Overview of the KRACK Wi-Fi Attack

The Key Reinstallation Attack (KRACK) Wi-Fi Issue

The paper was presented at ACM CCS 2017.

Much has been written about the research performed by Mathy Vanhoef (with Frank Piessens), who recently published “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2.”  While the paper was completed in mid-May, it was not publicly released until just recently, allowing vendors time to implement fixes.  Fortunately there is a website that tracks which vendors have released fixes for this issue.

How the KRACK attack works, according to Vanhoef’s research:

First of all, this is a proximity attack: the attacker must be within radio range of both the access point and the client, and in practice sets up a channel-based man-in-the-middle (cloning the network on a different channel) so that handshake messages pass through it.  When a client connects to a WPA2 network it runs a four-way handshake with the access point that negotiates a fresh session key (the pairwise transient key).  The client installs that key when it receives message 3 of the handshake and replies with message 4; if the access point does not receive message 4 it retransmits message 3.  A vulnerable client reinstalls the same session key on every retransmission, and in doing so resets the incremental transmit packet number (the nonce fed to the CCMP, GCMP or TKIP cipher) and the receive replay counter to their initial values.  By withholding message 4 and forwarding the retransmitted message 3, the attacker therefore forces nonce reuse: frames the client sends under a reused nonce can be decrypted, frames from the access point can be replayed, and with TKIP or GCMP frames can also be forged.  Worse, the paper reports that on Android 6.0 and later, and on Linux clients running wpa_supplicant 2.4 or later, the retransmission causes an all-zero key to be installed, so the attacker does not even need to collect a nonce collision.  Note that the attack is against the client side of the handshake; access points are affected only through the 802.11r fast-roaming handshake or when they themselves act as a client (e.g. a repeater).
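The following Python model is an added example and is not code from the original post or from Vanhoef’s test scripts. It reduces a Wi-Fi client to the pieces the attack touches: installing the key on message 3, the transmit packet number (the CCMP nonce) and the receive replay counter. The HMAC-based keystream is a stand-in for CCMP’s AES-CTR (the only property that matters is that keystream is a deterministic function of key and nonce), frame formats and MICs are omitted, and the key and frames are constructed test values. The same client is run once vulnerable and once with the fix (a retransmitted message 3 is acknowledged but does not reinstall the key), to show that nonce reuse lets one known plaintext reveal another and that the replay counter reset lets a captured frame be replayed.

```python
import hashlib
import hmac

# Constructed test key: a fixed 16-byte PTK stands in for the real pairwise key.
PTK = bytes(range(16))
# Constructed plaintext frames of equal length, so the XOR recovery below lines up.
FRAME_A = b"GET /index.html HTTP/1.1\r\n"   # assumed known to the attacker (predictable request)
FRAME_B = b"Cookie: session=SECRET42\r\n"   # the frame the attacker wants to read
AP_RESPONSE = b"HTTP/1.1 200 OK\r\n"         # a frame the access point sends to the client


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Stand-in for CCMP's AES-CTR keystream: HMAC-SHA256 over (key, packet number, block).
    Like AES-CTR it is a deterministic function of key and nonce, which is all the
    attack relies on; it is NOT the real cipher."""
    out = b""
    block = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Reduced 4-way-handshake state for a Wi-Fi client: message 3 handling,
    the transmit packet number (the nonce) and the receive replay counter."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.tx_pn = 0        # last packet number used when encrypting
        self.rx_pn = 0        # highest packet number accepted; anything at or below it is a replay
        self.installed = False

    def on_message3(self, ptk: bytes) -> str:
        """Receive message 3 and answer with message 4.
        Flaw: a retransmitted message 3 reinstalls the same PTK and resets both
        counters to zero. Fix: once the key is installed, acknowledge but leave
        key and counters untouched."""
        if self.installed and self.patched:
            return "msg4"
        self.ptk = ptk
        self.tx_pn = 0
        self.rx_pn = 0
        self.installed = True
        return "msg4"

    def send(self, plaintext: bytes):
        self.tx_pn += 1
        return self.tx_pn, xor(plaintext, keystream(self.ptk, self.tx_pn, len(plaintext)))

    def receive(self, pn: int, ciphertext: bytes):
        """Return the plaintext, or None if the frame fails the replay check."""
        if pn <= self.rx_pn:
            return None
        self.rx_pn = pn
        return xor(ciphertext, keystream(self.ptk, pn, len(ciphertext)))


def simulate(patched: bool) -> dict:
    client = Client(patched)
    client.on_message3(PTK)                    # AP sends message 3; client installs PTK, sends message 4
    pn_a, ct_a = client.send(FRAME_A)          # client's first data frame
    ap_pn, ap_ct = 1, xor(AP_RESPONSE, keystream(PTK, 1, len(AP_RESPONSE)))
    first_accepted = client.receive(ap_pn, ap_ct) is not None
    # Attacker (channel-based MitM) withholds message 4 from the AP, so the AP
    # retransmits message 3; the attacker forwards that retransmission to the client.
    client.on_message3(PTK)
    pn_b, ct_b = client.send(FRAME_B)          # second data frame, after the (re)installation
    # Attacker's view: if the nonce repeated, ct_a XOR ct_b == FRAME_A XOR FRAME_B,
    # so knowing FRAME_A reveals FRAME_B without ever learning the key.
    recovered = xor(xor(ct_a, ct_b), FRAME_A)
    # Replay: re-send the AP frame captured earlier and see whether it is accepted.
    replay_accepted = client.receive(ap_pn, ap_ct) is not None
    return {
        "first_accepted": first_accepted,
        "nonce_reused": pn_a == pn_b,
        "recovered": recovered,
        "replay_accepted": replay_accepted,
    }


if __name__ == "__main__":
    for patched in (False, True):
        r = simulate(patched)
        print(f"patched={patched}: nonce reused={r['nonce_reused']}, "
              f"replay accepted={r['replay_accepted']}, recovered={r['recovered']!r}")
```

With `patched=False` the second frame is encrypted under packet number 1 again, the XOR trick yields `FRAME_B` exactly, and the replayed access-point frame passes the replay check; with `patched=True` the packet number advances to 2, the XOR yields noise, and the replay is rejected. The fix mirrors what patched clients do: treat a retransmitted message 3 as an acknowledgement problem, not as a reason to reinstall the key.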

An overview of the KRACK vulnerability is explained in this video:

What you should do:

  • apply patches and updates regularly; vendors are releasing updates for KRACK, so stay up to date
    • if your ISP isn’t releasing firmware updates for your router, consider switching, or moving to customer-owned rather than rented/leased equipment (keep in mind that the attack targets the client side of the handshake, so patching laptops, phones and IoT devices matters most; a router needs the patch mainly if it supports 802.11r fast roaming or runs as a repeater)
    • use cellular data rather than Wi-Fi on your mobile devices until your device is patched
  • use a VPN to encrypt all of your network packets; as this article points out, however, be aware of the VPN service you use
  • use wired connections rather than wireless if that is an option for you
  • if you have Internet of Things (IoT) devices, consider taking them offline until fixes are available
  • use HTTPS Everywhere (an EFF browser extension for Chrome, Firefox, Firefox on Android, and Opera) so that sites are reached over HTTPS wherever they offer it; TLS is applied above the Wi-Fi layer, so an attacker who decrypts WPA2 frames still sees only TLS traffic. The caveat is that this only helps where the site or app actually enforces HTTPS: the researchers’ own demonstration used sslstrip against a site that did not, and KRACK puts the attacker in exactly the position needed to do that

This should serve as yet another reminder of how vulnerable our devices and our data remain. WPA2 was a well-baked standard that was implemented years ago, and the 4-way handshake is over fourteen years old.  Be aware of your surroundings, take care when using Wi-Fi hotspots and practice good cyber hygiene.


Cyber Round Up: Likelihood of North Korean cyber attacks; AI has “real biases”; UK Internet Safety Strategy

  • The Likelihood of North Korean Cyber Attacks (CSIS): Earlier this fall, CSIS published a piece discussing the potential of North Korean cyber attacks.  The piece put North Korea’s cyber capabilities in context with the bigger overall picture of what North Korea might want to do, or should do, in terms of its actions towards the U.S.  The author stated that the nation is the “least capable of our opponents” when it comes to cyber and that any cyber attack is unlikely absent armed conflict. The full article can be read here.
  • Artificial Intelligence—With Very Real Biases (WSJ):  According to a report earlier this week from the Wall Street Journal, Artificial Intelligence may end up making the same errors and having the same biases that humans do. The author first points out that AI will likely be used in much more subtle ways than the way that many people perhaps imagine.  The article points out that the cornerstone of these AI programs is that they are able to “learn.” But this means that they will learn biases and bad habits just as much as they will the good ones.  As AI takes on a bigger role in society, the lack of social and contextual awareness becomes a bigger problem, the author says. The full article can be read here.

  • UK’s New ‘Internet Safety Strategy’ Cracks Down on Online Danger (Lawfare):  Britain’s Conservative party is following through on campaign promises to make the nation “the safest place in the world to be online,” according to a post on Lawfare.  A Green Paper published recently takes strong stances but is lacking in details as to how these goals will be achieved, the author says.  The government plans to force social media companies to take responsibility and is considering reclassifying those companies as publishers as opposed to platforms, according to the post. One major issue for the plan, the author suggests, is whether U.S. companies choose to comply. The full article can be read here.


Haley calls Russian election interference ‘warfare,’ but is it an armed attack?

Yesterday Reuters reported that U.S. Ambassador to the United Nations Nikki Haley called last year’s Russian meddling in the Presidential election “warfare.”  The comments came during a panel discussion alongside two former Secretaries of State, Madeleine Albright and Condoleezza Rice.

Haley explained, “When a country can come interfere in another country’s elections that is warfare. It really is, because you’re making sure that the democracy shifts from what the people want,” she said, reports Reuters. “This is their new weapon of choice and we have to get in front of it.”

Haley’s comments touch on one of the most important questions when it comes to cyber space and cyber war.  In 2011, the then legal adviser of the U.S. State Department Harold Koh clearly stated that International Law applies in cyber space. That much has broad support.  The challenge comes when you try to apply it.

What qualifies as an “armed attack” in cyber space?  There is no clear answer. While Haley didn’t use those exact words, the term “warfare” seems to be very close in nature to “armed attack.”  If the U.S. were to officially adopt this stance, it would have major implications.  Why?  Because nations that are signatories of the UN Charter have agreed to not use military force in international affairs unless authorized by the Security Council or in self-defense after an armed attack.  Thus, activities like Russian interference in an election would open the door to a response from the U.S.

But what type of response? Is it limited to a cyber response? Could it take kinetic action in the traditional military sense?  Again, these are the ambiguities that exist when trying to apply even the most established principles of international law to cyber space.

Many experts restrict an “armed attack” in cyberspace to actions whose effects include immediate death or serious bodily injury. Professor Snyder, the editor of this blog, prefers to define “armed attack” as something that “tears at the fabric of society.” Perhaps the interference in last year’s election didn’t quite rise to this level. But it’s certainly plausible to see scenarios where, had the Russian attempts been more successful, the United States would have been in chaos.  The election results sparked significant divisiveness as it is.  Imagine if the results were contested and we truly didn’t know the result of an election.

In context, Haley’s comments do not amount to an official position and aren’t changing the cyber landscape quite yet. But this type of thinking from our nation’s leaders could alter the way cyber activities occur between international actors.


Cyber Round Up: Surveillance Reform; DHS to mandate basic security protocols; Proposed Hack Back Bill

  • Surveillance “Reform”: The Fourth Amendment’s Long, Slow Goodbye (Just Security): A post on Just Security earlier this week addressed both the history of surveillance in the U.S. since 9/11 and the future of it with the looming sunset of Section 702. The post explains how, in the wake of the terrorist attacks, those in charge were able to implement such expansive surveillance programs.  The author does not hide his opinions on the issue, frequently referring to the “abuses” that have occurred over the last 16 years. He then hypothesizes that substantive change is unlikely and any reform will be in name only. The full piece can be read here.
  • DHS will demand that feds implement basic email security (Yahoo Finance UK): A number of different outlets posted articles covering this development on Monday, but I thought this headline captured the development most accurately. According to the article, DHS will issue a mandate soon that requires agencies to implement two “new” security measures. According to the article, “DMARC helps detect and block spoofed emails to prevent impersonation of government officials. STARTTLS prevents emails from being intercepted en route to the recipient.” The article emphasizes that both of these are over 10 years old and have been widely used by major email providers such as Google and Microsoft.  The piece shows just how far behind the government can be when it comes to technology and security. The full piece can be read here.
  • New bill would allow hacking victims to ‘hack back’ (The Hill):  We first tweeted this story on Monday when it broke with the disclaimer that we normally don’t cover proposed bills. There are simply too many and most never make it very far. The article does a good job framing the issue and explaining the initial reaction from the bill’s proponents as well as those who aren’t quite sold.  According to the article, the bill seems intended to provide a narrow set of measures for people to protect their own information, but critics worry that it opens up the door to a whole new set of issues. The full article can be read here.


Lawfare explains the Microsoft Ireland case after SCOTUS grants cert

Yesterday, the Supreme Court granted the DOJ’s petition for writ of certiorari in its case against Microsoft. A post on Lawfare provides a good explanation of the case’s history and the issues at stake. That post is included below or can be found here.

A Primer on Microsoft Ireland, the Supreme Court’s Extraterritorial Warrant Case - Lawfare


Cyber Round Up: Commentary on Chinese Cyberthreat; The Real Threat from Kaspersky; Commentary on Public Opinion of AI

  • How the Chinese cyberthreat has evolved [commentary] (Fifth Domain):  Commentary written last week for the Fifth Domain explains that while the most damaging cyber attacks against the U.S. come from other nations, the Chinese cyber threat has evolved recently and should be addressed. It explains how Chinese hackers unified in defense of their country but were actually denounced by the Chinese government.  Among other things, the piece also explains Chinese efforts to increase censorship within its own borders and its 2015 agreement with the U.S. It identifies cyber espionage as China’s strongest capability. The full article can be read here.
  • The Real Threat from Kaspersky Security Software (Lawfare): A blog written for Lawfare last week took a different approach to analyzing the recent revelations about Kaspersky software.  The author acknowledges that the compromised information could have been “severe,” but that it was also “transient.”  The author focuses on two major concerns. First, he asks what the nature of the search algorithm is. What exactly is it meant to look for?  Second, what is the scope of potential damage from non-U.S. government computers throughout the rest of the world?  The author argues that the mining from potentially 400 million computers worldwide is a much greater threat than one individual government computer. The full piece can be read here.
  • Fear, Democracy, and the Future of Artificial Intelligence (CSIS): A few weeks ago, Pew Research conducted a poll about how Americans feel about automation, with the general trend being that most Americans fear its effects. Commentary written in response to the poll first criticizes how the issue was framed. It then went on to address the larger issue with public opinion of AI.  If the U.S. doesn’t develop the technology, according to the article, then other nations will and the U.S. will fall far behind.  The author emphasizes the need to educate the public about the benefits of AI so that Americans will be able to make informed decisions. The full article can be read here.


https://www.csis.org/analysis/fear-democracy-and-future-artificial-intelligence-

https://www.lawfareblog.com/real-threat-kaspersky-security-software


Video: Richard Clarke and Gen. Michael Hayden on Information Warfare, Equifax, Cyber Insurance

An article yesterday posted on CSO provided commentary on a series of cyber events. The piece was written in response to a panel discussion in which former White House Cybersecurity Advisor Richard Clarke and former Director of the CIA and NSA General Michael Hayden discussed cyber security and information warfare. Their discussion strayed and ultimately ended up touching on the Equifax breach. The full 30 minute panel discussion, which was hosted by the Washington Post, can be found here.

The piece written for CSO provided a simple but effective bullet point summary of the Equifax breach for anyone who hasn’t followed closely. It then focused on one of Clarke’s comments from the summit in which he stated, “…companies like Equifax will continue to screw up until there is a penalty for doing so…”

Of course, both the panel and the author of the article talked about what a data breach law should look like at the federal level.  The current California state law was proposed as the bare minimum.  The author then highlights how the cyber insurance market will have to develop if proposals like the ones made by Clarke and Hayden are to become anything more than “academic discussions.”

Both the panel discussion itself and the CSO article are worth a listen/read.


Cyber Round Up: A Turning Point for Attribution; Cyber Attribution Isn’t ‘So Important’; NSA hack

  • Georgia Tech Cyber Security Summit Declares 2017 a Turning Point for Attribution (Georgia Tech): Georgia Tech hosted its 15th Annual Cyber Security Summit last week, and some prominent guests made headlines during their talks.  A summary posted on Georgia Tech’s website highlights the conference’s notable discussions. Stewart Baker, a former assistant secretary for policy at DHS and now a partner at Steptoe & Johnson who focuses on cyber, said that attribution has improved significantly.  Baker explained how this has developed and then others considered its implications. One major theme was that there is a lack of deterrence when it comes to cyber space. The full article describing the Summit’s panel can be found here.
  • Cyber attribution isn’t so important, even for nation states (ZDNet):  An article today says that Australia, and probably the other Five Eyes nations, are capable of pinpointing who is responsible for cyber attacks.  The article discusses some of Australia’s recent developments in cyber capability and policy. One Australian official, according to the article, says that instead of worrying about attribution, nation states could operate better through a normative framework.  Specifically, nation states should take responsibility for what happens in their own back yards, the article suggests.  The full article can be read here.
  • Report: Hackers Stole NSA Cybertools In Another Breach Via Another Contractor (NPR): The headline of the article says it all. Another hack from Russia, another loss of sensitive information, and it came from a government contractor again.  An article from NPR explains the perfect storm of events that led to the hack, including an NSA contractor taking home software from work to run on his home computer, where he also had software from Russian-based Kaspersky Labs. The article notes that the NSA’s layered defenses mean this hack alone won’t be devastating, but it highlights the bigger issues with the government’s security. The full article can be read here.


Adding Insult to Injury: IRS awards Equifax $7M Contract

Numerous news outlets have covered the recent sole-source contract that the IRS awarded Equifax in order to … wait for it … “verify taxpayer identity” in an effort to combat fraud, according to ARSTechnica.  Lest you jump to any nefarious conclusions, please understand that this contract was awarded after this very same company received widespread news coverage regarding a recent hack (or two) that exposed the personal data, including Social Security numbers, of over 143M people.

Yet another example of our government at its finest.  The IRS suffered a data breach a couple of years ago (which barely counts, since only 100K records were exposed); Equifax is breached multiple times and nearly half of all US citizens are impacted; and the IRS moves forward with a sole-source contract so that Equifax, which can’t secure its own data, can begin to help the IRS verify and protect its data.  It seems to defy logic, until you realize the government is involved and suddenly it all makes sense.

However, it seems that even US Senators are exasperated by this gaffe, with Sen. Ben Sasse (R-NEB) asking the (former) Equifax CEO “Why in the world should you get a no-bid contract right now?”, according to the Chicago Tribune.  When government action defies political logic and can’t be easily explained away you know something strange is afoot.

If there was ever any doubt that cybersecurity was and continues to be an issue, one need not look very far. In the digital age it seems we are caught in a nightmarish game of the blind leading the blind.  The IRS contract states that Equifax is the only company capable of providing these services, according to Politico.  However, if this is in fact true, then we are all doomed.


Cyber Round Up: 2013 Yahoo Breach Impact Expanded, Social Security Numbers In Need of Replacing; Judge Concerned with Companies Sharing Consumer Data

  • Every single Yahoo account was hacked – 3 billion in all (CNNMoney): If you have an account at Yahoo in any capacity (that includes email, Tumblr, Flickr, etc.), the August 2013 breach affected you, according to this article. Yahoo originally reported 1 billion accounts were breached in the hack. But yesterday, Verizon revealed it hired “outside forensic experts,” who found the breach actually impacted 3 times the number originally thought. This comes four months after Verizon acquired Yahoo’s internet assets for nearly $4.5 billion. Experts report it is not uncommon for a breach to impact more people than originally estimated. The company has not yet revealed who it hired as the outside forensic experts. Read more about the expanded breach here.
  • White House: Social Security numbers are ‘flawed system,’ need modern tech replacement (TechRepublic): Social Security numbers may be a dying identification system, according to this article. Rob Joyce, the White House cybersecurity coordinator, reportedly said Social Security numbers are “outdated” and are no longer useful. Joyce discussed one of the biggest flaws, explaining how the numbers cannot be changed even after they are compromised. Joyce suggested modern cryptographic identifiers, blockchain ledger technology, and biometrics as potential modern alternatives to the current system, which started in 1936. Read about the suggested alternatives and the current criticism of them here.
  • 9th Circ. Judge ‘Creeped Out’ By ESPN, Adobe Data Swap (Law360): ESPN’s sharing of viewer data is making a 9th Circuit Judge uncomfortable, according to a recent article. U.S. Circuit Judge Morgan Christen reportedly said she was “creeped out.” The judge’s comments arise from a case alleging ESPN wrongfully disclosed the personal information of app users to Adobe. In the class action case, Judge Christen expressed privacy concerns over companies sharing data for the purposes of targeting consumers with specific advertisements. She pointed specifically to the Video Privacy Protection Act Congress passed, asking, “Isn’t that exactly what [Congress] was talking about?” ESPN’s counsel responded, saying the statute focused on only one piece of personal identifying information. Read more about the current case, Chad Eichenberger v. ESPN Inc., here.



Authors

Professor William Snyder

Professor William C. Snyder is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Ryan D. White

Ryan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic. Full biography

Shelby E. Mann

Shelby is a second year law student at the Syracuse University College of Law. During her final year at the University of Missouri, she served as a full-time news producer for ABC 17 News. Shelby spent her first summer of law school at the Shelby County District Attorney General's Office in Memphis, Tenn., in the Public Corruption and Economic Crimes Unit. She is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and the senior editor for the Syrian Accountability Project. Full biography

Christopher W. Folk

Christopher is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received a M.S. in Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law. Full biography

Anna Maria Castillo

Anna is a 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor in the Syracuse Law Review. Full biography

Jennifer A. Camillo

Jennifer is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

Tara holds Juris Doctor and Master of Public Administration degrees from Syracuse University's College of Law and its Maxwell School of Citizenship and Public Affairs. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

Benjamin is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.) Full biography
