幹壞事是進步最大的原動力
在 Hacker News Daily 上看到的文章,作者遺失了 Kindle,但是確定在家裡 (因為在 router log 上看得到):「Any way to find a lost Kindle inside a house?」。
然後作者發現每天早上五點半到六點半 Kindle 會自己同步,所以塞了一個夠大的 PDF 進去以確保有夠長的時間連在網路上,然後用三台跑 Kali Linux 的筆電定位,完全是一個殺雞用牛刀的概念 XDDD (還是他家真的超大?)
但記得這要在剛遺失的時候就要找,不然等到 Kindle 的電池也沒電就沒救了 XDDD 以原文作者的情況,如果真的是這種 case 說不定到時候會拿金屬探測器掃 XDDD
在「Encoding your WiFi access point password into a QR code」這邊看到的,不過之前在公司頻道裡面也有看到類似的東西...
產生這樣的 QR code 讓使用者掃就可以了:
WIFI:T:WPA;S:<SSID>;P:<PASSWORD>;;
放在家裡也不錯就是了,讓客人來可以直接掃,尤其是密碼超級長的時候...
再 OSnew 上看到「Windows 10 to disallow WEP encryption」這個消息,裡面題到了 Windows 10 打算要幹掉無線網路的 WEP 支援。裡面是引用了「Windows 10 features we’re no longer developing」這則消息,可以看到除了 WEP 以外,還有 TKIP 也打算拔掉:
Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3.
之前去日本的時候還是有不少飯店用 WEP 啊,看起來總算有動力要淘汰了...
在這邊看到的,把整個惡意晶片藏在 USB cable 裡面,讓攻擊者可以透過 Wi-Fi 控制主機的 O.MG Cable:「WiFi Hides Inside a USB Cable」。
是個大家都有想過的情境,不算是特別的技術,困難點在於空間有限 (要藏在接頭裡面),現在有人做出 prototype 了... 在 demo 影片內可以看到可以透過 Wi-Fi 開啟主機本身的 browser 並且連線,不知道是模擬鍵盤還是其他方式做的?
看到「The curious case of the Raspberry Pi in the network closet」這篇有趣的過程,先從開頭與最後面開始看。首先是他們在辦公室裡面發現有個奇怪的設備:
追查後發現不是公司的人放的,最後發現是前員工放的,後來轉給法務部門處理了:
I checked the DNS logs and found the exact date and time when the Pi was first seen in the network. I checked the RADIUS logs to see which employee was at the premises at that time and I saw multiple error messages that a deactivated account tried to connect to wifi.
That deactivated account belongs to an ex employee who (for some reason) made a deal with management that he could still have a key for a few months until he moved all his stuff out of the building (don't ask..).
中間的過程還蠻有趣的,包括研究是什麼擴充卡 (以及用途),然後從 SD card 上面挖資料,配合 Google 找線索,還有透過 WiGLE 定位,以及透過內部系統交叉比對,最後找到兇手...
然後發現是離職員工以搬東西當作理由,讓他在離職後還有辦公室鑰匙而導致的 XDDD
看到用鋁箔紙改善無線網路死角的文章 XDDD:「How I amplified my home's Wi-Fi with aluminum foil.」。完成品長這個樣子:
然後從下面的第一張變第二張 XDDD:
然後這幾天他又把鋁箔紙變大,但是好像沒有更好 XDDD
I didn't see any difference in terms of coverage, it's still the same.
是個家裡太大的煩惱 XDDD
在「Randomize your WiFi MAC address on Ubuntu 16.04」這邊看到作者在介紹如何在 Ubuntu 上藉由改變無線網卡的 MAC address 保護自己的隱私:
Your device’s MAC address can be used to track you across the WiFi networks you connect to. That data can be shared and sold, and often identifies you as an individual. It’s possible to limit this tracking by using pseudo-random MAC addresses.
成果像是這樣:
主要應該是給 Ubuntu 的筆電使用者用...
話說 WPA2 也撐了十三年了:
WPA2 became available in 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard.
這次的漏洞可以參考「Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping」這邊。
PoC 稱作 KRACK (Key Reinstallation Attacks),漏洞將會在十一月正式發表,從會議的標題名稱大概可以知道方向,是對 Nonce 下手:「Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2」。另外站台 www.krackattacks.com 已經放好,等後續的發表更新了。
對於無線網路的各種漏洞,老方法還是目前最有效的方法,也是這次的 workaround 之一:上強度足夠的 VPN。
Update:補上論文「Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2」。
這次 iOS 11 的無線網路與藍芽需要到 Settings (設定) 裡面才能有效關掉的設計,讓 EFF 不爽寫了一篇文章:「iOS 11’s Misleading “Off-ish” Setting for Bluetooth and Wi-Fi is Bad for User Security」。
On an iPhone, users might instinctively swipe up to open Control Center and toggle Wi-Fi and Bluetooth off from the quick settings. Each icon switches from blue to gray, leading a user to reasonably believe they have been turned off—in other words, fully disabled. In iOS 10, that was true. However, in iOS 11, the same setting change no longer actually turns Wi-Fi or Bluetooth “off.”
不過藍芽的洞真的不少,儘量避免吧... +_+
算是為什麼企業要提供 Full Routing VPN 的一個攻擊管道的說明...
這篇介紹了在飯店裡透過 WiFi 攻擊企業的高階主管,想辦法塞木馬取得資訊,或是滲透進企業內部的網路:「Hackers are using hotel Wi-Fi to spy on guests, steal data」。
Those behind the campaign have continually evolved their tactics and malware payloads, blending phishing and social engineering with a complex Trojan, in order to conduct espionage on corporate research and development personnel, CEOs, and other high-ranking corporate officials.
有點介於 APT 與一般性的攻擊中間...