A new paper(1) discussing vulnerabilities on WPA2-PSK was released recently and many people have been interested in it, but have not gained access. By using a library, yes they still exist and are still useful, I was able to get access to the paper.

WPA2-PSK has a key length between 8 to 63 ASCII characters. They collected WPA2 handshakes using Aireplay deauthentication attack. Their method uses pre generated dictionary of 666,696 entries and Aircrack to bruteforce the password in their test.  They wrote a program that would generate a dictionary of all possible 95 ASCII characters for the entire PSK key space. They also discuss ways to prevent this type of attack.  

While the methodology is sound and I applaud anyone that publishes papers, but didn’t uncover a new flaw. WPA2 Rainbow tables(2) have been around for a while and you gain a huge speed advantages in this case. Pure brute forcing the entire ASCII passwords can be done without a pre generated dictionary and they didn’t discuss any speed trade-off by doing this.  I would love to see a follow-up with comparisons.

Check with your library and see if they have it, or if they can do a interlibrary loan. What do you think of the paper?

 

1. Tsitroulis, Achilleas, Dimitris Lampoudis, and Emmanuel Tsekleves. "Exposing WPA2 security protocol vulnerabilities." International Journal of Information and Computer Security 6.1 (2014): 93-107.

 

--

Tom Webb

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Read 12 remaining paragraphs | Comments

The next innovation in health care may come from Silicon Valley.

On at least one occasion, technology behind Oregon's faulty health insurance website was discussed as a possible fix for problems that initially beset Healthcare.gov, the federal insurance exchange that underpins Obamacare.

While announcing the launch of its new line of 4TB enterprise-class SSDs this week, SanDisk also said it plans to up the ante for capacity.

Hewlett-Packard is eyeing 2015 for the release of its first Nonstop systems based on x86 server hardware, a company official said this week.

Cisco has put out to pasture its WebEx Social enterprise social networking suite, opting instead to partner with Jive Software.

Microsoft shipped an emergency update for Internet Explorer to close a hole that hackers had already been exploiting, and in an unexpected move, allowed Windows XP machines to receive the update.

Foursquare, one of the first apps to put location-sharing on the map, is rethinking its service and dividing it in two in an effort to stay relevant.

Congress should take action to protect privacy in response to a growing big-data revolution, a White House panel has recommended, but its report does not address wide-ranging surveillance and data-collection programs at the U.S. National Security Agency.

A study released this week shows that 73% of IT executives believe cloud providers are hiding performance problems.

Facilities solutions specialist ABM has more than 100,000 employees and customers around the world, all served by a small IT team struggling to deliver IT services to its constituents. It needed to find a way to deliver IT services faster and cheaper and says virtualization with Hyper-V is the way forward.

The U.S. Department of Justice would prohibit eBay from entering into agreements with other tech firms to not recruit each other's employees, in a settlement announced by the agency Thursday.

Oracle will allow customers to convert money they're now spending on annual support for on-premises into software subscriptions for its SaaS (software as a service) applications, in a bid to block defections to competitors such as Workday and Salesforce.com.

The National Democratic Institute has workers in 65 countries -- not all of them friendly. To support its growing global mission, and to improve efficiency without buying more hardware, the nonpartisan nonprofit has spent the last four years migrating to the cloud.

Read 9 remaining paragraphs | Comments

Advanced academic backgrounds in statistics, mathematics, and other science and technology fields usually provide the raw analytical skills required for a data scientist's job. But even with such skills, some additional prep work is generally needed to handle such a job in private industry.

Companies that rely on top tech workers are turning to real-time compensation benchmarking tools to ensure they're paying competitive rates to both attract workers with in-demand skills and reduce turnover.

Government culture and compensation can make the private sector more appealing for young technologists, contributing to a talent shortfall at a time when the feds need IT expertise more than ever -- as the Healthcare.gov fiasco painfully illustrated.

As cloud apps become more business-critical, the CIO is emerging as the cloud services broker. In this new IT model, which is expected to expand rapidly in the next 12 months, CIOs can push cloud service providers to deliver detailed SLAs.

Windows XP users continued to put the old OS out to pasture last month, but the now-unsupported operating system still powered more than a quarter of all PCs on the planet.

Microsoft will release a special update later today (10am PT, 1pm ET, 7pm UTC) fixing the Internet Explorer vulnerability which has been used in targeted attacks recently. The vulnerability was announced late last week and affects Internet Explorer 6 and later on Windows versions back to Windows XP. The patch will be published as MS14-021 in line with the May update which is still expected for Tuesday, May 13th.

We do rate this bulletin as "PATCH NOW!" for clients. Even though many organizations started to move away from Internet Explorer as a primary browser, it may still launch in some cases and unless you are using a non-Microsoft operating system you are likely vulnerable. Even servers should apply this patch, but it is less likely that the vulnerability is exposed on a server. Microsoft downplays the risk of the vulnerability for servers by labeling it as "Moderate" due to the crippled default configuration of Internet Explorer on servers. 

The patch pre-announcement does specifically list Widnows XP SP3 as vulnerable, indicating that the patch may cover Windows XP SP 3 even though no more patches were expected for Windows XP.

Overview of the May 2014 Microsoft patches and their status.

#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	ISC rating(*)
					clients	servers
MS14-021	Vulnerabilities in Internet Explorer
	Microsoft Internet Explorer CVE-2014-1776	KB 2963983	Used in targeted exploits.	Severity:Critical Exploitability: 1	PATCH NOW!	Critical

yle="text-align: center;">We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

[1] https://technet.microsoft.com/en-us/library/security/ms14-may.aspx

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Infosec 2014: Enablement key to mobile security, says AirWatch ComputerWeekly.com As the world approaches 1.3 billion mobile devices, businesses should approach adoption in terms of enablement, says VMware's mobile device management firm, AirWatch. “When tackling mobile security, businesses need to aim to make it simple and ...

People vital to security intelligence, say experts ComputerWeekly.com Actionable security threat intelligence is mainly about having the right people with the right skills, a panel of information security professional has told attendees of Infosecurity Europe 2014 in London. “Invest in people who clearly understand the ...

Watch out, WhatsApp (and Facebook): Photo messaging app Snapchat is now offering video calls and instant messaging.

You'd think your SaaS vendors would know a lot more about you and their customers than IBM, Ma Bell or even the NSA. They know every click, login and data entry, right? Not necessarily.

Smoothly scalable, automatically redundant, set-it-and-forget-it NAS rewrites the network storage playbook

PayPal has unveiled a new global branding campaign designed to put greater focus on its ability to let people make payments for goods and services anywhere and anytime.

Cisco WebEx Meetings Server CVE-2014-2186 Cross Site Request Forgery Vulnerability

My little "lab of vulnerable devices" is still getting regular visits from script kiddies world wide. By now, I replaced some of the simulated honeypots with actual devices, giving me a bit a more accurate view of what is happening and how attackers are distinguishing honeypots from real devices. For example, the DVR I set up with default telnet credentials is getting regularly visited and the following command tends to get executed first:

/bin/busybox;echo -e '\147\141\171\146\147\164'

The output is busybox "help" screen, followed by the characters represented by the "echo" command. The characters are represented in octal in this case.

For example, on my busybox DVR:

[[email protected] /] # echo -e '\101\102\103\104\105\106'
ABCDEF

On the other hand, the same command on my MAC or a "normal" Linux system:

$ echo -e '\101\102\103\104\105\106'
\101\102\103\104\105\106

(the actual string used is a bit different but spells out a word I didn't feel comfortable posting here)

I also set up a little web based scanner to test for vulnerable DVRs. The scanner will try to connect via telnet using the common default credentials "root" and "12345". If the login is successful, the scanner will try to run "ps" to look for the "cmd.so" entry commonly associated with the litecoin miner we found recently on these devices. You can find the scanner at https://isc.sans.edu/tools/dvrtest.html . By default, it will just scan the IP address you are connecting from. If you log in, you may specify other IP addresses. Please only use against IP addresses you are authorized to scan.

And a quick update on the "honeypot fingerprinting": I am also seeing "echo -e \\x51\\x51" . But this appears to return "QQ" no matter if it is running on the DVR or a normal Linux system.

------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

CRN - UK

Infosec 2014 paints picture of industry in transition CRN - UK Those who braved the tube strike to attend Infosec 2014 will leave with the impression of both an event and industry in a state of flux. This is the IT security extravaganza's final year in Earls Court but this year's event was also noteworthy for ... and more »

Infosec 2014: Act now, but no new EU data protection law before 2017, says ICO ComputerWeekly.com Expect new European Union (EU) data protection law to be enacted in 2017 at the earliest, said David Smith, deputy commissioner at the Information Commissioner's Office. “But, get your house in order now under the current law, to ensure you are ready ... and more »

Four reasons to move entirely to IPv6. (Insider; registration required)

AT&T has approached satellite provider DirecTV about a possible acquisition, in a bid to more closely integrate TV and broadband services, according to the Wall Street Journal.

InfoSec 2014: 17 Percent Of All Thefts In The UK Threaten Victim Privacy TechWeekEurope UK The findings were presented at the InfoSec 2014 conference in London, where it was revealed that the number of data breaches reported to the ICO has increased by ten percent in 2104, but the the regulator is only half as likely to issue monetary fines ... and more »

Symantec has seen another round of a ham-fisted but surprisingly successful attack that targets Facebook users hoping to break into their friends' accounts.

Facebook, in a push to make its platform more useful for third-party developers, is launching tools to give their apps more exposure, including a mobile "like" button.

Achieving any certification worth its salt is never easy, but some are faster to complete than others -- and easier on your wallet as well. Here are five worth considering.

A piece of malware targeting Russian-speaking Android users abuses a person's contact list to try and infect other devices, according to security vendor Eset.

Google is releasing separate mobile apps for its Docs, Sheets and Slides apps, breaking them out from the Google Drive storage service where they used to reside.

Wearables could become the next big growth market for mobile devices, but they'll have to get more useful and less expensive first.

Facebook is not your scrappy startup anymore. It's providing a host of tools for third-party developers aimed at catching bugs swiftly, more toolkit options and lending a big helping hand in app development.

TechWeekEurope UK

InfoSec 2014: High-Tech Bridge Democratises Access To Ethical Hacking TechWeekEurope UK ... expert which includes recommendations tailored to individual customers. Kolochenko, who visited London for the InfoSec 2014 conference, told TechWeekEurope the service is unique because it offers real penetration testing starting from just $639 (£380).