This newly discovered flaw exposes passwords, and allows an attacker to view data thought to be encrypted.

Manufacturers are rushing to fix this, but there are a lot of devices out there to patch.  Technical details are in the article below.

Serious flaw in WPA2 protocol lets attackers intercept passwords and much more

DAN GOODIN - 10/16/2017, 12:37 AM

"Researchers have disclosed a serious weakness in the WPA2 protocol that allows attackers within range of vulnerable device or access point to intercept passwords, e-mails, and other data presumed to be encrypted, and in some cases, to inject ransomware or other malicious content into a website a client is visiting.

The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that was scheduled for 8am Monday, East Coast time. A website disclosing the vulnerability said it affects the core WPA2 protocol itself and is effective against devices running Android, Linux, and OpenBSD, and to a lesser extent macOS and Windows, as well as MediaTek Linksys, and other types of devices. The site warned that attackers can exploit the flaw to decrypt a wealth of sensitive data that's normally encrypted by the nearly ubiquitous Wi-Fi encryption protocol.

"This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on," researcher Mathy Vanhoef, of the Katholieke Universiteit Leuven in Belgium wrote. "The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."
It shows the attacker decrypting all data the phone sends to the access point. The attack works by forcing the phone into reinstalling an all-zero encryption key, rather than the real key. This ability, which also works on Linux, makes the attack particularly effective on these platforms.

The site went on to warn that visiting only HTTPS-protected Web pages wasn't automatically a remedy against the attack, since many improperly configured sites can be forced into dropping encrypted HTTPS traffic and instead transmitting unencrypted HTTP data. In the video demonstration, the attacker uses a script known as SSLstrip to force the site to downgrade a connection to HTTP. The attacker is then able to steal an account password when the Android device logs in.

"Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations," the researchers explained. "For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps."

The researcher went on to say that the weakness allows attackers to target both vulnerable access points as well as vulnerable computers, smartphones and other types of connecting clients, albeit with differing levels of difficulty and effectiveness. Neither Windows nor iOS are believed to be vulnerable to the most severe attacks. Linux and Android appear to be more susceptible, because attackers can force network decryption on clients in seconds with little effort.

Vanhoef said clients can be patched to prevent attacks even when connected to vulnerable access points. Linux patches have been developed, but it's not immediately clear when they will become available for various distributions and for Android users. Patches are also available for some but not all Wi-Fi access points."

Many have recently noticed the new “OK, Google” feature being offered when they use Google.  This new feature lets you use your voice on the Google app or Chrome to do things like search, create reminders, get directions, access contacts and much more.

Explained in today’s article in The Guardian, written by Samuel Gibbs, this feature installs software capable of listening in and recording of conversations held in front of the computer and handheld device.

“Without consent, Google’s code had downloaded a black box of code that – according to itself – had turned on the microphone and was actively listening to your room,” said Rick Falkvinge, the Pirate party founder, in a blog post. “Which means that your computer had been stealth configured to send what was being said in your room to somebody else, to a private company in another country, without your consent or knowledge, an audio transmission triggered by … an unknown and unverifiable set of conditions… The default install will still wiretap your room without your consent, unless you opt out, and more importantly, know that you need to opt out, which is nowhere a reasonable requirement.”

"Samsung's warning: Our Smart TVs record your living room chatter"... or what ever room it is in!

"Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."

Technically Incorrect: Samsung's small print says that its Smart TV's voice recognition system will not only capture your private conversations, but also pass them onto third parties.

by  Chris Matyszczyk  - February 8, 2015 2:10 PM PST



It isn't just your browser tracking your online activity...

Your computer's hardware may be tracking since the day you bought it.

"Lenovo was inserting its PCs. This software could track customers’ every online move, intercept secure web sessions and render their computers vulnerable to hackers." 

Lenovo and Superfish Penetrate the Heart of a Computer’s Security

By Nicole Perlroth


"The Chinese computer-making giant Lenovo was inserting spyware — its defenders would call it adware — in its PCs. This software could track customers’ every online move, intercept secure web sessions and render their computers vulnerable to hackers.

The company buried its software in the lowest level of a PC’s operating system, precisely where customers and antivirus products would never detect it, and had been siphoning data back to servers belonging to Superfish, an Israeli software company headquartered in Silicon Valley that markets itself as a visual search company...."



Fall cleaning time!... and, no, we are not talking about closets. Look at your Desktop screen (both Mac and PC users)... does it look like a patchwork of documents scattered about? Do you cringe every time you need to find a file? Actually, having your documents and files saved directly to the Desktop instead of the Documents folder is more than a visual issue. The operating system does not con...sider the Desktop as the same type of ‘entity’ as your Documents folder and resources (which affects overall speed) will not be used efficiently. If you do not have time to sort your files right away you could create a folder within your Documents folder named “Desktop clean up” then MOVE all of the documents to that folder. Then create a ‘shortcut’ (Mac users call it an ‘alias’) of the “Desktop clean up” folder to keep on the actual Desktop.