Category Archives: Google

KRACK Wi-Fi vulnerability: what you need to know

Last week, security researchers identified a series of vulnerabilities affecting almost all Wi-Fi devices, from computers to refrigerators. The vulnerability could allow attackers to intercept wireless communications and potentially steal credentials and other sensitive information. The vulnerabilities are collectively referred to as KRACK.

The good news is that computers running Windows and Linux already have patches available. Microsoft included fixes in the October 2017 Patch Tuesday updates.

Apple says that fixes are ready for MacOS, but there’s no word on exactly when they will actually be made available.

The bad news is that mobile devices, particularly those that run Google’s Android operating system, are vulnerable, and in some cases, might stay that way indefinitely. That’s because even though Google has prepared fixes for Android, those fixes won’t get to devices made by other vendors until those vendors make them available. Some vendors are better than others at pushing updates to their devices. Worse, some devices running older O/S versions may never get updates at all, rendering them permanently insecure.

There are mitigating factors. First, because of the responsible way in which these vulnerabilities were reported, Microsoft and other major players have had time to develop fixes, while details of the vulnerabilities were kept relatively secret until recently. That means we have a head start on the bad guys this time.

Second, exploiting these vulnerabilities requires close proximity. Attacks based on these vulnerabilities can’t be executed over the Internet.

Use caution with unpatched devices

If you use a public Wi-Fi access point with an unpatched device, you’re exposed. So until patches for your device become available, you might want to disable its Wi-Fi when you’re not at home. Most devices have settings that prevent automatically connecting to Wi-Fi networks it finds in the vicinity.

IoT devices may remain vulnerable forever

‘Internet of Things’ (IoT) devices, including thermostats, cars, appliances, and basically anything that can have a computer stuffed into it, often connect to the Internet using Wi-Fi. There are no security standards for IoT devices yet, and many are extremely unlikely to ever be patched.

Recommendation: identify all of your IoT devices that have the ability to connect to the Internet. For each, make sure that you’re using a wired connection, or disable networking completely, if possible. As for devices that connect to the Internet via Wi-Fi and cannot or won’t be patched or disabled, consider taking them to the nearest landfill.

References

Chrome 62.0.3202.62: thirty-five security fixes

If you want to test your web browser’s performance and memory management, just point it to the full change log for Chrome 62.0.3202.62. It’s a behemoth, documenting over ten thousand distinct changes.

Given the number of changes in Chrome 62.0.3202.62, I decided to skip reading the log and trust that Google would point out anything interesting in the release announcement.

The announcement for Chrome 62.0.3202.62 documents thirty-five fixes for security vulnerabilities, so clearly this is an important update. As for the other changes, Google says only this:

Chrome 62.0.3202.62 contains a number of fixes and improvements — a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 62.

Chrome usually updates itself within a few days of a new release. You can trigger an update by navigating to the About page: click the three-vertical-dots menu button, then Help > About Google Chrome.

Chrome 61.0.3163.100

There are exactly fifty-seven items in the change log for Chrome 61.0.3163.100. Some of those changes are version increments and other housekeeping; about forty are actual changes to functionality. Most of those changes are fixes for minor issues. Three of the fixes are for security issues.

If you’ve stopped trying to prevent Chrome from updating itself, it will no doubt proceed with this update automatically. But since the new version includes security fixes, it’s a good idea to make sure. Click the main menu button (three vertical dots at the top right of Chrome’s window), then Help > About Google Chrome.

Chrome 61.0.3163.79 includes 22 security fixes

The change log for Chrome 61.0.3163.79 is another browser-challenging page, this one having over 10,000 entries. Google didn’t bother to highlight any of the changes, aside from the twenty-two security issues addressed in the new version.

Unless you’ve gone out of your way to disable the various auto-update mechanisms Google installs alongside its software, Chrome should update itself within a day or so of the new version becoming available. If not, you can usually trigger an update by visiting Chrome’s About page: click the three-dot menu button, then select Help > About Google Chrome.

Chrome 59.0.3071.86

With thirty security fixes in Chrome 59.0.3071.86, I would expect Google to emphasize the need for users to update as soon as possible. Instead, the release announcement says “This will roll out over the coming days/weeks.” Presumably Google feels that the fixed security issues are too obscure to represent any imminent threat.

To be fair, personal experience has shown that Chrome is great at detecting updates, often very soon after they become available. Visiting the About page is usually enough to trigger an update. Click the three-vertical-dots menu button, then choose Help > About.

If you have several hours to kill, you might want to check out the change log for Chrome 59.0.3071.86, which by my count contains 10,911 entries.

Google’s new Chrome ad blocker raises questions

Google is giving web advertisers until the end of the year to comply with the standards set by the Coalition for Better Ads, after which a new ad-blocker in Chrome will start blocking non-compliant ads.

This raises some interesting questions.

Google is the biggest provider of advertising services on the web. Will Google block ads from its own platform if they don’t meet the new standards? That scenario, while interesting to ponder, is unlikely to occur, since Google’s ad creation tools will presumably prevent it.

If Google’s ads are unlikely to be blocked, won’t this be viewed as anti-competitive behaviour by other advertisers? Google will point to the independent standards set up by the CBA, but will that be enough? Less-reputable advertising providers — those allowing the sorts of ads Google wants to block — stand to lose significant revenue. These days it doesn’t take much to trigger a lawsuit, and Google is a favourite target for litigation, because it has enormously deep pockets.

From the user perspective, Chrome’s new ad blocker will be purely beneficial. Opera already has a built-in ad blocker, and it’s likely that the other major browser makers are working on similar features. But there are weird times ahead for Google.

Google improves GMail security

I’ve tried other search services, but I always end up back at Google, because the search results are consistently better. Google does collect information about its users, and uses that information to target advertising. Google also looks at the content of GMail messages for the same reason. If that bothers you, there are ways to prevent it, or you can stop using Google’s products and services.

That said, in all my years of using Google’s services, I’ve never encountered anything that made me want to stop using them. Google does occasionally annoy me by dropping services like Reader, and Google’s advertising is ridiculously overpriced, but on balance the company provides far more benefit than any potential harm.

For example, Google spends enormous amounts of time and resources on making the web safer for everyone. Much of that effort goes unheralded, but occasionally we catch glimpses in the form of blog posts, like this one, describing recent improvements to GMail security. Compare that with Yahoo’s recent track record, which clearly shows that user security and privacy are not a priority at that company.