Wireless not worth hacking?
Times have changed
Opinion For four years, I've been pretty clear about my personal opinions on wireless hackers. I don't worry about them. So when I say: "It's time to worry about wireless hackers," it's not just another security consultant scare story being recycled - it's because I think things have changed.
What has changed? Easy: corporate networks have changed. It's no longer as easy as it was to penetrate a corporate firewall and compromise PCs on the LAN.
By comparison, the Wireless LAN is a softer target.
Ever since the first WiFi devices went on sale, people worried about the fact that other computer users might "share" their own wireless internet. And within days of the first warnings being posted about that, consultants began whipping up business by saying: "I drove down Whitehall and I saw a hundred insecure wireless networks!" or whatever town they lived in.
I was very relaxed about it. "It's not a problem," I said. "Nobody is going to hack into your computer. What on earth would they get out of it?
When the first easy hack of Wired Equivalent Privacy (WEP) encryption was published, I remained relaxed. Yes, it's possible to park a van outside my house with a PC inside, and run a WEP-cracker program. After two hours or so, you will probably be able to log onto my PC network, and use my internet. So... why would you?
My logic was pretty simply explained:- There are easier ways of getting an internet connection. If the hacker is one of my neighbours, then I think it's pretty unlikely they'll do it just to get internet. After all, the sort of person who has hacking skills is, typically, the sort of person who has a higher speed connection already than mine.
Are they going to spy on my computer? Hardly. The chances of hitting pay dirt look dim. My disk is packed with photographs of my family, and if you want to see the good ones, they're on FLICKR like everybody else's pix. All you get is the dross - out of focus, camera shake. Oh, and there's the incredibly tempting treasure trove of archive material - Personal Computer World columns going way back. Yes, I can just see a hacker cracking evil knuckles over the discovery of such a rich seam... NOT.
I do recommend using WEP. It's like shutting your front door: nobody is going to pretend that a front door would stop a serious criminal with a battering ram. But it will stop your neighbours from marching in and helping themselves from your fridge. And it's frankly a nuisance if your neighbours don't realise that the hotspot they are using isn't their own. They log onto "Linksys" because you set yours up with the default identity, and then they try to print something - and it comes out on your printer. An email from Auntie Nora. Oh, boy, boy, boy...
And the alternative hacker would be someone with a van. If you had a van equipped for hacking, why would you drive all the way into my street, feed the meter, and sit outside draining your car battery, when all you get is access to some nerd's PC?
But this isn't true, not any more. I think it was true a year ago, but over the last year, intrusion detection and prevention software - and hardware - has become really very clever.
Professional hackers exist. They work for shady groups involved in organised crime, and their way of making money is to compromise ten thousand PCs around the world with a virus or a trojan, and then launch all ten thousand in a denial of service attack on some corporate web site. With ten thousand machines all pinging one web site a hundred times a second, legitimate customers are crowded out, and massive damage is done to business.
The standard scam is to target an online bookmaker. Wait till the day before a big race or a global football match, and then release your bots for half an hour. Then send the message: "Send money, or we do the same thing tomorrow."
But you need a lot of bots. Once compromised, these PCs are quite easily to spot. So, within a few day or weeks you need new ones.
And it's not as easy as it was. Corporate virus protection is good. Intrusions are quickly spotted, compromised machines easily detected. You have to find ways of getting at that soft chewy centre before they know there's an exploit in the wild, and you have to do it without triggering safeguards.
What the pro hackers are doing, I'm told, is using the corporate laptop as their target.
Two nice, easy ways to do that. Either, sit outside the corporate campus with a powerful WiFi beacon, and create a link that looks like the corporate LAN. Then wait for users to log onto you, instead of the official signal, and collect passwords.
Alternatively, wait till the owner leaves the building.
At Air Defense, they say they're seeing deliberate targeting of individual PC owners. The financial director, in his office, is a tough nut to crack. But when he takes his laptop home for the weekend, he's logging onto a domestic wireless hotspot, which has none of the sophisticated safeguards that protect it at the office. And, typically, a senior executive has not yet been trained to leave important corporate information on the office server. They have an 80 gigabyte disk! - it's full of spreadsheets and databases.
And they also say they're seeing the coffee bar being targeted. Good, old-fashioned hacking tricks like the "evil twin" and "man in the middle" hacks mean that you can behave in all respects like the official Starbucks hub, but record all the transactions. Next thing you're logged onto the corporate LAN with full user privileges. Or you've loaded a trojan onto the laptop, and you know that next time it connects to the office LAN, a brand-new virus will compromise all the office PCs.
The logic of this depends on having a new exploit, which the office anti-virus software hasn't heard about. But chances are, the mobile user hasn't connected to the office anti-virus network for a day or so, and is vulnerable.
The trend is starting to frighten corporate IT managers. They are taking simple, direct action: insisting that employees work from desktop PCs, and stop being given laptops.
If that's a large-scale trend which gathers momentum over the next twelve months, you might expect to see the PC business suffer. The margins on portable machines are noticeably better, and costs of desktop machines are absurdly low - a $500 machine is good for anybody who isn't a mad gamer.
I think, though, the opposite may happen. I think people will continue to want notebook machines at home, and if the company doesn't give them one to take home, they may buy one of their own, thus effectively doubling the nmber of computers used.
We'll see which way it goes.
Copyright © Newswireless.net
Sponsored: Global DDoS threat landscape report