Monday, 16 October 2017

Krack WiFi Attack: Vulnerabilities in WPA2 Protocol

All Wi-Fi connections are potentially vulnerable to a newly discovered security attack called "Krack", which allows an attacker to listen in on internet traffic (a Man-in-the-Middle Attack) over a wireless network. 

In theory, a hacker could read your web and email communications, and even inject malware like ransomware onto your device. Krack takes advantage of unpatched Apple, Android, and Windows operation systems, while unpatched Wi-Fi access points can be manipulated to orchestrate the man-in-the-middle attack.

The sky is not falling in on WiFi, this is not like the WEP protocol situation of many years ago, WEP is a security protocol fundamentally flawed by design, WPA2 encryption is not broken, the software that uses it needs to be corrected to secure it. Wireless Access Points (APs) and operating systems that use WPA2 are (or soon will be) patchable, which protects them from this attack.

For a video demo of the attack see - https://www.krackattacks.com/#demo 
For the full technical details of the WPA2 flaw and attack method see - https://papers.mathyvanhoef.com/ccs2017.pdf

Wireless Usage Advice
  • Make sure your laptop operating system has the very latest security updates patched (always) i.e. Windows, Linux, Mac. Microsoft said they have already patched Windows systems, but at this time have not confirmed details about which patch it was. Several Linux distributions have released patches for the flaw.
  • Make sure your smartphone and tablet devices have the latest security updates patched, especially Android devices, and Apple, and Windows (if anyone still uses it)
  • As always, if you are going to use public WiFii networks, my first suggestion is to avoid using public WiFi, but if you are, use VPN software. Using a secure VPN will protect you against "Krack exploited" public WiFi access points, regardless of patching and whether AP is exploited. Failing that, if you like to take risks with your personal and confidential information, as a very last resort ensure you use "https://" websites only, and be extra vigilant the "https://" do not revert to "http://".  If it does, it is a clear sign of a compromised wireless network and of your connection to it.

Preventing Your Wireless Access Point from being Exploited
Wireless Access Points (AP) firmware versions are presently being updated and released to fix this WPA2 flaw, apply them with they are released - see https://www.kb.cert.org/vuls/id/228519/. AP firmware patches are often missed, as routers updates tend not to be applied automatically.

Monday, 2 October 2017

Cyber Security Roundup for September 2017

A massive data breach at Equifax dominated the UK media finance headlines this month, after 143 million customer records were compromised by a cyber-attack, 400,000 of which were UK customer accounts. Hackers took advantage of Equifax’s negligence in not applying security updates to servers. The data breach has already cost the CEO, CIO and CISO their jobs. In the UK Equifax faces investigations and the prospect of significant fines by both the Financial Conduct Authority and the Information Commissioner's Office over the loss of UK customer financial and personal data respectively.

Hackers stole a quarter of a million Deloitte client emails, follow the breach Deloitte was criticised by security professional for not adopting two-factor authentication to protect the email data which they hosted in Microsoft’s Azure cloud service.

September was an extremely busy month for security updates, with major patches releases by Microsoft, Adobe, Apache, Cisco and Apple to fix an array of serious security vulnerabilities including BlueBorne, a Bluetooth bug which exposes billions of devices to man-in-the-middle attacks.

UK government suppliers using Kaspersky to secure their servers and endpoints may well be feeling a bit nervous about the security software after Kaspersky was banned by US Government agencies. The US Senate accused the 20-year-old Russian based security company as being a pawn of the Kremlin and posing a national risk to security. Given the US and UK intelligence agency close ties, there are real fears it could lead to a similar ban in the UK as well. A UK ban could, in theory, be quickly extended to UK government suppliers through the Cyber Essentials scheme, given the Cyber Essentials accreditation is required at all UK government suppliers.

While on the subject of the Russia, the English FA has increased its cybersecurity posture ahead of next year's World Cup, likely due to concerns about the Russian Bears hacking group. The hacking group have already targeted a number of sports agencies in recent months, including hacking and releasing football player's world cup doping reports last month. 

In the last couple of weeks, I was Interviewed for Science of Security, and I updated my IBM Developer Works article on Combating IoT Cyber Threats.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS