Old Hacks, New Pain

The video on the right is about ten years old but the techniques described are evergreen. Wifi – man in the middle attacks, web based client side injection attacks, USB flash drive malware and RFID attacks are all well known attack vectors in the security community but as we’ll go on to discuss here, whilst many of the challenges demonstrated in the video have been addressed, many also remain.
Lets take a look at each of these now in a little more detail.

Wireless Man In The Middle

Before the advent of ubiquitous public free WIFI. wireless networks were primarily to be found in private locations such as homes and offices. Back then, a practice called wardriving, (the ugly stepchild of wardialling) was the best way to get up to no good. Practitioners would assemble their toolkit of laptop, battery, amplifiers and fancy high gain antennas and head to the vicinity of these networks where they would snoop the network and look for opportunities to get up to mischief. Nowadays, all a miscreant needs to do is go buy a coffee, plonk themselves down in the corner and wait.

Ten years ago, WEP (Wired Equivalent Privacy) was still in quite widespread use and was woefully vulnerable to attack. With WEP in use, each packet is encrypted with an RC4 (Rivest Cipher 4 stream cipher. Multiple vulnerabilities have been discovered in RC4, rendering it insecure) cipher stream generated by a 64 bit RC4 key. The key is made up of a 24 bit IV (initialisation vector) and a 40 bit WEP key. The encrypted packet is generated by bitwise modulo 2 addition of the plaintext and the RC4 cipher stream.

WEP Weakness

The fact is, unless a protocol compels good key management practices, they will not happen. Poor quality and long lived keys can and most certainly do exist on WEP implementations and most WEP networks had one single WEP key shared between every host on the network. Everything on the network needed to be a holder of the key in some form and, since changing keys was tedious and burdensome, keys were rarely changed. Furthermore, a key size of 40 bits was a weakness in and of itself. 40 bits may have been acceptable in the late 90s, but nowadays its not enough.

In addition to the key management issues, the system has been designed with use of an initialisation vector that is too small. At 24 bits, a given WEP key only allows for 16,777,216 different RC4 cipher streams. If IV’s are reused then this becomes a problem. And they are. Another problem lies in the way that the IV is chosen. The specification does not define this and therefore reuse can become a significant problem.

WEP therefore, in summary, has significant design flaws and vulnerabilities.

Client-Side Injection Attacks

Client side injection attacks are basically a form of content spoofing which tricks a user into believing that certain content on a site is legitimately part of the web page and not inserted from another source.

Otherwise known as XSS (cross site scripting), these attacks allow an attacker to execute javascript in the target web browser which can be used to hijack sessions, modify sites, insert more insecure content or take over the target browser. All WAF (web application frameworks) are vulnerable to this type of attack if the website and associated code is constructed poorly. As mentioned before, the attacks typically use javascript but HTML can also be used as can any number of other scripting languages such as VB Script, ActiveX, Java or even Flash. The only prerequisite to the scripting language used is that it is supported by the browser.

XSS attacks typically come in one of two forms, namely persistent or non persistent. Persistent XSS attacks usually add malicious code to a site in the form of added links found in forum posts, emails in webmail clients and even chat conversations within browsers. Non persistent attacks require the user to click a link that has been modified with code which, when clicked is executed in the client browser.

Thumb drive trojans

Thankfully we have moved on from the days when operating systems like Windows XP would “auto run” some of the code on a thumb drive simply by virtue of being plugged in. Nowadays the latest operating systems avoid doing this because of the security threat that it can present. Nevertheless, unknown USB drives can contain malware which, when run, can infect the operating system with ransomware, or worse. Furthermore, even non executable files which typically attract less scrutiny that executables can contain malware which launches simply by opening the file.


Leave a Reply

You must be logged in to post a comment.