UN Advised on Wireless Insecurity
otisaardvark writes "There's an article on the BBC about how the UN is being briefed on the problems of wireless networks. Predictable conclusions - security is mainly compromised through human, not technological factors."
Whenever any product ships with pre-set default passwords or settings, there is always a segment of the population who will plug it in, see that it's working, and walk away. When a user plugs in a WiFi router, it should require the user to either turn on WEP, or make the user very aware that using the router in its default mode allows any other WiFi device that comes within range to connect, and that includes people who you might not want to let in.
Some people actually want to provide free bandwidth to the community, and I can't blame them for that. However, users need to know when they set themselves up with no security, that will be interpreted by the world as an open invitation for the public to come on in. If you want to block that, enable some sort of security.
Last time I checked (and it's my job to) WEP and wireless security are still broken, as far as standards are concerned. 802.1x (PEAP, LEAP, whatever you want to call it) isn't appropriate in all (or even most, IMHO) situations, and fixes to WEP like TKIP aren't widely deployed.
Wireless will continue to have security issues as long as the underlying security technology is broken and is hard to deploy in a secure, stable, and manageable fashion.
That's a technology factor in my book.
Predictable conclusions - security is mainly compromised through human, not technological factors.
Presumably this is referring to the human failing that was responsible for the flaws in 802.11b design? 802.11b simply *cannot* be made secure. Beacon frames are not encrypted, MAC addresses are not encrypted. Capture approx 1Gb of network traffic and you can decrypt the WEP key. Once you do that, you are in. There is little difference between the time needed to crack 40bit and 128bit WEP keys.
Do not deploy an 802.11b network in an environment where you would not fix cabled LAN ports to the outside of your building with flashing neon signs pointing to them with "PLUG IN HERE!" written on them.
Roll on a truly secure standard.
Then they won't be able to charge you twice.
This has been pointed out before by a zillion different people but some might be new to the thought: if all traffic were encrypted in the first place then we wouldn't ever have had all these problems with sniffing. Of course any packet sniffing you want to do would have to be done on the destination or the endpoint, so perhaps only the significant part of the payload should be encrypted while the control messages (at least those for handshaking) should be let alone.
If ALL traffic were encrypted the difficulty of intercepting "important" encrypted messages would go up and become much more difficult.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Why doesn't anybody ever release the secure version in the first place?
Why sell anyone the secure version when you can sell them the insecure version AND the secure version, in that order?
Short answer: Yes, you are mistaken.
Longer answers: Here, here, or here.
Assuming your neighbors are clueless luddites who have to call you when their printer runs out of paper, WEP will prevent them from borrowing your Internet uplink bandwidth. Against a determined attacker, WEP, MAC filtering, and most of the other features built into modern 802.11a/b APs are ineffective.
On the other hand, you may not care.
Eg, my home machines are all secured and I do regular audits and scans. Any sensitive communication (eg, logging into a machine at work) happens over ssh and so is protected. So the only thing a script kiddie can do is watch my web traffic (which he is welcome to do), borrow my bandwidth (which would probably be noticed), and maybe try DoSing my home network (which is easy to fix).
All of the above was also true when my home network was wired. The move to 802.11b just traded a decrease in security for an increase in convenience (ah, reading /. while sitting on the deck).
As Schneier has said, security just buys you time. In the case of 802.11 (or for that matter, any wireless protocol), it takes significantly less time for the security to be breached than it would if the wired protocol was in use. If that worries you, don't use 802.11 networking, cordless phones, or cell phones, or adjust the sensitivity of your traffic to suit the medium.
Security is about risk management, nothing more. Is it possible that some kid can break your connection? Yeah. Sure. Are they going to? I *seriously* doubt it. Why would they bother? To sniff your traffic? Ooooh. They'll see me reading slashdot. They may even get my slashdot password! Darn. They'll steal my Visa number! Um, nope, because that's over SSL. And my terminal connections are SSH. Email? Maybe, but I consider that a "public postcard" anyways, and I can and do use GPG when necessary. There is no traffic from my network that would make me a deliberate target of a snoop. Nobody would ever -plan- to hit my network and snoop my traffic or attack my boxes. Of course, if I was a business or had some kind of trade secrets, maybe they would (and this would change the situation).
So what does that leave? That leaves people who happen on my network at random, and decide to try to use it for access or for kicks.
Maybe your area is different, but in my neighbourhood, I can't drive more than half a block without finding a completely wide-open wireless lan. The usual density is much higher -- three or four to a block. And this is just me driving with my iBook propped open! Imagine if I actually used an external antenna! What does this mean? Nobody is going to go bother randomly cracking my network just to get bandwidth, when they can simply select another network and get it instantly.
The moral of the story? Consider your risks. I feel I have very little to risk: I have no "intellectual property" to protect, really. My email is essentially public anyhow. My boxes are up to date and as secure as they can be (I think). Wireless network has the benefit of amazing convenience. It is a small risk that I mitigate to an acceptable level. Therefore, it's a managed risk. That's all that matters in security.
In any field, find the strangest thing and then explore it. -John Archibald Wheeler
How many heists of credit card numbers are done online? Compare this to how many heists of credit card numbers are done meatside.
Meatside wins. You know why? It's a hell of a lot easier to make Joe Blow think you're someone you're not, than it is to neutralize computerized security.
Remember kids, Mitnick "hacked" the minds of people more than he did computers. So did the other famous 'ev1l l33t h4x0rZ!'.
"Code Red!" you shout. "Nimda!" you cry. These incidents and others aren't even related to the above. These were the result of script kiddies and the weakness of human security. Any dolt who got nailed by Code Red, for example, deserved it - Microsoft had a patch out long before the shit hit the fan.
Wireless is a nightmare waiting to happen. It isn't secure out of the box. It isn't 'as secure' as hard wire, even if it is encrypted. One can just pull data out of the air with wireless; one needs to actually defeat rent a cops with water pistols to jack into a hard-wired system with a laptop.
What happens when the clueless do a wireless install at the office, fail to utilize encryption, and pretty much leave things wide open? Won't happen? It's happening now, and if the infamous Microsoft worms weren't enough of a display that it *will* happen..
Security. Ahh, blessed security. Fire your damnable MCSEs, take the donuts out of the rent-a-cop office and give out higher salaries all around.
Oh, and remember, make sure the 'computer-knowledgeable' secretaries know NOT TO GIVE OUT THEIR FRIGGIN PASSWORDS TO ANYONE.
K thx bye.