Welcome to Cyber Threats 101! This is the fifth chapter in our A Busy College Student’s Guide to Online Security. We’ll begin by defining what password attacks are and share expert tips on how to avoid becoming a victim of these attacks.
What are password attacks?
Password attacks are methods that take advantage of stolen, weak and/or reused passwords used to protect online accounts. In fact, 81 percent of hacking-related breaches in 2016 were the result of an attacker leveraging stolen and/or weak passwords.
Hackers can use one or more strategies to “guess” or crack encrypted passwords, including brute force attacks, dictionary attacks, and keyloggers. Before we get into these attacks, you must first know what encryption is.
What is encryption?
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. It transforms data that you send across the Internet into a format which is only readable when in possession of a decryption key, which provides the code to decipher the encryption.
Brute Force Attacks take a “try-try again” approach to guess password possibilities using automation software. Starting with one-digit passwords, the program will continue to guess longer combinations of letters, numbers, and symbols.
What are dictionary attacks?
Dictionary Attacks are based on the idea that we love to use names, places, sports teams, slang, etc. in our passwords. This method also uses automation software to guess different password combinations based on commonly used words that could be found in the dictionary.
What are keyloggers?
Keyloggers are malicious programs hackers implant on a target’s computer system–commonly through phishing emails–and are used to track and record every keystroke you make. They can record passwords, social security numbers, phone numbers, and even your credit card information.
Why shouldn’t I reuse a password on multiple accounts?
You should avoid reusing the same password on multiple accounts because hackers are known to use stolen or weak passwords from a massive data breach or from a password attack to deface your public profiles, commit identity fraud, steal your financial information, or send malicious messages or emails under your name.
Learn from the mistake of Facebook CEO Mark Zuckerberg, whose LinkedIn credentials were compromised in a massive data breach from 2012, which led to a hacker group also compromising his Pinterest and Twitter pages; not to mention his password was “dadada”.
Here are 5 tips to help you create a strong password:
Create a password that is–at a minimum–8 characters long. Ideally, your password should be between 12-15 characters.
Create a memorable, yet complex password by using a password mnemonic or a passphrase. You can start with a phrase, sentence, song lyric, etc. that is meaningful to you, but wouldn’t make sense to an automated computer program. You can also add a few numbers and special symbols for complexity.
Use a mix of case-sensitive letters, numbers, and symbols, but you won’t get away with replacing an “S” with a “$” or changing an “A” to “@”. In reality, hackers and automated password attack programs are already one step ahead of you and can easily pick up on these patterns.
Struggling to remember your new password? Write down a hint–not your password–that will jog your memory, but will be meaningless to anyone else. Then, keep it in a safe place.
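A small check for the length and substitution tips above, added here as an example (it is not part of the original guide). The word list, the swap table and the function names are constructed for illustration; a real check would load a much larger list of common passwords.

```python
import re

# Constructed sample list; a real check would load a large common-password list.
COMMON_WORDS = {"password", "dadada", "letmein", "summer", "football", "princess"}

# Symbol-for-letter swaps that guessing tools already account for.
SWAPS = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l",
                       "3": "e", "5": "s", "!": "i", "7": "t"})


def base_words(password):
    """Return the plain words a password reduces to once swaps are undone."""
    lowered = password.lower()
    # Also consider the password with a trailing run of digits/symbols removed,
    # e.g. "Summer2018!" -> "summer".
    trimmed = re.sub(r"[\d\W_]+$", "", lowered)
    return {lowered.translate(SWAPS), trimmed.translate(SWAPS)}


def assess(password, wordlist=COMMON_WORDS):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than the 8-character minimum")
    elif len(password) < 12:
        findings.append("shorter than the recommended 12-15 characters")
    if base_words(password) & set(wordlist):
        findings.append("common word behind a simple swap or suffix")
    return findings


if __name__ == "__main__":
    for sample in ("dadada", "P@$$w0rd", "Summer2018!",
                   "purple-Tractor-eats-9-clouds"):
        print(sample, "->", assess(sample) or "no findings")
```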
UPDATE (5th September 2018). Since we published our original report, Google has now resolved the underlying vulnerability. The latest update of Chrome (tested against version 69.0.3497.81) addresses the issue we highlighted in this blog, where credentials are auto-filled on unencrypted HTTP pages. This makes the attack require significantly more user interaction, in the same way that Firefox, Edge, Internet Explorer and Safari do. This makes the exploit much closer to a phishing attack and much less likely to succeed.
It is important to note that the latest version of Opera is still vulnerable as of 2018-09-05, but will hopefully also be quickly patched. This is a positive response from Google and is great to see following our original report to them in March 2018.
As per our originally-proposed solution, it would also be great to see Microsoft adjust captive portals in Windows to behave in a similar way to those in MacOS (separate browser) and for router manufacturers to enforce HTTPS management by default on their devices. These changes would further limit this vector of attack.
Original Article:
During a recent engagement we found an interesting interaction of browser behaviour and an accepted weakness in almost every home router that could be used to gain access to a huge number of WiFi networks.
The browser behaviour relates to saved credentials. When credentials are saved within a browser, they are tied to a URL and automatically inserted into the same fields when they are seen again. The accepted home router weakness is simply the use of unencrypted HTTP connections to the management interfaces.
By combining these two components it was possible to gain access to various networks without cracking a single handshake, which is the currently most-used method of gaining access to a WPA/WPA2 network but requires a weak passphrase. The attack should work on most networks, but there are a few pre-requisites that need to be met for the attack to succeed:
There MUST be an active client device on the target network
Client device MUST have previously connected to any other open network and allowed automatic reconnection
Client device SHOULD* be using a Chromium-based browser such as Chrome or Opera
Client device SHOULD** have the router admin interface credentials remembered by the browser
Target network’s router admin interface MUST be configured over unencrypted HTTP
Without those five pre-requisites, the attack is not possible. However, those are all somewhat likely occurrences given that most browsers prompt users to save credentials automatically. The main pre-requisites that lower the likelihood are Chromium usage and saved router credentials, but this will still affect a huge number of people.
*Firefox, IE/Edge and Safari require significant user interaction, so the attack does work, but is more social-engineering based. With Chrome it is significantly more seamless.
**If the router’s admin interface credentials are not saved, it is still possible to attempt to guess default values.
It is also important to note that the attack has been demonstrated against home routers by extracting the WiFi key directly from the web interface. However, other devices can be targeted if they have a semi-predictable URL that is exposed over unencrypted HTTP. Many IoT devices fit into this category but none were specifically tested here.
Before getting to the meat of the attack, we are assuming that you are already familiar with the Karma/Jasager attack. Karma is used in part of the workflow and if you are not familiar with it, consider reading the following article:
Step 1. Bring the client device onto a network we control:
The first step is to start sending deauthentication requests with aireplay-ng and with the Karma attack using ‘hostapd-wpe’, both with an Alfa AWUS036NHA.
Step 2. Trigger the browser to load our URL:
We did this with ‘dnsmasq’ and a Python script. When we see an HTTP request, we create a response redirecting to our URL and serve our own page.
The URL and served page are different depending on the router we’re targeting. We can detect which URL/Page pair to send based on BSSID and ESSID or just take a guess; the range of options is limited anyway.
There are some extra options for redirection too. By default, we allow HTTPS through untouched and wait for an HTTP request. But if this is taking too long, triggering captive portal detection on Windows will automatically launch the default browser at a URL we specify. However, there are limitations to triggering a captive portal, primarily against MacOS, which launches a separate browser specific to dealing with captive portals, preventing us from accessing stored credentials.
Step 3. Steal the autocomplete credentials:
This is where things get interesting. When our page loads, the browser makes two initial checks.
Does our URL origin match the router’s admin interface origin (protocol & IP address/hostname)
Do the input fields on the page match what the browser remembers of the router’s interface
If these two checks pass, then the browser automatically populates our page with the saved credentials. In this case, the router’s admin details. Naturally these input fields are completely hidden from the target.
If the target is using Chrome, there is one more step: The Chromium feature “PasswordValueGatekeeper” requires a user to interact with the page in some way. A click anywhere on the page is fine, and after the click we can harvest the credentials.
If the target is using Firefox, Internet Explorer, Safari or Edge, then we can’t have the input fields hidden. The attack would still work, but only if the target clicks on our form field and selects their credentials from the drop-down instead. At this point the attack is mostly social engineering.
But let’s not stop here; these credentials are almost useless right now. There’s even a good chance we might have guessed them before we even started the attack (for example, admin:password) but we can’t use them from our current position on the outside of the network.
Step 4. Send the target to their home WiFi
Once we have the credentials, we want the target to keep our page open just a little longer. At this point we stop our Karma attack, releasing the target back to their own network.
Once the target device is successfully connected back to their original network, our page is sitting on the router admin interface’s origin with the admin credentials loaded into JavaScript. We then login using an XMLHttpRequest and grab the PSK or make whatever changes we need. In most WiFi routers that we tested, we could extract the WPA2 PSK directly from the web interface in plaintext, negating the entire need to capture a handshake to the network. But if a router hides the key, we could enable WPS with a known key, create a new access point or anything else we can do from within the router’s interface.
We wouldn’t even need to know the HTML structure of the router’s interface. We could just grab the entire page DOM, send it home and extract anything useful by hand. Using BeEF Project it would also be possible to proxy through to the page, granting the attacker access to the router interface as if they were logged in directly.
Solution
Fundamentally this is just a flaw in the way origins are shared and trusted between networks. In the case of home routers, they are predictable enough to be a viable target.
The easiest solution would be for browsers to avoid automatically populating input fields on unsecured HTTP pages. It is understandable that this would lower usability, but it would greatly increase the barrier to credential theft.
The most complete solution would be to implement HTTPS with trusted keys and certificates on these devices. But this requires support for custom HTTPS certificates as well as your own certificate management infrastructure. In an enterprise this is commonplace, but for home users it is extremely unlikely. Vendors might consider implementing HTTPS on their devices by default, but those keys could simply be stolen by anyone with one of the devices by reverse-engineering the firmware.
Microsoft could also make the process more difficult to exploit by using a separate captive portal browser instead of simply launching the default browser, similar to how MacOS behaves.
Disclosure Timeline
Chromium:
SureCloud: Disclosed March 2nd
Chromium: Response Received March 2nd (“working as designed”)
Microsoft
SureCloud: Disclosed March 27th
SureCloud: Chase Sent April 13th
[Microsoft’s messages were all being flagged as spam]
Microsoft: Response Received May 25th (Clarification requested)
SureCloud: Clarification Sent June 4th
Microsoft: Case opened June 5th
Microsoft: Requested disclosure details June 6th
SureCloud: Clarification sent June 6th
Microsoft: Flagged for consideration, but no immediate action June 21st
Asus
SureCloud: Disclosed March 21st
Asus: Responded March 22nd (Discussing with engineers)
SureCloud: Discussing solutions April 4th
SureCloud: Sent notice to publish May 25th
Asus: Discussing solutions June 11th
SureCloud: Discussing solutions and notice to publish July 11th
Following the discussions with ASUS, it became clear we’d exhausted all options for ethical disclosure with this Proof of Concept.
References
While this was only discovered after disclosing to Chromium, someone named Chris had beaten us to the underlying idea. We have however taken it much further and demonstrated a real-world attack.
These are Proof of Concept only and the community will no doubt take this attack much further. The long-term goal is to build a module for the WiFi Pineapple to automate the attack, with this expected in the coming months.
Mitigations
As highlighted, we are exploiting ‘by design’ features, which will hopefully change with the public release of this article. However, in the meantime there are a few key steps that can be taken to help protect yourself:
Only login to your router using a separate browser or incognito session
Clear your browser’s saved passwords and don’t save credentials for unsecure HTTP pages
Delete saved open networks and don’t allow automatic reconnection
As it is nearly impossible to tell if this attack has already happened against your network, change your pre-shared keys and router admin credentials ASAP. Again, use a separate/private browser for the configuration and choose a strong key.
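One way to act on the second mitigation is to audit a browser's exported password list for logins saved against unencrypted HTTP pages, with local devices such as routers listed first. This is an added example, not code from the original article. It assumes a CSV export with `url` and `username` columns (the layout Chrome and Firefox use for password exports), and the sample rows and function names are constructed.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the assumed export layout; the password column is
# never read by the audit.
SAMPLE_EXPORT = """\
name,url,username,password,note
router,http://192.168.1.1/login.htm,admin,x,
mail,https://mail.example.com/,student,x,
forum,http://forum.example.org/login,student,x,
nas,http://nas.local/,admin,x,
"""


def classify(url):
    """Return 'local-device', 'plain-http', or None when the entry is not at risk."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "http" or not host or host == "localhost":
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Hostname: treat single-label and .local/.lan names as local devices.
        local = "." not in host or host.endswith((".local", ".lan"))
    else:
        if ip.is_loopback:
            return None  # another network cannot serve the loopback address
        local = ip.is_private
    return "local-device" if local else "plain-http"


def audit(csv_text):
    """List saved logins tied to HTTP origins, local devices first."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        risk = classify(row.get("url") or "")
        if risk:
            flagged.append({"url": row["url"],
                            "username": row.get("username", ""),
                            "risk": risk})
    flagged.sort(key=lambda item: item["risk"] != "local-device")
    return flagged


if __name__ == "__main__":
    for entry in audit(SAMPLE_EXPORT):
        print(f'{entry["risk"]:12} {entry["username"]:10} {entry["url"]}')
```

Entries reported as local-device are the ones to delete from the browser first, followed by changing that device's admin credentials as described above.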
ENTERPRISE GRADE FIREWALL ROUTER FOR SAFER & SMARTER HOMES
Cybersecurity, Parental Controls & VPN Services For Your Home via Roqos Core routers. https://www.roqos.com/ Roqos VPN provides you a secure Internet experience by encrypting all your connections and routing them to your home router. You can browse safely from public Wi-Fi, access your connected devices in your home remotely, and enjoy streaming services while away from home.
Roqos Home app helps you setup and manage your Roqos Core Wi-Fi VPN router. Roqos subscription service comes with Roqos Core to help you take control of your home network and Internet access.
ENTERPRISE GRADE CYBERSECURITY A trusted cybersecurity technology that inspects the traffic on your network and automatically blocks threats traditional software or hardware solutions may not detect.
CONTENT FILTERS Control what your kids can access online by selecting from preset filter categories or creating your own custom filter lists.
SCHEDULES Set schedules to pause the Internet for your kids’ devices on certain days and times.
PAUSE INTERNET Instantly pause internet for family members with a single tap.
GUEST WiFi Share your internet securely with your guests. Text or email them a temporary access code valid for a number of days.
MANAGE CONNECTED DEVICES See a list of all devices connected to your network and control their access.
VPN-IN Securely connect to your home network from public networks anywhere in the world and access devices at home.
KIDS VPN Enforce all parental control filters and schedules on your kids’ devices even when they are away from home.
VPN-OUT Prevent your Internet Service Provider from collecting data on your usage by encrypting Internet traffic between Roqos Core and Roqos VPN servers.
COUNTRY BLOCK Restrict internet traffic from select countries to protect yourself from threats originating from those countries.
ALERTS Be in the know about what’s happening on your network via notifications sent to your phone and inbox.
As we bring more and more smart devices into our homes, we potentially open ourselves up to a variety of new risks with devices opening back doors into networks or falling prey to botnets.
German antivirus company Avira is launching a new approach to home security which needs no new infrastructure on the domestic network and no configuration done by the user.
SafeThings sits within the home router and works with cloud-based machine learning. Avira licenses the product to router manufacturers and internet service providers, enabling them to protect networks from misuse and to deliver value-added IoT security services directly to end users.
"At Avira, we have been at the forefront of Artificial Intelligence innovation for a decade, being the first vendor within the security industry to identify how to apply AI to our field and to do it," says Travis Witteveen, CEO of Avira. "We have a wealth of experience in protecting both the privacy of end-users and the security of their traditional devices. Today we stand alone in the cyber security industry with the introduction of Avira SafeThings, an innovative router app and behavioral threat intelligence platform that secures all IoT devices in the home. We've designed SafeThings to effectively solve the IoT vulnerabilities without being too invasive, expensive, or complicated for the end user -- and we've done this in a way that provides additional benefits for the internet service providers and router manufacturers."
SafeThings is made up of a number of modules. Protection Cloud builds category and individual device profiles to create device management and rule definitions and automatically protect the device functionality. By analyzing metadata on gateway traffic, no invasive deep packet inspections are needed.
The Sentinel module is a software agent positioned at the gateway to each smart home. Embedded in the firmware on the router, Sentinel fingerprints IoT devices and collects packet header metadata for AI analysis. After communicating with Protection Cloud, Sentinel enforces protection and communication rules.
A web-based user interface shows users in real time what each IoT device in their network is doing and enables them to see and modify firewall policies and device rules. There's also a Data Forefront API service that lets service providers and OEMs access and control SafeThings functionality, for example to drill down into specific details and control rules and actions to be taken in case of a compromised device.
It also allows for custom plugins to let SafeThings clients offer their end users additional security apps via a branded secure app store. These integrated services such as VPN or parental controls would operate at router level with management in the cloud.
"We see SafeThings as a 'B2B2C' product, providing consumers with the security and privacy protection they need while delivering it to them via the internet service providers and router manufacturers. As an embedded software solution, SafeThings is imminently flexible according to each client’s technical and marketing needs,” adds Witteveen.
Whether you are at home or in public, you might be looking for apps for finding Wi-Fi Hotspots. There are a ton of apps out there that can help you find Wi-Fi Hotspots. Since there are so many choices, we know that it can be difficult to find the best ones out of the thousands available. We thought we would tell you the best apps for finding Wi-Fi Hotspots.
These apps will all help you find where you can connect to the Internet from your mobile device without issues and for free. Read on to learn about the best apps for finding Wi-Fi Hotspots that you can begin using today for free Internet on mobile.
Top 5 Apps for Finding Wi-Fi Hotspots
WiFi Finder- WiFi Finder by SpeedSpot is on our list of the best apps for finding Wi-Fi Hotspots. This is a free app on iOS and Android and it allows you to find Wi-Fi anywhere. There is an Offline Map as well that allows you to see Wi-Fi even when disconnected. The app is crowdsourced, which is where all of the hotspots come from. That also means you are looking at the most reliable and up-to-date information possible.
You will be able to download the Wi-Fi hotspot map so that you can look at it while in offline mode as well. You can filter by location and by quickest connection. The database is huge so there is always going to be a list of several Wi-Fi hotspots no matter where you live or are at. There is a way to rate each hotspot by the speed and you can search based on numerous filters.
Wiffinity- Wiffinity is also on our list of the best apps for finding Wi-Fi Hotspots. This is a free Android and iOS app where you can find Wi-Fi anywhere. There are over 300,000 hotspots available in this app, which is more than most other Wi-Fi hotspot apps. You do not need to register for this app or sign up, which is really nice. There is also offline mode available so you can find the hotspots even while off the Internet.
Wiffinity is very simple to use and it will show you the database containing all of the hotspots and passwords. There are many countries that this app works for including Rome, Spain, Amsterdam, and Barcelona. The best part about Wiffinity is that the database is so expansive. There is literally not one location you cannot find a hotspot for using this app.
WiFi Magic by Mandic Passwords– If you are looking for one of the best apps for finding Wi-Fi Hotspots then look no further than WiFi Magic. This app is free on iOS and Android and is developed by Mandic Passwords. This app will contain all of the passwords for the Wi-Fi hotspots. It is great to use while out and about. Whether you are at Starbucks or a local hotel, you can use this app to find the password to get into the hotspot. No longer will you need to ask the staff anymore to get the password.
This app is community-based, which means people contribute and share Wi-Fi passwords. This is only for the public Wi-Fi networks though. You will not be able to access private networks with the app. There are purchases you can make in the app to remove the advertisements as well. This app will also help you find the local Wi-Fi hotspots in your area. It is very simple to use and Wi-Fi Magic really will leave you feeling as if you witnessed magic with how quick it is.
Avast Wi-Fi Finder- Avast Wi-Fi Finder also makes our list of the best apps for finding Wi-Fi Hotspots. This is a free app on iOS and Android and it allows you to find the secure Wi-Fi locations. You will find the public free hotspots using this app and all of the spots were verified beforehand by real people. This allows you to connect securely and safely to various Wi-Fi hotspots.
All of the Wi-Fi hotspots are reliable and you can check the speed and security of each network before you connect. If you are worried about security, this is one of the best apps for finding Wi-Fi Hotspots. There are security ratings, privacy warnings, and scans that are done on the networks to ensure they are safe. Definitely one of the best apps you can use on either Android or iOS to connect safely to public free Wi-Fi hotspots.
Hotspot Finder– Lastly, on our list of the best apps for finding Wi-Fi Hotspots we have Hotspot Finder. This app is free on iOS and it will tell you where all of the hotspots are near you. This app also has reviews and business information from Yelp for each location. You will be able to look at the map to see the various Wi-Fi hotspots and also search for a hotspot. You can choose to look at the hotspots in a list view as well, which is pretty cool.
This app is great because it will show you both the free Wi-Fi hotspots and the ones you will need to pay for. You will be able to look up a lot of different information with Hotspot Finder. With this app, you can also save the various hotspots that you want as a favorite. This allows you to quickly and easily access that hotspot again when you are in that area.