Topic: "WPA2 wireless security cracked" & OpenSSL "HeartBleed" bug

Heads up! :o  Reference:  http://phys.org/news/2014-03-wpa2-wireless.html

  see also:  Scientists demonstrate first contagious airborne WiFi virus

Plug it in, plug it in!

Last edited by TechDud (2014-03-26 12:53:20)

Re: "WPA2 wireless security cracked" & OpenSSL "HeartBleed" bug

Inderscience Publishers quoting Achilleas Tsitroulis of Brunel University, UK, Dimitris Lampoudis of the University of Macedonia, Greece and Emmanuel Tsekleves of Lancaster University, UK wrote:

... "this wireless security system might now be breached with relative ease by a malicious attack on a network. They suggest that it is now a matter of urgency that security experts and programmers work together to remove the vulnerabilities in WPA2 in order to bolster its security or to develop alternative protocols to keep our wireless networks safe from hackers and malware."

Re: "WPA2 wireless security cracked" & OpenSSL "HeartBleed" bug

Yeah, free internet. :D

Re: "WPA2 wireless security cracked" & OpenSSL "HeartBleed" bug

Be careful what you wish for, Outbreaker!
  The hunter may become the prey.

  Wireless Routers can also be affected by the OpenSSL bug "HeartBleed".  Presumably, that would include routers with firmware built between early 2012 and April 7th, 2014.

"Heartbleed seems to show that at least systems (read servers, clients, web appliances, phones, etc., etc.) encrypted with OpenSSL have potentially been vulnerable to wholesale pwnage, including certificates" [cryptographic keys] ", login details, financials, etc, etc. etc." [for the past two years]!
...

Bruce Schneier wrote:

"“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.
Half a million sites are vulnerable, including my own."

     Quoted from:  https://www.schneier.com/blog/archives/ … bleed.html

"Perhaps this is a good time to remember those wonderful words penned years ago by Douglas Adams: “DON’T PANIC”.

Be proactive, not reactive. Head’s up!"

     Quoted from:  http://nuclear-news.net/2014/03/01/rise … ent-214077

"Spock: Are you sure it isn’t time for a colorful metaphor?"
     Quoted from:  http://www.imdb.com/title/tt0092007/quotes

This also includes software that utilizes OpenSSL in a Windows environment, even though Windows itself is not specifically indicated as vulnerable to this bug.

Add this to the WPA2 vulnerability, and that 11 on a ten-scale may in effect actually be somewhere around an 18 on a ten-scale!
  Of course, that is only in light of these two specific recent revelations and cannot include that which we are not yet aware of.

It also highlights how the assumption that open source makes such bugs unlikely in the long term is not necessarily true.
  One does wonder how many bugs remain unofficially discovered or patched where Security By Obscurity prevails.

There may yet be another small set of updates officially released by Microsoft for NT5 in the near future.
  That dealing with updated Certificates, as well as the many that have and will soon be Revoked.
    Wondering if this is at least one reason the March 2014 Certificates update was yarded by MS.  (don't know if NT6 update pulled too)

I wonder if Deutsche Bank properly fixed this yet, which allegedly is still using their old certificate. :/
  Business should be booming now for Certificate Authorities, yet one wonders how proactive they all were.
    A chain will eventually break at its weakest link if overloaded.

Last edited by TechDud (2014-04-12 06:39:56)

Re: "WPA2 wireless security cracked" & OpenSSL "HeartBleed" bug

Update:

Bruce Schneier wrote:

"Cloudflare is reporting that it's very difficult, if not practically impossible, to steal SSL private keys with this attack.

Cloudflare wrote:

Here's the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not the same as saying it is impossible to use Heartbleed to get private keys. We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard. And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible."
     http://blog.cloudflare.com/answering-th … heartbleed

     https://www.schneier.com/blog/archives/ … artbl.html

The following was left in the aforementioned article's comments though:

Ryan Ries wrote:

"I've already got about half of their private key, and I've only been at it for ~ 3 hours."

Last edited by TechDud (2014-04-12 06:53:18)