That's good enough for me!

Sunday, October 12, 2008

Time to start scaring wireless users again...

For those who don't pay attention to the IT/Security news, WPA-PSK has taken another hit.

For those who don't know me, I have spent too much time working with wireless technology, and tend to indicate that the sky is falling, or that evil monkeys are going to steal our kidneys.

I tell people to make sure they have encryption (and WEP doesn't count) on their wireless routers, or people can find a way to nab their personal information from a distance. I've been told that I seem to enjoy scaring people. It might be true.

But with the new advances in using graphics cards to speed up the cracking process make it possible for someone with too much time on their hands to take down a home network. Products have even been released using this technology that help you, uh, recover your forgotten WPA password. Doing a bit of number crunching reveals that about 50% of the home networks out there can be cracked with about 3k USD of gear in about a week. While this doesn't quite make it as bad as the WEP situation, where a hacker could casually watch everything you type with about a minute of effort, it does mean that a geek with an expensive gaming rig can take apart a small business network and listen in on, well, anything they feel like.

There are still ways to protect yourself, or at least minimize your risk of being vulnerable to this, listed here from simple to safest:
  • Change your SSID (network name) to something non-standard - Using a simple SSID puts you in that 50% up easily hackable networks.
  • Use long, high entropy passwords - anything in English has very low entropy, so if you want it to be secure but memorable, make it an entire sentence. Or two. And change it once a month.
  • Use WPA-enterprise - either create a bunch of certificates and pass them out, or make everyone use their own password to log on (PEAP or TTLS).
  • Use a VPN, and live with the network performance hit.
For my own part, my wireless network has a nonstandard name and a long (but plain English) password. I would imagine that in the near future I will take some time to start tightening things up a bit - more on that later if I find a neat and tidy way to pull it off.

No comments: