the impact ?

According to the researcher the impact of this vulnerability depends on the handshake being attacked, and the data-confidentiality protocol in use since against AES-CCMP an attacker can only replay and decrypt packets but can’t forge it.

“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others,” the US-CERT warned. “Note that as protocol-level issues, most or all correct implementations of the standard will be affected.”

To simply a bit, the communication over HTTPS is secure (but may not be 100 percent secure) and cannot be decrypted using the KRACK attack. That being said, you are advised to use a secure VPN service – which encrypts all your Internet traffic whether it’s HTTPS or HTTP.

How to protect your networks from Krack Attack?

As of now the only efficient mechanism is to apply patches / updates for clients and deploy the latest firmware being released. Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack.

Below are some firmware and driver updates available for KRACK WPA2 vulnerability for the major vendors :

The complete list is available at Bleeping computer where they are tracking the progress of each specific vendor’s patch release.

Krack Attack - WPA2 Patch Story

Image Source : CommitStrip

Is there anyway to mitigate this attack?

Until a patch and firmware update are released by your vendor, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

Assigned CVE Identifiers

The following Common Vulnerabilities and Exposures (CVE) identifiers were assigned to track which products are affected by specific instantiations of our key re-installation attack:

  • CVE-2017-13077: Re-installation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a re-transmitted Fast BSS Transition (FT) Re-association Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Re-installation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: re-installation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: Re-installation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

Note that each CVE identifier represents a specific instantiation of a key re-installation attack. This means each CVE ID describes a specific protocol vulnerability, and therefore many vendors are affected by each individual CVE ID. You can also read vulnerability note VU#228519 of CERT/CC for additional details on which products are known to be affected.

How does it work?

The attack occurs due to a vulnerability in the 4-way handshake or against cipher suites defined in the WPA2 protocol and hence all products using the correct implementation of the protocol are vulnerable. The attacks targets the 4-way handshake, and does not exploit access points, but instead targets the clients.

The idea behind this attack is to abuse the keys being used in phase 3 of 4 way handshake where key is generated after 2 way handshake between AP and client.

This authenticated key can be captured with MITM and can be replayed to exploit the vulnerability since the keys are already used and fully authenticated and verified for handshake between AP and client.

Earlier the reuse of generated and used keys was not possible for further implementation since the router used to get restarted for multiple use of same key. Even if the same problem occurs in current scenario, the attackers are able misuse this since keys are stored in non-volatile memory on boot during restart