teflon19 says:
May 7, 2010 at 10:51 pm
I know UB has had a checkered past with security, but I think I need to call out PTR on this one. Playing at home on a WPA2 secured network is a moderate-low risk? Total rubbish. Forget WPA being compromised, yes it’s possible, but somebody with the knowledge and equipment to do it has bigger fish to fry than some suburban house, those people target large banks and are interested in trade secrets and credit card numbers, not $100 in a poker account.
If someone has access to your home network they either broke your WEP encryption or they infected a comp on your home network with some malware from the internet. The people capable of breaking wireless encryption are few and far between. Yes it’s fairly straightforward, but not many people are willing to spend the time and effort to learn how to do it and get the necessary equipment. So you can write that one off(although you should be using WPA as it’s easier to use as well as being more secure).
If your comp has malware, everything on it is compromised already, web banking, online shopping, they probably already have your credit card details, who cares about your poker account? A keylogger will get your login details and a simple app like vnc will get your holecards in realtime no problem.
If you run a wireless network with no encryption at home then you are foolish, but tbh you would also have to live next to someone with good knowledge of networking theory. ‘Some guy next door’ isn’t going to cut it. This exploit is simple if you know about TCP/IP and wireless packet sniffing and be malicious. Most hackers are just fooling around, not looking to cause trouble, and even then, they are very rare. Having said all that, _all_ wireless networks you control should be running on WPA unless you have a very good reason, a good enough reason to warrant having your identity stolen.
The fact is, many things are vulnerable if your network is compromised. It’s quite easy to fool a user into giving you his login for most websites/forums etc… once you have local network access. Also, it’s a lot easier to then compromise his/her machine with malware, at which point it’s game over as I mentioned above, bypassing the need for a fancy vulnerability like above.
This vulnerability is only a problem for people who feel the need to log into sensitive accounts on open public networks. Would you feel comfortable doing web banking on an airport’s wireless network? The risk is similar to this vulnerability above in that you shouldn’t use/login to important stuff on open networks, it comes down to common sense. If you don’t have common sense, this vulnerability is a problem for you, if you do exercise common sense then you have nothing to worry about.
As for “However a physical network can also be compromised by any network hops between a victims’s PC and the Cereus servers.” it takes the bisciut. Clearly just trying to scare people with little knowledge of computers. Yes this is true, but unless you can walk into a major ISP which happens to carry all of the victims traffic(very unlikely) and jack into their core routers and then run packet filtering software and feel you can get away with it then you have nothing to worry about. The core of the internet is pretty safe from eavesdropping, partly because there is so much traffic so you need expensive hardware to filter packets and partly because you can’t just jack into core routers, they are behind locked doors. Your home network is the point of failure, you can safely assume the internet itself is secure from eavesdropping.
In a nut shell, this exploit poses the same threat as having your identity stolen online. If your home network is compromised, so many other things are already ****ed you won’t care about your UB account. You probably won’t be able to use your computer anyway because it will be riddled with spamming software.
Props on finding this vulnerability, but the scaremongering is fairly unacceptable. It isn’t a major problem, it really only affects a very small minority of cases where people are being stupid and a pretty knowledgeable hacker just happens to be very close by.
Before anyone asks, I’m not affiliated with Cereus. Even if I were, everything I just said is true, look it up yourself. I just know a little about wireless and wired network security and when I see scaremongering of non-technical users.