U
user3
Guest
From a Riseup.net security update. Personal Note: Riseup is an email provider I use, along with RiseupBlack on my Linux desktop. Use Linux (Debian or Arch) and free yourself from “Defective by Design” operating systems.
Wi-Fi Advisory
===================================================
There is a new class of attacks against Wi-Fi networks. Most Wifi
networks these days use a technology called WPA2 to protect the network
from eavesdropping. Researchers found a way to break this.
These attacks allow an adversary within Wi-Fi range to read your network
traffic and potentially to also send your device nefarious traffic,
depending on what device you are using.
Who does this affect?
---------------------------------------------------
Nearly all Wi-Fi devices and operating systems are vulnerable, to
varying degrees. This includes nearly all laptops, mobile phones, and
Wi-Fi connected devices. In particular, most Android and Linux devices
are highly vulnerable.
What is the danger?
---------------------------------------------------
There are many attacks that are made possible with this vulnerability.
For example:
* An attacker could read your login username and password if not
transmitted using HTTPS (encrypted browser connection). Riseup requires
HTTPS on all servers -- but many services do not.
* An attacker could downgrade your secure HTTPS web browser connection
to an insecure HTTP connection, depending on the configuration of the
server (Riseup servers are protected against this).
* If you click on a link to download a file, an attacker could attach a
virus to that file while it was in transit to your device (in some
cases).
What can I do to protect myself?
------------------------------------------------
If you have an Android device, you should disable Wi-Fi and use your
telco's data plan whenever possible. When possible, keep Wi-Fi disabled
until an update becomes available for your device.
You should update your devices as soon as possible. Unfortunately, there
are not fixes yet for most operating systems or Wi-Fi access points.
The use of HTTPS is always a good idea, particularly now. We recommend
that everyone install the browser extension "HTTPS Everywhere" which
will automatically switch your browser to use HTTPS when a website
supports it. The new Wi-Fi attack makes it much easier for an attacker
to try to downgrade your web browsing to use an insecure connection, and
the HTTPS Everywhere extension will prevent this for most popular
websites. See https://www.eff.org/https-everywhere to install this
extension.
The use of a personal VPN is always a good idea, particularly now. A
personal VPN encrypts your traffic to the entire internet, while a
corporate VPN just encrypts your traffic to the corporate network. To
read more about Riseup's VPN service, see https://riseup.net/vpn.
Current update status
------------------------------------------------
Android: There is no fix yet for Android. Devices with Android 6.0 or
later are highly vulnerable.
iOS: No update is available yet.
macOS: No update is available yet.
Windows: Update is available.
Ubuntu and Debian Linux: Security patches are available. Run `sudo apt
update; sudo apt upgrade`.
Red Hat Linux and Fedora: No fix yet released. See
https://access.redhat.com/security/cve/cve-2017-13077 for latest status.
You can keep trying to run `sudo yum update` until you see
wpa_supplicant get updated.
Access points and home routers: check the website of the manufacturer.
More information
-----------------------------------------------
For an updated list of the state of security patches to client operating
systems and AP firmware, see:
https://www.reddit.com/r/KRaCK/comments/76pjf8/krack_megathread_check_back_often_for_updated/
https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/
http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/
For more information on the flaw in WPA2, see:
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
Wi-Fi Advisory
===================================================
There is a new class of attacks against Wi-Fi networks. Most Wifi
networks these days use a technology called WPA2 to protect the network
from eavesdropping. Researchers found a way to break this.
These attacks allow an adversary within Wi-Fi range to read your network
traffic and potentially to also send your device nefarious traffic,
depending on what device you are using.
Who does this affect?
---------------------------------------------------
Nearly all Wi-Fi devices and operating systems are vulnerable, to
varying degrees. This includes nearly all laptops, mobile phones, and
Wi-Fi connected devices. In particular, most Android and Linux devices
are highly vulnerable.
What is the danger?
---------------------------------------------------
There are many attacks that are made possible with this vulnerability.
For example:
* An attacker could read your login username and password if not
transmitted using HTTPS (encrypted browser connection). Riseup requires
HTTPS on all servers -- but many services do not.
* An attacker could downgrade your secure HTTPS web browser connection
to an insecure HTTP connection, depending on the configuration of the
server (Riseup servers are protected against this).
* If you click on a link to download a file, an attacker could attach a
virus to that file while it was in transit to your device (in some
cases).
What can I do to protect myself?
------------------------------------------------
If you have an Android device, you should disable Wi-Fi and use your
telco's data plan whenever possible. When possible, keep Wi-Fi disabled
until an update becomes available for your device.
You should update your devices as soon as possible. Unfortunately, there
are not fixes yet for most operating systems or Wi-Fi access points.
The use of HTTPS is always a good idea, particularly now. We recommend
that everyone install the browser extension "HTTPS Everywhere" which
will automatically switch your browser to use HTTPS when a website
supports it. The new Wi-Fi attack makes it much easier for an attacker
to try to downgrade your web browsing to use an insecure connection, and
the HTTPS Everywhere extension will prevent this for most popular
websites. See https://www.eff.org/https-everywhere to install this
extension.
The use of a personal VPN is always a good idea, particularly now. A
personal VPN encrypts your traffic to the entire internet, while a
corporate VPN just encrypts your traffic to the corporate network. To
read more about Riseup's VPN service, see https://riseup.net/vpn.
Current update status
------------------------------------------------
Android: There is no fix yet for Android. Devices with Android 6.0 or
later are highly vulnerable.
iOS: No update is available yet.
macOS: No update is available yet.
Windows: Update is available.
Ubuntu and Debian Linux: Security patches are available. Run `sudo apt
update; sudo apt upgrade`.
Red Hat Linux and Fedora: No fix yet released. See
https://access.redhat.com/security/cve/cve-2017-13077 for latest status.
You can keep trying to run `sudo yum update` until you see
wpa_supplicant get updated.
Access points and home routers: check the website of the manufacturer.
More information
-----------------------------------------------
For an updated list of the state of security patches to client operating
systems and AP firmware, see:
https://www.reddit.com/r/KRaCK/comments/76pjf8/krack_megathread_check_back_often_for_updated/
https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/
http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/
For more information on the flaw in WPA2, see:
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
Last edited by a moderator:
