Wireless

Wireless: Get Ready to Kiss WPA Goodbye

The word is out in InfoSec circles that a practical attack method against WPA - enabled wireless access points has been announced and is to be presented at PacSec in Tokyo this week.

It used to be that only a dictionary attack against WPA-encrypted packets using a weak pre-shared key (PSK) was available; if you had a PSK of more than 8 characters, you could be reasonably assured that you were secure. Now, Erik Tews will be presenting his attack method, which uses a combination of protocol weaknesses and cryptographic weaknesses to compromise TKIP encryption. The attack lets the attacker inject seven packets into the network, per decrypt window.

There’s far reaching ramifications to this attack, but in short terms, this presentation means the days of WPA are numbered. Some of the attack code is known to be already available.

The attack focuses on TKIP encryption, and you may think that with AES enabled, you are safe. Not, however, if your router defaults back to TKIP to enable older clients to connect. Not all routers allow you to disable this feature, either. On some equipment AES is called WPA2 and TKIP is WPA. The WPA spec leaves support of CCMP(AES) optional while the WPA2 spec mandates both TKIP and AES capability.

What to do today (and believe me, I’m checking my home router, and will be auditing routers to this effect in the future; best believe that PCI will update their requirements quickly, as well)? Check your APs (access points) as follows:

Use only AES
Disable Negotiations to TKIP from CCMP(AES).
If you must use TKIP, rekey every 120 seconds.

Interestingly, the amount of time he is estimating is 15 minutes to crack WPA.

What to do going forward? Plan on upgrading your wireless access points sooner rather than later. It won’t be long before some joker is using this attack to break into businesses.

ATMs with Bugs - At the Grocery Store

From the Wall Street Journal comes the disturbing news that a high-tech wireless “bug” has been found in hundreds of grocery store ATMs in five different European countries. According to WSJ:

Examining the store’s credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was small card containing wireless communication technology.

The bug reads an individual’s card number and the corresponding personal identification number, then packages and stores the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next.

The easiest way police have been finding these things is to weigh the ATM, although the bug (a card, actually, and I think has to be plugged into the motherboard) only weighs about 4 ounces. How many more will they find? Now that ATM fraudsters can go “upscale” to a wireless bug instead of a clumsy card skimmer, theft becomes even easier. These bugs are big enough to be programmable, so that they could only collect information from Platinum level cards, for instance, instead of my Uncle Bert’s VISA card.

Although the article does not address debit cards, I would have to wonder what the impact was on those? Did they escape due to the lack of PIN capture? Possibly.

The first solution I would think of would be to lock down the phone line so that it ONLY can dial home (and not to Lahore to deliver its’ payload). Not only that, log and report any attempts to dial elsewhere.

This is a VERY sophisticated attack, and appears to be widespread. Early estimates indicate a theft between 50 to 100 million dollars.

Just who has had access to the inside of those machines, that were built in China? How are they secured? The report mentions that the bug is “attached behind to the motherboard.” Somebody has some inside knowledge of this equipment and has used that knowledge to quite an effect.

Thieves keep getting smarter.

Kill Your WEP Now

The announcement on Tuesday that indicted 11 people for “the largest data breach in history” was an interesting read:

The indictment returned Tuesday by a federal grand jury in Boston alleges that the suspects hacked into the wireless computer networks of retailers including TJX Cos., BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW and set up programs that captured card numbers, passwords and account information.

What was the common technical denominator of the attacks? Wireless networks. Think wireless cash registers, connecting to local servers, and from there transmitting the information to corporate databases.

TJX had no firewall between their insecure wireless network and their corporate network. They were using WEP, a wireless protocol that can be cracked with trivial (10 minutes) effort.
BJ’s failed to encrypt customer data when transmitted or stored on BJ’s computers, kept that data in files accessible using default passwords, and ran insecure, insufficiently monitored wireless networks. (There was an unsecured access point at a store).

Although the Attorney General said that “They used sophisticated computer hacking techniques that would allow them to breach security systems,” later on the Feds commented that
“The alleged thieves weren’t computer geniuses, just opportunists who used a technique called “wardriving,” which involved cruising through different areas with a laptop and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called “sniffer programs” that captured credit and debit card numbers as they moved through a retailer’s processing networks.”

So they drive around, found the signal they could crack, installed sniffers and probably got all the way into corporate networks. You have to know that sniffing would not capture millions of numbers - I’m still betting they got into corporate databases. All it takes is one open wireless access point if you don’t have them secured from your network.

Sadly, of the 11 people indicted, only three are in custody in the United States.

There’s a BIG Difference Between Hannaford and TJMaxx

One of my readers has commented about how badly Hannaford and TJMaxx have been treated by the media and Internet commentary because of their data breaches.

From my perspective, concerning the data breaches, I can only speak as an auditor and an engineer, not having been inside either company’s network, but, like you, I can read the news and read between the lines.

And I think that Hannaford was doing a good job and TJMaxx was not. Why?

TJMaxx was not PCI compliant, and Hannaford was. Big deal, you say, we all know about compliance! It’s the “Gentleman’s C.” Absolutely. But Hannaford cared enough to make the effort, at least, and get in line with some basic good security practices.

They were NOT storing Social Security numbers, names addresses and PIN numbers. They were doing it right.

TJMaxx, on the other hand (and a bigger company, at that) was using WEP at all their stores, and wasn’t even baseline with their information storage practices. Didn’t even try to put compensating controls in place (like a firewall between the stores and the corporate network). Have they even done anything different? Nothing in the news about that.

Hannaford was out there replacing hardware in a hurry to get rid of the malware. When was the last time a company replaced hardware in all their stores? Not cheap, and an enormous effort. Maybe it was driven by reputation risk, but that’s 150% more than we know about TJMaxx’s efforts.

Hannaford was the victim of a sophisticated attack, probably (??????) from Russia, and possibly with inside help. (More on the Russians, later.) Could they have caught it? We’ll know more, I hope, and soon.

TJMaxx let a script kiddie and his pals in, because they didn’t want to upgrade their registers and hardware until they absolutely had to. The money that went to banks and fines and external auditors for the next 20 years could have covered it. Easily. They took a risk, and had a “plan” for compliance. Their acquiring bank let them do that because it was better than no plan at all.

They’ve paid the fines and settled the suits, but they’ll be an object lesson for a long time to come.