PwC Weekly Cyber Security

PwC Weekly Security Report

This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.

Malware: Windows botnet spreads Mirai malware
Threats and vulnerabilities: Internet users urged to change passwords after Cloudbleed
Threats and vulnerabilities: Google’s Project Zero reveals vulnerability in Internet Explorer and Microsoft Edge
Top story: Crypto specialists break SHA-1 security standard

Malware

Windows botnet spreads Mirai malware

Security researchers from Kaspersky Lab are currently investigating the first Windows-based spreader for the Mirai malware, something that can have huge implications for companies that invested heavily in IoT.

The spreader was apparently built by someone with "more advanced skills" than those that had created the original Mirai malware. This, Kaspersky Lab says, has "worrying implications for the future use and targets of Mirai-based attacks."

It is richer and more robust than the original Mirai codebase, even though many of its components are "several years old." Its spreading capabilities are limited, as it can only deliver from an infected Windows host to a vulnerable Linux-powered IoT device. Even that -- if it can brute-force a remote telnet.

It was also said that the author is likely Chinese-speaking, more experienced, but probably new to Mirai.

"The appearance of a Mirai crossover between the Linux platform and the Windows platform is a real concern, as is the arrival on the scene of more experienced developers. The release of the source code for the Zeus banking Trojan in 2011 brought years of problems for the online community -- and the release of the Mirai IoT bot source code in 2016 will do the same for the Internet. More experienced attackers, bringing increasingly sophisticated skills and techniques, are starting to leverage freely available Mirai code. A Windows botnet spreading IoT Mirai bots turns a corner and enables the spread of Mirai to newly available devices and networks that were previously unavailable to Mirai operators. This is only the beginning," says Kurt Baumgartner, principal security researcher, Kaspersky Lab.

Source: https://betanews.com/2017/02/23/windows-botnet-spreads-mirai-malware

Threats and vulnerabilities

Internet users urged to change passwords after Cloudbleed

Multiple high-profile apps including Uber and FitBit have been leaking customer data for months due to the Cloudbleed vulnerability discovered by Google researchers last week.

The bug in the source code of internet services company Cloudflare caused sensitive data to be cached by search engines, potentially allowing hackers to pose as legitimate customers. The compromised data includes private messages and authentication cookies.

“We've discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use Cloudflare, and even plaintext API requests from a popular password manager that were sent over http,” said a cyber-security researcher from Google’s Project Zero team.

“The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean-up.”

The researchers said the impact of the vulnerability is potentially wide-reaching due to the massive customer base of Cloudflare.

“I didn't realise how much of the internet was sitting behind a Cloudflare CDN until this incident,” the researcher said.

The Google team said that Cloudflare has responded to the issue promptly but advises users to change their passwords and switch to two-factor authentication where possible.

“With the haemorrhaging from Cloudbleed first reported on Friday, new data from Skyhigh Networks indicates the wounds to IT are widespread,” commented Kaushik Narayan, CTO of cloud access security broker Skyhigh Networks.

“After analysing more than 30 million enterprise users across the globe, Skyhigh found 99.7 per cent of companies have at least one employee that used a Cloudbleed vulnerable cloud application.”

Even though few enterprise-ready cloud services were themselves affected – fewer than four per cent – there’s a very long list of potential consumer-focused services that may have been vulnerable to credential loss, Skyhigh Networks said.

Cloudbleed got its name after the Heartbleed vulnerability in the OpenSSL cryptographic software library, discovered in 2014. The researchers said Cloudbleed could be potentially as serious as Heartbleed, which affected millions of websites, enabling hackers to gain access to sensitive user data.

According to Gizmodo, Cloudbleed is a result of a coding error affecting a single character in Cloudflare’s code.

Source: https://eandt.theiet.org/content/articles/2017/02/internet-users-advised-to-change-passwords-after-cloudbleed-vulnerability-discovered/

Our perspective

Cloudflare Inc. handles traffic for many popular services, including Uber and Fitbit. It also helps customers to protect and defend themselves from denial-of-service attacks and configure SSL encryption for their websites. It is quite possible for an attacker to have access to private web data along with encryption keys, if the password is compromised. After studying the vulnerabilities and the impact of the exploit, all readers are strongly advised to change their password quickly to avoid any security risks.

Threats and vulnerabilities

Google’s Project Zero reveals vulnerability in Internet Explorer and Microsoft Edge

Google's Project Zero has exposed another security flaw in Microsoft software — this time in Internet Explorer and Microsoft Edge. As reported by The Register, the flaw was first disclosed to Microsoft on November 25, but has now gone public after exceeding Project Zero's 90-day disclosure deadline without a patch.

The bug in question could allow a website to crash the browser and execute code with just 17 lines of HTML. If you're into the nitty-gritty technical details of the issue, you can dive into the full explanation of the flaw at Project Zero's post.

This isn't the first time Google has publicly outed a flaw in Microsoft software without a patch being issued. Most recently, the two software giants butted heads in late 2016 after Google disclosed a bug in Windows just days after alerting Microsoft. Similarly, January of 2015 saw Google publish a Windows 8.1 vulnerability just days before a patch was set to go live.

It's not clear when or how quickly Microsoft might issue a fix for this particular flaw. The company curiously delayed its usual monthly round of fixes for February, noting that they'll arrive with March's Patch Tuesday on March 14. However, the company did issue a fix for a critical Adobe Flash bug just days later, so there's a chance we could see a security fix outside of the usual monthly schedule.

Source: http://www.windowscentral.com/googles-project-zero-reveals-vulnerability-internet-explorer-and-edge

Our perspective

The newly disclosed zero-day vulnerability, which creates a type confusion flaw, affects Microsoft Edge and Internet Explorer on fully patched systems and can potentially allow remote attackers to execute arbitrary code on the underlying system. We understand that researchers have confirmed the unavailability of exploits. However, it is quite possible for attackers to use PoC details to develop working exploits which may suddenly surface in the wild. Organisations that have developed custom software with inherent vulnerabilities may be more susceptible to this exploit as a door may exist for attackers to deploy this exploit. Given that a fix has not been provided in the latest patches, all Windows administrators are advised to assess the criticality of the risk and apply patches for this vulnerability as soon as they become available.

Top story

Crypto specialists break SHA-1 security standard

Researchers at the Dutch research institute CWI and Google have broken the SHA-1 internet security standard, which is widely used for digital signatures and file integrity verification, including secure credit card transactions.

According to CWI cryptanalyst Marc Stevens: “Many applications still use SHA-1, although it was officially deprecated by NIST in 2011 after exposed weaknesses since 2005. Our result proves the deprecation by a large part of the industry has been too slow and that migration to safer standards should happen as soon as possible.”

The team says it broke SHA-1 using a collision attack. Google’s Elie Bursztein added: “Finding the collision in practice took a lot of effort, both in building the cryptanalytic attack and in its large scale execution. It required more than 9.2 x 10^18 SHA1 computations that took 6500 years of CPU computation and 100 years of GPU computations. We used the same infrastructure that powers many Google AI projects, including Alpha Go and Google Photo, as well as Google Cloud.”

Stevens said that, to defend against SHA-1 collision attacks, systems must migrate to SHA-2 or SHA-3. In the case of HTTPS, this process began in 2015 and, this year, browsers will mark SHA-1 based certificates as insecure.

Source: http://www.newelectronics.co.uk/electronics-news/sha-1-security-standard-broken/151987/

About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 2,23,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com

In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune.