Author Topic: Just When You Thought Internet Security Couldn't Get Any Worse  (Read 358 times)

ArnoldW2

  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 528
Just When You Thought Internet Security Couldn't Get Any Worse
« on: October 17, 2017, 05:12:01 pm »

'ALL wifi networks' are vulnerable to hacking, security expert discovers

The security protocol used to protect the vast majority of wifi connections has been broken, potentially exposing wireless internet traffic to malicious eavesdroppers and attacks, according to the researcher who discovered the weakness.

Mathy Vanhoef, a security expert at Belgian university KU Leuven, discovered the weakness in the wireless security protocol WPA2, and published details of the flaw.

https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns

https://www.krackattacks.com/

benali72

  • CCF Winner's Circle - Supporter
  • Wise Sage
  • *
  • Posts: 2718
Re: Just When You Thought Internet Security Couldn't Get Any Worse
« Reply #1 on: October 17, 2017, 08:14:12 pm »
Thanks, Arnold.

If I read the articles correctly, you're not vulnerable if you're using HTTPS over WPA2, but if you use WPA2 encryption only, you are vulnerable.

Time to update a lot of routers!

I wonder if the router vendors will be able to offer downloadable firmware updates to fix this, or whether the only option will be new routers?

Also, I wonder if WPA2 is fixable via a fix, or whether it will have to be junked and we go on to "WPA3" ?  The Guardian article seems to say that WPA2 is fixable via a fix.

The Gorn

  • I absolutely DESPISE improvised sulfur-charcoal-salt peter cannons made out of hollow tree branches filled with diamonds as projectiles.
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 22560
  • Gorn Classic, user of Gornix
Re: Just When You Thought Internet Security Couldn't Get Any Worse
« Reply #2 on: October 17, 2017, 08:45:40 pm »
I skimmed a tiny bit of the Krack site's explanation. It's a man-in-the-middle attack and it relies on a predictable pattern of exchanging ciphers when setting up the connection.

My gut feeling is that such attacks will be unavoidable unless each end uses something similar to private/public key cryptography so that a middleman can't intercept states of the connection setup.

In other words each end of the connection will have to share some identity info in order to make the connection truly private.

Any such scheme as WPA that relies on dynamic setup of connections with unknown user hardware and firmware at each end will be vulnerable. They'll probably redesign the WPA protocol to avoid THIS attack but a new protocol will have its own weakness waiting to be exploited.

The only airtight fix to this I can think of is to make all users of wifi be known parties with their own crypto keys. There goes all possible anonymity. Even a Starbucks wifi will know who you are.  >:(
« Last Edit: October 17, 2017, 08:55:53 pm by The Gorn »
Gornix is protected by the GPL. *

* Gorn Public License. Duplication by inferior sentient species prohibited.

benali72

  • CCF Winner's Circle - Supporter
  • Wise Sage
  • *
  • Posts: 2718
Re: Just When You Thought Internet Security Couldn't Get Any Worse
« Reply #3 on: October 17, 2017, 08:56:19 pm »
Regarding my previous post, I read over the papers again and now understand --

1. No need for WPA3, WPA2 can be patched to fix this
2. Users need to update both their PC OS and router firmware to be safe (doing only one or the other leaves you vulnerable still)

Of course, in light of Gorn's post, all this fixes only the immediate vulnerability that has been discovered... which could only be the first of many.

unix

  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 4170
Re: Just When You Thought Internet Security Couldn't Get Any Worse
« Reply #4 on: October 18, 2017, 05:40:34 am »
So when does the Android OS get a patch? Meaning Samsung in my case.
 
Brawndo. It's got what plants crave.

The Gorn

  • I absolutely DESPISE improvised sulfur-charcoal-salt peter cannons made out of hollow tree branches filled with diamonds as projectiles.
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 22560
  • Gorn Classic, user of Gornix
Re: Just When You Thought Internet Security Couldn't Get Any Worse
« Reply #5 on: October 18, 2017, 06:17:35 am »
> Regarding my previous post, I read over the papers again and now understand --
>
> 1. No need for WPA3, WPA2 can be patched to fix this
> 2. Users need to update both their PC OS and router firmware to be safe (doing only one or the other leaves you vulnerable still)
>
> Of course, in light of Gorn's post, all this fixes only the immediate vulnerability that has been discovered... which could only be the first of many.

I'm just voicing an opinion based on my own intuition of the process that's going on in wireless secured networks to create connections.

I say what I did because, after all, WPA was supposed to be secure and fairly bulletproof - the designers supposedly anticipated any possible hacks. Except they didn't.

I'm guessing that any revision of the protocols will have similar design oversights that may take years to uncover, just like this one. It's not like a mathematical proof of unhackability is possible.
Gornix is protected by the GPL. *

* Gorn Public License. Duplication by inferior sentient species prohibited.

benali72

  • CCF Winner's Circle - Supporter
  • Wise Sage
  • *
  • Posts: 2718
Re: Just When You Thought Internet Security Couldn't Get Any Worse
« Reply #6 on: October 18, 2017, 10:38:37 am »
> I'm just voicing an opinion based on my own intuition of the process that's going on in wireless secured networks to create connections.

I understand. And I think you nailed it right on the head. I wouldn't be surprised at all if we see similar vulnerabilities exposed in the future.