[opensuse] Fwd: Basically every WiFi device just hacked?
All,
Most WiFi routers have WEP, WPA, and WPA2.
WPA2 was the most secure and the recommendation.
No longer: https://www.theregister.co.uk/AMP/2017/10/16/wpa2_krack_attack_security_wifi...
But WPA2 comes in a couple variants. Does anyone know if any of them are unaffected?
Thanks
Greg
--
Greg Freemyer
Advances are made by answering questions. Discoveries are made by questioning answers. — Bernard Haisch
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 16 October 2017 at 15:36, Greg Freemyer <greg.freemyer@gmail.com> wrote:
All,
Most WiFi routers have WEP, WPA, and WPA2.
WPA2 was the most secure and the recommendation.
No longer:
https://www.theregister.co.uk/AMP/2017/10/16/wpa2_krack_attack_security_wifi...
But WPA2 comes in a couple variants. Does anyone know if any of them are unaffected?
Thanks Greg
I don't know, but I do know that SUSE are working on providing us fast updates for SLE (which Leap will get equally fast) and Tumbleweed
On Mon, Oct 16, 2017 at 9:43 AM, Richard Brown <RBrownCCB@opensuse.org> wrote:
On 16 October 2017 at 15:36, Greg Freemyer <greg.freemyer@gmail.com> wrote:
All,
Most WiFi routers have WEP, WPA, and WPA2.
WPA2 was the most secure and the recommendation.
No longer:
https://www.theregister.co.uk/AMP/2017/10/16/wpa2_krack_attack_security_wifi...
But WPA2 comes in a couple variants. Does anyone know if any of them are unaffected?
Thanks Greg
I don't know, but I do know that SUSE are working on providing us fast updates for SLE (which Leap will get equally fast) and Tumbleweed
So this may be addressable on the client end? I hope so!
Greg
16.10.2017 16:52, Greg Freemyer wrote:
On Mon, Oct 16, 2017 at 9:43 AM, Richard Brown <RBrownCCB@opensuse.org> wrote:
On 16 October 2017 at 15:36, Greg Freemyer <greg.freemyer@gmail.com> wrote:
All,
Most WiFi routers have WEP, WPA, and WPA2.
WPA2 was the most secure and the recommendation.
No longer:
https://www.theregister.co.uk/AMP/2017/10/16/wpa2_krack_attack_security_wifi...
But WPA2 comes in a couple variants. Does anyone know if any of them are unaffected?
The weakness is in initial client-AP handshake, so I assume all variants are affected.
Thanks Greg
I don't know, but I do know that SUSE are working on providing us fast updates for SLE (which Leap will get equally fast) and Tumbleweed
So this may be addressable on the client end? I hope so!
If I read the linked paper correctly, this *is* a client vulnerability:
When a client joins a network, it executes the 4-way handshake to negotiate a fresh session key. It will install this key after receiving message 3 of the handshake. Once the key is installed, it will be used to encrypt normal data frames using a data-confidentiality protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same session key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the data-confidentiality protocol. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3. By forcing nonce reuse in this manner, the data-confidentiality protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged.
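The message 3 retransmission quoted above, as an added toy simulation that is not from the paper, from this thread, or from wpa_supplicant: an unpatched client reinstalls the key and resets its transmit packet number and receive replay counter, while the hardened client refuses to reinstall a key it already has. The HMAC stand-in for the CCMP keystream, the session key, the packet numbers and the Client/run_session names are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


def keystream_for(ptk: bytes, pn: int, length: int) -> bytes:
    """Stand-in for the CCMP keystream (constructed, not the real cipher):
    derived from the session key and the packet number used as nonce, so the
    same key with the same packet number yields the same keystream."""
    out = b""
    block = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


@dataclass
class Client:
    """The supplicant state that matters here: the installed PTK plus the
    transmit packet number and receive replay counter that installing resets."""
    patched: bool
    ptk: bytes | None = None
    key_installed: bool = False
    tx_pn: int = 0               # incremented before every data frame sent
    rx_replay_counter: int = -1  # highest packet number accepted so far

    def install_key(self, ptk: bytes) -> None:
        # Installing the key (re)initialises both counters; the quoted paper
        # describes this happening on every copy of message 3 the client sees.
        self.ptk = ptk
        self.key_installed = True
        self.tx_pn = 0
        self.rx_replay_counter = -1

    def on_message3(self, ptk: bytes) -> str:
        # Hardened behaviour: a key that is already installed is not installed
        # again, so a retransmitted message 3 leaves both counters untouched.
        if self.patched and self.key_installed and self.ptk == ptk:
            return "msg4"
        self.install_key(ptk)
        return "msg4"  # message 4 acknowledges message 3 either way

    def send(self, plaintext: bytes) -> tuple[int, bytes]:
        """Encrypt one data frame; returns (packet number, ciphertext)."""
        assert self.ptk is not None, "no key installed yet"
        self.tx_pn += 1
        ks = keystream_for(self.ptk, self.tx_pn, len(plaintext))
        return self.tx_pn, bytes(p ^ k for p, k in zip(plaintext, ks))

    def receive(self, pn: int) -> bool:
        """Replay check: accept a frame only if its packet number is fresh."""
        if pn <= self.rx_replay_counter:
            return False
        self.rx_replay_counter = pn
        return True


def run_session(patched: bool) -> dict:
    """Handshake, one data frame each way, a retransmitted message 3, then one
    more frame each way. Packet numbers and key material are constructed."""
    ptk = hashlib.sha256(b"constructed-session-key").digest()
    client = Client(patched=patched)
    client.on_message3(ptk)                   # first copy of message 3
    pn1, ct1 = client.send(b"first data frame")
    first_ok = client.receive(7)              # AP frame with packet number 7
    client.on_message3(ptk)                   # AP retransmits message 3
    pn2, ct2 = client.send(b"second data frm")
    replay_ok = client.receive(7)             # the same AP frame seen again
    return {
        "packet_numbers": (pn1, pn2),
        "nonce_reused": pn1 == pn2,
        "replay_accepted": first_ok and replay_ok,
        "frames": [(pn1, ct1), (pn2, ct2)],
    }


def nonce_reuse_in_capture(frames: list[tuple[int, bytes]]) -> bool:
    """What a wireless monitor would flag: the same packet number appearing
    twice in one direction under one session key."""
    seen: set[int] = set()
    for pn, _ in frames:
        if pn in seen:
            return True
        seen.add(pn)
    return False


if __name__ == "__main__":
    for patched in (False, True):
        r = run_session(patched)
        print("patched" if patched else "vulnerable", r["packet_numbers"],
              "nonce reused:", r["nonce_reused"],
              "replay accepted:", r["replay_accepted"])
```

The unpatched run sends two frames under packet number 1 and accepts the replayed AP frame; the hardened run continues at packet number 2 and rejects the replay.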
On 16 October 2017 at 15:52, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Mon, Oct 16, 2017 at 9:43 AM, Richard Brown <RBrownCCB@opensuse.org> wrote:
On 16 October 2017 at 15:36, Greg Freemyer <greg.freemyer@gmail.com> wrote:
All,
Most WiFi routers have WEP, WPA, and WPA2.
WPA2 was the most secure and the recommendation.
No longer:
https://www.theregister.co.uk/AMP/2017/10/16/wpa2_krack_attack_security_wifi...
But WPA2 comes in a couple variants. Does anyone know if any of them are unaffected?
Thanks Greg
I don't know, but I do know that SUSE are working on providing us fast updates for SLE (which Leap will get equally fast) and Tumbleweed
So this may be addressable on the client end? I hope so!
Greg
I believe for absolute safety it needs to be addressed at every end - which is pretty scary given how many Wi-Fi devices are out there (I just bought a new Mi-Fi at the weekend..&sigh&)
For us I know we have hostapd (for people using openSUSE as a wifi AP) and wpa_supplicant (for clients) patches in the works
On Mon, Oct 16, 2017 at 04:05:57PM +0200, Richard Brown wrote:
On 16 October 2017 at 15:52, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Mon, Oct 16, 2017 at 9:43 AM, Richard Brown <RBrownCCB@opensuse.org> wrote:
On 16 October 2017 at 15:36, Greg Freemyer <greg.freemyer@gmail.com> wrote:
All,
Most WiFi routers have WEP, WPA, and WPA2.
WPA2 was the most secure and the recommendation.
No longer:
https://www.theregister.co.uk/AMP/2017/10/16/wpa2_krack_attack_security_wifi...
But WPA2 comes in a couple variants. Does anyone know if any of them are unaffected?
Thanks Greg
I don't know, but I do know that SUSE are working on providing us fast updates for SLE (which Leap will get equally fast) and Tumbleweed
So this may be addressable on the client end? I hope so!
Greg
I believe for absolute safety it needs to be addressed at every end - which is pretty scary given how many Wi-Fi devices are out there (I just bought a new Mi-Fi at the weekend..&sigh&)
For us I know we have hostapd (for people using openSUSE as a wifi AP) and wpa_supplicant (for clients) patches in the works
As Richard writes, we will be releasing updates.
FWIW, if you behave the same with your laptop and cellphone in your own wireless networks with WPA compared to wireless internet cafes / hotels / trains that have unprotected wifi, then you don't need to panic anyway.
SSL and VPN usually come to our rescue here.
Ciao, Marcus
Without HTML this time: On Mon, Oct 16, 2017 at 12:18 PM, Marcus Meissner <meissner@suse.de> wrote: <snip>
As Richard writes, we will be releasing updates.
FWIW, if you behave the same with your laptop and cellphone in your own wireless networks with WPA compared to Wireless internet cafes / hotels / trains that have unprotected wifi, then you don't need to panic anyway.
SSL and VPN usually come to our rescue here.
Ciao, Marcus
Marcus,
I think this crack is more serious than most.
If I use an open WiFi or WEP and someone performs enough packet capture they can indeed figure out how to decrypt and monitor my communications. SSL and VPN indeed keep them from figuring anything out.
But this is a full-fledged man-in-the-middle crack. That includes packet manipulation and injection. Maybe not immediately, but in short order bad actors will surely figure out how to short circuit SSL and SSH type protections.
I imagine in a few days, we'll start to see client OS patched. Routers seem to always take longer.
Greg
On Mon, Oct 16, 2017 at 05:07:17PM -0400, Greg Freemyer wrote:
Without HTML this time:
On Mon, Oct 16, 2017 at 12:18 PM, Marcus Meissner <meissner@suse.de> wrote: <snip>
As Richard writes, we will be releasing updates.
FWIW, if you behave the same with your laptop and cellphone in your own wireless networks with WPA compared to Wireless internet cafes / hotels / trains that have unprotected wifi, then you don't need to panic anyway.
SSL and VPN usually come to our rescue here.
Ciao, Marcus
Marcus,
I think this crack is more serious than most.
If I use an open WiFi or WEP and someone performs enough packet capture they can indeed figure out how to decrypt and monitor my communications. SSL and VPN indeed keep them from figuring anything out.
But this is a full-fledged man-in-the-middle crack. That includes packet manipulation and injection. Maybe not immediately, but in short order bad actors will surely figure out how to short circuit SSL and SSH type protections.
I imagine in a few days, we'll start to see client OS patched. Routers seem to always take longer.
If you are using open WLANs (without WPA or WEP), this packet injection is already possible, as you write above. The KRACK attack weakens WPA a bit towards this kind of openness.
Ciao, Marcus
On 2017-10-16 23:07, Greg Freemyer wrote:
I imagine in a few days, we'll start to see client OS patched. Routers seem to always take longer.
I just read this on usenet:
+++----------------
****Routers and gateways are only affected when in bridge mode**** (which is not enabled by default and not used by most customers). A WPA-2 handshake is initiated by a router in bridge mode only when connecting or reconnecting to a router
<https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-2836-PSV-2017-2837>
----------------++-
If correct, this is good news, for me at least.
--
Cheers / Saludos,
Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
On Tue, Oct 17, 2017 at 7:02 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2017-10-16 23:07, Greg Freemyer wrote:
I imagine in a few days, we'll start to see client OS patched. Routers seem to always take longer.
I just read this on usenet:
+++---------------- •****Routers and gateways are only affected when in bridge mode**** (which is not enabled by default and not used by most customers). A WPA-2 handshake is initiated by a router in bridge mode only when connecting or reconnecting to a router
<https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-2836-PSV-2017-2837> ----------------++-
If correct, this is good news, for me at least.
If it's true it's good news for anyone that connects to public infrastructure (hotels/airports/coffee shops)
Greg Freemyer wrote:
On Tue, Oct 17, 2017 at 7:02 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2017-10-16 23:07, Greg Freemyer wrote:
I imagine in a few days, we'll start to see client OS patched. Routers seem to always take longer. I just read this on usenet:
+++---------------- •****Routers and gateways are only affected when in bridge mode**** (which is not enabled by default and not used by most customers). A WPA-2 handshake is initiated by a router in bridge mode only when connecting or reconnecting to a router
<https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-2836-PSV-2017-2837> ----------------++-
If correct, this is good news, for me at least. If it's true it's good news for anyone that connects to public infrastructure (hotels/airports/coffee shops)
I think the article refers to specific NETGEAR equipment, listed on the right hand side.
On 2017-10-17 17:38, Richmond wrote:
Greg Freemyer wrote:
On Tue, Oct 17, 2017 at 7:02 AM, Carlos E. R. <> wrote:
On 2017-10-16 23:07, Greg Freemyer wrote:
I imagine in a few days, we'll start to see client OS patched. Routers seem to always take longer. I just read this on usenet:
+++---------------- •****Routers and gateways are only affected when in bridge mode**** (which is not enabled by default and not used by most customers). A WPA-2 handshake is initiated by a router in bridge mode only when connecting or reconnecting to a router
<https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-2836-PSV-2017-2837> ----------------++-
If correct, this is good news, for me at least. If it's true it's good news for anyone that connects to public infrastructure (hotels/airports/coffee shops)
I think the article refers to specific NETGEAR equipment, listed on the right hand side.
I think it applies to all, nevertheless. The problem is not with implementation, but with the protocol design itself; AFAIK the AP points are not affected, it is the clients. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 10/17/2017 09:44 AM, Carlos E. R. wrote:
I think it applies to all, nevertheless. The problem is not with implementation, but with the protocol design itself; AFAIK the AP points are not affected, it is the clients.
Unless APs are connected to each other wirelessly in a "mesh network", or are acting as a client to another access point, or support 802.11r (fast roaming). That's why major AP providers are providing a patch or have already pushed it from their cloud services, such as Meraki, Aerohive, Aruba, Ubiquiti, Mojo, etc.
Toshi
On 10/17/2017 11:38 AM, Richmond wrote:
If correct, this is good news, for me at least. If it's true it's good news for anyone that connects to public infrastructure (hotels/airports/coffee shops)
I think the article refers to specific NETGEAR equipment, listed on the right hand side.
It said the problem only happens in bridge mode, that is one access point repeating another. If that is the case, it would apply to any access point.
James Knott wrote:
On 10/17/2017 11:38 AM, Richmond wrote:
If correct, this is good news, for me at least. If it's true it's good news for anyone that connects to public infrastructure (hotels/airports/coffee shops)
I think the article refers to specific NETGEAR equipment, listed on the right hand side.
It said the problem only happens in bridge mode, that is one access point repeating another. If that is the case, it would apply to any access point.
Yes it says it only happens in bridge mode, on those netgear routers. That's the way I am reading it. I don't think it means it only happens in bridge mode on all routers.
On 2017-10-17 19:22, Richmond wrote:
James Knott wrote:
On 10/17/2017 11:38 AM, Richmond wrote:
If correct, this is good news, for me at least. If it's true it's good news for anyone that connects to public infrastructure (hotels/airports/coffee shops)
I think the article refers to specific NETGEAR equipment, listed on the right hand side.
It said the problem only happens in bridge mode, that is one access point repeating another. If that is the case, it would apply to any access point.
Yes it says it only happens in bridge mode, on those netgear routers. That's the way I am reading it. I don't think it means it only happens in bridge mode on all routers.
As the failure is in the protocol, it applies to all routers. Netgear just happens to document it on their own. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 10/16/2017 09:43 AM, Richard Brown wrote:
But WPA2 comes in a couple variants. Does anyone know if any of them
are unaffected?
Thanks Greg I don't know, but I do know that SUSE are working on providing us fast updates for SLE (which Leap will get equally fast) and Tumbleweed
Would SUSE being up to date affect this? Or is it an attack on the access point?
On 16 October 2017 at 18:18, James Knott <james.knott@rogers.com> wrote:
On 10/16/2017 09:43 AM, Richard Brown wrote:
But WPA2 comes in a couple variants. Does anyone know if any of them
are unaffected?
Thanks Greg I don't know, but I do know that SUSE are working on providing us fast updates for SLE (which Leap will get equally fast) and Tumbleweed
Would SUSE being up to date affect this? Or is it an attack on the access point?
Now I've been able to read and understand the latest information:
The attack is on the clients.
The fixes therefore need to be delivered and applied to all client devices. That isn't just Linux machines, but any phones, IoT devices, anything that connects to Wi-Fi and authenticates using WPA.
For example, I'm now harassing Huawei to figure out when they'll patch their Mobile-WiFi device I just got, because it can work as a WiFi extender (and therefore a client to a WiFi network) in addition to being a mobile hotspot.
So every openSUSE machine you have using wifi is vulnerable until we get patches out. Like Marcus said, treating WPA like it's insecure and relying on SSL and VPN and such in the meanwhile is recommended.
On 2017-10-16 18:22, Richard Brown wrote:
On 16 October 2017 at 18:18, James Knott <> wrote:
On 10/16/2017 09:43 AM, Richard Brown wrote:
The attack is on the clients
...
So every openSUSE machine you have using wifi is vulnerable until we get patches out. like Marcus said, treating WPA like it's insecure and relying on SSL and VPN and such in the meanwhile is recommended
I understand that every openSUSE machine is vulnerable till every machine in the same network is patched. Once a single one is successfully attacked, they are in. In the network, that is. Besides, any communication protocol that uses encryption is safe, even if they get entry to our WiFi: ssh, https... but not, I think, smb, nfs, most email... -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 10/16/2017 01:51 PM, Carlos E. R. wrote:
Besides, any communication protocol that uses encryption is safe, even if they get entry to our WiFi: ssh, https... but not, I think, smb, nfs, most email...
Many email providers are moving to SSL/TLS for POP, IMAP and SMTP.
On 2017-10-16 20:11, James Knott wrote:
On 10/16/2017 01:51 PM, Carlos E. R. wrote:
Besides, any communication protocol that uses encryption is safe, even if they get entry to our WiFi: ssh, https... but not, I think, smb, nfs, most email...
Many email providers are moving to SSL/TLS for POP, IMAP and SMTP.
Not mine. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 10/16/2017 04:02 PM, Carlos E. R. wrote:
On 2017-10-16 20:11, James Knott wrote:
On 10/16/2017 01:51 PM, Carlos E. R. wrote:
Besides, any communication protocol that uses encryption is safe, even if they get entry to our WiFi: ssh, https... but not, I think, smb, nfs, most email... Many email providers are moving to SSL/TLS for POP, IMAP and SMTP. Not mine.
Geez... Spain is really behind the times. Can you not even configure it with your email apps? Also, email web interfaces now use https. Also, Google tries to favour https web sites, to encourage encryption on the web.
I just verified my email connections on the 2 accounts I have. Both use SSL/TLS for IMAP and SMTP. I also have OpenVPN configured between my notebook computer and firewall, so I can encrypt everything. With this, all traffic is sent through the VPN to my home network.
On 10/16/2017 04:37 PM, James Knott wrote:
Many email providers are moving to SSL/TLS for POP, IMAP and SMTP. Not mine.
Geez... Spain is really behind the times. Can you not even configure it with your email apps? Also, email web interfaces now use https. Also, Google tries to favour https web sites, to encourage encryption on the web.
I just verified my email connections on the 2 accounts I have. Both use SSL/TLS for IMAP and SMTP. I also have OpenVPN configured between my notebook computer and firewall, so I can encrypt everything . With this, all traffic is sent through the VPN to my home network.
I just received this article: http://www.techrepublic.com/article/dhs-orders-federal-agencies-to-bolster-cybersecurity-with-https-email-authentication/?ftag=TRE684d531&bhid=12825460
"Some 85% of consumer email inboxes in the US support DMARC, including Gmail, Yahoo, and Microsoft accounts. But DMARC adoption rates among government and enterprises remains low, according to the Global Cyber Alliance."
Notice that "85% of consumer email inboxes"? That looks like most to me.
On 2017-10-16 22:37, James Knott wrote:
On 10/16/2017 04:02 PM, Carlos E. R. wrote:
On 2017-10-16 20:11, James Knott wrote:
On 10/16/2017 01:51 PM, Carlos E. R. wrote:
Besides, any communication protocol that uses encryption is safe, even if they get entry to our WiFi: ssh, https... but not, I think, smb, nfs, most email...
(I should have said: "some email")
Many email providers are moving to SSL/TLS for POP, IMAP and SMTP. Not mine.
Geez...
I'll answer on a new thread :-) -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 16/10/17 01:51 PM, Carlos E. R. wrote:
I understand that every openSUSE machine is vulnerable till every machine in the same network is patched. Once a single one is successfully attacked, they are in. In the network, that is.
That applies at the more general level as well; if the proverbial and nefarious "they" get into a programmable device then "they" can do pretty much whatever is within their capability to any information on your network. Many of the protocols that would otherwise be encrypted to the outside world are either in the clear or are stored, temporarily or otherwise, in files. I may use TLS and IMAPS and SMTP-S to my server, but the mail message I send is in cleartext in my local 'sent' folder, and I might save critical files that I read locally.
In my DatabaseOfDotSigQuotes, subsection 'security', there is:
"If you have only one layer of protection you are only as safe as the next bug-de-jour" - Brad M Powell, Snr Network Security Architect, Sun Microsystems
Besides, any communication protocol that uses encryption is safe, even if they get entry to our WiFi: ssh, https... but not, I think, smb, nfs, most email...
If and only if "they" are limited, somehow, to only sniffing the network traffic, then source-encrypted traffic is 'safe', for varying levels and interpretations of 'safe'. In which case the argument against broadcast traffic, the use of switches, aggressive subnetting, or putting each device on its own port on a router (or sophisticated switch), that is every device on its own DMZ, and having a "deny all except" filtering policy (the wifi router doesn't need to have an SMTP connection to the SAN; in fact the SAN doesn't need anything except SMB and NFS and HTTPS from and only from the management device) should be considered the baseline.
More realistically, what seems to be a reasonable level of security in this day and age requires a great deal of administration & configuration management. I'm seeing products that can do all this, but I still feel that they are overwhelming. Why do I need three doublewide screens to display the dashboard of this software telling me what's going on on my network? Marcus Ranum once commented that while umbrellas are only of limited use and have other problems, at least they don't annoy you by notifying you of every raindrop they stop.
In a broader sense, if we are so perverse as to call computer malware "bugs" and "viruses" and "worms", and use other biological analogies, then why do we deny what biological systems really do about attacks? My skin, my gut, my whole immune system is the end point of millennia of an evolutionary war the scale of which the computer world has never seen. I shrug off, every hour, thousands of 'attacks' by a wide variety of, also highly evolved, micro-organisms. It's not a perfect scheme; it breaks down sometimes. The old advert "kills 99% of known germs" applies; it's the unknown and the 1% that matter. But even so, for that 99% my body has no dashboard to tell me what's going on, and even for the 1% there are artificial aids ("antibiotics") when I am alerted.
I think we have a technology and approach to technology that seems more interested in feeding the inner geek of the sysadmins than in securing our technological infrastructure.
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
From the general description (I haven't been able to inspect a detailed demo), it looks like a cousin to the Diffie Hellman flaw described last year.
If so,
- All encrypted traffic including SSL/TLS, SSH, VPNs, etc should be protected despite the researchers' suggestion that <might> also be vulnerable. And, all User activity that involves exchanging passwords on websites, Financial/Banking, email and other activity are covered here.
- The other stuff about capturing, replaying and injecting content or even false network settings is a different consideration, but if this is not much different than what has always been possible using aircrack-ng against WEP or WPA1, then there are practical considerations which can make this kind of attack difficult although possible... like...
The attacker might have to capture gigabytes of data to obtain the few packets which contain a WPA handshake. Low activity APs might be more vulnerable than heavily used.
Once captured, the attacker has to crack the keys. Depending on strength and available machine resources plus method of crack (are rainbow tables available and used?), this might take a while.
Once cracked, the keys are usable for only as long as the original User has not yet closed his wireless session. Once the User has disconnected, then a new session and handshake has to be cracked.
So, unless you're supporting a high security wireless network, I don't think that anyone should be pressing any emergency buttons, and if you were supporting a high security network then I'd be questioning why you even have WiFi or are not deploying WiFi that automatically rotates new keys every few minutes.
Tony
On Mon, Oct 16, 2017 at 9:18 AM, James Knott <james.knott@rogers.com> wrote:
On 10/16/2017 09:43 AM, Richard Brown wrote:
But WPA2 comes in a couple variants. Does anyone know if any of them
are unaffected?
Thanks Greg I don't know, but I do know that SUSE are working on providing us fast updates for SLE (which Leap will get equally fast) and Tumbleweed
Would SUSE being up to date affect this? Or is it an attack on the access point?
Regarding stuff like key servers, that's not going to be affected. Servers hold the keys for providing authentication for services, but those keys are not generally used directly in WiFi (or at least not the systems I know about). Normally those keys are used to generate ephemeral (single use) keys which are then used for handshakes.
In the case of Network Security like LDAP/AD, both the Server and Client have been joined to the Domain beforehand, so each contains a "secret" that is commonly known to the two that doesn't have to be exchanged over the network.
Tony
On Mon, Oct 16, 2017 at 9:35 AM, Tony Su <tonysu@su-networking.com> wrote:
From the general description (I haven't been able to inspect a detailed demo), it looks like a cousin to the Diffie Hellman flaw described last year.
If so, - All encrypted traffic including SSL/TLS, SSH, VPNs, etc should be protected despite the researchers' suggestion that <might> also be vulnerable. And, all User activity that involves exchanging passwords on websites, Financial/Banking, email and other activity are covered here.
- The other stuff about capturing, replaying and injecting content or even false network settings is a different consideration, but if this is not much different than what has always been possible using aircrack-ng against WEP or WPA1, then there are practical considerations which can make this kind of attack difficult although possible... like...
The attacker might have to capture gigabytes of data to obtain the few packets which contain a WPA handshake. Low activity APs might be more vulnerable than heavily used.
Once captured, the attacker has to crack the keys. Depending on strength and available machine resources plus method of crack (are rainbow tables available and used?), this might take awhile
Once cracked, the keys are usable for only as long as the original User has not yet closed his wireless session. Once the User has disconnected, then a new session and handshake has to be cracked.
So, Unless you're supporting a high security wireless network, I don't think that anyone should be pressing any emergency buttons, and if you were supporting a high security network then I'd be questioning why you even have Wifi or not deploying WiFi that automatically rotates new keys every few minutes.
Tony
On Mon, Oct 16, 2017 at 9:18 AM, James Knott <james.knott@rogers.com> wrote:
On 10/16/2017 09:43 AM, Richard Brown wrote:
But WPA2 comes in a couple variants. Does anyone know if any of them
are unaffected?
Thanks Greg I don't know, but I do know that SUSE are working on providing us fast updates for SLE (which Leap will get equally fast) and Tumbleweed
Would SUSE being up to date affect this? Or is it an attack on the access point?
Based on the non-detailed descriptions I've read, although the specific handshake step might be on the client side, it's not likely a client only flaw. It's the whole handshake, which likely means that both AP and client need to be patched.
Tony
On Mon, Oct 16, 2017 at 9:41 AM, Tony Su <tonysu@su-networking.com> wrote:
Regarding stuff like key servers, That's not going to be affected. Servers hold the keys for providing authentication for services, but those keys are not generally used directly in WiFi (or at least not the systems I know about). Normally those keys are used to generate ephemeral (single use) keys which are then used for handshakes.
In the case of Network Security like LDAP/AD, Both the Server and Client have been joined to the Domain beforehand, so each contains a "secret" that is commonly known to the two that doesn't have to be exchanged over the network.
Tony
On Mon, Oct 16, 2017 at 9:35 AM, Tony Su <tonysu@su-networking.com> wrote:
From the general description (I haven't been able to inspect a detailed demo), it looks like a cousin to the Diffie Hellman flaw described last year.
If so, - All encrypted traffic including SSL/TLS, SSH, VPNs, etc should be protected despite the researchers' suggestion that <might> also be vulnerable. And, all User activity that involves exchanging passwords on websites, Financial/Banking, email and other activity are covered here.
- The other stuff about capturing, replaying and injecting content or even false network settings is a different consideration, but if this is not much different than what has always been possible using aircrack-ng against WEP or WPA1, then there are practical considerations which can make this kind of attack difficult although possible... like...
The attacker might have to capture gigabytes of data to obtain the few packets which contain a WPA handshake. Low activity APs might be more vulnerable than heavily used.
Once captured, the attacker has to crack the keys. Depending on strength and available machine resources plus method of crack (are rainbow tables available and used?), this might take awhile
Once cracked, the keys are usable for only as long as the original User has not yet closed his wireless session. Once the User has disconnected, then a new session and handshake has to be cracked.
So, Unless you're supporting a high security wireless network, I don't think that anyone should be pressing any emergency buttons, and if you were supporting a high security network then I'd be questioning why you even have Wifi or not deploying WiFi that automatically rotates new keys every few minutes.
Tony
On Mon, Oct 16, 2017 at 9:18 AM, James Knott <james.knott@rogers.com> wrote:
On 10/16/2017 09:43 AM, Richard Brown wrote:
But WPA2 comes in a couple variants. Does anyone know if any of them
are unaffected?
Thanks Greg
I don't know, but I do know that SUSE are working on providing us fast updates for SLE (which Leap will get equally fast) and Tumbleweed
Would SUSE being up to date affect this? Or is it an attack on the access point?
On 16/10/17 17:35, Tony Su wrote:
From the general description (I haven't been able to inspect a detailed demo), it looks like a cousin to the Diffie Hellman flaw described last year.
If so,
- All encrypted traffic including SSL/TLS, SSH, VPNs, etc should be protected despite the researchers' suggestion that <might> also be vulnerable. And, all User activity that involves exchanging passwords on websites, Financial/Banking, email and other activity are covered here.
- The other stuff about capturing, replaying and injecting content or even false network settings is a different consideration, but if this is not much different than what has always been possible using aircrack-ng against WEP or WPA1, then there are practical considerations which can make this kind of attack difficult although possible... like...
The attacker might have to capture gigabytes of data to obtain the few packets which contain a WPA handshake. Low activity APs might be more vulnerable than heavily used.
Once captured, the attacker has to crack the keys. Depending on strength and available machine resources plus method of crack (are rainbow tables available and used?), this might take awhile
LIKE A COUPLE OF NANOSECONDS? Sorry for shouting, but the nature of the crack tricks wpa_supplicant into using a key of 0x00.
Once cracked, the keys are usable for only as long as the original User has not yet closed his wireless session. Once the User has disconnected, then a new session and handshake has to be cracked.
So, Unless you're supporting a high security wireless network, I don't think that anyone should be pressing any emergency buttons, and if you were supporting a high security network then I'd be questioning why you even have Wifi or not deploying WiFi that automatically rotates new keys every few minutes.
Yes you should be pressing security buttons. The key is absolutely no protection at all!
Cheers,
Wol
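An added illustration of the point Wol makes above (this is example code written for this page, not code from the thread and not hostap/wpa_supplicant code): a toy supplicant that reinstalls its temporal key when message 3 of the 4-way handshake is replayed, which resets the CCMP packet number (the per-frame nonce), so two data frames are encrypted under the same keystream and the eavesdropper needs no cracking at all; the "zero_key" mode models the wpa_supplicant behaviour Wol describes, where the reinstalled key is all zeros; the "patched" mode shows the fix, never reinstalling a key already in use. Assumptions: an HMAC-SHA256 counter-mode keystream stands in for CCMP's AES-CTR (the nonce-reuse property is identical), and the names `Supplicant`, `run`, the key `TK` and the frames `MSG1`/`MSG2` are constructed for the example.

```python
"""Key reinstallation in a toy WPA2 supplicant: why a replayed handshake
message 3 defeats the encryption without any key cracking.

Added illustration, not code from the thread or from hostap/wpa_supplicant.
Assumptions: HMAC-SHA256 in counter mode stands in for CCMP's AES-CTR
keystream; TK, MSG1 and MSG2 are constructed values."""
import hashlib
import hmac

TK = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed 128-bit temporal key
MSG1 = b"GET /login HTTP/1.1 user=alice  "               # constructed data frames (same length)
MSG2 = b"POST /login pass=hunter2 secret!"


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Counter-mode keystream for CCMP packet number pn. HMAC-SHA256 stands in
    for AES-CTR; what matters is that the same (tk, pn) gives the same bytes."""
    out = b""
    block = 0
    while len(out) < length:
        ctr = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(tk, ctr, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the 4-way handshake, reduced to key installation.

    mode = "vulnerable": reinstalls the key on a replayed message 3 (nonce reset)
    mode = "zero_key":   like the wpa_supplicant builds Wol refers to, the key
                         was wiped from memory after the first install, so the
                         reinstall installs all-zero bytes
    mode = "patched":    ignores a message 3 for a key that is already in use
    """

    def __init__(self, mode: str):
        self.mode = mode
        self.tk = None          # installed temporal key
        self.pn = 0             # CCMP packet number, the per-frame nonce
        self.installed = False

    def handshake_msg3(self, tk: bytes) -> None:
        if self.installed and self.mode == "patched":
            return              # the fix: a key already in use is never reinstalled
        if self.installed and self.mode == "zero_key":
            tk = bytes(16)      # the real key is gone; zeros get installed
        self.tk = tk
        self.pn = 0             # (re)installing the key resets the nonce
        self.installed = True

    def send(self, frame: bytes) -> tuple:
        pn = self.pn
        self.pn += 1
        return pn, xor(frame, keystream(self.tk, pn, len(frame)))


def run(mode: str) -> dict:
    """Eavesdropper's view: message 3 is replayed between two data frames.
    MSG1 is assumed predictable (e.g. a known header); MSG2 is the target."""
    client = Supplicant(mode)
    client.handshake_msg3(TK)            # genuine message 3 from the AP
    pn1, c1 = client.send(MSG1)
    client.handshake_msg3(TK)            # attacker replays message 3 (the AP retransmits it when message 4 is blocked)
    pn2, c2 = client.send(MSG2)

    # If the keystream repeats, c1 ^ c2 == MSG1 ^ MSG2 (a two-time pad).
    two_time_pad = xor(xor(c1, c2), MSG1) if pn1 == pn2 else None
    # If the installed key is all zeros, anyone can regenerate the keystream.
    zero_key = xor(c2, keystream(bytes(16), pn2, len(c2)))
    return {
        "nonce_reused": pn1 == pn2,
        "recovered_via_two_time_pad": two_time_pad == MSG2,
        "recovered_via_zero_key": zero_key == MSG2,
    }


if __name__ == "__main__":
    for mode in ("vulnerable", "zero_key", "patched"):
        print(mode, run(mode))
```

Running it shows the three outcomes side by side: in "vulnerable" mode the nonce repeats and the second frame falls out of `c1 ^ c2 ^ MSG1`; in "zero_key" mode the attacker does not even need a known plaintext, because the keystream is computable from an all-zero key; in "patched" mode the replayed message 3 is ignored, the packet number keeps counting, and neither recovery works. None of the three paths involves capturing handshakes at volume or cracking anything, which is why Wol's "nanoseconds" remark is the right order of magnitude.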
On 10/16/2017 09:36 AM, Greg Freemyer wrote:
All,
Most WiFi routers have WEP, WPA, and WPA2.
WPA2 was the most secure and the recommendation.
No longer:
https://www.theregister.co.uk/AMP/2017/10/16/wpa2_krack_attack_security_wifi...
But WPA2 comes in a couple variants. Does anyone know if any of them are unaffected?
I don't know if this would affect Enterprise WPA2, which uses a key server. Regardless, requiring re-entering a key should be a flag that something's wrong. If a key worked before, it should keep on working.
I see there is a bug open: https://bugzilla.suse.com/show_bug.cgi?id=1063479
Bug 1063479 - VUL-0: hostap: WPA2 attacks (VU#228519) aka "KRACK"
participants (11)
- Andrei Borzenkov
- Anton Aylward
- Carlos E. R.
- Greg Freemyer
- James Knott
- Marcus Meissner
- Richard Brown
- Richmond
- Tony Su
- Toshi Esumi
- Wols Lists