KRACK WiFi Vulnerability

Tuesday, October 17th, 2017 | Mark Bedford | Comments Off on KRACK WiFi Vulnerability

You may have heard about a recent WiFi security problem nicknamed KRACK, which was uncovered by a group of researchers in early 2017. They discovered that there is a problem with the way WiFi devices negotiate their encrypted connections, and this leads to some serious issues, so you should be worried but don’t panic. Your wireless password is safe as it is not disclosed (as long as it is not used elsewhere).

The issues are present in ALL devices that use the WiFi WPA protocol, including Android, Apple iOS, OSX, Windows, Linux and IoT devices. Because the vulnerability can only be exploited by an attacker in your WiFi coverage area, you won’t be attacked by a bad actor from the other side of the world at 3:00 am, but you might be by your local neighbourhood hacker.

Patched or un-patched, if you use HTTPS or SSH (or anything with SSL/TLS encryption), whatever you send is secure and cannot be plainly seen or intercepted (as far as this vulnerability goes). An attacker will see that there is traffic but not the contents of the traffic. If you use a VPN (no, NOT Hola or its ilk) then traffic traversing the VPN is also secure. So there may be some privacy issues here, but not confidentiality issues. In many ways this is no different from using an open WiFi network at the airport or hotel: assume that your traffic is being watched, so sensitive information should be protected with encryption. Note for Otago VPN users: only the traffic to/from Otago is secure; other traffic may not be.

There is only one remediation at present: patch your device with the security update for this specific vulnerability when it becomes available. Vendors are currently working on patches, or have already released them. This includes lots of devices that are still working after many years of active service (the vulnerability is some 10 years old). Many older devices will never receive security updates, so if you continue to use these devices you should assume that all of your traffic is being spied on and potentially altered. Time to dispose of them responsibly and upgrade to a newer supported device.

For those wanting a more technical discussion, here is an Information Security blog article: https://blogs.otago.ac.nz/infosec/2017/10/17/wpa2-krack-technical-notes/


Is my home Wifi network ok?

Tuesday, October 17th, 2017 | Mark Borrie | Comments Off on Is my home Wifi network ok?

What is it KRACK?

You may have heard about the latest security problem with wifi networks and be wondering what this is all about.

Yes, this is a serious problem, and YES, your home network is vulnerable. Every network is currently vulnerable to this new issue. More importantly, your computers, laptops, phones and other devices are also vulnerable.

What impact is there?

Potentially this impacts an extensive range of devices including Apple, Android, OpenBSD, Linux, Microsoft, smart computers, smart phones, access points, IoT devices etc. The attack cannot be executed remotely; the attacker must be within range of your wireless network, i.e. physically near your Wi-Fi.

So what can happen? An attacker can insert themselves into your network conversations and listen to what is going back and forth. They could also potentially start changing things. If you are communicating over an encrypted link such as using https then an attacker cannot see your information. This means that your passwords will continue to stay secure.

At this time there is no evidence that an attack tool exists in the wild, but they will come sooner rather than later. Until then the attack will only be possible for a skilled attacker; however, once easy-to-use tools are available the skill factor is no longer a barrier. Expect to see your neighbourhood hackers attacking your old iPhone or Android device.

What to do about it?

With this in mind you should patch all of your devices soon.

If you have an older device then the manufacturer may not release patches for this issue. This is a problem and you will need to consider upgrading your device to one that is supported.

If you need to ensure the privacy of your network usage then use a VPN to encrypt all your traffic. A VPN encrypts all network traffic between two network points. The University has a VPN service that allows staff to connect to the internal University network from most places on the Internet. You will need to find a VPN service that suits you.

The Bleeping Computer site is keeping an up to date list of patched devices at https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

Summary

KRACK is an issue for all wireless networks. You should apply the security patches as soon as they become available.

Older devices may not receive security updates and are now at risk of becoming a gateway into your network and privacy. As such, sensible disposal is the preferred approach.

For devices where no patch is available you should assume that all traffic from that device can be spied on and potentially altered. Use a VPN to help mitigate this.

WPA2 “KRACK” – Technical notes

Tuesday, October 17th, 2017 | Jim Cheetham | Comments Off on WPA2 “KRACK” – Technical notes

KRACK (Key Reinstallation Attacks) is an effective attack on the WPA2 802.11i protocol used for protecting WiFi networks, published on 16 October 2017.

Because it is an attack on the protocol itself, every piece of equipment that can communicate over WiFi is affected. The attack must be carried out by a device that is in range of the network; i.e. this is a local attack, not a remote one.

TL;DR

Be WORRIED, but there is no need to PANIC. If there is a PATCH for your device, apply it as soon as possible. Otherwise, worry until there is.

KRACK tricks your wireless devices into resetting their encryption sessions to a known state, after which the attacker can read everything that they do, and can inject their own data into the network (i.e. a Man-in-the-Middle attack). This effectively turns your “private, secure” WPA2 network into a “public, insecure” one.
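The reset described in the previous paragraph (and in the first post on this page) is modelled below as an added illustration, not code from this post or from the KRACK researchers: a toy client handles message 3 of the 4-way handshake, and a keyed hash stands in for the CCMP keystream so the effect of a reset packet number is visible. All names and the sample frames are assumptions.

```python
"""Toy model of the WPA2 client side of the 4-way handshake (constructed
for illustration). Shows why reinstalling the pairwise key on a replayed
message 3 resets the packet number (nonce) and causes keystream reuse,
and what the patched behaviour changes."""
import hashlib
import hmac

P1 = b"first frame: hello"   # constructed sample frames, equal length
P2 = b"secnd frame: world"

def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Toy stand-in for the AES-CTR keystream CCMP derives from (key, nonce)."""
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Client state: only the message-3 handling matters for KRACK."""
    def __init__(self, patched: bool):
        self.patched, self.ptk, self.pn, self.installed = patched, None, 0, False

    def on_msg3(self, ptk: bytes) -> str:
        # Patched behaviour: a key that is already installed is never
        # reinstalled, so a replayed message 3 cannot reset the packet number.
        if self.patched and self.installed and ptk == self.ptk:
            return "retransmission ignored"
        self.ptk, self.installed = ptk, True
        self.pn = 0          # (re)installation resets the CCMP packet number
        return "key installed"

    def encrypt(self, plaintext: bytes):
        self.pn += 1         # the packet number doubles as the nonce
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))

def run(patched: bool):
    """Returns (nonce of frame 1, nonce of frame 2, whether P1 ^ P2 leaked)."""
    c = Client(patched)
    ptk = hashlib.sha256(b"constructed PTK").digest()
    c.on_msg3(ptk)
    n1, ct1 = c.encrypt(P1)
    c.on_msg3(ptk)           # message 3 arrives a second time (replayed)
    n2, ct2 = c.encrypt(P2)
    # With a reused nonce the keystream cancels out: ct1 ^ ct2 == P1 ^ P2.
    return n1, n2, xor(ct1, ct2) == xor(P1, P2)

if __name__ == "__main__":
    print("vulnerable:", run(False))   # (1, 1, True)
    print("patched:   ", run(True))    # (1, 2, False)
```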

If you are safe operating your device on a public insecure network (e.g. airport or coffee-shop WiFi), then you will be equally safe operating it on a compromised WPA2 network.

KRACK does NOT steal your WiFi passwords or credentials.

The only effective fix for KRACK is on your client devices. PCs and laptops are likely to be patched quickly, mobile phones much more slowly if at all, and IoT devices are at serious risk.

KRACK References

  • KRACK website, https://www.krackattacks.com/
  • Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, https://papers.mathyvanhoef.com/ccs2017.pdf
  • CERT CVEs, http://www.kb.cert.org/vuls/id/228519
    • CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
    • CVE-2017-13078: reinstallation of the group key in the Four-way handshake
    • CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake
    • CVE-2017-13080: reinstallation of the group key in the Group Key handshake
    • CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake
    • CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it
    • CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
    • CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
    • CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
    • CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame

Timeline

In early 2017 the researchers were finishing off another security publication when they realised that part of the OpenBSD network code for WiFi that they were discussing had a potential problem. By July 2017 a wide range of systems had been confirmed with this problem, and the CERT/CC co-ordinated a wider notification to OS and device vendors in late August. The public announcement was made on 16 October 2017.

Many vendors have made announcements and released patches already; more will be coming soon. OpenBSD patched early due to their relationship to the original discovery, and some other vendors seem to have issued patches already, but many important ones are yet to patch.

Patches

At the moment I’m getting my information from the CERT/CC and the Bleeping Computer website, but I’ll verify from original sources as soon as I can. https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

No Patches

If you have a device using WiFi, and there are no patches for it, you should assume that all traffic from that device can be spied on and potentially altered. If you are encrypting your communications with TLS/SSL or something equivalent like OpenSSH, then all you are at risk from is a lack of privacy. However, you might need to consider implementing a VPN if you rely on plaintext or easily spoofed protocols.

Further Questions

If you have any further questions, please get in touch with the Information Security Office through the usual channels.


Thursday, November 21st, 2013 | Mark Bedford | Comments Off on

Well, it is hard to believe that we are well into November, and what a month it has been. First there was the recent Adobe password debacle, where 150 million email addresses, their password hashes and the password hints were exposed on the internet. Then there was Kiwicon, the New Zealand hacker conference in Wellington, where “AmmonRa” took us for a ride.

With the Christmas shopping season just around the corner many will be purchasing online and there are the usual reminders. Things to watch out for are nicely organised in this SANS article by Lenny Zeltser.

While you are shopping, perhaps this Microsoft blog article from Holly Stewart will encourage you to finally ditch your old XP computer. A couple of noteworthy points in the article are that XP is six times more likely to get infected than Windows 8, and that when XP Service Pack 2 went out of support its infection rate was as much as 66% higher than that of the still-supported XP Service Pack 3. So plan now to buy your Windows 8 replacement computer before it gets infected.


Cyber Attackers Access 72,000 Confidential Employee Details

Thursday, August 1st, 2013 | Mark Bedford | Comments Off on Cyber Attackers Access 72,000 Confidential Employee Details

On 22 July the University of Delaware was the target of a criminal attack on one of its systems. The criminals were able to steal files containing names, addresses and other personally identifiable information for 72,000 past, present and student employees. After taking immediate corrective action, the University is working with the Federal Bureau of Investigation and Mandiant to determine the scope of the attack. The University has indicated that the attackers used a vulnerability in software acquired from an unnamed vendor.

Flashback Malware Infecting Macs

Thursday, April 12th, 2012 | Gene Teo | Comments Off on Flashback Malware Infecting Macs

Screenshot: Java for OS X Lion 2012-003 update

Edit: 9:29am 13 Apr 2012 – Apple have just released “Java for OS X Lion 2012-003” – a security update that removes the most common variants of the Flashback malware, and also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.

A new variant of Java-based malware dubbed “Flashback” has been spreading rapidly on OSX; some reports suggested over 550 thousand Macs were infected as of 4 April 2012. It gains a foothold on a vulnerable system and can be used to download more malware at a later date.

There has been a lot of publicity about Flashback, mainly because Apple contributed significantly to the problem by releasing a fix 8 weeks late. Ed Bott summarizes the situation very well in a blog post at zdnet.com.

It is caused by attackers exploiting several bugs in Java to trigger a “drive-by” infection of vulnerable computers: viewing a malicious website is enough to infect your computer. Java is used to run various applications and comes built in to most Apple computers. The official Apple support document (HT5228) is very brief, and only notes that “Java for OS X Lion 2012-002 and Java for Mac OS X 10.6 Update 7” fixes multiple vulnerabilities in Java 1.6.0_29. While Java is made by Oracle, Apple manages Java updates to OSX independently.

Lessons:

  • Macs and OSX should not be viewed as “more secure” than Windows or other operating systems, especially since Apple has a history of being slow in releasing security fixes.
  • Antivirus software should be installed on all computers; it is cost-effective protection against most threats.

What you should do:

Detection and removal (Technical users only):

  1. Check the DYLD_INSERT_LIBRARIES environment variable in web browsers, or visit flashbackcheck.com or www.drweb.com/flashback/?lng=en to detect infected computers.
  2. Rebuild infected machines from known good media. Cleanup should only be opted for where a rebuild is prohibitively costly.
  3. Manually clean up the infection, or use a removal tool: we know of tools from Apple (via Software Update), Kaspersky and F-Secure.
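Step 1 above can be scripted: the variants in question set DYLD_INSERT_LIBRARIES either in a browser bundle’s Info.plist (under LSEnvironment) or in ~/.MacOSX/environment.plist. The checker below is an added example, not the post’s code or any vendor’s removal tool; the plist text and the dylib path in it are constructed, and the function names are assumptions.

```python
"""Look for DYLD_INSERT_LIBRARIES persistence in macOS property lists.
Added example for the detection step in the post; sample plists are constructed."""
import plistlib
from pathlib import Path

DYLD = "DYLD_INSERT_LIBRARIES"

def find_dyld_insert(plist_bytes: bytes, key_path=("LSEnvironment",)) -> list:
    """Return the dylib paths injected via DYLD_INSERT_LIBRARIES found at
    key_path inside the plist (empty key_path = top-level dict), else []."""
    node = plistlib.loads(plist_bytes)
    for key in key_path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    value = node.get(DYLD) if isinstance(node, dict) else None
    return value.split(":") if isinstance(value, str) and value else []

def scan_mac(browser_apps=("Safari", "Firefox", "Google Chrome")) -> dict:
    """Live check of this host (macOS paths); returns {plist path: [dylibs]}."""
    hits = {}
    for app in browser_apps:
        info = Path(f"/Applications/{app}.app/Contents/Info.plist")
        if info.is_file():
            found = find_dyld_insert(info.read_bytes(), ("LSEnvironment",))
            if found:
                hits[str(info)] = found
    env = Path.home() / ".MacOSX" / "environment.plist"
    if env.is_file():
        found = find_dyld_insert(env.read_bytes(), ())   # top-level keys
        if found:
            hits[str(env)] = found
    return hits

# Constructed sample resembling a tampered browser Info.plist (placeholder path).
INFECTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleExecutable</key><string>Safari</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.constructed_example.dylib</string>
  </dict>
</dict></plist>"""
CLEAN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleExecutable</key><string>Safari</string>
</dict></plist>"""

if __name__ == "__main__":
    print("sample infected:", find_dyld_insert(INFECTED))
    print("sample clean:   ", find_dyld_insert(CLEAN))
    print("this host:      ", scan_mac())
```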


Hacking WiFi Protected Setup (WPS)

Monday, January 9th, 2012 | Gene Teo | 1 Comment

Update: Cisco has responded to this with a recommendation to disable WPS on their Small Business product series. Note that this does not apply to Linksys devices, even though Cisco does own the Linksys brand.

WiFi Protected Setup (WPS) is a feature on WiFi access points that makes it easier to connect a new device to them – sometimes as easy as pushing the WPS button of the Access Point and new device at the same time.

On 27 December 2011 the US Department of Homeland Security’s Computer Emergency Readiness Team documented a security flaw in WPS that was discovered independently by security researchers Stefan Viehböck (pdf) and Craig Heffner.

The flaw allows an attacker to recover WPA/WPA2 passphrases; the attack reportedly takes 4-10 hours per access point. Both researchers have released tools to verify the vulnerability and allow other security teams to perform their own evaluations.

Over at Ars Technica, Sean Gallagher has replicated the attack and notes:

That wouldn’t be as much of a problem for security if wireless access points locked out devices after repeated bad PIN entries. But on many WPS wireless routers, there is no lockout feature. That means attackers can continue to attempt to connect at their leisure.

A successful attack means the attacker is now connected to your WiFi network and is able to start attacking the computers on it. This is an extremely severe vulnerability: anyone transmitting highly sensitive data over WiFi via a WPS-capable Access Point should retire the Access Point immediately and use cabled connections.

Wi-Fi Protected Setup logo

Note that not all WiFi Access Points are WPS capable. The easiest way to tell is to check with the manufacturer (search for the make and model of your Access Point), or examine the access point for a button or labels with the WPS logo.

New PuTTY — security vulnerability

Tuesday, December 13th, 2011 | Jim Cheetham | Comments Off on New PuTTY — security vulnerability

There is a new version of the excellent & venerable PuTTY tool, due to a security vulnerability that might expose your session passwords in memory.

http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html contains the details of the problem, and http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html will help you find the files you need to address the problem.

Privacy Monitor

Wednesday, December 7th, 2011 | Jim Cheetham | Comments Off on Privacy Monitor

The Information Security Office is dreaming of a White Christmas this year.

Especially now that we have a Privacy Monitor …

Following on from the post on Instructables.com that showed how to hack an old LCD monitor by removing the polarised film and re-inserting it into a pair of glasses (http://www.instructables.com/id/Privacy-monitor-made-from-an-old-LCD-Monitor/), we did pretty much the same thing to create our Christmas decorations this year:

Direct Link: https://blogs.otago.ac.nz/infosec/files/2011/12/ISOwhitescreen.flv


NoScript available for Android Firefox

Wednesday, October 19th, 2011 | Jim Cheetham | Comments Off on NoScript available for Android Firefox

The excellent & highly recommended NoScript add-on for Firefox has been released on the Android platform (and Maemo, but I’m probably the only person here who has one of those). This add-on blocks JavaScript, Java and Flash activity on webpages, giving you a simple way to selectively re-enable trusted providers and restore the full page functionality temporarily if you need it.

https://www.infoworld.com/d/mobile-technology/noscript-security-tool-released-android-maemo-176280 provides a nice writeup; NSA is the distribution point for the add-on itself.