Fatal WPA2 protocol flaw puts most Wi-Fi enabled devices at risk
By now, you may have heard of the most recent high-profile security vulnerability to surface in the last couple of weeks. You may even know the name attached to it – “KRACK attacks”. This vulnerability mainly exists within WPA2, which is a level of security certification developed by the Wi-Fi Alliance and the standard protocol for many public and private access points. The vulnerability allows an attacker to intercept, decrypt, manipulate and hijack a victim’s wireless traffic, and the attacker doesn’t even need to connect to the network itself. Microsoft, Linux, Cisco, Apple and others have all released or announced patches.
The real difficulty with a vulnerability of this size is the sheer number of devices affected. Certainly, some devices won’t be updated for a number of reasons, like end-of-support, or simply being overlooked. This could leave thousands to millions of IoT devices, smartphones, and computers vulnerable to attack. There is no doubt that this vulnerability will have implications for years to come. To learn more, check out this month's issue of SIMformation.
Google introduces the Advanced Protection Program
To celebrate CyberSecurity Awareness month in October, Google has announced a series of security improvements and programs on its blog. The latest entry details a new offering for Google users who are at increased risk of online attack. The Advanced Protection Program consists of 3 core defenses: defense against phishing, protection from accidental sharing, and fraudulent account prevention.
Defense against phishing has been augmented by the introduction of support for “security keys”, an enhanced form of 2-factor authentication. These security keys can take a couple of forms, such as a USB drive or similar wireless devices, and they act essentially as a “key” that authenticates you and allows access to your digital data. This tool prevents hackers from logging into accounts using a stolen password.
Protection from accidental sharing is ensured by allowing applications only limited access to users’ Google accounts, like Gmail and Drive. This will prevent malicious apps that were accidentally downloaded from accessing account information. Right now, only Google apps are allowed full access, but Google has said they plan to expand to include more apps.
To prevent fraudulent accounts from being created and accessed, Google has made the account recovery process much more rigorous. The change is aimed at making it more difficult for hackers to impersonate account owners during an account recovery process, for example, one caused by a lost password. The additional steps include demanding more detailed information and performing more reviews.
Right now, anyone with a consumer Google Account can enroll in the Advanced Protection Program, and it is especially recommended you do so if you are in a line of work that involves sending and receiving sensitive, political, or otherwise critical information. You can learn more about the program here.
National CyberSecurity Awareness month is almost over!
As October comes to a close, so too does the Department of Homeland Security's National CyberSecurity Awareness month. Intended to improve the security posture of the nation as a whole, the campaign is designed to engage and educate business owners and individuals alike on the importance of cybersecurity. If you haven't taken any steps toward better security hygiene this month, it isn't too late. Head here to read about all of the kinds of security offered by SIM2K, and choose one, or all, that fit your business needs. Here at SIM2K, we believe in defense in depth.
Tom X. McShane