Bonus tip: How quitting coffee will improve your cybersecurity posture.

 

KRACK makes your wireless network insecure




 

Why should I read this? I haven’t even eaten breakfast today.

The evidence continues to mount that Modernity has trapped the very species that invented it.

Last week, researchers announced that all wireless networks are insecure. Yes, all. The “KRACK vulnerabilities” allow anybody within range of your computer to read all your unencrypted wireless traffic, decrypt some of your encrypted traffic, and even inject data (including ransomware or malware) into your connections. The attacker doesn’t even need to be connected to the same wireless network as you.

Oh, snap! How many people have been attacked so far?

That’s the silver lining: KRACK was discovered by a security researcher. There’s no evidence that KRACK has been exploited in the wild yet. However, there’s no way to know for sure; who knows what the NSA has had up their sleeves for years? If no malicious actors have exploited KRACK yet, it’s only a matter of time.

Phew! So we’re safe?

That’s not exactly what we said. There are plenty of Mensa-quality brains out there who have way more time on their hands than retirement savings, and now they have the treasure map.

So stop yammering and tell me what to do!

Okay, okay. First, calm down — as someone’s grandmother surely has said, haste makes waste. Here goes:

Patch all your computers and devices.

To Microsoft’s credit, they have already released a patch. Windows users: update! If you subscribe to Ignition’s Startup In a Box patch management service, we have already pushed this fix to your computer; please restart if prompted to finalize the installation. We will be monitoring supported systems to ensure patches are being implemented.

Apple’s patch is available in the beta versions of macOS High Sierra (v10.13) and iOS 11. Ignition recommends against installing beta software, since it can cause more problems than it solves. We’ll push these updates to Startup In a Box subscribers when Apple releases the final versions, which are anticipated in the coming days. Absent any official statement, it is currently unclear whether Apple’s patch will apply to earlier versions of macOS and iOS.

There’s currently no patch available for Android devices, which is unfortunate because they are the most vulnerable. Google promises one “in the coming weeks.” Again, if you’re a Startup In a Box subscriber, we’ll get this done for you when it’s available.

Patch all of your wireless access points.

There are too many network equipment vendors to mention here; Google to find out when patches are available for your wireless access points. Don’t forget to actually install them!

Our preferred network vendor, Meraki, has already released a fix; Ignition clients who subscribe to our All-You-Can-Eat support service needn’t worry; we’ve already patched your Merakis and will patch other devices as their patches are available.

Don’t bother changing your wireless network password.

The KRACK attack doesn’t manipulate passwords. It exploits a flaw in the WPA2 protocol’s own key handshake, which no password change can fix.

Minimize use of wireless networks until your devices are patched.

We frequently tell our clients to activate all Ethernet drops in their offices, as a matter of policy, just in case of emergency. Dig out your Ethernet cables and hope somebody listened to us!

Wifi cafes should make you very wary now…

Oy vey, this one’s hard for us Road Warriors. In order to fully protect against KRACK, both your device and the wireless access points need to be patched. Where does that leave your relationship with anonymous wifi cafes, whose networks will probably never be fixed?

Quit coffee.

Without getting too technical, let’s summarize the quandary:

  1. Patching only the device you’re using defends you against the worst-case scenario, in which an attacker can access all of your traffic today, while sipping a dry cappuccino at the next table.
  2. However, if the wireless access point isn’t also patched, the attacker could still use KRACK to glean meta-insight into your (patched) device’s traffic, and eventually devise a way to exploit that into full access. How they would do that is not known… yet. But you can bet there’s at least one disaffected Cybersecurity Ph.D. dropout who’s itching to prove to the thesis committee that they were all wrong about his potential to change the world.

… and commercial VPNs should make you wary, too.


The quickest way to surf safely at wifi cafes is by using your company’s internal VPN. Properly configured, the VPN will encrypt all traffic and keep it safe against even a successful KRACK attack.

If your organization doesn’t have a privately-owned corporate VPN, here’s why you might ask us to install one rather than using commercial, third-party VPN services:

Commercial VPN services create a new set of security concerns. While it’s true that the traffic sent via your VPN provider is safe against KRACK attacks, the business and security models of most commercial VPN services are highly suspect: by definition, VPN services gain full access to all of your traffic.

So who exactly are these people to whom you’re giving all your delicate traffic?

In reviewing an analysis of 181 VPN providers, Ignition found only four with no glaring operational or political problems — and we can’t vouch for that study’s methodology or authorship.

Essentially, commercial VPN services are providing, in the words of one cybersecurity researcher, “Pinky-Promise-as-a-Service” security.

Because it’s hard to tell which commercial VPN services are merely shell companies for malicious hacking activities, which ones are operationally irresponsible, and which precious few are definitely trustworthy, the Ignition team has never officially recommended any commercial VPN service to our clients.

Our recommendation is that you set up an internal, corporate VPN on equipment and software that your organization owns. Ask us if you need help.

Don’t forget your other devices!

What about all your other wifi-enabled devices — especially your portable Internet hotspot? You connect to that via wireless, don’t you? Yes, that needs to be patched, too. What about Amazon Dash, Echo, and Alexa? Nest, Sonos, and Google Home? Couldn’t a KRACKer theoretically send fake video images to your security cameras while calmly burglarizing the building? Okay, so maybe you don’t care if someone taps into your Spotify stream, but what if they force you to listen to “Enter Sandman” relentlessly when you were feeling kinda Billy Joel? Anything that connects via wifi is vulnerable. Choose a cozy evening, have a warm drink, and get a-patching… where those patches exist, anyway.

Equifax already gave away my social security number and ruined my credit-worthiness. Why should I care anymore?

Let us know if you’d like a referral to qualified professionals who can help you defend against spiritless nihilism and other agonies of the human spirit. We just work here.

How can I learn more?

Not everybody cares to spend as many hours thinking about this as we have, but if you still have unanswered questions, either email us directly or just subscribe to our Modernity Alerts announcement list, and we’ll send you more information as it becomes available.

In the meantime, stay calm and patch on!

Luv,

The Gang @ Ignition

 

Michael Bricker, one of Ignition’s likeable and handsome consultants, contributed research, reporting, and Ignition’s patented Give-a-S**t Attitude to this article. Thanks, Bricker!