|
Your donations keep RPGWatch running!
RPGWatch Forums » General Forums » Tech Help » This week in computer security

Default This week in computer security

October 16th, 2017, 13:03
A serious issue has been found in the WPA2 protocol, which is likely to affect most wireless clients (like your phone): https://www.krackattacks.com/
--
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. Douglas Adams
There are no facts, only interpretations. Nietzsche
Some cause happiness wherever they go; others whenever they go. Oscar Wilde
Myrthos is offline

Myrthos

Myrthos's Avatar
Cave Canem
Administrator
RPGWatch Team

#201

Join Date: Aug 2006
Location: Netherlands
Posts: 8,225
Mentioned: 25 Post(s)

Default 

October 16th, 2017, 13:16
Hmmm… I'll have to try testing this when I get back home. I have my neighbor's wifi password and he has mine as we're on different provider so when one loses "the signal" it all still works, but we did test "juniper" scheme on breaking WPA2. It actually hits the router's admin id key itself and it worked both on him and on me although our routers are from different manufacturer.
This seems to be a completely different method.

As usual, I don't care about phones and phone vulnerabilities so won't bother with that.
--
Toka Koka
joxer is offline

joxer

joxer's Avatar
The Smoker
Original Sin 1 & 2 Donor

#202

Join Date: Apr 2009
Posts: 17,257
Mentioned: 59 Post(s)

Default 

October 16th, 2017, 19:01
Wow, that's a big one. Technically, if you use WiFi at home or office, you should now treat your network as if it were fully open to the internet. Until every relevant device that forms part of the network is patched, you rely entirely upon the internal security of your devices to secure your traffic. Unless you are using something like Kerberos to encrypt and manage access to your network resources, you are wide open.

As a general rule, I recommend using a low power PC as a router, running something like PFsense, which will be swiftly patched. As a friend of mine in network security said to me, "friends don't let friends use consumer routers."

As a stopgap measure, I'm configuring my server to allow access only through VPN, even for internal traffic.
--
"Orwell was almost exactly wrong in a strange way. He thought the world would end with Big Brother watching us, but it ended with us watching Big Brother." Alan Moore
Ripper is offline

Ripper

Ripper's Avatar
Ngikufisela iwela

#203

Join Date: Nov 2014
Posts: 5,868
Mentioned: 16 Post(s)

Default 

October 16th, 2017, 19:19
So much for protocol design (!) - although I suppose it did go unnoticed for a long time… The article I glanced at earlier said they idn't think it had been exploited as yet (of course, now that everyone knows….)
booboo is offline

booboo

booboo's Avatar
SasqWatch

#204

Join Date: Aug 2007
Location: Cape Town, South Africa
Posts: 1,545
Mentioned: 8 Post(s)

Default 

October 16th, 2017, 19:23
The usual practice for white-hat hacker organisations is to inform the big players ahead of time to prepare the patches, before going public. They consider it a sort of ethical balancing act - allow an opportunity for the fix to be prepared, but not waiting too long so as they are keeping known vulnerabilities from the public.
--
"Orwell was almost exactly wrong in a strange way. He thought the world would end with Big Brother watching us, but it ended with us watching Big Brother." Alan Moore
Ripper is offline

Ripper

Ripper's Avatar
Ngikufisela iwela

#205

Join Date: Nov 2014
Posts: 5,868
Mentioned: 16 Post(s)

Default 

October 16th, 2017, 21:52
This is a huge deal, as many wifi networks uses WPA2 (including my home and work networks).

Hopefully this can be fixed with software and firmware patches on routers and devices without having to buy new equipment.

Sounds like the standard needs to be updated as well.
Thrasher is offline

Thrasher

Thrasher's Avatar
Wheeee!

#206

Join Date: Aug 2008
Location: Studio City, CA
Posts: 15,056
Mentioned: 3 Post(s)

Default 

October 17th, 2017, 01:19
My router is so old there probably won't be a fix. There is some DD-WRT firmware from September. Maybe they will update it again, soon.
Last edited by posfan12; October 17th, 2017 at 01:36.
posfan12 is offline

posfan12

posfan12's Avatar
Watchdog

#207

Join Date: Aug 2010
Posts: 165
Mentioned: 2 Post(s)

Default 

October 17th, 2017, 01:25
Yeah, mine too. It's about 10 years old.
Thrasher is offline

Thrasher

Thrasher's Avatar
Wheeee!

#208

Join Date: Aug 2008
Location: Studio City, CA
Posts: 15,056
Mentioned: 3 Post(s)

Default 

October 17th, 2017, 10:29
Apparently, the vulnerability is "patched" in windows, Microsoft fixed it:
https://www.theverge.com/2017/10/16/…curity-patches
--
Toka Koka
joxer is offline

joxer

joxer's Avatar
The Smoker
Original Sin 1 & 2 Donor

#209

Join Date: Apr 2009
Posts: 17,257
Mentioned: 59 Post(s)

Default 

October 17th, 2017, 14:15
Originally Posted by joxer View Post
Apparently, the vulnerability is "patched" in windows, Microsoft fixed it:
https://www.theverge.com/2017/10/16/…curity-patches
I'm not yet clear on whether the flaw can be fixed in a one-sided manner; whether it can be mitigated by one party in the exchange honouring the fix, or if it requires all parties to be correct.
--
"Orwell was almost exactly wrong in a strange way. He thought the world would end with Big Brother watching us, but it ended with us watching Big Brother." Alan Moore
Ripper is offline

Ripper

Ripper's Avatar
Ngikufisela iwela

#210

Join Date: Nov 2014
Posts: 5,868
Mentioned: 16 Post(s)

Default 

October 17th, 2017, 19:19
I depends on who is providing the key.
Thrasher is offline

Thrasher

Thrasher's Avatar
Wheeee!

#211

Join Date: Aug 2008
Location: Studio City, CA
Posts: 15,056
Mentioned: 3 Post(s)

Default 

October 17th, 2017, 21:58
They do say that the client devices need to be patched. Having an unpatched client on a patched router does not make you safe. As you could still end up connecting to the attackers router.
The attacker cannot get your info when your client is patched, even when you connect to the attacker’s router.
Having both patched is the best solution if I understood it correctly as it prevents the man-in-the middle attack that is needed for this.
--
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. Douglas Adams
There are no facts, only interpretations. Nietzsche
Some cause happiness wherever they go; others whenever they go. Oscar Wilde
Myrthos is offline

Myrthos

Myrthos's Avatar
Cave Canem
Administrator
RPGWatch Team

#212

Join Date: Aug 2006
Location: Netherlands
Posts: 8,225
Mentioned: 25 Post(s)

Default 

October 18th, 2017, 19:56
This is more critical in cities where you can scan lots of devices and less critical in the country where no one is near you. I think that is obvious. The reason these vulnerabilities are such a big deal is that while only a few people can craft the hack (the fellow delivery groceries or paving the street isn't going to know beans about this crap); script hacks are developed by those with financial intererest and then distributed to low paying grunt workers who have no clue what they are doing to collect data. Sort of like google folks for doing street views. They just hire drivers who stick devices on their car and drive around for a few bucks. They don't have to know that the devices are collecting passwords from random wifi signals
you is offline

you

Lazy_dog
RPGWatch Donor
Original Sin 2 Donor

#213

Join Date: Oct 2006
Location: usa - boston
Posts: 3,552
Mentioned: 7 Post(s)

Default 

December 16th, 2017, 18:09
This article just told me that oon December 12 "IP traffic" got redirected "to and from" "Apple, Google, Facebook, Microsoft, Twitch, NTT Communications und Riot Games" towards an Russian provider through "BGP-Hijacking" :
https://www.heise.de/newsticker/meld…t-3919524.html

Seemingly old problems are still there.
--
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius and a lot of courage to move in the opposite direction. (E.F.Schumacher, Economist, Source)
Alrik Fassbauer is offline

Alrik Fassbauer

Alrik Fassbauer's Avatar
TL;DR
Original Sin 1 & 2 Donor

#214

Join Date: Nov 2006
Location: Old Europe
Posts: 17,656
Mentioned: 4 Post(s)

Default 

December 16th, 2017, 19:02
Good find. This is an issue with BGP. It happens both intentionally as per the article (usually Russia) and unintentionally (a couple of years ago Pakistain tried to block some social networks and accidentally published the BGP change that was intended to be local).
Last edited by you; December 16th, 2017 at 22:56.
you is offline

you

Lazy_dog
RPGWatch Donor
Original Sin 2 Donor

#215

Join Date: Oct 2006
Location: usa - boston
Posts: 3,552
Mentioned: 7 Post(s)

Default 

December 16th, 2017, 19:02
Trouble is, so much of the internet architecture was built with security as an afterthought. Much of it is still a house of cards, and it'll be a long time before we close up all the easy vulnerabilities.
--
"Orwell was almost exactly wrong in a strange way. He thought the world would end with Big Brother watching us, but it ended with us watching Big Brother." Alan Moore
Ripper is offline

Ripper

Ripper's Avatar
Ngikufisela iwela

#216

Join Date: Nov 2014
Posts: 5,868
Mentioned: 16 Post(s)

Default 

December 16th, 2017, 22:57
Well in the case of BGP (like smtp) it was not built per sey. It was a lab experiment. Security wasn't an issue in the lab test


Originally Posted by Ripper View Post
Trouble is, so much of the internet architecture was built with security as an afterthought. Much of it is still a house of cards, and it'll be a long time before we close up all the easy vulnerabilities.
you is offline

you

Lazy_dog
RPGWatch Donor
Original Sin 2 Donor

#217

Join Date: Oct 2006
Location: usa - boston
Posts: 3,552
Mentioned: 7 Post(s)

Default 

December 18th, 2017, 19:45
Originally Posted by you View Post
Security wasn't an issue in the lab test
… Like 640 k being enough for everyone .. -.. …

And this is what makes me REALLY worried : Scientists developing things without doing REAL thinking abnout its implications … To me, it's nothing more than children's play … Here we do need so much more philosophers and deep thinkers - but on the othger hand both are heavily frowned upon in nature sciences.
--
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius and a lot of courage to move in the opposite direction. (E.F.Schumacher, Economist, Source)
Alrik Fassbauer is offline

Alrik Fassbauer

Alrik Fassbauer's Avatar
TL;DR
Original Sin 1 & 2 Donor

#218

Join Date: Nov 2006
Location: Old Europe
Posts: 17,656
Mentioned: 4 Post(s)

Default 

December 18th, 2017, 20:29
I think you are a little bit off your rocker. First this wasn't science it was engineering. Second the person 'inventing' these protocols didn't know they were inventing a protocol to be used by others.

It is sort of like you buying a few wires and resisters. Putting them together and discovering an interesting tool. THen your neighbor sees this tool and makes it available to the public without understanding the full implicatins of the tool limits.

Around 1990 the first worm was let loose by accident. The intention was to show the lack of security in the internet but instead of understanding what had happen the politiicans locked him up and threw away the key (the worm did nothing harmful but because is was too effective it did shut down some systems due to load issues).

Originally Posted by Alrik Fassbauer View Post
Like 640 k being enough for everyone .. -..

And this is what makes me REALLY worried : Scientists developing things without doing REAL thinking abnout its implications To me, it's nothing more than children's play Here we do need so much more philosophers and deep thinkers - but on the othger hand both are heavily frowned upon in nature sciences.
you is offline

you

Lazy_dog
RPGWatch Donor
Original Sin 2 Donor

#219

Join Date: Oct 2006
Location: usa - boston
Posts: 3,552
Mentioned: 7 Post(s)

Default 

December 18th, 2017, 20:35
There are always unscrupulous people out there will will abuse technology for their own gain without regard to the downsides. An easy quick buck to use a developed technology that doesn't actually meet all the security requirements.
Thrasher is offline

Thrasher

Thrasher's Avatar
Wheeee!

#220

Join Date: Aug 2008
Location: Studio City, CA
Posts: 15,056
Mentioned: 3 Post(s)
RPGWatch Forums » General Forums » Tech Help » This week in computer security
Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

All times are GMT +2. The time now is 05:05.
Powered by vBulletin® Version 3.8.10
Copyright ©2000 - 2018, vBulletin Solutions, Inc.
User Alert System provided by Advanced User Tagging (Lite) - vBulletin Mods & Addons Copyright © 2018 DragonByte Technologies Ltd.
Copyright by RPGWatch