It is currently Sat Dec 16, 2017 4:23 am

All times are UTC - 7 hours


Please visit our local business partnersSite Terms of ServicePrivacy Policy
Allroos Cactus Jack's Saloon and Grill Dan Smith, Loan Officer Evergreen, Conifer Elevation Dental El Rancho Brewing Co. Evergreen Towing Ferellgas Lynn Brown Nerium RE/MAX Alliance Evergreen Tree Top Thai Massage & Spa Tupper's Team

 




Post new topic Reply to topic  [ 7 posts ] 
Author Message
PostPosted: Mon Oct 16, 2017 7:20 am 
Offline
User avatar

Joined: Mon Jul 14, 2014 7:05 pm
Posts: 5488
Quote:
Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping
ArsTechnica, Dan Goodin - 10/15/2017, 10:37 PM

An air of unease set into the security circles on Sunday as they prepared for the disclosure of high-severity vulnerabilities in the Wi-Fi Protected Access II protocol that make it possible for attackers to eavesdrop Wi-Fi traffic passing between computers and access points.

The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that's scheduled for 8am Monday, East Coast time. A website disclosing the vulnerability said it affects the core WPA2 protocol itself and is effective against devices running the Android, Linux, Apple, Windows, and OpenBSD operating systems, as well as MediaTek Linksys, and other types of devices. The site warned attackers can exploit it to decrypt a wealth of sensitive data that's normally encrypted by the nearly ubiquitous Wi-Fi encryption protocol.

"This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."

"Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations," the researchers explained. "For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps."

The researchers went on to say that the weakness allows attackers to target both vulnerable access points as well as vulnerable computers, smartphones and other types of clients with differing levels of difficulty... According to a researcher who has been briefed on the vulnerability, it works by exploiting a four-way handshake that's used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.
(full article) https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping

This is actually a really big deal, and is almost certainly a vulnerability that was designed right in at figurative gunpoint of tyrants and monsters.


Top
 Profile  
 
PostPosted: Mon Oct 16, 2017 4:36 pm 
Offline
User avatar

Joined: Tue Jan 27, 2015 7:28 pm
Posts: 5236
Location: My Safe Space
Woody the windows expert doesn't think it is that big a deal.

https://askwoody.com/2017/krack-attach- ... t-falling/


Top
 Profile  
 
PostPosted: Mon Oct 16, 2017 4:46 pm 
Offline
User avatar

Joined: Mon Jul 14, 2014 7:05 pm
Posts: 5488
Woody sounds like an idiot to me, but then, perhaps his situational awareness simply sucks rotten eggs. This is huge, actually, in the security world. Not because anyone should have been relying upon WPA2 for security, but because it continues to confirm a growing certainty that someone's been poisoning the well of network security in a quite brazen, extreme, and destructive fashion.

But hey, this is just demonstrating to us all exactly why it is unassailable truth that Edward Snowden was and is a countrywide hero, true patriot, and literal Godsend for the True and Actual United States of America as well as the civilized world of humanity. People like him who raise the alarm are like angels come to protect Earth and God's creation.


Top
 Profile  
 
PostPosted: Mon Oct 16, 2017 5:21 pm 
Offline
User avatar

Joined: Tue Jan 27, 2015 7:28 pm
Posts: 5236
Location: My Safe Space
Nah, no idiot at all. Been reading Woody's posts for years, very helpful info for captive windoze users.

Whatever. Carry on.

Thou sham'st the music of sweet news By playing it to me with so sour a face. Were I like thee I'd throw away myself. Out of my sight! Thou dost infect my eyes. j/k

:lol:


Top
 Profile  
 
PostPosted: Mon Oct 16, 2017 6:27 pm 
Offline
User avatar

Joined: Mon Jul 14, 2014 7:05 pm
Posts: 5488
I feel like you're sort of telling me to appeal to the stone by not addressing the merits of what I said, which is a fallacy they say.


Top
 Profile  
 
PostPosted: Tue Oct 17, 2017 5:30 am 
Offline
User avatar

Joined: Tue Jan 27, 2015 7:28 pm
Posts: 5236
Location: My Safe Space
ChromaKey wrote:
This is actually a really big deal, and is almost certainly a vulnerability that was designed right in at figurative gunpoint of tyrants and monsters.


I guess I was mostly referring to your conclusion about the designers of WPA2...

The WPA2 standard was IEEE 802.11i—the Wi-Fi Alliance industry working group. So this entire industry working group of experts and peer reviewers was apparently corrupted by your imaginary tyrants and monsters? Yikes! :lol:

https://www.wired.com/story/krack-wi-fi ... erability/


Top
 Profile  
 
PostPosted: Tue Oct 17, 2017 7:40 am 
Offline
User avatar

Joined: Mon Jul 14, 2014 7:05 pm
Posts: 5488
joeschmo wrote:
So this entire industry working group of experts and peer reviewers was apparently corrupted

Hey, award this kid a gold star. I think they just noticed something. We call that something a "National Security Letter" lately, but you really only need one good operative in the organization, if they have the right level of access and privilege/trust. Now repeat this idea across every large open source project or US-based technological firm or international corporation that wants access to US markets, and you begin slowly to comprehend the scope of this issue. Good morning, here, smell the coffee.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 7 posts ] 

All times are UTC - 7 hours


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
POWERED_BY