Wi-Fi Protected Setup - Pixie Dust Attack. An offline bruteforce attack that leaves certain routers vulnerable. Works for Boardcom and Ralink chipset based Wi-Fi routers.
Apache Kafka for Cybersecurity and SIEM / SOAR ModernizationKai Wähner
Data in Motion powered by the Apache Kafka ecosystem for Situational Awareness, Threat Detection, Forensics, Zero Trust Zones and Air-Gapped Environments.
Agenda:
1) Cybersecurity in 202X
2) Data in Motion as Cybersecurity Backbone
3) Situational Awareness
4) Threat Intelligence
5) Forensics
6) Air-Gapped and Zero Trust Environments
7) SIEM / SOAR Modernization
More details in the "Kafka for Cybersecurity" blog series:
https://www.kai-waehner.de/blog/2021/07/02/kafka-cybersecurity-siem-soar-part-1-of-6-data-in-motion-as-backbone/
M-Trends® 2010: The Advanced Persistent ThreatFireEye, Inc.
The inaugural M-Trends report details threat intelligence learned while conducting intrusion investigations for the U.S. government, the defense industrial base, and commercial organizations. This report focuses on the Advanced Persistent Threat (APT), and outlines trends, techniques, and real details of how the APT successfully compromises any target it desires. For the latest M-Trends report, visit https://www.fireeye.com/mtrends
Malware and Anti-Malware Seminar by Benny CzarnyOPSWAT
Benny Czarny presented an introduction to malware and anti-malware to computer science students at San Francisco State University. The presentation introduced the concept of malware, types of malware, and methods for detecting malware. Benny provided examples of historical malware and illustrations of the difficulties that security vendors face in detecting threats.
Database firewall is a useful tool that monitor databases to identify and protect against database specific attacks that mostly seek to access sensitive information stored in the databases. However the commercial database firewalls are expensive and needs specific product knowledge, while the opensource database firewalls are designed for specific opensource database servers.
In order to fulfill the need of inexpensive database firewall, Snort - an opensource IDS/IPS - is possible to achieve the goal in some scenarios with familiar rule writing. The paper will explain the limitation of Snort as a database firewall, constraints in commercial database statement and some example implementation.
Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE
Industroyer is the first ever malware specifically designed to attack power grids. This unique and extremely dangerous malware framework was involved in the December 2016 blackout in Ukraine. What sets Industroyer apart from other malware targeting infrastructure, such as BlackEnergy (a.k.a. SandWorm), is its ability to control switches and circuit breakers directly via 4 different industrial communication protocols.
In addition to explaining why Industroyer can be considered the biggest threat to industrial control systems since the infamous Stuxnet worm, we will take a look at the 2016 power outage in the context of the other numerous cyberattacks against Ukrainian critical infrastructure in the recent years.
As the protocols and hardware targeted by Industroyer are employed in power supply infrastructure, transportation control systems, and other critical infrastructure systems, like water and gas, worldwide, the malware can be re-purposed to target vital services in other countries. This discovery should serve as a wake-up call for those responsible for security of these critical systems.
Anton Cherepanov
Anton Cherepanov is currently working at ESET as Senior Malware Researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine. His research was presented on numerous conferences, including Virus Bulletin, CARO Workshop, PHDays, and ZeroNights. His interests focus on reverse engineering and malware analysis automation.
Róbert Lipovský
Róbert Lipovský is Senior Malware Researcher in ESET’s Security Research Laboratory, with 10 years’ experience with malware research. He is responsible for malware intelligence and analysis and leads the Malware Research team in ESET’s HQ in Bratislava. He is a regular speaker at security conferences, including Black Hat, Virus Bulletin, and CARO. He runs a reverse engineering course at the Slovak University of Technology, his alma mater and the Comenius University. When not bound to a keyboard, he enjoys sports, playing guitar and flying an airplane.
Apache Kafka for Cybersecurity and SIEM / SOAR ModernizationKai Wähner
Data in Motion powered by the Apache Kafka ecosystem for Situational Awareness, Threat Detection, Forensics, Zero Trust Zones and Air-Gapped Environments.
Agenda:
1) Cybersecurity in 202X
2) Data in Motion as Cybersecurity Backbone
3) Situational Awareness
4) Threat Intelligence
5) Forensics
6) Air-Gapped and Zero Trust Environments
7) SIEM / SOAR Modernization
More details in the "Kafka for Cybersecurity" blog series:
https://www.kai-waehner.de/blog/2021/07/02/kafka-cybersecurity-siem-soar-part-1-of-6-data-in-motion-as-backbone/
M-Trends® 2010: The Advanced Persistent ThreatFireEye, Inc.
The inaugural M-Trends report details threat intelligence learned while conducting intrusion investigations for the U.S. government, the defense industrial base, and commercial organizations. This report focuses on the Advanced Persistent Threat (APT), and outlines trends, techniques, and real details of how the APT successfully compromises any target it desires. For the latest M-Trends report, visit https://www.fireeye.com/mtrends
Malware and Anti-Malware Seminar by Benny CzarnyOPSWAT
Benny Czarny presented an introduction to malware and anti-malware to computer science students at San Francisco State University. The presentation introduced the concept of malware, types of malware, and methods for detecting malware. Benny provided examples of historical malware and illustrations of the difficulties that security vendors face in detecting threats.
Database firewall is a useful tool that monitor databases to identify and protect against database specific attacks that mostly seek to access sensitive information stored in the databases. However the commercial database firewalls are expensive and needs specific product knowledge, while the opensource database firewalls are designed for specific opensource database servers.
In order to fulfill the need of inexpensive database firewall, Snort - an opensource IDS/IPS - is possible to achieve the goal in some scenarios with familiar rule writing. The paper will explain the limitation of Snort as a database firewall, constraints in commercial database statement and some example implementation.
Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE
Industroyer is the first ever malware specifically designed to attack power grids. This unique and extremely dangerous malware framework was involved in the December 2016 blackout in Ukraine. What sets Industroyer apart from other malware targeting infrastructure, such as BlackEnergy (a.k.a. SandWorm), is its ability to control switches and circuit breakers directly via 4 different industrial communication protocols.
In addition to explaining why Industroyer can be considered the biggest threat to industrial control systems since the infamous Stuxnet worm, we will take a look at the 2016 power outage in the context of the other numerous cyberattacks against Ukrainian critical infrastructure in the recent years.
As the protocols and hardware targeted by Industroyer are employed in power supply infrastructure, transportation control systems, and other critical infrastructure systems, like water and gas, worldwide, the malware can be re-purposed to target vital services in other countries. This discovery should serve as a wake-up call for those responsible for security of these critical systems.
Anton Cherepanov
Anton Cherepanov is currently working at ESET as Senior Malware Researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine. His research was presented on numerous conferences, including Virus Bulletin, CARO Workshop, PHDays, and ZeroNights. His interests focus on reverse engineering and malware analysis automation.
Róbert Lipovský
Róbert Lipovský is Senior Malware Researcher in ESET’s Security Research Laboratory, with 10 years’ experience with malware research. He is responsible for malware intelligence and analysis and leads the Malware Research team in ESET’s HQ in Bratislava. He is a regular speaker at security conferences, including Black Hat, Virus Bulletin, and CARO. He runs a reverse engineering course at the Slovak University of Technology, his alma mater and the Comenius University. When not bound to a keyboard, he enjoys sports, playing guitar and flying an airplane.
Anti-Forensics: Real world identification, analysis and preventionSeccuris Inc.
Reliance on forensic investigation of information systems has become a daily requirement for law enforcement and security practitioners around the world.
Effective evidence collection and analysis is the foundation of any investigation; identification of suspects, motives and methods demand the acquisition of the largest amount information that evidence can provide us. Anti-Forensics – Real world identification, analysis and prevention will discuss how criminals, attackers, non-enlightened investigators all have the ability to impact the amount useful information we have at our disposal. Michael will show the audience real world scenarios detailing how Anti-forensics tools are used to
hide and destroy incriminating evidence, outlining common anti-forensic techniques. This will be followed by discussion of hands-on identification and prevention
practices used to raise awareness around current academic research and identify potential solutions for practitioners and law enforcement organizations.
This talk was presented in NULL Delhi chapter meet in 2014, as an insight into the world of PCI (Payment Card Industry) and the 12 requirements of PCI DSS
Continuous and Visible Security Testing with BDD-SecurityStephen de Vries
This presentation makes the case for adapting security requirements and processes to those used by developers. Specifically, it advocates the use of BDD (Given/When/Then) specifications to create self-verifying security requirements.
You've heard of infrastructure as code, with the BDD-Security framework, we can now write security-processes-as-code.
Honeypot is an exciting new technology with enormous potential for the security community.It is resource which is intended to be attacked and compromised to gain more information about the attacker and his attack techniques.
VoIP (Voice Over IP) güvenliği nasıl sağlanmaktadır?İsmail ŞEN
Bu konuda VOIP teknolojisinin temelleri, çalışma mantığı, kullanım kolaylıkları ve bu kullanım kolaylıklarının getirdiği zafiyetlerin incelenmesi, ortaya çıkan güvenlik açıklarının ortadan kaldırılması veya kaldırılamıyorsa kabul edilebilir seviyeye indirgenmesi konuları işlenmektedir. VOIP güvenlik protokollerinin, yeterince güvenlik sağlayıp sağlamadığı konularının yanı sıra, VOIP Güvenliğinin, fiziksel güvenlikten, ağ güvenliğine kadar birçok güvenlik önlemini de beraberinde getirdiği uygulamalarla anlatılmıştır.
Anti-Forensics: Real world identification, analysis and preventionSeccuris Inc.
Reliance on forensic investigation of information systems has become a daily requirement for law enforcement and security practitioners around the world.
Effective evidence collection and analysis is the foundation of any investigation; identification of suspects, motives and methods demand the acquisition of the largest amount information that evidence can provide us. Anti-Forensics – Real world identification, analysis and prevention will discuss how criminals, attackers, non-enlightened investigators all have the ability to impact the amount useful information we have at our disposal. Michael will show the audience real world scenarios detailing how Anti-forensics tools are used to
hide and destroy incriminating evidence, outlining common anti-forensic techniques. This will be followed by discussion of hands-on identification and prevention
practices used to raise awareness around current academic research and identify potential solutions for practitioners and law enforcement organizations.
This talk was presented in NULL Delhi chapter meet in 2014, as an insight into the world of PCI (Payment Card Industry) and the 12 requirements of PCI DSS
Continuous and Visible Security Testing with BDD-SecurityStephen de Vries
This presentation makes the case for adapting security requirements and processes to those used by developers. Specifically, it advocates the use of BDD (Given/When/Then) specifications to create self-verifying security requirements.
You've heard of infrastructure as code, with the BDD-Security framework, we can now write security-processes-as-code.
Honeypot is an exciting new technology with enormous potential for the security community.It is resource which is intended to be attacked and compromised to gain more information about the attacker and his attack techniques.
VoIP (Voice Over IP) güvenliği nasıl sağlanmaktadır?İsmail ŞEN
Bu konuda VOIP teknolojisinin temelleri, çalışma mantığı, kullanım kolaylıkları ve bu kullanım kolaylıklarının getirdiği zafiyetlerin incelenmesi, ortaya çıkan güvenlik açıklarının ortadan kaldırılması veya kaldırılamıyorsa kabul edilebilir seviyeye indirgenmesi konuları işlenmektedir. VOIP güvenlik protokollerinin, yeterince güvenlik sağlayıp sağlamadığı konularının yanı sıra, VOIP Güvenliğinin, fiziksel güvenlikten, ağ güvenliğine kadar birçok güvenlik önlemini de beraberinde getirdiği uygulamalarla anlatılmıştır.
Веб-уязвимости и безопасность данных:
- Почему важно понимать основы веб-разработки несмотря на стремительное развитие технологий
- Клиент-серверные взаимодействия и уязвимости HTTP протокола
- Как найти веб-уязвимости, а также самые распространенные ошибки веб-приложений
- Способы защиты данных и пользователей
- Использование man-in-the-middle, и почему нельзя доверять публичным Wi-Fi точкам доступа
Видео запись доклада https://www.youtube.com/watch?v=w0kMtXAQiaY
Примеры кода https://goo.gl/9DJI5c
Сканирование уязвимостей со вкусом Яндекса. Тарас Иващенко, Яндексyaevents
Тарас Иващенко, Яндекс
Администратор информационной безопасности в Яндексе. Специалист по информационной безопасности, проповедник свободного программного обеспечения, автор Termite, xCobra и участник проекта W3AF.
Тема доклада
Сканирование уязвимостей со вкусом Яндекса.
Тезисы
В докладе будет рассказано о внедрении в Яндексе сканирования сервисов на уязвимости как одного из контроля безопасности в рамках SDLC (Secure Development Life Cycle). Речь пойдет о сканировании уязвимостей на этапе тестирования сервисов, а также о сканировании сервисов, находящихся в промышленной эксплуатации. Мы рассмотрим проблемы, с которыми столкнулись, и объясним, почему в качестве основного механизма решили выбрать открытое программное обеспечение (сканер уязвимостей w3af), доработанное под наши нужды.
- Out of box: базовые настройки современных роутеров?
- Почему на коробке написано 300Mb/s а реальная скорость около 140Mb/s?
- Сколько роутеру нужно антенн?
- Несколько способов борьбы с соседями;
- Шифрование, скрывать имя сети или нет?
How to Hack WPA/WPA2 Wi Fi with Kali Linux. Kali Linux can be used for many things, but it probably is best known for its ability to penetration test, or “hack,” WPA and WPA2 networks.
Warning..!! WIFI hacking is illegal. "This ppt is only for educational purposes. I am not responsible for any consequences."
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...Positive Hack Days
Integrated services by telecom operators and Unified Communications technology promise a quick payback and great convenience. However, it was discovered from practice that VOIP and IPPBX services can cause many problems, first of all relating to information security and fraud. What information security issues can arise for a company if Unified Communications are used? VOIP/PBX/MGW broken in 60 seconds - is it possible? Effective methods and practicalities of Unified Communications security will be discussed.
The goal of the workshop is to provide a hands-on introduction to key pen-testing tools and concepts that white-hat and black-hat hackers utilize to find and exploit vulnerabilities in real-world embedded devices.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Enhancing Performance with Globus and the Science DMZGlobus
ESnet has led the way in helping national facilities—and many other institutions in the research community—configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
The Metaverse and AI: how can decision-makers harness the Metaverse for their...Jen Stirrup
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
2. Myself
Sumit Shrivastava – Security Analyst @ Network Intelligence India Pvt. Ltd.
2.5+ years of work experience in the field of Digital Forensics and Assessment
Certifications
Computer Hacking and Forensics Investigator v8, EC-Council
Certified Professional Forensics Analyst, IIS Mumbai
Certified Professional Hacker NxG, IIS Mumbai
Certified Information Security Consultant, IIS Mumbai
Certified Information Security Expert – Level 1, Innobuzz Knowledge Solutions
Once upon a time Android and Web Developer
3. Today’s takeaway
Introduction to WPS
Terminology
WPS Pin Formats
WPS Negotiation Process
Types of attacks on WPS
Diving into Pixie Dust
P0wning the WiFi Router - Demonstration
4. Introduction to WPS
Wi-Fi Protected Setup (WPS, Wi-Fi Simple Config)
Uses PIN Method to secure wireless home network
Created by Wi-Fi Alliance, introduced in 2006
Goal – to allow the home users, who know very little about the wireless security, to add
new devices
Major security flaw revealed in December 2011
Allowed brute-force the WPS Pin
SEVERELY BROKEN PROTOCOL!!!
5. Terminology
Enrollee: A device seeking to join a WLAN domain
Registrar: An entity with the authority to issue WLAN credentials
External Registrar: A registrar that is separate from the AP
AP: An infrastructure mode 802.11 Access Point
Note:- AP and client device may change roles i.e. AP acts as Enrollee and Client Device acts
Registrar, when WPS is used to configure the access point
6. WPS Pin
A WPS Pin looks like
This is what your Wi-Fi Router has
at its back label
8. WPS Negotiation
Process
M1 – 128-bit random nounce
generated by Enrollee
(N1||PKE)
M2 – 128-bit random nounce
generated by Registrar
(N1||N2||PKR||Auth).
Auth = HMAC (M1||M2)
M3 – E-Hash1 (E-
S1||PSK1||PKE||PKR) OR E-
Hash2 (E-
S2||PSK2||PKE||PKR)
9. Type of Attacks on WPS
Online Brute-force
Offline Brute-force
Physical Attack
10. Diving into Pixie Dust
What you require?
Hashes -> E-Hash1 and E-Hash2
Public Keys -> PKE, PKR
Authkey
E-Nounce (Enrollee Nounce)
Flaw is in the E-S1 and E-S2 generation which are Psudo-Random Numbers
Dominique Bongard, found many AP use insecure PRNG
Broadlink -> c.rand()
Ralink -> E-S1 and E-S2 are never generated, hence they are always 0
If PRNG state is recovered, E-S1 and E-S2 can be calculated
PSK1 and PSK2 can be calculated from E-Hash1 and E-Hash2
To successfully complete this attack, negotiation should complete within 1 second