You have probably heard a good deal about the earlier discovered and recently publicized flaw in WPA2 encryption used by WiFi providing devices. This flaw allows attackers in close proximity of your WiFi providing device to “read” your data from what you thought was a secured connection. This includes your home and cellphone WiFi devices.
Even if your WiFi providing device is vulnerable, and currently under attack, you can still safely use your WiFi signal, IF you do one of the following:
1. Install and properly configure a personal VPN (virtual private network) client on every device using the WiFi connection. Example: PrivateInternetAccess.com
2. Connect to your corporate/business systems by way of their Corporate VPN.
3. Access ONLY web sites that are fully encrypted. These websites will have the httpS prefix to every website page.
Using any of these three ways to access your data is still safe despite the recent vulnerability. Each way makes your data “unreadable” to the attackers. Everyone should be using a personal VPN anyway to anonymize their Internet traffic.
Update your WiFi device as soon as patch software becomes available.
Brian R. Kunick is a CIO/CSO servicing the operational and security requirements of the enterprise.
Brian, I like the point about using a personal VPN. Do you have any recommendations on types of VPN?
I would recommend doing some research to find the one that you feel is best for you.
All of my devices are secured with PrivateInternetAccess.com. They are one of the only VPNs that do not collect and store any data regarding your data usage. If nothing is stored, nothing can be compromised by someone else. It seemed most of the other VPN providers do collect and store at least some data regarding your usage. The price included up to 5 devices.
Let the group know what you decide to use, and which features you found most beneficial!
I find #3 not practical at all. There are plenty of legit sites needed for my work as a software developer, where I get patches, libraries, etc., which are NOT https.
This is a good reason to use a personal VPN such as PrivateInternetAccess.com.
These are all good ideas in principle. Unfortunately, in a large application where you have many diverse types of devices using WiFi for lots of reasons, this just doesn't scale. And even if you could engineer it, rolling it out quickly is almost impossible in any kind of production environment. Possibly good advice for home users, but it doesn't seem like a practical solution for a work environment. Some other additional form of network access control that can be rolled out quickly, that doesn't reach up to the application level and impact installed software, seems like a better approach. I know it's a kludge and not a complete fix, but something like MAC address whitelisting as part of a defense in depth. This might at least buy you a little time to come up with something more permanent and more rigorous.
This is a perfect reason highlighting the importance of using a personal VPN such as PrivateInternetAccess.com.
Does anyone know if there is a list of patched WiFi devices posted online? For example, Apple router, Cisco, etc.
I know I can go to their respective vendors. I thought I would ask first, before making a list.
In the home arena, given that New Zealand is 90% made up of Small to Medium Enterprises (SMEs) with up to 4 people only, although people are aware of the issue, there are only a number of options available:
1) Change Router by purchasing another one - quite a few have taken this approach
2) Request an update from their broadband supplier - probability - low
3) Use web sites such as: https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vu... or forums
4) Just hope they are not affected or live in a large block of land with a 300 metre gap around them.
5) Just don't bother at all, or take the approach of "it just won't happen to me"
6) Or simply wait for a patch eventually.
Thanks Bruce, no, I don't think this is inefficient; even my organisation suspends VPN connections after a period of time, as a means of reducing the overall footprint.
I agree with your point "C". Many think I am inefficient turning my WiFi on and off, but it is a small step to take to ensure security.
Great points - thanks!
Good succinct advice, and it touched off a good discussion of some finer points, especially around HTTPS. But I think there is a wider perspective in all this. That is, never rely on an access point alone to secure your communications. The discussion is reminiscent of concerns over (wired) network security when people first started putting open access points into their offices. Securing the access points was really a distraction from the underlying issue, which was that once inside a network, there was no security and never was. For all the intervening time, we still seem caught in the same Tootsie Pop mentality: Cover our soft and chewy networks with a single "hard" layer. We freak out when someone bites into that hard outer shell, but the real problem is the lack of additional network encryption.