You can't secure what you don't acknowledge.℠

Wednesday, November 13, 2013

Reaver Pro: a simple tool for cracking WPA on a LOT of wireless networks

If wireless security testing is on your radar, you need to get Reaver Pro. As I outlined in this Hacking For Dummies, 4th edition chapter, Reaver Pro is a great tool for cracking the WPA pre-shared key on all those consumer-grade wireless APs/routers that everyone installs in the enterprise.

The latest version of Reaver Pro is very simple to use. No live CDs or VMs to boot. You simply connect the device to your test system's Ethernet port, connect the power adapter, browse to 10.9.8.1, log in, and you're ready to roll. Here is a quick video overview and here is a screenshot showing its interface:






Terry Dunlap with Tactical Network Solutions (the company that created and sells Reaver Pro) has a great team of sharp guys...and they've been very responsive when prompted with my mostly dumb questions.

If anything, let Reaver Pro be a reminder of two things:
  1. WPA is a proven wireless security control that's only as good as the weakest link on your network.
  2. Consumer-grade wireless APs and routers don't have a place in a business setting - although they're on practically every network I see.
It seems to me that, with the advent of WPA, WPA2, and enterprise-grade wireless security controls, people have let their guard down a bit with wireless security.

Don't be that guy.

As I like to say, you can't secure what you don't acknowledge! WPS is enabled by default in most situations. It's broken. Even if you have the option to throttle PIN requests, you need to find WPS and disable it (even on your home wireless). The convenience factor it provides is just not worth the risk of someone gaining full access to your wireless (and likely wired) network.
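One way to "find WPS" across your own access points is to check whether their beacons advertise the WPS vendor element. The sketch below is an added example, not code from this post or from Tactical Network Solutions. It assumes you have already captured the tagged parameters of beacons from APs you manage; the helper names and sample beacons are constructed for illustration.

```python
import struct

WPS_OUI_TYPE = b"\x00\x50\xf2\x04"   # vendor element: Microsoft OUI + type 4 = WPS
ATTR_AP_SETUP_LOCKED = 0x1057        # value 1 = AP reports PIN setup locked

def iter_elements(tagged: bytes):
    """Yield (element_id, value) from 802.11 tagged parameters; stop if truncated."""
    i = 0
    while i + 2 <= len(tagged):
        eid, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2:i + 2 + length]
        if len(value) < length:
            return
        yield eid, value
        i += 2 + length

def parse_wps_attrs(body: bytes) -> dict:
    """Parse WPS attributes: 2-byte type, 2-byte length (big-endian), then value."""
    attrs, i = {}, 0
    while i + 4 <= len(body):
        atype, alen = struct.unpack_from(">HH", body, i)
        attrs[atype] = body[i + 4:i + 4 + alen]
        i += 4 + alen
    return attrs

def audit_beacon(tagged: bytes) -> dict:
    """Report the SSID, whether WPS is advertised, and whether setup is locked."""
    result = {"ssid": None, "wps": False, "locked": False}
    for eid, value in iter_elements(tagged):
        if eid == 0:                                   # SSID element
            result["ssid"] = value.decode("utf-8", "replace")
        elif eid == 221 and value.startswith(WPS_OUI_TYPE):
            result["wps"] = True
            attrs = parse_wps_attrs(value[4:])
            result["locked"] = attrs.get(ATTR_AP_SETUP_LOCKED) == b"\x01"
    return result

def ie(eid, value): return bytes([eid, len(value)]) + value
def tlv(atype, value): return struct.pack(">HH", atype, len(value)) + value

# Constructed sample beacons (not real captures): 0x104A = version, 0x1044 = WPS state
SAMPLE_BEACONS = [
    ie(0, b"branch-office") + ie(48, b"\x01\x00") + ie(221, WPS_OUI_TYPE + tlv(0x104A, b"\x10") + tlv(0x1044, b"\x02")),
    ie(0, b"lobby") + ie(221, WPS_OUI_TYPE + tlv(0x1044, b"\x02") + tlv(ATTR_AP_SETUP_LOCKED, b"\x01")),
    ie(0, b"corp") + ie(48, b"\x01\x00"),
]

def wps_findings(beacons=SAMPLE_BEACONS):
    """Return audit results for every beacon that still advertises WPS."""
    return [r for r in map(audit_beacon, beacons) if r["wps"]]
```

An AP that reports "locked" is only throttling PIN requests; it still appears in the findings because the goal is to turn WPS off entirely.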

Tuesday, November 12, 2013

Low information users and the challenges they create

Thanks to the political elite and the dumb masses they inspire, you've probably heard the term low information voter… In a nutshell, this term refers to people making a critical decision without knowing all the facts. As Winston Churchill once said, “The best case against Democracy is a five minute conversation with the average voter.”

Interestingly, this concept and quote make me think of information security and why we need to prepare ourselves for today’s threats. Have a five minute conversation with an average user on your network. Talk to them about what they do and don’t do, the decisions that they’re making regarding their computer usage, and so on, and it will likely become clear that we have a problem that we must solve.

If you're looking for answers to this human psychology challenge, here is a piece I wrote with tips for getting (and keeping) users on your side with IT and security.

Check out a related piece I wrote for Rapid7's blog:
Why business execs know more about security than you do

Best of luck! Keep in mind that sticktuitiveness is the key to all of this.