WPA2 protocol used by vast majority of wifi connections has been broken

drummerboy
Posts: 54
Joined: Wed Apr 20, 2016 1:08 pm
Location: Atlanta, GA

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by drummerboy » Tue Oct 17, 2017 10:27 pm

Eero’s update came out today.... hopefully most routers get patched over the coming days.

billthecat
Posts: 106
Joined: Tue Jan 24, 2017 2:50 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by billthecat » Tue Oct 17, 2017 11:17 pm

azurekep wrote:
Tue Oct 17, 2017 9:23 pm
susze wrote:
Tue Oct 17, 2017 5:26 pm
In all likelihood any hacker would probably target a small business or doctors/medical place before an individual home or even apartment.
Who knows. I figure hackers have to start somewhere and they might go for the low-hanging fruit first. Like a doctor living in a nearby, affluent neighborhood dumb enough to have "MD" in the SSID. The hacker gets bragging rights for hacking a doctor, and gets the experience to go after bigger targets.
Maybe I should stop using SSID "NSA Remote Station AX315"

jhfenton
Posts: 2176
Joined: Sat Feb 07, 2015 11:17 am
Location: Ohio

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by jhfenton » Wed Oct 18, 2017 4:55 am

billthecat wrote:
Tue Oct 17, 2017 11:17 pm
azurekep wrote:
Tue Oct 17, 2017 9:23 pm
susze wrote:
Tue Oct 17, 2017 5:26 pm
In all likelihood any hacker would probably target a small business or doctors/medical place before an individual home or even apartment.
Who knows. I figure hackers have to start somewhere and they might go for the low-hanging fruit first. Like a doctor living in a nearby, affluent neighborhood dumb enough to have "MD" in the SSID. The hacker gets bragging rights for hacking a doctor, and gets the experience to go after bigger targets.
Maybe I should stop using SSID "NSA Remote Station AX315"
Are you my father? That sounds like one of his names. That or “FBI Surveillance Van TF127”.

Uniballer
Posts: 76
Joined: Thu Apr 20, 2017 9:55 am

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by Uniballer » Wed Oct 18, 2017 5:21 am

One of my friend's is "Aditum Punctum LXIX" (Latin for "access point 69")
Last edited by Uniballer on Wed Oct 18, 2017 1:37 pm, edited 1 time in total.

DiggleRex
Posts: 145
Joined: Fri Sep 29, 2017 7:17 am

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by DiggleRex » Wed Oct 18, 2017 9:16 am

Kenkat wrote:
Tue Oct 17, 2017 6:17 pm
I have an R6400; when I checked for updates, none were found. I had previously updated the firmware a few months ago - I wonder if this vulnerability was addressed then?
I had an update 2 days ago for the R6400 but it didn't provide any details on what. The current version is V1.0.1.26_1.0.19

susze
Posts: 134
Joined: Sun Jul 27, 2008 2:26 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by susze » Sun Oct 22, 2017 12:04 pm

From what I have read there are currently no exploits written for this widely available (maybe dark web). That would probably mean you would have to be extremely unlucky to be hacked by this. And hackers are probably already onto the next thing.

azurekep
Posts: 944
Joined: Tue Jun 16, 2015 7:16 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by azurekep » Sun Oct 22, 2017 1:44 pm

susze wrote:
Sun Oct 22, 2017 12:04 pm
From what I have read there are currently no exploits written for this widely available (maybe dark web). That would probably mean you would have to be extremely unlucky to be hacked by this. And hackers are probably already onto the next thing.
I think you have to assume that not everyone is going to get their router or devices patched. I'm betting hackers are probably just getting started!

ram
Posts: 882
Joined: Tue Jan 01, 2008 10:47 pm
Location: Midwest

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by ram » Sun Oct 22, 2017 2:33 pm

azurekep wrote:
Mon Oct 16, 2017 11:33 am
The protocol I've developed after seeing my own and others' mistakes in networking (including mistakes by my ISP) is that if I don't thoroughly understand the technology and keep on top of it, and I don't "really" need it, I disable it.

Thus, for home networking, I have had wi-fi disabled for quite some time and remain wired.

That's an extreme stance, but I opt for safety over convenience most of the time.

If I were to go back to wi-fi, I'd look into the techniques to shape the footprint of the signal so that it remains centred on the house with minimal leakage to the street.
In a house can a person have one wired computer and do all financial stuff from that computer only.
The house remains wired and other devices use WiFi for non financial work. (music streaming)
Is this a reasonable option?
Ram

susze
Posts: 134
Joined: Sun Jul 27, 2008 2:26 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by susze » Sun Oct 22, 2017 3:23 pm

azurekep wrote:
Sun Oct 22, 2017 1:44 pm
susze wrote:
Sun Oct 22, 2017 12:04 pm
From what I have read there are currently no exploits written for this widely available (maybe dark web). That would probably mean you would have to be extremely unlucky to be hacked by this. And hackers are probably already onto the next thing.
I think you have to assume that not everyone is going to get their router or devices patched. I'm betting hackers are probably just getting started!
True on routers yes. But devices I think more and more people are patching just even doing it w/o knowing. And my understanding is that this is more on the client than the AP on where it can be exploited.

Either way I'm sure there are a ton of other exploits out there that are undocumented or used by elite hackers or govt agencies.

gtd98765
Posts: 36
Joined: Sun Jan 08, 2017 4:15 am

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by gtd98765 » Sun Oct 22, 2017 3:32 pm

jhfenton wrote:
Wed Oct 18, 2017 4:55 am
billthecat wrote:
Tue Oct 17, 2017 11:17 pm
azurekep wrote:
Tue Oct 17, 2017 9:23 pm
susze wrote:
Tue Oct 17, 2017 5:26 pm
In all likelihood any hacker would probably target a small business or doctors/medical place before an individual home or even apartment.
Who knows. I figure hackers have to start somewhere and they might go for the low-hanging fruit first. Like a doctor living in a nearby, affluent neighborhood dumb enough to have "MD" in the SSID. The hacker gets bragging rights for hacking a doctor, and gets the experience to go after bigger targets.
Maybe I should stop using SSID "NSA Remote Station AX315"
Are you my father? That sounds like one of his names. That or “FBI Surveillance Van TF127”.
Seriously, it is better not to use an SSID identifiable to an individual/family. I recommend a short random string of letters or numbers, like "3Q7".

azurekep
Posts: 944
Joined: Tue Jun 16, 2015 7:16 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by azurekep » Sun Oct 22, 2017 3:37 pm

ram wrote:
Sun Oct 22, 2017 2:33 pm
azurekep wrote:
Mon Oct 16, 2017 11:33 am
The protocol I've developed after seeing my own and others' mistakes in networking (including mistakes by my ISP) is that if I don't thoroughly understand the technology and keep on top of it, and I don't "really" need it, I disable it.

Thus, for home networking, I have had wi-fi disabled for quite some time and remain wired.

That's an extreme stance, but I opt for safety over convenience most of the time.

If I were to go back to wi-fi, I'd look into the techniques to shape the footprint of the signal so that it remains centred on the house with minimal leakage to the street.
In a house can a person have one wired computer and do all financial stuff from that computer only.
The house remains wired and other devices use WiFi for non financial work. (music streaming)
Is this a reasonable option?
It's precisely because I don't understand enough about wifi and routers that I personally keep everything wired. It's an excellent question and hopefully somebody will answer.

azurekep
Posts: 944
Joined: Tue Jun 16, 2015 7:16 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by azurekep » Sun Oct 22, 2017 3:43 pm

susze wrote:
Sun Oct 22, 2017 3:23 pm
azurekep wrote:
Sun Oct 22, 2017 1:44 pm
susze wrote:
Sun Oct 22, 2017 12:04 pm
From what I have read there are currently no exploits written for this widely available (maybe dark web). That would probably mean you would have to be extremely unlucky to be hacked by this. And hackers are probably already onto the next thing.
I think you have to assume that not everyone is going to get their router or devices patched. I'm betting hackers are probably just getting started!
True on routers yes. But devices I think more and more people are patching just even doing it w/o knowing. And my understanding is that this is more on the client than the AP on where it can be exploited.

Either way I'm sure there are a ton of other exploits out there that are undocumented or used by elite hackers or govt agencies.
No doubt.

I just think there are probably hacker specialities. Those who specialize in wireless may take advantage of a new security hole while it is still early. (I think it will take a while for everything to get patched up.)

But yeah, on the spectrum of hacks, the wireless ones worry me the least. I worry more about the long-distance hackers that can hack from anywhere in the world vs the ones who need to be physically close to a router.

SittingOnTheFence
Posts: 199
Joined: Sun Sep 27, 2015 5:30 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by SittingOnTheFence » Mon Oct 23, 2017 2:10 pm

ram wrote:
Sun Oct 22, 2017 2:33 pm
In a house can a person have one wired computer and do all financial stuff from that computer only.
The house remains wired and other devices use WiFi for non financial work. (music streaming)
Is this a reasonable option?
Sure, it's reasonable. I only do financials on one wired computer. But anyone who gets into my network can then sniff what is happening. I consider that highly unlikely. More of a threat would be someone stealing the computer and if I had 'remember my password' active at the site then it would be catastrophic. Since most financial sites use https, the data is encrypted so it would take a real pro to use sniffed info.

To be extra safe, use a separate browser for those web connections. And don't use it for general or random browsing. But if you get malware on the computer that you are using then all bets are off.

randomguy
Posts: 4884
Joined: Wed Sep 17, 2014 9:00 am

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by randomguy » Mon Oct 23, 2017 2:52 pm

SittingOnTheFence wrote:
Mon Oct 23, 2017 2:10 pm
ram wrote:
Sun Oct 22, 2017 2:33 pm
In a house can a person have one wired computer and do all financial stuff from that computer only.
The house remains wired and other devices use WiFi for non financial work. (music streaming)
Is this a reasonable option?
Sure, it's reasonable. I only do financials on one wired computer. But anyone who gets into my network can then sniff what is happening. I consider that highly unlikely. More of a threat would be someone stealing the computer and if I had 'remember my password' active at the site then it would be catastrophic. Since most financial sites use https, the data is encrypted so it would take a real pro to use sniffed info.

To be extra safe, use a separate browser for those web connections. And don't use it for general or random browsing. But if you get malware on the computer that you are using then all bets are off.
They can't really sniff what is happening. They will see you are sending a bunch of packets to vanguard but they will have no way of seeing what is in those packets (wired or wireless). If they can break SSL, you have other problems. :) You have a much bigger risk using the same computer for financial transactions and anything else as you run some risk of getting some malware (scans the hard drive, keylogger). If you are being paranoid, spend 500 bucks and get some chromebook to do all your financial work on.

And realistically most of the problems come from server side issues (i.e. someone hacks vanguard) more than client side ones.

telemark
Posts: 2057
Joined: Sat Aug 11, 2012 6:35 am

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by telemark » Thu Oct 26, 2017 12:43 pm

The original post at https://www.krackattacks.com/#wpa3 has been updated and now includes the following
Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks!
That unambiguously states that updating your router is not sufficient to protect your devices if they are also vulnerable. And many older devices will almost certainly never be patched.

2015
Posts: 902
Joined: Mon Feb 10, 2014 2:32 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by 2015 » Thu Oct 26, 2017 10:45 pm

deleted
Last edited by 2015 on Thu Oct 26, 2017 11:02 pm, edited 1 time in total.

ram
Posts: 882
Joined: Tue Jan 01, 2008 10:47 pm
Location: Midwest

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by ram » Thu Oct 26, 2017 10:58 pm

randomguy wrote:
Mon Oct 23, 2017 2:52 pm
SittingOnTheFence wrote:
Mon Oct 23, 2017 2:10 pm
ram wrote:
Sun Oct 22, 2017 2:33 pm
In a house can a person have one wired computer and do all financial stuff from that computer only.
The house remains wired and other devices use WiFi for non financial work. (music streaming)
Is this a reasonable option?
Sure, it's reasonable. I only do financials on one wired computer. But anyone who gets into my network can then sniff what is happening. I consider that highly unlikely. More of a threat would be someone stealing the computer and if I had 'remember my password' active at the site then it would be catastrophic. Since most financial sites use https, the data is encrypted so it would take a real pro to use sniffed info.

To be extra safe, use a separate browser for those web connections. And don't use it for general or random browsing. But if you get malware on the computer that you are using then all bets are off.
They can't really sniff what is happening. They will see you are sending a bunch of packets to vanguard but they will have no way of seeing what is in those packets (wired or wireless). If they can break SSL, you have other problems. :) You have a much bigger risk using the same computer for financial transactions and anything else as you run some risk of getting some malware (scans the hard drive, keylogger). If you are being paranoid, spend 500 bucks and get some chromebook to do all your financial work on.

And realistically most of the problems come from server side issues (i.e. someone hacks vanguard) more than client side ones.
Sitting and Randomguy,
Thanks a lot. I already have a dedicated chromebook for financial work (I do not mind being called paranoid. Better safe than sorry.). A separate computer is used for other websurfing. I use google chrome browser on both computers. Is it OK to use the same browser provided I am using 2 different computers? Or should I still use different browsers? Sorry if these are very dumb questions.
Ram

crumbone
Posts: 52
Joined: Thu Oct 12, 2017 11:50 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by crumbone » Fri Oct 27, 2017 12:09 am

randomguy wrote:
Mon Oct 23, 2017 2:52 pm
SittingOnTheFence wrote:
Mon Oct 23, 2017 2:10 pm
ram wrote:
Sun Oct 22, 2017 2:33 pm
In a house can a person have one wired computer and do all financial stuff from that computer only.
The house remains wired and other devices use WiFi for non financial work. (music streaming)
Is this a reasonable option?
Sure, it's reasonable. I only do financials on one wired computer. But anyone who gets into my network can then sniff what is happening. I consider that highly unlikely. More of a threat would be someone stealing the computer and if I had 'remember my password' active at the site then it would be catastrophic. Since most financial sites use https, the data is encrypted so it would take a real pro to use sniffed info.

To be extra safe, use a separate browser for those web connections. And don't use it for general or random browsing. But if you get malware on the computer that you are using then all bets are off.
They can't really sniff what is happening. They will see you are sending a bunch of packets to vanguard but they will have no way of seeing what is in those packets (wired or wireless). If they can break SSL, you have other problems. :) You have a much bigger risk using the same computer for financial transactions and anything else as you run some risk of getting some malware (scans the hard drive, keylogger). If you are being paranoid, spend 500 bucks and get some chromebook to do all your financial work on.

And realistically most of the problems come from server side issues (i.e. someone hacks vanguard) more than client side ones.
People are missing the real vulnerability here: it's those Internet of Things devices (i.e., expensive "smart" thing that worked better when it was dumb.) They are almost never patched and are the most vulnerable attack vector in your house other than you (social engineering.) It's already been done multiple times to create botnets or (very creepily) to broadcast feeds of "smart" baby monitors.

SittingOnTheFence
Posts: 199
Joined: Sun Sep 27, 2015 5:30 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by SittingOnTheFence » Fri Oct 27, 2017 12:11 am

ram wrote:
Thu Oct 26, 2017 10:58 pm
I use google chrome browser on both computers. Is it OK to use the same browser provided I am using 2 different computers? Or should I still use different browsers? Sorry if these are very dumb questions.
I don't know how Chrome works, I just don't trust anything Google does anymore so never tried Chrome. I would be surprised if any info leaked across from one computer to another. That said, if your general browsing computer got infected with malicious stuff and it was on same network as your other computer it is possible that the other computer can be infected. It seems to me you can reduce those odds a tiny bit by using different OS's on the computers. I'm assuming that a malicious payload may be written for only one OS. That is certainly not true for really sophisticated malware but I presume most malware is not written by someone sophisticated.

I have noticed in using iOS it seems that what is done on iPad Safari leaks across to iPhone & vice-versa. I have not spent a lot of time checking that, I noticed it on one occasion. I believe that is due to info being shared via iCloud which is a setting that I can control. So, the keyring for the iPad resides on iCloud. iPhone uses same keyring. I presume Google has a similar functionality, so logged in to your google account might share info, possibly your Financial login credentials when you log into your google acct on a different computer. Just speculating here.

I read an interesting article today that Google has an arrangement available that uses usb tokens so you can prove who you are when you log in because you have the token. It is for folks in highly sensitive jobs but I gather that anyone can request it. For example, it would have prevented whomever breached Podesta's gmail account last year from doing that because they would not have had the token. This would be something that you use with google apps and not general browsing. It is supposed to be a step up from 2FA and it will be interesting if others jump on that train. The article said you need two usb sticks and there is a $20 charge for using each one. I don't know if that is a subscription model or a one time fee.

AntsOnTheMarch
Posts: 313
Joined: Mon May 29, 2017 5:47 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by AntsOnTheMarch » Fri Oct 27, 2017 6:26 am

I am all for practicing best methods of personal computer security but it seems like a sick joke to run around trying to hide your computer from the internet to do finances when equifax can treat the most sensitive information of ~140M people like so much garbage and put us all at risk. If this were the one and only hack, maybe I’d have more confidence in this whole new world but it seems to be a hack a minute.

I’ve been creating strong passwords for my accounts for over 20 years. Each account gets a different one. I use 2FA when available. I use a password manager. Etc, etc. And while I recommend these things, it doesn’t make me “safe” (whatever that means) because hackers have found the weak links in corporation, government and internet company hardware and systems and exploit them with great gusto. Not much I can do if that latest greatest phone is open or some major exploit other than to shut myself in a closet. Not a real choice.

So I just stay up to date and keep things patched, use common sense and caution. I’m not going the separate computer route myself. I do everything across three devices (phone, tablet, computer) and like them synced. And this hack, this doesn’t seem very threatening to me. Not gonna lose sleep over it.

But someone brought up the internet of things and there I do agree. Don’t be so quick to buy that refrigerator that can refill your milk supply from amazon. These devices have a long way to go to catch up with the security fortifications of say, OS X. Proceed with caution.

telemark
Posts: 2057
Joined: Sat Aug 11, 2012 6:35 am

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by telemark » Fri Oct 27, 2017 10:35 am

ram wrote:
Thu Oct 26, 2017 10:58 pm
Thanks a lot. I already have a dedicated chromebook for financial work (I do not mind being called paranoid. Better safe than sorry.). A separate computer is used for other websurfing. I use google chrome browser on both computers. Is it OK to use the same browser provided I am using 2 different computers? Or should I still use different browsers? Sorry if these are very dumb questions.
The concern there is that the browser may store important data like usernames or passwords, and that other sites you visit may be able to retrieve that data from the browser. This wouldn't apply to different copies of the same browser on different machines, unless you allow them to sync through the cloud.

azurekep
Posts: 944
Joined: Tue Jun 16, 2015 7:16 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by azurekep » Fri Oct 27, 2017 10:52 am

AntsOnTheMarch wrote:
Fri Oct 27, 2017 6:26 am
I am all for practicing best methods of personal computer security but it seems like a sick joke to run around trying to hide your computer from the internet to do finances when equifax can treat the most sensitive information of ~140M people like so much garbage and put us all at risk. If this were the one and only hack, maybe I’d have more confidence in this whole new world but it seems to be a hack a minute.

I’ve been creating strong passwords for my accounts for over 20 years. Each account gets a different one. I use 2FA when available. I use a password manager. Etc, etc. And while I recommend these things, it doesn’t make me “safe” (whatever that means) because hackers have found the weak links in corporation, government and internet company hardware and systems and exploit them with great gusto. Not much I can do if that latest greatest phone is open or some major exploit other than to shut myself in a closet. Not a real choice.

So I just stay up to date and keep things patched, use common sense and caution. I’m not going the separate computer route myself. I do everything across three devices (phone, tablet, computer) and like them synced. And this hack, this doesn’t seem very threatening to me. Not gonna lose sleep over it.
When I read these security threads, I'm always surprised by how many people use their phones for financial things. I guess it would be easier to understand if this was a trading board and people wanted to check hour by hour what their stocks were doing. But I remain baffled why things like bill pay, setting up a funds transfer, doing a periodic check of account balances, etc. can't be done at home on the most secure (and possibly wired) computer. I'm sure I'm missing something here, but don't know what.

Edit: I can see the need to check by phone if one is travelling. There may not be PCs or at least reliable PCs available to do periodic account checks.
But someone brought up the internet of things and there I do agree. Don’t be so quick to buy that refrigerator that can refill your milk supply from amazon. These devices have a long way to go to catch up with the security fortifications of say, OS X. Proceed with caution.
Definitely. This is a huge security hole.

Even before IoT became full-fledged, countless people had misconfigured IP security cameras and webcams, and there were a number of websites that found these cameras and posted them so the entire world could watch. I just used the past tense when writing this, but it's still the case. The misconfigured cams are so prevalent that some people eventually figured out they were being watched and decided they actually liked it. :shock: One woman has a cam in her living room and turns it on for the world to see every evening as she sits in her living room and knits. :?

URSnshn
Posts: 100
Joined: Sun Mar 13, 2016 6:10 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by URSnshn » Fri Oct 27, 2017 11:41 am

Do not assume that your Apple device will be updated. If your Apple Time Capsule, Airport Extreme, Express etc., is too old to get updates (I believe at 7 years, they are considered obsolete) - you may need to get another or at least call Apple and check it out.


edited for a third time to post the material with more clarity. 11/3/17
Last edited by URSnshn on Sat Nov 04, 2017 6:00 pm, edited 2 times in total.

2015
Posts: 902
Joined: Mon Feb 10, 2014 2:32 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by 2015 » Fri Oct 27, 2017 1:21 pm

SittingOnTheFence wrote:
Mon Oct 23, 2017 2:10 pm
ram wrote:
Sun Oct 22, 2017 2:33 pm
In a house can a person have one wired computer and do all financial stuff from that computer only.
The house remains wired and other devices use WiFi for non financial work. (music streaming)
Is this a reasonable option?
Sure, it's reasonable. I only do financials on one wired computer. But anyone who gets into my network can then sniff what is happening. I consider that highly unlikely. More of a threat would be someone stealing the computer and if I had 'remember my password' active at the site then it would be catastrophic. Since most financial sites use https, the data is encrypted so it would take a real pro to use sniffed info.

To be extra safe, use a separate browser for those web connections. And don't use it for general or random browsing. But if you get malware on the computer that you are using then all bets are off.
This is why I run Wifi Guard before beginning all financial transactions in Avast's "bank mode". Wifi Guard is free, scans your network for all connections, and you can see what is actually on your network. Avast's bank mode acts as a computer within a computer and once it is closed it's like the entire session never happened. Avast comes with network inspection capability as well, and although Avast's inspection provides the condition of each device connected (which I like), I trust Wifi Guard more in terms of network connections scanning.

https://www.softperfect.com/products/wifiguard/

AntsOnTheMarch
Posts: 313
Joined: Mon May 29, 2017 5:47 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by AntsOnTheMarch » Fri Oct 27, 2017 3:53 pm

URSnshn wrote:
Fri Oct 27, 2017 11:41 am
Regarding Apple - do not assume that your Apple device will be updated. Some Apple devices I've heard will not be updated (older versions). So if your Apple Time Capsule, etc., is too old to get updates (and that may not be as old as you think) - you may want to get another or at least call them and check it out. Otherwise it might be time to get a new device.
What do you make of the statement below? Do you know something Apple doesn’t? (Emphasis mine)
Apple has told iMore that KRACK has already been fixed in the beta versions of iOS, macOS, watchOS, and tvOS, and that AirPort routers and Time Capsules don't appear to be vulnerable to the exploit.

https://www.androidcentral.com/hide-yo- ... rbody-here
azurekep wrote:
Fri Oct 27, 2017 10:52 am
When I read these security threads, I'm always surprised by how many people use their phones for financial things. I guess it would be easier to understand if this was a trading board and people wanted to check hour by hour what their stocks were doing. But I remain baffled why things like bill pay, setting up a funds transfer, doing a periodic check of account balances, etc. can't be done at home on the most secure (and possibly wired) computer. I'm sure I'm missing something here, but don't know what.

Edit: I can see the need to check by phone if one is travelling. There may not be PCs or at least reliable PCs available to do periodic account checks.
I rarely use my phone but I like to have logins there (1Password) just in case. Never know when you’ll need a password or PIN. I use my iPad a lot at home. I do most of my banking on a home network and if I have to be out / traveling, I use my phone as a hotspot (cellular connection) for anything sensitive. But no, I’m not logging into banking websites all day. I just find it handy to use the iPad. I’m also not sure why a computer would be more secure. Surely, by sheer volume, there are more exploits on desktop systems than iOS. Should I feel more secure on a Windows PC?

That brings us to a stripped down, dedicated computer for banking only and I’m not willing to go there. Seems like a rabbit hole to me. I’m willing to bet that identity theft and exploits on the banking institutions themselves are much more likely than someone fishing around on my Wi-Fi network for a hole.

F150HD
Posts: 1133
Joined: Fri Sep 18, 2015 7:49 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by F150HD » Fri Oct 27, 2017 4:10 pm

I use Kaspersky's Safe Money when logging into and checking financial accounts.

Despite the politics of Kaspersky, I like their Total Security Suite - SafeMoney is part of it. Usually found for like $30ish if you shop around.

Why Safe Money is Useful?

2015
Posts: 902
Joined: Mon Feb 10, 2014 2:32 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by 2015 » Fri Oct 27, 2017 6:35 pm

azurekep wrote:
Fri Oct 27, 2017 10:52 am
AntsOnTheMarch wrote:
Fri Oct 27, 2017 6:26 am
...

So I just stay up to date and keep things patched, use common sense and caution. I’m not going the separate computer route myself. I do everything across three devices (phone, tablet, computer) and like them synced. And this hack, this doesn’t seem very threatening to me. Not gonna lose sleep over it.
When I read these security threads, I'm always surprised by how many people use their phones for financial things. I guess it would be easier to understand if this was a trading board and people wanted to check hour by hour what their stocks were doing. But I remain baffled why things like bill pay, setting up a funds transfer, doing a periodic check of account balances, etc. can't be done at home on the most secure (and possibly wired) computer. I'm sure I'm missing something here, but don't know what.

Edit: I can see the need to check by phone if one is travelling. There may not be PCs or at least reliable PCs available to do periodic account checks.
But someone brought up the internet of things and there I do agree. Don’t be so quick to buy that refrigerator that can refill your milk supply from amazon. These devices have a long way to go to catch up with the security fortifications of say, OS X. Proceed with caution.
Definitely. This is a huge security hole.
...
Totally agree. I would never access financial accounts on anything but a dedicated device at home, and definitely not via a phone (my phone is basically in terms of anything sensitive). I also can't justify participating in anything IoT related at this stage of the (in)security game. I view the IoT and the cloud as Black Swans waiting to happen.

azurekep
Posts: 944
Joined: Tue Jun 16, 2015 7:16 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by azurekep » Fri Oct 27, 2017 9:29 pm

AntsOnTheMarch wrote:
Fri Oct 27, 2017 3:53 pm
azurekep wrote:
Fri Oct 27, 2017 10:52 am
When I read these security threads, I'm always surprised by how many people use their phones for financial things. I guess it would be easier to understand if this was a trading board and people wanted to check hour by hour what their stocks were doing. But I remain baffled why things like bill pay, setting up a funds transfer, doing a periodic check of account balances, etc. can't be done at home on the most secure (and possibly wired) computer. I'm sure I'm missing something here, but don't know what.

Edit: I can see the need to check by phone if one is travelling. There may not be PCs or at least reliable PCs available to do periodic account checks.
I rarely use my phone but I like to have logins there (1Password) just in case. Never know when you’ll need a password or PIN. I use my iPad a lot at home. I do most of my banking on a home network and if I have to be out / traveling, I use my phone as a hotspot (cellular connection) for anything sensitive. But no, I’m not logging into banking websites all day. I just find it handy to use the iPad. I’m also not sure why a computer would be more secure. Surely, by sheer volume, there are more exploits on desktop systems than iOS. Should I feel more secure on a Windows PC?

That brings us to a stripped down, dedicated computer for banking only and I’m not willing to go there. Seems like a rabbit hole to me. I’m willing to bet that identity theft and exploits on the banking institutions themselves are much more likely than someone fishing around on my Wi-Fi network for a hole.
My bias is that I use a secure operating system (Linux) and I use mostly open-source applications. If we take away Linux and just focus on applications, I personally am more comfortable with applications where the code can be viewed by a lot of eyes. That's not a guarantee of security, but open source has a good track record.

"Apps" are a question mark to me. I have done no research other than to skim one article (which I think I posted to in this thread) that mentioned that many banking apps are (or were) insecure. Without knowing if that is true or not, I wonder who looks at the code and how often, looking for vulnerabilities. Does Apple look at these apps just once to validate that they can be sold in the Apple store? Or is there a continual review process looking for holes?

So my comfort level with a PC/tablet over a phone is predicated on the things mentioned above -- a secure operating system and open-source applications. It would be nice to get a firm answer on the safety of banking and financial apps. Even if phones or tablets as a whole are deemed secure due to some kind of isolation of each process, if the individual apps themselves are not secure -- especially the banking ones -- that would be a not-great thing.

AntsOnTheMarch
Posts: 313
Joined: Mon May 29, 2017 5:47 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by AntsOnTheMarch » Fri Oct 27, 2017 10:46 pm

I don’t use banking apps. I log on to my banking sites using iOS Safari links that I’ve saved in my bookmarks. That said, would I use the vanguard or chase banking apps? Sure. Whenever an alarm sounds, I like to ask myself, has there been a hack in the wild using this exploit? If the answer is no, it’s only a theoretical problem, or clickbait. Here’s an example:

Google engineer proves any iPhone app with permission to access the camera is capable of spying
http://appleinsider.com/articles/17/10/ ... -of-spying

But if you read the article, it basically states that an app that you allow to use the camera, uses the camera. Horror! Then there’s the fact that he didn’t follow apple’s guidelines and never submitted the app for review and approval to the App Store. Why? Because I’m sure he knew that it would be rejected. So he just installed it on his phone and boom! Security crisis. So now, this boatload of extreme FUD is likely to cause a bunch of people to run off and stick a post-it note over their camera.

Meanwhile, hackers made off with treasure trove of 140m equifax accounts and there is nothing open source, Android, or apple’s walled garden could do to stop them.

azurekep
Posts: 944
Joined: Tue Jun 16, 2015 7:16 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by azurekep » Sat Oct 28, 2017 3:12 am

AntsOnTheMarch wrote:
Fri Oct 27, 2017 10:46 pm
I don’t use banking apps. I log on to my banking sites using iOS Safari links that I’ve saved in my bookmarks. That said, would I use the vanguard or chase banking apps?
I would be a bit skeptical myself. Though that's based partly on ignorance in not knowing how website development (a mature technology) translates into building an app (a newer technology). On the client side, there are many tools and techniques for making sure a web browser is safe. I don't know if that's the case with apps. Again though, that's ignorance talking on my part.
Google engineer proves any iPhone app with permission to access the camera is capable of spying
http://appleinsider.com/articles/17/10/ ... -of-spying

But if you read the article, it basically states that an app that you allow to use the camera, uses the camera. Horror!
I get your point that some of these issues are overblown. But I do think apps that give permission to the microphone is a bit more concerning. But I also consider it more of a privacy issue than security flaw.
Meanwhile, hackers made off with treasure trove of 140m equifax accounts and there is nothing open source, Android, or apple’s walled garden could do to stop them.
I was thinking more along the lines of the large number of browser exploits that have involved commercial plug-ins like Flash and Java. Equifax is the 100-year flood. Flash exploits are the more daily occurrence.

But to keep this focused on WPA2, I just think the way things are going that having a secure, preferably wired, computer or VM dedicated for financial use -- is not really much of a hardship. Especially for a Boglehead who checks their investments infrequently. It takes some of the guesswork out of wondering whether all the new technologies being rushed out have been properly vetted for security.

AntsOnTheMarch
Posts: 313
Joined: Mon May 29, 2017 5:47 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by AntsOnTheMarch » Sat Oct 28, 2017 6:35 am

azurekep wrote:
Sat Oct 28, 2017 3:12 am

I was thinking more along the lines of the large number of browser exploits that have involved commercial plug-ins like Flash and Java.
These are very easy to deal with on Safari in OS X (and pretty much any browser). Disable them or force them to ask permissions each time a website requests their use, and approve on a case by case basis.

I have java turned off completely and have for years. I have safari ask me to approve flash content. It rarely comes up. In iOS, these extensions are not supported so the user need not concern him/herself with them (another reason why the average user might be safer on an iPad). But nothing will protect a person who willy nilly clicks on every email link, casually jailbreaks their phone to get a third party app, etc.

Now, I agree with you that an expert user who wants to create some sort of sandbox environment for sensitive computer use is certainly not being paranoid and maybe gets a degree of extra security. But the average user will be helped more by simply following good simple practices and common sense rather than using all sorts of software they don’t understand—and getting some sort of false comfort from it.

And again in the end, none of us get to control our data in the critical space where most hacks happen. Equifax is not the 100 year flood—it’s just the latest and biggest but there have been others (see Anthem, the US government databases, etc). And there will be more. A huge payload or personal data is much more attractive to hackers than trying to sniff out Wi-Fi networks one at a time.

azurekep
Posts: 944
Joined: Tue Jun 16, 2015 7:16 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by azurekep » Sat Oct 28, 2017 1:14 pm

AntsOnTheMarch wrote:
Sat Oct 28, 2017 6:35 am
azurekep wrote:
Sat Oct 28, 2017 3:12 am

I was thinking more along the lines of the large number of browser exploits that have involved commercial plug-ins like Flash and Java.
These are very easy to deal with on Safari in OS X (and pretty much any browser). Disable them or force them to ask permissions each time a website requests their use, and approve on a case by case basis.

I have java turned off completely and have for years. I have safari ask me to approve flash content. It rarely comes up. In iOS, these extensions are not supported so the user need not concern him/herself with them (another reason why the average user might be safer on an iPad). But nothing will protect a person who willy nilly clicks on every email link, casually jailbreaks their phone to get a third party app, etc.
I just used Flash and Java as examples of non-open-source software that is problematic. I think most people now (at least on this site) are aware that these specific programs should be disabled if not removed. The industry is going that way as well with browsers on a path to abandon Flash.

But I did want to point out that as horrific as the Equifax breach was, if a simple Flash/Java or similar exploit results in a keylogger being installed on a system, that could be much worse than Equifax if it recorded log-in data. A hacker would have instant access to a bank account and could add themselves as a billpay recipient. So, the daily exploits can be more damaging than the massive server-side breaches, though the latter have longer-term consequences.
Now, I agree with you that an expert user who wants to create some sort of sandbox environment for sensitive computer use is certainly not being paranoid and maybe gets a degree of extra security. But the average user will be helped more by simply following good simple practices and common sense rather than using all sorts of software they don’t understand—and getting some sort of false comfort from it.
You're right of course. I should be comparing the average (dumb) user who does their financial work on a computer vs the similarly dumb user who does their financial work on a phone. Which is safer? That's basically what I'm trying to get at. The one thing I know for sure is that web browsers on a computer are very customizable for security/privacy without a lot of additional software. But it requires a little reading to learn the ins and outs, and the developers have made the task more difficult by hiding many features as they add newer features. The fact that about:config in Firefox is about 345 zillion pages long now is not a good thing from a privacy/security standpoint since the user has lost control of their browser in a lot of ways. And just like with Windows, with every new feature added by Mozilla, new potential security vulnerabilities are added.

But then again, smart phone browsers and banking apps may be too limited in the configuration options they have. Insecure features may be embedded into the code, not amenable to modification by user action.
A huge payload or personal data is much more attractive to hackers than trying to sniff out Wi-Fi networks one at a time.
Agreed. One of my areas of ignorance was whether or not the WPA2 flaw allowed simply for eavesdropping on an ephemeral communication or if it could cause longer-term harm by getting into the router and affecting all communications -- wired and wireless. I think it's only the former, i.e., eavesdropping on a particular target of opportunity, with the hack ending as soon as the hacker drives away. That isn't too bad unless the victim is accessing a misconfigured banking site where perhaps the "https" is really "http" -- and the hacker catches this ephemeral communication and captures the username/password.

2015
Posts: 902
Joined: Mon Feb 10, 2014 2:32 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by 2015 » Sat Oct 28, 2017 1:43 pm

After a night of much research, here's my workaround. Hope it's helpful for anyone else in the same circumstances:

Windows quietly installed a patch on October 10 which my laptop shows installed, therefore my laptop dedicated to financial accounts is safe. AT&T is working with vendors for a patch for my router, Google is supposedly rolling out a patch for Android phones November 6th, and it's unknown when Motorola will be rolling out a patch for Moto G phones (which I have). So 3 avenues for a patch possibly in near future. Meanwhile, I will turn off phone WiFi when getting texts for 2FA for financial sites until patch happens, as I can send/receive texts with WiFi turned off. I don't use the phone a lot for data, and until the patches happen, I will minimize such use even more. As nothing I own uses IoT, that risk is off the table as well.

AntsOnTheMarch
Posts: 313
Joined: Mon May 29, 2017 5:47 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by AntsOnTheMarch » Tue Oct 31, 2017 9:28 pm

Apple issued security fixes for this (both OS X and iOS) today.

crumbone
Posts: 52
Joined: Thu Oct 12, 2017 11:50 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by crumbone » Tue Oct 31, 2017 11:54 pm

F150HD wrote:
Fri Oct 27, 2017 4:10 pm
I use Kaspersky's Safe Money when logging into and checking financial accounts.

Despite the politics of Kaspersky, I like their Total Security Suite - SafeMoney is part of it. Usually found for like $30ish if you shop around.


Why Safe Money is Useful?
I don't want to cross boundaries vis-a-vis political discussion, but I would have serious reservations about security software from a company that has been identified as a possible state actor in major security breaches (cf. https://www.google.com/amp/s/arstechnic ... s/%3famp=1 )

crumbone
Posts: 52
Joined: Thu Oct 12, 2017 11:50 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by crumbone » Tue Oct 31, 2017 11:59 pm

azurekep wrote:
Sat Oct 28, 2017 1:14 pm
AntsOnTheMarch wrote:
Sat Oct 28, 2017 6:35 am
azurekep wrote:
Sat Oct 28, 2017 3:12 am

I was thinking more along the lines of the large number of browser exploits that have involved commercial plug-ins like Flash and Java.
These are very easy to deal with on Safari in OS X (and pretty much any browser). Disable them or force them to ask permissions each time a website requests their use, and approve on a case by case basis.

I have java turned off completely and have for years. I have safari ask me to approve flash content. It rarely comes up. In iOS, these extensions are not supported so the user need not concern him/herself with them (another reason why the average user might be safer on an iPad). But nothing will protect a person who willy nilly clicks on every email link, casually jailbreaks their phone to get a third party app, etc.
I just used Flash and Java as examples of non-open-source software that is problematic. I think most people now (at least on this site) are aware that these specific programs should be disabled if not removed. The industry is going that way as well with browsers on a path to abandon Flash.

But I did want to point out that as horrific as the Equifax breach was, if a simple Flash/Java or similar exploit results in a keylogger being installed on a system, that could be much worse than Equifax if it recorded log-in data. A hacker would have instant access to a bank account and could add themselves as a billpay recipient. So, the daily exploits can be more damaging than the massive server-side breaches, though the latter have longer-term consequences.
Now, I agree with you that an expert user who wants to create some sort of sandbox environment for sensitive computer use is certainly not being paranoid and maybe gets a degree of extra security. But the average user will be helped more by simply following good simple practices and common sense rather than using all sorts of software they don’t understand—and getting some sort of false comfort from it.
You're right of course. I should be comparing the average (dumb) user who does their financial work on a computer vs the similarly dumb user who does their financial work on a phone. Which is safer? That's basically what I'm trying to get at. The one thing I know for sure is that web browsers on a computer are very customizable for security/privacy without a lot of additional software. But it requires a little reading to learn the ins and outs, and the developers have made the task more difficult by hiding many features as they add newer features. The fact that about:config in Firefox is about 345 zillion pages long now is not a good thing from a privacy/security standpoint since the user has lost control of their browser in a lot of ways. And just like with Windows, with every new feature added by Mozilla, new potential security vulnerabilities are added.

But then again, smart phone browsers and banking apps may be too limited in the configuration options they have. Insecure features may be embedded into the code, not amenable to modification by user action.
A huge payload or personal data is much more attractive to hackers than trying to sniff out Wi-Fi networks one at a time.
Agreed. One of my areas of ignorance was whether or not the WPA2 flaw allowed simply for eavesdropping on an ephemeral communication or if it could cause longer-term harm by getting into the router and affecting all communications -- wired and wireless. I think it's only the former, i.e., eavesdropping on a particular target of opportunity, with the hack ending as soon as the hacker drives away. That isn't too bad unless the victim is accessing a misconfigured banking site where perhaps the "https" is really "http" -- and the hacker catches this ephemeral communication and captures the username/password.
It could be used for more than eavesdropping via packet injection, if you're using TKIP encryption and not AES.

crumbone
Posts: 52
Joined: Thu Oct 12, 2017 11:50 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by crumbone » Wed Nov 01, 2017 12:02 am

2015 wrote:
Fri Oct 27, 2017 6:35 pm
azurekep wrote:
Fri Oct 27, 2017 10:52 am
AntsOnTheMarch wrote:
Fri Oct 27, 2017 6:26 am
...

So I just stay up to date and keep things patched, use common sense and caution. I’m not going the separate computer route myself. I do everything across three devices (phone, tablet, computer) and like them synced. And this hack, this doesn’t seem very threatening to me. Not gonna lose sleep over it.
When I read these security threads, I'm always surprised by how many people use their phones for financial things. I guess it would be easier to understand if this was a trading board and people wanted to check hour by hour what their stocks were doing. But I remain baffled why things like bill pay, setting up a funds transfer, doing a periodic check of account balances, etc. can't be done at home on the most secure (and possibly wired) computer. I'm sure I'm missing something here, but don't know what.

Edit: I can see the need to check by phone if one is travelling. There may not be PCs or at least reliable PCs available to do periodic account checks.
But someone brought up the internet of things and there I do agree. Don’t be so quick to buy that refrigerator that can refill your milk supply from amazon. These devices have a long way to go to catch up with the security fortifications of say, OS X. Proceed with caution.
Definitely. This is a huge security hole.
...
Totally agree. I would never access financial accounts on anything but a dedicated device at home, and definitely not via a phone (my phone is basically in terms of anything sensitive). I also can't justify participating in anything IoT related at this stage of the (in)security game. I view the IoT and the cloud as Black Swans waiting to happen.
The flock of Black Swans arrived some time ago, and are thriving in the stagnant water of IoT "security." https://www.wired.com/story/reaper-iot- ... -networks/

https://arstechnica.com/information-tec ... ng-babies/

As the owner of some of these "smart" things (as few as I can manage) that I use for their "dumb" functionality, I've disabled as much as I can, and taught myself enough network administration to set up my home network in a way that blocks or severely limits their access to the internet and segregates them from my other internet-connected devices.

azurekep
Posts: 944
Joined: Tue Jun 16, 2015 7:16 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by azurekep » Wed Nov 01, 2017 12:17 am

crumbone wrote:
Tue Oct 31, 2017 11:59 pm
azurekep wrote:
Sat Oct 28, 2017 1:14 pm
One of my areas of ignorance was whether or not the WPA2 flaw allowed simply for eavesdropping on an ephemeral communication or if it could cause longer-term harm by getting into the router and affecting all communications -- wired and wireless. I think it's only the former, i.e., eavesdropping on a particular target of opportunity, with the hack ending as soon as the hacker drives away. That isn't too bad unless the victim is accessing a misconfigured banking site where perhaps the "https" is really "http" -- and the hacker catches this ephemeral communication and captures the username/password.
It could be used for more than eavesdropping via packet injection, if you're using TKIP encryption and not AES.
Thanks for that.

This article gives an explanation.

What Is Packet Injection and Why Should You Care?

SittingOnTheFence
Posts: 199
Joined: Sun Sep 27, 2015 5:30 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by SittingOnTheFence » Wed Nov 01, 2017 12:19 am

AntsOnTheMarch wrote:
Tue Oct 31, 2017 9:28 pm
Apple issued security fixes for this (both OS X and iOS) today.
Sort of. N/A to my v6 iPhone. Read the fine print:

"Available for: iPhone 7 and later, and iPad Pro 9.7-inch (early 2016) and later

Impact: An attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK)"
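
The "nonce reuse" named in the advisory quoted above, and the eavesdropping question raised earlier in the thread, as an added example that is not part of any post. It is a toy model: the `Client` class, the HMAC-based keystream standing in for the real Wi-Fi cipher, and the sample frames are all constructed assumptions. It shows why reinstalling a key that is already in use exposes traffic, and how a client that refuses the reinstall avoids it.

```python
import hashlib
import hmac

# Constructed sample data, not captured traffic.
SESSION_KEY = hashlib.sha256(b"constructed session key").digest()
KNOWN = b"GET /index.html HTTP/1.1"    # predictable content an observer can guess
SECRET = b"user=alice&pin=4921&ok=1"   # content the user expects to stay private


def keystream(key, nonce, length):
    """Toy counter-mode keystream (HMAC-SHA256 blocks).

    Stand-in for the real cipher: the only property that matters here is
    that the same (key, nonce) pair always yields the same keystream.
    """
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Hypothetical Wi-Fi client keeping a session key and a packet counter."""

    def __init__(self, patched):
        self.patched = patched
        self.key = None
        self.packet_number = 0

    def install_key(self, key):
        """Runs each time the key-installing handshake message arrives."""
        if self.patched and key == self.key:
            return  # key already in use: keep the counter where it is
        self.key = key
        self.packet_number = 0  # unpatched behaviour: counter starts over

    def send(self, plaintext):
        self.packet_number += 1  # the counter is the per-frame nonce
        ks = keystream(self.key, self.packet_number, len(plaintext))
        return self.packet_number, xor(plaintext, ks)


def run_session(patched):
    """Two frames with a repeated key-install message arriving in between."""
    client = Client(patched)
    client.install_key(SESSION_KEY)
    first = client.send(KNOWN)
    client.install_key(SESSION_KEY)  # same handshake message delivered again
    second = client.send(SECRET)
    return [first, second]


def reused_nonces(frames):
    """Check: list every nonce that appears more than once under one key."""
    seen, reused = set(), []
    for nonce, _ in frames:
        if nonce in seen:
            reused.append(nonce)
        seen.add(nonce)
    return reused


def exposed_plaintext(frames, known):
    """What a passive observer learns from two frames if the nonce repeated.

    c1 XOR c2 == p1 XOR p2 when the keystream is identical, so knowing p1
    gives p2 without ever learning the key. Returns None if nonces differ.
    """
    (n1, c1), (n2, c2) = frames
    if n1 != n2:
        return None
    return xor(xor(c1, c2), known)


if __name__ == "__main__":
    for patched in (False, True):
        frames = run_session(patched)
        print("patched" if patched else "unpatched",
              "reused nonces:", reused_nonces(frames),
              "exposed:", exposed_plaintext(frames, KNOWN))
```

The session key is never recovered in either run; the exposure comes only from the repeated nonce, which is why the fix is on the device that reinstalls the key.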

AntsOnTheMarch
Posts: 313
Joined: Mon May 29, 2017 5:47 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by AntsOnTheMarch » Wed Nov 01, 2017 3:54 am

SittingOnTheFence wrote:
Wed Nov 01, 2017 12:19 am
AntsOnTheMarch wrote:
Tue Oct 31, 2017 9:28 pm
Apple issued security fixes for this (both OS X and iOS) today.
Sort of. N/A to my v6 iPhone. Read the fine print:

"Available for: iPhone 7 and later, and iPad Pro 9.7-inch (early 2016) and later

Impact: An attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK)"
IIRC, iPhones prior to 7 aren’t vulnerable. If you’re still concerned, you need to verify.

AntsOnTheMarch
Posts: 313
Joined: Mon May 29, 2017 5:47 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by AntsOnTheMarch » Wed Nov 01, 2017 6:28 am

crumbone wrote:
Tue Oct 31, 2017 11:54 pm
F150HD wrote:
Fri Oct 27, 2017 4:10 pm
I use Kaspersky's Safe Money when logging into and checking financial accounts.

Despite the politics of Kaspersky, I like their Total Security Suite - SafeMoney is part of it. Usually found for like $30ish if you shop around.


Why Safe Money is Useful?
I don't want to cross boundaries vis-a-vis political discussion, but I would have serious reservations about security software from a company that has been identified as a possible state actor in major security breaches (cf. https://www.google.com/amp/s/arstechnic ... s/%3famp=1 )
Trusting your devices to “security software” can be dangerous to your digital health. Avast*, distributed malware to millions of computer users.
According to reports, the malware-infested version of CCleaner was downloaded by 2.27 million users.
https://thenextweb.com/security/2017/09 ... istribute/
* Avast Software /əˈvɑːst, -æst/ is a Czech multinational cybersecurity software company headquartered in Prague, Czech Republic, that develops antivirus software and internet security services.
https://en.wikipedia.org/wiki/Avast_Software

2015
Posts: 902
Joined: Mon Feb 10, 2014 2:32 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by 2015 » Wed Nov 01, 2017 2:17 pm

AntsOnTheMarch wrote:
Wed Nov 01, 2017 6:28 am
crumbone wrote:
Tue Oct 31, 2017 11:54 pm
F150HD wrote:
Fri Oct 27, 2017 4:10 pm
Trusting your devices to “security software” can be dangerous to your digital health. Avast*, distributed malware to millions of computer users.
According to reports, the malware-infested version of CCleaner was downloaded by 2.27 million users.
https://thenextweb.com/security/2017/09 ... istribute/
* Avast Software /əˈvɑːst, -æst/ is a Czech multinational cybersecurity software company headquartered in Prague, Czech Republic, that develops antivirus software and internet security services.
https://en.wikipedia.org/wiki/Avast_Software
It's a good idea to tell the whole story here. The location of Avast headquarters is immaterial to the hack:

https://blog.avast.com/avast-threat-lab ... r-incident


Technical update and ongoing analysis of the APT security incident

Experts at Avast Threat Labs have been analyzing the CCleaner advanced persistent threat (APT) continuously for the past few days and apart from the information in recent blog posts (Piriform and Avast posts), we are starting a series of technical blog posts describing details and technical information that we encountered during our analysis. Today, we will cover the ongoing analysis of the CnC server and the 2nd stage payload.

Just 4 days of data?

Shortly after receiving the initial notification about the incident from Morphisec, we reached out to law enforcement agencies to help us take down the Command and Control (CnC) server and get access to its contents. While analyzing the data, we noticed that there were only a few days’ worth of data in the logs, and we wondered why? We knew the server was installed on July 31st so there had to be more than a month’s worth of data since then


Where did the attackers come from?

To figure out who the attackers were, we looked for any breadcrumbs the attackers might have left for us to follow. As Costin Raiu pointed out on Twitter [redacted for security], there are some striking similarities between the code injected into CCleaner and APT17/Aurora malware created by a Chinese APT group in 2014/2015.

Interestingly enough, most of the connections came from Japanese networks. Although these addresses are likely just infected PCs and servers used as proxies, it suggests that the attackers might be familiar with Asian networks. The list of targeted companies contained quite a few Asian companies but none from China. Lastly, the time zone in the PHP scripts feeding the database were set to PRC (People’s Republic of China) although the system clock is in UTC.

Even with all of these clues, it is impossible at this stage to claim which country the attack originated from, simply because all of the data points could easily be forged to hide the true location of the perpetrator.

AntsOnTheMarch
Posts: 313
Joined: Mon May 29, 2017 5:47 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by AntsOnTheMarch » Wed Nov 01, 2017 4:35 pm

2015 wrote:
Wed Nov 01, 2017 2:17 pm
AntsOnTheMarch wrote:
Wed Nov 01, 2017 6:28 am
crumbone wrote:
Tue Oct 31, 2017 11:54 pm
F150HD wrote:
Fri Oct 27, 2017 4:10 pm
Trusting your devices to “security software” can be dangerous to your digital health. Avast*, distributed malware to millions of computer users.
According to reports, the malware-infested version of CCleaner was downloaded by 2.27 million users.
https://thenextweb.com/security/2017/09 ... istribute/
* Avast Software /əˈvɑːst, -æst/ is a Czech multinational cybersecurity software company headquartered in Prague, Czech Republic, that develops antivirus software and internet security services.
https://en.wikipedia.org/wiki/Avast_Software
It's a good idea to tell the whole story here. The location of Avast headquarters is immaterial to the hack:

https://blog.avast.com/avast-threat-lab ... r-incident


Technical update and ongoing analysis of the APT security incident

Experts at Avast Threat Labs have been analyzing the CCleaner advanced persistent threat (APT) continuously for the past few days and apart from the information in recent blog posts (Piriform and Avast posts), we are starting a series of technical blog posts describing details and technical information that we encountered during our analysis. Today, we will cover the ongoing analysis of the CnC server and the 2nd stage payload.

Just 4 days of data?

Shortly after receiving the initial notification about the incident from Morphisec, we reached out to law enforcement agencies to help us take down the Command and Control (CnC) server and get access to its contents. While analyzing the data, we noticed that there were only a few days’ worth of data in the logs, and we wondered why? We knew the server was installed on July 31st so there had to be more than a month’s worth of data since then


Where did the attackers come from?

To figure out who the attackers were, we looked for any breadcrumbs the attackers might have left for us to follow. As Costin Raiu pointed out on Twitter [redacted for security], there are some striking similarities between the code injected into CCleaner and APT17/Aurora malware created by a Chinese APT group in 2014/2015.

Interestingly enough, most of the connections came from Japanese networks. Although these addresses are likely just infected PCs and servers used as proxies, it suggests that the attackers might be familiar with Asian networks. The list of targeted companies contained quite a few Asian companies but none from China. Lastly, the time zone in the PHP scripts feeding the database were set to PRC (People’s Republic of China) although the system clock is in UTC.

Even with all of these clues, it is impossible at this stage to claim which country the attack originated from, simply because all of the data points could easily be forged to hide the true location of the perpetrator.
I didn’t mean to imply the country of origin mattered. Only that “computer security” software in general doesn’t necessarily make you safer and these companies are often targets themselves. I also noticed when I read some of the communications about this originally from avast that they made it seem that they found the problem but in fact, Cisco found it and notified them. Just buyer beware.

F150HD
Posts: 1133
Joined: Fri Sep 18, 2015 7:49 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by F150HD » Wed Nov 01, 2017 8:29 pm

crumbone wrote:
Tue Oct 31, 2017 11:54 pm
I don't want to cross boundaries vis-a-vis political discussion, but I would have serious reservations about security software from a company that has been identified as a possible state actor in major security breaches (cf. https://www.google.com/amp/s/arstechnic ... s/%3famp=1 )
If you feel that way, then don't buy their products.

2015
Posts: 902
Joined: Mon Feb 10, 2014 2:32 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by 2015 » Wed Nov 01, 2017 8:51 pm

AntsOnTheMarch wrote:
Wed Nov 01, 2017 4:35 pm
2015 wrote:
Wed Nov 01, 2017 2:17 pm
AntsOnTheMarch wrote:
Wed Nov 01, 2017 6:28 am
crumbone wrote:
Tue Oct 31, 2017 11:54 pm
F150HD wrote:
Fri Oct 27, 2017 4:10 pm
Trusting your devices to “security software” can be dangerous to your digital health. Avast*, distributed malware to millions of computer users.
According to reports, the malware-infested version of CCleaner was downloaded by 2.27 million users.
https://thenextweb.com/security/2017/09 ... istribute/
* Avast Software /əˈvɑːst, -æst/ is a Czech multinational cybersecurity software company headquartered in Prague, Czech Republic, that develops antivirus software and internet security services.
https://en.wikipedia.org/wiki/Avast_Software
It's a good idea to tell the whole story here. The location of Avast headquarters is immaterial to the hack:

https://blog.avast.com/avast-threat-lab ... r-incident


I didn’t mean to imply the country of origin mattered. Only that “computer security” software in general doesn’t necessarily make you safer and these companies are often targets themselves. I also noticed when I read some of the communications about this originally from Avast that they made it seem that they found the problem but in fact, Cisco found it and notified them. Just buyer beware.
I couldn't agree more. No sooner did the Equifax debacle happen than we are hit with knowing our router encryption isn't safe. It never ends. :oops:

crumbone
Posts: 52
Joined: Thu Oct 12, 2017 11:50 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by crumbone » Wed Nov 01, 2017 10:32 pm

2015 wrote:
Wed Nov 01, 2017 8:51 pm
AntsOnTheMarch wrote:
Wed Nov 01, 2017 4:35 pm
2015 wrote:
Wed Nov 01, 2017 2:17 pm
AntsOnTheMarch wrote:
Wed Nov 01, 2017 6:28 am
crumbone wrote:
Tue Oct 31, 2017 11:54 pm
Trusting your devices to “security software” can be dangerous to your digital health. Avast*, distributed malware to millions of computer users.
According to reports, the malware-infested version of CCleaner was downloaded by 2.27 million users.
https://thenextweb.com/security/2017/09 ... istribute/
* Avast Software /əˈvɑːst, -æst/ is a Czech multinational cybersecurity software company headquartered in Prague, Czech Republic, that develops antivirus software and internet security services.
https://en.wikipedia.org/wiki/Avast_Software
It's a good idea to tell the whole story here. The location of Avast headquarters is immaterial to the hack:

https://blog.avast.com/avast-threat-lab ... r-incident


I didn’t mean to imply the country of origin mattered. Only that “computer security” software in general doesn’t necessarily make you safer and these companies are often targets themselves. I also noticed when I read some of the communications about this originally from Avast that they made it seem that they found the problem but in fact, Cisco found it and notified them. Just buyer beware.
I couldn't agree more. No sooner did the Equifax debacle happen than we are hit with knowing our router encryption isn't safe. It never ends. :oops:
Thoughts:
1. Most productive steps are behavioral (don't open email attachments, etc.)-- social engineering/phishing attacks are the most common and successful ones against individuals
2. Use a password manager.
3. Update everything regularly.
4. Replace WiFi with wired Ethernet everywhere it is feasible to do so. Consider separating your router and wireless access point into 2 separate devices (enterprise networks do this routinely for a number of reasons)
5. Keep the Internet of Things out of your house.
6. Avoid "security software"-- it's fundamentally reactive, ineffective, and has been used as an attack vector multiple times already.
7. Recognize that you are fundamentally powerless to stop these big breaches (especially by well-funded state actors.) Any useful change will have to come at the government level, so consider asking for it. (I hope this wasn't excessively political.)

Longtermgrowth
Posts: 428
Joined: Thu Nov 26, 2015 1:59 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by Longtermgrowth » Thu Nov 02, 2017 2:10 am

I'm far enough away from my neighbors, I doubt any are even within range. Plus anyone out in the street, probably out of range, is getting their license plate checked with binoculars or I'm just checking the mail with a pistol on my side.
I need to look into router software upgrades, no clue how it even works. Hardly ever go on my router config page, but I do have my SSID hidden. Friends that come over have no clue that I even have a supposed encrypted router, and they're always checking for free Wi-Fi...

2015
Posts: 902
Joined: Mon Feb 10, 2014 2:32 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by 2015 » Thu Nov 02, 2017 3:45 am

crumbone wrote:
Wed Nov 01, 2017 10:32 pm
2015 wrote:
Wed Nov 01, 2017 8:51 pm
AntsOnTheMarch wrote:
Wed Nov 01, 2017 4:35 pm
2015 wrote:
Wed Nov 01, 2017 2:17 pm
AntsOnTheMarch wrote:
Wed Nov 01, 2017 6:28 am
I didn’t mean to imply the country of origin mattered. Only that “computer security” software in general doesn’t necessarily make you safer and these companies are often targets themselves. I also noticed when I read some of the communications about this originally from Avast that they made it seem that they found the problem but in fact, Cisco found it and notified them. Just buyer beware.
I couldn't agree more. No sooner did the Equifax debacle happen than we are hit with knowing our router encryption isn't safe. It never ends. :oops:
Thoughts:
1. Most productive steps are behavioral (don't open email attachments, etc.)-- social engineering/phishing attacks are the most common and successful ones against individuals. I'm already locked down like Fort Knox.
2. Use a password manager. I use that and a thousand other steps to fortify security.
3. Update everything regularly. Secunia software scans continuously for updates of all software on the computer.
4. Replace WiFi with wired Ethernet everywhere it is feasible to do so. Consider separating your router and wireless access point into 2 separate devices (enterprise networks do this routinely for a number of reasons) Hello no. That's where I draw the "security vs. convenience" line. Instead, Microsoft has already issued a patch for my PC, and I turn off phone wi-fi before requesting text 2FA for website access.
5. Keep the Internet of Things out of your house. There's an "IoT Keep Out" sign on the front door.
6. Avoid "security software"-- it's fundamentally reactive, ineffective, and has been used as an attack vector multiple times already. Here I disagree. I only access all financial account websites and even email accounts in Avast's banking mode.
7. Recognize that you are fundamentally powerless to stop these big breaches (especially by well-funded state actors.) Any useful change will have to come at the government level, so consider asking for it. (I hope this wasn't excessively political.) Not to be/get political, but I'm not about to waste my time.

Longtermgrowth
Posts: 428
Joined: Thu Nov 26, 2015 1:59 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by Longtermgrowth » Thu Nov 02, 2017 4:42 am

So I checked my router's firmware version, went through the manufacturer's website, and there is no upgrade for my device. Also while checking settings, I'm not using WPA2, but I'm not sure that makes me any more secure...

SittingOnTheFence
Posts: 199
Joined: Sun Sep 27, 2015 5:30 pm

Re: WPA2 protocol used by vast majority of wifi connections has been broken

Post by SittingOnTheFence » Thu Nov 02, 2017 2:17 pm

Longtermgrowth wrote:
Thu Nov 02, 2017 4:42 am
I'm not using WPA2, but I'm not sure that makes me any more secure...
Do you have a deadbolt on your front door? If so, then you should use WPA2 for similar reasons. If you don't lock your front door then I guess you don't need WPA2. Or, for that matter, any of the other less secure protocols.
