Month: October 2017

KRACK: Key Reinstallation Attacks

Mathy Vanhoef and Frank Piessens of KU Leuve have discovered a critical flaw in the way WPA2 encryption for all known WiFi implementations. Some time to caveat on the width of the discovery, the attacker needs physical access to the network, and will only see non-encrypted transmissions. Until the vendors patch their implementations the only interim solution is to treat your home WiFi as you would a public WiFi, using HTTPS and in an ideal world VPN form the individual client.
This overview on Github shows the current state of fixes from the vendors. I somewhat sadly note that the majority of my HW is under the “No Known Official Response” category!

 

Sports Hacking

This is (I suppose) an logical evolution of technology and its use: The Boston Redsox have been caught using Apple Watches to steal New York Yankees pitching calls. For those that don’t follow baseball, the pitcher and the catcher will through hand signals agree on the required pitch. The Red Sox relayed this info to the batting coach, and the batter was informed the most likely pitch to come.
An informed write-up can be found on NY Times. 

When should you stop trusting you vendors?

There has always been an uncomfortable relationship between a customer and their security vendors, in particular with the relationship between the vendor and state agencies. Normally a concern with US vendors, bur lately Kapersky has been accused of  providing Russian Agencies access to their customers. It should be pointed out that the proof provided is not good, but enough for actors like the US Government banning the use of all Kapersky products. An breakdown of the allegation can be found in this analysis from ArsTechnica, summing up  the info from primarily sources behind pay-walls.