HOLY FUCK

>For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.
krackattacks.com

dont talk about shit you dont know about

the attack creates a MitM attack

Says while probably browsing Sup Forums on the shitter

I thought he was just LARPing. Turns out we have an actual security insider browsing this anime board

Read it on android/flipboard 2 days ago.
>switched to lte.

>theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns

>This means connections to secure websites are still safe, as are other encrypted connections such as virtual private networks (VPN) and SSH communications.

>“Additionally, it’s likely that you don’t have too many protocols relying on WPA2 security. Every time you access an HTTPS site … your browser is negotiating a separate layer of encryption. Accessing secure websites over wifi is still totally safe. Hopefully – but there is no guarantee – you don’t have much information going over your network that requires the encryption WPA2 provides.”

Literally in the article.

Dont be a retarded faggot.

Whatever, there were dozens of ways to find out about this than the morning news.

Link the old thread

Well that article is fucking stupid. Someone exploiting this vulnerability can force your connection to go through plain text (ie. http instead of https) with very little effort.

>but muh theguardian article
fuck off retard

nope, my desktop doesn't even have a usb dongle
and my phone would be on data anyway

That's avoided with HSTS by competent websites, and you can avoid it on more sites with HTTPS Everywhere.

I read the op's warning too last night. Bless you mah boi

The thread from yesterday for those asking

Halp guys!! I think one of my Arab neighbors hacked into my wifi. I keep getting adds in their squiggly alphabet. With hijabs and shit.

Yeah of course he wasn't lying. Like he said they had 50 days to fix it and they said fuck it who cares WiFi security has always been shit.

Nobody cares.

get out of here chad

>krackattacks.com/

how about you read the other article? https is useless since you intercept the traffic coming from the attacked computer

>us-government-warns
>(((us)))
Oy vey, quick Trump we need a new backdoor asap, the goyim know!

hsts and certificate pinning make mitm much harder to do, even with dns spoofing. its still possible though but does not work on every site

It's been 24+ hrs after uncoordinated reveal/OpenBSD patch.

>not keeping your wifi open for plausible deniability and using https/vpn

Not him but isnt https mitm-proof? I just came to this thread, have yet to read all that.

>thinking the NSA only has one exploit for wpa2
lmaoing at you right now

Malcolm in the Middle?

Migger in the middle

I mean I know nothing is actually hacking-proof and that https can be compromised under certain very specific circumstances but its generally safe.

Does this affect windows or is this just for linux and android?

just you're moms pussy lmao she public property now lol

It affects TempleOS only

Are you retarded?

>Check my junk email (Yahoo)
>See video on this
>They recommend to hide your SSID

that's why ppl should use wired ethernet if they can. unless the line is tapped, no one can see it like wi-fi, which is broadcast all around.

ye ok, i have a similar setup and probably much more cables than you, but still, how you solve the phone problem?

You don't know what a VPN is, do you?

This.
Furthermore, if all wires are exposed it would be really hard for tapping to go unseen.

need smartbone with ederned pord

I was talking to my sister today, and she was all "should my bf and I disable our PS4?!?!"
First of all, everything about your internet security was already more concerning than this new problem, and second, just hook them up with a fucking 2 foot cable! The connection's better, and they're on the same fucking shelf as the router!
I fucking hate how everybody thinks wifi is the only way to get internet now. If a device is stationary, just plug it the fuck in and stop complaining that your internet keeps cutting out.

>b-b-but muh Linux is safer

So does this mean i can get personal info from my crush next door by tapping into her router yes or no? If the answer is yes, then how?

Ok reading more into, once the script is made available, there will be application for dummies developed so we can easily exploit it

As soon as I'm done with roommates I'm never picking WiFi back up. It's convenient, but clearly not safe. I'd much rather use Ethernet (with better speeds) and pay for a bit more data on my retardphone

what would happen if someone actually hacked into your wifi?

People on Twatter were talking about it, that OP was LARPing.

Not just use HTTPS, make sure you've got HTTPS Everywhere installed. Otherwise they can use sslstrip with this attack and rip HTTPS off of the connection. Don't forget that there is still a ton of stuff that isn't transmitting over HTTPS yet as well. And there are other insecure protocols besides HTTP.

If you are vulnerable then they can fully decrypt your WiFi connection and inject traffic. Worst case that traffic is from an application that has a known vulnerability (e.g. an unpatched web browser) and they inject a malicious payload into the connection then rootkit your computer to mask a keylogger that harvests all of your financial information and redirects your loli figure shipments to their house.

Here, nigger. made me search the archive:

>Just thought you should know in advance, Sup Forums. Details will be splashed everywhere tomorrow.

Very surprised to see someone actually tell the truth on Sup Forums. I wonder if he was one of the researchers?

Lots of shit, user.

go to bank.com -> attacker forces his own bank.com -> gets credentials -> profits

just one of many examples. this user covered it good

>tfw Sup Forums laughed when I asked for a phone with an ethernet port

That's actually possible on Android if you buy a USB-OTG to Ethernet adapter. Have fun.

is the world ready for the inevitable script kiddy kali tools?

>2017
>still saying script kiddy

.t a script kiddy.

>.t

>t. a retard

...

That's what people that can't write their own exploits are. Script kiddies. You're just mad because you thought you were cool when you downloaded Kali.

i swear to god kali is the worst thing to ever happen. now every pajeet and hillbilly with a youtube account thinks he's a leet haxor.

Does this mean Applefags who own macbooks are kill?

>mahhh advanced lack of ports.......

>wireless is the fuuuuture

>what are you, poor? you can't even afford an advanced macbook that does away with obsolete ports?

So everyone's talking about routers and mobile phones. What about handhelds and gaming consoles, how fucked are they?

Gaming consoles are less fucked because they do not leave your network. That means you will have no issues as long as your wireless access point is patched. I doubt handhelds will be patched so they will still be an issue on unpatched public networks, but they don't really transmit sensitive data so it's not a big issue.

Lies

*poisons your ARP table*

There are patches for APs for some of the vulns, and patches for clients for others (unless you are on Android in which case lol update your wpa_supplicant by hand, or on an old consumer router that won't be updated which is a surprising number of them so lol throw away your router and buy something good like a Microtik).

This isn't going to be as interesting had it landed before Let's Encrypt was a thing, or god forbid 10 years ago. But there are still some potentially interesting targeted attacks.

And the full potential isn't fully realised. This researcher is not done with the 802.11i analysis. There are more issues likely to be uncovered, because it is a trashball and nobody asked a cryptographer to review the whole thing, just one tiny part (see Matthew Green's post). Thanks, IEEE.

Insider is a bit much. I found out about it from Kenn's tweet, and thought Sup Forums should probably know as I expected most of Sup Forums isn't one of the girls in the infosec Twitter gossip echochamber and so it wouldn't spread very far until quite a bit later in the day or the day after. I did say I didn't know the technical details at that point, which was quite true.

I am not the only person in infosec who reads/facepalms at this board, but this board is not well regarded.

That surprised me. Someone forgot Theo doesn't do embargoes, so you have to do them for him.

>taking Yahoo's advice on security
>after every account had its password breached
Patch your router.

Won't make you any less of a creep, user.

Are you that genuinely surprised Sup Forums isn't quite 100% shitposting?

Patch your AP.
>implying you go out

Re: LineageOS, patch should land in the next nightly for your device I gather. Didn't make it in time for Monday's nightlies.

>his computer is connected to router by ethernet
Nothing to see here unless you are mobile plebian

https doesn't protect shit, everyone can see that you're going to sadpanda irregardless.

How is this worse than any other regular ol' MITM or WiFi-targeted attack? Any fifteen y/o with half a brain and Kali could do this shit already, I don't get why this is being so blown up.

That was WEP/http. This is WPA/https we're talkin' bout, dweeb.

Back to facebook normie.

>this whole fucking thread
Now tell me, honestly, how many of you fucks have actually read about what the vulnerability actually is? I don't think even 5 of you have desu

So what exacly does that mean for the common populas, do I have to dlt my pr0n?

Yeah, like I said...

>all around me are familiar faces

all of us

>worn out places

Even if you patch your AP you're still fucked if your client is unpatched.

well thank fuck i got an asus rou- im fucked.

>in a few years
A new wireless attack against ethernet has been developed. A totally wired plug gives off small amounts of radio waves that can now be intercepted.

>todokete setsunasa ni wa

So can I use this right now in my apartment block and get nudes or what?

>Turns out we have an actual security insider browsing this anime board
this is but a fraction of Sup Forums 's true power.

the krack page said it's possible to inject/receive packets, could someone access stuff (internet, local) that way, even without knowing the wpa password?

It says someone can install a new key which decrypts all your traffic.

with a specific configuration it seems like sent packets can be manipulated too,
what i don't understand is if by 'forge' it means creating packets, without intervention of the client, which in that case you could use that client's connection as yours? correct me if i'm wrong

almost everything uses some encryption so this wont be very useful

You can still sit in an airport lounge or public wifi area and use your illegal tower to spoof origin AP even with this WPA2 pile of bugs, nothing has changed wifi has never been safe which is why you're supposed to use end-to-end encryption with your phone like an IPSeC VPN, + https + cert pinning in apps. Can rent a digital ocean VPS and run Wireguard VPN on it if you wanted too should you be doing things like accessing a business email address you don't want to risk losing to some rando fraudsters.

Yes, also somebody can already do this with your regular network if they ever get into it (forge packets, inject galore, troll on cruise control). The big issue is IT contractors can't hide this like they usually do since it affects normies and their Iphones so there's big panic.

Yes basically, you create packets and simply inject them into that network to do whatever you want. You can learn this from any TCP/IP book that shows you the inner workings of libpcap and other network libraries you can manipulate, CMU has a good course/recommendations for books: cs.cmu.edu/~prs/15-441-F16/syllabus.html

because, if the Guardian prints something it must be true, right?

Remember, these are the people who said Brexit was impossible, and that Liebor would win the last election. They are the people who said immigration has a beneficial effect on a nation

You forget that just yesterday the Guardian ran a story about that Viking "allah" cloth that was debunked this morning as well by actual researchers the Guardian never bothered to ask for commentary twitter.com/stephenniem/status/919897406031978496

Is android 7 safe?

Already stoppped all wifis in my home.
What to do next?
Is there any other way to encrypt the Wifi connection?

Linux users with the latest updates are no longer vulnerable to krack attacks