Wireless not worth hacking?

Times have changed

Opinion: For four years, I've been pretty clear about my personal opinions on wireless hackers. I don't worry about them. So when I say: "It's time to worry about wireless hackers," it's not just another security consultant scare story being recycled - it's because I think things have changed.

What has changed? Easy: corporate networks have changed. It's no longer as easy as it was to penetrate a corporate firewall and compromise PCs on the LAN.

By comparison, the Wireless LAN is a softer target.

Ever since the first WiFi devices went on sale, people worried about the fact that other computer users might "share" their own wireless internet. And within days of the first warnings being posted about that, consultants began whipping up business by saying: "I drove down Whitehall and I saw a hundred insecure wireless networks!" or whatever town they lived in.

I was very relaxed about it. "It's not a problem," I said. "Nobody is going to hack into your computer. What on earth would they get out of it?"

When the first easy hack of Wired Equivalent Privacy (WEP) encryption was published, I remained relaxed. Yes, it's possible to park a van outside my house with a PC inside, and run a WEP-cracker program. After two hours or so, you will probably be able to log onto my PC network, and use my internet. So... why would you?

My logic was pretty simply explained:- There are easier ways of getting an internet connection. If the hacker is one of my neighbours, then I think it's pretty unlikely they'll do it just to get internet. After all, the sort of person who has hacking skills is, typically, the sort of person who has a higher speed connection already than mine.

Are they going to spy on my computer? Hardly. The chances of hitting pay dirt look dim. My disk is packed with photographs of my family, and if you want to see the good ones, they're on FLICKR like everybody else's pix. All you get is the dross - out of focus, camera shake. Oh, and there's the incredibly tempting treasure trove of archive material - Personal Computer World columns going way back. Yes, I can just see a hacker cracking evil knuckles over the discovery of such a rich seam... NOT.

I do recommend using WEP. It's like shutting your front door: nobody is going to pretend that a front door would stop a serious criminal with a battering ram. But it will stop your neighbours from marching in and helping themselves from your fridge. And it's frankly a nuisance if your neighbours don't realise that the hotspot they are using isn't their own. They log onto "Linksys" because you set yours up with the default identity, and then they try to print something - and it comes out on your printer. An email from Auntie Nora. Oh, boy, boy, boy...

And the alternative hacker would be someone with a van. If you had a van equipped for hacking, why would you drive all the way into my street, feed the meter, and sit outside draining your car battery, when all you get is access to some nerd's PC?

But this isn't true, not any more. I think it was true a year ago, but over the last year, intrusion detection and prevention software - and hardware - has become really very clever.

Professional hackers exist. They work for shady groups involved in organised crime, and their way of making money is to compromise ten thousand PCs around the world with a virus or a trojan, and then launch all ten thousand in a denial of service attack on some corporate web site. With ten thousand machines all pinging one web site a hundred times a second, legitimate customers are crowded out, and massive damage is done to business.

The standard scam is to target an online bookmaker. Wait till the day before a big race or a global football match, and then release your bots for half an hour. Then send the message: "Send money, or we do the same thing tomorrow."

But you need a lot of bots. Once compromised, these PCs are quite easy to spot. So, within a few days or weeks you need new ones.

And it's not as easy as it was. Corporate virus protection is good. Intrusions are quickly spotted, compromised machines easily detected. You have to find ways of getting at that soft chewy centre before they know there's an exploit in the wild, and you have to do it without triggering safeguards.

What the pro hackers are doing, I'm told, is using the corporate laptop as their target.

Two nice, easy ways to do that. Either, sit outside the corporate campus with a powerful WiFi beacon, and create a link that looks like the corporate LAN. Then wait for users to log onto you, instead of the official signal, and collect passwords.

Alternatively, wait till the owner leaves the building.

At Air Defense, they say they're seeing deliberate targeting of individual PC owners. The financial director, in his office, is a tough nut to crack. But when he takes his laptop home for the weekend, he's logging onto a domestic wireless hotspot, which has none of the sophisticated safeguards that protect it at the office. And, typically, a senior executive has not yet been trained to leave important corporate information on the office server. They have an 80 gigabyte disk! - it's full of spreadsheets and databases.

And they also say they're seeing the coffee bar being targeted. Good, old-fashioned hacking tricks like the "evil twin" and "man in the middle" hacks mean that you can behave in all respects like the official Starbucks hub, but record all the transactions. Next thing you're logged onto the corporate LAN with full user privileges. Or you've loaded a trojan onto the laptop, and you know that next time it connects to the office LAN, a brand-new virus will compromise all the office PCs.

The logic of this depends on having a new exploit, which the office anti-virus software hasn't heard about. But chances are, the mobile user hasn't connected to the office anti-virus network for a day or so, and is vulnerable.

The trend is starting to frighten corporate IT managers. They are taking simple, direct action: insisting that employees work from desktop PCs, and stop being given laptops.

If that's a large-scale trend which gathers momentum over the next twelve months, you might expect to see the PC business suffer. The margins on portable machines are noticeably better, and costs of desktop machines are absurdly low - a $500 machine is good for anybody who isn't a mad gamer.

I think, though, the opposite may happen. I think people will continue to want notebook machines at home, and if the company doesn't give them one to take home, they may buy one of their own, thus effectively doubling the number of computers used.

We'll see which way it goes.

Copyright © Newswireless.net