Posts

Tom Cross Joins Forbes Technology Council

We are pleased to report that our CTO, Tom Cross, has been accepted into the Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs and technology executives.

Tom joins other Forbes Tech Council members, who are hand-selected to submit thought leadership articles on Forbes.com. As an expert in cyber security, cyber conflict, malware and vulnerability research, Tom will cover these topics and more.

In his first article for Forbes, Tom weighs in on recent changes to international export controls covering computer network intrusion software.

The Wassenaar Arrangement is a governing body that crafts export control rules for technology with military and civilian applications. There are 42 member states that are party to the Wassenaar Arrangement, including the United States.

The new rules represent a significant victory for computer security practitioners, since they remove obstacles that have interfered with the ability of researchers in different countries to exchange security intelligence on vulnerabilities and malware.

In the article, Tom explores the reasoning behind the old rules, why they were flawed and how the new changes will benefit the cyber security industry. He also discusses why, despite this important victory, more work remains to be done before the new rules are implemented in the United States. You can read Tom’s full article here.

What You Need to Do – Major Wifi Encryption Vulnerability

The vulnerability:

A set of significant vulnerabilities has been disclosed in the encryption of Wifi networks (specifically the WPA2 protocol). An attacker who is within range to connect to a Wifi network can exploit these vulnerabilities to completely decrypt traffic as well as manipulate or inject data. These vulnerabilities impact nearly every vendor of Wifi client software. The impact on Linux and Android devices is particularly severe.

How to mitigate:

The best way to mitigate these vulnerabilities is to install patches. The vulnerabilities impact multiple vendors, so CERT/CC is hosting a webpage with links to security advisory and patch information for each affected vendor. This page will be updated over time as new patches are released: http://www.kb.cert.org/vuls/id/228519

Deploying a second layer of encryption can be a useful mitigation while patches are unavailable. The simplest way to achieve this is to require users on Wifi networks to employ their corporate VPN clients while connected to Wifi. An ACL or firewall rule could be used to block traffic from the Wifi network to every destination other than the VPN.

Switching your Wifi network from WPA2 to WEP encryption is not advised, as WEP has more significant security problems.

Learn more:

A detailed description of the vulnerabilities and the research surrounding them is available at this link: https://www.krackattacks.com

Briefly, the vulnerability impacts the WPA2 protocol. Part of the handshake for that protocol can be replayed to a client, causing the client to reuse an old encryption key. This key reuse can lead to effective cryptanalysis and decryption. In the case of Linux and Android devices, the encryption key can be reset to an all-zero key, with catastrophic consequences.
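
The following is an added illustration, not code from the researchers or from any Wifi vendor. It shows why reusing a key with a reset packet counter breaks confidentiality, and why an all-zero key leaves nothing secret. Assumptions: `ToyClient`, the SHA-256 keystream (a stand-in for the AES counter mode used by WPA2), the `patched` flag (modelled as a client that ignores reinstallation of a key already in use) and all sample traffic are constructed for the example.

```python
import hashlib

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Toy counter-mode keystream (SHA-256 stand-in for the AES counter mode in WPA2).
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

class ToyClient:
    """Hypothetical client model: a per-packet nonce counter under a session key."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.nonce = patched, None, 0

    def install_key(self, key: bytes) -> None:
        # Modelled fix: a patched client ignores reinstallation of the key in use.
        if self.patched and key == self.key:
            return
        self.key, self.nonce = key, 0  # installing a key resets the counter

    def send(self, plaintext: bytes):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

KNOWN = b"GET /index.html HTTP/1.1\r\n"   # constructed, predictable traffic
SECRET = b"password=correct-horse\r\n"    # constructed, sensitive traffic

def replay_scenario(patched: bool):
    client = ToyClient(patched)
    key = b"constructed-session-key"
    client.install_key(key)
    n1, c1 = client.send(KNOWN)
    client.install_key(key)               # handshake message replayed to the client
    n2, c2 = client.send(SECRET)
    # With equal nonces the keystreams cancel: c1 ^ c2 == KNOWN ^ SECRET.
    return n1 == n2, xor(xor(c1, c2), KNOWN)

def zero_key_scenario():
    client = ToyClient(patched=False)
    client.install_key(bytes(16))         # all-zero key: nothing secret remains
    nonce, c = client.send(SECRET)
    return xor(c, keystream(bytes(16), nonce, len(c)))

if __name__ == "__main__":
    print("unpatched:", replay_scenario(False))
    print("patched:  ", replay_scenario(True))
    print("zero key: ", zero_key_scenario())
```

In the unpatched run the two packets share a nonce and the sensitive bytes fall out of the two ciphertexts plus the predictable request; in the patched run the counter keeps advancing and the same computation yields noise.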