PwC Weekly Security Report Edition 77

This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.

In this edition:

Threats and vulnerabilities: KRACK attacks defeat Wi-Fi security on most devices
Threats and vulnerabilities: This bug let a researcher bypass GoDaddy’s site security tool
Malware: Hyatt Hotels hit by credit card data-stealing malware – again
Top stories: Microsoft Edge is the best browser for blocking phishing websites
Top stories: Hacking a power grid in three (not-so-easy) steps


Threats and vulnerabilities

KRACK attacks defeat Wi-Fi security on most devices

Conventional wisdom has long held that locking down your router with WPA2 encryption protocol would protect your data from snooping. That was true for a long time, but maybe not for much longer. A massive security disclosure details vulnerabilities in WPA2 that could let an attacker intercept all your precious data, and virtually every device with Wi-Fi is affected.

The vulnerability has been dubbed a Key Reinstallation Attack (KRACK) by discoverers Mathy Vanhoef and Frank Piessens of KU Leuven. It’s not specific to any specific piece of hardware or device; it’s a flaw in the WPA2 standard itself.

KRACK bears some resemblance to standard “man in the middle” attacks by impersonating an existing network. To exploit a network, attackers first clone the MAC address of the network and set up a duplicate of it on a different wireless channel. Devices connecting to the original can be forced onto the fake network. That would usually be impossible because of the non-matching AES encryption keys in WPA2, but KRACK leverages a flaw in the four-way handshake that confirms the match.

Normally, WPA2 keys require a unique encryption key for each network frame. The KRACK vulnerabilities allow the rogue network to reuse old keys and reset the counter to make them valid again. At that point, it becomes trivially easy to decrypt traffic coming from a device.

There are multiple variants of this attack. The most severe version affects all current Linux distros and all Android devices running 6.0 or higher. Apple’s macOS is vulnerable to almost as many variants, but Windows is only affected by one version of KRACK. The iOS platform doesn’t have the most severe vulnerability, but several others do work. According to the researchers, every operating system and piece of networking hardware is susceptible to at least one flavor of KRACK.

So, what can you do about this? Not a whole lot right now. The issue exists on virtually all devices, and it’s up to vendors to release patches.

Some router makers have started deploying fixes for enterprise-grade hardware. Microsoft has released a patch for its limited vulnerabilities, too. A few Linux distros have patches live, but it’ll take time for everyone to catch up.

Android devices are trickier. Google says it will have patches complete for existing devices in the coming weeks, but it’s up to individual OEMs to roll them out. Since it’s mostly newer phones that are affected, it shouldn’t be too much of a hassle. Any device with the November 2017 patch level or later will be protected.

Source: https://www.extremetech.com/internet/257518-krack-attacks-defeat-wifi-security-devices

Our perspective

The WPA2 security protocol protecting most Wi-Fi devices can be bypassed, potentially allowing any attacker to intercept every password, credit card number or critical data over the airwaves, if an attacker is part of the network. The problem lies in the very basic structure of the protocol, as a result of which changing the password of the Wi-Fi router would not be of much help. The threat of attack becomes more severe when client systems access and share data over the same network.

Microsoft and Apple confirmed that they have patched their systems against these attacks. It is therefore advisable for administrators of Wi-Fi routers to upgrade firmware to the latest available from the OEM after assessing the risk of the changes made to the systems.


Threats and vulnerabilities

This bug let a researcher bypass GoDaddy’s site security tool

A widely used security tool owned by web hosting provider GoDaddy, designed to prevent websites from being hacked, was easily bypassed, putting websites at risk of data theft.

The company's website application firewall (WAF), provided by Sucuri and acquired by GoDaddy earlier this year, protects websites against a range of attacks by adding an extra layer of security to a website to protect against cross-site scripting and SQL injection techniques.

But a security researcher told ZDNet that the firewall would let through some commands, allowing him to gain access to vulnerable databases behind the scenes. That, he said, put sites at risk of data theft.

Touseef Gul was able to bypass the firewall with a relatively simple SQL injection string, which he showed to ZDNet but we're not publishing. SQL injection attacks can be launched from the web browser's address bar. If the attack is successful it will display a list of database tables on the website itself. Where he was expecting to receive an "access denied" message, the firewall let the command through and returned a list of tables from the target website's database. He was also able to obtain the database's admin account and MD5 hashed password, which nowadays is easily crackable.

What surprised the researcher, he said, was how easy the firewall was to bypass.

He gave an example of part of the code he used. He said that while the firewall would block a common command used in SQL injections, such as "UNION SELECT," a modified, encoded version of the same command -- such as "UNION SELE%63T" (where %63 is an encoded "C") -- was not blocked by the filter.

For its part, GoDaddy said it patched the bug within a day of the security researcher's private disclosure to the company.

"In reviewing this situation, it appears someone was able to find a vulnerable website and manipulate their requests to temporarily bypass our WAF," said Daniel Cid, GoDaddy's vice-president of engineering.

"Within less than a day, our systems were able to pick up this attempt and put a stop to it," he said.

Cid said the company is "not aware of other customers" impacted by the bypass, but wouldn't say how many websites were at risk of the bypass technique.

Lesley Carhart, a digital forensics and incident response specialist, explained that web application firewalls mimic the behavior of antivirus products rather than a traditional firewall.

"In a lot of ways web attacks are way harder to firewall than traffic in and out of a network," said Carhart. "You can deny almost everything at a network firewall or host firewall."

"Web traffic filtering relies more on blacklisting bad stuff using signatures than whitelisting slews of unneeded ports and protocols like traditional firewalls," she added.

Web application firewalls block attacks on sites running web applications that are already vulnerable to attacks, like out-of-date content management systems, like WordPress or Joomla, she explained.

"In principle, it's a great move to add another layer of defense to sites, but it should never be mistaken for or implied to be a replacement for secure coding," she said.

Source: http://www.zdnet.com/article/security-bug-let-hacker-bypass-godaddy-site-firewall-tool/


Malware

Hyatt Hotels hit by credit card data-stealing malware – again

Hackers have infected Hyatt Hotels' payment card systems with malware and have potentially stolen visitor names and credit card details for the second time in as many years.

In a statement Hyatt Hotels Corporation president of operations Chuck Floyd said the company has "discovered signs of and then resolved unauthorized access to payment card information" from cards entered manually or swiped at the front desk of some Hyatt hotels between March 18, 2017 and July 2, 2017.

In total, 41 hotels are affected, almost half of which are in China. Irregular activity has also been detected in Hyatt hotels in Brazil, Colombia, Guam, India, Indonesia, Japan, Mexico, Puerto Rico, South Korea and Hawaii in the United States.

Upon discovering the unauthorized access, Hyatt launched an investigation alongside "third-party experts", payment card networks and the authorities. The investigation found that the data breach can be traced back to "an insertion of malicious software code from a third party onto certain hotel IT systems."

The company hasn't provided figures on the number of guests who have fallen victim to the credit card data thieves, only that it's a "small" number of them, but Hyatt says it has contacted all the guests who used the payment card systems at the infected hotels during the at-risk dates.

"This incident is something we take seriously, and we are sorry for the inconvenience and concern this may cause our guests," said Floyd.

The company says it has implemented additional security measures to strengthen the security of its systems and that "Customers can confidently use payment cards at Hyatt hotels worldwide".

It's the second time the hotel group has been hit with malware recently: last year, the hotel group revealed that almost half its properties had fallen victim to payment data stealing malware.

ZDNet contacted Hyatt Hotels for additional comment, but had not received a response as of the time of publication.

Source: http://www.zdnet.com/article/hyatt-hotels-hit-by-credit-card-data-stealing-malware-again/
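
Added example for the GoDaddy WAF item above (not code from PwC, ZDNet, GoDaddy or Sucuri): a signature check misses "UNION SELE%63T" when it inspects the request as received, and catches it once the input is percent-decoded to a stable form before matching. The regex, function names and sample query strings are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed signature standing in for the WAF rule the article describes.
SIGNATURE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)
MAX_DECODE_ROUNDS = 5  # assumption: upper bound on nested percent-encoding


def raw_match(query: str) -> bool:
    """Signature check on the text as received (the behaviour that was bypassed)."""
    return bool(SIGNATURE.search(query))


def canonicalize(query: str) -> str:
    """Percent-decode until the value stops changing, then collapse whitespace."""
    value = query
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            return re.sub(r"\s+", " ", value).strip()
        value = decoded
    # Never stabilised within the bound: fail closed instead of guessing.
    raise ValueError("too many layers of percent-encoding")


def canonical_match(query: str) -> bool:
    """Signature check on the form the application will actually see."""
    try:
        return bool(SIGNATURE.search(canonicalize(query)))
    except ValueError:
        return True  # block requests that cannot be normalised


# Constructed query strings; the second uses the encoding quoted in the article.
SAMPLES = [
    "id=1 UNION SELECT",                 # plain keyword: both checks match
    "id=1 UNION SELE%63T",               # %63 decodes to "c": only canonical matches
    "q=student+union+election+results",  # benign text: neither check matches
    "id=" + "%" + "25" * 6 + "20",       # deeply nested encoding: fails closed
]


def verdicts():
    """Return (raw_match, canonical_match) for each constructed sample."""
    return [(raw_match(s), canonical_match(s)) for s in SAMPLES]


if __name__ == "__main__":
    for sample, (raw, canon) in zip(SAMPLES, verdicts()):
        print(f"{sample!r:40} raw={raw} canonical={canon}")
```

Normalising before matching closes this one encoding gap; as the Carhart quote in the article says, the filter remains a signature blacklist and does not replace parameterised queries in the application.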
