Langattomien lähiverkkojen uusin salausstandardi WPA3 esiteltiin aikoinaan korjauksena kaikkiin niihin puutteisiin, jotka tekivät WPA2-suojaustavasta altin hyökkäyksille. Uuden standardin piti estää salasanojen murtaminen offline-tilassa, torjua valelaitteiden luominen ja suojata langattoman verkon ohjausliikenne, jota hyökkääjät ovat vuosia käyttäneet laitteiden pakottamiseen irti verkosta. Sveitsiläis-saksalaisen yliopiston (SGU) tuore katsaus kuitenkin muistuttaa, että todellisuus on mutkikkaampi. WPA3 on kaukana haavoittumattomasta.

Suurimmat ongelmat liittyvät WPA3:n keskeisiin turvamekanismeihin. Niistä merkittävin on Simultaneous Authentication of Equals eli SAE-kättely, jonka tarkoitus on estää salasanan löytämistä arvioimalla verkon vastauksia ulkopuolella. Tutkijat löysivät kuitenkin jo 2019 Dragonblood-nimisen haavoittuvuuden, jonka avulla kättelyä voi yhä käyttää vihjeiden keräämiseen salasanasta. Ajoituksen analysointi riittää antamaan hyökkääjälle mahdollisuuden murtaa salasana offline-hyökkäyksellä – juuri sellainen, jonka WPA3 lupasi estää.

Myös WPA3:n toinen kulmakivi, Management Frame Protection, osoittautuu käytännössä puutteelliseksi. Standardin tulkinnanvaraiset säännöt tarkoittavat, että osa laitteista hyväksyy edelleen suojaamattomia ohjausviestejä. Lisäksi niin sanotut beacon-kehykset, jotka kertovat verkon asetuksista, ovat kokonaan suojaamatta.

Infosec In Brief Researchers have urged users of the glob file pattern matching library to update their installations, after discovery of a years-old remote code execution flaw in the tool’s CLI.

Glob is used to find files using wildcards, is typically run as a library API, and is an all but universal part of the JavaScript stack. This vulnerability lives in glob’s CLI tool – specifically the tool’s –c flag used to execute commands on matching files.

Spotted by security researchers at automated infosec outfit AISLE, the project’s GitHub page describes the 7.5-rated vuln (CVE-2025-64756) as follows.

A firm considered one of the leading global voices in encryption has cancelled the announcement of its leadership election results after an official lost the encrypted key needed to unlock them.

The International Association for Cryptologic Research (IACR) uses an electronic voting system which needs three members, each with part of an encrypted key, to access the results.

In a statement, the scientific organisation said one of the trustees had lost their key in “an honest but unfortunate human mistake”, making it impossible for them to decrypt – and uncover – the final results.

The IACR said it would rerun the election, adding “new safeguards” to stop similar mistakes happening again.

The Association used an open source electronic voting system called Helios for the process.

The browser-based system uses cryptography to encrypt votes

Three members of the association were chosen as independent trustees to each be given a third of the encrypted material, which when shared together would give the verdict.

Whilst two of the trustees uploaded their share of the encrypted material online, a third never did.

‘Irretrievably’ lost
The IACR said in a statement that the lack of results was due to one of the trustees “irretrievably” losing their private key, leaving it “technically impossible” for the firm to know the final verdict.

American cryptographer Bruce Schneier told the BBC that failures in cryptographic systems often lie in the fact that “to provide any actual security” they have to be “operated by humans”.

“Whether it’s forgetting keys, improperly sharing keys, or making some other mistake,” he said, “cryptographic systems often fail for very human reasons”.

Voting for the IACR positions has been renewed and will run until 20 December.

https://vote.heliosvoting.org/

A sophisticated phishing campaign is currently leveraging a subtle typographical trick to bypass user vigilance, deceiving victims into handing over sensitive login credentials. Attackers utilize the domain “rnicrosoft.com” to impersonate the tech giant.

By replacing the letter ‘m’ with the combination of ‘r’ and ‘n’, fraudsters create a visual doppleganger that is nearly indistinguishable from the legitimate domain at a casual glance.