Tag Archives: Save
There are more Wi-Fi devices in active use around the world—roughly 9 billion—than there are human beings. That ubiquity makes protecting Wi-Fi from hackers one of the most important tasks in cybersecurity. Which is why the arrival of next-generation wireless security protocol WPA3 deserves your attention: Not only is it going to keep Wi-Fi connections safer, but also it will help save you from your own security shortcomings.
It’ll take time before you can enjoy the full benefits of WPA3; the Wi-Fi Alliance, a trade group that oversees the standard, is releasing full details today but doesn’t expect broad implementation until late 2019 at the earliest. In the course that WPA3 charts for Wi-Fi, though, security experts see critical, long-overdue improvements to a technology you use more than almost any other.
“If you ask virtually any security person, they’ll say don’t use Wi-Fi, or if you do, immediately throw a VPN connection on top of it,” says Bob Rudis, chief data officer at security firm Rapid 7. “Now, Wi-Fi becomes something where we can say hey, if the place you’re going to uses WPA3 and your device uses WPA3, you can pretty much use Wi-Fi in that location.”
Start with how WPA3 will protect you at home. Specifically, it’ll mitigate the damage that might stem from your lazy passwords.
A fundamental weakness of WPA2, the current wireless security protocol that dates back to 2004, is that it lets hackers deploy a so-called offline dictionary attack to guess your password. An attacker can take as many shots as they want at guessing your credentials without being on the same network, cycling through the entire dictionary—and beyond—in relatively short order.
“Let’s say that I’m trying to communicate with somebody, and you want to be able to eavesdrop on what we’re saying. In an offline attack, you can either passively stand there and capture an exchange, or maybe interact with me once. And then you can leave, you can go somewhere else, you can spin up a bunch of cloud computing services and you can try a brute-force dictionary attack without ever interacting with me again, until you figure out my password,” says Kevin Robinson, a Wi-Fi Alliance executive.
This kind of attack does have limitations. “If you pick a password that’s 16 characters or 30 characters in length, there’s just no way, we’re just not going to crack it,” says Joshua Wright, a senior technical analyst with information security company Counter Hack. Chances are, though, you didn’t pick that kind of password. “The problem is really consumers who don’t know better, where their home password is their first initial and the name of their favorite car.”
If that sounds familiar, please change your password immediately. In the meantime, WPA3 will protect against dictionary attacks by implementing a new key exchange protocol. WPA2 used an imperfect four-way handshake between clients and access points to enable encrypted connections; it’s what was behind the notorious KRACK vulnerability that impacted basically every connected device. WPA3 will ditch that in favor of the more secure—and widely vetted—Simultaneous Authentication of Equals handshake.
There are plenty of technical differences, but the upshot for you is twofold. First, those dictionary attacks? They’re essentially done. “In this new scenario, every single time that you want to take a guess at the password, to try to get into the conversation, you have to interact with me,” says Robinson. “You get one guess each time.” Which means that even if you use your pet’s name as your Wi-Fi password, hackers will be much less likely to take the time to crack it.
The other benefit comes in the event that your password gets compromised nonetheless. With this new handshake, WPA3 supports forward secrecy, meaning that any traffic that came across your transom before an outsider gained access will remain encrypted. With WPA2, they can decrypt old traffic as well.
When WPA2 came along in 2004, the Internet of Things had not yet become anything close to the all-consuming security horror that is its present-day hallmark. No wonder, then, that WPA2 offered no streamlined way to safely onboard these devices to an existing Wi-Fi network. And in fact, the predominant method by which that process happens today—Wi-Fi Protected Setup—has had known vulnerabilities since 2011. WPA3 provides a fix.
Wi-Fi Easy Connect, as the Wi-Fi Alliance calls it, makes it easier to get wireless devices that have no (or limited) screen or input mechanism onto your network. When enabled, you’ll simply use your smartphone to scan a QR code on your router, then scan a QR code on your printer or speaker or other IoT device, and you’re set—they’re securely connected. With the QR code method, you’re using public key-based encryption to onboard devices that currently largely lack a simple, secure method to do so.
“Right now it’s really hard to deploy IoT things fairly securely. The reality is they have no screen, they have no display,” says Rudis. Wi-Fi Easy Connect obviates that issue. “With WPA3, it’s automatically connecting to a secure, closed network. And it’s going to have the ability to lock in those credentials so that it’s a lot easier to get a lot more IoT devices rolled out in a secure manner.”
Here again, Wi-Fi Easy Connect’s neatest trick is in its ease of use. It’s not just safe; it’s impossible to screw up.
That trend plays out also with Wi-Fi Enhanced Open, which the Wi-Fi Alliance detailed a few weeks before. You’ve probably heard that you should avoid doing any sensitive browsing or data entry on public Wi-Fi networks. That’s because with WPA2, anyone on the same public network as you can observe your activity, and target you with intrusions like man-in-the-middle attacks or traffic sniffing. On WPA3? Not so much. When you log onto a coffee shop’s WPA3 Wi-Fi with a WPA3 device, your connection will automatically be encrypted without the need for additional credentials. It does so using an established standard called Opportunistic Wireless Encryption.
“By default, WPA3 is going to be fully encrypted from the minute that you begin to do anything with regards to getting on the wireless network,” according to Rudis. “That’s fundamentally huge.”
As with the password protections, WPA3’s expanded encryption for public networks also keeps Wi-Fi users safe from a vulnerability they may not realize exists in the first place. In fact, if anything it might make Wi-Fi users feel too secure.
“The heart is in the right place, but it doesn’t stop the attack,” says Wright. “It’s a partial solution. My concern is that consumers think they have this automatic encryption mechanism because of WPA3, but it’s not guaranteed. An attacker can impersonate the access point, and then turn that feature off.”
Even with the added technical details, talking about WPA3 still feels almost premature. While major manufacturers like Qualcomm already have committed to its implementation as early as this summer, to take full advantage of WPA3’s many upgrades, the entire ecosystem needs to embrace it.
That’ll happen in time, just as it did with WPA2. And the Wi-Fi Alliance’s Robinson says that backward interoperability with WPA2 will ensure that some added security benefits will be available as soon as the devices themselves are. “Even at the very beginning, when a user has a mix of device capabilities, if they get a network with WPA3 in it, they can immediately turn on a transitional mode. Any of their WPA3-capable devices will get the benefits of WPA3, and the legacy WPA2 devices can continue to connect,” Robinson says.
Lurking inside that assurance, though, is the reality that WPA3 will come at a literal cost. “The gotcha is that everyone’s got to buy a new everything,” says Rudis. “But at least it’s setting the framework for a much more secure setup than what we’ve got now.”
Just as importantly, that framework mostly relies on solutions that security researchers already have had a chance to poke and prod for holes. That hasn’t always been the case.
“Five years ago the Wi-Fi Alliance was creating its own protocols in secrecy, not disclosing the details, and then it turns out some of them have problems,” says Wright. “Now, they’re more adopting known and tested and vetted protocols that we have a lot more confidence in, and they’re not trying to hide the details of the system.”
Which makes sense. When you’re securing one of the most widely used technologies on Earth, you don’t want to leave anything to chance.
Efforts to put cleaner cars on American roads are being threatened. In a few days, The New York Times reports, the Environmental Protection Agency will move to weaken the regulations that demand automakers produce cleaner and more efficient vehicles.
The existing standards, which Barack Obama pushed for in 2012, demand each automaker nearly double the average fuel efficiency of its cars, to deliver 36 miles per gallon. But before President Donald Trump, EPA head Scott Pruitt, or anyone else can knock that number down, they must tangle with California. The state had rules to govern tailpipe emissions before a 1970 amendment to the Clean Air Act gave the EPA the authority to govern vehicle efficiency. Because of its early bird status, and especially grave pollution problem at the time, Congress gave California the unusual right to keep making its own regulations, even though federal rules should supersede state ones. No other state can do this, but they may opt to follow California’s rules, which tend to be more stringent than whatever Washington drums up. Today, 13 states and Washington DC do so.
Together, those states (which, unsurprisingly, cover most of the East and West Coasts) account for a third of the American car market. So automakers have long built vehicles that meet California’s tougher rules. It may sound like a pain, but it’s cheaper than building two versions of every car—the cleanish one for most of the country, and the cleaner one for the folks who like their air salty but clean. And so lowering the national standards is only effective if you can get California to lower its own, too.
Pruitt, a climate change skeptic, has signaled he’s ready—and right—to wrestle the grizzly bear. “California is not the arbiter of these issues,” he told Bloomberg this month. But four decades of legal precedent don’t vanish without a fight, certainly not quickly. “We’re prepared to do everything we need to defend the process,” the state’s attorney general, Xavier Becerra, told the Times.
Okay, but say Pruitt gets his way, California loses its special status, and automakers no longer have to meet such tough efficiency and emissions standards. First off, don’t expect coal rolling poor Prius drivers to become the new national sport. “We’re not gonna go sliding back to the gas guzzling 80s,” says Rebecca Lindland, an industry analyst with Kelley Blue Book. That’s because automakers plan years ahead. They have already spent the money developing the turbochargers, lightweight materials, low resistance tires, and other tech they need to meet the current rules. They’re not going to change their carefully laid plans now.
That’ll keep the fumes away for a few more years, at least. But there’s better news for anybody worried about driving the Earth into climatic disaster: The electric cars—the ones that make the entire notion of miles per gallon outdated, the emission zero heroes—are still coming, thanks to two parties: China, and the millennials.
Let’s start with China. The country is already the world’s largest car market, buying about 23 million vehicles a year, and its appetite is growing by about five percent year over year, according to a McKinsey report. For automakers who have already flooded American streets with their wares, fresh territory is a vital resource. “The US [luxury] market in my view is going to remain relatively stagnant. It won’t decline, but it won’t grow,” Cadillac head Johan de Nysschen said this week at the New York International Auto Show. “The Chinese market, in the next 10 years, is going to triple.”
And China—where pollution is a serious problem—insists that any automaker doing business within its borders sell lots and lots of electric cars. That’s a big part of the reason why General Motors plans to roll out 20 new fully electric cars by 2023 and Ford is putting $11 billion into building 16 new models by 2022. Volvo is making its entire fleet “electrified” (a term that includes hybrids), and even Jaguar Land Rover, which debuted its first all-electric car just last year, says that by 2020, it will offer electric or hybrid versions of every car it makes. In an increasingly globalized industry, you can expect to see those models hit US and European shores as well—the more of each they sell, the faster automakers can amortize heavy R&D costs.
And the youths will help the process along. Right now, Lindland says, “the push to develop and deploy electric vehicles has been driven by regulations…consumers are not demanding these products.” Forcing people to change their habits—where, when, and how they fuel their vehicles—is hard. But that could change with the generation just now learning to drive. “I think people born after 2003 are those who will demand electrification,” Lindland says. “Those who haven’t bought a car yet. It’s not even a conversion.” Indeed, she says, that may help along China’s push for battery-powered cars. “They have more first time buyers at their disposal.”
Automakers play a very long game, and they know this new generation is coming. “As we see more millennials coming into the marketplace, companies are looking to strike a more efficient picture,” says Carla Bailo, CEO of the Center for Automotive Research. That means more electric cars, fewer emissions, and cleaner air.
So millennials—the kids who kill everything—along with whatever generation comes next, just might save the planet.
Is it just me or is the cyber landscape getting more scary? Even as companies and consumers get better at playing defense, a host of new cyber threats is at our doorsteps—and it’s unclear if anyone can keep them out.
My doom-and-gloom stems from the dire predictions of Aviv Ovadya, the technologist who predicted the fake news epidemic, and now fears an “information apocalypse” as the trolls turbo-charge their efforts with AI. He points to the impending arrival of “laser phishing” in which bots will perfectly impersonate people we know by scraping publicly available images and social media data. The result could be the complete demolition of an already-crumbling distinction between fact and fiction.
Meanwhile, the phenomenon of crypto-jacking—in which hackers hijack your computer to mine digital currency—has quickly morphed from a novelty to a big league threat. Last week, for instance, hackers used browser plug-ins to install malignant mining tools on a wide range of court and government websites, which in turn caused site visitors to become part of the mining effort.
The use of browser plug-ins to launch such attacks is part of a familiar strategy by hackers—treating third parties (in this case the plug-ins) as the weakest link in the security chain, and exploiting them. Recall, for instance, how hackers didn’t attack Target’s computer systems directly, but instead wormed their way in through a third party payment provider. The browser-based attacks feel more troubling, though, because they take place right on our home computers.
All of this raises the question of how we’re supposed to defend ourselves against this next generation of threats. One option is to cross our fingers that new technologies—perhaps Microsoft’s blockchain-based ID systems—will help defeat phishing and secure our browsers. But it’s also hard, in an age when our machines have run amok, to believe more machines are the answer.
For a different approach, I suggest putting down your screen for a day and picking up How to Fix the Future. It’s a new book by Andrew Keen, a deep thinker on Silicon Valley culture, that proposes reconstructing our whole approach to the Internet by putting humans back at the center of our technology. Featuring a lot of smart observations by Betaworks founder John Borthwick, the book could help us fight off Ovadya’s information apocalypse.
Have a great weekend.
Jeff John Roberts
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
The limits of public transit in a city that needs much more. The post Detroit’s New Streetcar Is OK, But It Can’t Save a City appeared first on WIRED.
Refueling a destroyer or any other large piece of military hardware is incredibly dangerous because it leaves troops very vulnerable to attack, especially if it requires a huge convoy. U.S. troops have lost their lives trying to refuel vessels that are ultra-dependent on oil. The Department of Defense knows this, and as…
Anyone who has ever gone fishing knows that you don’t always catch what you’re trying to catch. In industrial fishing, that problem is called “bycatch,” and it can have grave consequences.