A new paper(1) discussing vulnerabilities on WPA2-PSK was released recently and many people have been interested in it, but have not gained access. By using a library, yes they still exist and are still useful, I was able to get access to the paper.

WPA2-PSK has a key length between 8 to 63 ASCII characters. They collected WPA2 handshakes using Aireplay deauthentication attack. Their method uses pre generated dictionary of 666,696 entries and Aircrack to bruteforce the password in their test.  They wrote a program that would generate a dictionary of all possible 95 ASCII characters for the entire PSK key space. They also discuss ways to prevent this type of attack.  

While the methodology is sound and I applaud anyone that publishes papers, but didn’t uncover a new flaw. WPA2 Rainbow tables(2) have been around for a while and you gain a huge speed advantages in this case. Pure brute forcing the entire ASCII passwords can be done without a pre generated dictionary and they didn’t discuss any speed trade-off by doing this.  I would love to see a follow-up with comparisons.

Check with your library and see if they have it, or if they can do a interlibrary loan. What do you think of the paper?


1. Tsitroulis, Achilleas, Dimitris Lampoudis, and Emmanuel Tsekleves. "Exposing WPA2 security protocol vulnerabilities." International Journal of Information and Computer Security 6.1 (2014): 93-107.

2. "The Renderlab: Church of Wifi WPA-PSK Lookup Tables." 2006. 2 May. 2014 <hxxp://www.renderlab.net/projects/WPA-tables/>



Tom Webb

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Aurich Lawson

Microsoft officially ended support of the twelve-and-a-half-year-old Windows XP operating system a few weeks ago. Except it apparently didn't, because the company has included Windows XP in its off-cycle patch to fix an Internet Explorer zero-day that's receiving some amount of in-the-wild exploitation. The unsupported operating system is, in fact, being supported.

Explaining its actions, Microsoft says that this patch is an "exception" because of the "proximity to the end of support for Windows XP."

The decision to release this patch is a mistake, and the rationale for doing so is inadequate.

Read 12 remaining paragraphs | Comments

The next innovation in health care may come from Silicon Valley.
On at least one occasion, technology behind Oregon's faulty health insurance website was discussed as a possible fix for problems that initially beset Healthcare.gov, the federal insurance exchange that underpins Obamacare.
While announcing the launch of its new line of 4TB enterprise-class SSDs this week, SanDisk also said it plans to up the ante for capacity.
Hewlett-Packard is eyeing 2015 for the release of its first Nonstop systems based on x86 server hardware, a company official said this week.
Cisco has put out to pasture its WebEx Social enterprise social networking suite, opting instead to partner with Jive Software.
Microsoft shipped an emergency update for Internet Explorer to close a hole that hackers had already been exploiting, and in an unexpected move, allowed Windows XP machines to receive the update.
Foursquare, one of the first apps to put location-sharing on the map, is rethinking its service and dividing it in two in an effort to stay relevant.
Congress should take action to protect privacy in response to a growing big-data revolution, a White House panel has recommended, but its report does not address wide-ranging surveillance and data-collection programs at the U.S. National Security Agency.
A study released this week shows that 73% of IT executives believe cloud providers are hiding performance problems.
Facilities solutions specialist ABM has more than 100,000 employees and customers around the world, all served by a small IT team struggling to deliver IT services to its constituents. It needed to find a way to deliver IT services faster and cheaper and says virtualization with Hyper-V is the way forward.
The U.S. Department of Justice would prohibit eBay from entering into agreements with other tech firms to not recruit each other's employees, in a settlement announced by the agency Thursday.
Oracle will allow customers to convert money they're now spending on annual support for on-premises into software subscriptions for its SaaS (software as a service) applications, in a bid to block defections to competitors such as Workday and Salesforce.com.
The National Democratic Institute has workers in 65 countries -- not all of them friendly. To support its growing global mission, and to improve efficiency without buying more hardware, the nonpartisan nonprofit has spent the last four years migrating to the cloud.

Microsoft has released an emergency update for all recent Windows operating systems—including the recently decommissioned XP—fixing a critical security bug that is currently being exploited in real-world attacks.

The decision to patch XP underscores the potential seriousness of the vulnerability. Since it resides in versions 6 through 11 of Internet Explorer, the remote code-execution hole leaves an estimated 26 percent of Internet browsers susceptible to attacks that can surreptitiously install hacker-controlled backdoors when users visit a booby-trapped website. By some measures, 28 percent of the Web-using public continues to use the aging OS, which lacks crucial safety protections built into Windows 7 and 8.1.

Thursday's release demonstrates the razor-thin tightrope Microsoft walks as it tries to wean users off a platform it acknowledges is no longer safe against modern hacks. While the XP fix may deprive some laggards of the incentive to upgrade, Microsoft also has a responsibility to prevent exploits that could turn large numbers of the Internet population into compromised platforms that attack others.

Read 9 remaining paragraphs | Comments

Advanced academic backgrounds in statistics, mathematics, and other science and technology fields usually provide the raw analytical skills required for a data scientist's job. But even with such skills, some additional prep work is generally needed to handle such a job in private industry.
Companies that rely on top tech workers are turning to real-time compensation benchmarking tools to ensure they're paying competitive rates to both attract workers with in-demand skills and reduce turnover.
Government culture and compensation can make the private sector more appealing for young technologists, contributing to a talent shortfall at a time when the feds need IT expertise more than ever -- as the Healthcare.gov fiasco painfully illustrated.
As cloud apps become more business-critical, the CIO is emerging as the cloud services broker. In this new IT model, which is expected to expand rapidly in the next 12 months, CIOs can push cloud service providers to deliver detailed SLAs.
Windows XP users continued to put the old OS out to pasture last month, but the now-unsupported operating system still powered more than a quarter of all PCs on the planet.

Microsoft will release a special update later today (10am PT, 1pm ET, 7pm UTC) fixing the Internet Explorer vulnerability which has been used in targeted attacks recently. The vulnerability was announced late last week and affects Internet Explorer 6 and later on Windows versions back to Windows XP. The patch will be published as MS14-021 in line with the May update which is still expected for Tuesday, May 13th.

We do rate this bulletin as "PATCH NOW!" for clients. Even though many organizations started to move away from Internet Explorer as a primary browser, it may still launch in some cases and unless you are using a non-Microsoft operating system you are likely vulnerable. Even servers should apply this patch, but it is less likely that the vulnerability is exposed on a server. Microsoft downplays the risk of the vulnerability for servers by labeling it as "Moderate" due to the crippled default configuration of Internet Explorer on servers. 

The patch pre-announcement does specifically list Widnows XP SP3 as vulnerable, indicating that the patch may cover Windows XP SP 3 even though no more patches were expected for Windows XP.

Overview of the May 2014 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*)
clients servers
MS14-021 Vulnerabilities in Internet Explorer
Microsoft Internet Explorer
KB 2963983 Used in targeted exploits. Severity:Critical
Exploitability: 1
PATCH NOW! Critical
yle="text-align: center;">We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

[1] https://technet.microsoft.com/en-us/library/security/ms14-may.aspx

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Infosec 2014: Enablement key to mobile security, says AirWatch
As the world approaches 1.3 billion mobile devices, businesses should approach adoption in terms of enablement, says VMware's mobile device management firm, AirWatch. “When tackling mobile security, businesses need to aim to make it simple and ...


People vital to security intelligence, say experts
Actionable security threat intelligence is mainly about having the right people with the right skills, a panel of information security professional has told attendees of Infosecurity Europe 2014 in London. “Invest in people who clearly understand the ...

Watch out, WhatsApp (and Facebook): Photo messaging app Snapchat is now offering video calls and instant messaging.
You'd think your SaaS vendors would know a lot more about you and their customers than IBM, Ma Bell or even the NSA. They know every click, login and data entry, right? Not necessarily.
Smoothly scalable, automatically redundant, set-it-and-forget-it NAS rewrites the network storage playbook
PayPal has unveiled a new global branding campaign designed to put greater focus on its ability to let people make payments for goods and services anywhere and anytime.
Cisco WebEx Meetings Server CVE-2014-2186 Cross Site Request Forgery Vulnerability

My little "lab of vulnerable devices" is still getting regular visits from script kiddies world wide. By now, I replaced some of the simulated honeypots with actual devices, giving me a bit a more accurate view of what is happening and how attackers are distinguishing honeypots from real devices. For example, the DVR I set up with default telnet credentials is getting regularly visited and the following command tends to get executed first:

/bin/busybox;echo -e '\147\141\171\146\147\164'

The output is busybox "help" screen, followed by the characters represented by the "echo" command. The characters are represented in octal in this case.

For example, on my busybox DVR:

[[email protected] /] # echo -e '\101\102\103\104\105\106'

On the other hand, the same command on my MAC or a "normal" Linux system:

$ echo -e '\101\102\103\104\105\106'

(the actual string used is a bit different but spells out a word I didn't feel comfortable posting here)

I also set up a little web based scanner to test for vulnerable DVRs. The scanner will try to connect via telnet using the common default credentials "root" and "12345". If the login is successful, the scanner will try to run "ps" to look for the "cmd.so" entry commonly associated with the litecoin miner we found recently on these devices. You can find the scanner at https://isc.sans.edu/tools/dvrtest.html . By default, it will just scan the IP address you are connecting from. If you log in, you may specify other IP addresses. Please only use against IP addresses you are authorized to scan.

And a quick update on the "honeypot fingerprinting": I am also seeing "echo -e \\x51\\x51" . But this appears to return "QQ" no matter if it is running on the DVR or a normal Linux system.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Infosec 2014 paints picture of industry in transition
Those who braved the tube strike to attend Infosec 2014 will leave with the impression of both an event and industry in a state of flux. This is the IT security extravaganza's final year in Earls Court but this year's event was also noteworthy for ...

and more »

Infosec 2014: Act now, but no new EU data protection law before 2017, says ICO
Expect new European Union (EU) data protection law to be enacted in 2017 at the earliest, said David Smith, deputy commissioner at the Information Commissioner's Office. “But, get your house in order now under the current law, to ensure you are ready ...

and more »
Four reasons to move entirely to IPv6. (Insider; registration required)
AT&T has approached satellite provider DirecTV about a possible acquisition, in a bid to more closely integrate TV and broadband services, according to the Wall Street Journal.

InfoSec 2014: 17 Percent Of All Thefts In The UK Threaten Victim Privacy
TechWeekEurope UK
The findings were presented at the InfoSec 2014 conference in London, where it was revealed that the number of data breaches reported to the ICO has increased by ten percent in 2104, but the the regulator is only half as likely to issue monetary fines ...

and more »
Symantec has seen another round of a ham-fisted but surprisingly successful attack that targets Facebook users hoping to break into their friends' accounts.
Facebook, in a push to make its platform more useful for third-party developers, is launching tools to give their apps more exposure, including a mobile "like" button.
Achieving any certification worth its salt is never easy, but some are faster to complete than others -- and easier on your wallet as well. Here are five worth considering.
A piece of malware targeting Russian-speaking Android users abuses a person's contact list to try and infect other devices, according to security vendor Eset.
Google is releasing separate mobile apps for its Docs, Sheets and Slides apps, breaking them out from the Google Drive storage service where they used to reside.
Wearables could become the next big growth market for mobile devices, but they'll have to get more useful and less expensive first.
Facebook is not your scrappy startup anymore. It's providing a host of tools for third-party developers aimed at catching bugs swiftly, more toolkit options and lending a big helping hand in app development.

TechWeekEurope UK

InfoSec 2014: High-Tech Bridge Democratises Access To Ethical Hacking
TechWeekEurope UK
... expert which includes recommendations tailored to individual customers. Kolochenko, who visited London for the InfoSec 2014 conference, told TechWeekEurope the service is unique because it offers real penetration testing starting from just $639 (£380).

Internet Storm Center Infocon Status