Jump to content
DVDVR Message Board

YOUR WI-FI IS FUCKED


Recommended Posts

https://www.krackattacks.com/

Basically: there's a major exploit within the most common security standard (WPA2) that leaks data, personal information, and can- in extreme cases- allow remote code execution (a virus that opens itself, in layman's terms). So this is like the internet version of discovering asbestos is catastrophically bad for humans.

BL88'S UNPROFESSIONAL ADVICE

1) Turn off your wifi network. If you know how to, awesome. If you don't, you'll be calling your ISP in a few steps anyways.
2) Turn off wifi on your phones/tablets/laptops. That extreme case that lets remote code execution happen? One such extreme case is android phones above 6.0. So don't use public or private wifi for a while. Data is fine.
3) Call your ISP, and ask them how they handle modem firmware updates. Most major ISPs will do this remotely. You're definitely going to want to know if you're one of those ISPs or not.
3a) this is a good time to talk to your ISP about how to get into your modem if you have to. also because you'll need to know how to do this for step five.
4) Update your OS as soon as you see the option to. Most companies are going to be cranking overtime to get this done so this'll probably only be a problem for like a week or so.
5) Change your wifi password after your modem is updated.
6) Buy/make your IT guys some baked goods, if you work somewhere that has IT guys.

Godspeed out there.

  • Thanks 3
Link to comment
Share on other sites

Here is the bulletin from US-CERT that we got this morning.

Quote

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017

For you InfoSec geeks out there, there will be a white paper issues and a panel discussion at the upcoming ACM Conference on Computer and Communications Security conference in Dallas.

BL88's advice is very sound and it is pretty much the same protocol we're following at DoD.  Talk to your ISP and ask how they are handling firmware updates downstream and upstream and also contact the vendors of your various wireless devices in your home (routers, smart phones, tablets, computers, laptops, televisions, internet of thing devices) and see how they handle firmware updates.

  • Like 1
Link to comment
Share on other sites

I'm going to let the IT folks know about this, thanks for the heads up.   Considering we use Wifi so much in our lives it's scary to think how widespread the impact can be if attackers took advantage of this exploit.

Link to comment
Share on other sites

If there's anything I've learned over nearly two decades in IT, especially over the past year, it's this:

It's not if something gets hacked/compromised - it's when.

About the only bright point is that the huge push toward HTTPSing all the things in the past yearish will make this SLIGHTLY less shitty than it could have been.   I use Ubiquiti hardware at home for my Wifi and apparently there's already a patch in beta, but it's more for the client side stuff.  Ugh.

I have VPNs to give some additional security over Wifi right now (and my employer uses VPNs extensively) because this is going to be really ugly for a very long time.  How many IoT-style devices will never be updated or even considered?

  • Like 1
Link to comment
Share on other sites

11 minutes ago, Michael Sweetser said:

Thankfully I have VPNs to give some additional security over Wifi right now because this is going to be really ugly for a very long time. 

Somewhat true.  VPN's are only as secure as the machines on the other ends of the tunnel. 

You'll still need to protect your home machines if you think the machines at the company you work for are at risk and you'll have to be extra vigilant at home to make sure you don't risk becoming a virtual back door that attackers use to access the network at the company you work for.

  • Thanks 1
Link to comment
Share on other sites

2 minutes ago, J.T. said:

Somewhat true.  VPN's are only as secure as the machines on the other ends of the tunnel. 

You'll still need to protect your home machines if you think the machines at the company you work for are at risk and you'll have to be extra vigilant at home to make sure you don't risk becoming a virtual back door that attackers use to access the network at the company you work for.

Quoted for complete and utter truth on all counts.  All of this helps to mitigate the damage somewhat, but there's no way around it - this is a protocol-level flaw.  As Mikrotik said in their update, even a properly implemented WPA2 setup is vulnerable.

Vigilance is always the lynchpin of security.  Without it, you're fucked.  95% of the time there's a security vulnerability or intrusion or a data breach, it's because somebody fucked up somewhere and didn't do the needful.

  • Like 1
Link to comment
Share on other sites

I would be concerned, but not freaked out or anything.

The WiFi protocol exploits may be new, but the ransomware and other malicious code that may be used to compromise a computer or device have probably been out in the wild for quite some time and are either already have patches issued to counter them or they have hot fixes on the way. 

Keep up with your AV updating and regular OS hardening practices and you should be okay.

The weak link in this chain will be companies that aren't used to issuing regular firmware updates.

As I said before and Mike QFTed, do not deviate from your usual due diligence.  Protect yo' neck.

  • Like 2
Link to comment
Share on other sites

5 minutes ago, RIPPA said:

giphy.gif

Hackers prey upon the lazy and the arrogant.  This is the first thing you learn in Cyber Ops class.

The worst things you can do are underestimate and overestimate the threat.

If you already have good practices in place; keep on doing what you're doing.

Link to comment
Share on other sites

I just let the network techs at our work know and they knew about it yesterday.  They put a case ticket in and said even patches won't necessarily work because of design flaws in WPA2.  So if they're saying we're screwed for awhile then I can only imagine how my home network will be handled.

Link to comment
Share on other sites

Some good samaritan is keeping an updated list of major software companies that have issued patches for the WPA2 leaks that they are updating as they learn about new patches. You can find that here. The article also suggests that the bigger issue is fixing individual devices over patching routers, but I am someone who has been called "god-tier paranoid" by full-blown conspiracy theorists, so there's that.

  • Like 1
  • Thanks 1
Link to comment
Share on other sites

1 hour ago, BL88 said:

The article also suggests that the bigger issue is fixing individual devices over patching routers, but I am someone who has been called "god-tier paranoid" by full-blown conspiracy theorists, so there's that.

Getting access to a network does you no good if there is no end machine to compromise. 

If I am a net bandit  I have these objectives:

  1. Grab important data from your machine for whatever nefarious purpose I have in mind (identity theft, re-sale)..
  2. Turn your machine into a bot so that I can use it to access other machines or disrupt network traffic.
  3. Capture your machine via ransomware and extort money for its surrender.

Arguably number one or number two is the highest likely reason. 

Ransomware is a pretty stupid concept, honestly.  The evidence of your intrusion is right there in a pretty package tied with a pink bow.  The forensics guy assessing the situation knows the network is vulnerable and also has a sample of your handiwork to decompile and study.

Anyone who looks to get paid via virtual extortion is sitting around waiting for handcuffs to be placed on their wrists.... unless the actor is state sponsored or otherwise encouraged by a government.

[OMINOUS MUSIC PLAYS HERE FOR CONSPIRACY THEORISTS~!]

A hacker is either looking for data or access to data.  Protecting routers and switches will be a very high priority, but the primary focus will always be on locking down individual devices.

Oh and to paraphrase the old saying, just because you're god level paranoid does not mean that someone isn't trying to break into your shit.  STAY WOKE~!

  • Like 2
Link to comment
Share on other sites

Since I live in the middle of nowhere, I don't even use any security. You'd have to be next to my room to get access to my shitty wifi. I shall be enabling Skynet shortly.

Link to comment
Share on other sites

8 minutes ago, Ryan said:

Since I live in the middle of nowhere, I don't even use any security. You'd have to be next to my room to get access to my shitty wifi.

Back in the dial-up days, you would be a low priority target (i.e.. no important data to steal, remote site, etc.) but in the age of broadband, you are probably a high value target, unfortunately.

An unprotected machine on a low security network is a prime candidate for induction into a botnet.

You don't have to be a company with massive amounts of PII to be a target these days. 

There may be megs and megs of software on your machine that you might not even realize is there right now and you don't have the bandwidth analyzer to notice whether or not someone is piggybacking on your outbound  traffic.

  • Like 1
Link to comment
Share on other sites

13 minutes ago, Zimbra said:

What do people recommend for AV these days?  I've been using Kaspersky but it sure seems like time to move on from them.

Kapersky Labs is actually one of the better AV companies out there.  They are very proactive when it comes to computer forensics. 

Remember these are the guys that de-compiled and found out exactly what STUXNET's capabilities were.

Most AV companies are fairly reputable, but you don't have to pay an arm and a leg for good protection.  There are lots of free AV programs out there like Panda that will adequately protect your machine and are updated regularly. 

What you need to remember is that AV isn't the only layer of security you will need for your computer. 

You will also need good malware protection (for example, some with advertisers work deals with AV companies to make sure that their advert-ware does not register as malicious code to a Host Based SS or Anomaly Based SS) as well as some sort of masking software that allows you to surf somewhat anonymously or at least helps you leave a very small digital footprint.

Of course, most browsers are engineered to work against you since sites are actively tagging your metadata so they can steal your soul,,, er.. better tailor internet content to your personal preferences.

Link to comment
Share on other sites

8 minutes ago, J.T. said:

Kapersky Labs is actually one of the better AV companies out there.  They are very proactive when it comes to computer forensics. 

Remember these are the guys that de-compiled and found out exactly what STUXNET's capabilities were.

Most AV companies are fairly reputable, but you don't have to pay an arm and a leg for good protection.  There are lots of free AV programs out there like Panda that will adequately protect your machine and are updated regularly. 

What you need to remember is that AV isn't the only layer of security you will need for your computer.  You will also need good malware protection as well as some sort of masking software that allows you to surf somewhat anonymously or at least helps you leave a very small digital footprint.

Of course, most browsers are engineered to work against you since sites are actively tagging your metadata so they can steal your soul,,, er.. better tailor internet content to your personal preferences.

I also know some people recommend just sticking by Windows Defender and not running another AV. Especially if you're running Windows 10. 

Obviously, you don't maybe have the customer support there if something goes wrong that you'd get from paying for something.

Link to comment
Share on other sites

As a rule, I really don't trust Windows to even be adequately secure so I always pile on extra programs on the Win10 devices at my house.

The two LINUX machines I have tend to be good as they are with AV and malware software added on as a precaution.

The scary thing about this WiFi protocol exploit is that it affects systems you don't normally update yourself, which is why the best thing you can do to protect yourself is lock down the end machines that could be the targets of exploitation.

Link to comment
Share on other sites

Yeah, I really need to get back up to date on my CS stuff. Most of my current job is so marketing influenced that I haven't exercised that half of my brain in a good while. Definitely on the agenda for 2018.

Link to comment
Share on other sites

Man, this router is older than I remembered. Latest and only firmware update is 2005. Whee! I used Windows 7 and monitor everything fairly closely, but nothing is perfect.

Link to comment
Share on other sites

14 minutes ago, Ryan said:

To show you the age of this crap-ass router, it doesn't even have WPA2. Say hello to PSK2 which is probably useless.

 

7 minutes ago, Ryan said:

Man, this router is older than I remembered. Latest and only firmware update is 2005. Whee! I used Windows 7 and monitor everything fairly closely, but nothing is perfect.

Dear prospective burglar,

There is no need to use the key I have hidden under my welcome mat to gain entry into my house.  The front door is already unlocked. 

Most of my valuables are electronic in nature, but I do have a small amount of cash I keep in the master bedroom in the nightstand.

I have no dogs, cameras or alarms.  Please do not feel threatened by the VIVINT sign in my front yard.  it is just there for show.

There is some leftover fried chicken in the fridge.

I will be home from work by 5PM EST.  Please make sure to be gone by then.  Try to keep breakage to a mnimum while you are ransacking my crib.

I would be grateful if you did me the courtesy of dialing 911 on my landline and reporting the theft before you make your getaway.

Love,

Ryan.

 

Link to comment
Share on other sites

Yeah, that sounds about right. Luckily, there is literally no important data stored on this computer or in the cloud of any website about me personally. I'm picky about giving out anything. Make sure to wipe your feet though. This includes gaming devices, phones, tablets and anything else with wi-fi on it.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...