You would think that with it being the summer holidays and all, that not much would be happening in the world of cyber security. Think again.
This month has seen the Black Hat Security Conference running concurrently with the DefCon Security Conference and proceeded by the smaller, juicier and definitely hairier BSides Security Conference.
Given that all of these events are held in the outer circle of Hell that is Las Vegas, one can only admire the strength and stamina of the fictional security professional who manages to both stick out all of the events and come home with something useful, or in fact be able to remember anything other than the chinking of the fruit machines and the taste of his/her room carpet.
Perhaps fortune favours the young rather than the brave at these shows.
Black Hat had a very interesting keynote speaker, who gave a bit of a mundane, self congratulatory and very ‘high level’ talk, none other than Google’s ‘Security Princess’ (how they get away with that, we don’t know) – Pariza Tabriz.
Ms Tabriz is responsible for many aspects of Google’s security including the Chrome browser and of course Tavis Ormandy’s outfit Project Zero, whom she depicted as kittens playing with/on a Mac in what was either a joke about protecting their images or some passive aggressive management posturing (more likely).
Defending Google’s 90 day disclosure window (90 days being the time between Google finds a flaw and discloses it to a vendor and when they make it public), Tabriz claimed that since its introduction (Project Zero started in 2014), the number of vulnerabilities fixed in 90 days has risen from 25% to 98%, similar figures to solved crimes when torture is sanctioned.
During the talk, Ms Tabriz made a shocking revelation about one of the fundamental keys for success within Google projects; it sets milestones, and when they are achieved has a party! Who would have thought? Along with the free snacks on campus, it would appear that these make up for the 15 days leave a year for three years – yes we know they have excellent maternity/paternity benefits.
Now some of the party activities looked a little bit excruciating, involving audience participation, which as you know is a massive hit with engineers. The sentiment however is a good one.
Joking aside, Tabriz made some excellent points about organisational change and working on root cause rather than reactive patching (using the game whack-a-mole as a neat analogy). You can listen to her wise words in full from about 23:30.
Outside of conference world, it has been a very busy week in the world of Wireless Security, so busy that we are going to have to have a go at summarising the situation as it stands. Deep Breath…
Now we all know that WPA2 has been crackable for some time. You may remember the KRACK attack of 2017?
Well that attack is actually quite hard to perform and not very reliable, however just this week, a new much simpler attack against WPA2 has been revealed and demonstrated by none other than the developer of Hashcat, Jens “Atom” Steube.
This hack utilises the Pairwise Master Key Identifier (PMKID)-based roaming features of the stack and is very easy to execute. You can read the technical announcement, the slightly sanitised version, or a nice overview written by none other than Bill Buchanan OBE who predicts that this is the beginning of the end for WPA2.
In other WiFi doom, a bug has been discovered in the wpa_supplicant in Linux and Android builds, which means that if you are running WPA2 and TKIP, you are vulnerable. The advice is to stop using TKIP, no one should be anyway, but you may have some lying around like a bad smell – best check.
What we need is a champion to come to our rescue! Wait, what’s that coming over the hill? The banner says WPA3, hurrah!
This week saw the release of WPA3 in both personal and enterprise versions. Highly resistant to dictionary and other attacks, WPA3 is the future and as more WPA2 flaws become apparent, making it a very weak link, you should consider moving your home and business wireless to it to protect against intruders.
If you would like some help with your wireless network standards or implementation or could do with a top to bottom cyber review, we have just the team for you. If you would like to invite us to a party we are ready and waiting. Contact us at: [email protected] or call 020 7517 3900.
Enjoy what is left of the Summer.