Government Technology Magazine interviewed me recently for a story on wireless security. The reporter did a pretty good job on the story, and covered some important issues in wireless internet access security. Very wisely, the reporter quoted me when I recommended 20+ character pass phrases when setting up a wireless network’s access “key.”
There are two important areas of the interview that ended up on the cutting room floor.
#1 Many wireless access points have NO provision to disable wireless access to the administrator’s control panel on the device that sends out the wireless signal (the “access point”). Therefore, an attacker has unlimited time, from far distances, to attempt multiple attacks on the network. If the attacker penetrates the access point, he can use that to springboard other attacks against users and that network.
A good access point will allow a configuration that allows the total shutdown of any admin control of the access point from a wireless connection. This setting requires an admin to physically plug-in to the access point or, in some models, plug into the UTM/Firewall that protects the network. Physical access is a much harder hurdle for an attacker, and does not give unlimited time to an attacker.
This physical access feature is mandatory for networks that have to comply with PCI-DSS mandates to protect credit card data. I put this feature on my must have list, with or without PCI-DSS requirements.
In general if you walk into a consumer computer store, none of the wireless access points have strong security in mind, and you are not likely to find an access point with this critical feature.
#2 I have also found that the companies that make the cheaper, less secure gear do not support long pass phrases for their encryption keys or for passwords to gain entry to the access point, or allow you to change the factory default user name. Combine a factory user name, a short password with unlimited wireless attacks, and you have a non-secure attack made much easier.
Why do the computer stores only sell the less secure gear? Price and poorly trained sales people. I have heard many computer salespeople tell customers: “Unless you are in the CIA, you don’t need to worry to much about wireless security issues.”
As Mark Twain famously said, “It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.”
In computer and retail stores, the expensive, safer wireless gear just does not sell well, and it is “chased” off the shelf by the less expensive, less security wireless equipment.
The original story in Government Technology Magazine