About Lisa Wallace

Lisa Wallace joined MSI in 2015 as a security focal and project manager, and became Technical Director in 2017. She is involved in internal and external penetration testing, application assessments, digital forensics, threat intelligence, incident response, and eDiscovery efforts. She is responsible for scoping our efforts across all workstreams, as well as project and staff coordination and management. She has worked in a variety of fields, including utilities, financial services, telecommunications, and consulting in a number of ancillary industries.

We’re all on….Krack?

Yesterday, the media exploded with news of the new Krack attack against WPA2. What’s Krack? While it sounds like a new designer drug, it’s short for Key Reinstallation Attacks.

What’s that mean in English? Due to a flaw in the WPA2 protocol, a determined attacker can target and break the 4-way handshake and compromise the unique session keys. They can force reuse of a key, and intercept (as well as potentially modify) traffic that is not protected by another layer of encryption. The full whitepaper is here.

The good news, such as it is:

  • This is not a remote attack – the attacker needs to be in range of the affected WiFi connection.
  • At this point, there is no evidence of these attacks in the wild. Caveat, at this point.

There have been a couple of reports suggesting that WPA2 should be disabled in favor of WPA or (ack) WEP. These are not better options, as a general rule. WEP in particular is vulnerable far beyond the WPA2 protocol issues.

What can we do, and what should our user base do?

  • As soon as there’s a patch available, take advantage of it.
  • Watch your vendors – who is patching quickly, and who is not? If your vendor is months behind the curve, why? It may be time to look at other options.
  • Wired connections are immune. This should go without saying – this includes tethering directly to mobile devices, not tethering via WiFi.
  • You’re already horribly suspicious of free public WiFi, right? Double that paranoia.
  • If you must use a public WiFi, do not do so without using a VPN or other traffic encryption mechanism. Split tunnel VPN is not your friend here – configure a full tunnel VPN connection.
  • Bring your physical security staff into the conversation. They will be integral in observation of potential attackers in the sphere of your physical presence. (Have you checked how far your WiFi signal is traveling lately? Consider checking…)

CERT has a complete list of vendors and their known status here.

Questions, comments, things I haven’t thought about? Reach out, I’d love to hear from you. Twitter @TheTokenFemale at any time.

Time Warner – 320,000 passwords compromised

Knock knock! Who’s there? The FBI….

This is never the way you’d like your day to play out. Last week, Time Warner was notified by the FBI that a cache of stolen credentials that appear to belong to Time Warner customers had been discovered.

At this point, the origination of the usernames and passwords is a bit of a mystery. Time Warner states: 

“We have not yet determined how the information was obtained, but there are no indications that TWC’s systems were breached.

The emails and passwords were likely previously stolen either through malware downloaded during phishing attacks or indirectly through data breaches of other companies that stored TWC customer information, including email addresses.

For those customers whose account information was stolen, we are contacting them individually to make them aware and to help them reset their passwords.”

Time Warner customers who have not yet been contacted should still consider changing their passwords – there is no indication at this point if this is new or previously compromised password data, and a new password is never a bad idea.

Please share with anyone who is using Time Warner systems – friends, co-workers, weird relatives and neighbors as well. Remember that any password that is used twice isn’t a safe password – unique passwords are always the best practice. Password managers (LastPass, KeePass, etc.) are often a good idea to help maintain unique, difficult to decipher passwords.