Got wireless? Most organizations have some form of 802.11 (aka Wi-Fi) lurking on their networks, whether they know about it or not. The network managers who are aware of their wireless systems claim they're secure because they have Wired Equivalent Privacy (WEP) or WPA (Wi-Fi Protected Access) encryption enabled. As for those who aren't aware of the wireless systems in their environments, that's an even bigger issue. My point is many businesses are still grossly underprepared when it comes to keeping their airwaves -- and the sensitive information traversing them -- under wraps.
Merely "enabling" wireless encryption isn't enough. The original form of 802.11 wireless encryption, WEP, was broken from the get-go. The way encryption is implemented in WEP allows just about anyone to crack it and gain access to the wireless network -- something that can often be done in just a few hours using free tools off the Internet.
Enter WPA, the next generation of wireless network security that fixed all of the known issues with WEP. During the past couple of years, many people have jumped on the WPA encryption bandwagon with their wireless deployments. The assumption is that WPA and its successor, WPA2, have finally fixed the wireless security problems of the past. They have, to an extent. Even the PCI Security Standards Council LLC is going to require robust encryption and authentication such as WPA2 for wireless networks after June 2010.
If it's good enough for them, then surely it's good enough for you, right? Well, not so fast.
If you look at your network from an IT audit perspective (policy vs. controls), you're going to come out smelling like roses. You have a policy that requires WPA (or WPA2) using pre-shared keys (PSK) for encryption. Your systems are configured with WPA- or WPA2-PSK encryption (like what many organizations use). Everything's rosy. Furthermore, you've "passed" your internal audit, and, thus, you're "compliant" with whatever regulations (HIPAA, PCI, Massachusetts 201 CMR 17, etc.) you're up against. But this is the very mind-set regarding compliance vs. security that gets organizations in trouble over and over again. Just because you have whatever fancy encryption enabled on your wireless, that doesn't mean it's secure. Let me demonstrate.
Using Elcomsoft Wireless Security Auditor to crack a WPA pre-shared key.
There are both open source and commercial tools that can be used for cracking WPA and WPA2 pre-shared keys. Aircrack-ng has been around for a while, and it works well if you're a techie who's comfortable with open source security tools. More recently, a commercial tool by Elcomsoft Co. Ltd. called Elcomsoft Wireless Security Auditor (EWSA) takes WPA and WPA2 pre-shared key cracking to an entirely new level.
As long as you have some WPA or WPA2 data capture files -- something that can be gleaned using a wireless network sniffer such as Airodump-ng (part of the Aircrack-ng suite), CommView for WiFi or AirMagnet WiFi Analyzer -- EWSA can harness the processing power of certain Nvidia Corp. and ATI video cards and perform dictionary cracks against WPA and WPA2 pre-shared keys in a fraction of the time it would normally take a computer's standard CPU by itself. EWSA can also be used to dump the pre-shared key hashes from the Windows registry (yet another reason to encrypt your laptop hard drives!).
Using a PC's standard CPU combined with additional mathematical acceleration provided by the system's video card, EWSA can be used to crack up to 50,000 WPA/WPA2 pre-shared keys per second. The screenshot above shows the average speed for cracking to be just over 19,000 passwords per second, which is certainly no slouch.
For comparison, while running EWSA on my relatively powerful test system powered by a dual-core Intel processor minus a supported video card, I was able to crack only 400 passwords per second on average. Now those are numbers that should get your attention, as such a tool proves that unauthorized access into your "protected" wireless environment can be achieved relatively easily if your WPA/WPA2 pre-shared keys aren't reasonably complex.
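To put those per-second figures in context, here is an added Python example (not from the column, and not code from EWSA or Aircrack-ng). It derives the WPA/WPA2 pairwise master key exactly as IEEE 802.11i specifies, which is the work a cracker must repeat for every guess, and then bounds how long an exhaustive search of a given passphrase policy would take at the three guess rates the article quotes. The rate labels and the policy table are constructed for illustration.

```python
import hashlib

# Guess rates quoted in the article (WPA/WPA2 pre-shared keys per second).
ARTICLE_RATES = {
    "dual-core CPU, no GPU": 400,
    "GPU-assisted (screenshot)": 19_000,
    "GPU-assisted (vendor maximum)": 50_000,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key from a WPA/WPA2 passphrase.

    IEEE 802.11i defines PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID,
    4096 iterations, 32-byte output). Every guess a cracker tries has to
    repeat this derivation (roughly 8192 SHA-1 compressions), which is why
    rates are in the thousands per second rather than millions, and why
    offloading the work to a GPU matters so much.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def wpa_pmk_hex(passphrase: str, ssid: str) -> str:
    return wpa_pmk(passphrase, ssid).hex()


def worst_case_seconds(charset_size: int, length: int, rate: float) -> float:
    """Seconds to exhaust every passphrase of `length` symbols drawn from a
    `charset_size`-symbol alphabet at `rate` guesses per second. This bounds
    brute force only: a passphrase that appears on a wordlist falls in
    seconds regardless of length, so "complex" must also mean "not a
    dictionary word"."""
    return charset_size ** length / rate


def worst_case_years(charset_size: int, length: int, rate: float) -> float:
    return worst_case_seconds(charset_size, length, rate) / SECONDS_PER_YEAR


def psk_policy_report(charset_size: int, length: int) -> dict:
    """Worst-case exhaustive-search time, in years, at each article rate."""
    return {name: worst_case_years(charset_size, length, rate)
            for name, rate in ARTICLE_RATES.items()}


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_pmk_hex("password", "IEEE"))
    policies = {"8 lowercase letters": (26, 8),       # constructed examples
                "8 mixed alphanumerics": (62, 8),
                "20 printable ASCII": (95, 20)}
    for desc, (cs, n) in policies.items():
        print(desc, {k: f"{v:.3g} y" for k, v in psk_policy_report(cs, n).items()})
```

Eight lowercase letters fall to an exhaustive search in well under a year at the 50,000/s rate, while eight mixed-case alphanumerics already take over a century, which is the gap between a "compliant" PSK and a secure one.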
I'm a big believer that some security is better than nothing at all. This is the case with WEP. Running a WEP-enabled wireless network is still a lot better than having an open (i.e., unencrypted and freely accessible) network like a good number of people still use. But it's not good enough. WPA and WPA2 when configured to use weak pre-shared keys aren't either.
Even though the wireless network security protocols are blamed for these weaknesses, when you look a little deeper you can see that it's not the technology creating the problems -- it's the people. It's the same issue we have with passwords, firewalls, antivirus software, you name it. Just because you have security controls in place doesn't mean they've been implemented properly, nor does it mean they're being managed the way they need to be.
So, are WPA and WPA2 safe for today's businesses? Are they going to help facilitate compliance and keep sensitive information secure on your wireless networks? Absolutely yes to both! Even WPA and WPA2 with pre-shared keys are fine. But there's a caveat: if, and only if, you bring some common sense into the process and do it the right way. This is where mere compliance stops and true information security begins.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. He has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He can be reached at www.principlelogic.com.