Get Your Copy.
The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
#Hackersummercamp Special Edition
Coverage from Blackhat and Defcon:
- Wireless Armageddon
- ‘Secure’ is just a word
- Cyber insurance: expect higher premiums, more requirements
What We Learned at Blackhat and Defcon
One of the most disturbing things we encountered at hacker summer camp was a private demo of a proof of concept crack for WPA3. While it has not, to our knowledge, been made public yet, the demo has to do with poor implementation of Dragonfly, which is the replacement scheme for the three-way handshake of WPA2.
This hack is different from the existing and well known "downgrade" attacks which merely caused access points to negotiate using WPA2 instead of WPA3. The attack seems to target something in the implementation of Dragonfly, with claims being made about broad applicability.
While it's early days yet for this vulnerability, and there is a lot of testing yet to go before the details are discussed publicly, it was only ever a matter of time before WPA3 was cracked. This brings up (again) the general insecurity of Wi-Fi, and emphasizes the need to encrypt everything that passes over Wi-Fi, regardless of your level of confidence in the encryption of the Wi-Fi protocol itself.
This issue is reflected in the general anxieties of attendees to both Blackhat and Defcon. There was a great deal of talk in the hallways about the need for better wireless detection. There are any number of wireless protocols in use besides Wi-Fi, and they are increasingly finding their ways into our organizations.
Mobile/cellular signals are one possible threat vector, but so too are protocols such as Bluetooth, Zigbee, and others popular with Internet of Things (IoT) devices. In addition to simply detecting the presence of these signals, there was a great deal of discussion about the desire to precisely locate these signals, something that has taken on new urgency with the advent of warshipping: Hack in the box: Hacking into companies with “warshipping”.
Also related is the absolutely unprecedented buzz around hacking and cracking IoT and medical devices. It cannot be emphasized enough just how much the vulnerabilities of these categories of devices were being discussed, nor how prominent the concerns were about them. Multiple tools—even entire frameworks for attacking these devices—were discussed, demoed, and more.
If your company doesn't take wireless security seriously, it's time to start. For many organizations, there are already more devices on their networks with wireless than without, and the attack surface this presents is largely unmonitored. If your vendors don't offer wireless sensing, security, location, and more, it's time to pressure them to do so.
If the hackers at hacker summer camp are any indication, the next 18 months is going to see vulnerability after vulnerability exposed, and the damage that even moderately-capable nerds can cause with $200 worth of hardware is going to make us long for the simple days when SQL Injections and ransomware were all we had to worry about.
‘Secure’ Is Just a Word
Perhaps the most interesting session attended this year was focused on hacking Telegram, Signal, and similar "secure" IMs. For those interested in breaking into these supposedly "secure" IMs, session hacking is the name of the game, and everyone, including the much beloved Telegram and Signal, are vulnerable.
“Session hijacking” is a reasonably well-known form of session hacking, commonly used in browser and web application exploitation, and played a big role in many demonstrations regarding how to exploit IMs, IoT devices, and (Software-as-a-Service (SaaS) applications. A subset of session hijacking, “session shadowing” is a big deal for compromising "secure" applications.
Session shadowing is an example of exploiting bad application design. Here, the application allows multiple sessions from the same device/phone number/other unique identifier, allowing an attacker to set up a parallel session to the legitimate one, and then do various flavors of bad things.
To be clear, these applications aren’t being compromised because the encryption that makes them "secure" was cracked. They’re being compromised because of design choices in the client application implementation. In some cases, such as allowing session shadowing, these design choices require a fair amount of knowledge about complex approaches to attacking applications.
In others, however, the design choices are stunningly bad. For example, creating a "secure" instant messenger where two-step verification is not only not enabled by default, but isn't even available during registration. We here at The Countermeasure disapprove.
It’s worth noting the sessions about compromising secure IM, IoT devices, and medical devices were standing room only—and then some. In many cases, people were listening in from the halls. There is a great deal of interest in these topics by both attackers and defenders, and this tells us something about where we can expect a focus from attackers over the next year.
Do not trust that just because the literature says that something is "secure," that it actually is. If you have communications of any kind that you actually need to be concerned about, take the time to comb over information security forums and publications to see what the current state of known vulnerabilities are against applications you are proposing to adopt. Set up alerts to flag up any news about these applications in the tech press. "Secure" applications tend to be found to be insecure over time, and your use thereof needs to be vetted on an ongoing basis.
Cyber Insurance: Expect Higher Premiums, More Requirements
Cyber insurance and information security are intertwined. Because there is so little meaningful regulation in the world regarding either privacy or information security, it turns out that getting cyber insurance is, in almost all cases, cheaper than licensing information security tools, and the nerds required to run them.
This is, of course, a significant problem for anyone trying to convince a board of directors to spend adequately on information security. With luck, however, emerging regulatory regimes will change this trend, adding real consequences to lax security practices. In addition, as insurance companies get a better understanding of the real-world risk profile that information security choices present, rates are expected to go up.
Insurance companies are, however, being proactive about information security. While some offer blanket protection with minimal oversight, these policies are increasingly rare. Many insurance companies offer lower rates to organizations that get regular third-party audits, for example, and these audits are increasingly mandatory to get coverage at all.
In fact, the best cyber insurance coverage available today simply can't be had without being able to demonstrate that an organization has a bare minimum adequate security capability. This is especially true for organizations seeking hundreds of millions in liability for breaches. It is still relatively easy to get insurance for internal compromises that don't include much third-party liability.
Even if you have great cyber insurance coverage today, it’s worth beginning (or, if you already have them underway, continuing) efforts to objectively characterize your security posture. It will matter sooner rather than later in terms of how much and what quality of cyber insurance you can get.
On a related note, it’s worth mentioning Project CITL, which stands for Cyber ITL. The purpose of CITL is to provide a quantitative means to judge the security of products, and to allow anyone with any level of knowledge to judge and cross-compare software.
CITL throws boxed attacks at software (such as fuzzers, known exploit types, and so on), which helps to more objectively characterize different types of software.
Video of the Week
Expect a lot of video and audio recordings from #hackersummercamp to hit the Internet in the next few days and weeks. Here is one of the first ones released
Podcast of the Week
Tweet of the Week
My 11yo daughter was watching Riverdale last night and yelled at the TV:
“You don’t just plug a random USB key you found into a computer: it could have a virus on it!” #infosec – Andrew McAllister - @andrewmcdotca
- Found: World-readable database used to secure buildings around the globe
- So you can't find enough cyber-security experts to join the team. Time to dial a managed security service provider?
- Patch your internet-connected printer! Serious vulnerabilities discovered
- How dodgy browser plugins, web scripts can silently rewrite that URL you were about to hit – and throw you into an internet wormhole
- US insurers face SEC probe over web-access bungle that exposed 'up to 885 million' files
- Firefox fixes “master password” security bypass bug
- A look at the Windows 10 exploit Google Zero disclosed this week