Week 12: Introduction to Wireless Security with WEP and WPA2 PSK

Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak

Due to a cloud misconfiguration users of a popular reservation platform threaten travelers with identity theft, scams, credit-card fraud and vacation-stealing. The misconfigured Amazon Web Services S3 bucket. Revealed the records include sensitive data and credit-card details. The Prestige Software’s “Cloud Hospitality” is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com.

The company was storing years of credit-card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks, “The S3 bucket contained over 180,000 records from August 2020 alone. Many of them related to hotel reservations being made on numerous websites, despite global hotel bookings being at an all-time low for this period.”

 

 

This weeks reading talks about XML Services. XML Web services are the fundamental building blocks in the move to distributed computing on the Internet. Open standards and the focus on communication and collaboration among people and applications XML Web Services expose useful functionality to Web users through a standard Web protocol. In most cases, the protocol used is SOAP. XML Web services provide a way to describe their interfaces in enough detail to allow a user to build a client application to talk to them. This description is usually provided in an XML document called a Web Services Description Language (WSDL) document. XML Web services are registered so that potential users can find them easily. This is done with Universal Discovery Description and Integration (UDDI).

Researchers has found vulnerabilities in WPA 3 that could be used by an attackers to gain the password for the Wi-Fi (Khandelwal, 2019). WPA is used to authenticate the device using a  AES (Advanced Encryption Standards) protocol. It is being designed to prevent attackers from performing eavesdropping attack on wireless data. WAP 3 has been designed to b secure than WPA 2.  WPA 3 uses a more secure handshake than WAP 2. Which is known as Dragonfly. It aim is to protect the Wi-Fi network from an offline directory attack.  There are two types of attack that can be performed: downgrade attack and second to side channel leaks.

 

References:

Khandelwal, S. 2019. Security Flaws in WPA3 Protocol Let Attackers Hack WiFi Password. Retrieved from: https://thehackernews.com/2019/04/wpa3-hack-wifi-password.html

 

 

XML Web Services Security and Web-based Application Security

• XML web services operate over standard protocols/technologies
  • XML, HTTP, TCP/IP, SMTP
  • De Facto today is HTTP protocol
• Web-based services: vulnerabilities within infrastructure
  • ex. web application published, the entire world is invited to send HTTP requests
  • attacks can be buried and past firewalls/filters/platform/intrusion detection
  • Defenses used can be parameter validation on
    • The data type (string, integer, real, etc) ·
    • Allowable character set
    • Minimum and maximum length
    • Whether a null is allowed or not
    • Whether the parameter is required or not
    • Whether duplicates are allowed
    • Numeric ranges · enumerated values · specific patterns
    • etc

Discussion  Questions:

1. What web-based services do you use most commonly in your day-to-day operations?
2. Have you encountered a situation where a web-based vulnerability were exploited?

ICE Operations Arrests 113 Child Predators

The United States and Brazil have been working together to arrest 113 people suspected of producing and sharing Child Sexual Abuse Material.

US Immigration and Customs Enforcement, Homeland Security, and Brazil Ministry of Justice and Public Security made arrests through the US and South America during Operation Protected Childhood. OPC VII was a team that worked with the Cyber Crimes Center to find perpetrators in Brazil, Argentina, Paraguay, and Panama. Similarly in the US, HSI has executed 13 child exploitation search warrants and has made 9 arrests for child exploitation offenses. Many criminals were suspected of posting CSAM content on the social media app, KIK. Other apps such as Facebook Messenger and Twitter supplied information helping make these arrests. Since the launch of operation OPC, the operation has helped make 781 arrests and 1383 search warrants have been executed due to their findings. Dozens of minors were rescued a well.

 

https://www.infosecurity-magazine.com/news/ice-operation-arrests-113-child/

Intro-to-Ethical-Hacking-Week-12

Microsoft is urging users to abandon telephone-based multi-factor authentication (MFA) solutions like one-time codes sent via SMS and voice calls and instead replace them with newer MFA technologies.  Alex Weinert, Director of Identity Security at Microsoft said in a blog post last year that users who enabled multi-factor authentication (MFA) ended up blocking around 99.9% of automated attacks against their Microsoft accounts.  SMS and voice calls are transmitted in cleartext and can be easily intercepted by determined attackers, using techniques and tools like software-defined-radios, FEMTO cells, or SS7 intercept services.  SMS-based one-time codes are also phishable via open source and readily-available phishing tools like Modlishka, CredSniper, or Evilginx.  Weinert goes on to say that users should enable a stronger MFA solution for their accounts, recommending Microsoft’s Authenticator MFA app as a good starting point.  But if users want the best, they should go with hardware security keys, which Weinert ranked as the best MFA solution in a blog post he published last year.

https://www.zdnet.com/article/microsoft-urges-users-to-stop-using-phone-based-multi-factor-authentication/