Protecting Against Key Reinstallation Attacks in WPA2 (KRACK)

Just recently, a paper was leaked in regards to a vulnerability in WPA2 that affects just about everyone who uses a wireless connection. More specifically, the vulnerability lies at the 3rd stage of the 4-way handshake used by WPA2 to provide authentication and session key agreement. The attack also requires an evil twin access point since the session key is derived from the MAC address.

The paper, written by Belgian researchers, Mathy Vanhoef and Frank Piessens, is 16 pages long and goes into detail on the various exploitations possible. We don’t want to rehash everything here when you can go straight to the source, so for those who want to know the technical ins and outs of this vulnerability, we recommend reading about it from the horse’s mouth: https://papers.mathyvanhoef.com/ccs2017.pdf

What most people probably want to know, though, is “how do I avoid getting hacked?” The safest and most immediate solution is switch to wired for the time being. Although the chances of a hack are low, if you live in an area with a high population density that has more technically inclined people, and if you’re responsible for protecting significant assets, your chances of experiencing a hack go up. So for now, and until patches are released by various vendors, we recommend moving to wired networking. For those of you on laptops without an Ethernet port, you can purchase USB to Ethernet dongles online or at your local tech store. Yes, this is inconvenient for many people, so each person will have to weigh that inconvenience vs. the sensitivity of the data they work with and make the best decision for them.

(more…)

0 Comments

Principal Security Engineer, Patrick Kelley, Lectures at GSU.

Principal Security Engineer, Patrick Kelley, was given the opportunity to Guest Lecture for the Master of Science in Information Systems - Cybersecurity Concentration, last evening. The discussion was centered around implementation of security controls in cloud environments and the anatomy of a Penetration Test.

0 Comments

Defense Federal Acquisition Regulation Supplement (DFARS)

NIST 800-171 – 12/31/2017 – Less than 90 days until the deadline!

Contracted information systems not part of an IT service or system operated on behalf of the Government must adhere to the following requirements:

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
. . . the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Non Federal Information Systems and Organizations. . .” The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. . .

(more…)

0 Comments

Rotating Security Assessors

In order to protect valuable corporate assets and prove due diligence, security assessments and validation of controls are required on a regular basis. To adhere to regulatory compliance, these tasks are generally scheduled in advance and involve the repeated use of a single person or group of professional penetration testers. In this established routine lies a potential problem.

Penetration Testing is an art based on well-trained and highly creative individuals. Their most important task is to replicate attack strategies that many adversarial groups would launch against the corporate assets, defined as Physical Infrastructure or Intellectual Property. Threat Actors use widely different methods of attack plans, with an even more diverse range of tools, making it impossible to develop a “one size fits all” defense plan.

(more…)

0 Comments