You can't secure what you don't acknowledge.SM

Monday, January 26, 2009

A primer on WEP/WPA hacks & why it doesn't matter

If you can't justify spending $18.99 on the book I co-authored Hacking Wireless Networks For Dummies, then there's an alternative resource for you to at least be able learn about how WEP and WPA can be exploited. In this recent SearchNetworking.com tip, Lisa Phifer has taken the volumes and volumes of technical jabber about the known attacks against WEP and WPA and distilled them into a simple 5 minute read. Definitely worth checking out.

After reading it though, I thought....man, all of these technical details, all of these attacks, all of this effort to lock down wireless. With all due respect to the people who figured all of this stuff out, I still think it's pretty naive to focus a lot of security effort on this when there's so much other silly/simple/stupid stuff that needs to be fixed I've seen recently like:
  1. Web sites with spreadsheets containing Social Security numbers protected only by a really short and really easy to guess password
  2. Web apps with supposed multi-factor authentication controls that can be easily overridden and disabled
  3. Network shares sharing out entire drives full of sensitive files - all accessible by anyone on the network
  4. Firewalls with default installs and no passwords
  5. VoIP phones sitting in unmonitored lobbies that can simply be unplugged and provide direct network access to strangers
  6. Smartphones without even a trace of security enabled - not even a power-on password
  7. Laptops without encrypted drives
  8. Database servers without passwords
  9. Backups stored onsite in fireproof safes that aren't media rated
  10. Physical security CCTV control systems without passwords viewable/configurable by anyone on the network
  11. Missing patches that are easily-exploited with free tools providing full admin access to the system without the attacker ever having to log in
So stop focusing on the details and fix the obvious stuff first. And you can't assume everything's OK. You'll never know where you're vulnerable and where things stand unless and until you test your systems and your processes. Period.

Can you tell I'm passionate about this stuff? I could go on and on and on....but I won't.

No comments:

Post a Comment