[sf-lug] New Attack problems

Rick Moen rick at linuxmafia.com
Mon Oct 16 11:00:55 PDT 2017 

Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

> Hi LUGers,
>     Bad News. October 16, 2017
> 
>     Note that this is an attack against WiFI.  So here connected to DSL
> by Ethernet cable I am not much worried.  When we use WiFi at various
> location we are in danger of the KRACK attack but we know these are
> largely insecure but this will work on phones to decrypt data sent
> over WiFi and acquire it.

Quoting article:

   It can allow attackers to steal information such as credit cards,
   passwords, chat messages, email, photos, etc. An attacker might also
   be able to inject and manipulate data.

Scenario assumes said data are transmitted in plaintext across the WiFi
LAN, in other words that you are entrusting your security and privacy to 
WiFi encryption and send vital, sensitive information across it using
plaintext protocols (such as unencrypted HTTP and unencrypted SMTP).

Sorry, but is anyone still doing that?  Personally, I learned ages ago
not to trust the network, not to trust other people's routers, and not
to trust other people's recursive DNS.  Probably few here take things
that far, but:  Do you ever enter your credit card into a non-HTTPS 
connection?  You login to your bank Web site or Ebay or whatever
_first_, right, have reasonable confidence you're not on a
fraudulent site, and make sure you are on https before entering your
credit card, right?  So, you have session encryption at the https level,
and aren't relying on the network being secure.

I would suggest that it is, or should be, the same case with all the
other data cited:  If you're going to be discussing or transmitting
anything sensitive, you should (and probably do) take meaningful steps
to ensure you are using fairly verifiably genuine session encryption
_first_ before discussing or transmitting it.

If anyone here hasn't yet developed that habit, I suggest doing so --
and then it's not a huge concern whether you can trust the network or
not, as you are no longer relying on that as your sole protection.

That having been said, it'll be A Good Thing for the KRACK vulnerability
to get closed for WiFi-level encryption -- but this isn't the first 
hapless failure of WiFi encryption, and probably won't be the last.

Don't trust the network.  You don't have to, so don't.

More information about the sf-lug mailing list