Flaw let’s hackers read data over secure WIFI

Yes this is real. Yes it is bad. Yes it’s going to take some time to fix.

You will need to carefully think about how you use wifi for your devices. My recommendations off the top of my head are as follows

1) Do not use wifi in public spaces if you are doing anything that needs to be kept private. Even HTTPS can be vulnerable in these environments.
2) Switch to Cellular Data to do banking and personal information sharing
3) Check with your ISP if your modem and wifi are in the same device.
4) Use a cable to connect your laptop at home if possible, until a fix can be applied to your setup.
5) If you can and know how, use a VPN service.

Back in the day it was common for people to drive around and see what WIFI was open so they could break in or use your wifi for their own pruposes. This could cause a revival of this behaviour.

Belgian researchers have discovered a flaw in a widely used system for securing Wi-Fi communications that could allow hackers to read information that was previously understood to be encrypted, or infect websites with malware, they…
CBC.CA
 

Cisco 2014 Annual Security Report: Why the Before/During/After Approach to Security Offers Better Protection from Threats

Cisco 2014 Annual Security Report: Why the Before/During/After Approach to Security Offers Better Protection from Threats

Security and the Internet of Things, redux…

It seems like everyone wants to talk about smart devices these days.  Since Google bought Nest, an explosion of discussion about the Internet of Things has sprung up, centering on conversations about privacy and security.  The fact that this debate has been started by Google of all companies, the proverbial good guy in the fight for enterprise stewardship and good intentions is somewhat ironic, but the real irony is that we are having this conversation at all.  These devices have been available for ages.  It’s the media fuelling the debate, they’ve practically designed it to fill the dead air between 2013 best of lists and the olympics.  There are so many other things that we do where we haplessly give away information that is far more dangerous than the threat of some bored kid turning your heat up or down. Or is there?

In the space of things “bigger than a watch but smaller than a refrigerator” to be afraid of I want to talk about an example most people wouldn’t include : those quaint little family stickers you put on the back of your people mover.  

Consider the Family Set.  We’ve all seen them – Dad in a baseball hat, bat in hand, Mom with a briefcase, wearing a power suit, Little Jimmy as a mini-me version of dad, little suzi with her violin, and maybe Furry Purry the cat.  Aww.  It’s so cute. The thing is you’ve given away everything that someone needs to do real harm to you and your family.  With some careful inferences and something that psychics use called the Barnum effect, I can commit some very large hacks against your family.

1) Dad likes Baseball – I can infer he likely plays or is on a team

2) Little Jimmy likes ball too – Dad probably put him on a team, and maybe he even coaches

3) Mom is a professional – she likely works pretty long hours

4) Dual income? 2 Kids? Middle class family

5) Little suzy and her violin – with Baseball, work and music lessons, this is a busy family, spending lots of time away from home

6) Cat but no dog?  No one home and no one to bark when I break the window

7) Thanks to your ultimate vehicle tattoo – I can now recognize your vehicle on the street, in the parking lot at the mall, and at your place of work.  Maybe I even recognize you at the school where you drop of the kids.  Wherever I find you, I can track you now.  I can follow you home.  I can read your mail.  Now I know your name. 

This is where things get really scary if you aren’t already.  There are any number of scenarios that someone can use this information to perpetrate a social engineering hack against you.  

Aunt Wiki tells us “Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.”

Let’s say I intend to use this information to break into your house.  How many of you give your keys to a neighbour?  Possibily many of you.  What would happen if, lets say in the middle of the day in the summer I started knocking on doors with the following story

“Oh hi! I’m a friend of Jerry and Dawn’s.  Jerry got held up coaching his sons little league game and Dawn is out at music lesson’s with their daughter.  They asked me to come check on the cat and said you would have a key? Have I got the right place? ”

There are a couple of things going on here – 

1) I’m using personal information that it is assumed only someone in the inner circle would know

2) I’m deflecting my true purpose – I’ve asked if I have the correct location, not if I could have the key.  I’ve inferred that getting the key will be no problem.  Instead, I’m putting your neighbour off centre by asking them to corroborate a different question. This achieves both the psychological destabilizing and soliciting info about whether this is the neighbour with the key, or if one exists. From there, I repeat till I have the key, and … well you can see where this is going.

I got all this with a sticker.  Google wants to collect much more specific information about you , including whether or not you are currently at home, when you are typically away and when you get back.  Each of us will have to weigh the pros and cons of convenience against privacy.   Just don’t get lulled into the false sense of security given just because someone wrote “Don’t be  evil” in the business plan…