Chris Mosby at myITforum.com

Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability
Published: 2011-12-30,
Last Updated: 2011-12-30 03:19:11 UTC
by Raul Siles (Version: 1)
Rate this diary:

1 comment(s)

Wi-Fi Protected Setup (WPS) is a Wi-Fi Alliance specification (v1.0 - available since January 2007) designed to ease the process of securely setup Wi-Fi devices and networks. A couple of days ago US-CERT released a new vulnerability note, VU#723755, that allows an attacker to get full access to a Wi-Fi network (such as retrieving your ultra long secret WPA2 passphrase) through a brute force attack on the WPS PIN. The vulnerability was reported by Stefan Viehböck and more details are available on the associated whitepaper. In reality, it acts as a "kind of backdoor" for Wi-Fi access points and routers.

The quick and immediate mitigation is based on disabling WPS. Your holiday gift for the people around you these days is to tell them to disable WPS.

It is important to remark that this vulnerability affects both the WPS design (which typically means higher impact and longer fix times) and the current Wi-Fi vendor implementations. The design is affected as WPS presents serious weaknesses that allow an attacker to determine if half of the PIN is correct (Do you remember Windows LANMAN (LM) authentication? 7+7 != 14). Therefore the brute force process can be split in two parts, significantly reducing the time required to brute force the entire PIN from 100 million (108) to 11,000 (104 + 103) attempts.The vendor implementations (in Wi-Fi access points and routers) are also affected due to the lack of a proper (temporarily) lock out policy after a certain number of failed attempts to guess the PIN, plus some collateral DoS conditions.

The researcher used a Python (Scapy-based) tool that has not been release yet, although other tools that allow to test for the vulnerability have been made public, such as Reaver . The current tests indicate that it would take about 4-10 hours for an attacker to brute force the 8 digit PIN (in reality 7 digit PIN, 4+3+1 digits).

Lots of Wi-Fi devices available in the market implement WPS, a significant number seem to implement the PIN authentication option (the vulnerable mechanism - called PIN External Registrar), as it seems to be a mandatory requirement in the WPS spec to become WPS certified (by the Wi-Fi Alliance), and still a very relevant number seem to have WPS enabled by default. Based on that, and the experience we had on similar Wi-Fi vulnerabilities over the last decade, it might take time to the Wi-Fi industry to fix the design flaw and release a new WPS version, it will take more time to (all) vendors to release a new firmware version that fixes or mitigates the vulnerability, and it will take even extra time to end users and companies to implement a fixed and secure WPS version and/or implementation, or to disable WPS (although this is the quickest option... we know it takes much more time than we would like :( ).

To sum up, millions of devices worldwide might be affected and it will take months (or years - think on WEP) to fix or mitigate this vulnerability... so meanwhile, it is time to start a global security awareness campaign:
Disable WPS!!

This diary extends the Wi-Fi security posture of previous ISC diaries, were we covered the security of common Wi-Fi usage scenarios, and will be complemented by two upcoming Wi-Fi security end-user awareness resources: the SANS OUCH! January 2012 issue and lesson 12 of Intypedia (both will be available on mid January 2012).

----
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong.com

ASP.Net Vulnerability
Published: 2011-12-29,
Last Updated: 2011-12-29 20:59:55 UTC
by Richard Porter (Version: 1)
Rate this diary:

0 comment(s)

We have been tracking this issue. Microsoft has an excellent write up on this. Some of my clients and my own company received alerts directly from Microsoft. If you are a heavy ASP.Net user please look into these issues and take proper steps for work around and patch.





MSFT is listing a WebCast on the OOB Patch [1]

Also a couple of great write ups and release. [2]

[1] https://msevents.microsoft.com/CUI/EventDetail.aspx?culture=en-US&EventID=1032502798

[2] http://technet.microsoft.com/en-us/security/bulletin/ms11-100

Hash collisions vulnerability in web servers
Published: 2011-12-28,
Last Updated: 2011-12-28 16:34:27 UTC
by Daniel Wesemann (Version: 1)
Rate this diary:

0 comment(s)


A new vulnerability advisory by security firm n-runs [1] describes how hash tables in PHP5,Java,ASP.NET and others can be attacked with deliberate collisions in the hash function, leading to a denial of service (DoS) on the web server in question. Microsoft have already responded with an advisory [2] of their own, other vendors are likely to follow.

[1] http://www.nruns.com/_downloads/advisory28122011.pdf
[2] http://technet.microsoft.com/en-us/security/advisory/2659883
Keywords: DoS vulnerability webattacks webserver

GlobalSign releases security incident report.
Tweet
10
Published: 2011-12-14,
Last Updated: 2011-12-14 17:39:34 UTC
by donald smith (Version: 1)
Rate this diary:

3 comment(s)

GlobalSign released a press release today to address concerns that they may have had a compromise of their CA infrastructure.
http://www.globalsign.co.uk/company/press/121411-security-incident-report.html
They did a good job of stating what they did find and what they didn’t. They also address new measures put in place to improve their overall security posture.
“We didn't find any evidence of
* Rogue Certificates issued.
* Customer data exposed.
* Compromised GlobalSign Root Certificate keys and associated Hardware Security Modules (HSM).
* Compromised GlobalSign Certificate Authority (CA) infrastructure.
* Compromised GlobalSign Issuing Authorities and associated HSMs.
* Compromised GlobalSign Registration Authority (RA) services.

What did happen
* Peripheral web server, not part of the Certificate issuance infrastructure, hosting a public facing web property was breached.
* What could have been exposed? Publicly available HTML pages, publicly available PDFs, the SSL Certificate and key issued to www.globalsign.com.
* SSL Certificate and key for www.globalsign.com were deemed compromised and revoked. “

December 2011 Microsoft Black Tuesday Summary

3 comment(s)

Overview of the December 2011 Microsoft patches and their status.

Microsoft Security Bulletin Advance Notification for December 2011

Published: Thursday, December 08, 2011

Version: 1.0

This is an advance notification of security bulletins that Microsoft is intending to release on December 13, 2011.

This bulletin advance notification will be replaced with the December bulletin summary on December 13, 2011. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications.

Microsoft will host a webcast to address customer questions on the security bulletins on December 14, 2011, at 11:00 AM Pacific Time (US & Canada). Register now for the December Security Bulletin Webcast. After this date, this webcast is available on-demand. For more information, see Microsoft Security Bulletin Summaries and Webcasts.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.

Newest Adobe Flash 11.1.102.55 and Previous 0 Day Exploit
Tweet
2
Published: 2011-12-08,
Last Updated: 2011-12-08 21:52:32 UTC
by Adrien de Beaupre (Version: 1)
Rate this diary:

0 comment(s)

A researcher has published some information about two new previously unknown vulnerabilities that appear to be exploitable in Adobe Flash version 11.1.102.55 and previous. Adobe has not yet released an advisory. There is no patch or workaround for the vulnerabilities. As far as I know there have not been any IDS/IPS or anti-virus signatures released yet for the exploit. On the good side this one does not yet appear to have been exploited in the wild. The major operating systems that run Flash all appear to be vulnerable. The vulnerability impacts are full compromise as the user running Flash via remote arbitrary code execution, typically delivered from a malicious web page with a crafted SWF file. Little else is known about the specific nature of the vulnerabilities. CVE CVE-2011-4693 and CVE-2011-4694 have been assigned. This will likely be another major one to keep an eye one in the near future. Particularly as Adobe scrambles to get a patch out and everyone else looks for mitigation strategies.

References:

http://www.securitytracker.com/id/1026392
http://secunia.com/advisories/47161
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4693
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4694

Cheers,
Adrien de Beaupré
intru-shun.ca