News
Hi friends,
Here we are with this week's newsletter. Some interesting research, some nice opinion pieces, and unfortunately also a list of breaches and issues. I hope you enjoy the read!
Also, a random extra shoutout to 1Password for making this newsletter possible, I'm really grateful to them for the support. Thanks 1Password!
Cheers,
"Blast-RADIUS": attack breaks 30-year-old protocol used in networks everywhere
It's quite a long and deep-diving article; I'll try to summarize it as well as possible:
- RADIUS is an authentication protocol that is old but still widely used.
- It makes use of MD5, which is highly problematic, and apparently no one really noticed until now.
- The researchers were able to come up with an attack where a man-in-the-middle can gain admin access to devices that use RADIUS to authenticate themselves.
- The researchers were able to execute the necessary hash collision in about five minutes, which isn't very practical considering RADIUS login sessions time out after 30 to 60 seconds. But they were using fairly modest hardware. With the right hardware, it would be a viable attack.
- It affects all authentication modes of RADIUS/UDP apart from those that use EAP (Extensible Authentication Protocol).
- In the long run, the only real fix is to use TLS for RADIUS communications (which has apparently been a work in progress for a long time).
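To make the weak spot concrete, here is an added Python example (not code from the article or the researchers) of the two integrity checks a RADIUS client can run on a server reply: the MD5 Response Authenticator that the summary above refers to, and the Message-Authenticator attribute (HMAC-MD5, RFC 2869), which the newsletter does not mention but which gives a reply a keyed check rather than a bare hash. The shared secret, identifier and packet contents are constructed for the example.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet layout: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes(TLV...)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_REPLY_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 18, 80

def attr(kind: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length counts the two header bytes)."""
    return bytes([kind, len(value) + 2]) + value

def header(code: int, ident: int, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs))

def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3. In plain
    RADIUS/UDP this bare hash is all that binds a server reply to its request."""
    return hashlib.md5(header(code, ident, attrs) + request_auth + attrs + secret).digest()

def message_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 2869 5.14)."""
    return hmac.new(secret, header(code, ident, attrs) + request_auth + attrs, "md5").digest()

def build_accept(request: bytes, extra_attrs: bytes, secret: bytes) -> bytes:
    """Server side: an Access-Accept for `request` that also carries a Message-Authenticator."""
    ident, request_auth = request[1], request[4:20]
    zeroed = extra_attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = message_authenticator(ACCESS_ACCEPT, ident, request_auth, zeroed, secret)
    attrs = extra_attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return header(ACCESS_ACCEPT, ident, attrs) + resp_auth + attrs

def verify_response(request: bytes, response: bytes, secret: bytes) -> dict:
    """Client side: check the identifier and MD5 Response Authenticator, then require a
    valid Message-Authenticator; 'missing' means the reply rests on the MD5 hash alone."""
    code, ident, request_auth, attrs = response[0], response[1], request[4:20], response[20:]
    want = response_authenticator(code, ident, attrs, request_auth, secret)
    result = {"id_match": ident == request[1], "message_auth": "missing",
              "response_auth_ok": hmac.compare_digest(want, response[4:20])}
    pos = 0
    while pos + 2 <= len(attrs):
        kind, length = attrs[pos], attrs[pos + 1]
        if kind == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            mac = message_authenticator(code, ident, request_auth, zeroed, secret)
            result["message_auth"] = "ok" if hmac.compare_digest(mac, attrs[pos + 2:pos + 18]) else "bad"
        pos += max(length, 2)  # a zero or one Length byte must not loop forever
    return result
```

A client policy that treats "missing" as a failure is what turns the HMAC attribute into an actual defence; a reply whose only protection is the MD5 Response Authenticator still verifies "ok" on that field.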
Linksys Velop routers send Wi-Fi passwords in plaintext to US servers
"During routine installation checks, they detected several data packets being transmitted to an AWS server in the US. These packets included the configured SSID name and password in clear text, identification tokens for the network within a broader database, and an access token for a user session". Ouch. Even worse, Linksys has had time to respond and fix this since November 2023 but has failed to do so.
The president ordered a board to probe a massive Russian cyberattack. It never did.
Interesting opinion piece on how a proper review of the SolarWinds hacks could have mitigated, if not prevented, the later hacks on Microsoft by the Chinese.
An interesting idea in the article, which I hadn't heard before, is to implement a cyber equivalent of the National Transportation Safety Board, the independent agency required to investigate every major aviation accident. That would definitely be worthwhile.
As Cyber Command evolves, its novel malware alert system fades away
Pleasant write-up of how US Cyber Command came to share malware samples publicly, how it performs "Hunt Forward" missions to scour foreign networks for malware in use elsewhere, and how that data is now shared with the community.
Quick links
- Google Advanced Protection Program gets passkeys for high-risk users: link.
- Cloudflare blames recent outage on BGP hijacking incident: link.
- Europol says Home Routing mobile encryption feature aids criminals: link.
- US disrupts AI-powered bot farm pushing Russian propaganda on X: link.
- CISA urges devs to weed out OS command injection vulnerabilities: link.
- Critical infrastructure organizations want CISA to dial back cyber reporting: link.
Breaches and leaks
- RansomHub says it published Florida health department data: link.
- Roblox vendor data breach exposes dev conference attendee info: link.
- Evolve Bank says data breach impacts 7.6 million Americans: link.
- City of Philadelphia says over 35,000 hit in May 2023 breach: link.
- Fujitsu confirms customer data exposed in March cyberattack: link.
- Neiman Marcus data breach: 31 million email addresses found exposed: link.
- Hackers leak 39,000 print-at-home Ticketmaster tickets for 154 events: link.
- Computer maker Zotac exposed customers' RMA info on Google Search: link.
- Hacktivists release two gigabytes of Heritage Foundation data: link.
- Debt collection agency says data breach affected more than 4 million people: link.
- ‘Serious hacker attack’ forces Frankfurt university to shut down IT systems: link.
- Shopify denies it was hacked, links stolen data to third-party app: link.
Issues and fixes
- GitLab: Critical bug lets attackers run pipelines as other users: link.
- Microsoft July 2024 Patch Tuesday fixes 142 flaws, 4 zero-days: link.
- New Eldorado ransomware targets Windows, VMware ESXi VMs: link.
- RCE bug in widely used Ghostscript library now exploited in attacks: link.
- Windows MSHTML zero-day used in malware attacks for over a year: link.
- Hackers target WordPress calendar plugin used by 150,000 sites: link.
Implement passwordless logins into your app in seconds
Solid security shouldn't have to come at the expense of a great user experience. That's why Passage by 1Password provides a passwordless auth service that allows you to implement passkey logins in your app or website with just a few lines of code. (Sponsored)