WPA2 Security Flaw – KRACK-Key Installation Attack

Recently, new administrative vulnerabilities were discovered in the WPA2 security protocol, a 13-year-old WiFi authentication method used to secure WiFi associations and still the most commonly used system for computers, phones and routers.

According to ZDNet, this security flaw affects our homes, organizations and system administration organizations that manufacture them as well. Such a security flaw threatens the safety of data like passwords, and personal information like chat logs, photographs and credit cards.

Mathy Vanhoef of imec-DistriNet, KU Leuven discovered that the attack, called “KRACK-Key Reinstallation Attack”, works by exploiting the 4-way handshake of the WPA2 protocol.

For a KRACK attack to be successful, an already-in-use key is re-installed by tricking the victim. That leads to the manipulation and replay of cryptographic handshake messages.
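
The reinstallation described above, as a simplified model (an added example, not code from the original article or from Vanhoef's research). The class, method and key names are hypothetical, and the model assumes the documented detail that installing a key resets the per-packet nonce counter; it compares a client that reinstalls the key on a replayed handshake message 3 with a hardened client that ignores it.

```python
class Supplicant:
    """Toy client side of the 4-way handshake (constructed model, not real 802.11 code)."""

    def __init__(self, patched):
        self.patched = patched
        self.installed_key = None   # session key currently in use
        self.tx_nonce = 0           # per-packet number; must never repeat under one key
        self.used = set()           # (key, nonce) pairs already put on the air

    def on_message3(self, key):
        """Handle handshake message 3, which tells the client to install the key."""
        if self.patched and key == self.installed_key:
            return "ignored"        # hardened: never reinstall a key already in use
        self.installed_key = key
        self.tx_nonce = 0           # installing a key resets the packet number
        return "installed"

    def send(self):
        """Send one data frame; return True if its (key, nonce) pair was used before."""
        self.tx_nonce += 1
        pair = (self.installed_key, self.tx_nonce)
        reused = pair in self.used
        self.used.add(pair)
        return reused


def replay_scenario(patched):
    """Install a key, send 2 frames, receive a replayed message 3, send 2 more.

    Returns (result of the replayed message 3, number of frames that reused a nonce).
    """
    sup = Supplicant(patched)
    key = b"constructed-session-key"    # constructed sample value
    sup.on_message3(key)
    sup.send()
    sup.send()
    result = sup.on_message3(key)       # same message 3 delivered a second time
    reused = sum(sup.send() for _ in range(2))
    return result, reused


if __name__ == "__main__":
    print("unpatched:", replay_scenario(patched=False))
    print("patched:  ", replay_scenario(patched=True))
```

Every frame counted as reused was encrypted with a key and nonce pair that had already been used, which is the condition that lets captured traffic be decrypted.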

When the attacker is within physical range of a vulnerable device, network traffic could be decrypted, connections could be hijacked, and any content could be injected into the traffic stream. Simply said: The attack allows new devices with a pre-shared password to join the network. This flaw, if exploited, gives an attacker a skeleton key to access any WPA2 network without a password.

Microsoft Windows and the latest versions of Apple’s iOS are largely immune from the flaws, according to security researcher Kevin Beaumont, in a blog post. However, Vanhoef said the security issue is “exceptionally devastating” for Android 6.0 Marshmallow and above.

Security experts said it wasn’t clear whether any attacks had been seen in the wild. Even over an insecure network, sites and services that use HTTPS will encrypt the data from the browser to the server.

The warning was uncovered around the time of the Black Hat security conference, when Vanhoef presented a talk on networking protocols, with a focus on the Wi-Fi handshake that authenticates a user joining a network.
The cyber-emergency unit has since reserved 10 common vulnerabilities and exposures (CVE) records. Those can be found here.

KRACK, as it is called on the internet right now, shows us that for over 13 years, while everyone believed they were securely browsing the internet, they were not. And it is just one example of something that has been uncovered, but who knows what is still to come? It is another reason why you should always be vigilant and stay up to date with security issues, because no one else will do it for you.

Sources: ZDNet

Microsoft internal bug database hacked in 2013 and silence followed

Microsoft’s internal database for bug tracking was hacked over 4 years ago. The hack was discovered in 2013 but was never disclosed to the public. The hacked database contained a list of secret security flaws and possible exploits within the company's widely used software. The company managed to fix the issue within months after that. What is disturbing, however, is that the public was never informed. During the months Microsoft was creating solutions to combat the possible exploits, the public was exposed to numerous threats without knowing about it.

The company checked to see if the leaked information had been used in other breaches around that same time, before Microsoft was able to patch them. According to insiders, they were unable to link the hack to any other breaches happening before that. Since then, the company has put more emphasis on internal security, and former employees state that hacks like this will probably not occur anymore in the future.

But the fact remains the public should have been informed, even if it meant that the hackers likely would have used the exploits more aggressively since they knew the hack was discovered. If the public had been informed about what happened, companies, users and even governments could have taken preventative measures to ensure their security. The fact that Microsoft didn’t disclose that the breach occurred isn’t a great move at all.

“Bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world,” said Eric Rosenbach, the U.S. deputy assistant secretary of defense for cyber at the time.

The dangers posed by information on such software vulnerabilities became a matter of broad public debate this year, after a National Security Agency stockpile of hacking tools was stolen, published and then used in the destructive “WannaCry” attacks against U.K. hospitals and other facilities.

Only one breach of a big database from a software company has been disclosed. In 2015, the nonprofit Mozilla Foundation – which develops the Firefox web browser – said an attacker had gotten access to a database that included 10 severe and unpatched flaws. One of those flaws was then leveraged in an attack on Firefox users, Mozilla disclosed at the time.
In contrast to Microsoft’s approach, Mozilla provided extensive details of the breach and urged its customers to take action.

Sources: Engadget, Reuters