Explaining Security

New Wi-Fi attack found on WPA2 using PMKID

This could make many “thought safe” Wi-Fi routers not so

Here is where paying attention to new attacks is important.

hashcat.net has the information:

This attack does not even need a full EAPOL 4-way handshake, EAPOL stands for Extensible Authentication Protocol(EAP) over LAN. A simple 4-way handshake is shown pictorially below (from hitchhikersguidetolearning.com)

This means that in the past an attack on Wi-Fi would would need EAPOL 4-way handshake to be captured. Capturing the 4-way handshake is sometimes difficult to achieve.

Instead in this attack: ” We receive all the data we need in the first EAPOL frame from the AP.”

First one captures a sample initial Message from the ‘Authenticator’ which includes a PMKID (run hcxdumptool)

Second (run hcxpcaptool) to convert captured data from pcapng format to a hash format accepted by hashcat

Third (run hashcat) to crack the string of data.

So now no 4-way handshake is needed, only expertise to run a couple of scripts and to know how to set up the Wi-Fi capture by using the Wi-Fi network card.

The comments on the hashcat webpage do mention that your Wi-Fi network card must have the capability to capture wlan traffic.

So this requires more review and investigations.

Unknown Risks: Possible to Gauge?

Does the definition of unknown make measuring risk also unknown?

Let’s assume a cloud account has been created on Amazon Cloud(AWS – Amazon Web Services) or elsewhere (Rackspace, Azure, or Google cloud)

This cloud account will always be the Achilles heel of your Internet presence. I.e. if someone gets a hold of he main account instead of who is supposed to take care of it, the criminal hacker can modify and add users so as to make imperceptible changes to your website until it is too late.

Then let’s dissect an interesting interview with Bruce Schneier at Threatpost about “Going Dark”

Specifically “people’s long tail of digital metadata.

A person’s metadata will include the phone’s gmail account, all the places you have been using Google’s map app, and many other apps that are on your phone and soon your car. How will it all look once everything in your house, car, and work is interconnected? Identity Access Management will be that much more important.

I.e. how you can access the phone and all the apps. Every time an app says you can reset your password by sending an email, that means the email is the one thing that has to be defended without fail.

So if the cloud account was set up with a specific email, that email account has to be defended without a hacker even remotely able to access it. Of course one has to keep operational intelligence about various company actions out of social media. I.e. a new promotion in IT in charge of cloud accounts is not something to discuss in social media(in fact anywhere). You can say you have understanding in cloud architecture, but I would not get into details. It is important to keep many details about your environment out of any site on the Internet.

Notice how a Facebook “friend” can send you phishing requests via SMS (text or messages via Facebook) and try to get access to your computer that way. if you click on link then it goes to a website that looks like Facebook but is really a scam. notice the URL: facebook.ssbh.edu.bd (a Bulgarian university server) This example is from today’s post in Internet Storm Center: Facebook Phishing via SMS

There are many ways somebody can get access to your credentials, including if you just give them away.

My policy is to never follow a link if they are asking for my credentials I just do not enter them. Answering a bunch of questions about some quiz on Facebook, on whether you are Italian or not… is generally a bad idea as Kirstin Fawcett wrote in mentalfloss.com :“taking Facebook Quizzes Could Put You at Risk For Identity Theft”

Or maybe they are called ‘surveys’ , either way they constitute a risk that may not be worth taking. Every action on the Internet increases your risk of a potential attacker gaining more insight into your environment / personal life/ or other facet that advances an attacker.

Spam email is a perfect phishing attack by hackers to gain information or credentials from you. – never click on a link that then asks for credentials to be entered. Are there exceptions to this rule? unfortunately yes, as some reset procedures require you to click and reset your credentials in some environments. So how does one get past this? Not every user is going to be well versed in Domain name methods of hackers. And to some degree there will never be a 100% foolproof way to differentiate good sites from bad.

So do your social engineering training and keep up with attacks, and you have to accept some risk.

Back to my original question are unknown risk possible to gauge? I think that some risk is impossible to put a number on it. But we can mitigate and accept some unknown risk, and keep vigilance. Knowing as much as we can about potential unknowns is the est we can do – Some Unknown unknowns are inevitable, but no point fretting on those.

Is There Cyber Risk? How to Assess Risk?

An interesting video from RSA Conference 2018: “There’s no such Thing as a Cyber-risk”

So if you look at possible risk domains Computer Security (or Cybersecurity is not on there.

Operations: errors – fraud – talent – employee engagement – safety
Service Availability: capacity, resiliency, data integrity, intentional disruption
Product delivery: pre-executions – release executions
Compliance: regulatory, contractual obligations, privacy lane, employment law, other laws

Of course data integrity is there – so if there is a cybersecurity problem data integrity may become an issue.

The definition of “Operational risk” is the prospect of loss resulting from inadequate or failed procedures, systems or policies. Employee errors. System failures. fraud or other criminal activity. Any event that disrupts business processes

The problem with Cyber risk is that it can affect operations but is not always obvious how bad it can get until it happens. Can you operate without computers? Can it get that bad? What if it does? Just like one may have electricity backup in an area which has frequent power outages, one has to consider what to do if there are no computers to run credit card transactions.

To properly assess operational risk, what is it one must ask in regards to computer assets with regard to cybersecurity? What if I cannot use this device? i.e. it has been hijacked by hackers or otherwise incapacitated.

If credit card processing is stolen, what could be worse is now your reputation can take a hit. Since the news will be filled with stories of Credit card fraud originating at your business.

Consider reputation in assessing operational risk. And reputation does not always mean systems fail or money is lost due to no electronic access.

It all depends on who you claim to be in the public space. Is your business marketing claim to be up-to-date? Then reputation may have to have a higher impact. Make sure you are spending enough resources in relation to your REAL level of risk.

If you need help in assessing risk contact us.

NIST 800-171 rev1 (Updated 6/7/2018)

This document was updated and created to protect CUI – Controlled Unclassified Information for all government entities. So if you want to have a contract with the government you better have a plan in place. Due to Executive order 13556 (Nov 4, 2010), Controlled Unclassified Information program to standardize unclassified information and designated the NARA (National Archives and Records Administration).

Interesting to note all this standardization comes from a long list of departments in charge of classifying information. But the reality is there are many things similar to standards like PCI, COBIT 5, and others.

Notice that in 800-171 requires a Security Assessment:

Assess security controls in the organization- are they effective?
Develop and implement plans of action to fix deficiencies and reduce or eliminate vulnerabilities.
Monitor security controls on an ongoing basis
Develop, document, and periodically update system security plans that describe system environments as changes occur, system environments, how they are implemented, and relationships to other systems.

So essentially common sense security functions.

Anytime a change occurs (new device, moving, adding, subtracting) one has to re-evaluate security posture.

How about Risk assessment:

Periodically assess risk to organizational operations(mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
Remediate vulnerabilities in accordance with risk assessments.

So if you look at the document – it just means what all respectable requirements have.

Document and inventory your stuff.
create risk assessments and impact assessments
set up vulnerability scans
remediate vulnerabilities!

Talk about change, the document 800-171 has recently been revised and updated, Both in February and June 2018:

February: 16 editorial changes and 42 substantive
June: 27 editorial changes and 5 substantive.

Most of the changes were deletions and some clarifications.

There is a change in authentication, now MFA(Multi Factor Authentication) is required instead of two-factor or regular password authentication.

Above is the section (Identification and Authentication) where MFA is shown.

If you need help in performing risk and security assessments Contact Us.

Tuesday July 10th patch Tuesday #7 of 2018

53 vulnerabilities in today’s Patch Tuesday

There is a Dashboard set up by Morphus Labs

3 publicly disclosed and 17 critical.

It is always important to keep up on your patching regimen, as today’s vulnerabilities become more and more dangerous in the future.

But one has to assess the current and older vulnerabilities with what is going on in _your_ environment. Here is another article on what type of updates there are in this month’s updates Dark Reading: “July Security Updates”

Since most of these updates are browser based except for the latest update for the Meltdown and Spectre type of fix.

Looking over the updates one has to look at the remote code execution vulnerabilities to find the issues to patch first.

Because Microsoft has put out patches once a month on the 2nd Tuesday, some other software companies also do the same, so IT departments have a consistent review of the patches to be installed. Adobe has released 105 vulnerabilities for Reader and Acrobat, as well as some Flash. One thing that comes out of these situations is the planning of downtime for cloud systems which have to have all patches installed for the users who wish to run their applications.

So even if most of the vulnerabilities are browser based then some servers may need to have a number of patches.

In my opinion this Vulnerability “CVE-2018-8327” is very dangerous, as it is a remote code execution malicious code potential. Microsoft Security TechCenter goes into some details.

Since this is a new vulnerability as of July10 there is a race now on, the race is as to who will install patches or who will download malicious software (Malware) first.

Image is from the SanS.edu website.

Also an update today – 7/12/18:

Lists the vulnerabilities in a different manner than Internet Storm center.

From Talos Blog:
Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month’s release addresses 53 new vulnerabilities, 17 of which are rated critical, 34 are rated important, one is rated moderate, and one is rated as low severity. These vulnerabilities impact Windows Operating System, Edge, Internet Explorer and more.
Reference: https://blog.talosintelligence.com/2018/07/ms-tuesday.html
Snort SID: 47111-47114, 47091-47092, 47107-47110, 47100-47103, 47096-47099