Or let’s just call this, “Scary Notes From the Field” One of the things I like about working on Hacker Highschool (HHS) is talking with the people who are helping us build it, and who are teaching it. How often do you get to compare notes with another teacher on turning a room full of teenagers loose with Ettercap? What could go wrong? I’m lucky to have a strong tolerance for experimentation. But sometimes the things I hear are outright dismaying.

“I’m visiting another school for a competition,” one popped up in a chat window. “I thought I’d see if I could boot to my Linux USB stick. Which was no sweat. No BIOS protection.”

“Now, now,” I typed back. “Don’t go being a bad example.”

“But I was able to mount the Windows partition. And do the Sticky Keys renaming trick. And reboot to Windows, get a shell, create a user, add to the Admins group,” he wrote, making me very uneasy.

“Do they have an IT person? Maybe you should talk to them.” Because that’s one of our most important lessons: let the right people know, if you’re able to do something you shouldn’t. One truly brilliant HHS student did exactly that, from India, notifying the CIA about a vulnerability he found. Think about that: would you be willing to do the same from within the US? This young man was both not stupid and very lucky, because he was then suddenly employed with a certain major search engine.

“I did,” wrote back Teacher X. “He said he’s not worried about it, because the students don’t know how to do that kind of thing.”

Cue the flashing lights, sirens, bells. If Teacher X was there with his students, there absolutely WERE students there who knew how to do that sort of thing.

“Uh, please don’t do anything else,” I begged.

Should I (or the school’s IT guy) worry about this kind of thing? Do we really need to lock down classroom computers? Of course you should just do what everybody else does because things like Rio Rancho Hackers could never happen twice. Or like most security professionals, you probably didn’t do anything devious or sneaky in high school.

Feeling cautious yet?

Much more than weak BIOS protection, though, what dismays me is the attitude (much, much too common), that there’s no issue there. There certainly is. And it’s not the BIOS password. It’s the attitude of the caretakers. If this is how we’re running systems in direct contact with some of the most dangerous creatures Nature has ever made, designed with logical decision making to be the last feature they develop. So are we really taking security seriously?

Within 24 hours I was talking with another contributor, this one a Raspberry Pi pro who has helped us set up Fedora on the Pi. Are you familiar with the Fedora Security Spin, or Fedora spins in general? While there are Kali images for Pi, let’s just ponder for a second the wisdom of turning teenagers loose with Kali. It’s not that I don’t trust the kids (by default I don’t), but that I am leery of a tool with so many moving parts, that does so much back-channel communication, being brought into so many networks. Not to be too paranoid, but if you were planning a galactic-scale trojan, wouldn’t a “pen testing” distro be just a keen way to do it? That’s why we steer our students, and teachers, to FSS (File Sharing System).

In any case our contributor was tinkering with getting promiscuous mode working, a problem we solved quickly. Except then he called me back. “Hey, check this out: I’m just sitting here with my Pi, and it’s telling me somebody in my building has an access point running WPA.”

“Yeah, it’s crap,” I agreed. “But that should only last a couple of minutes.”

“You’d think so. Except I’ve been watching it. And it’s staying on. And now it’s not the only one.”

“Wait a minute, are you getting prompted for a PIN?” I asked with a seriously sinking feeling.

“Yup,” he said. “And … I just found the default PIN online.”

“Oh. You. Are. Kidding.”

“I’ve got at least a half dozen more. All Q1000 routers. And get this: they all use the same PIN.”

Let me pull a curtain of charity over the language that followed. But it took me mere minutes with DuckDuckGo.com to find that this issue has been known since at least 2012, that many Actiontec and Linksys DSL gateways have no way to turn off WPS, and that the default Q1000 PIN is completely ridiculous. It’s the worst password since Bashir Assad’s 12345.

And this is what Qwest has shipped to thousands of users.

I’ll spare Qwest, Actiontec, Linksys and all the others further basting with my broad brush of shame. But when manufacturers and huge corporations leave holes big enough to drive a semi-truck through, and users are obviously oblivious to these weaknesses, and IT staff drinks it down with a big glass of don’t care, it suggests that our general position on security is: We’re not worried about it. And that is a serious problem.

A business is supposed to take care of the people they employ or the customers that visit. If a store mops the floor they need to put out that slippery when wet triangle. When a kitchen cooks food they’re supposed to make sure nobody get sick from it. This isn’t just legal stuff, it’s how you retain employees and customers by not harming them. So why doesn’t this include data and networks?

It pays to remember some of the best advice I’ve seen on cracking WPA and WPA-2 keys: Don’t bother. Identify the model of the gateway, then find an exploit or a vulnerability on it instead. Of course, we’re all depending on these great WPA keys to keep our networks safe, and that’s a trust in a single authentication control, which has it’s own issues. Unfortunately, there’s another trust to be analyzed: the trust you place in your gateway firmware, which is an entirely separate appsec issue.

At ISECOM we take trust analysis seriously and we particularly look for exposed or unsafe interactions. A DSL gateway with a known PIN and WPS that you can’t turn off is offering an interaction to anyone that drives by. Or any kid that knows how to use Reaver.

So what are you going to do at the enterprise scale? Enterprise equipment should always be able to disable WPS, or won’t have it at all. But home equipment is a serious problem, especially if you’re connecting to corporate.

No matter what, your due diligence needs to include determining you’re not using a wildly vulnerable piece of hardware, and ensuring it allows only the interactions you specifically want, which is to say—no one should be able to break your wicked encryption by cracking an 8-digit PIN. You’ll want some other features, but in the meantime go check your ISP gateway device.

The views and opinions reflected in this article are my own and do not represent Norse’s positions or strategies.

The post Serious Security, Scary Notes From the Field appeared first on Darkmatters.

… Read Original Article At Dark Matters