XPost: alt.security, alt.survival
https://techxplore.com/news/2024-08-scientists-vulnerabilities-popular-protocol.html
A widely used security protocol that dates back to the days
of dial-up internet has vulnerabilities that could expose
large numbers of networked devices to an attack and allow
an attacker to gain control of traffic on an organization's
network.
A research team led by University of California San Diego
computer scientists investigated the Remote Authentication
Dial-In User Service (RADIUS) protocol and found a vulnerability
they call Blast-RADIUS that has been present for decades.
RADIUS, designed in 1991, allows networked devices such as
routers, switches or mobile roaming gear to use a remote
server to validate login or other credentials.
The root of this vulnerability stems from the fact that RADIUS
was developed before proper cryptographic protocol design
was well understood, the authors say. It uses an authentication
check based on an ad hoc and insecure construction based on
the MD5 hash function, which has been known to be broken
for two decades.
However, the RADIUS protocol was not updated when MD5 was
broken in 2004, the authors note. Before their work, the
maintainers of the protocol standards defining RADIUS
thought that the MD5-based construction used in RADIUS
was still secure.
. . .
HOW many orgs/banks/etc STILL use this ???
Apparently quite a LOT - or we'd have not seen
this article ....
Anything these days needs to be triple-tough.
Russia/China/NK state-funded perps spend LOTS
of time looking for weaknesses and backdoors.
Huge damage can be done in a VERY short period.
We LIKE to think our online-whatever apps are
reasonably secure. Really, NOT true.
Whatever protocols/tricks, they are always one
step behind the little hacks. 'Security' is
mostly REACTIVE, not proactive.
The reasons are partially based in willful
ignorance - but mostly in ECONOMICS. Changing
things, esp in Big Institutions, is just plain
hyper-EXPENSIVE and prone to BIG EXPENSIVE
PROBLEMS in the transition period.
So, 'security' is gonna ALWAYS be Behind The
Curve. NOT good. NOT Real. Just corporate/govt
BULLSHIT designed to dupe the masses.
Sorry folks, but we're essentially ALREADY in
an all-out Cyber-War with hostile govts. This
can do HUGE damage across a WIDE spectrum, all
at the push of a North Korean button.
Russia/China WILL use NK ... 'plausible
deniability' and nobody can DO much with NK ...
Fixes ? Yes, they exist - but, again, the $$$
and Customer Confidence issues .......
So ... we're gonna get SCREWED, BADLY, OVER
AND OVER AND OVER until all 'confidence'
totally crashes and we're back to the dark
ages.
How many piglets for how many turnips ?
No, I'm not trying to be funny.
At the very least, does your bank/broker/etc
actually KNOW YOUR FACE ? RECOGNIZE you and
the kinds of biz you do ??? Know your voice,
your history, yer relatives and such ??? For
anybody past the Boomers the answer becomes
increasingly "NO !". A wire-transfer from an
NK address with some Arab-accent 'conf' ...
FINE With Them - they really don't/can't
know better ............
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
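The MD5 construction the quoted article calls ad hoc is the RFC 2865 Response Authenticator: MD5 over the response bytes with the shared secret appended at the end. What follows is an added example, not code from the original post or from the Blast-RADIUS researchers. It builds that check and its client-side verifier, and sets beside it the RFC 2869 Message-Authenticator, an HMAC-MD5 keyed with the same secret. The shared secret, identifier, user name and the `require_message_authenticator` flag are constructed for illustration and are not taken from any real deployment.

```python
"""RADIUS authenticators: RFC 2865 Response Authenticator (unkeyed MD5 over
packet || secret) beside RFC 2869 Message-Authenticator (HMAC-MD5 keyed with
the secret).  Added example; secret, identifier and attribute values are
constructed sample data, not captured traffic."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20                  # Code(1) Identifier(1) Length(2) Authenticator(16)
ATTR_USER_NAME = 1               # RFC 2865 section 5.1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)


def build_packet(code, ident, authenticator, attrs):
    """Header plus attributes; the Length field covers the whole packet."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH16s", code, ident, HEADER_LEN + len(body), authenticator) + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    The secret is only appended; every byte before it is visible on the wire,
    so an MD5 collision on that prefix survives the common secret suffix."""
    unsigned = build_packet(code, ident, request_auth, attrs)
    return hashlib.md5(unsigned + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: Access-Accept/Reject with its Response Authenticator filled in."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return build_packet(code, ident, auth, attrs)


def verify_response(packet, request_auth, secret):
    """Client side: recompute the Response Authenticator.  Returns (ok, code)."""
    if len(packet) < HEADER_LEN:
        return False, None
    code, _ident, length, auth = struct.unpack("!BBH16s", packet[:HEADER_LEN])
    if length != len(packet):
        return False, None
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(auth, expected), code


def build_request(ident, request_auth, attrs, secret):
    """Access-Request carrying a Message-Authenticator (RFC 2869 section 5.14):
    HMAC-MD5 keyed with the secret over the packet with the attribute value
    zeroed; the digest is then written back in place (attribute is last here)."""
    placeholder = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    packet = build_packet(ACCESS_REQUEST, ident, request_auth, placeholder)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def iter_attrs(packet):
    """Yield (offset, type, value) for each TLV after the header; reject malformed lengths."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_request(packet, secret, require_message_authenticator=True):
    """Server side.  The Request Authenticator of an Access-Request is just random
    bytes, so without Message-Authenticator nothing in the packet is keyed.  The
    flag (a hypothetical name for this example) decides whether such a packet
    is accepted at all."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    for pos, attr_type, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            return hmac.compare_digest(value, hmac.new(secret, zeroed, hashlib.md5).digest())
    return not require_message_authenticator


if __name__ == "__main__":
    secret = b"example-shared-secret"      # constructed sample secret
    req_auth = bytes(range(16))            # stands in for 16 random bytes
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, [(ATTR_USER_NAME, b"alice")], secret)
    print("accept verifies:", verify_response(accept, req_auth, secret))
    print("code flipped to reject:", verify_response(bytes([ACCESS_REJECT]) + accept[1:], req_auth, secret))
    request = build_request(7, req_auth, [(ATTR_USER_NAME, b"alice")], secret)
    print("request with Message-Authenticator:", verify_request(request, secret))
```

The point the example makes is structural. The Response Authenticator is hash(public bytes || secret): a chosen-prefix collision between two responses, found on the attacker-visible bytes alone, still holds after the same secret is appended, so the client's check cannot tell the two apart. The Message-Authenticator keys the hash with the secret instead, and a server that refuses Access-Request packets lacking it is no longer relying on the unkeyed check; the corresponding setting in your own RADIUS server is the practical thing to go and look at.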