News & Information for Technology Purchasers NewsFactor Sites:     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
This ad will display for the next 20 seconds. Please click for more information, or scroll down to pass the ad, or Close Ad.
Home Enterprise I.T. Cloud Computing Applications Hardware More Topics...
APC Free White Paper
Optimize your network investment &
Enter to win a Samsung Galaxy Note
Enterprise I.T.
Fiercely productive scanners
Average Rating:
Rate this article:  
Microsoft Warns of Windows Phone 8 Wi-Fi Weakness
Microsoft Warns of Windows Phone 8 Wi-Fi Weakness

By Jennifer LeClaire
August 6, 2013 2:33PM

    Bookmark and Share
The issue is that Microsoft committed one of the cardinal sins of security: it took a good idea (encryption), implemented it badly in Windows Phone 7.8 and Windows Phone 8 operating systems and then released it to the market, said Kevin O'Brien, an enterprise solution architect at CloudLock.

Microsoft is warning consumers with smartphones that sport the Windows Phone 7.8 and Windows 8 mobile operating systems that they could be open for attack.

Hackers could exploit a weakness in the Wi-Fi authentication process, known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), to access the user's log-on credentials.

"In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device," the company said in a security advisory. "Microsoft is not currently aware of active attacks or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary."

Intercepting Encrypted Credentials

Here's how an attacker-controlled system could exploit the weakness: First, the system poses as a known Wi-Fi access point. This charade would cause the targeted device to automatically attempt to authenticate with the access point. That, in turn, would allow the attacker to intercept the victim's encrypted domain credentials.

At that point, an attacker could exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to grab the victim's domain credentials. Finally, those credentials could be used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on the network.

We caught up with Kevin O'Brien, an enterprise solution architect at CloudLock, to get his take on the exploit. He told us the pivot point is cryptographic weakness.

"We've seen this particular type of vulnerability before, including from Microsoft, whose ASP.NET framework had a similar issue a few years ago," O'Brien said. "We've seen it recently, in the now well-known Cryptocat exploit. And we'll see it again. 

As O'Brien sees it, the issue is that Microsoft committed one of the cardinal sins of security: it took a good idea (encryption), implemented it badly and then released it to the market.

"What went wrong in the MS-CHAPv2 example here is that the protocol relies largely upon smoke and mirrors to appear confusing, either intentionally or due to a lack of understanding on the behalf of the original coders," O'Brien said. "As a result, the entire protocol is compromised, and it should cease to be used in favor of the far more robust open-source alternatives in the market today."

A Recipe for Mass Compromise

Mike Gross, Global Risk strategy director at 41st Parameter, told us the lesson: most mobile devices, by default, enable convenient access to known Wi-Fi and other networks, so users need to be aware of these settings and how they can protect themselves. (continued...)

1  |  2  |  Next Page >


Tell Us What You Think


APC has an established a reputation for solid products that virtually pay for themselves upon installation. Who has time to spend worrying about system downtime? APC makes it easy for you to focus on business growth instead of business downtime with reliable data center systems and IT solutions. Learn more here.

 Enterprise I.T.
1.   Malware Targets Facebook Users
2.   Zebra Buys Motorola Enterprise Biz
3.   NSC Backs Disclosing Vulnerabilities
4.   Salesforce To Dominate S.F. Skyline
5.   Heartbleed Bug Could Disconnect IoT?

Malware Targets Facebook Users
iBanking app spys on communications.
Average Rating:
Zebra Buys Motorola Enterprise Biz
Pays $3.45B in all-cash deal.
Average Rating:
Google Glass Finds a Home in Medicine
Hands-free information access a boon.
Average Rating:
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Google's Street View Software Unravels CAPTCHAs
The latest software Google uses for its Street View cars to read street numbers in images for Google Maps works so well that it also solves CAPTCHAs, those puzzles designed to defeat bots.
Canadian Teen Arrested for Heartbleed Hack
One week after the OpenSSL Heartbleed vulnerability was unveiled, Canadian authorities have made the first arrest -- a London, Ontario teenager -- connected to exploiting the security hole.
IBM Offers Security, Disaster Recovery as SoftLayer Service
New disaster recovery and security services for SoftLayer clients are being added by IBM. Big Blue said the new capabilities will speed cloud adoption by alleviating concern over business continuity.

Enterprise Hardware Spotlight
Vaio Fit 11A Battery Danger Forces Recall by Sony
Using a Sony Vaio Fit 11A laptop? It's time to send it back to Sony. In fact, Sony is encouraging people to stop using the laptop after several reports of its Panasonic battery overheating.
Continued Drop in Global PC Shipments Slows
Worldwide shipments of PCs fell during the first three months of the year, but the global slump in PC demand may be easing, with a considerable slowdown from last year's drops.
Google Glass Finds a Home in Medical Education, Practice
Google Glass may find its first markets in verticals in which hands-free access to data is a boon. Medicine is among the most prominent of those, as seen in a number of Glass experiments under way.

Mobile Technology Spotlight
Google Releases Chrome Remote Desktop App for Android
You're out on a sales call, and use your Android mobile device to grab a file you have back at the office on your desktop. That's a bit easier now with Google's Chrome Remote Desktop app for Android.
Amazon 3D Smartphone Pics Leaked
E-commerce giant Amazon is reportedly set to launch a smartphone after years of development. Photos of the phone, which may feature a unique 3D interface, were leaked by tech pub BGR.
Zebra Tech Buys Motorola Enterprise for $3.45B
Weeks after Lenovo bought Motorola Mobility’s assets from Google for $2.91 billion, Zebra Technologies is throwing down $3.45 billion for Motorola’s Enterprise business in an all-cash deal.

NewsFactor Network
Home/Top News | Enterprise I.T. | Cloud Computing | Applications | Hardware | Mobile Tech | Big Data | Communications
World Wide Web | Network Security | Data Storage | Small Business | Microsoft/Windows | Apple/Mac | Linux/Open Source | Personal Tech
Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters | XML/RSS Feed

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.