Each week we bring you some of the top stories in the cyberverse, the news of data breaches, cyber attacks or ransomware that break down national borders and affect us all. We delve into lessons learned and troubles to avoid. Sometimes the stories have a resolution, which can be implemented into other businesses. Other times they merely represent cautionary tales, with no immediate action to implement.
This week we focus primarily on the UK, where two major cyber events made a splash. But first, we’ll look at one of the biggest stories in cyber security history: a security weakness that affects nearly every device on the globe.
Security researchers have discovered and published data about serious vulnerabilities in the WPA2 Wi-Fi protocol. Nearly every Wi-Fi connected device uses the industry standard WPA2-PSK authentication (Wi-Fi Protected Access 2, Pre-Shared Key). Since WPA2 encryption changes with each user and use, it’s become the gold standard for everything from cellphones and laptops to connected refrigerators and baby monitors.
That’s why a vulnerability in the protocol itself is so dangerous, it means that security measures like passwords do not matter since the weaknesses bypass all of those protections, that are later in the communication process. In some cases, the newly discovered vulnerabilities even allow packets to be uploaded to your device remotely.
So first, the bad news:
- Yes, virtually all wireless connected devices are affected
- No, updating passwords does nothing
- Yes, it means the possibility of remote access to all of your devices
Next, the good news:
- Yes, patches have already started coming out
- No, there’s no evidence that the vulnerabilities have yet been exploited
- Yes, someone would need to be within range of your Wi-Fi connection to exploit the vulnerabilities on your device
Now for some important details. According to the research paper’s author, Mathy Vanhoef, the main method of potential attack is against the 4-way handshake protocol of WPA2. The 4-way handshake is the point of encryption in joining a Wi-Fi network, after which all traffic will be encrypted with the negotiated key. He called the attack KRACK because it interferes with the Key Reinstallation AttaCK (and “Krack Attack” sounds better than KRA or KRattack or other possible variations of the coined phrase that would not involve a repetition of the “attack” part).
“When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as an acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by encryption protocol…an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked e.g. packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.”
Security researcher Brian Krebs outlined another layer of protection that you might immediately be thinking of, the SSL encryption that is separate in most connections, such as emails or interactions with your banking agency (anything that begins with an “https://” the “s” is, of course, for “secure”).
The KRACK attack, however, may bypass some of those seemingly secure connections. The paper’s authors point out examples of bypassing HTTPS in android apps, banking apps, Apple’s iOS and OS X and even VPN apps. (More details about those bypasses are in the study). The safest bet, then, is to patch as soon as patches become available. Since the industry got a warned of the contents prior to the release of the paper, many of them have already created patches. Smartphones, laptops, and routers are among many of the already updateable devices.
The worst thing to do would be to do nothing, but for many Internet-ready devices in the IoT (internet of things) updating/patching is not supported still, even though researchers (and even senators) have been asking the FCC to require devices to support updates. The smartest thing, then, would be to replace devices that cannot be updated with those that can–not just to prevent this KRACK Attack, but to be able to protect against future attacks.
Recently we outlined some of the major attacks against Ireland, a small island nation in which more than one-third of companies have experienced an economic crime, with cybercrime being the fastest-growing attack method. Now grocery giant Musgrave Group has confirmed a major cyber attack.
Cyber attacks against retailers and grocers, in particular, are nothing new. In the US, Whole Foods Market (recently acquired by Amazon), has been dealing with the consequences of a data breach. Similarly, Musgrave’s attack, affecting more than 200 stores and tens of thousands of people, targeted credit and debit card numbers. Stolen data, according to the company’s statement, may have affected credit and debit card numbers and expiration dates, but do not seem to have leaked CCV or PIN numbers.
Still, those who might have been impacted should keep a close eye on bank statements, or even consider ordering a replacement. Credit card numbers and expiration dates are a popular item on the dark web, where dark web monitoring reveals card information for sale to cyber criminals. After all, what is the dark web if not a dumping ground for leaked credentials and personal information?
More secure shopping methods require CCV information for online purchases, and EMV chip cards (for in-person shopping) are both techniques that researchers advise might make card purchases more secure. The truly paranoid among us might insist on only cash, though in a world where as much as 79% of shopping is done online, cash might not even be an option. Blockchain-backed cryptocurrencies like Bitcoin come with their own risks but might also become the currencies of the future.
All such technological speculation still adds up to this:
- Keep an eye on statements
- Rapidly report any evidence of fraud, for your personal financial security
- Stay informed of such leaks on the dark web, to protect your business
For our last stop on this week’s cyber disaster tour, another stop in the UK, this time at the Houses of Parliament in Britain, where British MPs got hit with a massive brute-force, targeted attack. (Note for non-Brits: MPs = members of parliament).
Cyber attacks in the political arena are certainly nothing new. From the Stuxnet virus, which was reportedly created by the US to attack Iran’s nuclear research facilities, to the accusations in the past year of Russian interference in global elections, to the fact that the WannaCry virus may have come from North Korea, most of the world’s major governments have gone cyber in their espionage and assault methods.
When news first broke of this attack on MPs, Russia again sat in the hot seat. Now it seems Iran may have been the culprit. The attack occurred in June, with the investigation still ongoing. Up to 90 MP email accounts were hit. No matter who researches decide, ultimately, was responsible, it sheds light on some very interesting points, both in the political arena and beyond.
First, a point about politics. For sure, if you are in a position of power, political or otherwise, you should consider that you are in the crosshairs of adversaries armed with cyber weaponry. Access to insider information in the business world or sensitive information in the political world provides leverage for those that would trade in secrets. It raises some alarms about blackmail, even beyond the Ashley Madison scandal (where thousands of .gov email addresses were among the leaked accounts), because it affects more people than the targeted MPs. When constituents email their representative, it might be data they wouldn’t want to be shared.
Andrew Brigden, the Tory MP for North West Leicestershire summed it up when he said, “People come to us with their worst problems in their life in the confidence that their emails are secure. If people thought our emails were not secure it would seriously undermine our constituents’ confidence and trust in approaching their MP at a time of crisis.”
Undermining confidence seems to be the major purpose behind attacks on foreign nations, so in that sense even if no emails were obtained, the cyber attack could be viewed as a “success” by assailants. But beyond the confidence issues, there are issues of password security. Just about every time a data breach occurs, password dumps show up on the dark web. Cybercriminals can use these leaked credentials to target other sites. Despite warnings from professionals, people still often reuse passwords between sites.
It’s sort of like having your house and car keyed to the same key, and yet it happens. The attack on the British MPs, however, used another hacking tactic: brute force password attempts. Brute force attacks are more cumbersome. Through any known data about you, such as your children’s names or the town where you grow up, or through dictionary methods (using words, including such common substitutions as an “@” symbol for “a”) attackers use preset programs to repeatedly guess passwords. Though sites only allow for so many password attempts before you get locked out, some less secure sites essentially can be moved to a safe zone for the hacker, where more attempts can be made without a lockout.
Fearing the success of the brute force attacks, MPs were instead locked out proactively from their own email accounts, with many taking to social media to notify constituents of the situation. Before long, service was restored. Maybe along the way, a few elected officials learned to choose unique passwords. Perhaps. At the very least, you can learn from such attacks and keep your own passwords unique and secure (and your Wi-Fi-ready devices up-to-date).
Tune in Next Week
Whether scouring the headlines or deep-diving into the dark web, we like to stay informed. Tune in each week for the latest in water cooler conversation amusement and actionable intelligence alike. Same bat-channel, same bat-time.
In the meantime, enjoy the headlines, but stay out of them.