« Google Changes to Privacy Practices
Filing your taxes online? »

More news on Wireless Insecurity

April 5th, 2007 by Lance Cottrell

I was just sent a link to an improved attack on WEP for WiFi. WEP (Wired Equivalent Privacy) is no such thing. Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann at the technical university Darmstadt in Germany have a paper and proof of concept implementation of an improved attack on WEP. This attack should be able to compromise WEP security in under a minute under normal conditions with an inexpensive laptop.

In reality over half of deployed wireless nodes have no security enabled at all, so WEP is certainly an improvement on that. A much better solution exists called WPA. It is available on almost all WiFi devices, and should be used wherever possible. While WPA is not perfect, there are no efficient attacks against WPA, however experts are still not confident in its security. If you have a high security application, stick with a wire, and/or use a strong VPN within the WiFI connection. I am a belt and suspenders kind of guy, so I like to use multiple layers of security whenever possible.

- Lance Cottrell

Posted in Security Breaches, Wi-Fi
PermaLink
Digg this Add to del.icio.us Add Redit
This entry was posted on Thursday, April 5th, 2007 at 3:05 pm and is filed under Security Breaches, Wi-Fi. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses to “More news on Wireless Insecurity”

  1. Ardan Michael Blum Says:
    May 3rd, 2007 at 2:14 pm

    The best security is the good old computer MAC ADDRESS on the router and then to switch all your communication onto a ssh proxy.

    To use a “secure” WPA is starting off with a myth: Every type of WIFI connection can be gotten to with simple open source tools such as aicrack AND wireshark, etc.

    Safe surfing is, to me:

    1) PGP or cryptoheaven.com emailing.
    2) ssh or TNS from the great Anonymizer.com
    3) anti-keylogger set up
    4) Trend Micro PC or F-Secure walls
    5) a few extra things.

    AM

  2. lance Says:
    May 4th, 2007 at 9:18 am

    Fundamentally, I agree with you. To my mind, WEP is broken, while WPA is untrustworthy. There is clearly a huge difference in the level of security between the two, but neither should ever be trusted with sensitive content.

    PGP, SSH and TNS (thanks for the plug) are very effective. PGP and SSH are very flexible and powerful tools. In my experience they are beyond the skills of most Internet users.

    MAC Address (the hardware address of the WiFi or Ethernet card) authentication is very important, but is not difficult to spoof.

    At the end of the day it is all about layered security and risk management. Risk elimination is unachievable.

Leave a Reply