Security

,

KRACK WPA2 Wi-fi Exploit

,

You may well have heard of the security exploit that was discovered in the WPA2 key implementation that is widely used in all Wi-Fi network installations/devices, commonly referred to as the ‘KRACK’ exploit.

This does affect Wi-Fi networks, computers that use Wi-Fi connections, including laptops/desktop/smart phones/tablets, etc.

Information about the exploit can be found here (this is a technical document): https://en.wikipedia.org/wiki/KRACK

It should be pointed out in this document that it stresses that the weakness/exploit is in the WPA key management itself, (i.e. the software implementation), not in the encryption standards that are used to encrypt data for Wi-Fi connections, or the products that use Wi-Fi for data transmission.

For clients of FlightPath IT, we want to assure you that we have taken steps to apply a security upgrade to your Wi-Fi networking hardware that we manage at your organization, to protect your Wi-Fi communications from this exploit. We are also working to insure that any workstations or other devices that we manage for your organization will be updated with security patches from the vendor of the operating systems (Windows/Mac OS X, etc.)

To date, there are no reported exploits of this weakness in the WPA protocol key handling, but we are working proactively to insure that there is no risk in your organization.

Also, please be aware that if you are using a VPN connection over your Wi-Fi network, the data traveling over that connection would not be vulnerable to this exploit, since the VPN client software will encrypt that data separately.

If you have questions or concerns about this, please reach out to us and we will be happy to discuss in detail the steps we have taken to secure your infrastructure.

,

Ccleaner Ccompromised

,

Several publications are reporting that Windows efficiency tool Ccleaner has been compromised and the compromised version was distributed for over a month to over 2.3 million computers. Our company has never deployed or used this tool, nor advocated it's use. It was originally designed as a way to free up space on hard drives and evolved into a psuedo-privacy tool. I personally used it once in college and it removed some things that I needed, so it left a bit of a distate in my mouth, and I haven't given it a second look.

Anyway, if you use Ccleaner, make sure you are now using the current version, released on or after September 12th - and then once you are up to date with the latest version, I recommend unisntalling it - you don't really need it.

Replacing Passwords

I recently read this article from Bloomberg concerning the progress of technology that could help replace passwords for security access. Passwords have lots of problems, the foremost of which is that the average person isn't aware how vulernable they are to password breaking or cracking.

The article discusses presence detection, voice recognition, facial recognition and other biometric measures, and while some of these technologies are promising, there are always people working tirelessly to break these technologies.

I personally believe we are a long way from getting rid of passwords. Essentially, even biometric measures just end up passing passwords behind the scenes, though the end user may not have knowledge of what that password is.

If we are a long way from getting rid of passwords, that means that our password are necessarily going to need to get longer and more complex and thus harder to rememebr.

When I started out in the industry, it was standard that a 6 character password was nearly impossible to crack with techniques available at the time. In the 16 or so years that have elapsed since I've graduated college, that safe number is more like 12 characters.

Best to practice safe secs.

Another day, another security hole

This article is slightly older, but still relevant. Approximately 900 million Android devices containg Qualcomm add-on software and chipset, are vulnerable to Quadrooter, an enermous number. The good news is the vulnerability has already been patched, so you should be safe as long as you keep your Android device (and all your devices) up to date, a practice we highly recommend and adapt ourselves.

,

Yahoo!

,

By now you've probably heard about the Yahoo! breach. This is almost certainly the largest known breach of passwords and user information of all time. What makes it worse is that the breach not only includes passwords and email accounts, but also security questions and answers.

If you've ever been a Yahoo! user, which I suspect is almost everyone reading this, you should first change your Yahoo! password and all your security questions and answers, but secondly, and this is very important, you should enable multi-factor authentication for Yahoo! which provides a second layer of protection. You should actually enable multi-factor authentication for any service that allows you to do so, but especially for email accounts, banking and social media (the most likeley targets of hacking).

The worst part about this is that it is likley Yahoo! has known about this for several months, and it may just be coming out now only the purchase of Yahoo! by Verizon.

Good luck, and please contact us with any questions.

Some advice about security questions

Security questions, typically used to recover a forgotten password, are a frankly unheralded hole in password security. Typical questions include your mother's maiden name, the street you grew up on, or your high school mascot.

It is very easy to see that these questions can be answered by almost everyone you know, and can easily be detected by people you don't really know if they look hard enough.

As a best practice, I recommend never answering these questions with the exact answer, either use a short phrase that you know that someone else would not be able to guess, or use a random string of characters. Either way, you should alreayd be using a password manager, which will then allow you to store the questions and the corresponding answers.

Check out this article from Wired for more background.

Remeber, there is no one solution to the problem of password security, a multi-pronged approach is paramount.

Be careful with wireless keyboards

Another day, another article about data vulnerabilities. This time the problem is wireless keyboards. Apparently several brands of wireless keyboards use no encryption whatsoever, and merely rely on obscure radio frequencies for minimal security. This leaves the end user open to key logging as well as key insertion. In other words someone could capture everything you type, or type directly on your computer. Your only recourse would be to unplug your wireless keyboard dongle / receiver. If you have a wireless keyboard from one of the brands listed in the article, you should switch to another brand or even a wired keyboard. I have been using the Logitech K750 for a few years and I love it. First off, Logitech is not one of the brands listed in the article. The keyboard has a low profile, tactile keys and the best part: it is solar powered so there are no batteries to die and replace. I recommend it.