MS-CHAPv2 Can Be Cracked

This post is a bit technical and isn’t for everyone. I still want to include it because it could help someone, someday.

MS-CHAP v2 is an authentication protocol used to secure VPNs and some wireless networks. It’s commonly used with PPTP VPNs and sometimes with WPA2 wireless networks. For the past few years it was considered secure as long as it was used with a strong password (a complicated password).

Today some researchers at a security conference demonstrated how to crack it in one day. They demonstrated that they can decrypt all data sent across the VPN or over WiFi.

So if you’re setting up a network and come across the MS-CHAP v2 setting, remember that as of today it’s no longer secure. It’s not even slightly secure, or better than nothing. If someone wants to view your encrypted VPN or WiFi traffic and you use MS-CHAP v2 then they can, with very little effort. Full details on cracking MS-CHAP v2 are here.

130 Million Credit Cards

There’s an interesting news article here about someone who stole 130 million credit card numbers and was later arrested for it. The interesting points are:

  • 130 million is a large number. How many people live in your city? Or country? He operated in the USA, and I don’t have any stats on how many credit cards there are in the USA but it’d be somewhere around half of all credit cards. The more you think about this the less secure you’ll feel about your own credit card number.
  • All this data was sold to hackers in various cities and countries (California, Illinois, Latvia, the Netherlands and Ukraine). So even though he was arrested the data’s been compromised already.
  • There’s nothing you or I could have done to protect ourselves from people like this. He stole the numbers from businesses (such as restaurants) that store the numbers on their databases, not from people’s home computers.
  • He wasn’t a sophisticated hacker; he just looked for businesses with wireless networks and weak security (read here on how to secure a wireless network the right way) and installed malware to do the work.

Businesses should be doing more to keep their data safe. A lot of the time they just don’t have the skills or budget to spend on network security (especially non-technology businesses such as restaurants). Yet there’s a moral obligation to do so. What can we do about that?

You should also be watching your own credit card accounts regularly. Internet banking makes it easy to check your account details every couple of nights from home. By doing so you’ll notice compromised accounts early and can get the card cancelled. Just make sure your computer is safe when you log onto internet banking sites (read here and here for some good tips).

The full article on this incident is here. It’s a bit long but an interesting read.

Beware Of Fake Obama News

A lot of people are talking about Barack Obama; it seems to be a big news topic right now. Scammers have taken advantage of the media hype and have started publishing fake news sites.

These fake news sites are designed to get your attention and get you to go to their web page. Their web page then attempts to install malware on your PC.

Some of the fake headlines include:

  • Barack Obama has refused to be a president
  • Haven’t you heard latest news about our president-elect?
  • Barack Obama abandoned sinking ship
  • Obama doesn’t wany [sic] anymore to be a president

These fake sites have a professional look and feel. If you don’t have a good anti virus package installed it’s very likely your PC will become infected and you won’t know about it. The infection forms part of a botnet, meaning it’s under the control of someone else and will be used to commit online crimes.

So be cautious about these fake news articles. It’s highly unlikely that Obama has changed his mind at this stage. Use a good anti virus package that also scans web sites. And don’t use Internet Explorer; start using one of the popular alternative browsers such as Firefox, Opera, Chrome, or Safari.

Whenever something big happens in the news there are people that will always take advantage with made-up sensational headlines, designed to trick you into opening their web pages.

Key Duplication

Here’s an interesting use of technology to copy someone’s keys (the metal kind that opens doors). It works by someone taking a high-resolution photo of your keys, then enhancing the image enough to make a template for someone to cut a copy of the key.

What kind of photos will work?

Useful photos can be found on photo sharing web sites (such as Facebook or Flickr). This is a passive way for someone to find an image of your keys.

Another tactic is for someone to target you with a camera phone, taking photos of your keys while you hold them. Or with a camera and a telescopic lens, from 200 feet away as the article below suggests.

This isn’t really a new trick, but the software to do all the hard work is new. Technology like this only gets better so it’s time to learn how to protect yourself.

Some tips:

  • If you upload photos showing your keys then take the time to blur the keys first. This is similar to how you would blur your car number plate, or a credit card
  • Don’t display any keys in public. It wouldn’t be hard to obscure them with your hands
  • If you have a choice (such as when purchasing a car) opt for something that uses RFID chips embedded in the keys (many cars have this these days)

Read more about the technique here, and read the full paper here.

Is WPA Still Secure?

There was a media announcement recently from a Russian company called Elcomsoft claiming to be able to crack WPA encryption. What’s this about and how does it affect you?

WPA is the preferred encryption for wireless networks, the kind you probably have at home or in the office. Here’s a quick recap of where WPA fits in:

  • WEP – the old wireless security option. This is useless, it provides no real security.
  • WPA – this replaced WEP. Some old devices didn’t support it but most new ones do. WPA is good, highly recommended.
  • WPA2 – this is better than WPA

So what did Elcomsoft do?
They developed a way to speed up the time it takes to crack WPA and WPA2 encryption. Here’s a short summary:

  • If you use a short password, say 10 letters long, it used to take 579,000 years to crack. With this new technology it would now take 5793 years, or 5 years if they purchase 1000 of these machines dedicated to hacking into your wireless network (at a cost of over $1m of hardware).
  • If you use a good password, e.g. 20 characters long, it will now take 10,000,000,000,000 years to crack, or shorter if you have thousands of computers working together on this.

In other words the article is mostly hype. Making something 100 times faster doesn’t mean much when we’re talking about trillions of years.

The short version is: use WPA/WPA2 and a long password when configuring your wireless network. Use at least 20 characters.
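As an added illustration (not code from the original article or from Elcomsoft), the Python below shows why length beats a hardware speedup: it derives the WPA/WPA2 pre-shared key the standard way (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and counts how many extra characters cancel out a given speedup. The guess rate and the 62-symbol alphabet are assumptions chosen for the example, not the figures behind the numbers quoted above.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK master key from passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    # Every guess costs 4096 HMAC-SHA1 iterations, and the SSID acts as the
    # salt, so the same passphrase gives a different key on another network.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def years_to_exhaust(length: int, alphabet: int, guesses_per_sec: float) -> float:
    """Worst-case years needed to try every passphrase of exactly this length."""
    return alphabet ** length / guesses_per_sec / SECONDS_PER_YEAR


def extra_chars_to_offset(speedup: int, alphabet: int) -> int:
    """Fewest added characters whose keyspace growth matches or beats a speedup."""
    extra = 0
    while alphabet ** extra < speedup:
        extra += 1
    return extra


if __name__ == "__main__":
    RATE = 50_000   # assumed baseline guesses per second (not from the article)
    ALPHABET = 62   # assumed character set: a-z, A-Z, 0-9
    print("PMK for a constructed sample network:",
          wpa_pmk("correct horse battery", "ExampleSSID").hex())
    for length in (10, 12, 20):
        for speedup in (1, 100, 100_000):
            years = years_to_exhaust(length, ALPHABET, RATE * speedup)
            print(f"{length:2d} chars, {speedup:>7,}x faster: {years:.3g} years")
    # A 100x speedup, or 100x on each of 1000 machines, costs the defender
    # only a handful of extra characters.
    for speedup in (100, 100_000):
        print(f"{speedup:,}x is cancelled by",
              extra_chars_to_offset(speedup, ALPHABET), "extra characters")
```

With these assumptions, a 12-character passphrase attacked 100 times faster still takes longer than a 10-character one attacked at the original speed.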

What I’ve written above applies to small networks such as home or small offices. For large networks you should be using a technology called RADIUS together with WPA; this is much more secure, extremely hard to crack, and of course more complicated and expensive to install and maintain.

ClickJacking Exploit

A rather serious exploit has recently been discovered.

It’s called ClickJacking. The problem is in Adobe’s Flash player, which just about everyone in the world has installed (sometimes without even knowing it). 

The vulnerability makes it possible for someone to control your computer’s webcam or microphone, letting other people spy on you. It’s a serious problem.

Who’s at risk?

Anyone who has Flash version or earlier is at risk. This includes Windows, Mac, and Linux users, and Firefox, IE, Safari, Chrome, and Opera users (does this list include you?)

What can you do to protect yourself?

Adobe is publishing a fix very soon and the best thing to do is to upgrade to the latest version of Flash. Flash should prompt you to download an update – say yes to this. Otherwise download the latest version from Adobe’s web site.

If for some reason you can’t update Flash on your PC there’s another way to protect yourself (this is a last resort tactic, updating Flash is much safer). The workaround is to set the Always Deny option, as detailed here on Adobe’s site.

Further info:

Someone has gone to the trouble of setting up a sample of how the exploit works and recorded a video to demonstrate. Play the YouTube video in this article.

Skype in China

People in China using Skype, or people elsewhere using Skype to talk to people in China, should be aware that some conversations are being monitored by the Chinese government. This article explains how this was recently exposed.

The system listens for sensitive terms (mostly political subjects) and logs conversations that meet this requirement. This works differently to how the Germans are doing it.

Unsecured Wireless Routers

Here’s what happens when you don’t take proactive steps to secure your wireless router (or wireless network). Recently there were a series of terrorist bomb attacks in India, and threat emails were sent by the terrorists.

The source of the emails was traced and they came from the home of an innocent family in Mumbai (India). The terrorists had used their unsecured wireless network to gain access to the internet and do their thing. The residents said,

“We did not feel the need to secure or password-protect our internet connection. But now it has become a necessity for all citizens to secure their connections”

This stuff really happens, read the full article here.

So how do you secure your wireless router? What other consequences can you face for leaving it unsecured? Read our previous article. In fact, use the search box on the top right of this site and search for “wireless” – there’s a lot to learn about wireless security at home and in the office.

Keep in mind that when you buy new (or old) wireless equipment such as a wireless router, the security settings are almost always set to the most insecure options. That’s crazy, but manufacturers think that turning on security by default makes it too hard for people to install these things. Maybe, but most people are lazy and don’t turn on the security features, putting them at risk of being hacked or involved in serious crime.

Large Hadron Collider Malware

As always people who write and distribute malware take advantage of popular news stories. This time there’s a fake link to a video about the Large Hadron Collider (a new science project). If you attempt to watch the video it asks you to download a plugin (it says that you need to download it in order to view the video).

We’ve mentioned this before: you don’t normally need to download plugins to view videos on the web.

If you see an email or web post with the following then ignore it; it just asks you to install a malicious plugin:

“This thing rocks! By the way, you can watch “Large Hadron Collider” start video report at http://*** Pretty interesting, isn’t it?”