
Tips & Tricks for Unmasking Ghoulish API Behavior

Jason Kent, hacker-in-residence at Cequence Security, discusses how to track user-agent connections to mobile and desktop APIs, to spot malicious activity.

Thousands of University Wi-Fi Networks Expose Log-In Credentials

Multiple configuration flaws in a free Wi-Fi network used by numerous universities can allow access to usernames and passwords of students and faculty who connect to the system from Android and Windows devices, researchers have found.

A research team from WizCase, led by researcher Ata Hakçıl, reviewed 3,100 configurations of Eduroam at universities throughout Europe, finding that more than half of them have issues that can be exploited by threat actors. The misconfiguration danger could extend to other organizations globally as well, they added.

Eduroam provides free Wi-Fi connections at participating institutions. It assigns students, researchers and faculty members log-in credentials that allow them to obtain internet connectivity across different institutions by using credentials from their own university.

Specifically, researchers discovered flaws in the implementation of the Extensible Authentication Protocol (EAP) that Eduroam uses, which provides different stages of authentication as people connect to the network. Some of those authentication phases aren’t configured properly in some universities, opening security holes, they said.

“Any students or faculty members using Eduroam or similar EAP-based Wi-Fi networks in their faculties with the wrong configuration are at risk,” researchers wrote in a report posted Wednesday. “If you are using an Android device and have Eduroam Wi-Fi set to auto-connect, malicious people could capture your plaintext username and password by only getting 20 or so meters in range of you.”

Network ‘Evil Twin’

For the research, WizCase examined various configuration-setup guides and set up a test environment with different attack scenarios. Overall, their findings showed that in most of the universities with misconfigured networks, threat actors can configure an “evil twin” Eduroam network that a user would think was the real network, particularly on Android devices.

“This could result in these devices automatically sending their stored credentials in order to connect to the evil twin Wi-Fi network for users not using eduroamCAT,” which is Eduroam’s catalog application which handles certificate checks, they wrote.

Researchers stressed that the problem is not caused by any technical vulnerability in Eduroam’s services or technology, but by erroneous configuration instructions that the universities’ own network administrators provide to those setting up access.

Indeed, while each institution provides resources and people to help keep Eduroam running, there is no centralized management for the network — either as a whole or at each university where the system is in place, researchers observed. This means that “a simple misconfiguration could make it the target of hackers,” they said.

Researchers further pinpointed the problem by breaking down the multiple sequential phases of EAP authentication, finding that poor implementation of the last stage of this authentication, called “Inner Authentication,” is the root of the issue.

In EAP, Inner Authentication is done in one of two ways. One way is to use Plain Authentication Protocol (PAP), which transfers the credentials of the users to the authentication server in plaintext, relying on the Outer Authentication to completely encrypt the traffic using a server certificate.

The other way uses Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2), which recognizes that there may be failures in the “Outer Authentication” stage, and transfers the password in a hashed, non-plaintext form, researchers said.

The vulnerable universities use the former.

Botched Certificate Checks

The problem lies in that not every OS implements the certificate check to secure the connection properly—Android being among those OSes, researchers wrote.

“When a network with the same Wi-Fi name appears, Android devices will not check whether this certificate is trustworthy or not, and will not even notify the user about the certificate before connecting,” they explained.

This means if an Android user has enabled auto-connect for a network using a server certificate, Android devices will automatically attempt to connect to this network and send stored credentials, and the user is none the wiser, researchers said.

Even an OS that implements certificate checks properly can expose data, because often a user doesn’t know what a certificate check means and will allow the connection to continue even after receiving an alert about the certificate, they added. This means that the issue can occur on Windows as well if a system is misconfigured, researchers said.

However, iOS devices aren’t vulnerable to the issue because they don’t allow connections to EAP networks without installing the EAP configuration file, which enforces the validity of the server-side certificate, researchers said.

Of the 3,100 Eduroam participating university configurations reviewed by WizCase, 2,100 scattered across Europe are potentially affected by the problem, researchers said. It could be mitigated by reverting to the second method of Inner Authentication, according to the firm.
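As an added illustration (not code from the article, WizCase or Eduroam), the following Python audits a wpa_supplicant `network={...}` block for the two weaknesses described above: PAP inner authentication, and a missing server-certificate check (no `ca_cert` and no server-name match), which is what lets an “evil twin” access point collect stored credentials. The SSID realm, file paths and RADIUS server name are assumed placeholders, and both sample profiles are constructed for the example.

```python
# Added example (not from the article): audit a wpa_supplicant network={...}
# block for the two eduroam weaknesses above. Sample configs are constructed.
import re

WEAK_CONF = """network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="student@university.example"
    password="placeholder-password"
    phase2="auth=PAP"
}"""   # no ca_cert, no server-name match: any 'eduroam' AP gets the password

HARDENED_CONF = """network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="student@university.example"
    anonymous_identity="anonymous@university.example"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_suffix_match="radius.university.example"
    phase2="auth=MSCHAPV2"
}"""

def parse_network_block(text):
    """Return {key: value} for the first network={...} block, quotes stripped."""
    body = re.search(r"network=\{(.*?)\}", text, re.S).group(1)
    kv = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if "=" in line:
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip().strip('"')
    return kv

NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def audit(text):
    """Return a list of findings; an empty list means no weakness was found."""
    cfg = parse_network_block(text)
    if cfg.get("key_mgmt") != "WPA-EAP":
        return []  # not an 802.1X/EAP network; nothing to check
    findings = []
    if "ca_cert" not in cfg:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(k in cfg for k in NAME_CHECKS):
        findings.append("no server-name match: any cert from the CA is accepted")
    if "AUTH=PAP" in cfg.get("phase2", "").upper():
        findings.append("inner auth PAP: password crosses the tunnel in plaintext")
    return findings
```

The check covers only the wpa_supplicant profile syntax; it does not verify that the referenced CA file exists or that the RADIUS server’s certificate actually chains to it.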

WizCase contacted Eduroam in December to disclose their findings, receiving a response on the same day, researchers said. Eduroam representatives said they are aware of “Eduroam identity providers who do not follow the requirements of the Eduroam policy, and leave their own users unprotected,” agreeing with researchers’ assessment that this behavior is “unacceptable,” according to WizCase. It’s unclear if Eduroam contacted its customers to alert them to the issue.


Apple Pay with Visa Hacked to Make Payments via Unlocked iPhones

Researchers have demonstrated that someone could use a stolen, unlocked iPhone to pay for thousands of dollars of goods or services, no authentication needed.

Keep Attackers Out of VPNs: Feds Offer Guidance

The NSA and CISA issued recommendations on choosing and hardening VPNs to prevent nation-state APTs from weaponizing flaws & CVEs to break into protected networks.

Apple AirTag Zero-Day Weaponizes Trackers

Apple’s personal item-tracker devices can be used to deliver malware, slurp credentials, steal tokens and more thanks to XSS.

CISA and NSA Release Guidance on Selecting and Hardening VPNs

Original release date: September 28, 2021

The National Security Agency (NSA) and CISA have released the cybersecurity information sheet Selecting and Hardening Standards-based Remote Access VPN Solutions to address the potential security risks associated with using Virtual Private Networks (VPNs). Remote-access VPN servers allow off-site users to tunnel into protected networks, making these entry points vulnerable to exploitation by malicious cyber actors.

Exploitation of these devices can enable:

  • Credential harvesting
  • Remote code execution on the VPN device
  • Cryptographic weakening of encrypted traffic sessions
  • Hijacking of encrypted traffic sessions
  • Arbitrary reads of sensitive data (e.g., configurations, credentials, keys) from the device

The information sheet helps organizations select standards-based (rather than proprietary) VPN solutions and provides hardening guidance to prevent compromise and respond to attacks.

CISA encourages organizations to review and adopt recommendations in the information sheet to reduce risk.

This product is provided subject to this Notification and this Privacy & Use policy.


RCE Vulnerability in Hikvision Cameras (CVE-2021-36260)

Original release date: September 28, 2021

Hikvision has released updates to mitigate a command injection vulnerability—CVE-2021-36260—in Hikvision cameras that use a web server service. A remote attacker could exploit this vulnerability to take control of an affected device.
 
CISA encourages users and administrators to review Hikvision’s Security Advisory HSRC-202109-01 and apply the latest firmware updates. See security researcher Watchful IP’s technical blogpost for more information.



Working Exploit Is Out for VMware vCenter CVE-2021-22005 Flaw

The unredacted RCE exploit allows unauthenticated, remote attackers to upload files to the vCenter Server analytics service.

A Look Into “Password Hygiene” and How to Implement It

According to a 2020 study conducted by Stanford University, almost 90% of cyber security breaches are caused by human error. Though there are a variety of factors that contribute to this statistic, one of the main offenses is poor password hygiene. “Password hygiene” is the practice of ensuring your passwords are unique, secure, and difficult to crack. You can do your part toward improving your password hygiene by following these three easy tips: 

  1. Create a strong (and memorable) password 

We’ve all been told to avoid common passwords such as “123456789” or “asdfghjkl,” but what really goes into creating a strong password? Statistically speaking, the most difficult passwords to crack are at least 16 characters and are comprised of a completely random assortment of letters, numbers, and symbols. However, if you are prone to forgetting your passwords, you’ll find that what you gain in security with this option you begin to lack in convenience. A quality alternative to this is using what cybersecurity professionals refer to as a passphrase. A passphrase is a sentence-like string of words that is easier to remember than a traditional password and is used to authenticate a user’s identity. An example of a passphrase would be “Cartoon-mouse-tugboat-S1nging.” This particular passphrase contains a quality mixture of letters, numbers, and punctuation, while still remaining memorable.

  2. Store your passwords securely

Whether you are working from home or in an office environment, you are susceptible to having your password stolen. The best way to organize your passwords and to keep them safe is to use a password manager. Gone are the days of writing your password down on a sticky note and keeping it on your desk! Password managers are digital vaults that can securely store your login information for a variety of sites. While there are a slew of password managers offered for all different kinds of devices, some of the more highly reviewed software downloads are “LastPass,” “KeePass,” and “Bitwarden.”

  3. Be cautious of where you enter your passwords

Hackers can use social engineering to collect employee credentials and gain access to an organization’s network. The most common way this attack is implemented is through phishing emails. Phishing emails are sent by hackers impersonating a legitimate person or organization in an attempt to gain personal information from the recipient (such as user logins and passwords). If you are suspicious of the legitimacy of an email that is requesting you enter a username or password, it is important to NOT click any links or attachments that are included in the message. To make any edits to your credentials for a website, open another tab and type the website’s URL directly into your browser.

With cybercrime on the rise, it is important that we do our part to protect both our own data, as well as our organization’s. By following the aforementioned tips, you can help ensure you are an asset to your organization’s security infrastructure, rather than just a part of another statistic. Ensuring you are maintaining proper password hygiene is one of the easiest and most effective ways to keep your information safe.  


5 Steps to Securing Your Network Perimeter

Ekaterina Kilyusheva, head of the Information Security Analytics Research Group at Positive Technologies, offers a blueprint for locking up the fortress.

For Emergency Cyber Security Incident Response please email RedTeam@DefendEdge.com