Cyber Security News & Trends

This week, SonicWall CEO Bill Conner is interviewed on Federal Tech Talk, the potential of a 5G future is considered, and more details emerge about the Citrix data breach.

SonicWall Spotlight

‘Federal Tech Talk’ Hosts SonicWall CEO Bill Conner to Examine Cybercriminal Strategies that Threaten Federal Agencies – SonicWall Blog

  • SonicWall CEO Bill Conner joins John Gilroy on Federal Tech Talk, a radio show and podcast on the Federal News Network. They discuss emerging cyber threats including attacks over non-standard ports, encrypted threats and malicious PDFs and Office files.

SonicWall Reports Dramatic Rise in Fraudulent PDF Files in Q1 2019 – Tech Observer (India)

  • With SonicWall Capture Labs researchers releasing details on the growth of fraudulent PDFs and Office files, SonicWall’s Debasish Mukherjee talks to Tech Observer about how Real-Time Deep Memory Inspection (RTDMI) can detect new malware almost instantly.

Cyber Security News

Cybersecurity: The Key Lessons of the Triton Malware Cyberattack You Need to Learn – ZDNet

  • The Triton malware attack of 2017 was unsuccessful but still managed to shut down industrial operations at a critical infrastructure firm in the Middle East. ZDNet explores how real-world physical security problems intersected with cyber security problems and allowed a cyberattack to go very far before being caught.

P2P Weakness Exposes Millions of IoT Devices – Krebs on Security

  • Peer-to-peer communications software iLnkP2P includes several critical security flaws that leave millions of webcams, baby monitors and other devices open to cyberattack.

The Terrifying Potential of the 5G Network – The New Yorker

  • While some claim 5G technology will usher in a fourth industrial revolution, there’s a worry that such a huge change could have disastrous effects and policymakers may not be taking the cyber security concerns seriously enough.

“Denial of Service” Attack Caused Grid Cyber Disruption: DOE – E&E News

  • A “cyber event” interrupted power grid operations in the western United States on March 5 of this year. Initially, details on what happened were scarce, but it has now been confirmed that a denial-of-service (DoS) attack occurred against an unnamed energy company.

Putin Signs Law to Isolate Russian Internet – Financial Times

  • Russian president Vladimir Putin signed a law that will allow the Kremlin to disconnect Russia from the global internet. Critics are casting it as an attempt to curb free speech or internal dissent within Russia, but the Kremlin says the law is a cyber security safeguard that would allow the Russian internet to continue running in the event of a hostile cyberattack on its infrastructure.

DC Metro Vulnerable to Cybersecurity Attacks, Says Inspector General – The Hill

  • The Washington D.C. Metro has vowed to hire experts to help with cyber security vulnerabilities present in its current systems.

Hackers Lurked in Citrix Systems for Six Months – ZDNet

  • The FBI has become involved in an ongoing investigation into an “intermittent” but long-lasting data breach at Citrix. It is not yet known what data the hackers accessed, but it is possible that the stolen data includes names, Social Security numbers, and financial information.

Financial Data for Multiple Companies Dumped Online in Failed Extortion Bid – Dark Reading

  • 516 GB of potentially sensitive stolen data was dumped online after German digital infrastructure service provider Citycomp refused to pay up in an attempted cyber-extortion. The data dump has not been verified or fully examined yet, but the would-be extortionists claim it includes “financial and private information on all clients include VAG, Ericsson, Leica, MAN, Toshiba, UniCredit, and British Telecom (BT).”

Docker Hub Breach Hits 190,000 Accounts – SecurityWeek

  • Docker Hub, the world’s largest library and community for container images, suffered a data breach with 5% of users affected. Usernames and hashed passwords were accessible. Docker says the breach has now been sealed and that it is working to ensure it cannot happen again.

In Case You Missed It

Dragonblood Vulnerability: Is your WiFi secure?

It’s Game of Thrones season! And anything to do with dragons reminds me of GoT. The Dragonblood vulnerability recently exposed weaknesses in the security of the WPA3 standard. It was just a year ago that KRACK exposed weaknesses in the WPA2 standard. In response, a stronger successor to WPA2 was announced by the Wi-Fi Alliance: WPA3.

But, was this really a strong successor as it was perceived? Apparently, no.

WPA3 incorporated the Simultaneous Authentication of Equals (SAE) handshake, a huge improvement over WPA2 because it prevents offline dictionary attacks. The family of SAE handshakes is referred to as Dragonfly. This handshake is susceptible to password-partitioning attacks, which resemble dictionary attacks and leverage side-channel leaks to recover network passwords.

According to the researchers Vanhoef and Ronen, who published the paper on this vulnerability, WPA3 is affected by serious design flaws that could have been avoided with feedback from industry experts on secure Wi-Fi. Among these flaws is that WPA3 introduces no new protocols; it only specifies which existing protocols must be supported.

WPA3 background

WPA3 made enhancements over WPA2 using the latest security methods, disallowing outdated legacy protocols and implementing the use of Protected Management Frames (PMF). It was designed with two types of networks in mind: protection for home networks with WPA3-Personal and for enterprise networks with WPA3-Enterprise.

WPA3-Personal provides increased network password protection, while WPA3-Enterprise provides higher security protocols for enterprise networks. In WPA3-Personal networks, the SAE handshake is the replacement for Pre-Shared Key (PSK) in WPA2-Personal networks. WPA3 includes natural password selection, ease of use and forward secrecy.

What is the Dragonfly handshake?

WPA3-Personal mandates support for the SAE handshake, a balanced Password Authenticated Key Exchange (PAKE) in which both endpoints (AP and AP, or AP and client) store the password in clear text. The input to the SAE handshake is the pre-shared secret and the output is a high-entropy Pairwise Master Key (PMK). After SAE completes, a four-way handshake takes place to generate a Pairwise Transient Key (PTK).

6 ways Dragonblood affects your wireless network

  1. Denial of Service (DoS) attack. WPA3’s anti-clogging mechanism, which is supposed to prevent DoS attacks, does not prevent them. Hence, an attacker can bring down access points and cause disruption on your networks.
  2. Downgrade attack. WPA3’s transition mode is susceptible to dictionary attacks. In this mode, a WPA3-capable access point accepts connections from both WPA2 and WPA3 client devices. If an attacker uses a man-in-the-middle attack to modify the beacons of a WPA3-capable access point and fool the client into thinking it is a WPA2 access point, the client detects the anomaly during the four-way WPA2 handshake and aborts. However, enough frames are sent during the handshake for the attacker to pull off a dictionary attack. In addition, the researchers also discovered “implementation-specific downgrade attacks when a client improperly auto-connects to a previously used WPA3-only network.”
  3. SAE group negotiation attack. Client devices can prioritize groups in the SAE handshake according to the 802.11 specifications. With SAE, when a client connects to an access point it includes the desired group in the commit frame, and this process continues until both sides agree. “Unfortunately, there is no mechanism that detects if someone interfered with this process. This makes it trivial to force the client into using a different group: simply forge a commit frame that indicates the AP does not support the currently selected group.” This results in a downgrade attack. The same method can also be used to perform upgrade attacks.
  4. Timing-based side-channel attacks. The SAE handshake is susceptible to timing attacks that leak password information, which can later be used in password-partitioning attacks leading to the recovery of the victim’s password.
  5. Cache-based side-channel attacks. SAE implementations are further susceptible to cache-based leaks in their algorithms, which can likewise be leveraged in password-partitioning attacks leading to the recovery of the victim’s password.
  6. EAP-pwd. This affects the EAP-pwd method of the Extensible Authentication Protocol (EAP), which is supported in the WPA and WPA2 standards. The researchers also “discovered serious bugs in most products that implement EAP-pwd. These allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user’s password.”

How to protect against Dragonblood

The Dragonblood vulnerability can be fixed with software patches. While the Wi-Fi Alliance is communicating guidelines to vendors, ensure that your network is always patched with the latest security updates from wireless device manufacturers. In combination, use strong passwords on your networks.
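As an added illustration that is not from the SonicWall post or the researchers’ paper, the two hostapd.conf fragments below contrast the transition-mode configuration that the downgrade attack (item 2) relies on with a WPA3-only configuration that requires PMF and a single SAE group (items 1 and 3). The interface, SSID and passphrase are placeholders; the option names are existing hostapd parameters, and sae_pwe needs hostapd 2.10 or later, newer than the software discussed in the post.

```ini
# Added example (not SonicWall's or the article's own configuration).
# Interface, SSID and passphrase are placeholders: replace before use.

# --- Weak: WPA3 transition mode -------------------------------------
# Both WPA2-PSK and WPA3-SAE clients are accepted, so the AP still runs a
# WPA2 four-way handshake. Those handshake frames are what the downgrade
# attack captures and feeds into an offline dictionary attack.
interface=wlan0
ssid=EXAMPLE-SSID
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-PLACEHOLDER
# PMF only optional, because WPA2-only clients may not support it
ieee80211w=1

# --- Hardened: WPA3-Personal only -----------------------------------
interface=wlan0
ssid=EXAMPLE-SSID
wpa=2
# SAE only: no WPA2-PSK handshake exists to downgrade to. WPA2-only
# clients will no longer be able to join this SSID.
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=CHANGE-ME-PLACEHOLDER
# Protected Management Frames mandatory, as WPA3 requires
ieee80211w=2
sae_require_mfp=1
# Enable a single SAE group (19 = NIST P-256): with one group allowed on
# the AP, a forged "unsupported group" commit cannot push the exchange
# onto a weaker group
sae_groups=19
# Start anti-clogging tokens after a few pending Commit frames to limit
# the cost of Commit-frame flooding
sae_anti_clogging_threshold=5
# hostapd 2.10+: hash-to-element PWE derivation replaces the
# password-dependent hunting-and-pecking loop measured by the timing and
# cache side channels; use sae_pwe=2 if older SAE clients must still join
sae_pwe=1
```

Reload hostapd after changing the file and confirm on a client that the network now advertises only SAE with PMF required; any device that still needs WPA2 is a candidate for replacement rather than for re-enabling transition mode.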

Does the Dragonblood vulnerability affect SonicWave wireless access points?

No. This vulnerability does not affect SonicWall wireless access points. The SonicWave access points provide superior wireless security and a dedicated third radio for security scanning. Advanced security services like the Capture Advanced Threat Protection (ATP) sandbox and Content Filtering Service (CFS) can be performed by the APs, even when they are untethered from the firewalls. It gives you the ultimate flexibility to manage wireless from the cloud or via the firewalls — without compromising security.