Information Security News
A new paper(1) discussing vulnerabilities in WPA2-PSK was released recently, and many people have been interested in it but have not been able to get access. By using a library (yes, they still exist and are still useful) I was able to get access to the paper.
WPA2-PSK passphrases are between 8 and 63 ASCII characters long. The authors collected WPA2 handshakes using an Aireplay deauthentication attack. Their method uses a pre-generated dictionary of 666,696 entries and Aircrack to brute-force the password in their test. They wrote a program that generates a dictionary of all 95 printable ASCII characters for the entire PSK key space. They also discuss ways to prevent this type of attack.
While the methodology is sound, and I applaud anyone who publishes papers, the paper didn't uncover a new flaw. WPA2 rainbow tables(2) have been around for a while and give a huge speed advantage in this case. Pure brute-forcing of the entire ASCII password space can be done without a pre-generated dictionary, and they didn't discuss any speed trade-off in doing so. I would love to see a follow-up with comparisons.
Check with your library to see if they have it, or if they can do an interlibrary loan. What do you think of the paper?
1. Tsitroulis, Achilleas, Dimitris Lampoudis, and Emmanuel Tsekleves. "Exposing WPA2 security protocol vulnerabilities." International Journal of Information and Computer Security 6.1 (2014): 93-107.
Tom Webb (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
by Peter Bright
Microsoft officially ended support of the twelve-and-a-half-year-old Windows XP operating system a few weeks ago. Except it apparently didn't, because the company has included Windows XP in its off-cycle patch to fix an Internet Explorer zero-day that's receiving some amount of in-the-wild exploitation. The unsupported operating system is, in fact, being supported.
Explaining its actions, Microsoft says that this patch is an "exception" because of the "proximity to the end of support for Windows XP."
The decision to release this patch is a mistake, and the rationale for doing so is inadequate.
Microsoft has released an emergency update for all recent Windows operating systems—including the recently decommissioned XP—fixing a critical security bug that is currently being exploited in real-world attacks.
The decision to patch XP underscores the potential seriousness of the vulnerability. Since it resides in versions 6 through 11 of Internet Explorer, the remote code-execution hole leaves an estimated 26 percent of Internet browsers susceptible to attacks that can surreptitiously install hacker-controlled backdoors when users visit a booby-trapped website. By some measures, 28 percent of the Web-using public continues to use the aging OS, which lacks crucial safety protections built into Windows 7 and 8.1.
Thursday's release demonstrates the razor-thin tightrope Microsoft walks as it tries to wean users off a platform it acknowledges is no longer safe against modern hacks. While the XP fix may deprive some laggards of the incentive to upgrade, Microsoft also has a responsibility to prevent exploits that could turn large numbers of the Internet population into compromised platforms that attack others.
Microsoft will release a special update later today (10am PT, 1pm ET, 7pm UTC) fixing the Internet Explorer vulnerability which has been used in targeted attacks recently. The vulnerability was announced late last week and affects Internet Explorer 6 and later on Windows versions back to Windows XP. The patch will be published as MS14-021 in line with the May update which is still expected for Tuesday, May 13th.
We do rate this bulletin as "PATCH NOW!" for clients. Even though many organizations started to move away from Internet Explorer as a primary browser, it may still launch in some cases and unless you are using a non-Microsoft operating system you are likely vulnerable. Even servers should apply this patch, but it is less likely that the vulnerability is exposed on a server. Microsoft downplays the risk of the vulnerability for servers by labeling it as "Moderate" due to the crippled default configuration of Internet Explorer on servers.
The patch pre-announcement does specifically list Windows XP SP3 as vulnerable, indicating that the patch may cover Windows XP SP3 even though no more patches were expected for Windows XP.
Overview of the May 2014 Microsoft patches and their status.
#        | Affected                                                            | Contra Indications - KB | Known Exploits             | Microsoft rating(**) | ISC rating(*)
MS14-021 | Vulnerabilities in Internet Explorer (Microsoft Internet Explorer)  | KB 2963983              | Used in targeted exploits. | Severity: Critical   |
(**): The exploitability rating we show is the worst of all the ratings Microsoft assigns, because Microsoft assigns too many separate ratings to some of the patches.
Infosec 2014: Enablement key to mobile security, says AirWatch
As the world approaches 1.3 billion mobile devices, businesses should approach adoption in terms of enablement, says VMware's mobile device management firm, AirWatch. “When tackling mobile security, businesses need to aim to make it simple and ...
People vital to security intelligence, say experts
Actionable security threat intelligence is mainly about having the right people with the right skills, a panel of information security professionals has told attendees of Infosecurity Europe 2014 in London. “Invest in people who clearly understand the ...
My little "lab of vulnerable devices" is still getting regular visits from script kiddies worldwide. By now, I have replaced some of the simulated honeypots with actual devices, giving me a somewhat more accurate view of what is happening and of how attackers distinguish honeypots from real devices. For example, the DVR I set up with default telnet credentials gets visited regularly, and the following command tends to be executed first:
/bin/busybox;echo -e '\147\141\171\146\147\164'
The output is the busybox "help" screen, followed by the characters represented by the escape sequences in the "echo" command. The characters are given in octal in this case.
For example, on my busybox DVR:
# echo -e '\101\102\103\104\105\106'
On the other hand, the same command on my MAC or a "normal" Linux system:
$ echo -e '\101\102\103\104\105\106'
(the actual string used is a bit different but spells out a word I didn't feel comfortable posting here)
I also set up a little web based scanner to test for vulnerable DVRs. The scanner will try to connect via telnet using the common default credentials "root" and "12345". If the login is successful, the scanner will try to run "ps" to look for the "cmd.so" entry commonly associated with the litecoin miner we found recently on these devices. You can find the scanner at https://isc.sans.edu/tools/dvrtest.html . By default, it will just scan the IP address you are connecting from. If you log in, you may specify other IP addresses. Please only use against IP addresses you are authorized to scan.
And a quick update on the "honeypot fingerprinting": I am also seeing "echo -e \\x51\\x51" . But this appears to return "QQ" no matter if it is running on the DVR or a normal Linux system.
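As an added example (not ISC code), here is a small Python detector that picks this fingerprinting command out of telnet-session log lines and decodes the octal and hex escapes the way `echo -e` would, so an analyst can see what the probe spells out without running it on a device. The log line format, the sample commands and the IP addresses are constructed for the example; the shell-quoting model is deliberately minimal (single quotes are literal, an unquoted `\\` becomes `\`).

```python
import re

# Constructed sample log: "timestamp src_ip command", one telnet command per line.
SAMPLE_LOG = r"""
2014-05-01T10:00:01Z 203.0.113.5 /bin/busybox;echo -e '\101\102\103\104\105\106'
2014-05-01T10:00:02Z 203.0.113.5 ps
2014-05-01T10:01:17Z 198.51.100.9 echo -e \\x51\\x51
2014-05-01T10:02:30Z 192.0.2.77 cat /proc/cpuinfo
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<cmd>.*)$")
ECHO_RE = re.compile(r"echo\s+-e\s+(?P<arg>'[^']*'|\S+)")
# \NNN octal (1-3 digits) or \xHH hex (1-2 digits), as echo -e interprets them
ESC_RE = re.compile(r"\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3}))")

def shell_unquote(arg):
    """Minimal model of the shell: 'single quotes' are literal; unquoted \\\\ -> \\."""
    if len(arg) >= 2 and arg[0] == arg[-1] == "'":
        return arg[1:-1]
    return arg.replace("\\\\", "\\")

def decode_echo_escapes(s):
    """Turn the escape sequences into the characters echo -e would print."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return ESC_RE.sub(repl, s)

def classify(cmd):
    """Return decoded probe details if cmd looks like the echo -e fingerprint, else None."""
    m = ECHO_RE.search(cmd)
    if not m:
        return None
    raw = shell_unquote(m.group("arg"))
    if not ESC_RE.search(raw):
        return None  # plain echo -e without escapes is not the pattern
    return {
        "busybox_invoked": "busybox" in cmd.split(";")[0],  # busybox run first?
        "decoded": decode_echo_escapes(raw),
    }

def scan_log(text):
    findings = []
    for line in text.splitlines():
        lm = LINE_RE.match(line)
        if lm and (info := classify(lm.group("cmd"))):
            findings.append({"src": lm.group("src"), **info})
    return findings
```

On the sample log this reports the first probe as "ABCDEF" with busybox invoked first and the second as "QQ", matching the strings discussed above.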
CRN - UK
Infosec 2014 paints picture of industry in transition
Those who braved the tube strike to attend Infosec 2014 will leave with the impression of both an event and industry in a state of flux. This is the IT security extravaganza's final year in Earls Court but this year's event was also noteworthy for ...
Infosec 2014: Act now, but no new EU data protection law before 2017, says ICO
Expect new European Union (EU) data protection law to be enacted in 2017 at the earliest, said David Smith, deputy commissioner at the Information Commissioner's Office. “But, get your house in order now under the current law, to ensure you are ready ...
InfoSec 2014: 17 Percent Of All Thefts In The UK Threaten Victim Privacy
The findings were presented at the InfoSec 2014 conference in London, where it was revealed that the number of data breaches reported to the ICO has increased by ten percent in 2014, but the regulator is only half as likely to issue monetary fines ...
InfoSec 2014: High-Tech Bridge Democratises Access To Ethical Hacking
... expert which includes recommendations tailored to individual customers. Kolochenko, who visited London for the InfoSec 2014 conference, told TechWeekEurope the service is unique because it offers real penetration testing starting from just $639 (£380).