Welcome to Cyber Threats 101! This is the fifth chapter in our A Busy College Student’s Guide to Online Security. We’ll begin by defining what are password attacks and share expert tips on how to avoid becoming a victim to these attacks.
What are password attacks?
Password attacks are methods that take advantage of stolen, weak and/or reused passwords used to protect online accounts. In fact, 81 percent of hacking-related breaches in 2016 was the result of an attacker leveraging stolen and/or weak passwords.
Hackers can use one or more strategies to “guess” or crack encrypted passwords, including brute force attacks, dictionary attacks, and keyloggers. Before we get into these attacks, you must first know what encryption is.
What is encryption?
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. It transforms data that you send across the Internet into a format which is only readable when in possession of a decryption key, which provides the code to decipher the encryption.
Brute Force Attacks take a “try-try again” approach to guess password possibilities using automation software. Starting with one-digit passwords, the program will continue to guess longer combinations of letters, numbers, and symbols.
To get a better idea of how brute force attacks work, take a look at this short video from Lynda.com:
What are dictionary attacks?
Dictionary Attacks are based on the idea that we love to use names, places, sports teams, slang, etc. in our passwords. This method also uses automation software to guess different password combinations based on commonly used words that could be found in the dictionary.
What are keyloggers?
Keyloggers are malicious programs hackers implant on a target’s computer system–commonly through phishing emails–and are used to track and record every keystroke you make. It can record passwords, social security numbers, phone numbers, and even your credit card information.
Why shouldn’t I reuse a password on multiple accounts?
You should avoid reusing the same password on multiple accounts because hackers are known to use stolen or weak passwords from a massive data breach or from a password attack to deface your public profiles, commit identity fraud, steal your financial information, or send malicious messages or emails under your name.
Learn from the mistake of Facebook CEO Mark Zuckerberg who’s LinkedIn credentials were compromised in a massive data breach from 2012, which lead to a hacker group also compromising his Pinterest and Twitter pages; not to mention his password was “dadada“.
Here are 5 tips to help you create a strong password:
Create a password that is–at a minimum–8 characters long. Ideally, your password should be between 12-15 characters.
Create a memorable, yet complex password by using a password mnemonic or a passphrase. You can start with a phrase, sentence, song lyric, etc. that is meaningful to you, but wouldn’t make sense to an automated computer program. You can also add a few numbers and special symbols for complexity.
Use a mix of case-sensitive letters, numbers, and symbols, but you won’t get away with replacing an “S” with a “$” or changing an “A” to “@”. In reality, hackers and automated password attack programs are already one step ahead of you and can easily pick up on these patterns.
Struggling to remember your new password? Write down a hint–not your password–that will jog your memory, but will be meaningless to anyone else. Then, keep it in a safe place.
UPDATE (5th September 2018). Since we published our original report, Google has now resolved the underlying vulnerability. The latest update of Chrome (tested against version 69.0.3497.81) addresses the issue we highlighted in this blog, where credentials are auto-filled on unencrypted HTTP pages. This makes the attack require significantly more user interaction, in the same way that Firefox, Edge Internet Explorer and Safari do. This makes the exploit much closer to a phishing attack and much less likely to succeed.
It is important to note that the latest version of Opera is still vulnerable as of 2018-09-05, but will hopefully also be quickly patched. This is a positive response from Google and is great to see following our original report to them in March 2018.
As per our originally-proposed solution, it would also be great to see Microsoft adjust captive portals in Windows to behave in a similar way to those in MacOS (separate browser) and for router manufacturers to enforce HTTPS management by defaults on their devices. These changes would further limit this vector of attack.
Original Article:
During a recent engagement we found an interesting interaction of browser behaviour and an accepted weakness in almost every home router that could be used to gain access a huge amount of WiFi networks.
The browser behaviour relates to saved credentials. When credentials are saved within a browser, they are tied to a URL and automatically inserted into the same fields when they are seen again. The accepted home router weakness is simply the use of unencrypted HTTP connections to the management interfaces.
By combining these two components it was possible to gain access to various networks without cracking a single handshake, which is the currently most-used method of gaining access to a WPA/WPA2 network but requires a weak passphrase. The attack should work on most networks, but there are a few pre-requisites that need to be met for the attack to succeed:
There MUST be an active client device on the target network
Client device MUST have previously connected to any other open network and allowed automatic reconnection
Client device SHOULD* be using a Chromium-based browser such as Chrome or Opera
Client device SHOULD** have the router admin interface credentials remembered by the browser
Target network’s router admin interface MUST be configured over unencrypted HTTP
Without those five pre-requisites, the attack is not possible. However, those are all somewhat likely occurrences given that most browsers prompt users to save credentials automatically. The main pre-requisites that lower the likelihood are Chromium usage and saved router credentials, but this will still affect a huge number of people.
*Firefox, IE/Edge and Safari require significant user interaction, so attack does work, but is more of a social engineering based. With Chrome it is significantly more seamless. **If the router’s admin interface credentials are not saved, it is still possible to attempt to guess default values
It is also important to note that the attack has been demonstrated against home routers by extracting the WiFi key directly from the web interface. However, other devices can be targeted if they have a semi-predictable URL that is exposed over unencrypted HTTP. Many IoT devices fit into this category but none were specifically tested here.
Before getting to the meat of the attack, we are assuming that you are already familiar with the Karma/Jassager attack. Karma is used in part of the workflow and if you are not familiar with it, consider reading the following article:
Step 1. Bring the client device onto a network we control:
The first step is to start sending deauthentication requests with aireplay-ng and with the Karma attack using ‘hostapd-wpe’, both with an Alfa AWUS036NHA.
Step 2. Trigger the browser to load our URL:
We did this with ‘dnsmasq’ and a Python script. When we see a HTTP request, we create a response redirecting to our URL and serve our own page.
The URL and served page are different depending on the router we’re targeting. We can detect which URL/Page pair to send based on BSSID and ESSID or just take a guess, the range of options is limited anyway.
There are some extra options for redirection too. By default, we allow HTTPS through untouched and wait for an HTTP request. But if this is taking too long, triggering captive portal detection on Windows will automatically launch the default browser at a URL we specify. However, there are limitations to triggering a captive portal, primarily against MacOS, which launches a separate browser specific to dealing with captive portals, preventing us from accessing stored credentials.
Step 3. Steal the autocomplete credentials:
This is where things get interesting. When our page loads, the browser makes two initial checks.
Does our URL origin match the router’s admin interface origin (protocol & IP address/hostname)
Do the input fields on the page match what the browser remembers of the router’s interface
If these two checks pass, then the browser automatically populates our page with the saved credentials. In this case, the router’s admin details. Naturally these input fields are completely hidden from the target.
If the target is using Chrome, there is one more step: The Chromium feature “PasswordValueGatekeeper” requires a user to interact with the page in some way. A click anywhere on the page is fine, and after the click we can harvest the credentials.
If the target is using Firefox, Internet Explorer, Safari or Edge, then we can’t have the input fields hidden. The attack would still work, but only if the target clicks on our form field and select their credentials from the drop-down instead. At this point the attack is mostly social engineering.
But let’s not stop here, these credentials are almost useless right now. There’s even a good chance we might have guessed them before we even started the attack (for example, admin:password) but we can’t use them from our current position on the outside of the network.
Step 4. Send the target to their home WiFi
Once we have the credentials, we want the target to keep our page open just a little longer. At this point we stop our Karma attack, releasing the target back to their own network.
Once the target device is successfully connected back to their original network, our page is sitting on the router admin interface’s origin with the admin credentials loaded into JavaScript. We then login using an XMLHttpRequest and grab the PSK or make whatever changes we need. In most WiFi routers that we tested, we could extract the WPA2 PSK directly from the web interface in plaintext, negating the entire need to capture a handshake to the network. But if a router hides the key, we could enable WPS with a known key, create a new access point or anything else we can do from within the router’s interface.
We wouldn’t even need to know the HTML structure of the router’s interface. We could just grab the entire page DOM, send it home and extract anything useful by hand. Using BeEF Project it would also be possible to proxy through to the page, granting the attacker access to the router interface as if they were logged in directly.
Solution
Fundamentally this is just a flaw in the way origins are shared and trusted between networks. In the case of home routers, they are predictable enough to be a viable target.
The easiest solution would be for browsers to avoid automatically populating input fields on unsecured HTTP pages. It is understandable that this would lower usability, but it would greatly increase the barrier to credential theft.
The most complete solution would be to implement HTTPS with trusted keys and certificates on these devices. But this requires support for custom HTTPS certificates as well as your own certificate management infrastructure, in an enterprise this is commonplace but for home users this is extremely unlikely. Vendors might consider implementing HTTPS on their devices by default, but those keys could simply be stolen by anyone with one of the devices by reverse-engineering the firmware.
Microsoft could also make the process more difficult to exploit by using a separate captive portal browser instead of simply launching the default browser similar to how MacOS behaves.
Disclosure Timeline
Chromium:
SureCloud: Disclosed March 2nd
Chromium: Response Received March 2nd (“working as designed”)
Microsoft
SureCloud: Disclosed March 27th
SureCloud: Chase Sent April 13th
[Microsoft’s messages were all being flagged as spam]
Microsoft: Response Received May 25th (Clarification requested)
SureCloud: Clarification Sent June 4th
Microsoft: Case opened June 5th
Microsoft: Requested disclosure details June 6th
SureCloud: Clarification sent June 6th
Microsoft: Flagged for consideration, but no immediate action June 21st
Asus
SureCloud: Disclosed March 21st
Asus: Responded March 22nd (Discussing with engineers)
SureCloud: Discussing solutions April 4th
SureCloud: Sent notice to publish May 25th
Asus: Discussing solutions June 11th
SureCloud: Discussing solutions and notice to publish July 11th
Following the discussions with ASUS, it’s became clear we’d exhausted all options for ethical disclosure with this Proof of Concept.
References
While this was only discovered after disclosing to Chromium, someone named Chris had beaten us to the underlying idea. We have however taken it much further and demonstrated a real-world attack.
These are Proof of Concept only and the community will no doubt take this attack much further. The long-term goal is to build a module for the WiFi Pineapple to automate the attack, with this is expected in the coming months.
Video
Mitigations
As highlighted we are exploiting ‘by design’ features, which will hopefully change with public release of this article. However, in the meantime there are a few key steps that can be taken to help protect yourself:
Only login to your router using a separate browser or incognito session
Clear your browser’s saved passwords and don’t save credentials for unsecure HTTP pages
Delete saved open networks and don’t allow automatic reconnection
As it is nearby impossible to tell if this attack has already happened against your network, change your pre-shared keys and router admin credentials ASAP. Again, use a separate/private browser for the configuration and choose a strong key.
The Justice Department last week urged everyone with a small office home office (SOHO) or NAS device to reboot their gadgets immediately in order to thwart VPNFilter, a new strain of malware that can brick your router.
The FBI seized a domain used to send commands to the infected devices, but it can't hurt to reboot anyway.
As Symantec outlines, VPNFilter is "a multi-staged piece of malware." Stage 1 makes the connection, Stage 2 delivers the goods, and Stage 3 acts as plugins for Stage 2. "These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor."
VPNFilter "is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot," Symantec says.
Still, "rebooting will remove Stage 2 and any Stage 3 elements present on the device, [temporarily removing] the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers."
Those who believe they're infected should do a hard reset, which restores factory settings. Look for a small reset button on your device, though this will wipe any credentials you have stored on the device.
Below is a list of routers Symantec identified as vulnerable to VPNFilter. MikroTik tells Symantec that VPNFilter likely proliferated via a bug in MikroTik RouterOS software, which it patched in March 2017. "Upgrading RouterOS software deletes VPNFilter, any other third-party files and patches the vulnerability," Symantec says.
Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
"No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues," according to Cisco Talos, which first reported the bug.
To date, Cisco Talos estimates that at least 500,000 in at least 54 countries have been hit by VPNFilter.
The feds are pinning this attack on Fancy Bear, a hacking group also known as APT28 and Sofacy Group, among other monikers. The group is notorious for attacking governments across the world and stealing confidential files from the Democratic National Committee during the 2016 election.
There are 2 primary methods to hack passwords: Brute Force and Password Guessing. Of the 2, believe it or not, it is easier to guess someone’s password than to try every combination of letters, numbers and symbols. In a brute force attack, password attempts would progress from: a, b, c; to aa, ab, ac; to aaa, aab, aac; and so on.
The core question is not, “Can my password be hacked?”, but rather “How long would it take?”. That’s where password entropy comes into play for our (the user’s) benefit. Loosely defined, entropy is disorder. Since a brute force attack is a very orderly attack, the more disorder you have in your password = better.
Numbers Game With 5 lower case characters, an online attack would get your password right in an average of 1 hour, 21 minutes. However, by introducing say a capital letter, a number, and a special character, that time rises to around 1.5 months.
With 7 lower case characters, a brute force attack would consume ~3.2 months, but if you introduce those other random characters, it rockets up to an average of 11 centuries! Taking it even further, at 8 characters the online crack time goes to 1,000 centuries which is effectively long enough to be considered near impossible under current computing capabilities.
That said, if the hacker is able to do an offline, or massive cracking array scenario, the password can again be deduced in a matter of hours. As such, even though the typical minimum / safe password length is 8 characters, what you use as your password matters even more.
Simplicity Opens the Door Every attempt to get your password will begin with guessing. According to a released “hack file” of 5 million passwords, we know what the most common passwords are, so hackers will start there.
Cybercrime is growing ever more pervasive—and costly. According to researcher Cybersecurity Ventures, the annual cost of cybercrime globally will rise from $3 trillion in 2015 to $6 trillion in 2021. Enabling this boom are thriving marketplaces online, where hackers sell tools and services to criminals. Virtually anything is available for the right price, points out Andrei Barysevich, director of advanced collection (“a fancy name for ‘spy,’ ” he says) at threat intelligence firm Recorded Future. A former consultant for the FBI’s cybercrime team in New York, Barysevich trawled the shadiest corners of the web to compile the cybercrime shopping list above, exclusively for Fortune. In the market for some basic malware? It’ll cost you as little as $1.
Not so long ago, there was one and only way to protect the precious data riding around in your laptop: Connect an external drive (or, if you were really fancy, a network drive), then perform a complete system backup.
But is that really necessary anymore? It's time to inject some modern thinking into the old notions of PC backups. Here's what you should know:
It's all about the data
Think about what you're really trying to preserve in a backup. It's the data, right? Family photos, financial records, school papers, work documents -- stuff like that.
OK, but what about software? What about the operating system? A full-system backup lets you preserve these items in addition to your data, the idea being to let you restore everything in one fell swoop should disaster strike.
But, remember: What you really care about is the data.
Not all software needs to be backed up...
In the old days, when you bought software on CDs or even floppy disks, a full-system backup was logical, if only to avoid having to manually reinstall all those programs. Thanks to slow-loading media and comparatively slow PCs, that could be a long, torturous process.
But think about the software you use today. Some of it is probably web-based, meaning there's nothing to reinstall -- you just sign back into your, say, Google Docs account. As for local apps like CCleaner, Evernote, iTunes, Steam (and Steam games) and your antivirus software, you can quickly and easily re-download and reinstall them. (Even certain data is easily replaceable, like the PDF instruction manual you downloaded for your printer. Why bother backing that up?)
So make a little inventory list of the software you're using and see if there's anything that actually needs to be backed up. There might be exceptions, like commercial programs that give you only a one-time download option (video editor CyberLink PowerDirector comes to mind). Those downloads, if you have any, should definitely get backed up along with your other data.
...and neither does Windows (sort of)
Assuming you're running Windows 10 ($139.95 at Amazon.com), it's definitely a good idea to make a one-time backup of the OS in case you need it later. You can do this by running Microsoft's media-creation tool, which will put a copy of the OS onto a flash drive (5GB or larger).
Ah, but will you need it later? If you're having software-related issues with your PC (malwareinfestation, everyday Windows wonkiness), you can use Windows' Recovery tool to get a factory-fresh reset -- no external media required. But if you have to, say, replace a defunct hard drive, now you'll want that flash drive so you can reinstall Windows.
The dirty little secret of full-system backups
OK, but if that's the case, doesn't a full-system backup make more sense so you can do a full-system restoration? I'll argue no, for these reasons:
Full-system backups take time, even if you're just making incremental ones.
Full-system backups require large-capacity external drives, which cost money. You also need backup software. There are freeware options, but do you really want to trust your entire hard drive to a free program?
A full-system restore doesn't afford the benefits of a fresh Windows install; instead, you end up with all the same stray Registry keys and fragmented files that were dragging down the system before.
Full-system restores are notoriously inconsistent. In my experience, they just flat-out don't work sometimes. Contrast that with a fresh install of Windows, reinstalling your software and then restoring your data: Not much can go wrong with that.
Solution: Back up just your data
We've come full circle. These days, a full-system backup is of questionable value. That's because the only thing that really matters is your data -- and think about where that data lives.
On your hard drive, yes, but also in the cloud? All you need is a service like Amazon Drive, iCloud Drive, Google Drive or Microsoft OneDrive -- anything that automatically syncs your files to online storage.
Meanwhile, are there even photos on your PC anymore? If you're like many users, you take pictures with your phone, and that phone copies everything to the cloud. Likewise, are you still using your PC to manage a music collection? If you subscribe to the likes of Apple Music or Spotify, there's nothing you need to back up; all your songs and playlists live on those services.
Obviously there are exceptions, like if you have a large video library. Those files consume a lot of space, meaning cloud backup may not be practical. But I suspect many users just want to preserve office documents, tax records and the like, in which case a small amount of cloud storage easily gets the job done.
The big caveat
Many cloud services suffer from one considerable flaw: They won't protect you against ransomware and other forms of malware. The problem is that files corrupted on your PC will quickly get corrupted in the cloud as well, as part of the automated syncing process.
You can overcome that problem by keeping malware off your PC in the first place. But many security experts note that the best way to protect yourself is to make regular local backups of your data. (Just your data, mind you.) And here's the key: Make sure your backup includes older versions of your files. Because as with online backups, it's all too easy for infected files to overwrite clean ones, leaving your backup in the same condition as your hard drive.
Some backup services (including Carbonite, Dropbox and Google Drive) support versioning as well, though Google's implementation allows you to access only one file at a time -- just about useless if you have hundreds or even thousands of files to restore. And OneDrive keeps older versions only of Office files.
What are your thoughts on modern-day PC backups? Do you think archiving data alone is enough? Share your thoughts in the comments!
