There’s a new KRACK in town …
Posted by Stickyweb in Consulting, Rants | 0 comments
There’s a new KRACK hack that puts pretty much every WiFi network at risk … but the media isn’t making much of a fuss!
Due to new vulnerabilities discovered in WPA2, the most widely used Wi-Fi security protocol, virtually every device that uses it is now vulnerable to attack.
To ease your mind – an attacker would have to go to some lengths to exploit this flaw – so your home network is probably not much of a target … but institutional networks (e.g. universities) & public networks that require a password are legitimate targets.
To explain in simple terms, KRACK allows a hacker to interfere with a process called the four-way handshake, which goes something like:
“Hi I want to connect”
“What’s the password?”
“Clever Pa5sw0Rd”
“OK you’re in – here’s an encrypted connection”
Because the hacker interferes with the initial handshake they may be able to decrypt the traffic you exchange over WiFi. This means they’re able to do many, many bad things without even being on the network. Bad things? Like being able to intercept, modify & forge fake data & theoretically be able to inject ransomware or other malware into otherwise safe websites.
If you have a USB drive or are attached to a NAS (Network-attached storage) then it’s a data free-for-all.
It’s worth keeping in mind that in order to pull off such an attack, a KRACK hacker would need to be in your device’s Wi-Fi range and impersonate a network that your device already trusts and would attempt to connect to.
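The name KRACK stands for Key Reinstallation Attack: if the access point's confirmation message (message 3 of the handshake) is replayed to an unpatched client, the client installs the same key a second time and resets the packet counter (nonce) it uses for encryption, so the same keystream ends up protecting two different packets. The fix vendors ship is simply for the client to refuse to reinstall a key that is already in place. The following toy model is an added illustration, not code from this post or from any Wi-Fi vendor; the key derivation, the hash-based keystream and the sample packets are all constructed stand-ins for the real WPA2 primitives, and exist only to show the difference between a vulnerable and a patched client.

```python
import hashlib
import hmac


class Supplicant:
    """Simplified model of the client side of the WPA2 four-way handshake.

    Assumptions (not from the post): the pairwise key is derived with a toy
    HMAC in place of the real PRF, and encryption is a hash-based keystream
    XOR in place of AES-CCMP. What matters is the nonce handling.
    """

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None            # pairwise transient key, installed by message 3
        self.installed = False
        self.nonce = 0             # per-packet counter; must never repeat under one key
        self.used_nonces = []      # record of every nonce used, for auditing

    def derive_ptk(self, pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
        # Constructed stand-in for the WPA2 key-derivation function.
        return hmac.new(pmk, b"pairwise-key" + anonce + snonce, hashlib.sha256).digest()

    def receive_msg3(self, ptk: bytes) -> str:
        """Handle message 3 of the handshake (the AP's "OK you're in").

        A vulnerable client reinstalls the key on every copy of message 3 it
        sees, which resets the nonce to zero. A patched client installs the
        key once and ignores any retransmission after that.
        """
        if self.installed and self.patched:
            return "ignored retransmission"
        self.ptk = ptk
        self.installed = True
        self.nonce = 0
        return "installed"

    def encrypt(self, plaintext: bytes) -> bytes:
        """Encrypt one frame; nonce reuse is what makes traffic recoverable."""
        if not self.installed:
            raise RuntimeError("no key installed")
        self.nonce += 1
        self.used_nonces.append(self.nonce)
        keystream = hashlib.sha256(self.ptk + self.nonce.to_bytes(8, "big")).digest()
        return bytes(p ^ k for p, k in zip(plaintext, keystream))


def nonce_reused(supplicant: Supplicant) -> bool:
    """Audit check: did this client ever use the same nonce twice under one key?"""
    return len(supplicant.used_nonces) != len(set(supplicant.used_nonces))


def simulate(patched: bool) -> dict:
    """Run the handshake, send a frame, replay message 3, send another frame."""
    client = Supplicant(patched)
    # Constructed sample values; a real network negotiates fresh random nonces.
    pmk = b"\x11" * 32
    anonce = b"\x22" * 32
    snonce = b"\x33" * 32
    ptk = client.derive_ptk(pmk, anonce, snonce)

    first = client.receive_msg3(ptk)
    client.encrypt(b"GET /account HTTP/1.1")       # constructed sample frame
    second = client.receive_msg3(ptk)              # retransmitted message 3
    client.encrypt(b"POST /transfer HTTP/1.1")     # constructed sample frame

    return {
        "first_msg3": first,
        "second_msg3": second,
        "nonces": list(client.used_nonces),
        "nonce_reused": nonce_reused(client),
    }


if __name__ == "__main__":
    for patched in (False, True):
        result = simulate(patched)
        label = "patched" if patched else "vulnerable"
        print(f"{label:10s} nonces={result['nonces']} reused={result['nonce_reused']}")
```

The vulnerable run ends with nonces `[1, 1]` and `nonce_reused` true; the patched run reports the second message 3 as an ignored retransmission and ends with `[1, 2]`. The same audit idea (watch for a client's packet counter going backwards after the handshake) is what patched drivers and some intrusion-detection rules look for.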
What makes KRACK scary isn’t that it’s going to cause mass destruction – but that it exploits a protocol that is used pretty much Everywhere.
The GOOD news is the vulnerability is easily patched, so most software & hardware vendors have already fixed the issue or will do so in the near future.
Your job is to make sure that ALL of your devices are patched as soon as a patch is available.
There are lists published already – such as Owen Williams’ Charged blog – which list the companies that have already fixed it & link to the patches.
So DON’T PANIC … Keep an eye out for patches, apply as soon as possible, and keep in mind that the issue is fixable.
CAN the SPAM
Posted by Stickyweb in Consulting, Rants | 0 comments
A lot of SPAM marketers claim that they are complying with the CAN-SPAM Act of 2003 and so are lawfully clogging your email inbox … The only problem with this is that CAN-SPAM is a USA Act, signed into law by President George W. Bush on December 16, 2003.
Australian Anti-Spam laws are a little different.
As defined by the ACMA:
The Spam Act 2003 prohibits the sending of unsolicited commercial electronic messages—known as spam—with an Australian link. A message has an Australian link if it originates or was commissioned in Australia, or originates overseas but was sent to an address accessed in Australia.
The only exemption is a clause known as ‘inferred consent’ – if your email address is conspicuously published & not accompanied by a statement that commercial messages are not wanted. Which is why I add “Unsolicited Commercial Contact Unwelcome” or words to that effect to the footer of every site I publish.
Does it make a difference?
Possibly not – but it does mean that I can legitimately report EVERY spam email received to report@submit.spam.acma.gov.au & also to spamcop.net, a service I subscribe to.
I take the approach that every little bit helps – and reporting spam can help build a database of serial offenders.