UPDATE3: On a website dedicated to the “Key Reinstallation Attacks,” https://www.krackattacks.com/, the researcher who brought attention to this vulnerability describes what it is, presents a demo of the attack against an Android device as client, and suggests practical steps in a rich Q&A article.
UPDATE2: More companies have updates available. Microsoft also has released an update for client devices. (Source: Pileum Corporation)
If you have a Meraki access point, they have released a patch to address this issue. See below link for more information.
If you have an Aerohive access point, they have released a patch to address this issue. See below link.
SonicWALL has announced that their firewalls and access points are not vulnerable to the flaws in WPA2.
Cisco has released patches for some of their products that are affected. You can check for those products and updates as they are released here:
Microsoft has released a patch that provides additional protection on the client workstation. We recommend that this be installed on all workstations immediately.
UPDATE1: Several Wi-Fi AP manufacturers have started developing and releasing Updates. Please check the CERT website below for updates. One of the most recent ones is Meraki access point.
In a research paper titled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA,” Leuven, Belgium researchers Mathy Vanhoef and Frank Piessens just proved that WPA2 handshake traffic can be manipulated to induce nonce and session key reuse. Here is an overview of the announcement from CERT:
Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames.
The simplest solution is to install updates provided by your Wi-Fi device vendor.
More on this here:
Just as as announced in June 2017, Google just released this July 12 2017 a brand new product called Backup and Sync. In addition to brand new functions like backing up pictures and files from USB connected media, this tool comes to gather the functionalities that were present in Google Photos and Google Drive into one product.
Backup and Sync for Google Photos and Google Drive is available for Mac and Windows comes to move your clutter from your desktop into the cloud. Backup and Sync can be customized to only sync certain folders, to ask you what and where to delete files, and so forth. You can read more about it
With that said, if you are an Enterprise, Business, Education or Nonprofit user, Google made sure to mention that Backup and Sync is not for G Suite users just yet. These will need to wait for Drive File Stream (to be released to “soon” to the public as of the publication of this article).
Google Backup and Sync for Mac
Some Security Considerations
Having all your data stored on the cloud could be a good or a dangerous thing, though. If you already used Google Drive or Google Photos you most likely understand the risks attached to having your life in the cyber cloud. The risks include having all your data stolen by anyone with your password if the password is your last line of defense. So, if you are going to use this or any of the cloud storage of personal or corporate data that is not for public release, please add 2-step authentication as part of your security practices. We would recommend it for all of your accounts where possible.
If you are like me, you did not want to open an apparently random text from firstname.lastname@example.org or whatever the email@example.com that just came to your phone. So you did a quick search in your favorite search engine and this article came up.
So, nothing to worry about. It’s just your optometrist or your dentist (one of those medical professionals you recently visited) reminding you of an appointment or a prescription to pick up.
Alright, with that said, here is a little disclaimer: be careful! Some crazy dude could forge this and spoof that sender’s email address. So, do not download or open any attachment if you can help it. First call your doctor to confirm (or check your email) and see if they sent you any notification.
Great! I hope you have a some peace of mind now. I did once I was reassured and run the antivirus and all the good stuff any cautious person would wanna do.
And, oh, one more thing. If you have considered blogging on WordPress.com or Jetpack before, get it it now! They have a 30% Off promotion if you use coupon code HOLIDAY30 by December 31, 2017.