Weekly podcast: WPA2 Krack attack, Iranian brute force, pizza and Microsoft

This week, we discuss the WPA2 protocol’s susceptibility to attack, claims that Iran subjected the UK’s parliamentary email system to a brute-force attack, breaches at pizza vendors, and an alleged security slip-up at Microsoft that exposed a database of unfixed vulnerabilities.

Hello and welcome to the IT Governance podcast for Friday, 20 October 2017. Here are this week’s stories.

The WPA2 protocol, which is used to secure most wireless networks, has been found to be vulnerable to an attack that could allow eavesdroppers to access secure Internet connections.

The attack works by manipulating and replaying handshake messages to trick victims into reinstalling keys that are already in use, and is “exceptionally devastating against Linux and Android 6.0 or higher”.

Mathy Vanhoef of the University of Leuven, who discovered the flaw, explained that “attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on”.

He continued: “The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations”, so “if your device supports Wi-Fi, it is most likely affected”.

Before you panic, however, it’s worth noting that the key reinstallation attack, or Krack as it has been nicknamed (after all, major vulnerabilities have to have nicknames nowadays) only works when attackers are within range of the victim, and, according to The Register, even if communications are intercepted, they could very well be safely encrypted by a cryptographic protocol at the transport or application layer, such as HTTPS, TLS, SSH or PGP, or via a VPN.

Moreover, Vanhoef is a responsible researcher who alerted vendors before publicly disclosing the vulnerability. Many of them have now released patches. You’re advised to update as soon as possible – assuming you haven’t already. For further information, consult US-CERT’s information about affected products.
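As an added illustration of why reinstalling an in-use key matters (this is not code from the podcast or from Vanhoef's research), the following Python models a transmitter whose per-key packet number doubles as the encryption nonce. Installing a key resets that counter to zero, so a reinstallation makes the station encrypt a new packet with a keystream it has already used, and anyone holding one known packet can recover the other by XOR. The cipher here is a constructed toy counter-mode stream cipher built from HMAC-SHA256, not WPA2's CCMP; the plaintexts are made up; and `Station`, `install_key`, `recover_second_plaintext` and `run_demo` are names chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Tuple


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy counter-mode keystream: blocks of HMAC-SHA256(key, nonce || block counter).

    Constructed for this illustration only. It is not WPA2's CCMP/GCMP and is not
    suitable for real use, but it shares the property that matters here: the
    keystream is a deterministic function of (key, nonce).
    """
    out = b""
    counter = 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Wi-Fi transmitter model: a key plus a per-key packet number used as the nonce.

    Installing a key (re)sets the packet number to zero. A key reinstallation, which
    the replayed handshake message triggers, therefore makes the station reuse nonces.
    """

    def __init__(self) -> None:
        self.key = b""
        self.packet_number = 0

    def install_key(self, key: bytes) -> None:
        self.key = key
        self.packet_number = 0  # the reset that a replayed handshake message causes

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        nonce = self.packet_number
        self.packet_number += 1
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))


def recover_second_plaintext(ct_a: bytes, ct_b: bytes, known_pt_a: bytes) -> bytes:
    """If ct_a and ct_b were produced under the same key and nonce, then
    ct_a XOR ct_b == pt_a XOR pt_b, so a known pt_a yields pt_b directly."""
    return xor(xor(ct_a, ct_b), known_pt_a)


# Constructed plaintexts, padded to equal length so the XOR relation covers every byte.
PT_KNOWN = b"GET /index.html HTTP/1.1".ljust(32)
PT_SECRET = b"card=4111111111111111 cvv=123".ljust(32)


def run_demo() -> dict:
    """Encrypt PT_KNOWN and PT_SECRET before and after a key reinstallation and
    report whether the keystream-reuse recovery works in each case."""
    key = os.urandom(32)
    sta = Station()
    sta.install_key(key)

    n1, ct_known = sta.encrypt(PT_KNOWN)           # nonce 0
    n2, ct_secret_fresh = sta.encrypt(PT_SECRET)   # nonce 1: distinct, as intended

    sta.install_key(key)                           # reinstallation: packet number back to 0
    n3, ct_secret_reused = sta.encrypt(PT_SECRET)  # nonce 0 again: same keystream as ct_known

    return {
        "fresh_nonce_differs": n1 != n2,
        "reinstalled_nonce_reused": n3 == n1,
        # with distinct nonces the XOR relation yields garbage, not the secret
        "recovered_before_reinstall":
            recover_second_plaintext(ct_known, ct_secret_fresh, PT_KNOWN) == PT_SECRET,
        # after the reinstallation the secret packet is recovered byte for byte
        "recovered_after_reinstall":
            recover_second_plaintext(ct_known, ct_secret_reused, PT_KNOWN) == PT_SECRET,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The model also shows why the advice above holds: what the XOR recovers is whatever the Wi-Fi layer was carrying, so if that payload is itself TLS, SSH or VPN traffic the attacker gets back ciphertext of a protocol the key reinstallation never touched. Patching the client, which stops the packet number being reset, removes the nonce reuse at its source.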

You might remember that the UK’s parliamentary email system was subjected to a brute-force attack in June, leaving MPs and Westminster staff unable to access their accounts. At the time, the Commons Press Office said that up to 90 accounts with weak passwords had been compromised. Rob Greig, the director of the Parliamentary Digital Service, commented: “it looks more like a state activity than anything else.”
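As an added example, not code from the podcast or from the Parliamentary Digital Service, here is the kind of detection an identity or mail-gateway team would run over authentication logs to catch the pattern described above: a burst of failed logins from one source spread across many accounts, followed by a success against an account whose password was weak enough to fall. The log format, timestamps, usernames and source addresses (RFC 5737 test ranges) are all constructed for this example, and `parse_line` and `detect_bruteforce` are names chosen here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed authentication log in a hypothetical format: timestamps,
# usernames and source addresses are made up for this example.
SAMPLE_LOG = """\
2017-06-23T22:01:05 auth FAIL user=mp.smith src=203.0.113.5
2017-06-23T22:01:09 auth FAIL user=mp.jones src=203.0.113.5
2017-06-23T22:01:14 auth FAIL user=mp.brown src=203.0.113.5
2017-06-23T22:01:20 auth FAIL user=staff.lee src=203.0.113.5
2017-06-23T22:01:27 auth FAIL user=staff.kim src=203.0.113.5
2017-06-23T22:01:33 auth OK user=staff.kim src=203.0.113.5
2017-06-23T22:05:00 auth FAIL user=mp.smith src=198.51.100.7
2017-06-23T22:05:20 auth OK user=mp.smith src=198.51.100.7
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Flag sources with >= threshold failed logins inside a sliding time window.

    For each flagged source the summary records how many failures fell in the
    window, how many distinct accounts were tried (many accounts from one source
    points to password spraying rather than one forgetful user), and any accounts
    that logged in successfully from that source after it was flagged, which are
    the candidates for a forced password reset.
    """
    recent: Dict[str, deque] = defaultdict(deque)   # src -> timestamps of recent failures
    users_tried: Dict[str, set] = defaultdict(set)  # src -> accounts that saw a failure
    alerts: Dict[str, dict] = {}

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts, user = ev["src"], ev["ts"], ev["user"]

        if ev["result"] == "OK":
            if src in alerts:
                alerts[src]["successes_after_alert"].append(user)
            continue

        q = recent[src]
        q.append(ts)
        users_tried[src].add(user)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()

        if len(q) >= threshold:
            summary = alerts.setdefault(src, {
                "first_alert": ts,
                "failures_in_window": 0,
                "distinct_users": 0,
                "successes_after_alert": [],
            })
            summary["failures_in_window"] = max(summary["failures_in_window"], len(q))
            summary["distinct_users"] = len(users_tried[src])
    return alerts


if __name__ == "__main__":
    for src, summary in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, summary)
```

The threshold and window are deliberately conservative defaults; in practice they are tuned against a baseline of normal failure rates, and the alert feeds a response such as rate limiting or locking the source, resetting the accounts listed under `successes_after_alert`, and enforcing the password-strength and multi-factor controls that make a brute-force attempt fail in the first place.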

Russia was initially blamed, but Whitehall officials have now claimed that Iran was responsible for the attack. According to The Times, “It is believed to be Iran’s first significant act of cyberwarfare on Britain and underlines its emergence as one of the world’s biggest cyberpowers.”

The BBC security correspondent Gordon Corera told Radio 4’s PM programme that the attack was a sign that Iran was becoming “more aggressive and capable as a cyber power”. He said Iran’s motive was unclear, and that it could merely have been exploring networks to see what it could find.

Pizza Hut has admitted that it suffered a data breach in which “a small number” of US customers’ payment card details were compromised earlier this month. Bleeping Computer reports that Pizza Hut emailed customers on Saturday to tell them it had “identified a temporary security intrusion” on its website.

It said: “We have learned that the information of some customers who visited our website or mobile application during an approximately 28-hour period (from the morning of October 1, 2017 [to] midday on October 2, 2017) and subsequently placed an order may have been compromised.

“The security intrusion at issue impacted a small percentage of our customers and we estimate that less than one percent of the visits to our website over the course of the relevant week were affected.”

Alas, the email came too late for some customers, who vented their frustration about losing money on Twitter.

Pizza Hut suffered another data breach in 2012, when 240,000 credit card details were stolen in Australia.

Meanwhile, Domino’s in Australia has also come under fire from disgruntled pizza lovers this week after they found their details on spam lists following a data breach at an unnamed former supplier. It commented:

“There is no evidence to suggest that there has been any unauthorised access to Domino’s systems.

“Ongoing testing has confirmed our systems are secure and at no time has customer financial information (including credit cards) or passwords, been accessed or compromised.

“Domino’s confirmed customers do not have to update passwords or details but recommends they don’t click on any links contained in the spam material, mark the emails as spam, and ensure their virus protection is up-to-date.”

Reuters had an interesting exclusive on Tuesday: Microsoft’s secret database of software vulnerabilities was “broken into by a highly sophisticated hacking group more than four years ago, according to five former employees”.

According to Reuters, the database “contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system”. Worse, the database was “poorly protected, with access possible via little more than a password”.

Microsoft discovered the breach in early 2013, and “published a brief statement that portrayed its own break-in as limited and made no reference to the bug database.”

Microsoft declined to comment on its former employees’ revelations, telling Reuters: “Our security teams actively monitor cyber threats to help us prioritize and take appropriate action to keep customers protected.”

Well, that’ll do for this week. Until next time, you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.