• A primer on WEP/WPA hacks & why it doesn’t matter

    26 Jan 2009

    If you can’t justify spending $18.99 on the book I co-authored Hacking Wireless Networks For Dummies, then there’s an alternative resource for you to at least be able learn about how WEP and WPA can be exploited. In this recent SearchNetworking.com tip, Lisa Phifer has taken the volumes and volumes of technical jabber about the known attacks against WEP and WPA and distilled them into a simple 5 minute read. Definitely worth checking out.

    After reading it though, I thought….man, all of these technical details, all of these attacks, all of this effort to lock down wireless. With all due respect to the people who figured all of this stuff out, I still think it’s pretty naive to focus a lot of security effort on this when there’s so much other silly/simple/stupid stuff that needs to be fixed I’ve seen recently like:

    1. Web sites with spreadsheets containing Social Security numbers protected only by a really short and really easy to guess password
    2. Web apps with supposed multi-factor authentication controls that can be easily overridden and disabled
    3. Network shares sharing out entire drives full of sensitive files – all accessible by anyone on the network
    4. Firewalls with default installs and no passwords
    5. VoIP phones sitting in unmonitored lobbies that can simply be unplugged and provide direct network access to strangers
    6. Smartphones without even a trace of security enabled – not even a power-on password
    7. Laptops without encrypted drives
    8. Database servers without passwords
    9. Backups stored onsite in fireproof safes that aren’t media rated
    10. Physical security CCTV control systems without passwords viewable/configurable by anyone on the network
    11. Missing patches that are easily-exploited with free tools providing full admin access to the system without the attacker ever having to log in

    So stop focusing on the details and fix the obvious stuff first. And you can’t assume everything’s OK. You’ll never know where you’re vulnerable and where things stand unless and until you test your systems and your processes. Period.

    Can you tell I’m passionate about this stuff? I could go on and on and on….but I won’t.

Resources

view all

Client Testimonials

“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.

His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”

(IT managed services firm)
Read More

 

I’ve written/co-written 12 books on information security including:

 

Tags

application security appsec basics books careers censorship CISO CISSP cities compliance coronavirus covid-19 cybersecurity data breaches hacking Hacking For Dummies heads in sand health incident response information risk keynote speaker leadership macOS networked cameras passwords patching racing resilience Russian hacking SDLC security culture security leadership security program management security speaker selling security social engineering speaking engagements spec miata sql injection tiktok time management training vulnerability and penetration testing web security

© Copyright 2001-present, Principle Logic, LLC - All Rights Reserved.

For your convenience I accept