Military board - The most secure WPA2 protocol has been cracked; Wi-Fi worldwide is no longer safe (repost)
p*******m
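Posts: 20761
1
[The following text is reposted from the Hardware board]
From: pathdream (求包养买保10洁), Board: Hardware
Subject: The most secure WPA2 protocol has been cracked; Wi-Fi worldwide is no longer safe
Site: BBS 未名空间站 (Mon Oct 16 20:59:05 2017, US Eastern)
For routers this is truly grim news, because hackers have found a way to easily take down Wi-Fi networks encrypted with WPA or WPA2.
According to a report by the foreign outlet TheNextWeb, an attacker can read the wireless communication between a connected device and the wireless access point, and can even modify it to embed malware in websites; macOS, Windows, iOS, Android and Linux cannot escape this vulnerability.
WPA2 encryption protocol broken! Routers and a whole wave of other devices are hit
In fact this problem is not much of a surprise, because the WPA2 encryption protocol has been in service for about 13 years. Its being cracked is painful for ordinary users, because an attacker does not need to crack the Wi-Fi password to easily steal users' credit card numbers, passwords, chat messages, photos, e-mails and the content of online communication tools.
The researchers also stressed that Android 6.0 and later versions all have this vulnerability, and that this devastating wireless attack can instantly take down 41% of Android devices; it works by reading wireless network traffic (exploiting a flaw in the WPA2 protocol's 4-way handshake) and does not target the access point.
Changing your WiFi password does not solve this problem; you can only wait for updates addressing this vulnerability for the relevant router clients, and of course patches for other devices as well.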
h******k
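Posts: 15372
2
"Because an attacker does not need to crack the Wi-Fi password to easily steal users' credit card numbers." Nonsense; even on unencrypted WiFi you can't get credit card numbers, unless you visit brain-dead websites. Normal transaction sites are all encrypted with https.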
E*********9
Posts: 244
3
The hack will cause the browser to drop https for http. The hack only works at
the login stage and allows capturing the username and password since they were
sent in plain text. The login will fail. However, at this stage, the
password might be stolen and used to retrieve stored credit card number.

[Quoting h******k's post:]
: "Because an attacker does not need to crack the Wi-Fi password to easily steal users' credit card numbers." Nonsense; even
: on unencrypted WiFi you can't get credit card numbers, unless you visit brain-dead websites. Normal transaction sites are all encrypted with https.

S******r
Posts: 4421
4
It's not that easy to drop.
You think every site is a garbage site like mitbbs?
Certificate validation is done by the browser; it is not affected by the transport layer.

[Quoting E*********9's post:]
: The hack will cause the browser to drop https for http. The hack only works at
: the login stage and allows capturing the username and password since they were
: sent in plain text. The login will fail. However, at this stage, the
: password might be stolen and used to retrieve stored credit card number.

z****g
Posts: 3509
5
Nonsense.

[Quoting E*********9's post:]
: The hack will cause the browser to drop https for http. The hack only works at
: the login stage and allows capturing the username and password since they were
: sent in plain text. The login will fail. However, at this stage, the
: password might be stolen and used to retrieve stored credit card number.

c****3
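Posts: 10787
6
This one counts as pretty decent: they cracked it and still published it. Why does everyone think a crack must be published? Is that an obligation?
So key-exchange protocols like RSA and DSA could all be insecure; it is entirely possible that someone has broken them without publishing.
If the military broke it, there is no obligation to publish.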
m********5
Posts: 17667
7
Most websites in mainland China can't use https, and you don't see anything getting stolen.
What you describe is almost impossible; a modern browser, as long as it is set up correctly, will warn you if the page isn't https
when you enter a password.

[Quoting E*********9's post:]
: The hack will cause the browser to drop https for http. The hack only works at
: the login stage and allows capturing the username and password since they were
: sent in plain text. The login will fail. However, at this stage, the
: password might be stolen and used to retrieve stored credit card number.

h******k
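Posts: 15372
8
There are two kinds of people: one makes money by publishing, the other makes money by not publishing. In fact the two kinds are in close
contact, and their work is the same.

[Quoting c****3's post:]
: This one counts as pretty decent: they cracked it and still published it. Why does everyone think a crack must be published? Is that an obligation?
: So key-exchange protocols like RSA and DSA could all be insecure; it is entirely possible that someone has broken them without publishing.
: If the military broke it, there is no obligation to publish.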

p*******m
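Posts: 20761
9

Phones won't.
https://www.krackattacks.com/
Come on, everyone, come and learn something. Everything at my place is wired, by the way.

[Quoting m********5's post:]
: Most websites in mainland China can't use https, and you don't see anything getting stolen.
: What you describe is almost impossible; a modern browser, as long as it is set up correctly, will warn you if the page isn't https
: when you enter a password.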

d*b
Posts: 21830
10
One time password. Do you politics-board blowhards actually understand any of this?

[Quoting E*********9's post:]
: The hack will cause the browser to drop https for http. The hack only works at
: the login stage and allows capturing the username and password since they were
: sent in plain text. The login will fail. However, at this stage, the
: password might be stolen and used to retrieve stored credit card number.

E*********9
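Posts: 244
11
That's true, it is hackable but not very practical, the hack can only be
done within user's wifi range and user fails to notice his communication is
no longer https.

[Quoting m********5's post:]
: Most websites in mainland China can't use https, and you don't see anything getting stolen.
: What you describe is almost impossible; a modern browser, as long as it is set up correctly, will warn you if the page isn't https
: when you enter a password.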

p*******m
Posts: 20761
12
Monday morning was not a great time to be an IT admin, with the public
release of a bug that effectively broke WPA2 wireless security.
Security experts have said the bug is a total breakdown of the WPA2 security
protocol.
As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for
Key Reinstallation Attack -- is at heart a fundamental flaw in the way
Wi-Fi Protected Access II (WPA2) operates.
The security protocol, an upgrade from WEP, is used to protect and secure
communications between everything from our routers, mobile devices, and
Internet of Things (IoT) devices, but there is an issue in the system's
four-way handshake that permits devices with a pre-shared password to join a
network.
According to security researcher and academic Mathy Vanhoef, who discovered
the flaw, threat actors can leverage the vulnerability to decrypt traffic,
hijack connections, perform man-in-the-middle attacks, and eavesdrop on
communication sent from a WPA2-enabled device.
US-CERT has known of the bug for some months and informed vendors ahead of
the public disclosure to give them time to prepare patches and prevent the
vulnerability from being exploited in the wild -- of which there are no
current reports of this bug being harnessed by cyberattackers.
The bug is present in WPA2's cryptographic nonce and can be utilized to dupe
a connected party into reinstalling a key which is already in use. While
the nonce is meant to prevent replay attacks, in this case, attackers are
then given the opportunity to replay, decrypt, or forge packets.
In general, Windows and newer versions of iOS are unaffected, but the bug
can have a serious impact on Android 6.0 Marshmallow and newer.
The attack could also be devastating for IoT devices, as vendors often fail
to implement acceptable security standards or update systems in the supply
chain, which has already led to millions of vulnerable and unpatched IoT
devices being exposed for use by botnets.
The vulnerability does not mean the world of WPA2 has come crumbling down,
but it is up to vendors to mitigate the issues this may cause.
In total, ten CVE numbers have been preserved to describe the vulnerability
and its impact, and according to the US Department of Homeland Security
(DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet,
the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology,
Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks.
Who's on top of the game?
Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes
for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in
a software update in a few weeks.
Arris: a spokesperson said the company is "committed to the security of our
devices and safeguarding the millions of subscribers who use them," and is
"evaluating" its portfolio. The company did not say when it will release any
patches.
Aruba: Aruba has been quick off the mark with a security advisory and
patches available for download for ArubaOS, Aruba Instant, Clarity Engine
and other software impacted by the bug.
AVM: This company may not be taking the issue seriously enough, as due to
its "limited attack vector," despite being aware of the issue, will not be
issuing security fixes "unless necessary."
Cisco: The company is currently investigating exactly which products are
impacted by KRACK, but says that "multiple Cisco wireless products are
affected by these vulnerabilities."
"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi
Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When
issues such as this arise, we put the security of our customers first and
ensure they have the information they need to best protect their networks.
Cisco PSIRT has issued a security advisory to provide relevant detail about
the issue, noting which Cisco products may be affected and subsequently may
require customer attention.
"Fixes are already available for select Cisco products, and we will continue
publishing additional software fixes for affected products as they become
available," the spokesperson said.
In other words, some patches are available, but others are pending the
investigation.
Espressif Systems: The Chinese vendor has begun patching its chipsets,
namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards
for a fix.
Fortinet: At the time of writing there was no official advisory, but based
on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer
vulnerable to most of the CVEs linked to the attack, but the latest branch,
5.4.3, may still be impacted. Firmware updates are expected.
FreeBSD Project: A patch is actively being worked on for the base system.
Google: Google told sister-site CNET that the company is "aware of the
issue, and we will be patching any affected devices in the coming weeks."
HostAP: The Linux driver provider has issued several patches in response to
the disclosure.
Intel: Intel has released a security advisory listing updated Wi-Fi drivers
and patches for affected chipsets, as well as Intel Active Management
Technology, which is used by system manufacturers.
Linux: As noted on Charged, a patch is already available and
Debian builds can patch now, while OpenBSD was fixed back in July.
Netgear: Netgear has released fixes for some router hardware. The full list
can be found here.
Microsoft: While Windows machines are generally considered safe, the Redmond
giant isn't taking any chances and has released a security fix available
through automatic updates.
MikroTik: The vendor has already released patches that fix the
vulnerabilities.
OpenBSD: Patches are now available.
Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects
users against the attack.
Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and
requires testing for the bug for new members.
Wi-Fi Standard: A fix is available for vendors but not directly for end
users.
WatchGuard: Patches for Fireware OS, WatchGuard legacy and current APs, and
for WatchGuard Wi-Fi Cloud have become available.
Apple: Apple has patched the issue in iOS, tvOS, watchOS, macOS betas with
fixes due to roll out to consumers soon.
At the time of writing, neither Toshiba nor Samsung responded to our
requests for comment. If that changes, we will update the story.
Install cameras to see whether any suspicious people are hanging around near the house.
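An added illustration of the key-reinstallation problem described in the article pasted above (not part of the thread and not code from any vendor or from the researchers): a toy client that resets its packet nonce whenever the same session key is installed again reuses its keystream, while a client that ignores a repeated install does not. The ToyClient class, the HMAC-based keystream standing in for CCMP's AES counter mode, the key and the two frames are all constructed for this sketch.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy per-packet keystream derived from (key, nonce).

    Assumption: HMAC-SHA256 in counter mode stands in for the AES counter
    mode of WPA2's CCMP. Only one property matters here: the same key and
    the same nonce always give the same keystream.
    """
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyClient:
    """Hypothetical Wi-Fi client reduced to key installation and sending."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.key = None
        self.next_nonce = 0

    def install_key(self, key: bytes) -> None:
        """Runs each time handshake message 3 is processed."""
        same = self.key is not None and hmac.compare_digest(key, self.key)
        if self.hardened and same:
            # Patched behaviour: the key is already in use, so keep the
            # current nonce counter instead of starting over.
            return
        self.key = key
        self.next_nonce = 1  # unpatched behaviour resets this on every install

    def send(self, plaintext: bytes):
        nonce = self.next_nonce
        self.next_nonce += 1
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))


# Constructed sample data (equal-length frames, fixed key).
FRAME_A = b"GET /index.html HTTP/1.1"
FRAME_B = b"password=hunter2-secret!"
SESSION_KEY = bytes(range(32))


def simulate(hardened: bool):
    """Install key, send a frame, see message 3 again, send another frame."""
    client = ToyClient(hardened)
    client.install_key(SESSION_KEY)
    n1, c1 = client.send(FRAME_A)
    client.install_key(SESSION_KEY)  # retransmitted handshake message 3
    n2, c2 = client.send(FRAME_B)
    return n1, c1, n2, c2


def keystream_reused(hardened: bool) -> bool:
    """True when both frames used one nonce, so the XOR of the two
    ciphertexts equals the XOR of the two plaintexts (keystream cancels)."""
    n1, c1, n2, c2 = simulate(hardened)
    return n1 == n2 and xor(c1, c2) == xor(FRAME_A, FRAME_B)


if __name__ == "__main__":
    for mode in (False, True):
        label = "hardened" if mode else "vulnerable"
        print(label, "-> keystream reused:", keystream_reused(mode))
```

Neither case involves the Wi-Fi password, which is why the posts above say that changing it does not help and that the fix is a client-side update.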
m********5
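Posts: 17667
13
Nonsense.
This is only plaintext at the transport level; it doesn't matter at all.
99% of you on wired connections don't use IPsec; it's basically all transparent, and on an internal network nobody can avoid having their packets seen.
This WiFi vulnerability only amounts to using the network on a public network.

[Quoting p*******m's post:]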
: Monday morning was not a great time to be an IT admin, with the public
: release of a bug that effectively broke WPA2 wireless security.
: WPA2 security flaw puts almost every Wi-Fi device at risk of hijack,
: eavesdropping
: WPA2 security flaw puts almost every Wi-Fi device at risk of hijack,
: eavesdropping
: Security experts have said the bug is a total breakdown of the WPA2 security
: protocol.
: Read More
: As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for

s********i
Posts: 17328
14
Don't be so nervous; just look carefully for the little lock in the browser.
p*******m
Posts: 20761
15

WPA2: Broken with KRACK. What now?
BY ALEX ON OCTOBER 15, 2017 IN MISC, PROPRIETARY
On social media right now, strong rumours are spreading that the WPA2
encryption scheme has been broken in a fundamental way. What this means: the
security built into WiFi is likely ineffective, and we should not assume it
provides any security.
The current name I’m seeing for this is “KRACK”: Key Reinstallation
AttaCK. If this is true, it means third parties will be able to eavesdrop on
your network traffic: what should be a private conversation could be
listened in to.
This has happened before with WiFi: who remembers WEP passwords? However,
what is different this time around: there is no obvious, easy, replacement
ready and waiting. This is suddenly a very big deal.
In truth, WPA2 has been suspect for some time now. A number of attacks
against WPA2-PSK have been shown to be successful to a limited degree,
WPA2-Enterprise has shown itself to be slightly more resilient (but doesn’t
protect you from these problems).
I have continued to update this as facts become clear. Please note:
Credit for this goes to Mathy Vanhoef and Frank Piessens at KU Leuven, who
have a great track record of discovering problems here. I want to be clear
about this as I’ve been quoted incorrectly in a couple of places!
www.krackattacks.com is now up! There is a list of vendor announcements
being written, but remember all vendors are potentially affected. Few
vendors appear to have updates ready 🙁
All attacks appear to require a specific type of Man-in-the-Middle – this
means in practice they are difficult to execute. Most of the worst scenarios
are mitigated by this – another fault in WPA2 / WiFi will need to be found
to make this a genuinely practical attack.
Attacks against Android Phones are more damaging and full decryption is
possible. Other platforms only allow a small amount of data to be recovered.
Windows and Mac OS users are safer. Updates for other OSes will come quite
quickly, the big problem is embedded devices for whom updates are slow /
never coming
For the very technical, the CVE list is at the bottom of this post.
The main attack is against clients, not access points. So, updating your
router may or may not be necessary: updating your client devices absolutely
is! Keep your laptops patched, and particularly get your Android phone
updated
Correction: I’ve highlighted specifically that WPA2-Enterprise is
vulnerable.
If you have some great advice to share or corrections to this, please let me
know!
Information here is good as of 2017-10-16 20:00 UTC.
So, this is going to be a horrible Monday morning for IT admins across the
world. The practical question is: what now?
Keep Calm
Remember, there is a limited amount of physical security already on offer by
WiFi: an attack needs to be in proximity. So, you’re not suddenly
vulnerable to everyone on the internet. It’s very weak protection, but this
is important when reviewing your threat level.
Additionally, it’s likely that you don’t have too many protocols relying
on WPA2 security. Every time you access an https site – like this one –
your browser is negotiating a separate layer of encryption. Accessing secure
websites over WiFi is still totally safe. Hopefully – but there is no
guarantee – you don’t have much information going over your network that
requires the encryption WPA2 provides.
So, we’re alright?
In a word, No. There are plenty of nasty attacks people will be able to do
this. They may be able to disrupt existing communications. They may be able
to pretend to be other nodes on the network. This could be really bad –
again, they won’t be able to pretend to be a secure site like your bank on
the wifi, but they can definitely pretend to be non-secure resources. Almost
certainly there are other problems that will come up, especially privacy
issues with cheaper internet-enabled devices that have poor security.
You can think of this a little bit like your firewall being defeated. WiFi
encryption mainly functions to keep other devices from talking on your
network (the security otherwise has been a bit suspect for a while). If that
no longer works, it makes the devices on your network a lot more vulnerable
– attackers in proximity will now be able to talk to them.
Story for your boss
Keep it simple, and ideally get ahead of the game by communicating now.
Re-iterate:
this won’t let people who are not physically present into your networks;
it’s unlikely any data is protected by the encryption WPA2 provides; in
particular, accessing secure websites is still fine;
think about increasing the level of security of the nodes on your network if
possible – make sure your AV is up-to-date, firewalls turned on, etc.;
if you’re paranoid about certain data or systems, turn off WiFi and switch
to one of an internal VPN, a wired ethernet connection or mobile data (for
WAN access);
that you are on top of the situation and monitoring the best next steps.
In terms of what to do, in many ways, we’re at the behest of our vendors.
If you have a high quality vendor (I would include companies like Ruckus and
Cisco in this bracket, for example) I expect new firmware to be available
very shortly to mitigate these problems. This may well result in
incompatibility with existing devices: as a business, you will need to make
a decision in that case (unless you need compliance with PCI-DSS or similar,
in which case you likely have little choice).
Story for friends / family
This is where it gets really sucky. Lots of us have old routers at home,
which have no chance of a firmware upgrade, and lots of WiFi equipment that
may well not get a protocol upgrade if one is required. Right now, it sounds
like all this stuff is going to be worthless from the perspective of
encryption.
Reiterate the same points as above:
secure websites are still secure, even over WiFi;
think about setting your computers to “Public Network” mode – that
increases the level of security on the device relative to “Private / Home
Network” modes. Remember, if third parties can get onto our home networks,
they’re no longer any safer than an internet cafe;
if you’re paranoid about your mobile, turn off WiFi and use mobile data
when necessary;
it sounds like no similar attack against ethernet-over-mains power line is
possible, so home networks based on mains plugs are probably still ok;
keep computers and devices patched and up-to-date.
What for the future?
As I said before, this is a big problem, but not one that was unexpected. A
number of encryption protocols have been problematic over the years; many of
the implementations of those protocols have been even worse.
It’s clear to me that “Internet of Things” type devices will be the
hardest hit. Devices with embedded WiFi for secondary functional purposes,
like TVs and baby monitors, are unlikely to get proper updates. As a
protocol problem, it’s possible we will be forced to choose between
security and functionality, and many users will choose the latter – it’s a
difficult problem to weigh.
I would love to say there’s an easy answer. I think it’s important that
networks become increasingly software-defined, and that it makes sense that
future standards focus on that runtime rather than the protocol itself. We
cannot rely on vendors to keep devices up-to-date either (for many reasons),
but previous attempts at standardising a runtime (like UEFI) aren’t
promising, either technically or security-wise.
As consumers, we have to continually question the security credentials of
devices we buy, and demand the best evidence of their security. This is a
tough ask; even in the IT world, buying “secure” is difficult. In tech we
must strive for better.
CVEs involved
If you don’t know what these are, don’t worry – they are the “official
notifications” of a problem, if you like. If you have a vendor of WiFi
equipment, you will want to ask them if they’re affected by any of these,
and if so, what the solutions are:
CWE-323
CVE-2017-13077
CVE-2017-13078
CVE-2017-13079
CVE-2017-13080
CVE-2017-13081
CVE-2017-13082
CVE-2017-13083
CVE-2017-13084
CVE-2017-13085
CVE-2017-13086
CVE-2017-13087

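[Quoting m********5's post:]
: Nonsense.
: This is only plaintext at the transport level; it doesn't matter at all.
: 99% of you on wired connections don't use IPsec; it's basically all transparent, and on an internal network nobody can avoid having their packets seen.
: This WiFi vulnerability only amounts to using the network on a public network.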

s********i
Posts: 17328
16
The poster above is right; it's equivalent to using a computer at a public library, not that scary. Just check carefully for https.
m********s
Posts: 55301
17
Great, equipment upgrades bring GDP; a rough estimate is at least 300 billion in direct contribution.
m********5
Posts: 17667
18
haha, that shows you have no idea what other people are saying; which point contradicts what I said?

[Quoting p*******m's post:]
:
: WPA2: Broken with KRACK. What now?
: BY ALEX ON OCTOBER 15, 2017 IN MISC, PROPRIETARY
: On social media right now, strong rumours are spreading that the WPA2
: encryption scheme has been broken in a fundamental way. What this means: the
: security built into WiFi is likely ineffective, and we should not assume it
: provides any security.
: The current name I’m seeing for this is “KRACK”: Key Reinstallation
: AttaCK. If this is true, it means third parties will be able to eavesdrop on
: your network traffic: what should be a private conversation could be

L******i
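Posts: 3027
19
Pretending to understand what you don't.
The session key is just a hash of the agreed key.
Leaving aside that a known-plaintext attack may not even get you the session key,
getting the session key does not necessarily get you the agreed key,
and getting the agreed key does not necessarily get you the user password.

[Quoting E*********9's post:]
: That's true, it is hackable but not very practical, the hack can only be
: done within user's wifi range and user fails to notice his communication is
: no longer https.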

p*******m
Posts: 20761
20

What You Should Know About the ‘KRACK’ WiFi Security Weakness
Researchers this week published information about a newfound, serious
weakness in WPA2 — the security standard that protects all modern Wi-Fi
networks. What follows is a short rundown on what exactly is at stake here,
who’s most at-risk from this vulnerability, and what organizations and
individuals can do about it.
Short for Wi-Fi Protected Access II, WPA2 is the security protocol used by
most wireless networks today. Researchers have discovered and published a
flaw in WPA2 that allows anyone to break this security model and steal data
flowing between your wireless device and the targeted Wi-Fi network, such as
passwords, chat messages and photos.
“The attack works against all modern protected Wi-Fi networks,” the
researchers wrote of their exploit dubbed “KRACK,” short for “Key
Reinstallation AttaCK.”
“Depending on the network configuration, it is also possible to inject and
manipulate data,” the researchers continued. “For example, an attacker
might be able to inject ransomware or other malware into websites. The
weaknesses are in the Wi-Fi standard itself, and not in individual products
or implementations. Therefore, any correct implementation of WPA2 is likely
affected.”
What that means is the vulnerability potentially impacts a wide range of
devices including those running operating systems from Android, Apple,
Linux, OpenBSD and Windows.
As scary as this attack sounds, there are several mitigating factors at work
here. First off, this is not an attack that can be pulled off remotely: An
attacker would have to be within range of the wireless signal between your
device and a nearby wireless access point.
More importantly, most sensitive communications that might be intercepted
these days, such as interactions with your financial institution or browsing
email, are likely already protected end-to-end with Secure Sockets Layer
(SSL) encryption that is separate from any encryption added by WPA2 — i.e.,
any connection in your browser that starts with “https://”.
Also, the public announcement about this security weakness was held for
weeks in order to give Wi-Fi hardware vendors a chance to produce security
updates. The Computer Emergency Readiness Team has a running list of
hardware vendors that are known to be affected by this, as well as links to
available advisories and patches.
“There is no evidence that the vulnerability has been exploited
maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can
continue to count on Wi-Fi to deliver strong security protections,” reads a
statement published today by a Wi-Fi industry trade group. “This issue can
be resolved through straightforward software updates, and the Wi-Fi
industry, including major platform providers, has already started deploying
patches to Wi-Fi users. Users can expect all their Wi-Fi devices, whether
patched or unpatched, to continue working well together.”
Sounds great, but in practice a great many products on the CERT list are
currently designated “unknown” as to whether they are vulnerable to this
flaw. I would expect this list to be updated in the coming days and weeks as
more information comes in.
Some readers have asked if MAC address filtering will protect against this
attack. Every network-capable device has a hard-coded, unique “media access
control” or MAC address, and most Wi-Fi routers have a feature that lets
you only allow access to your network for specified MAC addresses.
However, because this attack compromises the WPA2 protocol that both your
wireless devices and wireless access point use, MAC filtering is not a
particularly effective deterrent against this attack. Also, MAC addresses
can be spoofed fairly easily.
To my mind, those most at risk from this vulnerability are organizations
that have not done a good job separating their wireless networks from their
enterprise, wired networks.
I don’t see this becoming a major threat to most users unless and until we
start seeing the availability of easy-to-use attack tools to exploit this
flaw. Those tools may emerge sooner rather than later, so if you’re super
concerned about this attack and updates are not yet available for your
devices, perhaps the best approach in the short run is to connect any
devices on your network to the router via an ethernet cable (assuming your
device still has an ethernet port).
From reading the advisory on this flaw, it appears that the most recent
versions of Windows and Apple’s iOS are either not vulnerable to this flaw
or are only exposed in very specific circumstances. Android devices, on the
other hand, are likely going to need some patching, and soon.
If you discover from browsing the CERT advisory that there is an update
available for your computer, wireless device or access point, take care to
read and understand the instructions on updating those devices before you
update. Failing to do so with a wireless access point, for example can
quickly leave you with an expensive, oversized paperweight.
Finally, consider browsing the Web with an extension or browser add-on like
HTTPS Everywhere, which forces any site that supports https:// connections
to encrypt your communications with the Web site — regardless of whether
this is the default for that site.
For those interested in a deeper dive on the technical details of this
attack, check out the paper (PDF) released by the researchers who discovered
the bug.

[Quoting m********5's post:]
: haha, that shows you have no idea what other people are saying; which point contradicts what I said?

s********i
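Posts: 17328
21
Damn, just watch the demo and you'll know. It's just a man in the middle attack; in essence it stops you from using
https. You only need to check carefully for https; why all the fuss? Only if your home network has been hacked and you
send things unencrypted on the internal network will there be a problem.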
p*******m
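Posts: 20761
22

Buddy, we're here to fool the people who don't understand. These days everyone uses phones and tablets.
If your router is patched and you use 果果 (Apple), no problem at all.
If your router is not patched and you also use 猪猪 ("piggy"), lol, these mobile devices don't tell you whether there is https, big dumb app

[Quoting s********i's post:]
: Damn, just watch the demo and you'll know. It's just a man in the middle attack; in essence it stops you from using
: https. You only need to check carefully for https; why all the fuss? Only if your home network has been hacked and you
: send things unencrypted on the internal network will there be a problem.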

m********5
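Posts: 17667
23
That pathdream is 老邢's old-model bot.
Its replies only paste big chunks of English to flood the screen, with no regard for what it is pasting.
It's far worse than the current new Chinese-language bots.
The Chinese-language bots at least partly stay on topic.

[Quoting s********i's post:]
: Damn, just watch the demo and you'll know. It's just a man in the middle attack; in essence it stops you from using
: https. You only need to check carefully for https; why all the fuss? Only if your home network has been hacked and you
: send things unencrypted on the internal network will there be a problem.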

m*****n
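Posts: 4015
24
To intercept a plaintext password, the hacker needs to build a fake website and trick the user into entering the password. After capturing the password they can
redirect to the real bank website and restore https.
But it seems the user would still need to enter the password at least twice. You just need to check, if the login reports a failure the first time,
whether the URL has been changed afterwards.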
S******r
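Posts: 4421
25
Unless it's a garbage website that uses http for login.
Whenever you use https, the browser checks the certificate.
Your fake website doesn't have the private key, so it can't pass validation.
Never mind fake websites; even DNS hijacking won't work.

[Quoting m*****n's post:]
: To intercept a plaintext password, the hacker needs to build a fake website and trick the user into entering the password. After capturing the password they can
: redirect to the real bank website and restore https.
: But it seems the user would still need to enter the password at least twice. You just need to check, if the login reports a failure the first time,
: whether the URL has been changed afterwards.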

p*******m
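Posts: 20761
26

lol

[Quoting m********5's post:]
: That pathdream is 老邢's old-model bot.
: Its replies only paste big chunks of English to flood the screen, with no regard for what it is pasting.
: It's far worse than the current new Chinese-language bots.
: The Chinese-language bots at least partly stay on topic.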

s********i
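Posts: 17328
27
Did you even watch the demo? On it the Android system shows it clearly: before the attack it's https, afterwards it's
http. How is that not displayed?

[Quoting p*******m's post:]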
:
: lol

d*b
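Posts: 21830
28
Damn, don't you know this place is all politics-board blowhards? You, a PhD, arguing IQ with these people?

[Quoting s********i's post:]
: Did you even watch the demo? On it the Android system shows it clearly: before the attack it's https, afterwards it's
: http. How is that not displayed?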

c****3
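Posts: 10787
29
In a man-in-the-middle attack, all your traffic goes through the man-in-the-middle's router; if this middleman is malicious, there's nothing you can do.

[Quoting S******r's post:]
: Unless it's a garbage website that uses http for login.
: Whenever you use https, the browser checks the certificate.
: Your fake website doesn't have the private key, so it can't pass validation.
: Never mind fake websites; even DNS hijacking won't work.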

p*******m
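Posts: 20761
30

Buddy, I'm talking about apps.

[Quoting s********i's post:]
: Did you even watch the demo? On it the Android system shows it clearly: before the attack it's https, afterwards it's
: http. How is that not displayed?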

p*******m
Posts: 20761
31
Do any apps show https?
p*******m
Posts: 20761
p*******m
Posts: 20761
33
Neighbor
p*******m
Posts: 20761
34
Neighbor