Over the past month our security world took a few hard hits. The reports started with a new WiFi problem called KRACK, followed by news that a vendor's encryption hardware is vulnerable to a flaw called ROCA.
What do these attacks and vulnerabilities mean? Let's talk briefly about each:
KRACK allows an attacker who is physically nearby (within wireless range) to force client computers and mobile devices to weaken and even remove their wireless encryption protection layer. This is concerning and is best handled by patching your devices. All the major vendors have patched this issue at this time (Apple, Microsoft and Android, though Android updates depend on your provider, and so far mobile providers have not applied the patch everywhere).
This attack is worrisome; however, it has limited success because much of our traffic is separately encrypted at a higher layer (for example, HTTPS), and the attacker must be local.
ROCA is a hardware mistake in the security chips used by many devices such as Smart Cards. The City does not use any of these devices, although you may own one personally (this is rare). The fix for this issue is to contact your vendor and obtain a replacement.
(Smart Cards are a second way to authenticate you to a service. The City uses RSA tokens, which are a similar technology.)
The chips in these Smart Cards and other security devices are supposed to generate keys from really reliable random numbers, and they were found not to do that well. As a result, someone can break the encryption of a hard drive or communication channel protected by one of these keys with a relatively small amount of resources. The reports say it costs approximately $70,000 in computer time to break one of these communication channels or encrypted drives. Some say it can be done for less using cloud computing resources.
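The practical question behind "check your vendors" is whether a given key came from an affected chip. The researchers who found ROCA published a fingerprint test for exactly that: the RSA modulus N of an affected key, reduced modulo each small prime p, is always a power of 65537 modulo p, whereas a normally generated key violates this for some small prime with overwhelming probability. The check below is an added example written for this notice, not code from the original notice or from the researchers; it assumes the first 39 primes (the prime set the published test uses for 512-bit keys, and a subset of the sets used for larger affected keys, so those are flagged too), and the two moduli it tests are constructed sample values, not real keys.

```python
"""ROCA fingerprint check on an RSA public modulus (added example).

The test only inspects the public modulus; it never attempts to break a key.
"""
from __future__ import annotations

from math import prod
from typing import Optional

GENERATOR = 65537  # public exponent used by the affected key generator


def small_primes(limit: int = 167) -> list:
    """Return the primes up to `limit` (default: the first 39 primes, 2..167)."""
    sieve = [True] * (limit + 1)
    sieve[0] = sieve[1] = False
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            for j in range(i * i, limit + 1, i):
                sieve[j] = False
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def allowed_residues(p: int) -> set:
    """The set {65537^k mod p : k >= 0}: the only residues an affected modulus can have mod p.
    For some primes (e.g. 3, 5, 7) this is every non-zero residue, so they filter nothing;
    for others (e.g. 11, where the set is {1, 10}) the filter is strong."""
    g = GENERATOR % p
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * g % p
    return seen


def failing_prime(n: int, primes: Optional[list] = None) -> Optional[int]:
    """Return the first small prime at which `n` breaks the fingerprint, or None if it matches everywhere."""
    for p in primes or small_primes():
        if n % p not in allowed_residues(p):
            return p
    return None


def roca_fingerprint(n: int, primes: Optional[list] = None) -> bool:
    """True if modulus `n` matches the ROCA fingerprint, i.e. the key likely came from an affected chip."""
    return failing_prime(n, primes) is None


# --- constructed sample inputs (not real keys) ---------------------------------
# An ordinary RSA-style modulus: product of two arbitrary primes. It already
# breaks the fingerprint at p = 11 (N mod 11 == 9, not a power of 65537 mod 11).
ORDINARY_N = 1000000007 * 998244353

# An integer built to have the fingerprint: congruent to 65537^7 modulo the
# product M of all 39 primes, hence a power of 65537 modulo each of them.
_M = prod(small_primes())
STRUCTURED_N = pow(GENERATOR, 7, _M) + 3 * _M

if __name__ == "__main__":
    # To check a real certificate, take the hex after "Modulus=" from
    #   openssl x509 -in cert.pem -noout -modulus
    # and pass int(hex_string, 16) to roca_fingerprint().
    for label, n in (("ordinary modulus", ORDINARY_N), ("structured modulus", STRUCTURED_N)):
        print(f"{label}: fingerprint={roca_fingerprint(n)} first failing prime={failing_prime(n)}")
```

A match means the key should be treated as weak and replaced through the vendor, as the notice advises; a non-match means the key was not produced by the affected generator, and says nothing else about its strength.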
Both of these issues are mitigated for City-owned systems. Patch your personal computing devices, including phones and tablets, and check with your vendor if you have a Smart Card or other personal security device.