Daily Archives: 2017/10/16


Barbarians Inside the Walls

So, today on the Internet the “big news” was KRACK, the “Key Replacement AttaCK” (get it?); I learned about it from WordFence here: https://www.wordfence.com/blog/2017/10/krack-and-roca/?utm_source=list&utm_medium=email&utm_campaign=101617. In point of truth there were two large vulnerabilities announced today, the other being “ROCA” (see https://www.reddit.com/r/netsec/comments/76pv2s/roca_vulnerable_rsa_generation_cve201715361/).

(If you’d rather I provided shortlinks, I suppose I can do that. But, since no one ever comments on here I don’t guess I’ll ever know that you would have liked that…)

So I was able to work for four hours today, and already knew about these things when I went in; being “part-time on-call” allows me to sort of be undefined ahead of time in terms of work hours, reporting time, etc., you see. But they were kind of on my mind for the four hours I was there, and I started looking into it after I got home.

Now, here’s the thing, folks: If you’ve got some kind of Internet service, and any part of it is wireless (meaning you have even one device that is connected by anything other than a Cat-5, Cat-5a, or Cat-6 wire), then the likelihood is that you’re vulnerable to some kind of attack unless you get it under control. Soon. Likewise, if you ever use “wireless hotspots,” not only are you vulnerable, but anyone else using them is likewise vulnerable, until and unless the hotspot “provider” has attended to the problem and got it under control.

Until this thing is fixed, any router/gateway using WPA2-AES (WiFi Protected Access II-Advanced Encryption Standard) or WPA-TKIP (WiFi Protected Access-Temporal Key Integrity Protocol) is vulnerable in the extreme to any attacker who is within the 100m physical range of your wireless router’s/gateway’s point of presence. Got it?

Does your smart phone manage bank accounts for you in any way–do you charge tickets to movies or sports events or anything else through them, for example? Do you pay bills via your smart phone? Do you know that the people (banks, merchants, etc.) are at the same time cripplingly honest and also so hardened in a security posture and protocol that they cannot be used as a vector usable by a miscreant to learn, harvest, and have your personally identifiable information? Do you really know that?

I humbly submit that you cannot know that!

I also submit that there are two, and only two, ways that you can protect yourself and all that you hold dear against the type of attack vector that was announced today.

  1. You do not engage in any kind of “eCommerce” until you know that your finances, your life, yourself are protected.
  2. You never use a smart phone to read a “QR” code, or to “pay your bill” at a merchant. I mean, seriously, don’t even install the “FREE APP” that can do that, for you don’t know what that “free application” is actually doing!

What I’ve done since I got home from my four hours of work today has largely been about ensuring, as best I can, that this problem is mitigated and cannot affect me.

Apple Computers tells me that this vulnerability in the very WPA/WPA2 protocols was mitigated in an “earlier beta” in the MacOS Sierra operating system, and I have the latest release of that on both Macs already, so I hope I can safely “feel good” about that whole thing.

I’m also running Pibuntu (derived from Ubuntu 16.04) on two Raspberry Pis, and was able to “apt-get upgrade” both suspect packages, particularly “wpasupplicant” earlier. I “feel pretty good” about that.

Then I upgraded my router’s GUI Language and Firmware to the latest version, which is always frightening.

Finally I upgraded my iPhone to iOS 11.0.3, in hopes that Apple have taken care of this “not-so-little” problem.

I wish you the best!