WPA Cracked

05 December 2008

A newly-discovered vulnerability in a common wireless network encryption standard is a timely warning to business to upgrade to the latest encryption version, say security experts.

The Wi-Fi Protected Access (WPA) standard is more secure than the Wired Equivalent Privacy (WEP) standard it replaced, but not as secure as the latest technology, WPA2, which implements the full IEEE 802.11i specification.

The WPA vulnerability and proof of concept tool published by German researchers in mid-November is not yet a major threat, but could soon be exploited successfully.

The vulnerability can be used only against wireless networks using standard WPA encryption with quality of service (QoS) functionality turned on.

Hackers can use the QoS channels to bypass the basic security controls built into standard WPA and pose as a legitimate access point in the network.

This will not allow hackers to steal information as data is still encrypted, but it could enable denial of service (DoS) attacks to block access to the network.

In the longer term, however, the vulnerability is likely to be exploited, said Ken Munro, director of the penetration testing division of NCC Group.

"When a vulnerability like this is announced, it usually does not take long before someone works out a way of doing something with it," he said.

This is the first weakness to be identified in WPA and has been proven to work, so business should take heed, said Wade Williamson, director of product management at wireless security firm AirMagnet.

Until now, said Williamson, WPA was considered to be invulnerable, but that is no longer true and business needs to take a different approach to wireless security.

"We need to take all the lessons learned in the wired networking world and apply defence-in-depth to wireless networks," he said.

According to Williamson this means switching to the stronger Advanced Encryption Standard (AES) used in WPA2 and installing wireless intrusion detection systems.

"It is no longer good enough to secure wireless access points, businesses need to know what devices and users are talking over the network," he said.

Munro said with more than half of wireless networks in the UK using older technology that is incompatible with WPA2, many companies face costly upgrades.

In the meantime, he said, businesses using WPA can reduce risk from the new vulnerability by turning off QoS functionality.

"The bigger problem at the moment is the failure of business to encrypt data on wireless networks. WPA encryption is better than no encryption at all," he said.
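The check below is an added example, not part of the original article: it audits access point configurations for the combination described above (standard WPA with QoS turned on) and for the two mitigations mentioned (QoS off, or WPA2 with AES). It assumes hostapd-style option names (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wmm_enabled`), treats "standard WPA encryption" as the TKIP cipher, and runs on constructed sample configurations.

```python
# Added example: hostapd-style option names are an assumption, not from the article.
NO_WPA, EXPOSED, TKIP_QOS_OFF = "no-wpa", "tkip-with-qos", "tkip-qos-off"

def parse_conf(text):
    """Return key=value pairs, skipping blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of finding codes for one access point configuration."""
    conf = parse_conf(text)
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2
    if wpa == 0:
        return [NO_WPA]  # neither WPA nor WPA2 is configured
    # Assumption: a missing wpa_pairwise means TKIP, and a missing
    # rsn_pairwise falls back to the wpa_pairwise value.
    wpa_ciphers = conf.get("wpa_pairwise", "TKIP").split()
    rsn_ciphers = conf.get("rsn_pairwise", " ".join(wpa_ciphers)).split()
    tkip = (wpa & 1 and "TKIP" in wpa_ciphers) or (wpa & 2 and "TKIP" in rsn_ciphers)
    if not tkip:
        return []  # AES (CCMP) only: the upgrade Williamson recommends
    # Assumption: a missing wmm_enabled is treated as QoS off.
    qos_on = conf.get("wmm_enabled", "0") == "1"
    return [EXPOSED] if qos_on else [TKIP_QOS_OFF]

# Constructed sample configurations (not taken from any real network).
LEGACY = """
ssid=office
wpa=1
wpa_pairwise=TKIP
wmm_enabled=1
"""
INTERIM = LEGACY.replace("wmm_enabled=1", "wmm_enabled=0")  # QoS turned off
UPGRADED = """
ssid=office
wpa=2
rsn_pairwise=CCMP
wmm_enabled=1
"""

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY), ("interim", INTERIM), ("upgraded", UPGRADED)):
        print(name, audit(conf) or "ok")
```

A `tkip-qos-off` result marks the interim state Munro describes: risk from this vulnerability is reduced, but the network is still on the older cipher.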
