After reading this piece about the recently released report on the TJX breach from the Office of the Privacy Commissioner of Canada and the office of the Information and Privacy Commissioner of Alberta, I had a thought about the false sense of security that wireless encryption gives us. TJX was apparently using both WPA and WEP for wireless encyrption but it was the WEP that got them into trouble. The thing is, whichever one is used, it’s easy to believe that the airwaves are protected. “Encryption” is being used after all..that’s good enough, right?
Based on my own experience and that I’ve from others, I guarantee you most of the times that aircrack (or any of the other wireless encryption cracking tools) are run against a wireless network, the results come back negative. No weak encryption implementation – no cracked passphrases – nothing. All’s well in 802.11-land. Management sees this and assumes that the business network is safe.
The devil’s in the details though. If you look closer at how most wireless “hacking” or penetration tests are carried out, the techniques are often flawed:
All of these provide just enough false sense of security to justify leaving things the way they are.
My point is that just because your wireless environment checks out OK, it doesn’t mean it really is secure. With the right tools and enough time and effort, it very well could be cracked. Whether it’s protected by WEP or WPA using pre-shared keys – if it’s implemented incorrectly, wireless encryption can eventually be broken leading to a TJX-like mess.
If you’re using wireless, make sure your testing is done the right way…Spend the time, money, and effort to get a real-world view of how secure or unsecure it really is. There’s no logical excuse for using WEP in a business environment either. Get everything off of it as soon as you can. TJX apparently didn’t do this and they – and a lot of people – are paying the price.
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”