Feeds

Wireless not worth hacking?

Times have changed

The Essential Guide to IT Transformation

Opinion For four years, I've been pretty clear about my personal opinions on wireless hackers. I don't worry about them. So when I say: "It's time to worry about wireless hackers," it's not just another security consultant scare story being recycled - it's because I think things have changed.

What has changed? Easy: corporate networks have changed. It's no longer as easy as it was to penetrate a corporate firewall and compromise PCs on the LAN.

By comparison, the Wireless LAN is a softer target.

Ever since the first WiFi devices went on sale, people worried about the fact that other computer users might "share" their own wireless internet. And within days of the first warnings being posted about that, consultants began whipping up business by saying: "I drove down Whitehall and I saw a hundred insecure wireless networks!" or whatever town they lived in.

I was very relaxed about it. "It's not a problem," I said. "Nobody is going to hack into your computer. What on earth would they get out of it?

When the first easy hack of Wired Equivalent Privacy (WEP) encryption was published, I remained relaxed. Yes, it's possible to park a van outside my house with a PC inside, and run a WEP-cracker program. After two hours or so, you will probably be able to log onto my PC network, and use my internet. So... why would you?

My logic was pretty simply explained:- There are easier ways of getting an internet connection. If the hacker is one of my neighbours, then I think it's pretty unlikely they'll do it just to get internet. After all, the sort of person who has hacking skills is, typically, the sort of person who has a higher speed connection already than mine.

Are they going to spy on my computer? Hardly. The chances of hitting pay dirt look dim. My disk is packed with photographs of my family, and if you want to see the good ones, they're on FLICKR like everybody else's pix. All you get is the dross - out of focus, camera shake. Oh, and there's the incredibly tempting treasure trove of archive material - Personal Computer World columns going way back. Yes, I can just see a hacker cracking evil knuckles over the discovery of such a rich seam... NOT.

I do recommend using WEP. It's like shutting your front door: nobody is going to pretend that a front door would stop a serious criminal with a battering ram. But it will stop your neighbours from marching in and helping themselves from your fridge. And it's frankly a nuisance if your neighbours don't realise that the hotspot they are using isn't their own. They log onto "Linksys" because you set yours up with the default identity, and then they try to print something - and it comes out on your printer. An email from Auntie Nora. Oh, boy, boy, boy...

And the alternative hacker would be someone with a van. If you had a van equipped for hacking, why would you drive all the way into my street, feed the meter, and sit outside draining your car battery, when all you get is access to some nerd's PC?

But this isn't true, not any more. I think it was true a year ago, but over the last year, intrusion detection and prevention software - and hardware - has become really very clever.

Professional hackers exist. They work for shady groups involved in organised crime, and their way of making money is to compromise ten thousand PCs around the world with a virus or a trojan, and then launch all ten thousand in a denial of service attack on some corporate web site. With ten thousand machines all pinging one web site a hundred times a second, legitimate customers are crowded out, and massive damage is done to business.

The standard scam is to target an online bookmaker. Wait till the day before a big race or a global football match, and then release your bots for half an hour. Then send the message: "Send money, or we do the same thing tomorrow."

But you need a lot of bots. Once compromised, these PCs are quite easily to spot. So, within a few day or weeks you need new ones.

And it's not as easy as it was. Corporate virus protection is good. Intrusions are quickly spotted, compromised machines easily detected. You have to find ways of getting at that soft chewy centre before they know there's an exploit in the wild, and you have to do it without triggering safeguards.

What the pro hackers are doing, I'm told, is using the corporate laptop as their target.

Two nice, easy ways to do that. Either, sit outside the corporate campus with a powerful WiFi beacon, and create a link that looks like the corporate LAN. Then wait for users to log onto you, instead of the official signal, and collect passwords.

Alternatively, wait till the owner leaves the building.

At Air Defense, they say they're seeing deliberate targeting of individual PC owners. The financial director, in his office, is a tough nut to crack. But when he takes his laptop home for the weekend, he's logging onto a domestic wireless hotspot, which has none of the sophisticated safeguards that protect it at the office. And, typically, a senior executive has not yet been trained to leave important corporate information on the office server. They have an 80 gigabyte disk! - it's full of spreadsheets and databases.

And they also say they're seeing the coffee bar being targeted. Good, old-fashioned hacking tricks like the "evil twin" and "man in the middle" hacks mean that you can behave in all respects like the official Starbucks hub, but record all the transactions. Next thing you're logged onto the corporate LAN with full user privileges. Or you've loaded a trojan onto the laptop, and you know that next time it connects to the office LAN, a brand-new virus will compromise all the office PCs.

The logic of this depends on having a new exploit, which the office anti-virus software hasn't heard about. But chances are, the mobile user hasn't connected to the office anti-virus network for a day or so, and is vulnerable.

The trend is starting to frighten corporate IT managers. They are taking simple, direct action: insisting that employees work from desktop PCs, and stop being given laptops.

If that's a large-scale trend which gathers momentum over the next twelve months, you might expect to see the PC business suffer. The margins on portable machines are noticeably better, and costs of desktop machines are absurdly low - a $500 machine is good for anybody who isn't a mad gamer.

I think, though, the opposite may happen. I think people will continue to want notebook machines at home, and if the company doesn't give them one to take home, they may buy one of their own, thus effectively doubling the nmber of computers used.

We'll see which way it goes.

Copyright © Newswireless.net

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.