Wired has an article about a possible vulnerability in WPA that allows a
fairly trivial DoS attack.
http://www.wired.com/news/business/0,1367,56350,00.html
Now, silly me, I would expect Wired to publish reasonably well
researched and accurate articles, but most of it is the same old "Shock
Horror - WiFi dangerous" twaddle.
Now maybe I'm missing something here, but what really puzzles me about
all this is the belief that a wireless connection can ever be as secure
as a wired connection. And even more than that, that a wired connection
can be treated as implicitly secure. We all use SSL, SSH, VPNs and such
like to access important systems on the internet. Why don't we just do
the same when accessing the same systems over wireless? It seems as
though the thinking got stuck somewhere that we don't need to use
encryption inside the firewall and when we started using WiFi we just
assumed that we'd be able to do the same thing. Then when WiFi was
exposed as inherently insecure we threw our hands up in horror at what
we'd done and blamed WiFi.
There's a classic example in the article. "This past summer, electronics
retail store Best Buy removed the wireless scanners in their stores
because of the security risks associated with WEP. They were more
concerned about outsiders getting their customers' credit card
information." So Best Buy's systems were shipping credit card numbers
over the wire unencrypted? And then they put in WiFi? Like DOH!
On the basis that bad security is worse than no security, I'm tending
towards an approach that turns off all security on WiFi. Don't use WEP,
WPA, MAC authentication, IP authentication or whatever else they come up
with. Do all your security at the application level. If you start by
assuming that the transport layer is always insecure, maybe then you'll
be more careful about what you send over it.
Am I completely off beam with this?
BTW. Are there any verified instances of WEP being attacked and broken
in the wild? How about verified instances of more mainstream hacker
attacks being launched over WiFi?
--
Julian Bond Email&MSM: [EMAIL PROTECTED]
Webmaster: http://www.ecademy.com/
Personal WebLog: http://www.voidstar.com/
CV/Resume: http://www.voidstar.com/cv/
M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433
--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
