
Flaw in ~ WPA2 Encryption


Teken


It seems every day some real smart guy / team is able to find a flaw in existing protocols / standards: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/ I find it interesting the author states most of the systems impacted by this are Android and Linux systems.

 

Windows and iOS are stated as being impacted less?!?

 

Regardless, all of the hard work from these researchers and solution(s) should hopefully be implemented in future releases. On a related tangent this flaw is the reason as to why Google and Government agencies have been able to access wireless networks for years. If anyone recalls the huge fiasco where the Google mapping car was *somehow* able to access secured networks while driving around.

 

This is exactly how it was done . . .

 

Meaning just because this public announcement just came out it was well understood by the spooks and others. 

Link to comment

From what I have read, the KRACK attack does not compromise the PSK itself, but uses the protocol to tell a client to switch frequencies to a rogue AP and re-use the nonce encryption key which was intentionally zeroed out after installation as required by the spec. I don’t think this vulnerability was used in the Google inadvertent WiFi collection. Vendors were notified individually in July and en masse in August. https://www.krackattacks.com

 

Here is the most comprehensive list I’ve come across listing how vendors are doing. What I find most alarming is companies like Google and Amazon are still in the evaluation phase. What have they been doing for 3 months? Perhaps they were waiting for open source patches to become available. Apple, pfSense, LEDE, DDWRT are testing patches. I’m already running iOS 11.1b3 which includes the patches. Good luck Android users.

 

https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

 

The other concern is whether all the embedded devices in the wild will ever receive patches. I’ve reached out to the companies for devices I own if I haven’t seen an official response or statement from them.

Link to comment
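The key reinstallation discussed in the post above comes down to a client resetting its transmit nonce when message 3 of the 4-way handshake is replayed. As an added example (not part of the original thread, and not code from any real Wi-Fi stack), this simplified model compares an unpatched client with one that refuses to reinstall a key already in use; the names `Supplicant`, `on_message3`, `send_frame` and `count_nonce_reuse` and the sample key are hypothetical.

```python
# Added illustration: simplified model of a WPA2 client (supplicant).
# All names and the sample key are hypothetical, constructed for this example.

class Supplicant:
    def __init__(self, patched):
        self.patched = patched
        self.installed_key = None
        self.tx_nonce = 0      # stands in for the packet number; must never repeat per key
        self.used = set()      # (key, nonce) pairs already used to encrypt a frame

    def on_message3(self, ptk):
        """Handle handshake message 3, which may be a retransmission."""
        if self.patched and ptk == self.installed_key:
            return False       # key already in use: keep the current nonce
        self.installed_key = ptk
        self.tx_nonce = 0      # (re)installing the key resets the nonce
        return True

    def send_frame(self):
        """Encrypt one data frame; return True if (key, nonce) was used before."""
        self.tx_nonce += 1
        pair = (self.installed_key, self.tx_nonce)
        reused = pair in self.used
        self.used.add(pair)
        return reused


def count_nonce_reuse(patched, frames_before=3, frames_after=3):
    """Deliver message 3 twice in one session and count reused (key, nonce) pairs."""
    ptk = b"constructed-session-key"   # constructed sample value
    client = Supplicant(patched)
    client.on_message3(ptk)            # normal handshake completion
    reuse = sum(client.send_frame() for _ in range(frames_before))
    client.on_message3(ptk)            # same message 3 arrives again
    reuse += sum(client.send_frame() for _ in range(frames_after))
    return reuse


if __name__ == "__main__":
    print("unpatched client, reused nonces:", count_nonce_reuse(False))
    print("patched client, reused nonces:  ", count_nonce_reuse(True))
```

Any nonzero count means two frames were encrypted under the same key and nonce, which is the condition the vendor patches remove.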

I agree the odds Android will be fully patched are next to zero . . . There were too many iterations of Google's (A-Z) Android OS on hardware that could not be upgraded to the next level. While 90% of the hardware makers who used these first, second generation Android OS simply abandoned them and never bothered to develop a fix for any known vulnerability.

 

The major barrier for some was hardware limitation so they physically could not be upgraded to the next Android flavor.

 

RE: Google collection -> What isn't popularly well known in the *Public Domain* is how and what data was captured. Anyone who has been a member of any security forum will tell you what Google told the public isn't the whole truth. Keeping in mind this whole KRACK is only one of dozens of holes in various platforms. Anyone who has been tracking the whole NSA hack of treasure trove of *Hacking Tools* which the North Koreans have literally used for their own use.

 

Was the direct result of no less than three of the major events on the Internet . . .

 

Not too long ago people were laughing at North Korea and saying they had zero capability in cyber warfare. I can tell you with a high level of confidence no one is laughing anymore and they are one of the leaders in this field. Keeping in mind these same so-called professional know-it-alls said North Korea was 10, 20 years out from ever mastering the *Bomb* . . .

 

I'm going to ignore anything I hear, read, see about how secure things are because there is no such thing as secure in 2017 with respect to electronics when it's attached to the Internet.

 

Anyone who doubts the veracity of that bold statement need only Google *Thin Thread*.

Link to comment

Just as an FYI - in the security community there are currently over 200 known exploits against the latest iPhone OS, and less than half that against the latest Pixel Android. The issue is other manufacturers (where hundreds of vulnerabilities generally lie) - not Google (who do a much better job it turns out than Apple)

 

I was just at a significant but NDAd security conference with some big players. They all carry Pixel phones. Other indications, LastPass and Yubikeys are common in this group...

 

For security, I’d take a Pixel over any other device.... except maybe a Cryptophone..

Link to comment

What do you think about “Dashlane” app? Is there a reason to pick LastPass over it?

Link to comment

I cannot speak to Dashlane, other than to say I’ve met hundreds of people that use LastPass (personally and professionally in the security industry) and never met anyone that uses Dashlane.

I know of a few government agencies that require it on mobile devices.

 


Link to comment

LastPass and 1Password were already hacked. Just a matter of time for Dashlane. iCloud Keychain works across web and apps, managed by a company which has the ca$h to spend on security.

Yes, there was an attack on LastPass that leaked some encrypted data blobs, but the encryption was found sound and as long as the user was using a strong master password their vault is safe....

 

1Password users were not so lucky.

 

In fact, the result of the audit after the LastPass leak convinced many more security professionals to use LastPass....

Link to comment

And to this day, no one has shown that any account was accessed. Old news.

 


Link to comment

Archived

This topic is now archived and is closed to further replies.

