UN Advised on Wireless Insecurity
otisaardvark writes "There's an article on the BBC about how the UN is being briefed on the problems of wireless networks. Predictable conclusions - security is mainly compromised through human, not technological factors."
What would be secure?
Although it is encrypted, it is most likely that within two years, it will be possible to crack this.
Cables are securer.
Assembling etherkillers for fun and profit
Back in the 80s you could buy a cellphone and then by using a scanner, could tune into the frequency used by the phone to intercept calls. If you were really clever, and had the right *cough* 'dodgy' software you could send control messages to the phone to activate the mouthpiece, so you can literally tap people.
Cellphones were new, and people just wanted them for the coolness/convenience factor and didn't realize the security ramifications.
In the corporate world there's a certain apathy to hackers. Many execs think.. 'No hacker would be interested in our data, it's just boring business stuff'. That may be so, but when the cops are sniffing your CEO downloading kiddy porn and some script kiddie has just deleted all of your mail, you will think again.
Wireless networks are similar to cellphones in this regard. Companies think they're cool and convenient, so they're hopping on the bandwagon.
So, we need to do what they did with cellphones. Digitally modulate the data over the wireless network and encrypt it within the hardware. Waiting for people to install their own security systems is futile. The manufacturers should make wireless devices encrypt on the fly, just like cellphones do.
This will benefit most companies, since they can dabble in inside trading, downloading warez, etc, and the Feds won't be able to track it, so it benefits everyone really.
mogorific carpentry experiments
Whenever any product ships with pre-set default passwords or settings, there is always a segment of the population who will plug it in, see that it's working, and walk away. When a user plugs in a WiFi router, it should require the user to either turn on WEP, or make the user very aware that using the router in its default mode allows any other WiFi device that comes within range to connect, and that includes people who you might not want to let in.
Some people actually want to provide free bandwidth to the community, and I can't blame them for that. However, users need to know when they set themselves up with no security, that will be interpreted by the world as an open invitation for the public to come on in. If you want to block that, enable some sort of security.
Yeah, back in the late-'70s, I had a multi-band radio that could pick up cellular conversations. As a teenager back then, I had an absolute blast listening to calls. It was better than TV. And I promise you, covertly listening in to a hot call between a guy and his girl when you're 16 years old is pretty impressive stuff! :lol:
I never got into blue-box stuff, but pre-scrambled cellular was heaps of fun.
Last time I checked (and it's my job to) WEP and wireless security are still broken, as far as standards are concerned. 802.1x (PEAP, LEAP, whatever you want to call it) isn't appropriate in all (or even most, IMHO) situations, and fixes to WEP like TKIP aren't widely deployed.
Wireless will continue to have security issues as long as the underlying security technology is broken and is hard to deploy in a secure, stable, and manageable fashion.
That's a technology factor in my book.
Predictable conclusions - security is mainly compromised through human, not technological factors.
Presumably this is referring to the human failing that was responsible for the flaws in 802.11b design? 802.11b simply *cannot* be made secure. Beacon frames are not encrypted, MAC addresses are not encrypted. Capture approx 1Gb of network traffic and you can decrypt the WEP key. Once you do that, you are in. There is little difference between the time needed to crack 40bit and 128bit WEP keys.
Do not deploy an 802.11b network in an environment where you would not fix cabled LAN ports to the outside of your building with flashing neon signs pointing to them with "PLUG IN HERE!" written on them.
Roll on a truly secure standard.
Is that it is so darned easy to listen into the communications. If you can listen in, and interfere with little effort, instantly many attacks become available to you, especially man in the middle attacks.
But, not only can you break into the network, most of the time, you can actively listen in, and just record everything until you get the encryption code in the future (which is actually a pretty easy thing to do with some social engineering.)
If you want the data to be secure use fiberglass wiring, it is the most secure, but if you want convenience, then you'll have to trade off some of the security in exchange for an easier system to use. It's really as simple as that. It's not the human factor, it's the human desire for convenience that commonly leads to the largest security breaches.
~ kjrose
For example, are the data links insecure--I don't think so as most are now 128bit encrypted, right?
Could it be that access to the local net is offering a way around the firewall? Don't some, or maybe all, wi-fi links have built in capability for password protected connections? If so does this not make them as good as any firewall?
So is the whole problem just people not activating these features? If so is this not just the same as any other unprotected wired network when people don't turn on their firewall?
Some drink at the fountain of knowledge. Others just gargle.
Could someone elaborate here? Why is a WEP key more vulnerable than say an SSH key? Why is it insecure to have unencrypted Beacon frames and MAC addresses? What info is being given up by these or how can these be exploited in a way particular to wireless?
And given encrypted transmissions why is WiFi more susceptible to man-in-the-middle attacks than any SSH connection?
Some drink at the fountain of knowledge. Others just gargle.
Ok... that's it now, I'm gonna sit on my roof watchin for those black helicopters, the UN world government ain't gonna get any wireless network of mine, that's if I had one, anyway, nobody is taking my dirt farm off me!
Hrm... where's that foil hat, I hope I don't find another of those inside out cows.
Over and out.
But surely if you want to provide wireless capabilities on your corporate network you put the access point in a DMZ and have users come in via a VPN, just as if they were working from home and connecting over the "public" Internet.
I'm using an 802.11b network with 128-bit encryption, meaningless passwords (not "admin" or "router"), and the WAP will recognize only the MAC of the portable (yes, that can be spoofed, but it keeps out random strangers). Finally, the access point is in the basement, so its reception zone is mostly up, not horizontal.
There could be specific weaknesses in my brands of hardware, but that's another problem.
Am I mistaken that this provides reasonably good security? I don't expect to screen out the NSA, but do most snoops. If not, can someone type up a checklist for the well-meaning but slightly clueless 802.11 administrator?
Human error certainly includes misconfiguration, but if configuration is too hard for most people to understand I think it is the technology that is faulty -- human factors design and all that.
I'm glad they're making these weaknesses more public. Doonesbury did a good job in the Sunday strip a while ago.
First thing in a Google search for WEP: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
The difference is that openssl is implemented more rigorously than WEP. IANAC (I am not a cryptographer), but it sounds like the WEP folks put it into place without sufficient review and now we are stuck with a less-than-robustly-designed standard.
Sometimes, combining two encryption methods can result in something weaker than either of the two original methods, in that they kind of partially decrypt each other.
There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
Although it is encrypted, it is most likely that within two years, it will be possible to crack this.
Cables are securer.
With a wire cutter I can crack a cable today. Cables are not more secure. They are just slightly less accessible.
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
No way.
Chances are I could walk into your company, put a box on a desk, plug it into the wall and come back next week to collect it without anyone noticing.
Your cables are just as naked as your wireless is.
You want real security? Think biometrics. Think Faraday Cage.
"There's an article on the BBC about how the UN is being briefed on the problems of wireless networks. Predictable conclusions - security is mainly compromised through human, not technological factors."
So... what does the UN not want the general public to know? Heck, should the UN even be making calls like that?
I haven't trusted WEP since it was introduced because I didn't know how it worked. When the flaws were discovered it really came as no surprise to me to be honest.
I think it makes sense to treat your WLAN like a direct Internet connection, ie. all packets could be snooped/intercepted/changed etc. If you want security use ssh or https.
You can make wireless (802.1x) as secure as wired by putting all your wireless users on a VPN. Unsecured wireless users are just like having open access to the insides of your network and completely bypassing peripheral security measures like firewalls. The real question is how to make *all* your computing and networking resources more secure. Wirelessness per se won't be the problem.
CERIAS is part of Purdue University, not Indiana University. I'm sure heads will roll when Coach Keady finds out about this. 8)
--
Ed
The paper by Fluhrer, Mantin & Shamir talks about several weaknesses in the key scheduling algorithm of RC4. The paper by Borisov, Goldberg and Wagner "Intercepting Mobile Communications" talks about keystream reuse. I am quite puzzled between the two. I believe the earlier is a direct weakness to RC4 but Borisov's paper does not reference this at all. Can somebody please fill me in?
- Very insecure (no passwords, all users can do everything).
- Have a bad GUI (no one knows how the users will use it yet).
- Filled with bugs.
And since no one ever has time for a complete refactoring of the code (not a rewrite from scratch)... then that stuff usually never gets fixed in future versions.
Furthermore, the Aberdeen Group reports that more than 50 percent of all security advisories that CERT issued in the first 10 months of 2002 were for Linux and other open-source software solutions. The report muddles the argument that proprietary software such as Windows is inherently less secure than open solutions. And here's another blow to the status quo: Proprietary UNIX solutions were responsible for just as many security advisories as Linux in the same time period. Could Windows be the most secure mainstream OS available today? Let me see, Linux in the first ten months was responsible for 50% of security advisories. Prop. Unixes were responsible for just as many, which equals the other 50%. So altogether Linux/Unix were responsible for all the advisories, M$ DOG/3.1/95/98/2000/XP none, Mac none, all the other non-unix OS none. Yeah, and Saddam really got 100% of the votes in Iraq.
My favourite quote from the whole article:
"Wireless technology is going to be deployed across the globe either securely or insecurely" --David Black, Accenture
Now that doesn't seem obvious does it?
The Welkin: Online Music Reviews
To the responders, thank you. I'd like to draw folks' attention to the "good enough" portion of my query. After all, encryption is just a game of staying a step ahead of the decrypters.
:)
Because any practical encryption can be cracked -- I assume SSL and whatever underlies ssh and, with difficulty, PGP -- what is "adequate" under what is currently readily available? Anything? I get the sense that breaking into a secured (not "secure") 802.11 link at least requires more than just getting a scanner to tap analog cellphones. (Remember Newt Gingrich's indiscretion?)
Last, it should be reiterated that human weaknesses such as social engineering and administrator goofs are the most likely and traditional sources of security breaches. Thus a need for regular independent audits by trusted (gasp) humans.
One more time, in regular English? I understood everything up to "nope." :)
VPN does raise the security bar, but isn't a direct answer to wireless security. I'd prefer all of my wireless communications to be private.
I also posted a follow-up to the original post which may clarify my intent.
I don't get what the fuss with relying on WEP for wireless security is. Regular ethernet is not encrypted. You could just plug a laptop into a hub and run tcpdump to sniff if you really wanted to. If we use the same security measures over wireless that we do over wired ethernet (VPN, SSL/SSH, Kerberos), who cares about WEP?
How many heists of credit card numbers are done online? Compare this to how many heists of credit card numbers are done meatside.
Meatside wins. You know why? It's a hell of a lot easier to make Joe Blow think you're someone you're not, than it is to neutralize computerized security.
Remember kids, Mitnick "hacked" the minds of people more than he did computers. So did the other famous 'ev1l l33t h4x0rZ!'.
"Code Red!" you shout. "Nimda!" you cry. These incidents and others aren't even related to the above. These were the result of script kiddies and the weakness of human security. Any dolt who got nailed by Code Red, for example, deserved it - Microsoft had a patch out long before the shit hit the fan.
Wireless is a nightmare waiting to happen. It isn't secure out of the box. It isn't 'as secure' as hard wire, even if it is encrypted. One can just pull data out of the air with wireless; one needs to actually defeat rent a cops with water pistols to jack into a hard-wired system with a laptop.
What happens when the clueless do a wireless install at the office, fail to utilize encryption, and pretty much leave things wide open? Won't happen? It's happening now, and if the infamous Microsoft worms weren't enough of a display that it *will* happen..
Security. Ahh, blessed security. Fire your damnable MCSE's, take the donuts out of the rent-a-cop office and give out higher salaries all around.
Oh, and remember, make sure the 'computer-knowledgeable' secretaries know NOT TO GIVE OUT THEIR FRIGGIN PASSWORDS TO ANYONE.
K thx bye.
Thank God, the UN has finally been briefed. I guess we can look forward to some sort of wireless security "task force", perhaps a number of UN Conferences on Wireless Security, and then some resolutions blaming wireless insecurity on the US and Israel.
At least with cleartext, people who care about security, but might not know how secure something is, will turn on encryption via SSL or SSH.
With WEP, people may think that since it isn't sent in the clear, they don't have to go and encrypt their IP traffic which is going over it.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Seems to me that if everything was encrypted there would be more money being spent by [insert favourite government agency here] to crack the encryption. This would suck, because we'd continually need to come up with new encryption methods, generate larger keys, etc. in order to keep out prying eyes.
So I say, let most of the traffic be unencrypted so that the [insert same favourite government agency here] doesn't have a hard time finding illegal activity so that their "need" to crack encryption (at least from [government agency]'s point of view) is small.
That said, most of the really bad evils already use encryption, so maybe it's a moot point. Maybe.
[insert witty comment here]
And an undeserved -1 at that.
Your western pal
It is an important and popular fact that things are not always what
they seem. For instance, on the planet Earth, man had always assumed
that he was more intelligent than dolphins because he had achieved so
much -- the wheel, New York, wars and so on -- whilst all the dolphins
had ever done was muck about in the water having a good time. But
conversely, the dolphins had always believed that they were far more
intelligent than man -- for precisely the same reasons.
Curiously enough, the dolphins had long known of the impending
destruction of the planet Earth and had made many attempts to
alert mankind to the danger; but most of their communications were
misinterpreted
-- Douglas Adams "The Hitchhikers' Guide To The Galaxy"
- this post brought to you by the Automated Last Post Generator...