(source: krebsonsecurity.com)

Researchers this week published information about a newfound, serious weakness in WPA2— the security standard that protects all modern Wi-Fi networks. What follows is a short rundown on what exactly is at stake here, who’s most at-risk from this vulnerability, and what organizations and individuals can do about it.

Short for Wi-Fi Protected Access II, WPA2 is the security protocol used by most wireless networks today. Researchers have discovered and published a flaw in WPA2 that allows anyone to break this security model and steal data flowing between your wireless device and the targeted Wi-Fi network, such as passwords, chat messages and photos.

“The attack works against all modern protected Wi-Fi networks,” the researchers wrote of their exploit dubbed “KRACK,” short for “Key Reinstallation AttaCK.”

“Depending on the network configuration, it is also possible to inject and manipulate data,” the researchers continued. “For example, an attacker might be able to inject ransomware or other malware into websites. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.”

What that means is the vulnerability potentially impacts a wide range of devices including those running operating systems from Android, Apple, Linux, OpenBSD and Windows.

As scary as this attack sounds, there are several mitigating factors at work here. First off, this is not an attack that can be pulled off remotely: An attacker would have to be within range of the wireless signal between your device and a nearby wireless access point.

(source: wired.com)

A vulnerability in Wi-Fi encryption has sent the entire tech industry scrambling; the so-called Krack attack affects nearly every wireless device to some extent, leaving them subject to hijacked internet connections. In terms of scope, it doesn’t get much worse—especially for the Internet of Things.

The extent of the Krack fallout remains to be seen. Security analysts say it’s a tricky vulnerability to take advantage of, and major platforms like iOS, macOS, and Windows are either unaffected or have already been patched. But given the millions of routers and other IoT devices that will likely never see a fix, the true cost of Krack could play out for years.

“For the general sphere of IoT devices, like security cameras, we’re not just underwater,” says Kevin Fu, a computer scientist at the University of Michigan who focuses on medical device security. “We’re under quicksand under water.”

Krack exposes just how deeply those problems run—and how slowly the industry has moved to fix them.

Catastrophe

Whatever advice you may have heard for dealing with Krack, only one actually has tangible benefit: Patch your devices. (You can find a running list of companies that have provided one here.)

If you have an iPhone, Mac, or Windows computer, you really should patch right now. If you have an Android device, an update’s in the offing, though it may take some time to reach you if you have anything but a Pixel or Nexus. But after that, you're all set! Those are in good shape.

“We’re probably still going to find vulnerable devices 20 years from now,” says HD Moore, a network security researcher at Atredis Partners.

That’s because even under the best of circumstances, IoT devices rarely receive the necessary software updates to correct security issues. For a problem as complex as Krack, which impacts the industry at a protocol level and requires a coordinated effort to fix, in many cases your best bet is just to buy new equipment once patched options are on the market.

The challenges also go beyond the mere availability of a patch. Take Netgear. To its credit, the company made fixes available for a dozen of its router models the day that Krack went public. But it makes over 1200 products, each of which needs to be tested for specific Krack impact. In many cases, Netgear also can’t make those fixes alone; it needs its chipset partners to tackle the issue as well.

(source: linuxinsider.com)

Many software developers and enterprise users have been lax or oblivious to the need to properly manage open source software, suggest survey results Flexera released Tuesday.

Companies are not mindful of open source components and fail to monitor security implications, according to the report, which highlights the consequences of failure to establish open source acquisition and usage policies, and to follow best practices.

Flexera polled more than 400 commercial software suppliers and in-house software development teams within enterprises about their open source practices.

More than half of the software products currently in use contain open source components, based on the survey's findings.

Open source software allows companies to be nimble in their development, but the risks and security implications are grossly overlooked and not adequately managed, according to Flexera's research team.

"We did this study to put some numbers behind what we have been seeing with open source developers over the last decade," said Jeff Luszcz, vice president of product management at Flexera.

What is still surprising in 2017 is how little process and control there is around the use of open source and commercial code in software development, he told LinuxInsider.

(source: informationweek.com)

Organizations frequently overlook printer security, leaving systems exposed to malware and theft. New tools aim to lessen the risk.

PC security has become a priority for security leaders following global ransomware attacks earlier this year. If they didn't before, everyone from CISOs to everyday consumers knows it's a bad idea to ignore security updates or use simple, breakable passwords.

This heightened awareness does not extend to printers, however, and hackers are exploiting poor printer security practices.

"Unlike PCs, where there's a full appreciation for the need to secure those devices, there's much less awareness to the need to secure print devices," says Ed Wingate, VP and GM for HP's JetAdvantage Solutions, noting that strong security practices for protecting PCs and other nodes on the network are not consistently deployed to printers.

Weak link in the IoT

Sam McLane, who runs the security engineering team at Arctic Wolf, says he is far less concerned about today's printers than about yesterday's printers. Many organizations, especially smaller ones, use printers around five to eight years old, and haven't updated them.

"Printers, specifically, have a much longer shelf life than any of the other IoT devices, and they were the earliest of the adopted devices," he explains. "People will run them into the ground and then some before they start replacing them."

This poses an especially big problem to small offices using consumer-grade devices, McLane continues. SMBs don't have the need or budget for high-end enterprise level printers, and make the mistake of sending corporate data into the cloud with lower levels of protection on a device meant to be in someone's house and not necessarily in a corporate environment.

"Someone could get into a computer via malware; printers advertise themselves well," says McLane. "If a laptop or desktop gets compromised, a printer is a great spot to put malicious code that everyone talks to … it's a built-in platform to launch attacks."

Common printer slip-ups

Most frequent mistakes include employing weak or default passwords, and neglecting to update firmware. "Printers are not always updated with the latest firmware," HP's Wingate adds. "In fact, we see heavy use of old firmware with printers, some with known vulnerabilities that are not being patched to the latest version. That represents an opportunity for hackers to come in."

Mismanagement of printer settings and ports leaves the door "wide open" for remote entry onto devices and into corporate infrastructure, he continues. Lack of active monitoring for printers also leaves businesses vulnerable to unauthenticated actors.