So Wifi Isn’t Secure – What Now?

Researchers have found a fundamental flaw in the security mechanisms of WiFi. The KRACK vulnerability—nuts and bolts described here—allows malicious actors to access a WiFi network without the password or key, observe what connected devices are doing, modify the traffic amongst them, and tamper with the responses the network’s users receive. Everyone and anything using WiFi is at risk. Computers, phones, tablets, gadgets, things. All of it. This isn’t just a flaw in the way vendors have implemented WiFi. No. It’s a bug in the specification itself.

But don’t panic. There’s no need to burn your WiFi router or wrap your devices in tinfoil because KRACK can’t break HTTPS. The weaknesses that make a WiFi network vulnerable are made irrelevant when communications over the Hypertext Transfer Protocol are encrypted by Transport Layer Security, which, right now, means that you can safely access about 50% of the world’s websites. Even on a compromised network.

However, the Internet isn’t exclusively web browsing, and there’s a lot of activity that HTTPS can’t protect. For example, HTTPS can’t protect the infrastructure that keeps the Internet alive and accessible to people around the world. Things like time syncing, domain name resolution, routing, and network management. It also can’t shield activities like file sharing, email, remote login and remote control. Linux installations using wpa_supplicant 2.3 – 2.6 and Android devices using a variant of it (Android 6.x—roughly ⅓ of all Android installations) are especially vulnerable. Their reaction to it is even worse than most.
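As an added example (not from the original post), a small POSIX shell check that reads the installed wpa_supplicant version and flags one in the 2.3 to 2.6 range named above; the parsing of `wpa_supplicant -v` output is my assumption, and the script deliberately treats a hit as "verify your package" because distributions backport fixes without changing the version number.

```shell
#!/bin/sh
# Added example: flag a wpa_supplicant version in the 2.3 - 2.6 range the
# post names as especially affected. Distributions backport the KRACK fixes
# without bumping the version, so a hit means "check your package changelog",
# not "definitely vulnerable".

# Returns 0 (true) if the version string is in [2.3, 2.6], else 1.
# Accepts "2.6", "v2.6" and "2.4.1"; anything non-numeric returns 1.
wpa_version_in_affected_range() {
    ver="${1#v}"                              # tolerate a leading "v"
    case "$ver" in *.*) ;; *) ver="$ver.0" ;; esac   # bare "2" -> "2.0"
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    case "$major$minor" in
        *[!0-9]*|"") return 1 ;;              # not a dotted numeric version
    esac
    [ "$major" -eq 2 ] && [ "$minor" -ge 3 ] && [ "$minor" -le 6 ]
}

# Extract the version from the first line of "wpa_supplicant -v" output
# (assumed format: "wpa_supplicant v2.6"); "unknown" when the tool is absent.
installed_wpa_version() {
    command -v wpa_supplicant >/dev/null 2>&1 || { echo unknown; return; }
    wpa_supplicant -v 2>/dev/null | sed -n '1s/^wpa_supplicant v\([0-9.]*\).*/\1/p'
}

report_wpa_status() {
    v="$(installed_wpa_version)"
    if [ "$v" = unknown ] || [ -z "$v" ]; then
        echo "wpa_supplicant not found on PATH (or version not parsed)"
    elif wpa_version_in_affected_range "$v"; then
        echo "wpa_supplicant $v is in the 2.3-2.6 range: confirm your package carries the KRACK patches"
    else
        echo "wpa_supplicant $v is outside the 2.3-2.6 range"
    fi
}

report_wpa_status
```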

And keep in mind that this is not an attack that can be executed remotely. Attackers need to be within range of your network. So in densely populated areas, you may not be personally targeted, but you could be caught out by someone sifting through the neighborhood traffic. And WiFi services offered at work, at the gym, at your favourite cafe, at the airport? All potentially compromised.

Best Case Scenario

Keep going on like you’ve been going on. Nothing changes. No one bothers to attack your home network, and no one bothers to attack the sweet, sweet honeypots that are large public WiFi networks.

Worst Case Scenario

Many individuals and many organizations treat their router and WiFi network as a security perimeter. “The hostile world is outside. The warm, friendly, safe world is here, on our side of the fence.” The result is relaxed security inside the fence—printers anyone can talk to, media players with no passwords, open file sharing. Not to mention all the insecure IoT devices that may be on their network.

For an individual, the worst case scenario is that intruders get inside your own personal security perimeter, where they can access personal information, print jobs, email, and media, and capture passwords. An intruder might be able to plant malware in insecure IoT devices. They may be able to leverage vulnerabilities in your device’s software and plant malware directly onto your computers or phones or tablets. And this malware may include keyloggers and other software that can circumvent HTTPS and read and corrupt your files.

The fun doesn’t stop there: IoT malware can turn your personal worst case scenario into a global nightmare. Infected devices and computers on your network can be turned against fragile parts of the Internet infrastructure, forcibly recruited in the attempt to bring down the domain name system, routers, time servers, or other vital parts of the Internet, just as the Mirai Botnet did.

“So WTF Do I Do?”

Update your software. ASAP.

Update every single computer, phone, tablet and device on your network. Any devices running older software will remain vulnerable when connected to a WiFi network—whether it’s your own network or someone else’s. Yes, this is a bug in the specification, but there are ways to mitigate it via software, and major vendors are already releasing fixes:

  • Microsoft already addressed the problem in a Windows Update issued on October 10, 2017.
  • Apple already has a fix in their beta versions of iOS 11.1, watchOS, tvOS and macOS 10.13.1, but has not announced a release date for the final versions.
  • Google will release an Android update fixing the problem on November 6, 2017. People with Google-branded Android phones—Nexus and Pixel phones—should see this fix right away. Other Android device owners are at the mercy of their phone’s manufacturer and cellular provider and may never see the fix.
  • Many Wifi access point vendors have already issued updates. You should install these promptly. However, updating your access point will not protect other devices on your network.

Security Is An Onion

Because enhanced security is often at odds with usability, we tend to treat what’s on our side of the firewall in a relaxed way. We let our hair down and refuse to let security concerns prevent ease of use. Of course, this approach undoes us if an attacker gets past the security perimeter.

Do you have a safe or lockbox in your home, even though you lock your door? We often use multiple layers of security as backups in case a layer fails or is compromised. In the online world, each element—whether it’s network infrastructure, a web connection, an email, a login—should have its own protections, independent of anything else. That way, when one or more layers of the security onion fail, you still have other layers to protect you.

But don’t be fooled into thinking that security is all or nothing. Sure, it’s easy to feel overwhelmed with all the bad security news. It feels like every few weeks some fatal bug is found and now everything is insecure. Some people feel that, because they don’t have perfect security, they should just give up. If there’s one vulnerability then they’re screwed—even some technically astute people who should know better take this attitude.

In reality, all attacks aren’t equally likely. Some attacks cost a lot or are very difficult to carry out. Other attacks are very easy or very cheap. Some attacks can only be carried out with personal information about their target; others are effective on large groups of anonymous targets. Some attacks are happening around you constantly, invisibly—you’re immune because they can’t reach you or you’re not running vulnerable software.

Think about how secure you are on a spectrum, rather than using the false dichotomy of “secure” or “insecure”. You can lose a few layers of your security onion and still be unlikely to be successfully attacked. That is, if you actually use the security that’s available to you.

Security Only Works When You Use It

The computers, devices, apps and online services that you use all have a variety of built-in security mechanisms. Use them.

  1. Update your computers, phones and tablets—all the time, not just for this incident. I understand that this can be risky and painful. I find many people who are several versions behind on their software updates. And sometimes updating your software to fix a security issue may bring big changes you didn’t want (I’m looking at you here, Apple—leaving people no choice but to update to the latest major version of iOS and never patching older major versions forces many people to choose to forgo updates). But. Keeping your software up to date is one of the most effective ways to protect yourself. That Windows fix that Microsoft did a great job getting out there isn’t going to help you if you don’t install it.
  2. Use HTTPS whenever possible. Use the browser extension HTTPS Everywhere. HTTPS will protect your web browsing from eavesdropping and manipulation.
  3. Use multi-factor authentication on every account that you can. A physical token or an app is better than an SMS/text message second factor, but SMS is still better than no second factor.
  4. Use a VPN when you’re on a public network. While VPNs are by no means a perfect security mechanism—they trade off concerns about privacy with your ISP for concerns about privacy with your VPN provider—they will protect your traffic from snooping on a public network. So while they will not give you perfect privacy—and after all, there is no perfect security—they will up the difficulty, and thus reduce the likelihood, of someone eavesdropping on you.
  5. Update your devices. If you have IoT devices on your network—smart lights, thermostats, garage door openers, ceiling fans, unfortunate refrigerators with sad tablets embedded in them… whatever they may be—make sure their firmware is updated. Some devices are smart enough to silently update themselves. Unfortunately, many devices give you no notification that they have an update available. The only way to find out may be to open the device’s app and check for an update. Do that until you get one. If you don’t see updates available promptly, contact the device’s vendor and demand to know when they’ll fix this vulnerability.

What The Future Holds

KRACK isn’t an attack that script kiddies using attack packages off Github would come up with, though it’s possible to package KRACK up so that they could use it. It’s actually very sophisticated. As its author points out, the part of the WiFi protocol specification that it attacks has been proven correct—KRACK succeeds because it attacks assumptions the protocol makes.

While we’re still seeing plenty of simple attacks—devices shipped with default logins that never get changed, simple buffer overflows, weak protocols, incorrect SSL/TLS implementations—we’re also seeing new, sophisticated attacks which take advantage of deep technical implementation and design details. These are attacks based on the timing of electrical signals in chips, on overflow vulnerabilities in WiFi chipsets rather than in software running on a CPU, and on timing attacks against crypto protocols.

These classes of vulnerabilities have been under an umbrella that gave us some protection because they required deep technical knowledge to discover and exploit. There are relatively few people out there who are competent enough to guess at vulnerabilities in chipsets, and there are much easier ways to break into a system. But we’ll be seeing more of this type of vulnerability in the future. The shadowy underpinnings of the technology we depend on are ripe for exploitation: they’ve had the chance to be examined by very few eyes at this point.

Often specifications are behind an expensive paywall—some can cost thousands of dollars to get access to. Few people will have had a chance to examine, comment and contribute to them. On the other hand, open specifications—like those IP layer and higher Internet technologies are built upon—have benefited from an open process where many minds have been able to analyze and contribute to them.

So, I expect to see more major vulnerabilities in WiFi chipsets, and especially Bluetooth, Zigbee and Z-Wave as more people start to crack them open and see how they work. As attackers peer deeper into the technology stack that the networked world is built on they’ll find more sophisticated, exotic and difficult to remedy vulnerabilities that have until then stayed hidden in shadow.

In the meantime, you can help yourself by taking security seriously: apply updates and use the security mechanisms you have available to you. Avoid single points of failure and armor yourself in as many layers of security as you can.

Equifax’ Massive Data Leak and You

If you haven’t been busy this week choking on smoke and running from forest fires in the western US, recovering from flooding in Texas, preparing for one of the strongest Atlantic hurricanes ever in Florida and the Caribbean, or simply fighting the good fight, you might have heard about the Equifax data leak – Equifax, a consumer credit reporting company, admitted that their database was breached and that information on roughly 143 million US citizens (and some in the UK and Europe) was exposed.

Equifax collects data about you and sells it to third parties. They’re an integral part of the credit infrastructure both in the US and worldwide. When you apply for a student or car loan, a mortgage or rent an apartment, car or even just tools, the organization you’re applying to will very likely check you out via Equifax. They’re one of the companies that calculates the “credit score” that determines how much will be extended to you. They collect and store the information that’s used to determine that you are you, and to decide whether to extend credit to you. And they just leaked the data they had on more than half the adults in the US.

While it’s possible that your business may be Equifax’ customer, you as an individual are not – you’re their asset. You may occasionally wrestle with them to try to correct information about you that they use to advise the business world on whether to extend credit to you, but you have no say and no control over what they know about you.

And now there’s a very good chance that they’ve leaked what they know about you – social security number, address, phone number, possibly credit card or bank account information – to thieves who’ll sell it to the highest, or possibly, any bidder. They’ve taken five weeks to let us all know about this, and they’ve set up a half-assed, insecure site to collect more information from you before they’ll let you know whether they did leak information about you (assuming they even know).

Ars Technica has two fine writeups about the situation:

https://arstechnica.com/information-technology/2017/09/equifax-website-hack-exposes-data-for-143-million-us-consumers/

https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/

How do you protect yourself, especially given that you cannot prevent Equifax from collecting information about you, and even if you did, you would then be unable to use credit?

First, some of this information has been out in the wild before. There’s a good chance your address and even your social security number has already been compromised.

For each credit card, bank or investment account that you use, be sure to enable any extra security that they offer – second factor will help a lot, especially if it uses an app rather than SMS (text messages), though second factor SMS is better than no second factor.

Update your personal security questions to use strong passwords (like “bzkev8Yq4zcHC%8jTz”) as answers rather than real answers (like “pizza”, which is easily guessable).

If you’ve been thinking about closing an account or switching banks, now might be a great time to do that.

Keep an eye on your charges.

And keep an eye on your credit score. The information that’s been stolen not only enables crackers to get into your existing accounts, it enables them to open new accounts in your name.

Consider signing up for a credit protection service. Equifax’ crappy web site will offer you a year of free service. It’s likely this is better than not having a year of service.

The impact of this breach may go on for years – the best way to protect yourself is to stay vigilant and monitor all your financial information regularly.

Wired has more suggestions as well.

Machine Learning Baby Photos

I’m lucky. I was here a long time before Instagram, so all the photos of me as a child have vanished into time. Or been lost in someone’s attic. Today, however, there are plenty of babies whose histories are slavishly recorded online by their parents, and I often wonder how these kids, when they become teenagers and adults, are going to feel about this indelible photographic history, which includes a high proportion of diaper pooping.

That’s one thing I love about the computer industry; its technology is still in its infancy, the baby photo stage. Okay, maybe it’s toddling. But the point is that while hardware and software have both evolved incredibly over the decades I’ve been in the industry, there’s still so much potential for growth in both areas.


Protect Your Domain Registrations and Privacy

When you register a domain name, you may expose personal information about yourself: your address, phone number and email address. Let’s take a look at domain name registration and privacy.

I was a domain name hoarder: uvjobs.com… uvfood.com… uvweather.com… thermonster.com… pdxlead.org… wattsense.com… shouldisellitnow.com… buyr.biz… trackr.biz… recovr.org… wstlk.us… wowstalker.com… 23meals.com… stuffthatshouldnthavesugarinit.com… unwishlist.com… thingsijustlearned.com… These are just a few from the collection.

Whenever I bought domains like this I also picked up all the .org and .net versions. Because while you think that the .org/.net forms of your domain names don’t matter, they do. If, for example, you’re a presidential candidate, it might be embarrassing for someone who’s opposed to your policies to get ahold of them. And it’s definitely embarrassing to let the .com version of your domain slip through your fingers, especially if it ends up in the hands of Donald Trump and he redirects all your traffic to his site.


How I Learned To Stop Worrying And Love Apple Pay

You get a call from an unknown number. You ignore it. But they call again, and again, and again, and sometimes they leave you a silent voicemail. Spooked, you google the phone number. There are several reports saying the callers are credit card scammers, but there are also comments saying that the callers really are your credit card company.

Unsure, you decide to check your credit card statement online. You see strange charges: a subscription to a Latvian gaming site, a deluxe membership on a porn site, five subscriptions to Christian Mingle. And if you’re really unlucky, a motorhome.

If you actually use your credit card, a variant of the above scenario has likely happened to you. Possibly several times. It occurs because a business you used the card with didn’t protect their data and got broken into, and in the process, your personal details and card information were stolen.
