Tuesday, 29 July 2014

Researcher to Demonstrate Poor SSL Implementations Using Pineapple WiFi

Pineapple WiFi hacking
A leading provider of advanced threat, security and compliance solutions, Tripwire, has announced thatCraig Young, a security researcher from its Vulnerability and Exposure Research Team (VERT), is working on a paper about SSL vulnerabilities that will be presented at DEF CON 22 Wireless Village.

There are thousands of websites over Internet that contain serious mistakes in the way that Secure Sockets Layer and Transport Layer Security (SSL/TLS) is implemented, leaving them vulnerable to man-in-the-middle (MitM) attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information.

MitM attack is one of the common and favorite techniques of attackers used to intercept wireless data traffic. Cyber criminals could able to intercept sensitive user data, including credit card numbers, PayPal credentials and social network credentials as well.

Young has unearthed various situations where poor SSL implementations in combination with inbuilt weaknesses in the 802.11 WiFi standards result in certain flaws that can be easily exploited by attackers with “devastating real-world consequences”.

Researcher has also created a short video that demonstrates how a Pineapple WiFi can be easily hacked and exploited “to abduct, stalk, spy on or even physically harm unsuspecting victims.

The WiFi Pineapple, Linux powered and runs the open-source Karma Wi-Fi attack program, is a small self-contained appliance designed to help security researchers conduct penetration testing in an unobtrusive manner. Since 2008, WiFi Pineapple has been serving penetration testers, law enforcement, military and government with a versatile wireless auditing platform for almost any deployment scenario.
In the conference, Young will give explanation on:
  • A general strategy for confirming that an SSL-based application performs appropriate certificate validation
  • How to recognize and examine trust manager implementations within a compiled Android APK
  • What types of applications are most at-risk
  • Tactics to minimize exposure to 802.11 protocol design flaws, which enable man-in-the-middle attacks
Craig Young is an award-winning cyber security expert, who has uncovered multiple router security holes, Google authentication vulnerabilities, and has filed numerous CVEs. He is currently working in a team of expert security researchers at VERT, a team dedicated to ensuring Tripwire customers have the most extensive protection possible.

Just a week back, a data forensic expert and security researcher detailed a number of undocumented features in Apple iOS devices at the Hackers On Planet Earth (HOPE X) conference held in New York on Friday.

The allegation by the researcher that iOS contains a “backdoor” permitting third parties to potentially gain access to large amount of users' personal data, provoked Apple to give a strong response.

Reference- http://thehackernews.com/

No comments:

Post a Comment