Security as we knew it no longer exists. What does it mean and what can I do?

Hacked WPA2, what does it mean and what can I do?

This morning your security had a heart attack, and you are not quite sure why all the IT people went into panic mode. At least at Eficode, it started with a tweet [1] that promised huge news about a protocol-level issue in WPA2. What does this mean? In short, it means that almost every device in the world with Wi-Fi is now hacked. So when you set your phone to Wi-Fi hotspot mode, or connect to Wi-Fi without certain configurations, all the traffic is accessible to a malicious hacker.

 

General things to help prevent attacks from happening:

- Update devices to the latest firmware possible

- Always change default settings (passwords, Wi-Fi security levels, e.g. WPA -> WPA2)

- Do not expose device management interfaces to public networks

- Subscribe to Viestintävirasto's security alerts to stay informed about the latest threats

- If possible, try to limit the transmit power of WLAN devices

- Always use HTTPS when usernames or passwords are sent

- Lastly, don’t use Wi-Fi if possible...

What do advanced users do? [2]

- Add VPN to your Wi-Fi

- Add RADIUS auth to your Wi-Fi

- Limit access to your network the best you can

- Offer alternatives to Wi-Fi when possible.

As the owner of a website/web service, can I protect my customer data somehow, and does this affect me?

This is a Wi-Fi level security flaw, so it does not directly concern, for example, cloud services. However, if your service does not offer secure connections to its users, such as HTTPS, SSH or comparable, you can increase security by adding them to your system, which also mitigates damage from this kind of attack.

How does the hack work?

Basically, you just hack the encryption key on the fly [3], which causes the system to default to a certain key that allows you to read all traffic traveling in the system. You can read a detailed description in the links below. [4]

Can this be fixed?

Yes, vendors can fix this with a backwards-compatible firmware upgrade. Hence, update your devices as soon as security upgrades are available for them. [3]

My thoughts:

Friday the 13th strikes again, and it’s Monday. I will now go purchase a better Wi-Fi box or cable for my house with RJ-45 and CAT-6 to enforce security.

 

Hack number 2, your PKI hierarchy might be in danger

As our editor wasn’t faster than the internet, here’s how RSA was hacked today.

What

“Only the knowledge of a public key is necessary and no physical access to the vulnerable device is required. The vulnerability does NOT depend on a weak or a faulty random number generator - all RSA keys generated by a vulnerable chip are impacted. The attack was practically verified for several randomly selected 1024-bit RSA keys and for several selected 2048-bit keys.”[5]

This means a lot of secure systems are now broken instead of secure. Plenty of security systems, such as security tokens, were affected by this, and Google and Microsoft, for example, have issued fixes to their systems.

How to protect yourself?

  • Check your keys for vulnerability
  • Install security updates to all machines
  • Change the keys you are not sure of
  • Install upgrades to your machine

So what does this mean?

A lot of PKI infrastructure has been hacked to pieces. For example, some social security systems are vulnerable to this, and so are a lot of other systems, such as SSH if you have a vulnerable key.

Who does it affect?

This affects SSH users and everyone who uses SSH.

How long until we are hacked to pieces?

The time complexity and cost for the selected key lengths (Intel E5-2650 v3@3GHz Q2/2014):

  512-bit RSA keys – 2 CPU hours (the cost of $0.06);

  1024-bit RSA keys – 97 CPU days (the cost of $40-$80);

  2048-bit RSA keys – 140.8 CPU years (the cost of $20,000 - $40,000).

Can I check my keys?

There’s a website for checking keys if you feel it is necessary to check them.[6]
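
If you would rather check an SSH key locally than paste it into a website, the sketch below shows one way to do it. It is an added example, not code from the original post or from the researchers. It assumes the key structure described in the paper [5], which this post does not spell out: every vulnerable prime equals k*M + (65537^a mod M), with M the product of the primes up to 167. The function names are hypothetical and the sample values are constructed. A match is a strong indicator that a key should be replaced, not a proof.

```python
import base64
import struct

GENERATOR = 65537
# Odd primes up to 167. Assumption (from the paper in [5], not from this post):
# each vulnerable prime equals k*M + (65537^a mod M), with M = 2*3*5*...*167.
SMALL_PRIMES = [p for p in range(3, 168, 2)
                if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]

def subgroup(g, p):
    """Return every power of g modulo the prime p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * g % p
    return seen

# For each small prime, the residues a structured modulus can take.
FINGERPRINT = {p: subgroup(GENERATOR % p, p) for p in SMALL_PRIMES}

def has_roca_fingerprint(n):
    """True if n is a power of 65537 modulo every small prime (likely vulnerable)."""
    return all(n % p in residues for p, residues in FINGERPRINT.items())

def modulus_from_ssh_rsa(line):
    """Extract the modulus from an OpenSSH 'ssh-rsa AAAA... comment' line."""
    blob = base64.b64decode(line.split()[1])
    fields = []
    while blob:
        (length,) = struct.unpack(">I", blob[:4])
        fields.append(blob[4:4 + length])
        blob = blob[4 + length:]
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return int.from_bytes(fields[2], "big")  # fields are: key type, e, n

def constructed_structured_modulus(a, b, k1, k2):
    """Constructed sample with the assumed structure; factors need not be prime."""
    m = 2
    for p in SMALL_PRIMES:
        m *= p
    return (k1 * m + pow(GENERATOR, a, m)) * (k2 * m + pow(GENERATOR, b, m))

if __name__ == "__main__":
    # Constructed inputs: one structured modulus, one product of two Mersenne primes.
    print(has_roca_fingerprint(constructed_structured_modulus(5, 9, 12345, 67890)))
    print(has_roca_fingerprint((2 ** 521 - 1) * (2 ** 607 - 1)))
```

To check a real key, pass the single line from an `.pub` file to `modulus_from_ssh_rsa` and the result to `has_roca_fingerprint`.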

My thoughts?

This is becoming a really fun Monday.

And yes, we know it affects other stuff like PGP, 2FA and CI if the keys have been generated using RSA; SSH is just an easy example.

 

Sources:

[1] https://twitter.com/kennwhite

[2] https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

[3] https://www.krackattacks.com/

[4] https://papers.mathyvanhoef.com/ccs2017.pdf

[5] https://crocs.fi.muni.cz/public/papers/rsa_ccs17

[6] https://keychest.net/roca


Published: Oct 16, 2017

Updated: Mar 26, 2024
