A Guide to Effective Network Penetration Testing


Do you want to discover vulnerabilities before a hacker exploits them? Are you already aware of network vulnerabilities, but need an authority to testify that your network security needs additional investments? Or does your company need penetration testing services to comply with a certain security regulation?

It is useful to become pentest-savvy so you can assess the vendor before and after the penetration test. Here is a guide to the best practices you should expect before, during and after network penetration testing.

Pre-Test Stage

This section lists the activities to pay attention to before a penetration test begins.

  • Define the scope. Regardless of the penetration testing type, state the number of networks, the IP address ranges and subnets within each network, and the individual hosts, so there is no room for misunderstanding. Otherwise, pentesters might leave some systems untested or, worse, attack a third party whose addresses were never yours to authorize.
  • Define the time frame. Penetration testing should not disrupt your company’s everyday business operations. Imagine a pentester using a technique that generates heavy network traffic: at peak hours it could overload the network and bring services down.
  • Decide whether your information security and technical staff should be in the know. There is no bright-line rule here. Unannounced penetration testing is good for assessing the response of your security team, yet that team may slow down the process or even block it, for example by cutting off the pentesters’ internet access.
  • Expect a “get out of jail free” statement from the vendor. This document protects providers of penetration testing services, so don’t be suspicious about signing one. What penetration testers do is break into someone else’s network, which without written authorization is illegal. The statement specifies that all of the pentesters’ operations are permitted and that you are authorized to grant that permission.
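The scope rule above is the one most worth automating, because an address that is not yours to authorize is the one you least want a scanner to touch. Here is an added example (not part of the original guide) of a pre-engagement check a test team can run before the first packet leaves: every candidate target must lie inside the client-authorized CIDR blocks and outside any agreed exclusions. The ranges, the excluded host and the hostnames are constructed for illustration; only the Python standard library is used.

```python
"""Pre-engagement scope check (added example, not from the original guide).

Every target a tester intends to touch must lie inside the client-authorized
ranges and outside any agreed exclusions. The CIDR blocks, exclusion and
hostnames below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """Authorized ranges and carve-outs agreed in the pre-test stage."""
    allowed: list                                  # ip_network objects
    excluded: list = field(default_factory=list)   # ip_network objects

    @classmethod
    def from_strings(cls, allowed, excluded=()):
        # strict=False tolerates host bits set in a block, e.g. "10.0.0.1/24"
        return cls(
            [ipaddress.ip_network(a, strict=False) for a in allowed],
            [ipaddress.ip_network(e, strict=False) for e in excluded],
        )

    def contains(self, target):
        """True only if target lies inside an allowed block and touches no excluded block."""
        net = ipaddress.ip_network(target, strict=False)
        in_allowed = any(net.subnet_of(a) for a in self.allowed if a.version == net.version)
        in_excluded = any(net.overlaps(e) for e in self.excluded if e.version == net.version)
        return in_allowed and not in_excluded


def check_targets(scope, targets):
    """Split a candidate target list into in-scope and out-of-scope entries.

    Anything out of scope should halt the engagement until the client confirms
    it in writing: scanning it may mean attacking a third party. Hostnames are
    rejected here on purpose; resolve them and check the resulting addresses.
    """
    in_scope, out_of_scope = [], []
    for t in targets:
        try:
            ok = scope.contains(t)
        except ValueError:      # not an IP address or network literal
            ok = False
        (in_scope if ok else out_of_scope).append(t)
    return in_scope, out_of_scope


# Constructed engagement: two authorized /24s (RFC 5737 documentation ranges)
# and one production host the client carved out of scope.
SCOPE = Scope.from_strings(["192.0.2.0/24", "198.51.100.0/24"],
                           excluded=["192.0.2.10/32"])
CANDIDATES = ["192.0.2.15", "192.0.2.10", "198.51.100.0/26",
              "203.0.113.7", "198.51.100.250", "db.example.invalid"]

if __name__ == "__main__":
    ok, bad = check_targets(SCOPE, CANDIDATES)
    print("in scope:    ", ok)
    print("OUT OF SCOPE:", bad)
```

Note that a block is rejected as soon as it merely overlaps an exclusion: a /25 that contains the carved-out database host is out of scope as a whole, which is the conservative reading a client will expect.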

Test Stage

This section covers the best practices pentesters follow while conducting network penetration testing. Knowing them helps you judge whether a vendor provides a service of decent quality.

  • Gather as much information about the target as possible. Pentesters use the customer’s website, WHOIS databases and web search engines. Netcraft offers an online data-mining service that monitors the web and provides datasets of visible hosts.
  • Conduct a network survey. This provides pentesters with domain and server names, the IP address ranges owned by the organization, open and closed network ports, and the running operating systems and services. A range of open source and commercial tools is available: Nmap and ZMap for host and port discovery, Metasploit’s auxiliary scanners for probing services, and DirBuster and Burp Suite for enumerating the web applications the survey turns up.
  • Determine existing vulnerabilities. At this stage, pentesters scan the network for vulnerabilities to use in the penetration attempt. Vulnerability scanning can be automated or manual, and a combination of the two boosts effectiveness considerably. Automated scanners such as Nessus quickly cover a lot of ground but produce false positives and false negatives (vulnerabilities reported that do not exist, or real ones missed), so automated results should be verified by hand.
  • Identify suitable targets. Penetration testing is always conducted within the time frame you set, so out of the pool of vulnerable hosts it is essential to choose the right ones and not waste effort on unnecessary work. For example, if a network consists of 1,000 machines and pentesters have determined that most are staff PCs with only 20 servers, it is sensible to choose the servers as the primary targets. The task is often simplified because machine names reflect their purpose (for example, Int_Surf for a computer used for Internet browsing).
  • Attempt penetration. To exploit vulnerabilities, pentesters use standard tools such as Metasploit and Burp Suite, with Wireshark to inspect the traffic involved. Findings are then rated by severity so that the report accentuates the vulnerabilities to be fixed immediately. To test the network at realistic threat levels, however, pentesters need to customize standard tools and employ custom-built exploits.

A common practice at this stage is password cracking. The methods are a dictionary attack (trying words from a dictionary file), a brute-force attack (trying all possible character combinations) and a hybrid attack (dictionary words with mangling rules applied, such as changed case or appended digits).
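To make the three methods concrete, here is an added example (not from the original guide) that runs each of them against the same small set of salted hashes and shows what each one recovers. The hash format (SHA-256 over salt and password), the wordlist and the accounts are constructed so that a different method catches each password; on a real engagement the same logic is what hashcat or John the Ripper does, far faster, against whatever hash formats were actually recovered.

```python
"""Dictionary, hybrid and bounded brute-force cracking against salted hashes
(added example, not from the original guide).

The target format is salted SHA-256 and the accounts, salts and wordlist are
constructed so each method recovers a different password. Real engagements use
hashcat or John the Ripper against the hash formats actually recovered.
"""
import hashlib
import itertools
import string


def hash_pw(password, salt):
    """Target hash format assumed for the demo: SHA-256(salt || password)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def dictionary_candidates(wordlist):
    """Dictionary attack: try each word exactly as it appears in the file."""
    yield from wordlist


def hybrid_candidates(wordlist, suffixes=("", "1", "123", "!", "2017", "2023")):
    """Hybrid attack: dictionary words plus mangling rules (case, common suffixes)."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                yield base + suffix


def brute_force_candidates(alphabet=string.digits, max_len=4):
    """Brute force: every string over the alphabet up to max_len.

    Cost is sum(|alphabet|**n): digits-only to 4 chars is 11,110 guesses,
    full printable ASCII to 8 chars is about 6.6e15, which is why brute force
    is always bounded in practice.
    """
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)


def crack(targets, candidates):
    """targets: {user: (salt, hexdigest)}. Returns {user: password} for hits.

    Per-user salts mean each guess is hashed once per still-unhit account;
    that multiplication is exactly the cost salting imposes on an attacker.
    """
    found, remaining = {}, dict(targets)
    for guess in candidates:
        for user, (salt, digest) in list(remaining.items()):
            if hash_pw(guess, salt) == digest:
                found[user] = guess
                del remaining[user]
        if not remaining:
            break
    return found


# Constructed wordlist and accounts (plaintexts shown only to build the hashes).
WORDLIST = ["password", "summer", "admin", "letmein"]
_PLAINTEXTS = {"alice": "summer", "bob": "Summer2017",
               "carol": "4815", "dave": "Tr0ub4dor&3"}
TARGETS = {user: ("salt-" + user, hash_pw(pw, "salt-" + user))
           for user, pw in _PLAINTEXTS.items()}


def run_all():
    """Run each method against the same hash set and report what it recovers."""
    return {
        "dictionary": crack(TARGETS, dictionary_candidates(WORDLIST)),
        "hybrid": crack(TARGETS, hybrid_candidates(WORDLIST)),
        "brute_force": crack(TARGETS, brute_force_candidates()),
    }


if __name__ == "__main__":
    for method, hits in run_all().items():
        print(f"{method:12s} recovered {hits}")
```

The dictionary pass finds only the bare word, the hybrid pass adds the capitalized-plus-year variant, and the digits-only brute force finds the PIN-style password; the long random password falls to none of them within the time frame, which is the result a report should say explicitly rather than leaving the account unmentioned.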

Additionally, pentesters may resort to social engineering. This technique involves interacting with your staff to fish for critical information, for example credentials.

Post-Test Stage

The network penetration itself is over, but the penetration testing procedure isn’t. Two important stages remain: report generation and cleanup.

  • Report generation. A well-structured report is a helping hand in risk management. Expect it to open with an overview of the penetration testing process, followed by the most critical network vulnerabilities that need to be addressed first, and then the less critical ones.
  • Cleaning up. Pentesters’ code of practice does not allow them to leave any surprises (backdoors or leftover tooling) in your network. To keep it clean, pentesters should maintain a detailed record of every action performed throughout the stages of the test. Still, a double check by your own security staff won’t go amiss.

Source

Protecting Your Data: The Future Is Now

If you could spend just a few minutes talking to your high school self about life in the future, how do you think your younger self would react? What would you say about this thing called the internet, or smartphones, or always-listening virtual assistants or self-driving cars?

But then the conversation takes a dark turn as you explain crimes like hacking and data breaches and identity theft, telling Teenager You that your identity has been stolen repeatedly over the years by cybercriminals and scammers. You explain to the wide-eyed innocent version of yourself what credit monitoring is, and how you have to check your credit reports from time to time to make sure no one is using your Social Security number to commit fraud. You describe changing your email password every time someone hacks your account, sending spam messages to your contacts list.

There’s a good chance your younger version is tuning out, eyes glazing over, wondering about this dark future laid before you.

Fortunately, the future is not all that bleak, and technological innovation over the past few decades has certainly changed life for the better. However, wouldn’t it be great if you did have the chance to talk to a “you” from the future to understand some of the risks that innovation can bring?

Now that we understand the risks associated with new technology, we can start paying closer attention to how that tech can affect our privacy before a criminal can use it against us. Autonomous ride-hailing services, facial recognition scanning for identification, microchips implanted under our skin, medical devices that connect to our physical bodies while also connecting to the internet…there is an exciting world of change happening, and now is the time to think about how it will impact our personal privacy and security.

We’re coming up on an era when artificial intelligence (AI) will be implemented in far more ways than ever before. That means our every word, internet search, and social media comment can be used to help develop the “personality” of robots and to create a more customized approach to a very impersonal world wide web. Are you prepared to hand over the keys to your privacy? If not, how do you plan to protect your information and your activity?

Some future technologies may be required for practical daily life, like online forms for school registration and autonomous capabilities in our vehicles. Are you prepared to put your child’s identifying information on the internet in order to attend school? Are you comfortable with ride-sharing apps on your smartphone that can track your location?

Be aware of your personal data security and take steps to make sure it stays safe. In this era of oversharing and connectivity, it’s important to be proactive about where your information goes and who can see it, both in the present and the near future.

Source

How to lock apps on iPhone?

Written By Subhali Mukherjee

In my previous articles, I have shown you how to lock your iPhone (so it’s safe from unwanted handlers). But what if you want to keep certain applications out of reach of other users? Apple gives you a way to do that too. In this post, let’s look in detail at how to lock apps on iPhone.

What Restrictions does here is hide the apps you disable: they are removed from the Home screen entirely, so the user can’t see them at all. Here’s how:

Step 1 : From your Home Screen, navigate to Settings > General > Restrictions.

Step 2 : Tap on Enable Restrictions.

Step 3 : You will be taken to a screen asking you to enter a Restrictions passcode. Enter your desired passcode (make sure you remember it!) and re-enter it to confirm.

Step 4 : Once done, you will be taken back to the Restrictions screen, where you will find a number of apps listed as allowed.

Step 5 : Slide the switch to Off for any app you want to hide; it disappears from the Home screen until you switch it back on.

If you want to lock apps individually, you will have to jailbreak your device, which is not advisable: jailbreaking disables many of iOS’s built-in security protections, so do it only if you have no other way. If you are ready to do that, you may download iAppLock, an app that locks individual apps and provides features like Passcode Lock, Pattern Lock, customizable lock screens and Touch ID lock.

Source

Business License Scams: A Barrier for Reentrants

by Lisa Lake

It can be hard for a person starting over in life to earn a living — especially if he or she is reentering society from prison. That’s one reason why many reentrants decide to use the trade skills they’ve learned to go into business for themselves.

But local consumer protection agencies have told the FTC about scammers who lie about being able to help people get professional or business licenses to start barbershops, hair salons, auto repair shops and other businesses. These con artists contact people in different ways and some say they issue licenses themselves. Many reentrants don’t believe they will ever get a business license through the usual channels. That makes them vulnerable to scams.

Some reentrants may find themselves frustrated by occupational licensing regulations that don’t make sense. Maybe their trade is licensed in some states, but not others. That’s confusing.

If you’re looking to get a professional or business license, here are three things you should do before you pay anyone money:

  1. Check with your state or local government first to learn how to get a professional or business license. The requirements and fees depend on the type of business you’re starting, where it will be, what services you will offer, and government rules. Also, the Council of State Governments’ Collateral Consequences database provides detailed information on licensing restrictions based on your record and the type of license you’re seeking.
  2. If a company says it can issue you a professional or business license, check it out first. Typically, government agencies issue professional and business licenses. Contact the agency that oversees licensing for your trade to see if the company is legitimate. You also can search online using the company’s name and the term “scam.”
  3. Visit the U.S. Small Business Administration’s website for information on licensing and starting a small business.

Source

Android backdoor is secretly sending user data and texts to China, and no one knows why

By Conner Forrest

A new backdoor recently discovered in budget Android devices is sending user location data, text messages and call logs to a server in China every 72 hours, and no one seems to know why. First reported by the New York Times on Tuesday, the backdoor was discovered by security firm Kryptowire.

According to the New York Times report, the backdoor comes in the form of pre-installed monitoring software that collects the above-mentioned information. The Times said that American authorities are unsure whether the data is being collected for advertising purposes or whether it is an actual governmental effort at surveillance.

One of the most interesting aspects of this backdoor is that it is an intentional part of the software on these devices. That, as The Verge noted, makes it a feature of the device rather than an exploited vulnerability.

The software was developed by a Chinese company called Shanghai Adups Technology Company, which claims its code is active on more than 700 million Android devices. According to the Times, it predominantly affects international users and those who use prepaid Android devices, but the total impact of the backdoor isn’t fully known. However, the Times did note that American Android manufacturer BLU Products had 120,000 of its phones affected.

According to documents provided to BLU by Shanghai Adups Technology Company, the code was originally written for another Chinese company to help it monitor phones, the Times reported. Additionally, Shanghai Adups Technology Company’s website claims it works with smartphone manufacturers ZTE and Huawei.

However, a Huawei spokesperson said: “Huawei takes our customers’ privacy and security very seriously, and we work diligently to safeguard that privacy and security. The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them.”

Additionally, an official statement from ZTE USA read: “We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not. ZTE always makes security and privacy a top priority for our customers. We will continue to ensure customer privacy and information remain protected.”

A Google official told the New York Times that it had asked Shanghai Adups Technology Company to remove the software from devices running the Google Play Store. Also, Kryptowire has taken its findings to the US government.

The discovery comes at a turbulent time for Android, as recent malware discoveries claimed to put millions of devices at risk of dealing with fake advertising and other issues. The news also adds more fuel to the conversation around backdoors in smartphones, sparked by Apple’s battle with the FBI over privacy concerns earlier this year.

The 3 big takeaways for readers:

  • A backdoor on some Android devices is sending call logs, location data, and full text messages to a Chinese server, as reported by the New York Times.
  • The backdoor appears to be a feature and not an exploit, as the code was intentionally added to the operating system for the purpose of gathering information, the Times reported.
  • The discovery of this backdoor could reopen the conversation around smartphone privacy started by Apple and the FBI in early 2016.

Source

Call from 877-000-0000? Hang up.

Scammers are using fake caller ID information to trick you into thinking they’re someone who can be trusted. The practice is called caller ID spoofing, and scammers can fake anyone’s phone number.

Scammers are constantly picking new phone numbers to spoof. Here are a few tips for staying ahead of scammers and their unexpected calls:

  • If you get a strange call from a government phone number, hang up. If you want to check it out, visit the official (.gov) website for contact information.
  • Don’t give out — or confirm — your personal or financial information to someone who calls.
  • Don’t wire money or send money using a reloadable card. In fact, never pay someone who calls out of the blue, even if the name or number on the caller ID looks legit.
  • Feeling pressured to act immediately? Hang up. That’s a sure sign of a scam.

Source

Researchers find bug in Wi-Fi network encryption

by Phoebe Rouge

If you have a smartphone, laptop, or IoT device connected to a Wi-Fi network, the information you send over that network could be at risk. Researchers recently found a bug that lets attackers break the encryption that protects most wireless networks – leaving data you send exposed.

The bad news is that this is not a problem with a specific device, or even manufacturer – it’s a problem with the WPA2 encryption standard nearly all Wi-Fi devices on the market today use to scramble communications, preventing eavesdropping and tampering. Basically, if you use a device to connect to a wireless network at home, work, or elsewhere, this bug means you cannot rely on that connection being secure.

The good news is that the bug can be fixed with a security update or patch. Device manufacturers and software companies are aware of the bug and updates for affected devices should be rolling out in the near future, if they haven’t already.

In the meantime, connections other than Wi-Fi (like your smartphone’s 4G/3G carrier connection, or a connection with an Ethernet cable) are not affected. So, consider using them instead of Wi-Fi until the updates are available.

Even so, this bug is a reminder that there’s no single solution to secure your data, and all of the other tips for protecting your sensitive information and security online are more important than ever, including:

  • Keep up with the latest updates for your software and devices, including updates for your smartphone, computer, and any IoT devices around your home.
  • Avoid sending sensitive information over public Wi-Fi, whether or not it’s encrypted.
  • When you do send sensitive information to a website, make sure the address starts with “https://” – this at least ensures the data you send to that one website is encrypted in transit.
  • A VPN (Virtual Private Network) app or service can give you another layer of protection for your personal data. VPNs encrypt traffic between your computer and the internet – even on unsecured networks. You can get a personal VPN account from a VPN service provider. If you decide to use one, be aware some VPNs are more secure and easier to use than others, so shop around. Read reviews from several sources, including impartial experts.

Source

The next big thing in cybercrime? Here are the FBI’s ones to watch…

Nathan House

If you’re a Federal Agent who happens to fight cybercrime, what sort of stuff lands on your desk? The latest Internet Crime Report paints a picture. And as well as featuring an annual summary of the activities of the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), it also includes a useful roundup of trends to watch.

Based on nearly 300,000 complaints filed in the previous calendar year, here are the FBI’s “Hot Topics”: three specific threat types that the Feds say we should be most worried about…

Business Email Compromise (BEC)

We’re not talking about email hacking just for the sake of it here (that’s classed as Email Account Compromise – and although it’s a necessary part of BEC, it’s not the whole story).

With BEC, we’re dealing with a very specific kind of threat; a sophisticated scam based around wire transfer payments. With a little digging (LinkedIn, website bios, that sort of thing), a criminal can quickly identify who’s likely to hold the purse strings within an organisation. The scam is carried out when a hacker compromises legitimate business email accounts through social engineering or hacking techniques to conduct unauthorized transfers of funds.

It’s a global problem. On this side of the Pond, we know it better as mandate fraud and only this month, City AM was reporting that fraudsters had used it to make off with £32 million in the previous year. The Met says that it’s now the third most popular way of scamming a business, behind fraudulent bank cards and employee theft.

So here’s a piece of research that shouldn’t come as any surprise: of all the people in your company most likely to be targeted in an email scam, your Chief Financial Officer comes top.

The moral? Regardless of what she tells you, your CFO hasn’t got “more important things to do” than turn up to your next cyber security scrumdown.
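The two header-level tells behind most BEC lures can be checked mechanically, and the following is an added example of doing so (it is not from the IC3 report): a display name that matches a finance executive while the sending domain is only a look-alike of the company’s, and a Reply-To that quietly redirects the thread, which is the one header clue left when the executive’s genuine account has been compromised, as the article describes. The company domain, the executive list and the three sample messages are constructed.

```python
"""Header-level BEC tells (added example, not from the IC3 report).

Flags (1) a display name matching a finance executive while the sending
domain is only a look-alike of the company's, and (2) a Reply-To that
diverts the thread to another domain, which is the one header clue left when
the executive's genuine account has been compromised. Company domain,
executive list and sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"
# Constructed org chart: display names attackers are likely to borrow.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def edit_distance(a, b):
    """Levenshtein distance; a small distance between domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, legit=COMPANY_DOMAIN):
    """True for a domain that is close to, but not, the legitimate one."""
    if domain == legit or domain.endswith("." + legit):
        return False                      # exact match or genuine subdomain
    stripped = domain.replace(".", "").replace("-", "")
    return edit_distance(domain, legit) <= 2 or legit.replace(".", "") in stripped


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def analyze(raw_message):
    """Return a list of findings for one RFC 5322 message (empty = nothing flagged)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    findings = []

    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' impersonates {expected}, sent from {from_addr}")
    if lookalike_domain(from_domain):
        findings.append(f"sender domain {from_domain} is a look-alike of {COMPANY_DOMAIN}")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from {from_domain}")
    return findings


# Constructed sample messages.
SAMPLES = {
    "lookalike_exec": (
        "From: Jane Doe <jane.doe@examp1e.com>\n"
        "To: ap@example.com\nSubject: Urgent wire before close of business\n\n"
        "Please process the attached transfer today. -- Jane\n"),
    "compromised_with_replyto": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "Reply-To: jane.doe@mail-example.net\n"
        "To: ap@example.com\nSubject: Re: vendor payment\n\n"
        "Use the new account details attached.\n"),
    "benign": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "To: ap@example.com\nSubject: Q3 numbers\n\nSee attached.\n"),
}


def run_all():
    return {name: analyze(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name, "->", findings or "clean")
```

A real mail gateway would feed the same checks with the actual executive directory and the organisation’s registered domains; the point of the constructed second sample is that a fully genuine From line is not a clean bill of health, so the payment-change process must never rest on e-mail headers alone.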

Ransomware

Never mind a year; a week is a long time in cyber security. Last year, IC3 apparently received 2,673 complaints linked to ransomware with losses of over $2.4 million.

Although it has long been on the radar of the cyber security community, it’s fair to say that as 2016 drew to a close, the issue of ransomware wasn’t yet mainstream headline news. The WannaCry attack in May – closely followed by Petya – changed all that.

WannaCry infected an estimated 300,000 endpoints and such was the scale of the attack that it warranted a meeting of the UK government’s Cobra crisis committee.

Threat detection, strategic backup, proper patch management and adequate hygiene (not least, making sure your people know what and what not to click on): these are the areas all businesses should be focused on to reduce the threat.

Tech support fraud

IC3 received 10,850 complaints relating to this type of fraud, with losses exceeding $7.8 million. Again, it’s a highly-targeted strategy, only this time it’s more likely to involve your IT team than your accounts staff.

The perpetrator makes contact with the business and offers what sounds like a fantastic tech support package. The victim bites – and is subsequently asked for remote access to a device. The request sounds reasonable (after all this person is now the company’s remote ‘support guy’). Once in, there’s the potential to cause all manner of damage, from a quick “smash and grab” of customer account data through to the installation of spyware.

The fact that this has been flagged up by the FBI is a reminder of the importance of doing your homework. A swish website, a convincing salesman, a too-good-to-be-true deal: these should never be enough in themselves to cause you to enter into any kind of relationship with a third party provider.

What do all three of the FBI’s “Hot Topics” have in common? For one, they each demand some action on the part of your people to become live. And especially when it comes to BEC and tech support fraud, these are honed, targeted and personal attacks. If you’re worth compromising, chances are that threat actors will be willing to do a little digging to get the attack right. So be ready for it.

Source

Shopping for airfare deals | Consumer Information


You want the best deal for your next flight, but the choices can be overwhelming. Will you book directly on an airline’s website, or buy through a site that lets you compare costs across multiple airlines? These tips will help you weigh your options and avoid surprises you didn’t bargain for.

On cost comparison sites, what seem like apples-to-apples comparisons may not be – if baggage or other fees aren’t included. Cost comparison sites can also charge you more than the airline’s fees for services like changing or canceling a flight. When you make a reservation for a flight that is at least a week away, the airline must allow you to cancel for free within the first 24 hours after booking, but you could still be charged if you didn’t book directly with the airline.

Having a reservation is not the same as having a ticket. Normally, you make your reservation and then the airline issues a ticket, but things can go wrong. We’ve heard from people who used unfamiliar booking sites and learned at the airport that they did not have a ticket to fly. People also have told us that small errors like misspelled passenger names caused big headaches. Some people had to pay fees to fix mistakes, and some even missed their flights.

If you’re thinking of using an unfamiliar booking site to reserve tickets, first look for reviews and ratings of the site to make sure it’s reputable. You can search the site’s name with words like “complaint,” “review,” or “scam.”

Also:

  • consider fees as you comparison shop, and take change and cancelation policies into account
  • check cost comparison and airline sites to find the best overall deal, and keep in mind that some airlines only book directly
  • confirm directly with the airline well before the day of your flight that you have a ticket and everything is in order

Source

Serious flaw in WPA2 protocol lets attackers intercept passwords and much more

Dan Goodin

Researchers have disclosed a serious weakness in the WPA2 protocol that allows attackers within range of a vulnerable device or access point to intercept passwords, e-mails, and other data presumed to be encrypted, and in some cases, to inject ransomware or other malicious content into a website a client is visiting.

The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that was scheduled for 8am Monday, East Coast time. A website disclosing the vulnerability said it affects the core WPA2 protocol itself and is effective against devices running Android, Linux, and OpenBSD, and to a lesser extent macOS and Windows, as well as MediaTek, Linksys, and other types of devices. The site warned that attackers can exploit the flaw to decrypt a wealth of sensitive data that’s normally encrypted by the nearly ubiquitous Wi-Fi encryption protocol.

“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on,” researcher Mathy Vanhoef, of the Katholieke Universiteit Leuven in Belgium wrote. “The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”

Vanhoef provided the following video showing the attack against a device running Google’s Android mobile operating system:

KRACK Attacks: Bypassing WPA2 against Android and Linux

It shows the attacker decrypting all data the phone sends to the access point. The attack works by forcing the phone into reinstalling an all-zero encryption key, rather than the real key. This ability, which also works on Linux, makes the attack particularly effective on these platforms.

The site went on to warn that visiting only HTTPS-protected Web pages wasn’t automatically a remedy against the attack, since many improperly configured sites can be forced into dropping encrypted HTTPS traffic and instead transmitting unencrypted HTTP data. In the video demonstration, the attacker uses a script known as SSLstrip to force the site match.com to downgrade a connection to HTTP. The attacker is then able to steal an account password when the Android device logs in.

“Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations,” the researchers explained. “For example, HTTPS was previously bypassed in non-browser software, in Apple’s iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.”

The researcher went on to say that the weakness allows attackers to target both vulnerable access points and vulnerable computers, smartphones and other types of connecting clients, albeit with differing levels of difficulty and effectiveness. Neither Windows nor iOS is believed to be vulnerable to the most severe attacks. Linux and Android appear to be more susceptible, because attackers can force network decryption on clients in seconds with little effort.

Vanhoef said clients can be patched to prevent attacks even when connected to vulnerable access points. Linux patches have been developed, but it’s not immediately clear when they will become available for various distributions and for Android users. Patches are also available for some but not all Wi-Fi access points.

In response to a FAQ item asking if the vulnerability signaled the need for a WPA3 standard, Vanhoef wrote:

No, luckily [WPA2] implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.

KRACK works by targeting the four-way handshake that’s executed when a client joins a WPA2-protected Wi-Fi network. Among other things, the handshake helps to confirm that both the client and access point have the correct credentials. KRACK tricks the vulnerable client into reinstalling an already-in-use key. The reinstallation forces the client to reset the packet numbers (from which the cryptographic nonce is built) and other parameters to their initial values. KRACK forces the nonce reuse in a way that allows the encryption to be bypassed. Ars Technica IT editor Sean Gallagher has

Monday’s disclosure follows an advisory the US CERT recently distributed to about 100 organizations that described the research this way:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

According to a researcher who has been briefed on the vulnerability, it works by exploiting a four-way handshake that’s used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it’s resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.
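The two paragraphs above describe the mechanism (a reinstalled key resets the packet number, so a nonce is reused) and its consequence (the encryption is completely undermined) without showing why the second follows from the first. Here is an added example, not from the article or from the researchers, that demonstrates it. WPA2’s CCMP derives its nonce from the packet number and encrypts in counter mode, so the keystream depends only on (key, nonce); the script stands in for AES-CCM with an HMAC-SHA256 counter keystream so that it runs on the Python standard library alone, and the key, frames and packet numbers are constructed. The point it shows is general to any counter-mode or stream cipher: two frames under the same key and nonce XOR to the XOR of their plaintexts, and one guessable plaintext recovers the other.

```python
"""Why a reinstalled key (and the packet-number reset it causes) breaks
WPA2's encryption (added example, not from the article or the KRACK paper).

CCMP derives its nonce from the packet number and encrypts in counter mode,
so the keystream is a function of (key, nonce) alone. Here AES-CCM is
replaced by an HMAC-SHA256 counter keystream so the script runs on the
standard library; the key, frames and packet numbers are constructed.
"""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Stand-in CTR keystream: block i = HMAC-SHA256(key, nonce || i)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


class Client:
    """A Wi-Fi client. The packet number that feeds the nonce must never repeat
    under one key; a correct implementation guarantees this by installing the
    key only once."""

    def __init__(self, key):
        self.key = key
        self.pn = 0

    def send(self, plaintext):
        self.pn += 1
        nonce = self.pn.to_bytes(6, "big")        # 48-bit packet number, as in CCMP
        return nonce, encrypt(self.key, nonce, plaintext)

    def reinstall_key(self):
        self.pn = 0        # what the replayed handshake message triggers: same key, counter reset


def recover_with_known_plaintext(c1, c2, known_p1):
    """Two frames under one (key, nonce): C1 xor P1 is the keystream, so P2 = C2 xor C1 xor P1."""
    return xor(c2, xor(c1, known_p1))


# Constructed frames: a predictable request followed by a credential-bearing one.
P1 = b"GET /login HTTP/1.1\r\nHost: example.org\r\n"
P2 = b"POST /login user=alice&pass=hunter2\r\n"


def demo():
    client = Client(os.urandom(32))
    nonce1, c1 = client.send(P1)
    client.reinstall_key()              # the key reinstallation attack
    nonce2, c2 = client.send(P2)
    return {
        "nonce_reused": nonce1 == nonce2,
        # XOR of ciphertexts equals XOR of plaintexts: the keystream has cancelled out.
        "keystream_cancels": xor(c1, c2) == xor(P1, P2),
        # Guessing P1 (HTTP request lines are highly predictable) yields P2 outright.
        "recovered": recover_with_known_plaintext(c1, c2, P1),
    }


def demo_without_reinstall():
    """Control: without the reset, consecutive frames use distinct nonces."""
    client = Client(os.urandom(32))
    nonce1, _ = client.send(P1)
    nonce2, _ = client.send(P2)
    return nonce1 != nonce2
```

The Android and Linux case the article singles out is worse than this model: there the reinstalled key was all zeros, so the attacker knows the key outright and needs no known plaintext at all. The patch the researchers describe is the one the `Client` class omits, a check that refuses to install a key that is already in use, which leaves the handshake messages unchanged and is why the fix is backwards-compatible.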

Although kept secret for weeks, KRACK came to light on Sunday when people discovered a GitHub page belonging to one of the researchers and a separate krackattacks.com website disclosing the vulnerability; the page used the following tags:

  • WPA2
  • KRACK
  • key reinstallation
  • security protocols
  • network security, attacks
  • nonce reuse
  • handshake
  • packet number
  • initialization vector

Researchers briefed on the vulnerabilities said they are indexed as: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088. One researcher told Ars that Aruba and Ubiquiti, which sell wireless access points to large corporations and government organizations, already have updates available to patch or mitigate the vulnerabilities.

The vulnerabilities are scheduled to be formally presented in a talk titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 scheduled for November 1 at the ACM Conference on Computer and Communications Security in Dallas. It’s believed that Monday’s disclosure will be made through the site krackattacks.com. The researchers presenting the talk are Mathy Vanhoef and Frank Piessens of KU Leuven. The researchers presented this related research in August at the Black Hat Security Conference in Las Vegas.

The vulnerability is likely to pose the biggest threat to large corporate and government Wi-Fi networks, particularly if they accept connections from Linux and Android devices. And once again, attackers must be within Wi-Fi range of a vulnerable access point or client to pull off the attacks. Home Wi-Fi users are vulnerable, too, again especially if they connect with Linux or Android devices, but there are likely easier ways they can be attacked. Researcher and Errata Security CEO Rob Graham has useful information and analysis here.

Microsoft on Monday posted an advisory here that explains the conditions necessary for attackers to exploit vulnerable Windows machines. The company issued an update during last week’s Patch Tuesday release that fixes the problem. Windows users who have yet to install the patch should do so right away. Microsoft’s advisory said that even when patched, affected Windows systems may offload vulnerable WPA2 functionality to installed Wi-Fi hardware when devices enter low-power standby modes. To fully protect themselves, users should also install new Wi-Fi device drivers, if available, in addition to the Windows fix.

If possible, people with vulnerable access points and clients should avoid using Wi-Fi until patches are available and instead use wired connections. When Wi-Fi is the only connection option, people should use HTTPS, STARTTLS, Secure Shell, and other reliable protocols to encrypt Web and e-mail traffic as it passes between computers and access points. As a fall-back users should consider using a virtual private network as an added safety measure, but users are reminded to choose their VPN providers carefully.

Source