09 April 2012

How Secure is your Wi-Fi?

It probably doesn't need repeating that WEP security for Wi-Fi has long ago been cracked open wider than Humpty Dumpty in an earthquake, nor that WPA is as safe as houses. And yet, a recent survey by a web-hosting outfit in Europe reveals that the public, if asked "is your Wi-Fi connection encrypted?", will typically answer "not bothered". Of those asked, 56% never or rarely check to see whether a hotspot is encrypted before logging into it. These same folk are far more likely to secure their home Wi-Fi, so it isn't just a failure of awareness but more likely an excess of trust. Trust, that is, in the hotel or the coffee shop or the pub that offers Wi-Fi for free - and the service provider.

Such trust is often misplaced, which is where the potential security risk lies, and which lines me up nicely for the actual story that caught my attention - namely, that the Wi-Fi Protected Setup (WPS) protocol has been well and truly compromised. WPS is that button you probably pressed to secure your wireless router when you were setting it up for your home or small-business network, the one that helpfully did away with all the manual security configuration and made setting up wireless security both simple and quick. Or so you thought.

The truth is less encouraging, because WPS is vulnerable to attack, but not the big red button part of it. There's another aspect to WPS that comes not via a button press but via an eight-digit PIN to enter, and it's this PIN version of the WPS protocol that's proved much less secure than everyone assumed. It turns out that in order to crack this encryption via a standard brute-force attack, the hacker doesn't need to uncover all eight digits, which would require a great deal of time and computing power. Instead, they have to decipher only the first four digits of the PIN.

Yes, you read that correctly; that secure-looking PIN isn't all that secure. Sure, bank cards employ a four-digit PIN and both the banks and their customers seem happy enough to place their trust in this when using cards in a cash machine, but there's a big difference between these two seemingly identical instances of authentication. To take your money out of an ATM, any would-be bad guy has to be in possession of your physical card as well as being able to guess or otherwise obtain its PIN. To gain access to your supposedly secure wireless network, on the other hand, he doesn't require physical access to your router, computer or anything else - he can just set his own PC to try every possible combination. (There's a useful "how long to crack my password" calculator at the Steve Gibson GRC security site https://www.grc.com/haystack.htm: maths boffins will point out its shortcomings, but it's good enough for back-of-a-fag-packet estimates.)

Security researchers have released a tool called Reaver that can exploit this flaw, and enables anyone to crack the simpler WPS PIN and access the cleartext version of the router's WPA2 pre-shared key (PSK), which is then revealed as a result. The full PIN would have more than ten million combinations, but the reduced digit PIN has only 11,000 or thereabouts. Remember, it matters not a jot how complex the PSK lying behind your PIN is - by using the WPS PIN method, you've "protected" your Wi-Fi network using what is in effect only four digits.

A Google search for PSK hacking tutorials will demonstrate that even without this WPS PIN vulnerability it's quite feasible to find a WPA2-PSK by brute force, but it would take very much longer and a potential hacker would need a very good reason to invest the time and resources required. Reduce that time and resource requirement sufficiently and suddenly your router and Wi-Fi network become more attractive targets for a casual hack.

It isn't all bad news: you can simply disable the WPS feature on your router to remove the PIN that the likes of Reaver will be looking for. I believe, but at the time of writing have no details to back up this belief, that a number of router manufacturers have either released or are working on firmware updates to close the vulnerability, one assumes by turning off the PIN (which not all routers have a user configuration option for).

Hacking calculators such as Haystack should frighten you into taking password construction more seriously

Better still, start over again and set up your Wi-Fi network using a long and complex PSK to make brute-force attacks impractical: think in terms of 32 characters or more, with the usual mix of letters, numbers and special characters. Using that Haystack calculator I mentioned above, you'll see that a simple four-digit PIN takes only seconds to crack, but a complex 32-character password would take 6.22 thousand trillion trillion trillion centuries - even under a worst-case scenario of a massive cracking array being used to perform a hundred trillion guesses every second!
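The numbers in the WPS and Haystack passages above can be reproduced with a short calculation. This is an added example, not code from the original article or from GRC; it assumes the usual explanation of the 11,000 figure (the first four digits are confirmed on their own and the eighth digit is a checksum) and counts a brute-force search the way Haystack does, over every length up to the target. At the article's hundred trillion guesses per second it puts the 32-character key at roughly 6.2 x 10^39 centuries, in line with the figure quoted.

```python
# Added example (not from the original article): worst-case search-space
# estimates for the secrets discussed above.
GUESSES_PER_SECOND = 100e12                      # the article's "massive cracking array"
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600
PRINTABLE_ASCII = 95                             # letters, digits, specials, space


def exhaustive_space(alphabet: int, max_len: int) -> int:
    """Candidates of every length from 1 to max_len (shorter ones are tried first)."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def wps_pin_space(halves_checked_separately: bool) -> int:
    """Worst-case guesses for an 8-digit WPS PIN whose last digit is a checksum."""
    if halves_checked_separately:
        # Assumption stated in the lead-in: the first 4 digits are confirmed on
        # their own, leaving 3 free digits (plus checksum) in the second half.
        return 10 ** 4 + 10 ** 3
    return 10 ** 7                               # 7 free digits, checked as one value


def centuries_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at the given guess rate, in centuries."""
    return space / rate / SECONDS_PER_CENTURY


def compare() -> dict:
    """Map each secret to (search space, centuries at the article's guess rate)."""
    secrets = {
        "4-digit PIN": exhaustive_space(10, 4),
        "WPS PIN, split check": wps_pin_space(True),
        "WPS PIN, whole check": wps_pin_space(False),
        "8-char PSK": exhaustive_space(PRINTABLE_ASCII, 8),   # WPA2 minimum length
        "32-char PSK": exhaustive_space(PRINTABLE_ASCII, 32),
    }
    return {name: (n, centuries_to_exhaust(n)) for name, n in secrets.items()}


if __name__ == "__main__":
    for name, (space, cent) in compare().items():
        print(f"{name:22s} {space:.3e} candidates  {cent:.3e} centuries")
```

With the WPS PIN enabled, the row that matters is the 11,000-guess one regardless of how long the PSK is, which is why disabling WPS comes before lengthening the key.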

WPA2-PSK, the pre-shared key implementation beloved by the stereotypical dangerous small-business man, was cracked a couple of years ago, and WPA2 with TKIP isn't a secure option either, making Wi-Fi - for many people - quite simply insecure. WPA2 with AES is okay, as is WPA2-Enterprise with a RADIUS authentication server or even WPA2-PSK with a 32-character key. Since WPA2-PSK actually supports keys up to 63 characters, and most wireless devices cache that key forever so that it needs to be entered only once, it isn't that difficult to work out what you should do - yet long passwords are still all too often seen as unnecessary and too complex. Sigh...

User-Centric Threat-scape

It should come as no surprise to readers of this column that I firmly believe that the majority of IT security problems are better described as organic rather than mechanical - by which I mean the user is the real problem, rather than the malicious program code or the bot that distributes it. According to the latest security threat report from Sophos it would appear that, at long last, people are starting to get that message.

Facebook profiles reveal a wealth of data that can be used for "spear phishing"

Out of more than 4300 folk around the globe who were surveyed, 61% feel that the biggest threat on the online security landscape is users who don't do enough to protect themselves. This becomes even more of a problem as 20% admitted social networking scams were the top of the current security threatscape; put these two facts together (ingrained user apathy and social networking threats), and it's a recipe for disaster. It doesn't take a genius to spot that the combination of new attack vectors employing integrated apps and social media platforms with increasingly diverse access methods, both in terms of devices used and locations from which they're accessed, has brought a need for a truly "protect everything, protect everywhere" strategy to deal with data security.

Unfortunately, 40% of users fall well below genius level, by failing to understand that they're not only part of the problem but actually the enabling conduit through which malware and, ultimately, compromised data flows, which suggests that things will only get worse. You may think I'm being overly pessimistic, given that 60% do grasp the user-centric nature of the problem, but that would be to miss the point.

The majority of cybercriminals are lazy good-for-nothings who will always take the easiest route to make their riches, and the easiest route as far as data and network breaches are concerned is the user with a poor password or the small business with no patch-management policy - the other 40%.

For more information, read How To Protect Yourself 
 
