Security

KRACK WPA2 Wi-fi Exploit

You may well have heard of the security weakness that was discovered in the WPA2 handshake used by virtually all Wi-Fi networks and devices, commonly referred to as the 'KRACK' (Key Reinstallation Attack) exploit.

It affects Wi-Fi access points and every device that connects to them, including laptops, desktops, smartphones, tablets, etc. Two points worth knowing: an attacker has to be within radio range of the network to use it, and the most serious variants target the client side of the handshake, so patching workstations and phones matters as much as patching the access points.

Information about the exploit can be found here (this is a technical document): https://en.wikipedia.org/wiki/KRACK

That document stresses that the weakness is in WPA2's key management (the 4-way handshake that installs the session key, which is part of the protocol itself rather than any one vendor's bug), not in the ciphers used to encrypt data on a Wi-Fi connection, or in the products that use Wi-Fi for data transmission. That is why the fix is a patch to clients and access points rather than a replacement for WPA2.

For clients of FlightPath IT, we want to assure you that we have taken steps to apply a security upgrade to the Wi-Fi networking hardware that we manage at your organization, to protect your Wi-Fi communications from this exploit. We are also working to ensure that any workstations or other devices that we manage for your organization are updated with security patches from the vendor of the operating system (Windows, Mac OS X, etc.).

To date, there are no reports of this weakness being exploited in the wild, but we are working proactively to close it in your organization before anyone does.

Also, please be aware that if you are using a VPN connection over your Wi-Fi network, the data traveling through that tunnel would not be exposed by this exploit, since the VPN client encrypts it separately before it reaches the Wi-Fi layer. The caveat is that only traffic inside the tunnel is protected: anything sent before the VPN connects, or that your VPN is configured to route outside the tunnel (split tunneling), is still exposed.

If you have questions or concerns about this, please reach out to us and we will be happy to discuss in detail the steps we have taken to secure your infrastructure.

CCleaner Compromised

Several publications are reporting that the Windows cleanup utility CCleaner was compromised: a trojanized build was distributed through the vendor's own download channel for over a month to some 2.3 million computers. Our company has never deployed or used this tool, nor advocated its use. It was originally designed as a way to free up space on hard drives and evolved into a pseudo-privacy tool. I personally used it once in college and it removed some things that I needed, so it left a bit of a distaste in my mouth, and I haven't given it a second look.

Anyway, if you use CCleaner, make sure you are now on the current version, released on or after September 12th (the affected build was CCleaner 5.33.6162, and the fixed release is 5.34). Once you are up to date with the latest version, I recommend uninstalling it; you don't really need it.
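If you manage more than a handful of machines, the check is easier to run against a software inventory export than by hand. The script below is an added example, not from the original post: it flags hosts still running the compromised CCleaner build or any build older than the fixed 5.34 release. The inventory lines are constructed for the example; the version numbers 5.33.6162 and 5.34 come from the vendor's disclosure.

```python
import csv
import io
from typing import Dict, Tuple

# Build the vendor identified as trojanized (the malicious code was in the 32-bit
# CCleaner.exe of this release) and the first clean release.
COMPROMISED_BUILD = (5, 33, 6162)
FIXED_BUILD = (5, 34)

# Constructed inventory export (host,product,version); not real hosts.
INVENTORY = """host,product,version
ws-01,CCleaner,5.33.6162
ws-02,CCleaner,5.32.6129
ws-03,CCleaner,5.34.6207
ws-04,7-Zip,16.04
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.33.6162' -> (5, 33, 6162); ignores any trailing tag like '(64-bit)'."""
    return tuple(int(part) for part in text.split()[0].split("."))


def classify(version: str) -> str:
    """Return COMPROMISED, OUTDATED or OK for a CCleaner version string."""
    v = parse_version(version)
    if v == COMPROMISED_BUILD:
        return "COMPROMISED"
    # Tuple comparison: (5, 33, x) < (5, 34) but (5, 34, x) >= (5, 34).
    if v < FIXED_BUILD:
        return "OUTDATED"
    return "OK"


def audit(inventory_text: str) -> Dict[str, str]:
    """Map each host that has CCleaner installed to its classification."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_text)):
        if row["product"] != "CCleaner":
            continue
        findings[row["host"]] = classify(row["version"])
    return findings


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Anything marked COMPROMISED should be treated as a potentially backdoored host, not just an outdated install: reimage or investigate it rather than simply upgrading in place.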

Equifax

US credit reporting bureau Equifax has released details of a massive breach that exposed Social Security numbers and other sensitive credit details for 143 million Americans. This is ludicrous: one of the most important services this company should provide is protecting data, especially since most people don't even realize their creditworthiness and personal information are being tracked by this company.

Especially reprehensible is that the breach went on for over two months and was discovered and stopped more than a month ago, but only became public today. In the meantime, three top executives sold off stock in the company.

You can see if you are a victim of the breach by visiting here, though you have to endure a dubious, lengthy enrollment program.

Replacing Passwords

I recently read this article from Bloomberg concerning the progress of technology that could help replace passwords for security access. Passwords have lots of problems, the foremost of which is that the average person isn't aware how vulnerable they are to password guessing or cracking.

The article discusses presence detection, voice recognition, facial recognition and other biometric measures, and while some of these technologies are promising, there are always people working tirelessly to break them. Biometrics also have a property passwords do not: a fingerprint or face cannot be changed once a copy of it leaks.

I personally believe we are a long way from getting rid of passwords. Essentially, even biometric measures just end up passing passwords behind the scenes, though the end user may not have knowledge of what that password is.

If we are a long way from getting rid of passwords, that means our passwords are necessarily going to need to get longer and more complex, and thus harder to remember.

When I started out in the industry, it was standard that a 6 character password was nearly impossible to crack with techniques available at the time. In the 16 or so years that have elapsed since I graduated college, that safe number is more like 12 characters.
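The arithmetic behind "6 characters then, 12 now" is worth seeing once. The script below is an added example, not from the original post: it computes the keyspace and entropy of a password for a given length and character set, how long a guessing attack takes to exhaust it at a given rate, and the length needed to reach a target entropy. The guessing rates are assumptions chosen to contrast a throttled online login with an offline attack on a fast hash; they are not figures from the article.

```python
import math
from typing import Dict, List, Tuple

# Character-set sizes: lowercase only, letters+digits, and full printable ASCII.
ALPHABETS: Dict[str, int] = {"lowercase": 26, "alphanumeric": 62, "printable": 95}

# Assumed attacker guess rates in guesses/second (assumption, not from the post):
# a rate-limited online login versus an offline GPU attack on an unsalted fast hash.
RATES: Dict[str, float] = {"online": 1e2, "offline": 1e10}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute-force attacker to try every password."""
    return keyspace(length, alphabet_size) / guesses_per_second


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest length whose entropy reaches target_bits for this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def human_time(seconds: float) -> str:
    """Render seconds as the largest convenient unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


def report(lengths: Tuple[int, ...] = (6, 8, 12)) -> List[Tuple[str, int, float, str, str]]:
    """Rows of (alphabet, length, bits, online time, offline time)."""
    rows = []
    for name, n in ALPHABETS.items():
        for length in lengths:
            rows.append((
                name,
                length,
                round(entropy_bits(length, n), 1),
                human_time(seconds_to_exhaust(length, n, RATES["online"])),
                human_time(seconds_to_exhaust(length, n, RATES["offline"])),
            ))
    return rows


if __name__ == "__main__":
    for alphabet, length, bits, online, offline in report():
        print(f"{alphabet:>12} x{length:2d}: {bits:5.1f} bits  online {online:>18}  offline {offline:>18}")
    print("length for 80 bits, printable ASCII:", length_for_bits(80, 95))
```

The table makes the point of the post concrete: 6 lowercase characters fall to an offline attack in well under a second, while 12 printable characters take the same attacker on the order of a million years. The offline column is the one that matters, because a breached site's password database is attacked offline, so a password's strength should be judged against that rate rather than the login page's throttling.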

Best to practice safe secs.

Yahoo!

By now you've probably heard about the Yahoo! breach. This is almost certainly the largest known breach of passwords and user information of all time. What makes it worse is that the breach includes not only passwords and email accounts, but also security questions and answers.

If you've ever been a Yahoo! user, which I suspect is almost everyone reading this, you should first change your Yahoo! password and all your security questions and answers (and change that same password anywhere else you reused it, since leaked credentials are tried against other sites), but secondly, and this is very important, you should enable multi-factor authentication for Yahoo!, which provides a second layer of protection. You should enable multi-factor authentication for any service that allows you to do so, but especially for email, banking and social media accounts (the most likely targets of hacking).

The worst part about this is that it is likely Yahoo! has known about this for several months, and it may only be coming out now because of the purchase of Yahoo! by Verizon.

Good luck, and please contact us with any questions.

Some advice about security questions

Security questions, typically used to recover a forgotten password, are a frankly unheralded hole in password security: they are a second, much weaker credential that bypasses the password entirely. Typical questions include your mother's maiden name, the street you grew up on, or your high school mascot.

It is easy to see that these questions can be answered by almost everyone you know, and by people you don't know if they look hard enough, since the answers are often in public records or on your social media profiles.

As a best practice, I recommend never answering these questions with the true answer: either use a short phrase that you know but someone else could not guess, or use a random string of characters. Either way, you should already be using a password manager, which will then let you store each question and the corresponding made-up answer alongside the account.
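Generating those made-up answers is the part people get wrong, usually by typing something "random" themselves. The script below is an added example, not from the original post: it uses Python's secrets module (a cryptographically strong source, unlike the random module) to produce either a random string or a random word phrase for each question, and packages them with their entropy as entries ready to paste into a password manager. The eight-word list and the sample questions are constructed for the example; a real phrase generator would draw from a diceware-style list of several thousand words.

```python
import math
import secrets
import string
from typing import Dict, List, Sequence

# Letters and digits only, so the answer survives sites that reject punctuation.
ANSWER_ALPHABET = string.ascii_letters + string.digits

# Constructed eight-word list so the example runs offline. At 3 bits per word it is
# far too small for real use; a 7776-word diceware list gives about 12.9 bits per word.
WORDLIST = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glacier", "harbor"]


def bits_for(symbols: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random secret: symbols * log2(alphabet)."""
    return symbols * math.log2(alphabet_size)


def random_answer(length: int = 20) -> str:
    """A random alphanumeric answer; secrets.choice is unbiased and CSPRNG-backed."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def random_phrase(words: int = 4, wordlist: Sequence[str] = WORDLIST) -> str:
    """A random word phrase, easier to read back over the phone than a string."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def vault_entries(site: str, questions: Sequence[str], style: str = "string") -> List[Dict[str, object]]:
    """One password-manager note per question, with the generated answer and its entropy."""
    entries = []
    for question in questions:
        if style == "phrase":
            answer = random_phrase()
            bits = bits_for(len(answer.split("-")), len(WORDLIST))
        else:
            answer = random_answer()
            bits = bits_for(len(answer), len(ANSWER_ALPHABET))
        entries.append({"site": site, "question": question, "answer": answer,
                        "entropy_bits": round(bits, 1)})
    return entries


if __name__ == "__main__":
    # Constructed sample questions (typical recovery prompts, not from a real account).
    questions = ["Mother's maiden name?", "Street you grew up on?", "High school mascot?"]
    for entry in vault_entries("example.com", questions):
        print(entry)
    print(vault_entries("example.com", questions[:1], style="phrase")[0])
```

The string form is what to use by default; the phrase form exists because some support desks ask the question out loud, and "anchor-dune-ember-basil" can be read back where "Qx7Lp2..." cannot. Either way the answer is stored in the password manager next to the account, never memorised, and never reused across sites.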

Check out this article from Wired for more background.

Remember, there is no single solution to the problem of password security; a multi-pronged approach is paramount.