UN Advised on Wireless Insecurity

otisaardvark writes "There's an article on the BBC about how the UN is being briefed on the problems of wireless networks. Predictable conclusions - security is mainly compromised through human, not technological factors."

Secure?

[vidarlo]

What would be secure?
Although it is encrypted, it is most likely that within two years, it will be possible to crack this.
Cables are securer.

It's like cellphones all over again

[wackybrit]

Back in the 80s you could buy a cellphone and then by using a scanner, could tune into the frequency used by the phone to intercept calls. If you were really clever, and had the right *cough* 'dodgy' software you could send control messages to the phone to activate the mouthpiece, so you can literally tap people.

Cellphones were new, and people just wanted them for the coolness/convenience factor and didn't realize the security ramifications.

In the corporate world there's a certain apathy to hackers. Many execs think.. 'No hacker would be interested in our data, it's just boring business stuff'. That may be so, but when the cops are sniffing your CEO downloading kiddy porn and some script kiddie has just deleted all of your mail, you will think again.

Wireless networks are similar to cellphones in this regard. Companies think they're cool and convenient, so they're hopping on the bandwagon.

So, we need to do what they did with cellphones. Digitally modulate the data over the wireless network and encrypt it within the hardware. Waiting for people to install their own security systems is futile. The manufacturers should make wireless devices encrypt on the fly, just like cellphones do.

This will benefit most companies, since they can dabble in inside trading, downloading warez, etc, and the Feds won't be able to track it, so it benefits everyone really.

Re:It's like cellphones all over again

[LostCluster]

It always seems to go that every new technology is designed to be a straightforward as possible at first, and we all realize that there's a need to encrypt for the sake of security.

Why doesn't anybody ever release the secure version in the first place?

Tuned-in and turned-on

[Trane+Francks]

Yeah, back in the late-'70s, I had a multi-band radio that could pick up cellular conversations. As a teenager back then, I had an absolute blast listening to calls. It was better than TV. And I promise you, covertly listening in to a hot call between a guy and his girl when you're 16 years old is pretty impressive stuff! :lol:

I never got into blue-box stuff, but pre-scrambled cellular was heaps of fun.

the major problem with wireless...

[MarvinMouse]

Is that it is so darned easy to listen into the communications. If you can listen in, and interfere with little effort, instantly many attacks become available to you, especially man in the middle attacks.

But, not only can you break into the network, most of the time, you can actively listen in, and just record everything until you get the encryption code in the future (which is actually a pretty easy thing to do with some social engineering.)

If you want the data to be secure use fiberglass wiring, it is the most secure, but if you want convinience, then you'll have to trade off some of the security in enchange for a easier system to use. It's really as simple as that. It's not the human factor, is the human desire for convinience that commonly leads to the largest security breaches.

Why is it insecure

[goombah99]

I hear referecnes to wireless security issues but I dont understand why wireless is insecure. Can anyone offer a primer or a few good examples?

For example, are the data links insecure--I dont think so as most are now 128bit encrypted, right?

could it be that access to the local net offering a way around the firewall? Dont some, or maybe all, wi-fi links have built in capabitlity for password protected connections. If so does this not make them as good as any firewall?

So is the whole problem just people not activating these feature? if so is this not just the same as any other unprotected wired network when people dont turn on their firewall?

Re:Why is it insecure: follow up

[goombah99]

> Beacon frames are not encrypted, MAC addresses are not encrypted. Capture approx 1Gb of network traffic and you can decrypt the WEP key.

COuld someone elaborate here. Why is a WEP key more vulnerable than say an SSH key? Why is it insecure to have unencrypted Beacon frames and MAC addressses. What info is being given up by these or how can these be exploited in a way particular to wireless?

and given encrypted transmissions why is WiFi more suceptible to man-in-the-middle attacks than any SSH connection?

"Good enough" wireless?

[MacAndrew]

I'm using an 802.11b network with 128-bit encryption, meaningless passwords (not "admin" or "router"), and the WAP will recognize only the MAC of the portable (yes, that can be spoofed, but it keeps out random strangers). Finally, the access point is in the basement, so its reception zone is mostly up, not horizontal.

There could be specific weaknesses in my brands of hardware, but that's another problem.

Am I mistaken that this provides reasonably good security? I don't expect to screen out the NSA, but do most snoops. If not, can someone type up a checklist for the well-meaning but slight clueless 802.11 administrator?

Human error certainly includes misconfiguration, but if configuration is too hard for most people to understand I think it is the technology that is faulty -- human factors design and all that.

I'm glad they're making these weaknesses more public. Doonesbury did a good job in the Sunday strip a while ago.

I don`t use WEP because..

I haven`t trusted WEP since it was introduced because I didn`t know how it worked. When the flaws were discovered it really came as no suprise to me to be honest.

I think it makes sense to treat your WLAN like a direct Internet connection, ie. all packets could be snooped/intercepted/changed etc. If you want security use ssh or https.