KRACK!

The foundation of secure home wireless networks cracked this week. (I apologize for the pun. Well, No, I don’t!) KRACK is a Key Reinstallation AttaCK on WPA and WPA2 (Wireless Protected Access and Wireless Protected Access II). If you read my book, Personal Cybersecurity, you know that WPA2 is the best choice for protecting your home wireless system from intrusion. It still is, but without some timely updates, WPA2 is vulnerable to hacking.

Don’t panic

No intrusions have been reported yet, although there almost certainly will be some in coming weeks and months. The vulnerability is in the WPA and WPA2 standard. Consequently, everything that follows the standard is vulnerable. The problem is not with particular implementations. Anything that uses WPA or WPA2 correctly is vulnerable. The security of a component that uses WPA or WPA2 incorrectly is anyone’s guess, but there is a good chance it was insecure even before KRACK was discovered.

What must be patched

The Windows operating system (all versions), Linux, and Apple all are affected.  Internet of Things (IoT) gear such as wireless security cameras, smartphone controlled wireless door locks, thermostats, and light switches are also vulnerable. Practically anything wireless must be patched. Fortunately, the necessary patches have already been written for many components that need them.

Your wireless router must be patched. I read a comment in a Comcast forum that the common Xfinity Technicolor TC8305C combined cable modem and wireless router does not need patching, but I haven’t found any acceptable confirmation of that, and therefore I assume it is wishful thinking. I would appreciate a comment here from anyone who knows more.

Microsoft’s automatically delivered October security update fixed the issue for supported versions of Windows, so you are most likely already safe there. Linux distributions have patches written and it is possible your Linux installation is already safe too. I’m not as well tapped in to the Apple world, so I am not sure what the status is there, but I’m sure lights are burning late in Cupertino if they haven’t spiked it already.

The good news is that the patches are backwards compatible— that means patched components can work side by side with unpatched components without interrupting service.

The bad news

The bad news, and very bad news it is, is that a hacker can use the vulnerability to get into your wireless network from any unpatched component. The IoT is scary: Windows is easily patched automatically and is likely to be safe already, but many IoT devices have no automated patch mechanism and the device manufacturer has no means to even inform you that you are vulnerable. White label gear is especially dangerous because you have few ways to contact the manufacturer. In other words, you are on your own in the IoT.

Some reports say that Android phones are the most vulnerable. For them, you are dependent on your cellular carrier for patches to your phone. Some are more prompt than others. If you are worried, to protect yourself, turn off wireless support on your phone and only use the cellular network for network connections. When your carrier gets around to patching your device, turn wireless back on to save on data charges, if that is an issue.

Switch to wire where you can

If you have a means to switch IoT gear to a wired ethernet connection, that will render the device no longer vulnerable. Same applies to any computer or printer that you are unsure of that uses a wireless connection; turn off wireless and jack the device into your wired network if you can. If you can’t connect by wire, turn the device’s wireless service off or turn the device off entirely. You may have to turn wireless back on to download patches when they are available.

Other reasons for optimism

If you live in a low density population area, you may be less vulnerable. In order to exploit the vulnerability, a hacker must have access to your wireless signals in the air. Ordinarily, that is only within 300 feet from your wireless access point (usually your wireless router). Special antennas can extend that limit, but if strangers can’t get closer than 300 feet, you are pretty safe. The exception to that is if a hacker happens to have taken control of a computer within the 300 foot sphere that can connect to your wireless network. Still, many people in low density areas are fairly safe from intrusion.

Final advice

If you know you are in area where wireless hackers are active, turn off all unpatched wireless devices or use a wired connection. Take inventory of your IoT devices and make sure they are all secure. One way to do this is to log on to your wireless router and review the list of attached devices. Some may be turned off and only appear on the inactive list. If there is any chance that the device might connect in the future, put it on your list of devices to be secured. I estimate that you have some weeks to react, but that margin will disappear quickly. You can expect that criminals are working weekends to write cheap exploit kits for sale to script kiddies on the dark web. The kids will then drive around with laptops looking for vulnerable wireless. It has a name: “war driving.” Stay in front of them. If you have to trash some unsafe unpatchable IoT gear, do it now, swallow the loss, and take a lesson.

Even if your network is vulnerable, you are much safer using secure HTTPS connections. If you haven’t installed HTTPS Everywhere from the Electronic Frontier Foundation on your browsers, now would be a good time. Get it here.

For further technical information on KRACK, check out Brian Krebs and this post from the discoverers of the vulnerability.

Late update

A friend pointed me to this article in Ars Technica. The gist is that most Android phones are not yet patched against KRACK as of December 1, 2017, but the Android layers of security are strong enough to render the threat negligible. I will not rest easy until my Android phone is patched, but my fears are likely excessive.

Bluetooth Is Not Getting Safer

Over a year ago I published Seven Rules for Bluetooth at Starbucks. Recently, Armis, a security firm specializing in the Internet of Things (IoT), announced a new set of Bluetooth vulnerabilities they call BlueBorne. If you read “Seven Rules”, you have a good idea of what BlueBorne is like: hackers can get to your devices through Bluetooth. They can get to you without your knowledge. Windows, Android, Apple, and Linux Bluetooth installations are all vulnerable. Most of the flaws have been patched, but new ones are almost certain to be discovered.

Some of the flaws documented in BlueBorne are nasty: your device can be taken over silently from other compromised devices. Using BlueBorne vulnerabilities, hackers do not have to connect directly to your system. Someone walks within Bluetooth range with a hacked smartphone and you are silently infected. Ugly. Corporate IT should be shaking in their boots, and ordinary users have good reason to be afraid.

What should I do?

A few simple things make you much safer.

  • Be aware of your surroundings. Bluetooth normally has a range of 30 feet. More with special equipment, but whenever you don’t know who might be snooping within a 30-foot radius sphere, you are vulnerable. That’s half way to a major league pitcher’s mound and roughly three floors above and below.
  • Keep your systems patched. The problems Armis has documented in BlueBorne have been patched. Don’t give the bad guys a free ticket by leaving known soft spots unprotected. Make them discover their own holes. By patching regularly and quickly, you cut out the stupid and uninformed hackers. Smart hackers are rare.
  • Turn Bluetooth off when you are not using it or you enter a danger zone. When Bluetooth is turned off, you are safe from Bluetooth attacks, although you may still be affected by malware placed on your device while Bluetooth was turned on.

The seven rules for Bluetooth I published a year ago are still valid. Follow them.

Seven basic rules for Bluetooth

  1. Avoid high-stakes private activities, like banking transactions, when using Bluetooth in public.
  2. If you are not using Bluetooth, turn it off!
  3. Assume your Bluetooth connection is insecure unless you are positive it is encrypted and secured.
  4. Be aware of your surroundings, especially when pairing. Assume that low security Bluetooth transmissions can be snooped and intercepted from 30 feet in any direction, further with directional antennas. Beware of public areas and multi-dwelling buildings.
  5. Delete pairings you are not using. They are attack opportunities.
  6. Turn discoverability off when you are not intentionally pairing.
  7. If Internet traffic passes through a Bluetooth connection, your firewall may not monitor it. Check your firewall settings.

Equifax Dumpster Fire

Brian Krebs called it a dumpster fire, and I agree. I can’t add any facts to Krebs’ report on the Equifax breach. It happened, and it is bad. The current number of people said to be affected is 176 million and I doubt that number is final. Equifax’s response has not been good.

Self-dealing response

First, there was a long delay between discovery of the breach and informing the public. The delay gave several Equifax insiders an opportunity to dump shares before the inevitable fall in Equifax stock prices. More on that below.

Second, the response has been weak and possibly self-dealing. Equifax is offering a free year of credit monitoring. Many experts, including Krebs and myself, feel that an individual can do a better job of monitoring their own credit than any service if they are willing to make the effort. Credit monitoring is simply watching your accounts for unexpected activity. The services use algorithms to detect unexpected activity, but you know what is happening on your accounts better than any algorithm and you are more likely to catch something out of order than the service. But you have to review account activity frequently— daily is great, weekly is good, monthly at a bare minimum.

The nasty part of the Equifax response is that it is only for a year. The data that was stolen will be useful to crooks for years, perhaps decades. The offer, at least at this writing, is only for a year and they will start to bill you when the year is up. Yes, Equifax’s credit monitoring service may have a windfall of new paying customers a year from now.

Just a bit self-serving, wouldn’t you say?

Potential for mayhem

The credit reporting services (Equifax, TransUnion, Experian, and Innovis) collect data on credit activity and assign individuals credit ratings that your creditors use to decide risks and rates for extending credit to you. If you have a credit card, buy on credit, or have a mortgage, you have a credit rating with the reporting services and they have your data. You don’t send the information to the service, your creditors do. An individual has little control of the data collected by these services. To protect yourself, you should request a credit report at least once a year and check it for accuracy. You might find, for example, that your credit rating has been dinged because a creditor neglected to report that you paid your bill. Honest mistakes happen, and it is up to you to get them corrected.

The point here is that the data is collected without your approval. Credit ratings are not “opt in.” In fact, you can’t opt out. In my opinion, that places extra responsibility on the credit reporting services to keep the data accurate and private, although credit reporting services are largely unregulated. From the reports I have seen on the breach, Equifax was not following best security practices and I am not surprised that hackers got in. That is bad. I will not expect the picture of extent of the breach to be complete for weeks or even months to come.

This breach could force the entire credit industry to change its practices. Certainly, this is a warning shot across the bow to the other credit reporting services. The data that was stolen, names, addresses, phone numbers, credit card numbers, and driver’s license and social security numbers are everything a criminal needs to steal your identity, rack up phony credit purchases, and file a fake tax return in your name. Who knows what other damages the dark side will hatch from this treasure trove. The potential for mayhem is staggering, and the public outcry could equal that over the Enron debacle or the junk mortgage bubble, both of which inspired new regulations that changed corporate governance.

Insider trading and Sarbanes-Oxley

Now back to accusations of insider trading. I have no idea what the insiders knew or did not know, but I have some familiarity with the Sarbanes-Oxley Act which assigns criminal liability to corporate executives and officers who neglect critical security controls. The act, often called SOX, was in response to the Enron collapse of 2001. One of the security controls that SOX often demands is rapid notification of executive management of critical security lapses. If SOX applies, the corporate insiders who dumped their stock could face jail time for not knowing about the breach as soon as it was detected. If they knew about the breach, they are guilty of insider trading. If they didn’t know, they are in violation of SOX. This is something for the SEC to sort out. I find it hard to believe that they were that benighted, but the possibilities for negligence surrounding this event are goggling.

Advice

Krebs recommends that everyone should put a security freeze on their credit reports from each of the big four. I agree, but I also caution that a security freeze is a hassle; you must temporarily unfreeze and refreeze whenever you want to get a loan or open a new line of credit, but it does stop some of the most devastating attacks. Nevertheless, a freeze is not complete protection. You still must keep a hawk eye on your accounts, get your tax returns in early, and monitor your credit rating reports. That does not guarantee you won’t be hit, but it will make you safer than most.

Checklist to Avoid the Next Cayla Doll

The Cayla doll story is frightening. The unintended consequences of a clever child’s toy amount to an invasion of  child privacy. I expect more such stories. Devices now in homes don’t just offer entertainment and convenience. They can also open doors to corporate and criminal intrusion. TV’s, refrigerators, along with our phones and laptops can all have cameras and microphones. Without your permission, someone could control these from outside your home.

Threat assessment

Security professionals follow a procedure called “threat assessment” to spot potential dangers. Threat assessment is a series of questions. Their answers yield a clear picture of threats. The questions are common sense, but you may not always think to ask them.

I recommend that before you install any device in your home or business, especially those connected to the internet, you go through a threat assessment. You may already do so without realizing it. Think through each of the five questions below. These questions apply to almost all computer security. The next five apply to non-computer devices connected to the network.

The basic checklist

  • What am I protecting? Most often, it is privacy of your family or business. Cayla can listen to you and your child and transmit what it hears to an unknown intruder or a cloud data business. The business or an intruder can speak to your child without your knowledge. Your television may record and analyze the conversations in your living room. Other devices may have similar abilities. Most often, you are protecting yourself from outside interference in your life.
  • Where does the threat come from? The source could be a business putting together a portfolio on you that they will use to sell things to you. Less likely, but still possible, the source may be a sinister criminal planning some kind of assault. A government agency, for good or bad, could use the device to collect information on you.
  • How likely is the threat? You probably know that data organizations collect data on you. And you have noticed that they have guessed whether you prefer heavy equipment parts or needlework supplies. On the other hand, the FBI probably hasn’t picked your refrigerator to monitor.
  • How great is the danger? Ads targeted to your online search profile may annoy you, but the danger to your person is slight. But a criminal stalker monitoring your phone conversations through your Bluetooth headset may be dangerous.
  • What are you willing to sacrifice for protection? Threats can be stopped, but is the effort is worth the benefit? All direct cyberthreats can be stopped or severely curtailed by going cash only and abstaining from the use of all electronic devices. Does the threat justify the sacrifice?

The Internet of Things

The threats here are from the Internet of Things (IoT), devices connected to the network but not usually called computers. The IoT is uniquely dangerous in two ways. First, IoT devices sneak in on us. We see them, but don’t think of them as computers connected to the internet. Even though many people have an idea of the threats involved in network computing, the IoT slips beneath their radar. Second, the designers of IoT devices often have no concept of good security practices and the devices are often shockingly vulnerable.

Questions for IoT security

  1. Find out how it connects to the network. Hard wiring, Wi-Fi, Bluetooth, and cellular are the main ways.
  2. Can you unplug it from the network? How easily? The first step when you suspect some kind of intrusion is to disconnect from the network. Make sure you can. Many IoT devices can’t be switched off like a laptop or desktop. If hackers remotely unlock your front door, you must stop them immediately. Don’t put yourself in a position where you must call a locksmith to install a new lock to keep your door closed.
  3. Are logs kept of who tinkers with the device? When the tinkering happened? The location of the tinkerer?
  4. Does the device collect data? If so, what is it and who has access to it? Can you control what is collected and who has access?
  5. Can the device firmware be updated with security fixes? Can it be done automatically?

These questions may not be easy to find answers for. Marketing literature is often sketchy or even deceptive on security. Engineering documents are better, but hard or impossible to get. However, even partial answers help evaluate the threat and underpin informed choices.