A serious issue has been found in the WPA2 protocol, which is likely to affect most wireless clients (like your phone): https://www.krackattacks.com/

Hmmm… I'll have to try testing this when I get back home. I have my neighbor's wifi password and he has mine as we're on different provider so when one loses "the signal" it all still works, but we did test "juniper" scheme on breaking WPA2. It actually hits the router's admin id key itself and it worked both on him and on me although our routers are from different manufacturer.
This seems to be a completely different method.

As usual, I don't care about phones and phone vulnerabilities so won't bother with that.

Wow, that's a big one. Technically, if you use WiFi at home or office, you should now treat your network as if it were fully open to the internet. Until every relevant device that forms part of the network is patched, you rely entirely upon the internal security of your devices to secure your traffic. Unless you are using something like Kerberos to encrypt and manage access to your network resources, you are wide open.

As a general rule, I recommend using a low power PC as a router, running something like PFsense, which will be swiftly patched. As a friend of mine in network security said to me, "friends don't let friends use consumer routers."

As a stopgap measure, I'm configuring my server to allow access only through VPN, even for internal traffic.

So much for protocol design (!) - although I suppose it did go unnoticed for a long time… The article I glanced at earlier said they idn't think it had been exploited as yet (of course, now that everyone knows….)

The usual practice for white-hat hacker organisations is to inform the big players ahead of time to prepare the patches, before going public. They consider it a sort of ethical balancing act - allow an opportunity for the fix to be prepared, but not waiting too long so as they are keeping known vulnerabilities from the public.

This is a huge deal, as many wifi networks uses WPA2 (including my home and work networks).

Hopefully this can be fixed with software and firmware patches on routers and devices without having to buy new equipment.

Sounds like the standard needs to be updated as well.

My router is so old there probably won't be a fix. There is some DD-WRT firmware from September. Maybe they will update it again, soon.

Yeah, mine too. It's about 10 years old.

Apparently, the vulnerability is "patched" in windows, Microsoft fixed it:
https://www.theverge.com/2017/10/16/…curity-patches

I'm not yet clear on whether the flaw can be fixed in a one-sided manner; whether it can be mitigated by one party in the exchange honouring the fix, or if it requires all parties to be correct.

I depends on who is providing the key.

They do say that the client devices need to be patched. Having an unpatched client on a patched router does not make you safe. As you could still end up connecting to the attackers router.
The attacker cannot get your info when your client is patched, even when you connect to the attacker’s router.
Having both patched is the best solution if I understood it correctly as it prevents the man-in-the middle attack that is needed for this.

This is more critical in cities where you can scan lots of devices and less critical in the country where no one is near you. I think that is obvious. The reason these vulnerabilities are such a big deal is that while only a few people can craft the hack (the fellow delivery groceries or paving the street isn't going to know beans about this crap); script hacks are developed by those with financial intererest and then distributed to low paying grunt workers who have no clue what they are doing to collect data. Sort of like google folks for doing street views. They just hire drivers who stick devices on their car and drive around for a few bucks. They don't have to know that the devices are collecting passwords from random wifi signals :)

This article just told me that oon December 12 "IP traffic" got redirected "to and from" "Apple, Google, Facebook, Microsoft, Twitch, NTT Communications und Riot Games" towards an Russian provider through "BGP-Hijacking" :
https://www.heise.de/newsticker/meld…t-3919524.html

Seemingly old problems are still there.

Good find. This is an issue with BGP. It happens both intentionally as per the article (usually Russia) and unintentionally (a couple of years ago Pakistain tried to block some social networks and accidentally published the BGP change that was intended to be local).

Trouble is, so much of the internet architecture was built with security as an afterthought. Much of it is still a house of cards, and it'll be a long time before we close up all the easy vulnerabilities.

Well in the case of BGP (like smtp) it was not built per sey. It was a lab experiment. Security wasn't an issue in the lab test :)

… Like 640 k being enough for everyone .. -.. …

And this is what makes me REALLY worried : Scientists developing things without doing REAL thinking abnout its implications … To me, it's nothing more than children's play … Here we do need so much more philosophers and deep thinkers - but on the othger hand both are heavily frowned upon in nature sciences.

I think you are a little bit off your rocker. First this wasn't science it was engineering. Second the person 'inventing' these protocols didn't know they were inventing a protocol to be used by others.

It is sort of like you buying a few wires and resisters. Putting them together and discovering an interesting tool. THen your neighbor sees this tool and makes it available to the public without understanding the full implicatins of the tool limits.

Around 1990 the first worm was let loose by accident. The intention was to show the lack of security in the internet but instead of understanding what had happen the politiicans locked him up and threw away the key (the worm did nothing harmful but because is was too effective it did shut down some systems due to load issues).

There are always unscrupulous people out there will will abuse technology for their own gain without regard to the downsides. An easy quick buck to use a developed technology that doesn't actually meet all the security requirements.