Friday, October 20, 2017

KRACK safety precautions

I've had a chance to track down more information about the KRACK attack and what can be done to protect against it.

It's what is known as a "Man in the Middle" attack. Someone has to be physically on your network in order to execute an attack on your router or devices. This makes it unlikely to be a problem for home users. And probably not a huge issue for a small library wifi network. But it's always better to patch devices when you can and take precautions.

A few points that can stand further clarification:

  • Windows and iOS devices are not particularly susceptible to this breach as WPA2 was never implemented entirely correctly in these operating systems. The protocol didn't work as planned. Neither does the hack. Regardless, both Microsoft and Apple have patches in the works.
  • Android 6.0 and higher are most vulnerable to attack. Google is working on patches for Android. Whether or not your device gets an update is largely up to the manufacturer. Most current models will most likely get the patches eventually. Many old ones won't. But these devices have always been vulnerable to attacks. This is just another one to add to the list.

Information of a highly confidential nature that requires a good measure of privacy protection should probably never be done over wifi. If you have such a network, the best advice is to turn off the wifi router and use ethernet cabling to make it a wired LAN. It's always a good practice to use ethernet for secure transmissions.

Other general good practices for wifi networks will help protect you in this instance as well:

  • Use a VPN (Virtual Private Network) when you're connected to a wifi network. This creates a kind of tunnel connecting your device to a server owned by the VPN company. That information is not accessible to anyone on the wifi network with you. When your request reaches the company's server, it then proceeds the rest of the way to its destination via the wired Internet. But don't rely on a free VPN. They may not to be reliable or trustworthy. Remember the adage, if the service is free, you're what's being sold. But even a paid VPN can slow you down and they don't work with every site.
    We'll look at VPN options in a future post.
  • Https Everywhere:
    Electronic Freedom Foundation offers an extension for your browser that chooses the secure web protocol https over the unsecured general protocol http when more than one is available on a website. It's available for Chrome, Firefox and Opera browsers. The impetus behind this is reasonable. A secure website connection is better for many reasons including protection from attacks like KRACK. Financial and shopping sites, in particular, should be using this protocol and you should look for it. And, opting for it, when it's available, as this extension is supposed to do, is a good practice. Unfortunately, the extension can also break some sites if there is no https available. Or if the transfer from one protocol to another cannot be completed smoothly. Possibly worth a try, but don't be surprised if you hit some snags.
  • Cellular data - using a cell phone's data option is almost always more secure than public wifi. If you're concerned about security, you should probably consider increasing your data plan and reducing your use of public wi-fi. You can also use your cell phone as a modem and tether a laptop or tablet to it for use outside the home.

Steve Gibson makes the point on Security Now that is CLIENTS not ACCESS POINTS that particularly need to be patched. This cartoon shows a reason why.

That said, the other option to protect a network from a man in the middle attack is to update the router. Many router manufacturers are offering firmware updates. It's a good idea to check your make and model number on the manufacturer's website to see if there are updates available. Protecting the router becomes particularly important when you're running a network with a lot of IoT (Internet of Things) gadgets on it: doorbells, cameras, light switches, thermostats, etc. Cheaper gadgets, like cheap Android phones, will probably never get updates or patches. So they are best protected from the router side. If your wireless router is so old that you have no way to update it, it may be time to get a replacement. 

For more information on the KRACK Attack

Monday, September 11, 2017

How to protect yourself in a massive data breach

Hopefully, everyone is aware of the data breach at Equifax, one of the major credit bureaus. Reportedly, the data of 143 million people has been compromised, including social security numbers, names, addresses, phone numbers, credit card numbers, in short everything someone would need to commit identify theft.

Equifax is offering a website where you can go and enter your name and part of your social security number to see if you are among those whose information has been compromised. Some hackers and tech enthusiasts claim that the viability of this system is questionable as it provides different results to the same information entered in subsequent queries. It also has provided positive results for fabricated data. It's probably safe to assume that your data has been compromised and proceed from that assumption.

Equifax also provides a solution for that possibility: a year's free enrollment in their identity protection program: Trusted ID. Many are skeptical as to whether they want to trust the company whose potential gross negligence resulted in the problem in the first place.

CNET offers A guide to surviving the Equifax data breach (without Equifax's help). Not all of the information provided in this piece is uniformly agreed upon. For example, apparently enrolling in the Equifax Trusted ID program no longer requires you to opt out of a class action lawsuit. I think most of the advice about checking credit reports, freezing credit, setting fraud alerts and being vigilant during tax season is good advice.

Update 9/12/2017 - Thanks to Diane Van Gorden and Alex Clark
How to Protect Yourself from Identity Theft - Montana Legal Services Association

Update 9/14/2017 - Thanks to Steve Gibson on Security Now
Credit Freeze Guide: The best way to protect yourself against identity theft

Here is more information and background on the data breach from some of my preferred sources:

Wednesday, August 23, 2017

Unlimited data - can it replace your home broadband?

The FCC has recently released an inquiry on the current state of broadband in the U.S. One of the questions they raise is whether or not it's necessary to have a wired broadband connection (fiber or cable) and to reach the previously set targets of 25 Mbps down and 3 Mbps up for home users. Or is a cellular connection enough?

This report from 2016 shows that the U.S. lags well behind most of the rest of the world in cellular data download speeds at around 10 Mbps.
See how painfully slow 4G LTE is in the U.S. compared to the rest of the world
That's also about what I've gotten on personal tests on Verizon in my area.

But there are also questions about data caps and throttling. So, along come new unlimited data plans from the major cellular carriers.

You can see there are limits on mobile tethering. So, the data is not unlimited if you want to use it with a tablet or PC. Plus there are limits on video quality and the data can be throttled even if you stay under a given level.

This may be good news for some cellular users. But it doesn't look like an adequate replacement for high speed broadband, particularly in areas with spotty cell service.

Friday, August 18, 2017

Passwords Guidelines Changed

Finally the guidelines about passwords that made me crazy - change every 90 days, include an upper case, lower case, number and other character - are being changed as we see in this NPR article.
Forget Tough Passwords: New Guidelines Make It Simple

I'd often thought it couldn't be terribly secure if we had to write it down to remember it. Of course, I find the best solution is still a password manager.

Here's some information and a review of some of the best rated ones from PC Magazine:
The Best Password Managers of 2017

I use LastPass and have generally been quite happy with it but it can be a challenge to use with mobile apps and sites.

Friday, June 9, 2017

Internet of Things article from Pew Research

There was a fascinating if long article from Pew Research Center on Internet and Technology on:
The Internet of Things Connectivity Binge: What Are the Implications?

Well worth at least a scan to remind you of the potential risks in unbridled connectivity with no questions asked.