subject:"\[PLUG\] WPA2 vulnerability"

Re: [PLUG] WPA2 vulnerability

2017-10-17 Thread Dick Steffens

On 10/16/2017 11:18 PM, Mke C> wrote:
>
>> Okay. I did make some effort to find out more details before posting to
>> PLUG, but didn't know about the sites you list.
> It's not my intention to be a jerk-face about this stuff. I just googled
> the guy's name and wpa2 vulnerability to find those other info sources.
>
> I personally find security & privacy very interesting and extremely
> relevant in today's world. I don't always have the time, energy nor
> technical aptitude to make sense out of it all. However, I do believe we
> are better served by making a reasonable effort to share the best info
> we can and learn what we can so we can have informed and even enjoyable
> conversations that help us all become better digital denizens.

I agree, and I am very grateful to be able to learn from the great folks 
on this list.

-- 
Regards,

Dick Steffens

___
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug

Re: [PLUG] WPA2 vulnerability

2017-10-17 Thread Dick Steffens

On 10/16/2017 10:41 PM, Russell Senior wrote:
> LEDE and OpenWrt (soon to be re-merged) pushed the fix out today.

Good to know. I'll look into that.

Thanks!

-- 
Regards,

Dick Steffens

___
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug

Re: [PLUG] WPA2 vulnerability

2017-10-17 Thread Cryptomonkeys.org

The primary weakness is client side. My understanding is that patching the AP 
helps, but doesn't completely mitigate.

Don't forget to patch your printers, phones, tv's, and cameras.

Remember, Security is the 'S' in IoT


> On Oct 17, 2017, at 12:41 AM, Russell Senior  
> wrote:
> 
> LEDE and OpenWrt (soon to be re-merged) pushed the fix out today.
> 
> The one thing that isn't clear to me is whether both ends (AP and
> client) need to be fixed, or if patching at one end is enough.  Of
> course, if you just leave your network open, like the Personal Telco
> Project does, then you won't have this problem. ;-)
> 
> The other significant bug-of-the-day was the Infineon weak-RSA key
> bug.  I already have my free-replacement YubiKey 4's on order.  I
> generated my RSA keys off of the key and installed them, which makes
> my keys not affected by the faulty on-TPM-chip key generation code,
> however I might want to some day.
> 
> -- 
> Russell Senior
> russ...@personaltelco.net
> 
> On Mon, Oct 16, 2017 at 10:00 PM, Dick Steffens  wrote:
>> On 10/16/2017 09:37 PM, Mke C> wrote:
 Have people looked in to this:
 
 https://apnews.com/743db922a4d2473a8745ce54c134c33a/Researchers-discover-vulnerability-affecting-Wi-Fi-security
 
 If so, how have you handled it?
>>> Step 1. Get actual useful information on the vulnerability that provides
>>> some degree of understanding and assessing the risk.  That AP article is
>>> a prime example of standard mainstream fear mongering of the latest
>>> vulnerability discovered by a security researcher in a lab. Please help
>>> us all by not sharing info from AP in the future.
>>> 
>>> Better and more useful info here:
>>> Mostly layman but thorough -
>>> https://techcrunch.com/2017/10/16/wpa2-shown-to-be-vulnerable-to-key-reinstallation-attacks/
>>> 
>>> More technical - https://www.krackattacks.com/
>> 
>> Okay. I did make some effort to find out more details before posting to
>> PLUG, but didn't know about the sites you list.
>> 
>>> Step 2. Realize that cracking into a WiFi network isn't easy and takes
>>> time and effort. Not too mention trying to capture actual sensitive
>>> personal data.
>>> 
>>> Step 3 Have some coffee, tea or beer. Re-read step 2 and contemplate the
>>> following:
>>> 
>>> "He further writes that while some of the attacks detailed in the paper
>>> may seem hard to pull off, follow-up work has shown that attacks against
>>> — for example — macOS and OpenBSD are “significantly more general and
>>> easier to execute”, adding: “So although we agree that some of the
>>> attack scenarios in the paper are rather impractical, do not let this
>>> fool you into believing key reinstallation attacks cannot be abused in
>>> practice.”
>>> 
>>> Pizza Hut was recently hacked. 60,000 customers billing information
>>> compromised in 28 hrs. Equifax hack, etc, etc.
>>> 
>>> Step 4. Have some more of my fav beverage and wait patiently for
>>> security updates while using the Internet over a wired connection.
>> 
>> That's what I was hoping would be the answer. It's a known problem of
>> high enough priority that the major distros will take care of it, and
>> I'll keep up with my updates.
>> 
>>> Step 5. Realize that when I need to use WiFi, I'll just use it and
>>> probably not concern myself with security risks as like most people, I
>>> got stuff to do, places to go and people to see.
>>> 
>>> Step 6. Due to step 5, I put my faith and trust that there are good
>>> people who will release security patches and other good people who will
>>> file a class action law suits and polices / laws that protect consumers
>>> from identity theft, fraud and abuse.
>>> 
>>> Sleep well! =)
>> 
>> Most of my interaction with the Internet is over a wired connection. I
>> do regularly use WiFi at home. We're in a semi-rural neighborhood. There
>> aren't too many folks out here for that to be a major concern, and we're
>> not on a major thoroughfare. My home WiFi use is through my Buffalo
>> WZR-600 DHP router running OpenWRT. I'll check and see if OpenWRT is
>> working on anything related to this, and trust that Ubuntu will push out
>> a patch. My wife uses a Lenovo Win7 laptop, so I'll make sure MS is
>> doing something about it, too.
>> 
>> Thanks for your reply.
>> 
>> --
>> Regards,
>> 
>> Dick Steffens
>> 
>> 
>> ___
>> PLUG mailing list
>> PLUG@lists.pdxlinux.org
>> http://lists.pdxlinux.org/mailman/listinfo/plug
> ___
> PLUG mailing list
> PLUG@lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug

--
Louis Kowolowskilou...@cryptomonkeys.org 

Cryptomonkeys:   http://www.cryptomonkeys.com/ 


Making life more interesting for people since 1977

___
PLUG mailing list
PLUG@lists.pdxlinux.org
http:

Re: [PLUG] WPA2 vulnerability

2017-10-16 Thread Mke C>



> Okay. I did make some effort to find out more details before posting to
> PLUG, but didn't know about the sites you list.

It's not my intention to be a jerk-face about this stuff. I just googled 
the guy's name and wpa2 vulnerability to find those other info sources.

I personally find security & privacy very interesting and extremely 
relevant in today's world. I don't always have the time, energy nor 
technical aptitude to make sense out of it all. However, I do believe we 
are better served by making a reasonable effort to share the best info 
we can and learn what we can so we can have informed and even enjoyable 
conversations that help us all become better digital denizens.

I often listen to the Security Now Podcast and Last Spring I attended a 
Priv & Sec presentation. It wasn't one of these that are currently on 
Calagator listed below. What I quickly realized is that as the amount of 
sw and the level of connectivity between sw & devices increases so will 
the attack surface to the point of exhaustion, frustration and 
potentially insanity.

I take reasonable and responsible priv & sec measures. However, at the 
end of the day I think more about what are the repercussions and 
recourse when the proverbial matter hits the fan. Good luck!

Calagator Sec & Priv Events: 
(http://calagator.org/events/search?utf8=%E2%9C%93&query=privacy)
Monday
Oct 16  Controlling Your Online Privacy 

6–8pmNorthwest Academy 
Saturday
Oct 21  Intermediate Digital Privacy & Safety 

1–3pmFree Geek 

Thursday
Oct 26  Intro to Digital Privacy & Safety 

10:30am–12:30pmFree Geek 

___
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug

Re: [PLUG] WPA2 vulnerability

2017-10-16 Thread Russell Senior

LEDE and OpenWrt (soon to be re-merged) pushed the fix out today.

The one thing that isn't clear to me is whether both ends (AP and
client) need to be fixed, or if patching at one end is enough.  Of
course, if you just leave your network open, like the Personal Telco
Project does, then you won't have this problem. ;-)

The other significant bug-of-the-day was the Infineon weak-RSA key
bug.  I already have my free-replacement YubiKey 4's on order.  I
generated my RSA keys off of the key and installed them, which makes
my keys not affected by the faulty on-TPM-chip key generation code,
however I might want to some day.

-- 
Russell Senior
russ...@personaltelco.net

On Mon, Oct 16, 2017 at 10:00 PM, Dick Steffens  wrote:
> On 10/16/2017 09:37 PM, Mke C> wrote:
>>> Have people looked in to this:
>>>
>>> https://apnews.com/743db922a4d2473a8745ce54c134c33a/Researchers-discover-vulnerability-affecting-Wi-Fi-security
>>>
>>> If so, how have you handled it?
>> Step 1. Get actual useful information on the vulnerability that provides
>> some degree of understanding and assessing the risk.  That AP article is
>> a prime example of standard mainstream fear mongering of the latest
>> vulnerability discovered by a security researcher in a lab. Please help
>> us all by not sharing info from AP in the future.
>>
>> Better and more useful info here:
>> Mostly layman but thorough -
>> https://techcrunch.com/2017/10/16/wpa2-shown-to-be-vulnerable-to-key-reinstallation-attacks/
>>
>> More technical - https://www.krackattacks.com/
>
> Okay. I did make some effort to find out more details before posting to
> PLUG, but didn't know about the sites you list.
>
>> Step 2. Realize that cracking into a WiFi network isn't easy and takes
>> time and effort. Not too mention trying to capture actual sensitive
>> personal data.
>>
>> Step 3 Have some coffee, tea or beer. Re-read step 2 and contemplate the
>> following:
>>
>> "He further writes that while some of the attacks detailed in the paper
>> may seem hard to pull off, follow-up work has shown that attacks against
>> — for example — macOS and OpenBSD are “significantly more general and
>> easier to execute”, adding: “So although we agree that some of the
>> attack scenarios in the paper are rather impractical, do not let this
>> fool you into believing key reinstallation attacks cannot be abused in
>> practice.”
>>
>> Pizza Hut was recently hacked. 60,000 customers billing information
>> compromised in 28 hrs. Equifax hack, etc, etc.
>>
>> Step 4. Have some more of my fav beverage and wait patiently for
>> security updates while using the Internet over a wired connection.
>
> That's what I was hoping would be the answer. It's a known problem of
> high enough priority that the major distros will take care of it, and
> I'll keep up with my updates.
>
>> Step 5. Realize that when I need to use WiFi, I'll just use it and
>> probably not concern myself with security risks as like most people, I
>> got stuff to do, places to go and people to see.
>>
>> Step 6. Due to step 5, I put my faith and trust that there are good
>> people who will release security patches and other good people who will
>> file a class action law suits and polices / laws that protect consumers
>> from identity theft, fraud and abuse.
>>
>> Sleep well! =)
>
> Most of my interaction with the Internet is over a wired connection. I
> do regularly use WiFi at home. We're in a semi-rural neighborhood. There
> aren't too many folks out here for that to be a major concern, and we're
> not on a major thoroughfare. My home WiFi use is through my Buffalo
> WZR-600 DHP router running OpenWRT. I'll check and see if OpenWRT is
> working on anything related to this, and trust that Ubuntu will push out
> a patch. My wife uses a Lenovo Win7 laptop, so I'll make sure MS is
> doing something about it, too.
>
> Thanks for your reply.
>
> --
> Regards,
>
> Dick Steffens
>
>
> ___
> PLUG mailing list
> PLUG@lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
___
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug

Re: [PLUG] WPA2 vulnerability

2017-10-16 Thread Dick Steffens

On 10/16/2017 09:37 PM, Mke C> wrote:
>> Have people looked in to this:
>>
>> https://apnews.com/743db922a4d2473a8745ce54c134c33a/Researchers-discover-vulnerability-affecting-Wi-Fi-security
>>
>> If so, how have you handled it?
> Step 1. Get actual useful information on the vulnerability that provides
> some degree of understanding and assessing the risk.  That AP article is
> a prime example of standard mainstream fear mongering of the latest
> vulnerability discovered by a security researcher in a lab. Please help
> us all by not sharing info from AP in the future.
>
> Better and more useful info here:
> Mostly layman but thorough -
> https://techcrunch.com/2017/10/16/wpa2-shown-to-be-vulnerable-to-key-reinstallation-attacks/
>
> More technical - https://www.krackattacks.com/

Okay. I did make some effort to find out more details before posting to 
PLUG, but didn't know about the sites you list.

> Step 2. Realize that cracking into a WiFi network isn't easy and takes
> time and effort. Not too mention trying to capture actual sensitive
> personal data.
>
> Step 3 Have some coffee, tea or beer. Re-read step 2 and contemplate the
> following:
>
> "He further writes that while some of the attacks detailed in the paper
> may seem hard to pull off, follow-up work has shown that attacks against
> — for example — macOS and OpenBSD are “significantly more general and
> easier to execute”, adding: “So although we agree that some of the
> attack scenarios in the paper are rather impractical, do not let this
> fool you into believing key reinstallation attacks cannot be abused in
> practice.”
>
> Pizza Hut was recently hacked. 60,000 customers billing information
> compromised in 28 hrs. Equifax hack, etc, etc.
>
> Step 4. Have some more of my fav beverage and wait patiently for
> security updates while using the Internet over a wired connection.

That's what I was hoping would be the answer. It's a known problem of 
high enough priority that the major distros will take care of it, and 
I'll keep up with my updates.

> Step 5. Realize that when I need to use WiFi, I'll just use it and
> probably not concern myself with security risks as like most people, I
> got stuff to do, places to go and people to see.
>
> Step 6. Due to step 5, I put my faith and trust that there are good
> people who will release security patches and other good people who will
> file a class action law suits and polices / laws that protect consumers
> from identity theft, fraud and abuse.
>
> Sleep well! =)

Most of my interaction with the Internet is over a wired connection. I 
do regularly use WiFi at home. We're in a semi-rural neighborhood. There 
aren't too many folks out here for that to be a major concern, and we're 
not on a major thoroughfare. My home WiFi use is through my Buffalo 
WZR-600 DHP router running OpenWRT. I'll check and see if OpenWRT is 
working on anything related to this, and trust that Ubuntu will push out 
a patch. My wife uses a Lenovo Win7 laptop, so I'll make sure MS is 
doing something about it, too.

Thanks for your reply.

-- 
Regards,

Dick Steffens


___
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug

Re: [PLUG] WPA2 vulnerability

2017-10-16 Thread Mke C>


> Have people looked in to this:
>
> https://apnews.com/743db922a4d2473a8745ce54c134c33a/Researchers-discover-vulnerability-affecting-Wi-Fi-security
>
> If so, how have you handled it?

Step 1. Get actual useful information on the vulnerability that provides 
some degree of understanding and assessing the risk.  That AP article is 
a prime example of standard mainstream fear mongering of the latest 
vulnerability discovered by a security researcher in a lab. Please help 
us all by not sharing info from AP in the future.

Better and more useful info here:
Mostly layman but thorough - 
https://techcrunch.com/2017/10/16/wpa2-shown-to-be-vulnerable-to-key-reinstallation-attacks/

More technical - https://www.krackattacks.com/

Step 2. Realize that cracking into a WiFi network isn't easy and takes 
time and effort. Not too mention trying to capture actual sensitive 
personal data.

Step 3 Have some coffee, tea or beer. Re-read step 2 and contemplate the 
following:

"He further writes that while some of the attacks detailed in the paper 
may seem hard to pull off, follow-up work has shown that attacks against 
— for example — macOS and OpenBSD are “significantly more general and 
easier to execute”, adding: “So although we agree that some of the 
attack scenarios in the paper are rather impractical, do not let this 
fool you into believing key reinstallation attacks cannot be abused in 
practice.”

Pizza Hut was recently hacked. 60,000 customers billing information 
compromised in 28 hrs. Equifax hack, etc, etc.

Step 4. Have some more of my fav beverage and wait patiently for 
security updates while using the Internet over a wired connection.

Step 5. Realize that when I need to use WiFi, I'll just use it and 
probably not concern myself with security risks as like most people, I 
got stuff to do, places to go and people to see.

Step 6. Due to step 5, I put my faith and trust that there are good 
people who will release security patches and other good people who will 
file a class action law suits and polices / laws that protect consumers 
from identity theft, fraud and abuse.

Sleep well! =)
___
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug

Re: [PLUG] WPA2 vulnerability

2017-10-16 Thread David Bridges

Using Debian (sid) here, wpasupplicant was upgraded this morning and
from the changelog it appears that it addresses the vulnerabilities. 


wpa (2:2.4-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix multiple issues in WPA protocol (CVE-2017-13077, CVE-2017-
13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
- hostapd: Avoid key reinstallation in FT handshake
- Prevent reinstallation of an already in-use group key
- Extend protection of GTK/IGTK reinstallation of
- Fix TK configuration to the driver in EAPOL-Key 3/4
- Prevent installation of an all-zero TK
- Fix PTK rekeying to generate a new ANonce
- TDLS: Reject TPK-TK reconfiguration
- WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode
- WNM: Ignore WNM-Sleep Mode Response without pending
- FT: Do not allow multiple Reassociation Response frames
- TDLS: Ignore incoming TDLS Setup Response retries


On Mon, 2017-10-16 at 12:07 -0700, Dick Steffens wrote:
> Have people looked in to this:
> 
> https://apnews.com/743db922a4d2473a8745ce54c134c33a/Researchers-disco
> ver-vulnerability-affecting-Wi-Fi-security
> 
> If so, how have you handled it?
> 
___
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug

[PLUG] WPA2 vulnerability

2017-10-16 Thread Dick Steffens

Have people looked in to this:

https://apnews.com/743db922a4d2473a8745ce54c134c33a/Researchers-discover-vulnerability-affecting-Wi-Fi-security

If so, how have you handled it?

-- 
Regards,

Dick Steffens

___
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug

Re: [PLUG] WPA2 vulnerability

Re: [PLUG] WPA2 vulnerability

Re: [PLUG] WPA2 vulnerability

Re: [PLUG] WPA2 vulnerability

Re: [PLUG] WPA2 vulnerability

Re: [PLUG] WPA2 vulnerability

Re: [PLUG] WPA2 vulnerability

Re: [PLUG] WPA2 vulnerability

[PLUG] WPA2 vulnerability

9 matches

Site Navigation

Mail list logo

Footer information