
SVA Cyber Security Update - Wi-Fi Krack: Steps you can take to help protect yourself

October 20, 2017

Many of us have read the alarming warnings stating “All Wi-Fi networks are vulnerable to hacking” and implying “no one is safe”. The challenge for many is deciphering the technical jargon to understand the steps individuals and organizations can take to protect themselves.

The problem is essentially that the way Wi-Fi devices start a conversation and identify who can join the network is flawed. The Wi-Fi router or access device guards the wireless “door” to the network and challenges computers to identify “who goes there”. This flaw allows the bad guys (hackers) to listen to that conversation and impersonate the good guys (you) to sneak into the network and possibly your computer, phone, tablet or IoT device.

The most vulnerable systems are computers running Linux, Android devices, Unix, and old or unpatched Windows and Apple systems. Many companies like Microsoft, Apple and Cisco have fixed the flaw, but you are protected only if you have installed the updates.

Here are the steps to help protect yourself from being “KRACK-ed” (KRACK = Key Reinstallation Attack):

  1. Update and Patch - This is critical. Many software publishers like Microsoft, Apple and Cisco rushed to produce updates and patches to protect people from getting "KRACK-ed". It is very important that you patch every single device you own. Every day you delay updates and patches is a day you are exposed to hackers. Remember that all devices must be updated, including routers, IoT devices, phones, tablets and computers.
    See CERT and Homeland Security’s update to check whether your device vendor has released an update.
  2. Skip Wi-Fi – Use Mobile / Cellular Data or hard network connection - The flaw requires you to join a Wi-Fi network with an active hacker physically in range (close). It’s never a good idea to join public Wi-Fi “HotSpots”. These are not safe and with KRACK, the risk is very high. SVA suggests not using Wi-Fi until you are certain your devices have been patched. For affected mobile phones, turn off Wi-Fi until your device(s) are updated and only join known, updated Wi-Fi networks. For computers, use a ‘hard wired’ network connection.
  3. Use your organization’s VPN and HTTPS for all web access - If your company has a VPN (Virtual Private Network), use it at all times. This hides your information by encrypting it. Be careful about downloading one of the hundreds of “VPN Apps” that are available. Many are not trustworthy. If you do not have a VPN and you must use Wi-Fi, limit your use to only what is necessary and only connect using HTTPS. One option to consider is a web browser extension called HTTPS Everywhere from the Electronic Frontier Foundation (for Google Chrome, Firefox or Opera), but the safest approach is not to take the risk.
  4. Take Inventory - Now is the best time to get a full inventory of all devices on your Wi-Fi network and make sure all have been updated and protected. We all forget about things, but now is the best time to “scan” your Wi-Fi network to make sure all devices have either been updated or disconnected. Think of this like spring cleaning for the Wi-Fi network.

For additional information, contact SVA Consulting’s resident cybersecurity experts.

About the author
Clint Crigger is the Chief Information Security Officer for SVA Consulting. With over 30 years of experience, Clint is a recognized leader in the field of Information Security, Risk Management and Regulatory Compliance. His expertise has been utilized by notable organizations such as NASA, Microsoft, IBM, Lockheed Martin, BOEING, QBE, Bank of America, Wells Fargo, Booz Allen Hamilton, Circle K, AIG, CSC and the US Air Force. Clint has also been featured in the Newsweek article How a White Hat Hacker Breaks Into a Business.