and what I tend to do
We can't live without them, they are everywhere: in our houses, cafés, pubs, train stations, toilets, bloody everywhere. And most of the time the people who install these networks, albeit with the best will in the world, don't have a clue what the implications are if this kind of thing isn't done correctly. I know you may be saying "oh, it doesn't matter" or "we're only a small company, so what's all the fuss about?". You won't be saying that when the shit hits the fan, will you?
If you operate a wireless network, no matter how small you are or how fancy your equipment is, if you have data running through it, you are responsible for the security of this data. Simple.
I have installed a great deal of wireless networks in my time; I started out installing 802.11b-compliant networks, and they were a ballache to say the very least. The security back then wasn't very clever either: WEP, a 40-bit key typed in as 10 hex digits, broken not by guessing the key but by the way RC4 keystreams repeat under its 24-bit IV, so capture enough traffic and the key falls out statistically in minutes. It was the most common protection on public wireless infrastructure, and also the default in the early "Home Hubs" provided by everyone's favourite Telco.
Let me get back on the topic of the post, public WiFi. You go to Starbucks, you grab a coffee, get the laptop out, Ooh, unsecured WiFi, let's get online!
The captive portal page has a lock and the URL is HTTPS, so everything is good in the world. No, no it isn't. Referring back above: UNSECURED WIFI. The padlock protects your logon to the portal and nothing else. As soon as you're 'authenticated', you're on the net over an open network, where every frame goes through the air unencrypted, so anything the application itself doesn't wrap in TLS is readable by anyone in range with a wireless card. And, from experience, some of these portals block certain HTTPS transactions, Google searches for instance, which pushes you back to HTTP. At that point, everything that's transmitted is plaintext.
"But the café has a security code they give out?", and?, if everyone knows a password, what's the point in securing the system in the first place?
When this is done right, it's great: everyone has their own username and password, no shared credentials. Sounds like the perfect solution, but when it's not done right you can make your entire network vulnerable, not just your wireless network. For example:
WPA2 Enterprise Encryption
PEAP authentication with MS-CHAPv2 as the Phase 2 (inner) method. This was great until MS-CHAPv2 was properly broken in 2012, when Moxie Marlinspike and David Hulton showed the challenge/response reduces to a single DES key search, and Microsoft's own advisory told everyone to rely on the outer tunnel to protect it (I've got other links, but I'm not posting them). That inner exchange is only as private as the TLS tunnel to the RADIUS server, and most of the time the server cert was self-signed, so the client never checked who it was talking to. Stand up your own access point and RADIUS server and the MS-CHAPv2 handshake lands in your lap; cracking it gives you the NT hash of the user's password, which is easier than you think. Now you not only have the user's credentials for logging on to the WiFi, you can use them against any machine that authenticates against the same domain. Ta-dah, thanks Microsoft.
Allow me to elaborate on that certificate point I mentioned. We've all done it: too lazy to get a cert signed properly, or too stingy to pay a legit CA for one, hell, my old university did it. At the time it makes sense, you just self-sign the cert, chuck it on the RADIUS server and there you have it, SSO-ish wireless security. The real issue isn't the self-signing as such, it's that nobody told the clients which certificate to expect, so the cert flags a security alert every time, you grow complacent and just hit accept, much like we do when we "read" terms and conditions. Dr Pepper it.
What's to stop me signing a certificate now with a CN of wireless.infrastructure.symantec.com? Nothing, absolutely diddly squat. Sure, it will flag a security error, but it looks good, it's got Symantec's name in it, so it must be secure, just like everything on the internet must be true. Right? Well... no.
I could go grab a Linksys WRT54G, whack DD-WRT on it and a FreeRADIUS server with that cert; you will connect to it, and then I'll start inspecting your traffic and collecting MS-CHAPv2 handshakes to crack at my leisure. Very simple. Don't try this one at home, kids.
It's a bit of a catch-22 situation, to be honest: everyone wants secure WiFi, but nobody wants to shell out for things like certificates. Hopefully things like Let's Encrypt will help here, but a free publicly trusted cert on its own doesn't fix this. Anyone can get one for a domain they control, so the client still has to be told which CA and which server name to expect before the certificate proves anything.
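What "told which certificate to expect" looks like in practice, as an added example rather than anything from the original post, is a wpa_supplicant network block. The SSID, identity, password, CA file path and server name are placeholders. The first block is the usual lazy setup; the second is the same network with the two lines that stop the WRT54G trick above from working:

```conf
# Weak: no ca_cert, so the supplicant accepts whatever certificate the RADIUS
# server presents. A rogue AP with a self-signed cert (CN of your choosing) gets
# the MS-CHAPv2 exchange and can crack it offline.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# Hardened: pin the CA that issued the RADIUS server's certificate and the exact
# name that certificate must carry. A private CA is fine here; it is the pinning
# that matters, not who signed it. The outer identity hides the real username
# from anyone listening to the unencrypted part of the exchange.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous@example.com"
    password="hunter2"
    ca_cert="/etc/ssl/certs/example-corp-radius-ca.pem"
    domain_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

With ca_cert and domain_match set, a certificate for wireless.infrastructure.symantec.com signed by anyone else fails before the inner MS-CHAPv2 round ever starts, and wpa_supplicant refuses the connection rather than asking the user. Windows exposes the same two controls in the PEAP properties (validate the server certificate against a chosen trusted root, and only connect to listed server names), and they belong in group policy or MDM, not in a dialog the user can click past.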
By far one of the safest wireless authentication mechanisms is device certificates (EAP-TLS, a PKI kind of thing), but that's still fraught with issues: every device needs a certificate enrolled and renewed, and the client still has to validate the server's certificate properly or you're back where you started.
Go back to an ethernet cable, it's just better.