Date: Tue, 17 Oct 2017 10:27:05 +0200 From: "WhiteWinterWolf (Simon)" <freebsd.lists@whitewinterwolf.com> To: "Ronald F. Guilmette" <rfg@tristatelogic.com>, freebsd-security@freebsd.org Subject: Re: WPA2 bugz - One Man's Quick & Dirty Response Message-ID: <49252eda-3d48-f7bc-95e7-db716db4ed91@whitewinterwolf.com> In-Reply-To: <25911.1508192029@segfault.tristatelogic.com> References: <25911.1508192029@segfault.tristatelogic.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Ronald, I have yet to investigate this WPA2 thing on my side, too much contradictory informations depending on the sources yet. Let me however add my two cents regarding your issue: A network can be divided in several logical layers: the data link layer (here WiFi), the networking layer (here TCP/IP), and the application with the data it manipulates, both in transit and at rest. Ideally, you would use a specific protection for each of these layers, so that an vulnerability affecting one layer would be compensated by other layers. But this "ideal solution" is not always feasible. What you did is secure only the lowest layers and put no security on the higher ones, the security of the complete stack relying on the lowest layer security. This is usually weak and prone to be vulnerable (if it wasn't due to this WPA2 weakness, it would be something else). There are however techniques allowing to secure higher layers without having to trust the lower ones. That's how, for instance, HTTPS work for online payment: neither you nor the bank or merchant trusts the Internet network, but all sensitive operations are done within a secure tunnel created between you and the remote party and isolating you form any threat affecting networks in between. This WPA2 crisis strongly reminds me WEP (even-though I don't know yet if it is really as scary: again different source gives completely different information). But nevertheless at that time it was simply assumed that the Wi-Fi was just to be considered as an untrusted network, the same way as you (should) consider Internet. A sane approach which was usually recommended was as follow: 1) Sensitive accesses must be properly secured. As you cannot trust lower layers, use something like a VPN, which is able to authenticate both the source and destination hosts and create a secure tunnel between them. At the time of the WEP issue, there was a movement to completely drop any kind of WiFi "security" and use plain, open WiFi instead but rely on VPN to authenticate the hosts and provide appropriate access and security. This was maybe an extreme position, but still this shows the idea and remains secure indeed, as long as all your hosts support VPN of course. 2) Non-sensitive accesses *may* use lower security if needed. In particular, I don't think that your Amazon TV supports any kind of VPN tunneling, but also I don't know if it requires write access to your network share or if it uses it only to read non-sensitive media files. A common scenario is to allow read-only access limited to non-sensitive documents over the untrusted WiFi network. Yes, an attacker can take over your network and copy your movies and musics, but is this really problem for you? IT security is always a question of trade-offs depending on your particular situation, but for the "few zillions" you mentioned this is usually not a problem (and actually the attacker will most likely not even care of such files). All sensitive operations should be done using secure channels. The most versatile secure channel is setting-up a custom VPN within your LAN, but there are other alternatives. For instance, to update the content of your shared directories, you can use SFTP instead (the SSH file transfer protocol) instead of a writable share: this is very easy to setup (FileZilla is an easy to use and well-known SFTP client) and the whole communication will be secured by SSH. At last remains Internet access. There are two threats there: 1) An attacker may intercept your connection. He will not be in measure to bypass HTTPS security though, so assertion such a "hacker can now steal your passwords and credit card numbers" as heard this morning in the news is bullshit as long as you ensure that your connection is indeed secure through HTTPS thanks to the little padlock. There are paid VPN services available on the Internet, some of them even proposing smartphone apps. They are commonly and effectively used on public WiFi network which are by definition untrusted, and would be an easy way to secure your Internet access through an untrusted WiFi without having to learn to setup a VPN server yourself. 2) An attacker may use your Internet access for his own purposes. At the peak of the WEP crisis, maps of location of weak WEP Internet access points were shared (for a fee, I guess, everything is a matter of business) on shady forums (typically pedo-pornographic forums) so their users can take advantage of such unsecured networks to access illegal content anonymously. Your WiFi access point firewall may offer the possibility to restrict outgoing connections to only the VPN server. This would effectively restrict Internet access to hosts and devices able to authenticate against the VPN server. Not the ideal solution in case of a public VPN server (where everyone can subscribe), but enough to deter such low-tech attackers who just seek for ready-made available Internet accesses. So, to summarize: - Unsecure shares must be read-only and offer access to only non-sensitive files. - Write accesses and access to sensitive files must be done through secure channels authenticating both the server and the client. SFTP is a common solution, with FileZilla a widely used client. - If an Internet access is needed over the WiFi, public VPN services offer ready-to-use solutions. - Restricting outgoing access to the VPN server will prevent casual attackers from taking advantage of your Internet connection. None of this requires high amount of technical knowledge and allows to provide a good level of security independently of your WiFi security level. I hope these few elements help you to see things a bit clearer and, maybe, give you some useful ideas. Regards, Simon. -- WhiteWinterWolf https://www.whitewinterwolf.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49252eda-3d48-f7bc-95e7-db716db4ed91>