Campus Response to Wi-Fi vulnerabilities (aka KRACK)
Dear Community Members,
Today the Internet is buzzing with reports of newly discovered vulnerabilities in WPA2, the security protocol that protects the confidentiality of Wi-Fi network connections. A bad actor could exploit these vulnerabilities on an unpatched Wi-Fi network or client to read encrypted communication and, in some cases, do additional harm such as changing the content of communications and spreading malware.
Computing Services has already patched the wireless network infrastructure on the Pittsburgh campus and is working with other campuses to confirm that patching is comprehensive. This secures CMU's networks. However, other Wi-Fi networks, your home wireless network, and your client devices (computers, mobile devices, etc.) may still be vulnerable. It will take time for all vendors to create patches, and even more time for those patches to be applied.
So what should you do?
- As always, watch for updates, whether at work or home, and apply patches when available.
- Exercise caution when using any untrusted Wi-Fi network. Look for the lock icon and/or "https://" in URLs before submitting credentials or other sensitive information such as credit card data.
- If you are connecting to a CMU resource from an off-campus wireless network, consider using a VPN connection for additional security.
Note that I'm offering very little new advice. These steps, combined with other basic security best practices, will protect you from old threats and vulnerabilities as well as new ones.
Steps to safeguard your identity, devices and data are outlined for you at www.cmu.edu/computing/safe/.
As a reminder, these include:
- Protect your Andrew userID and password.
- Configure your devices securely from the outset.
- Stay up to date with software patches and don't delay restarting your computer after patches have been applied.
- Verify the authenticity of links and unexpected attachments in email before clicking.
- Use a separate non-administrator account for day-to-day use.
- Run anti-virus software with current malware signatures.
- Have recoverable backups of your files and store them in a safe, off-line location.
- Report concerns immediately - if you see something, say something.
Thank you for following these best practices and for partnering with us to keep the university and each other safe on-line.
Please feel free to email me if you have questions, concerns, or suggestions for how we can improve.
Sincerely,
Mary Ann Blair
Chief Information Security Officer
Information Security Office
Carnegie Mellon University
ISO Hotline: 412-268-2044