Security


Security researcher Mathy Vanhoef revealed on Monday, October 16, 2017, what he has labeled KRACK, an exploit that attacks a vulnerability in the handshake of the WPA2 protocol. You most likely use WPA2 to protect your Wi-Fi at home, and millions of small businesses around the world use it, too.


Are you vulnerable? Here are a couple of sites with good, but not all-inclusive, lists.
http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
https://www.androidcentral.com/these-are-router-makers-have-patched-krack-wpa2-wi-fi-flaws


Here is the current status of patches for some (not all) devices.
http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/


Recommendations – https://www.androidcentral.com/krack

  • Avoid public Wi-Fi at all costs. This includes Google’s protected Wi-Fi hotspots until Google says otherwise. If your carrier forces your phone to Wi-Fi when in range, visit the forum for your phone to see if there’s a workaround to stop it from happening.
  • Only connect to secured services. Web pages that use HTTPS or another secure connection will include HTTPS in the URL. You should contact any company whose services you use and ask if the connection is secured using TLS 1.2, and if so your connection with that service is safe for now.
  • If you have a paid VPN service that you trust, you should enable the connection full-time until further notice. Resist the temptation to rush and sign up for any free VPN service until you can find out if they have been vetted and will keep your data secure. Most don’t.
  • Use a wired network if your router and computer both have a spot to plug in an Ethernet cable. This exploit only affects 802.11 traffic between a Wi-Fi router and a connected device. Ethernet cables are relatively cheap and an eyesore strung across the carpet is worth it. Look for a Cat6 or Cat5e spec cable and there should be no configuration needed once plugged in.
  • If you use a Chromebook or MacBook, this USB Ethernet adapter is plug-and-play.


Here’s how to make sure you’re up-to-date on your Galaxy S7:

  • Launch Settings from your home screen, the Notification Shade, or the app drawer.
  • Tap About device.
  • Tap Download updates manually. Your phone will then check for and download any updates.
  • Tap Later, Install overnight, or Install now to choose when you want the update installed.


Another vulnerability, known as “ROCA”, was also announced today. This vulnerability involves an attack on public-key encryption, which may weaken the way we authenticate software when installing it. It affects many other systems that rely on public/private key encryption and signing. Fixing this also requires you to update your devices using vendor-released software updates, so keep an eye out for security updates for your devices and workstations that fix any ROCA-related issues.