Article Credit: Tommy Jordan - Twisted Networx of Albemarle, NC
Unless you're a computer geek for a living, you probably have no idea of the mind-blowing news that just hit the wire this morning. And even if you are, the titles of the news articles might not catch your attention as something you should be concerned with. Articles with titles such as "WPA2: Broken with KRACK. What now?" might not necessarily trip your spidey sense, but they should.
If you want to read the techno-babble version, you can read it here: https://www.krackattacks.com/
Assuming for the moment that most of you don't speak geek, we thought we'd take a minute and break it down for you, Barney style.
What does breaking WPA2 mean and why do I care?
We've all bought padlocks in the past to lock up something or other. You buy them to secure valuable items and lock them away, right? Imagine if you found out that the most common lock out there was all of a sudden vulnerable to a new key, that anyone could buy the key, and that anyone could now get into anything you have locked away. That's about the level of seriousness with which the IT world is taking this news.
WPA2 is the security feature that's most likely installed on your wireless router or wireless access points. It's the thing that requires you to enter a password to get on your wifi, so you can access your network. It's the key that keeps your network secure.
Well... someone just found a way (called an exploit or a hack) to make that key totally useless if the right person were to want to get into your wireless network. If you're a home user, you might think you don't really care. In the big scheme of things, you might be right. Who cares what a 65-year-old retiree does on their WiFi? Then again, if you bank online, you should care that someone could read everything you're doing over your shoulder.
If you're a business user, you DEFINITELY should care!
What's going to happen now?
Well, to put it mildly, once the collective geek universe stops soiling their pants about it, they will quickly get on the phone with their vendors that make the wireless access points and routers they sell to you. Then they'll yell and scream that the manufacturer had better hurry up and release a security patch to address this. (Don't worry, by the time you read this, these conversations are already happening. I found out about this one hour ago. My first search on our most common manufacturer's website showed someone had already beat me to the punch by six hours and the manufacturer had replied 5 hours ago that they were already working on a patch and we could probably expect it to hit the market by Wednesday for download.)
If you have a managed services provider, they will (or should, anyway) put the patches in place for you as soon as they become available. As it is still your butt on the line, I'd be sure I was on the phone with them to be sure they know about this and are planning to react to it for you.
If you manage your own network, well, then the burden falls to you to handle yourself. Get your routers and access points patched.
Is it that serious?
Remember when Equifax got hacked and you only learned about it five months later after the personal data of 145.5 million people had already been stolen? Remember reading about the lawsuits that are just now starting to bombard Equifax because they failed to respond to a security patch in a timely manner? Yeah, this is that... except it is on YOU to patch your networks to prevent being vulnerable (read as liable) if your network gets penetrated using this attack.
What do I do now?
As our customer, or simply a person that uses wifi to browse the internet, here are a few things you should know to help you remain relatively safe for now.
- If you have both a staff-only and public wifi at your work location, always keep your smartphones and tablets on the public or guest wifi. That keeps them off your office network. This attack DOES affect smart devices and they can be used to penetrate the work network and gain access to other resources, such as computers and financial systems. Of course, keep your work-laptops on the company staff wireless. This keeps the devices separate and your phone can't be used to gain access to your computer systems.
- To make use of this exploit, an attacker has to be physically within range of your wireless network, so they need to be in the building, or the parking lot, or somewhere close enough to reach it. This does NOT affect wired networks.
- If you have the capability to do so, monitor the wireless devices on your network and immediately disconnect any rogue devices you don't recognize. Trust me, if Jane from accounting can't get her iPad online, she'll let you know shortly. But if it's someone else that doesn't belong on your network, blocking their MAC address is a good start.
- Try to do all your browsing with secure sites. I realize that sounds ridiculous to some, but many end-users don't know what that means. Here is an example:
  - Going to a website with http://mywebsite.com is not secure.
  - Going to a website with https://mywebsite.com IS secure.
  - See the difference? (Hint: notice the "s" after the http?)

  If you are browsing sites such as gmail.com, they will automatically redirect you to the secure version of the site. But you can always put https:// in front of the web site you're trying to access to be sure you get the secure version of the site. Secure site traffic can't be viewed or sniffed remotely as long as the site has updated security, and most of the common ones you would visit today do.
- If you have to use mobile devices on the internet and you aren't sure your routers are patched, consider using mobile data instead of wifi until you know you have been patched.
- Do not forget to patch your IoT devices! This will likely be your responsibility rather than your IT department's, depending on what you have in your location. Things like wireless cameras, smart home devices, Blu-ray players, game consoles, and a variety of other devices like these will NOT be quick to be patched, if they are patched at all. Only customer complaints can force those companies to upgrade their device security, and some of them might be very slow to do so.
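
For the monitoring step in the list above, one way to spot devices you don't recognize is to compare your router's DHCP lease list against an inventory of known devices. This is an added example, not part of the original article; the dnsmasq-style lease format, the sample leases and the inventory below are constructed assumptions.

```python
import re

# Constructed sample in dnsmasq lease format: expiry, MAC, IP, hostname, client-id
SAMPLE_LEASES = """\
1508166000 3c:22:fb:10:aa:01 192.168.1.20 janes-ipad 01:3c:22:fb:10:aa:01
1508166300 A4:5E:60:C2:0B:7F 192.168.1.21 front-desk-laptop *
1508166900 da:a1:19:4f:33:9c 192.168.1.57 * *
1508167200 00:1d:c9:77:12:e4 192.168.1.58 android-3f9a *
not a lease line
"""

# Hypothetical inventory of devices you recognize, keyed by MAC address.
KNOWN_DEVICES = {
    "3c:22:fb:10:aa:01": "Jane's iPad (accounting)",
    "a4:5e:60:c2:0b:7f": "Front desk laptop",
}

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

def normalize_mac(mac):
    """Return the MAC in lower-case colon form, or None if it is not a MAC."""
    mac = mac.strip().lower().replace("-", ":")
    return mac if MAC_RE.fullmatch(mac) else None

def is_randomized(mac):
    """True if the locally-administered bit is set (typical of private MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def find_unknown_clients(lease_text, known):
    """List leases whose MAC address is not in the inventory."""
    known_macs = {normalize_mac(m) for m in known}
    unknown = []
    for line in lease_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # too short to be a lease record
        mac = normalize_mac(fields[1])
        if mac is None or mac in known_macs:
            continue  # malformed line, or a device we recognize
        unknown.append({"mac": mac, "ip": fields[2], "hostname": fields[3],
                        "randomized": is_randomized(mac)})
    return unknown

if __name__ == "__main__":
    for c in find_unknown_clients(SAMPLE_LEASES, KNOWN_DEVICES):
        note = " (randomized MAC, may be a staff phone)" if c["randomized"] else ""
        print(f"UNKNOWN {c['mac']} {c['ip']} {c['hostname']}{note}")
```

A MAC address can be changed by whoever controls the device, so treat this list as an inventory aid for spotting surprises, not as proof of who is connected.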
What does this mean for older equipment?
Unfortunately, this is going to suck for a lot of people. There's no way around it. In a perfect world you would be able to hold someone accountable for your losses, but this isn't a perfect world. This is one of those "you get what you pay for" lessons in life we try to warn people about.
If you're running a $70 wireless router that's five years old there is a pretty good chance no one is going to issue a patch for it. It's too old for the manufacturer to invest time and money in bothering to fix. If you have a mainstream router or access points, brands such as Linksys, Netgear, Cisco, Ruckus, Ubiquiti, then you can probably expect a patch to be forthcoming shortly. Keep in mind, just because patches are available doesn't mean they apply themselves. If you're not maintaining your network security, it's not going to maintain itself.
What are the chances I'll get hacked?
What are the chances you'll get killed in a head-on collision when you leave to get Starbucks later today? The risk is always there, but you probably don't even think about it until you're driving and hear the sound of brakes locking up and tires squealing and see the growing front bumper of the sedan in your rear-view mirror. THEN you stop for a second and think about it, right?
This is the same. No one, especially me, is going to say "you're safe. No one will bother hacking you." That's just not something we can say with certainty. The fact that this kind of attack requires someone to be physically nearby to implement is somewhat good news. Hackers can't sit across the internet in Bigjerkistan and get to you. They need to be in the building, the parking lot, or somewhere in range of your network the first time to get in.
The concrete thing we can warn you of is liability. If you get "hacked", and you weren't patched due to negligence on the part of your business, then you are open to liability. As of today, the entire world knows of this security hole. Therefore, as of today, you're on notice that you're liable if you get hacked and someone decides to sue because it is later discovered you weren't patched accordingly. If you run a business and you find out your door locks are vulnerable to anyone with a key from Walmart and you didn't change your locks, then yes, that's liability and you're on the hook for it.
If you have a managed services provider, call them and talk about it. A word of caution - don't necessarily expect them to have any idea what you're talking about. As of 11:05 AM EST on October 16, 2017 this information is only a few hours old. If I hadn't been sitting here drinking coffee two hours ago reading the news, I might not know about it yet either. Don't expect them to have a solution today, or even this week. They are at the mercy of the manufacturers to release a patch for them to implement on your network. I'd expect this issue to take a few weeks to get resolved across managed service providers.
If you don't have a managed services provider, well... I'd suggest you get one. Meanwhile, use the steps we outlined above to stay as safe as you can until your network is patched. If we come up with any new information or steps we think you should take to remain safe, we will update this article accordingly so feel free to share it with friends or colleagues.
If we can be of assistance, feel free to contact us.
AUTHOR'S EDIT #1:
As of a few minutes ago, Bleeping Computer has a list of vendors and their patch status available here.