
Mozilla: Superhero and Disney Princess Names Are Among the Most Common Passwords in Breached Accounts

 

The passwords we create for our accounts are much like the key that locks a house. A password protects the online home of our personal information, so choosing a very strong one is like having a superhero on your side in the battle between heroes and villains.

However, according to a new blog post by Mozilla, superhero-themed passwords are turning up in data breaches more and more often. It may sound absurd, but Mozilla's research, based on data from haveibeenpwned.com, found that some of the most common passwords seen in breaches are built on the names of superheroes or Disney princesses. Such obvious passwords make it easy for attackers to guess their way into an account or system.

The analysis found 'Superman' used as the password in 368,397 breached accounts, 'Batman' in 226,327 and 'Spider-Man' in 160,030; Wolverine and Ironman appeared in thousands more. Disney princesses fared no better: research from 2019 showed 'Jasmine' as the password in 192,023 breached accounts and 'Aurora' in 49,763.

'Princess' on its own appeared in 484,4765 breached accounts, and some Disney+ accounts simply used 'Disney' as the password. Passwords this guessable are one of the main reasons account takeover is so easy, and every success emboldens the attackers further.

With compromised credentials circulating on the dark web in ever greater volume, a growing number of businesses are moving to passwordless sign-in. Microsoft, for example, has extended the passwordless option it offered to Azure Active Directory (AAD) commercial customers to consumer Microsoft accounts on Windows 10 and Windows 11 PCs.

Almost all of Microsoft's own employees already sign in without passwords, according to Vasu Jakkal, corporate vice president of Microsoft's Security, Compliance, Identity, and Management group.

"We use Windows Hello and biometrics. Microsoft already has 200 million passwordless customers across consumer and enterprise," Jakkal said. "We are going completely passwordless for Microsoft accounts. So you don't need a password at all," she added.

Password reuse is common, and it is dangerous; people do it because it is easy and because they do not see the consequences. Credential stuffing attacks exploit exactly this: attackers take the email address and password pairs leaked from one breach and automate login attempts with them against other sites. Use a different password for every account, change a password as soon as the site it belongs to is breached, and pick something strong that is not an obvious name or word.
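A practical way to keep these names out of a user base is to check new passwords against breach data without ever sending the password anywhere. The script below is an added example, not Mozilla's or haveibeenpwned.com's code: it reproduces the k-anonymity scheme the Pwned Passwords range API uses (only the first five hex characters of the SHA-1 hash leave the client), but the "range" responses are built inline from a constructed table that reuses the counts quoted above plus one made-up entry, so it runs offline. It also shows a detail the paragraph does not: an exact-match check waves through "Batman123!" unless the padding people add to a dictionary word is stripped first.

```python
import hashlib
import re
from typing import Callable, Dict, List

# Constructed sample: password -> number of breached accounts it appeared in.
# The first five counts are the figures from the Mozilla post quoted above;
# 'hunter2' and its count are made up. This dict stands in for the Pwned
# Passwords corpus, which is never downloaded here.
KNOWN_BREACHED: Dict[str, int] = {
    "superman": 368397,
    "batman": 226327,
    "spiderman": 160030,
    "jasmine": 192023,
    "aurora": 49763,
    "hunter2": 12,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash the Pwned Passwords range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_db(known: Dict[str, int]) -> Dict[str, List[str]]:
    """Group hashes by their 5-hex-char prefix, as the API's /range/ endpoint does."""
    db: Dict[str, List[str]] = {}
    for pw, count in known.items():
        digest = sha1_hex(pw)
        db.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return db


RANGE_DB = build_range_db(KNOWN_BREACHED)


def local_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    The real service answers with one 'SUFFIX:COUNT' line per hash sharing the
    prefix, so only those 5 characters ever leave the client (k-anonymity)."""
    return "\n".join(RANGE_DB.get(prefix, []))


def breach_count(password: str, lookup: Callable[[str], str] = local_range_lookup) -> int:
    """Return how many breached accounts used this exact password, else 0."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0


_PADDING = re.compile(r"[\d!@#$%^&*._\-]+$")


def base_word(password: str) -> str:
    """Strip the padding people bolt onto a dictionary word: 'Batman123!' -> 'batman'.
    Breach lists are exact-match, so a check that skips this step lets
    'Superman1' through even though 'superman' is one of the top hits."""
    return _PADDING.sub("", password).lower()


def evaluate(password: str, lookup: Callable[[str], str] = local_range_lookup,
             min_length: int = 12) -> dict:
    """Policy decision: reject breached passwords and thin disguises of them."""
    exact = breach_count(password, lookup)
    base = base_word(password)
    base_hits = breach_count(base, lookup) if base and base != password else 0
    return {
        "exact_hits": exact,
        "base_word": base,
        "base_hits": base_hits,
        "accept": len(password) >= min_length and exact == 0 and base_hits == 0,
    }


if __name__ == "__main__":
    for candidate in ("superman", "Batman123!", "correct horse battery staple"):
        print(candidate, evaluate(candidate))
```

To use it against the live service, replace `local_range_lookup` with a function that fetches `https://api.pwnedpasswords.com/range/<prefix>` and returns the response body; the matching logic stays the same.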

Ransomware Attacks At An All Time High, Reports Palo Alto

 

Ransomware and ransomware-as-a-service (RaaS) attacks are at an all-time high and have topped the cybersecurity community's agenda for months, as threat actors relentlessly attack businesses, corporate networks and email accounts for financial gain. Business Email Compromise (BEC) and Email Account Compromise (EAC) scams have caused the most damage, according to cybersecurity reports.

The FBI found that BEC and EAC accounted for at least $1.86 billion in losses in 2020 in the US alone, a 5% increase over 2019. BEC and EAC make up 45% of the losses from reported cybercrime incidents in the US, and 11% of the victims were over the age of 60.

By rough estimates, the largest reported ransomware payment to date is $40 million. Unit 42 describes the BEC playbook: "when scammers use this tactic, it usually starts with a baited email enticing the recipient to open the attachment or click on the link to a webpage.

The emails usually focus on some segment of business operations (including finance, human resources, logistics and general office operations) and point to an attachment or link related to topics requiring user action." Experts say the average ransomware demand in 2020 was $847,344, while the average ransom actually paid was $312,493.

In 2021 the average ransom paid has risen by 82% to $570,000. These averages count only the direct cost of the ransom itself. They leave out revenue lost while an organization was forced to operate in a compromised state, the cost of the resources spent on the incident, and, of course, attacks that were never reported: depending on the nature and impact of an attack, a company may decide not to report it at all.

That under-reporting makes it hard for federal and cybersecurity agencies to measure the full impact of these attacks. BEC/EAC scams and ransomware attacks share one prerequisite: the attacker needs privileged access to the victim's accounts or network.

"The lucrative nature of BEC/EAC scams drives criminals to continually modify and upgrade their tactics to defeat protections. One of the newer techniques integrates spear phishing, custom webpages and the complex cloud single sign-on ecosystem to trick users into unwittingly divulging their credentials," reports Unit 42 of Palo Alto Networks.

Private Details of Thousands of Customers Leaked in Hawaii Firm Ransomware Attack

 

Hawaii payroll processing firm Hawaii Payroll Services has confirmed a data breach affecting nearly 4,500 people. The company suffered a ransomware attack in mid-February that exposed clients' full names, social security numbers, dates of birth and bank details.

"The company's servers were breached by someone able to gain access to Hawaii Payroll's systems through a compromised client account and execute a privilege escalation attack that enabled the intruder to disable and remove security software and encrypt all data residing in Hawaii Payroll's servers," according to the company.

To contain the risk, the firm suspended all remote client access and asked the third-party vendor that manages its IT operations to determine the extent of the breach. It filed a complaint with the Federal Bureau of Investigation's Honolulu field office and notified state regulators and the credit reporting agencies.

Earlier this year, in May, the company sent letters to customers potentially affected by the ransomware attack, but some were returned unopened. The company is still trying to regain access to many of the files the attacker encrypted, company owner Michelle Wells-Nagamine told the Honolulu Star-Advertiser in an interview.

So far there have been no reports of the data appearing on the dark web. "We got everything put back in for this year, and we marched forward. That's all I can do," she said. The company retained "expert forensic assistance to further investigate and remediate the situation and to suggest security improvements," she added.

According to the state Department of Commerce and Consumer Affairs, Hawaii Payroll Services, established in July 2003, is a domestic limited liability company offering payroll processing, 401(k) reporting and payroll tax filing. It serves more than 120 local companies, including Rainforest at Kilohana Square, Diamond Bakery, Yummy's BBQ and Jean's Warehouse.

According to the U.S. Department of Justice, cybercrime surged in 2020: complaints rose from 467,361 in 2019, with losses of nearly $3.5 billion, to 791,790 in 2020, with $4.2 billion in losses, an increase of nearly 70% in the number of complaints. The FBI's Internet Crime Complaint Center also received 2,474 ransomware reports last year, accounting for over $29.1 million in losses.

Those dollar figures exclude estimates of lost business, time, wages, files or equipment, and any third-party remediation services a victim paid for. Many victims also never report their losses to the federal government, so the overall ransomware loss figure is artificially low.

NSA’s Cyber Chief Warned About the Increasing Cyber Threat

 

On Wednesday, September 29, the head of the National Security Agency's cybersecurity directorate warned about the growing number of digital threats and the adversaries behind them.

Rob Joyce, director of the NSA Cybersecurity Directorate, told the Aspen Cyber Summit in Colorado that nearly every government in the world now has a cyber exploitation program.

Joyce served as special assistant to the president and cybersecurity coordinator on the National Security Council until 2018, among many other senior roles at the nation's leading signals intelligence agency.

“The vast majority of those are used for espionage and intelligence purposes, but… there is interest in dabbling in offensive cyber and outcomes. The difference between the top of the list and the bottom of the list, usually, is scale,” stated Joyce. 

There are some "high-end, sophisticated small actors, but they're confined to whatever that national interest is that they're aimed at so we see less of them."

Joyce also gave his assessment of the so-called "Big Four", the foreign states that have long been America's main adversaries in cyberspace, and their latest activity online: Russia, China, Iran and North Korea.

Russia, he said, is the disruptive force: rather than lifting themselves up, they try to pull others down. They remain extremely active in intelligence gathering against critical infrastructure and foreign governments, and the real problem is that they deploy disruptive effects aggressively around the world. The NSA has seen indications of pre-positioning in US critical infrastructure, and that is something everyone must push back against as unacceptable.

China, by contrast, is off the charts in scale and scope. The number of Chinese cyber actors is growing all over the world, and the NSA's regard for them has changed from four or five years ago. They have always been broad, loud and noisy, but with such a vast resource base, the elite within that group is genuinely elite.

“The high end of the Chinese sophistication is really good. We’ve got to continue to understand, disrupt and then find ways across the whole of that technology to kind of push back… Yes, defense is really important, but you also have to work to disrupt so that’s the continuous engagement strategy out of the [Defense Department] and the idea that we got to put sand and friction in their operations, so they don’t get just free shots on goal,” he added. 

Turning to Iran, he said it remains operationally active in cyberspace. Iran was the nation everyone talked about during the bank distributed denial-of-service campaign and the Shamoon wiper malware, but what the NSA sees now is a much tighter focus on regional matters; their attention is not as broad. They remain capable, partly because their decision-making is less constrained and, crucially, because cyber operations are a practical tool for them. Iran sometimes fails to appreciate how far it has gone, and how much it has done to arouse the concern and anger of the wider community.

North Korea, finally, remains extremely focused on generating income for the regime. Sanctions have forced it to find other ways to raise cash, and it has realized that it is easier to steal Bitcoin than to steal from Bangladesh Bank. It has not hit the largest banks as hard because the crypto world has supplied the money it needs.

"The commercial firms were dealing with a lot of North Korean issues back when the [Covid-19] vaccine was an issue; they were going after the intellectual property of vaccine makers. So, still active, still a threat, very capable but mostly focused on crypto exchanges and creating money," he added.

Neiman Marcus Announces Data Breach; Millions Affected

American luxury retailer Neiman Marcus Group (NMG) has disclosed a major data breach that directly affected around 4.6 million customers. In a press release the company said it has begun notifying those 4.6 million customers that personal information associated with their online accounts may have been accessed by an unauthorized third party in May 2020.

According to the company, the breach occurred in May of last year, when an "unauthorized party" obtained personal information belonging to some Neiman Marcus customers from their online accounts.

Following the incident, the company notified law enforcement and is investigating further with the cybersecurity firm Mandiant.

The stolen information included names, addresses and contact information; usernames and passwords for Neiman Marcus online accounts; payment card numbers and expiration dates (but no CVV numbers); Neiman Marcus virtual gift card numbers (without PINs); and the security questions for Neiman Marcus online accounts. Around 3.1 million payment and virtual gift cards were affected, though around 85 percent of them were expired or invalid.

The breach did not affect customer data of Bergdorf Goodman or Horchow, which are also part of the Neiman Marcus Group. The company has advised customers to change their account passwords and to report any unusual activity.

"At Neiman Marcus Group, customers are our top priority," CEO Geoffroy van Raemdonck said in a statement Friday. "We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information."


Hydra Malware Targets Germany's Second Largest Bank Customers

 

The Hydra banking trojan has resurfaced to target users of European e-banking platforms, especially customers of Commerzbank, Germany's second-largest bank.

MalwareHunterTeam spotted the two-year-old trojan in a fresh distribution campaign targeting German users with a malicious APK called 'Commerzbank Security', using an icon that mimics the legitimate app.

That caught the attention of Cyble researchers, who analysed a sample in depth and found a sophisticated phishing tool demanding broad permissions.

Hydra is still evolving, according to Cyble: the variants used in the latest campaign include TeamViewer functionality, similar to the S.O.V.A. Android banking trojan, use several encryption methods to evade detection, and communicate over Tor.

The latest version can also turn off Google Play Protect. The trojan asks for two particularly dangerous permissions, BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN, according to the researchers.

The Accessibility Service is a background service that assists users with disabilities, and the BIND_ACCESSIBILITY_SERVICE permission lets the app bind to it.

The analysis published by Cyble states, “Malware authors abuse this service to intercept and monitor all activities happening on the device’s screen. For example, using Accessibility Service, malware authors can intercept the credentials entered on another app.” 

“BIND_DEVICE_ADMIN is a permission that allows fake apps to get admin privileges on the infected device. Hydra can abuse this permission to lock the device, modify or reset the screen lock PIN, etc.” 

The malware requests further permissions for tasks such as reading SMS, sending SMS, placing calls, changing device settings, spying on user activity and sending bulk SMS to the victim's contacts:
  • CHANGE_WIFI_STATE: modify the device's Wi-Fi settings
  • READ_CONTACTS: access phone contacts
  • READ_EXTERNAL_STORAGE: read the device's external storage
  • WRITE_EXTERNAL_STORAGE: modify the device's external storage
  • READ_PHONE_STATE: access phone state and information
  • CALL_PHONE: place calls without user intervention
  • READ_SMS: read the SMS messages stored on the device
  • REQUEST_INSTALL_PACKAGES: install applications without user interaction
  • SEND_SMS: send SMS messages
  • SYSTEM_ALERT_WINDOW: draw windows over other apps
Code analysis shows that many classes are missing from the APK file: the malicious code is wrapped in a custom packer to evade signature-based detection.
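The permission set above is the kind of thing an analyst triages straight from AndroidManifest.xml before any dynamic analysis. The script below is an added example, not Cyble's tooling or anything from the real sample: it runs over a constructed manifest modelled on the permissions listed above (package and component names are made up), and the weights are this example's own heuristic rather than any published score. The point it makes that the list does not: BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN never appear in a `<uses-permission>` line, because an app exposes a component guarded by them (`android:permission` on a `<service>` or `<receiver>`), so a triage script that only greps `uses-permission` misses the two that matter most.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest modelled on the permission set Cyble describes above.
# It is not the real 'Commerzbank Security' APK's manifest; the package name
# and component names are made up for the example.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Commerzbank Security">
        <service android:name=".A11y"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".Admin"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# A harmless manifest for comparison (also constructed).
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""

# Weights are this example's own triage heuristic, not a Cyble or Google score.
WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 5,
    "android.permission.BIND_DEVICE_ADMIN": 4,
    "android.permission.SEND_SMS": 3,
    "android.permission.READ_SMS": 3,
    "android.permission.SYSTEM_ALERT_WINDOW": 3,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
    "android.permission.CALL_PHONE": 2,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.WRITE_EXTERNAL_STORAGE": 1,
    "android.permission.CHANGE_WIFI_STATE": 1,
}


def collect_permissions(manifest_xml: str) -> Dict[str, List[str]]:
    """Return the permissions an app requests AND the ones it binds components to."""
    root = ET.fromstring(manifest_xml.strip())
    requested = sorted(
        el.get(ANDROID + "name", "") for el in root.iter("uses-permission")
    )
    # BIND_* permissions live on the component, not in <uses-permission>.
    bound = sorted(
        el.get(ANDROID + "permission") for el in root.iter()
        if el.tag in ("service", "receiver", "activity") and el.get(ANDROID + "permission")
    )
    return {"requested": requested, "bound": bound}


def triage(manifest_xml: str) -> dict:
    """Score a manifest and give a coarse verdict for analyst prioritisation."""
    perms = collect_permissions(manifest_xml)
    present = set(perms["requested"]) | set(perms["bound"])
    score = sum(WEIGHTS.get(p, 0) for p in present)
    hits = sorted(p for p in present if p in WEIGHTS)
    has_a11y = "android.permission.BIND_ACCESSIBILITY_SERVICE" in present
    steals = present & {"android.permission.READ_SMS", "android.permission.SYSTEM_ALERT_WINDOW"}
    if has_a11y and steals:
        verdict = "banker-like"   # screen reading plus overlay/OTP theft capability
    elif score >= 6:
        verdict = "suspicious"
    else:
        verdict = "low"
    return {"score": score, "hits": hits, "verdict": verdict, **perms}


if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(xml))
```

On a real APK, feed the script the manifest decoded by apktool or aapt (the binary AXML inside the APK is not plain XML). The verdict is only a prioritisation signal; legitimate accessibility and device-management apps also bind these services, which is exactly why Google Play Protect is the layer Hydra tries to switch off.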

Cyble concluded, “We have also observed that the malware authors of Hydra are incorporating new technology to steal information and money from its victims. Alongside these features, the recent trojans have incorporated sophisticated features. We observed the new variants have TeamViewer or VNC functionality and TOR for communication, which shows that TAs are enhancing their TTPs.” 

“Based on this pattern that we have observed, malware authors are constantly adding new features to the banking trojans to evade detection by security software and to entice cybercriminals to buy the malware. To protect themselves from these threats, users should only install applications from the official Google Play Store.” 

18 million potential targets

Commerzbank has 13 million clients in Germany and another 5 million in Central and Eastern Europe, a total of 18 million potential targets, which is always a consideration for malware distributors.

Threat actors typically use SMS, social media and forum posts to steer potential victims to malicious landing pages that push the APK onto German devices.

Anyone who believes they have already fallen into Hydra's trap should scan the device with a reputable vendor's security tool and then perform a factory reset.

Thousands of Coinbase Clients were Robbed due to an MFA Flaw

 

A threat actor exploited a flaw in Coinbase's SMS multi-factor authentication to steal cryptocurrency from 6,000 customers, the firm says. According to a notice sent to affected customers this week, the campaign ran between March and May 20, 2021 and targeted Coinbase customer accounts.

To pull this off, the attackers had to know the user's email address, password and phone number, and have access to the victim's email account, according to the US-based exchange, which has roughly 68 million customers in over 100 countries. How the attackers obtained that information is unclear.

"In this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase's SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account," Coinbase told customers in electronic notifications. 

Customers' personal information was exposed as well, according to the report, "including their complete name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balances."

In other words, a flaw in the SMS account recovery process let the attackers obtain the SMS two-factor authentication token needed to get into a protected account. Coinbase says it updated its "SMS Account Recovery protocols" once it learned of the incident, closing this route around SMS multi-factor authentication.

Because the bug allowed access to accounts that customers believed were secure, the exchange is reimbursing affected accounts for the amount stolen.

"We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed -- we will ensure all customers affected receive the full value of what you lost," Coinbase promised. It is unclear whether Coinbase will credit affected users with the stolen cryptocurrency or with fiat currency; a fiat reimbursement could be a taxable event for victims whose holdings had gained in value.

In its account security guide, Coinbase recommends multi-factor authentication with security keys first, then time-based one-time passwords (TOTP) from an authenticator app, and SMS text messages only as a last resort.

JVCKenwood Company Suffers Ransomware Attacks, Hackers Demand $7 Million Ransom

 

JVCKenwood has been hit by a Conti ransomware attack; the attackers claim to have stolen 1.7 TB of data and are demanding a $7 million ransom. JVCKenwood is a Japanese multinational electronics company with around 17,000 employees and revenue of $2.45 billion in 2021. Its brands Victor, Kenwood and JVC make car and home audio equipment, healthcare and radio equipment, portable power stations, and professional and in-vehicle cameras.

Earlier this week, JVCKenwood disclosed that servers belonging to its European sales companies were compromised on September 22 and that the attackers may have had access to data while the attack was under way. The company said it detected unauthorized access in September 2021 to servers operated by JVCKenwood Group's sales organizations in Europe, and that data may have been leaked by the third party that made the unauthorized access attempts.

A thorough investigation is under way by external specialist firms working with the company and the relevant authorities; no data leak has been confirmed to date, and further details will be posted on the company website as they become available. A source shared the Conti ransom note used in the JVCKenwood attack. In negotiations, the gang claims to have stolen 1.5 TB of files and is demanding $7 million in exchange for a decryptor and for not leaking the data. As proof, the attackers shared a file containing scanned copies of employees' passports.

Since that proof was provided, the JVCKenwood representative has not responded to the attackers, which suggests the company is not willing to pay. "Conti is a ransomware family believed to be operated by the TrickBot threat actor group and is commonly installed after networks are compromised by the TrickBot, BazarBackdoor, and Anchor trojans. The ransomware gang has been responsible for a wide range of attacks over the years, including high-profile attacks against the City of Tulsa, Ireland's Health Service Executive (HSE), Advantech, and numerous health care organizations," reports BleepingComputer.

Ransomware Attack on Hospital Associated with Baby’s Death

 

A baby born in Alabama later died of severe brain injury after what a lawsuit says was botched care during a ransomware attack on the hospital. The US hospital, paralysed by ransomware in 2019, will defend itself in November against the claim that the cyberattack caused the baby's death.

The filing is the first credible public allegation that someone was killed, at least in part, by attackers who remotely shut down hospital computers in an extortion attempt, a practice that is steadily growing in cybercrime.

The lawsuit, first reported by The Wall Street Journal, was brought by the baby's mother, Teiranni Kidd. It says Springhill Medical Center never told her that its computers were down because of a cyberattack, and that when she arrived to deliver her daughter she received severely degraded care.

In 2019 Springhill described the event as a "network security incident," a common euphemism for a cyberattack. At the time it told local news station WKRG that it was seeing its usual number of patients, although some were turned away because of the ransomware attack.

Kidd first sued the hospital in January 2020 and amended the complaint when her daughter died in July. The hospital did not respond to a request for comment, and Kidd declined to speak because her case is ongoing.

The court filings say Kidd was not told about the cyberattack when she arrived to give birth, and that doctors and nurses then missed several key tests that would have shown the umbilical cord was wrapped around the baby's neck. The resulting brain damage led to her death nine months later.

"It's an awful thing, but we've been expecting this for years to happen, because when things go wrong, eventually somebody's going to die," said Allan Liska, a ransomware analyst at Recorded Future.

This is not the first time ransomware has been linked to a death, but it is the first such case to reach a court. The closest precedent came in September 2020, when a patient in Germany died after her ambulance was diverted because ransomware had hit the hospital. German police opened a negligent homicide inquiry and said the attackers could be held liable.

Springhill has declined to name the ransomware behind the July 2019 attack, despite the time that has passed and the lack of scruples involved in targeting a healthcare facility.

Proxy Phantom Employs Automated Credential Stuffing Technique to Target Online Retailers

 

Cybersecurity researchers have exposed a massive fraud operation that targets e-commerce companies in account takeover attacks. 

Sift, a fraud prevention firm, announced on Thursday that the fraud ring, dubbed Proxy Phantom, is using over 1.5 million sets of stolen account credentials in automated credential stuffing attacks against online retailers.

Credential stuffing attacks rely on large numbers of stolen or leaked credentials, username and password pairs from one website, and try them against the login pages of other websites. The attacker's goal is to gain unauthorized access to as many user accounts as possible and then use them for further attacks or fraud.

Sift's researchers estimate that only about 0.1% of credential stuffing attempts succeed. Even at that rate, because thousands of credential pairs can be tried at once, the attacks are still worthwhile, particularly against businesses or financial services.

Proxy Phantom "flooded businesses with bot-based login attempts to conduct as many as 2,691 login attempts per second," according to Sift's Q3 2021 Digital Trust & Safety Index. The scammers also used rotating IP addresses to make the requests appear to come from different geographic regions, and primarily targeted e-commerce platforms and online services.

"As a result, targeted merchants using rules-based fraud prevention methods would be forced to play a supercharged, global game of 'whack-a-mole,' with new combinations of IP addresses and credentials (likely purchased in bulk on the dark web) coming for them at an unthinkable pace," Sift stated.
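The "whack-a-mole" problem is concrete: a per-IP rule stops working the moment each proxy is used only a few times. The script below is an added example, not Sift's detection logic, run over a constructed login log (not real traffic) in which 200 stolen credential pairs are each tried once across 40 rotating IPs within two seconds, mixed with a few ordinary logins. It keeps the per-IP view, but adds a source-agnostic view that watches the site-wide stream for a burst of failures spread across many different accounts, the signature that survives IP rotation.

```python
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def build_sample_log() -> str:
    """Constructed login log, not real traffic: 200 credential pairs tried once
    each, spread over 40 rotating proxy IPs within two seconds, plus a few
    ordinary logins (one user who fumbles the password twice before succeeding)."""
    base = datetime(2021, 9, 30, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    n = 0
    for slot in range(20):                          # 20 slots of 100 ms = 2 s
        ts = base + timedelta(milliseconds=100 * slot)
        for _ in range(10):
            ip = f"203.0.113.{n % 40 + 1}"           # each proxy reused only every 40th try
            lines.append(f"{ts.strftime(TS_FMT)} ip={ip} user=user{n:03d}@example.com result=FAIL")
            n += 1
    legit = [
        (500, "198.51.100.7", "alice@example.com", "OK"),
        (1200, "198.51.100.8", "bob@example.com", "FAIL"),
        (1400, "198.51.100.8", "bob@example.com", "FAIL"),
        (1600, "198.51.100.8", "bob@example.com", "OK"),
    ]
    for ms, ip, user, res in legit:
        ts = base + timedelta(milliseconds=ms)
        lines.append(f"{ts.strftime(TS_FMT)} ip={ip} user={user} result={res}")
    return "\n".join(lines)


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the log format above; unparseable lines are skipped, output is time-sorted."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT).replace(tzinfo=timezone.utc)
        events.append(LoginEvent(ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return sorted(events, key=lambda e: e.ts)


def analyze(events: List[LoginEvent], window_s: float = 10.0, min_attempts: int = 50,
            min_distinct_users: int = 25, max_success_ratio: float = 0.05,
            ip_min_users: int = 5, ip_min_fail_ratio: float = 0.9) -> dict:
    """Per-IP view (many accounts, almost no successes from one address) plus a
    sliding-window view over the whole stream that ignores the source entirely."""
    per_ip: Dict[str, dict] = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for e in events:
        s = per_ip[e.ip]
        s["attempts"] += 1
        s["fails"] += 0 if e.ok else 1
        s["users"].add(e.user)
    flagged_ips = sorted(
        ip for ip, s in per_ip.items()
        if len(s["users"]) >= ip_min_users and s["fails"] / s["attempts"] >= ip_min_fail_ratio
    )

    window: deque = deque()
    users_in_window: Counter = Counter()
    successes = 0
    first_alert = None
    for e in events:
        window.append(e)
        users_in_window[e.user] += 1
        successes += 1 if e.ok else 0
        while (e.ts - window[0].ts).total_seconds() > window_s:   # expire old events
            old = window.popleft()
            users_in_window[old.user] -= 1
            if users_in_window[old.user] == 0:
                del users_in_window[old.user]
            successes -= 1 if old.ok else 0
        if (first_alert is None and len(window) >= min_attempts
                and len(users_in_window) >= min_distinct_users
                and successes / len(window) <= max_success_ratio):
            first_alert = e.ts

    per_second = Counter(e.ts.replace(microsecond=0) for e in events)
    return {
        "flagged_ips": flagged_ips,
        "global_alert": first_alert is not None,
        "first_alert": first_alert,
        "peak_attempts_per_second": max(per_second.values()) if per_second else 0,
        "events": len(events),
    }


if __name__ == "__main__":
    result = analyze(parse_log(build_sample_log()))
    print(result["global_alert"], result["peak_attempts_per_second"], len(result["flagged_ips"]))
```

With only five attempts per proxy the per-IP rule still fires here because `ip_min_users` is set low; raise it to what a busy NAT gateway legitimately produces and those 40 IPs disappear from the list, while the site-wide window still alerts. The thresholds are illustrative and need tuning against a site's own baseline of failed logins and distinct accounts per window.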

The report also says that account takeover attacks detected by the company jumped 307% in Q3. The financial sector, including cryptocurrency exchanges and digital wallet services, is a top target.

Earlier this month, Netacea, a UK-based software firm, released an index documenting the activity of scalper bots: automated systems built to beat online queues for high-demand products such as concert tickets and gaming consoles, which their operators then resell at a profit.

"Fraudsters will never stop adapting their techniques to overwhelm traditional fraud prevention, making suspicious logins look legitimate, and legitimate ones look suspicious. At the same time, poor consumer security habits, like reusing passwords for multiple accounts, make it easy and continue to breathe life into the fraud economy," said Jane Lee, trust and safety architect at Sift.

“To proactively secure customer accounts and fuel expansion into new markets, merchants need to adopt a Digital Trust & Safety strategy to stop these advanced attacks before they shatter consumer loyalty and stifle growth,” she added.

Thousands of University Wi-Fi Networks Disclose Log-In Credentials

 

Configuration weaknesses in a free Wi-Fi network used by many universities can expose the usernames and passwords of students and staff who connect from Android and Windows devices, researchers have found.

WizCase researchers led by Ata Hakçıl evaluated 3,100 Eduroam configurations at universities across Europe and found that more than half had weaknesses that attackers could exploit.

They warned that the same misconfigurations are likely to exist at institutions around the world. Eduroam provides free Wi-Fi at participating institutions: students, researchers and faculty sign in with their home university's credentials and get internet access at any other participating university.

The weaknesses lie in how institutions implement the Extensible Authentication Protocol (EAP) that Eduroam uses, which authenticates a user in several stages when they connect. Some institutions implement some of those stages incorrectly, and that creates the exposure.

Researchers wrote in a report posted Wednesday, “Any students or faculty members using Eduroam or similar EAP-based Wi-Fi networks in their faculties with the wrong configuration are at risk.” 

“If you are using an Android device and have Eduroam Wi-Fi set to auto-connect, malicious people could capture your plaintext username and password by only getting 20 or so meters in the range of you.” 

WizCase reviewed several institutions' configuration guides and built a test environment with multiple attack scenarios. In the majority of institutions with misconfigured networks, an attacker could set up an "evil twin" Eduroam network that a user, and in particular an Android device, would mistake for the real one.

Referring to Eduroam's configuration assistant tool, which sets up the certificate checks, the researchers wrote: "This could result in these devices automatically sending their stored credentials in order to connect to the evil twin Wi-Fi network for users not using eduroamCAT."

The researchers stressed that the problem is not a technical flaw in Eduroam's service or technology, but the incorrect setup instructions that institutions' own network administrators give to the people configuring access.

And while each institution assigns resources and staff to keep Eduroam running, there is no centralized management of the network, either as a whole or at each participating university, so a minor misconfiguration can make an institution a target.

Dissecting the successive stages of EAP authentication, the researchers traced the problem to poor implementation of the final stage, known as "inner authentication". EAP can perform inner authentication in one of two ways.

One is the Password Authentication Protocol (PAP), which sends the user's credentials to the authentication server in plaintext and relies on the outer authentication stage, which uses a server certificate, to encrypt all of the traffic.

The other is Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2), which assumes the outer authentication stage may have failed and transfers the password as a hashed challenge-response rather than in plaintext.

Mismanaged Certificate Checks 
On Android the weak point is the certificate check. "When a network with the same Wi-Fi name appears, Android devices will not check whether this certificate is trustworthy or not, and will not even notify the user about the certificate before connecting," the researchers explained.

Even an operating system that performs certificate checks properly can leak data, because many users do not understand what a certificate warning means and will let the connection proceed anyway.

The researchers say this means the problem can also arise on Windows if a system is misconfigured. iOS devices are not affected, because they do not allow connections to EAP networks until the EAP configuration profile, which pins the server-side certificate, has been installed.

According to the researchers, 2,100 of the 3,100 participating university configurations WizCase examined are potentially affected.

According to WizCase, the issue can be mitigated by falling back to the second inner authentication method, MSCHAPv2 (though a captured MSCHAPv2 challenge-response can still be cracked offline, so enforcing the server certificate check remains essential). WizCase contacted Eduroam in December to share its findings and received a response the same day.
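What "wrong configuration" looks like on the client side is easy to make concrete. The script below is an added example, not WizCase's tooling: it parses a constructed wpa_supplicant.conf carrying three eduroam profiles of the kind a university's "how to connect" page might hand out (identities, certificate paths and the RADIUS server name are made up) and reports, for each, what an evil twin would get. Profile 1 is the typical bad guide (no CA, MSCHAPv2 inside), profile 2 trusts the public CA bundle without a server-name check, and profile 3 pins the institutional CA and the server name, which is why PAP inside it is acceptable.

```python
import re
from typing import Dict, List

# Constructed wpa_supplicant.conf with three eduroam profiles. The identities,
# certificate paths and server name are made up for the example.
SAMPLE_CONF = """
# Profile 1: what many guides tell Linux/Android users to use. No CA, no
# server-name check: an evil twin with any certificate gets the MSCHAPv2 exchange.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="s1234567@example.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# Profile 2: trusts the whole public CA bundle, still no server-name check.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="s1234567@example.edu"
    password="hunter2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    phase2="auth=PAP"
}

# Profile 3: pinned institutional CA plus server name; PAP inside is fine
# because the tunnel to the real RADIUS server is verified first.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="s1234567@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="hunter2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=PAP"
}
"""

# wpa_supplicant options that tie the server certificate to a name.
NAME_CHECK_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Minimal wpa_supplicant.conf reader: each network={...} block to a dict."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        net: Dict[str, str] = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit(net: Dict[str, str]) -> List[str]:
    """Findings for one 802.1X profile; an empty list means the tunnel is verified."""
    findings: List[str] = []
    if net.get("key_mgmt") != "WPA-EAP":
        return findings                              # not an EAP network, nothing to check
    inner = net.get("phase2", "").upper()
    has_ca = "ca_cert" in net
    if not has_ca:
        findings.append("no ca_cert: any server certificate is accepted, so an evil twin "
                        "can terminate the TLS tunnel itself")
    elif net["ca_cert"].endswith("ca-certificates.crt"):
        findings.append("ca_cert is the public CA bundle: any commercial CA could issue a "
                        "certificate the client would trust")
    if not any(k in net for k in NAME_CHECK_KEYS):
        findings.append("no domain_suffix_match/altsubject_match: any certificate from the "
                        "trusted CA is accepted regardless of server name")
    if "AUTH=PAP" in inner and not has_ca:
        findings.append("inner auth PAP inside an unverified tunnel: password goes to the "
                        "attacker in plaintext")
    if "MSCHAPV2" in inner and not has_ca:
        findings.append("inner auth MSCHAPv2 inside an unverified tunnel: the captured "
                        "challenge/response can be cracked offline")
    if "anonymous_identity" not in net:
        findings.append("no anonymous_identity: the real username is sent in the clear "
                        "as the outer identity")
    return findings


if __name__ == "__main__":
    for i, net in enumerate(parse_networks(SAMPLE_CONF), 1):
        print(f"profile {i} ({net.get('eap')}/{net.get('phase2')}):")
        for f in audit(net) or ["ok"]:
            print("  -", f)
```

The same three properties (a specific trusted CA, a server-name match, and an anonymous outer identity) are what eduroamCAT writes into a profile, which is why the researchers single out users who skipped it.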

According to WizCase, Eduroam officials said they are aware of "Eduroam identity providers who do not follow the requirements of the Eduroam policy and leave their own users unprotected," and agreed with the researchers that this conduct is "unacceptable." It is unknown whether Eduroam has contacted its member institutions to alert them to the issue.