Wednesday, April 6, 2005

WEP is even easier to crack than we thought

A proof of concept demonstration by the FBI, using some tools available in the public domain, showed that it is possible to break the security that is provided by WEP in three minutes. Previously it took a while longer because so many packets had to be captured to run a full analysis on them. The new tools use statistical techniques that focus on semi random 24 bit (IV) numbers that are captured and then a dictionary attack completes the method used to obtain the key in such a short period of time.

Considering that a lot of wireless access points are not even using WEP, one one think that it's not too much of a problem as most are wise open anyway. Although totally true, it's just as bad having no security as thinking you are safe when really you're not. In fact, it could pose more of a problem when a false sense of security is in place. For example, if someone knew their network was wide open they would be less likely to store sensitive information. It's not always the case, but would be most of the time.

If they thought their network was secure and locked down, they'd impose less restrictions on storing sensitive information so have have a false sense of security is asking for trouble. Security through obscurity doesn't always work, but it can help. Although it should not be the only line of defence, in regards to wireless there are some easy things you can do.

Using certain tools, you can create thousands of fake access points, which protects your real one to a certain degree. Using this approach along with WPA instead of WEP greatly reduces the chances of your network being penetrated via a wireless access point. There are firmware upgrades for most wireless devices now which will allow you to use WPA instead of WEP. Of course, all of this does not apply if your access point is wise open and most are, a lot of them are not even rogue!

Post ID: 719, posted by jase at 01:58 PM
Permalink | TrackBack ID: 692, (0) | Category: Security | Google Search
Comments
Post a comment

Thanks for signing in, . Now you can comment. (sign out)

(If you haven't left a comment here before, you may need to be approved before your comment will appear.)


Remember me?


Valve Media Ltd
Search Engine Compliance