anthonypants posted:
> Even so, it would be really nice if there were some method of defense from the client side, otherwise you're not going to be able to connect to a Starbucks' or a hotel's wifi network until WPA3.

# ? Oct 16, 2017 09:08
The video demo is out for the WPA2 attack: https://www.youtube.com/watch?v=Oh4WURZoR98

I'm potentially being dumb here, but it looks like it forces the client to connect to a rogue AP in order for the capture of the traffic to work. Hasn't that been a possibility for a while? The second part of the video is a MitM downgrade of SSL which presumably HSTS would prevent, assuming the browser isn't broken.

Edit: Maybe I've missed the point and the rogue AP is only used to gently caress with the handshake.

Thanks Ants fucked around with this message at 10:36 on Oct 16, 2017

# ? Oct 16, 2017 10:33
Thanks Ants posted:
> The video demo is out for the WPA2 attack:

He used an Android device for this - this isn’t an Android-specific bug, is it? Also, does this allow the hacker to steal the network’s PSK?

# ? Oct 16, 2017 11:16
The paper shows Android to be vulnerable in a way that Windows isn't, as it will accept a load of zeros as the key.

# ? Oct 16, 2017 11:18
Thanks Ants posted:
> The paper shows Android to be vulnerable in a way that Windows isn't, as it will accept a load of zeros as the key.

Are modern iOS devices vulnerable? Like I said too, you can fiddle with traffic but you can’t get the PSK in plaintext, right?

# ? Oct 16, 2017 11:29
Good morning, what should I be working on this w- what the gently caress

Potato Salad fucked around with this message at 12:40 on Oct 16, 2017

# ? Oct 16, 2017 11:31
Three-Phase posted:
> Are modern iOS devices vulnerable? Like I said too you can fiddle with traffic but you can’t get the PSK in plaintext right?

Everything using WPA2 is vulnerable to the attacks. New versions of Linux just make it extra trivial because of a flaw in wpa_supplicant. Website for the attack is up: https://www.krackattacks.com/

# ? Oct 16, 2017 11:47
Debian already pushed patches to stable. I haven't checked OpenWRT but it shouldn't take long, right? And then the only people affected will be the 99.9% who never flash their firmware, use the wifi router their ISP gives/leases them when they sign up, etc.?

# ? Oct 16, 2017 11:51
Rectus posted:
> Everything using WPA2 is vulnerable to the attacks. New versions of Linux just make it extra trivial because of a flaw in wpa_supplicant.

Well drat. Exposing the PSK is especially bad.

EDIT: The article doesn’t mention compromising the PSK itself? As in someone being able to hop onto a network as a separate device?

Three-Phase fucked around with this message at 12:24 on Oct 16, 2017

# ? Oct 16, 2017 12:14
Three-Phase posted:
> Well drat. Exposing the PSK is especially bad.

Article explicitly says that the PSK isn’t compromised.

# ? Oct 16, 2017 12:29
Three-Phase posted:
> Well drat. Exposing the PSK is especially bad.

Sorry, missed the PSK part in your question.

# ? Oct 16, 2017 12:55
Subjunctive posted:
> Article explicitly says that the PSK isn’t compromised.

Ok, well at least that’s one ray of sunshine. I missed that in the article.

# ? Oct 16, 2017 13:34
Rectus posted:
> Everything using WPA2 is vulnerable to the attacks. New versions of Linux just make it extra trivial because of a flaw in wpa_supplicant.

Reading through this, it’s bad, but not as bad as I thought (in that it mainly seems to require fixes on the client side only, unless you’re implementing some specific features). Other than all the Android devices that will never get another security update, anything big I’m missing?

# ? Oct 16, 2017 14:16
This is why you should always leave your router set to the default password instead of the one you use for the rest of your accounts.

# ? Oct 16, 2017 14:56
Maneki Neko posted:
> Reading through this, it’s bad, but not as bad as I thought (in that it mainly seems to require fixes on the client side only unless you’re implementing some specific features).

This is just the start. This is how WEP broke down initially; slow to start until the critical "ooh, it's super bad". That PoC just happened to be for Android, but he needed something to send to the vendors.

# ? Oct 16, 2017 15:04
Maneki Neko posted:
> Reading through this, it’s bad, but not as bad as I thought (in that it mainly seems to require fixes on the client side only unless you’re implementing some specific features).

While there are a lot of APs built in to home routers that'll never see updates, they're mostly not connected to high-value target networks. A lot of the major commercial AP vendors already have updates available; hell, quite a few had already silently patched the issue in a publicly available firmware and then just announced it when disclosure time came around. Within a few weeks I expect that the majority of business-grade WiFi APs will be patched for this.

On the other hand, the client side is going to be vulnerable pretty much forever. As you note there are probably literally millions of Android devices that will never see an update again (if they ever did in the first place), all kinds of IoT things, all kinds of appliances. If it connects to a WiFi network it's probably vulnerable, and if it runs Linux it's apparently probably particularly vulnerable thanks to the wpa_supplicant bug.

# ? Oct 16, 2017 15:39
Meraki are releasing firmware today:
> Dear Meraki Customer,

# ? Oct 16, 2017 15:52
https://twitter.com/mrgretzky/status/919883806475194368

# ? Oct 16, 2017 16:10
I've not seen the usual vendors crawl out of their holes to tell people to use their Internet security suite that tunnels everything back to their yet; presumably that's on the way.

# ? Oct 16, 2017 16:24
LEDE's rolling out updates to the latest version via their package manager for the WPA2 issue right now, according to their forum. It's not out for mine yet, but they should be all built and released in the next few hours.

# ? Oct 16, 2017 17:21
Thanks Ants posted:
> I've not seen the usual vendors crawl out of their holes to tell people to use their Internet security suite that tunnels everything back to their yet, presumably that's on the way

You can stop checking LinkedIn for the next 2-4 weeks because every vendor will be unbearable.

# ? Oct 16, 2017 17:28
people check linkedin?

# ? Oct 16, 2017 18:38
Three-Phase posted:
> Are modern iOS devices vulnerable? Like I said too you can fiddle with traffic but you can’t get the PSK in plaintext right?

https://papers.mathyvanhoef.com/ccs2017.pdf

It's not getting the PSK, it's forcing re-use of the temporal keys due to a flaw in the 802.11i 4-way handshake. It allows packet replay and decryption with AES, and packet replay, decryption and forging with TKIP and GCMP. It's especially bad for TKIP and GCMP due to the forging, and really no one should be using it anymore anyway. This is a vulnerability in WPA/WPA2 in general, not *just* WPA/WPA2-PSK.

And iOS is not vulnerable since they break spec and don't allow msg 3 to be resent in EAPOL. Windows breaks spec the same way. Both iOS and Windows are vulnerable to the GTK attack. Android is completely owned due to it allowing the attack to actually set a temporal key of all 0's.

Also, mitigation appears to be possible at either end. So either the AP needs a hotfix to enable a key re-use check, or it goes on the client side. If only one of the sides won't allow it, this won't work.

Proteus Jones fucked around with this message at 18:55 on Oct 16, 2017

# ? Oct 16, 2017 18:51
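As an added illustration of the key-reinstallation point made in the post above (example code written for this thread, not code from the paper, from wpa_supplicant or from any poster), the toy supplicant below models what a retransmitted message 3 does to three clients: one that reinstalls the PTK and so resets its packet number, one that additionally has the wpa_supplicant zero-key behaviour, and one hardened to answer the retransmission without reinstalling. All class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

ZERO_TK = bytes(16)   # the all-zero temporal key the buggy Linux/Android client ends up with


@dataclass
class Supplicant:
    """Hypothetical client-side handshake state (toy model, not wpa_supplicant code)."""
    hardened: bool = False                 # refuse to reinstall a PTK that is already installed
    clears_tk_after_install: bool = False  # models the wpa_supplicant bug mentioned in the thread
    tk: Optional[bytes] = None             # temporal key currently handed to the driver
    tx_pn: int = 0                         # transmit packet number, used as the CCMP/GCMP nonce
    installed: bool = False
    seen: Set[Tuple[bytes, int]] = field(default_factory=set)

    def on_message3(self, ptk: bytes) -> str:
        """Handle EAPOL message 3, whether the first delivery or a retransmission."""
        if self.installed and self.hardened:
            return "msg4"                  # acknowledge, but leave key and packet number alone
        self._install_key(ptk)
        return "msg4"

    def _install_key(self, ptk: bytes) -> None:
        # A vulnerable client reinstalls the key and resets the packet number to zero.
        # The buggy wpa_supplicant had already wiped the TK from memory after the first
        # install, so the reinstall hands the driver all zeros instead.
        self.tk = ZERO_TK if (self.installed and self.clears_tk_after_install) else ptk
        self.tx_pn = 0
        self.installed = True

    def send_frame(self) -> bool:
        """Transmit one data frame; True if this (key, nonce) pair was already used."""
        nonce = (self.tk, self.tx_pn)
        reused = nonce in self.seen
        self.seen.add(nonce)
        self.tx_pn += 1
        return reused


def run_handshake(hardened: bool, clears_tk: bool, ptk: bytes = b"\x11" * 16,
                  frames: int = 3) -> Tuple[int, Optional[bytes]]:
    """Deliver message 3 twice with frames sent in between; return (nonce reuses, final TK)."""
    sta = Supplicant(hardened=hardened, clears_tk_after_install=clears_tk)
    sta.on_message3(ptk)
    reuses = sum(sta.send_frame() for _ in range(frames))
    sta.on_message3(ptk)                   # retransmitted message 3: the trigger the paper describes
    reuses += sum(sta.send_frame() for _ in range(frames))
    return reuses, sta.tk
```

The reinstalling client repeats every (key, nonce) pair after the retransmission, the zero-key client ends up encrypting under `ZERO_TK`, and the hardened client keeps counting from where it left off, which is the "key re-use check" the post says either side can add.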
Cross posting from yospos: Your Android phone isn't completely owned. All networks are untrusted, and if you have an open network in your network list this literally changes nothing for your security. Even then, if your poo poo isn't end to end secure it's insecure full stop; trusting WiFi security for absolutely anything beyond packets from your device to the router is stupid.

# ? Oct 16, 2017 19:03
Got a quick cert/CSR question: We have a third party that higher-ups are going to have host a website for us at a subdomain, customname.ourcompany.com. Obviously, because they are using ourcompany.com as the subdomain, we need to provide them a valid certificate that matches the name customname.ourcompany.com (they asked for our wildcard cert, and we already shot them down). They are asking us what information to put into the CSR that they are going to give to us, but shouldn't that be on them to fill in? I'm somewhat unclear as to what real ramifications the contents of the CSR have, as long as the CN and dnsDomainName match what we need. I'll probably end up just providing them an openssl config file to generate the CSR, but I figured I'd ask here first.

# ? Oct 16, 2017 19:36
apseudonym posted:
> Cross posting from yospos:

Fair enough. I was being hyperbolic.

# ? Oct 16, 2017 19:40
Wicaeed posted:
> Got a quick cert/CSR question:

# ? Oct 16, 2017 19:51
Wicaeed posted:
> Got a quick cert/CSR question:

I don't think any of the address details appear in the cert anywhere, unless you're using an EV cert. Can they just use Let's Encrypt and leave you alone?

# ? Oct 16, 2017 20:07
Can someone explain how PKI differs from just having a public/private key? Is it just the fact that there is a CA, or is there something else to it? I see people talking about implementing PKI like it's some huge project, but as far as I can tell it's just keeping track of your certs/keys and keeping your private keys secure. What am I missing here?

# ? Oct 16, 2017 20:21
RFC2324 posted:
> Can someone explain how PKI differs from just having a public/private key? Is it just the fact that there is a CA, or is there something else to it?

You are correct, but the effort to implement PKI is mainly deciding how to manage the trust. Internet, email, internal networking, username/password authentication, signing, encrypting messages and files, backups, network segregation. Creating a public/private key pair is nothing much. Implementing PKI is figuring out, "Maybe we should not use one public/private key to do everything I listed above."

# ? Oct 16, 2017 20:28
Doesn't it also encompass the distribution of certificates, which is not a trivial task?

# ? Oct 16, 2017 20:32
Thanks Ants posted:
> Doesn't it also encompass the distribution of certificates, which is not a trivial task

My personal understanding and use of the acronym "PKI" is that it's more all-encompassing and, like you said, includes the infrastructure for distribution, issuing, etc.

# ? Oct 16, 2017 20:37
EVIL Gibson posted:
> You are correct but the effort to implement PKI is mainly deciding how to manage the trust.

Thanks Ants posted:
> Doesn't it also encompass the distribution of certificates, which is not a trivial task

CLAM DOWN posted:
> My personal understanding and use of the acronym "PKI" is that it's more all encompassing and like you said includes the infrastructure for distribution, issuing, etc.

So it's the management system I was missing, and the (to me obvious) don't-reuse-passwords rule, since a key is effectively a password. Are there any good out-of-the-box management systems, or are these generally homegrown solutions? Thanks for the clarification.

# ? Oct 16, 2017 21:52
If you're setting up a large environment you have to think about CAs, sub-CAs, publishing of ARLs/CRLs, and how you want devices to retrieve certs (SCEP/CMP), etc. And what previous posters said about building a trust and how to manage that trust so it doesn't become worthless due to people loving things up.

# ? Oct 16, 2017 21:52
CLAM DOWN posted:
> My personal understanding and use of the acronym "PKI" is that it's more all encompassing and like you said includes the infrastructure for distribution, issuing, etc.

Yeah, PKI is all the backend crap needed to have joe user request a public/private key pair and have it be managed by the organization, or a cert for something, or any kind of managed encryption system.

# ? Oct 16, 2017 21:55
Really excited for all the assholes in the park across the street to packet sniff in on all the k-dramas the family watches.

# ? Oct 16, 2017 23:35
I got my hostapd update for LEDE. Update your poo poo if you haven’t already.

I tried setting up an OpenVPN connection, but I just found out Android doesn’t support TAP after I spent like two hours on it. Also, I can’t figure out why the Windows client won’t update my routes. I added the push redirect-gateway line to the server, but nothing changes. I’m not even sure if any traffic was going through it at all. I may play around with it later, but I’ll just use my cellular connection and USB tethering if I’m not at home for now.

# ? Oct 17, 2017 00:03
Double Punctuation posted:
> I got my hostapd update for LEDE. Update your poo poo if you haven’t already.

# ? Oct 17, 2017 00:18
anthonypants posted:
> Does Android still do that thing where if you install a root certificate, like you might for a VPN, it leaves a notification forever that your phone's network activity is being monitored? There were at least two threads about it on the Google issue tracker, but that was a while ago and they've been disappeared.

Nope, we're running Android phones with custom/internal roots and there's no notification or message like that. I know what you're referring to though.

# ? Oct 17, 2017 00:24
anthonypants posted:
> Does Android still do that thing where if you install a root certificate, like you might for a VPN, it leaves a notification forever that your phone's network activity is being monitored? There were at least two threads about it on the Google issue tracker, but that was a while ago and they've been disappeared.

I also haven't had this stuck on my Android for a while now.

# ? Oct 17, 2017 01:01