Oh our love of wifi. We have all seen the funny access point
names and usually it is nice to see them instead of the generic
“Linksys”. Wifi has come a long way in its short history from
being totally insecure to a relative state of being secure we have
today. What is really crazy to me is that there are still people
utilizing WEP. It makes me wonder why the manufacturers are even
including WEP into their equipment when it has been cracked for a
long time now.
Due to the way that WEP encrypts its data there is a weakness in
the algorithm. Thankfully there has been evolutions in the way wifi
is encrypted and we now have WPA and WPA2. Here is the deal though.
Your data is only kind of secure. Wireless is transmitted to places
you probably didn't think of someone can pick up the signal when you
really didn't want them to. Do you have a shared bathroom for your
workplace with another company? Someone could be sitting in the
stall capturing traffic on their lunch break. Sound like it would
never happen right? Wifi can go further than you may think and if
someone has the time to spend sniffing your network then you could be
compromised.
Another aspect to this is the rogue access point. If your company
allows personal devices in the workplace they may still want to get
on the internet with that device. Thing is your company doesn't
allow them to connect it. Next thing you know they have brought an
access point from home and connected it to your network without you
knowing. In a worst case situation they even left it unsecure and
now you have all sorts of people accessing your network and using
your internet connection for crazy things.
On the lesser side of the scale is bluetooth. Its great for
connecting small devices to your phone or laptop but is still an area
of concern for security professionals. Blue jacking and bluesnarfing
are the main things that come to the front when addressing bluetooth
issues. Ever got some strange spam message on your phone and your
not sure where it came from? That would be blue jacking. The name
is a little missleading as they are not actually taking over your
phone. Bluesnarfing is where they actually are able to gain access
to your phone and check out your contacts, files, etc.
I was once on a forum where someone wrote their company was 99%
wireless. This made me really nervous for their company. There is a
common misconception that your network is secure with WPA2 and that
no matter what, no one will see your data. Well I am sure that is
what they said for WEP too. Here is the deal. Wifi traffic can be
captured and saved forever and then decrypted later. Lets say a
competitor has been logging your wifi traffic for the last 6 months.
They havn't been able to see what is on it but they still have it.
Tomorrow there is a crack released for WPA2 allowing an attacker to
see your network key, network traffic, etc with the click of a
button. Not only is the attacker able to see the traffic moving
forward but they would be able to use the crack against the logged
network traffic. They now have all your company secrets for the last
6 months.
-- Joe McShinsky
Sunday, June 17, 2012
Subscribe to:
Posts (Atom)