Wireless not worth hacking?

Times have changed

Opinion For four years, I've been pretty clear about my personal opinions on wireless hackers. I don't worry about them. So when I say: "It's time to worry about wireless hackers," it's not just another security consultant scare story being recycled - it's because I think things have changed.

What has changed? Easy: corporate networks have changed. It's no longer as easy as it was to penetrate a corporate firewall and compromise PCs on the LAN.

By comparison, the Wireless LAN is a softer target.

Ever since the first WiFi devices went on sale, people worried about the fact that other computer users might "share" their own wireless internet. And within days of the first warnings being posted about that, consultants began whipping up business by saying: "I drove down Whitehall and I saw a hundred insecure wireless networks!" or whatever town they lived in.

I was very relaxed about it. "It's not a problem," I said. "Nobody is going to hack into your computer. What on earth would they get out of it?"

When the first easy hack of Wired Equivalent Privacy (WEP) encryption was published, I remained relaxed. Yes, it's possible to park a van outside my house with a PC inside, and run a WEP-cracker program. After two hours or so, you will probably be able to log onto my PC network, and use my internet. So... why would you?

My logic was pretty simply explained: there are easier ways of getting an internet connection. If the hacker is one of my neighbours, then I think it's pretty unlikely they'll do it just to get internet. After all, the sort of person who has hacking skills is, typically, the sort of person who already has a higher speed connection than mine.

Are they going to spy on my computer? Hardly. The chances of hitting pay dirt look dim. My disk is packed with photographs of my family, and if you want to see the good ones, they're on FLICKR like everybody else's pix. All you get is the dross - out of focus, camera shake. Oh, and there's the incredibly tempting treasure trove of archive material - Personal Computer World columns going way back. Yes, I can just see a hacker cracking evil knuckles over the discovery of such a rich seam... NOT.

I do recommend using WEP. It's like shutting your front door: nobody is going to pretend that a front door would stop a serious criminal with a battering ram. But it will stop your neighbours from marching in and helping themselves from your fridge. And it's frankly a nuisance if your neighbours don't realise that the hotspot they are using isn't their own. They log onto "Linksys" because you set yours up with the default identity, and then they try to print something - and it comes out on your printer. An email from Auntie Nora. Oh, boy, boy, boy...

And the alternative hacker would be someone with a van. If you had a van equipped for hacking, why would you drive all the way into my street, feed the meter, and sit outside draining your car battery, when all you get is access to some nerd's PC?

But this isn't true, not any more. I think it was true a year ago, but over the last year, intrusion detection and prevention software - and hardware - has become really very clever.

Professional hackers exist. They work for shady groups involved in organised crime, and their way of making money is to compromise ten thousand PCs around the world with a virus or a trojan, and then launch all ten thousand in a denial of service attack on some corporate web site. With ten thousand machines all pinging one web site a hundred times a second, legitimate customers are crowded out, and massive damage is done to business.

The standard scam is to target an online bookmaker. Wait till the day before a big race or a global football match, and then release your bots for half an hour. Then send the message: "Send money, or we do the same thing tomorrow."

But you need a lot of bots. Once compromised, these PCs are quite easy to spot. So, within a few days or weeks you need new ones.

And it's not as easy as it was. Corporate virus protection is good. Intrusions are quickly spotted, compromised machines easily detected. You have to find ways of getting at that soft chewy centre before they know there's an exploit in the wild, and you have to do it without triggering safeguards.

What the pro hackers are doing, I'm told, is using the corporate laptop as their target.

Two nice, easy ways to do that. Either, sit outside the corporate campus with a powerful WiFi beacon, and create a link that looks like the corporate LAN. Then wait for users to log onto you, instead of the official signal, and collect passwords.

Alternatively, wait till the owner leaves the building.

At Air Defense, they say they're seeing deliberate targeting of individual PC owners. The financial director, in his office, is a tough nut to crack. But when he takes his laptop home for the weekend, he's logging onto a domestic wireless hotspot, which has none of the sophisticated safeguards that protect it at the office. And, typically, a senior executive has not yet been trained to leave important corporate information on the office server. They have an 80 gigabyte disk! - it's full of spreadsheets and databases.

And they also say they're seeing the coffee bar being targeted. Good, old-fashioned hacking tricks like the "evil twin" and "man in the middle" hacks mean that you can behave in all respects like the official Starbucks hub, but record all the transactions. Next thing you're logged onto the corporate LAN with full user privileges. Or you've loaded a trojan onto the laptop, and you know that next time it connects to the office LAN, a brand-new virus will compromise all the office PCs.

The logic of this depends on having a new exploit, which the office anti-virus software hasn't heard about. But chances are, the mobile user hasn't connected to the office anti-virus network for a day or so, and is vulnerable.

The trend is starting to frighten corporate IT managers. They are taking simple, direct action: insisting that employees work from desktop PCs, and stop being given laptops.

If that's a large-scale trend which gathers momentum over the next twelve months, you might expect to see the PC business suffer. The margins on portable machines are noticeably better, and costs of desktop machines are absurdly low - a $500 machine is good for anybody who isn't a mad gamer.

I think, though, the opposite may happen. I think people will continue to want notebook machines at home, and if the company doesn't give them one to take home, they may buy one of their own, thus effectively doubling the number of computers used.

We'll see which way it goes.

Copyright © Newswireless.net
