
Wi-fi security system is 'broken'

Oct 19, 2007
Source: BBC

More holes have been picked in the security measure designed to protect the privacy and data of wi-fi users.

The latest attack lets criminals defeat firewalls and spy on where someone goes and what they do online.

It comes after a series of other attacks that, experts say, have left the basic protection in wi-fi comprehensively "broken".

But compatibility issues mean that many will have no alternative but to use the much weakened protection system.

Lock picking

The basic security measure in the technical specification for wireless networks, 802.11, is known as Wired Equivalent Privacy.

WEP encrypts data flying back and forth between a computer and an access point to stop people spotting and stealing confidential information.

It does this using an encryption key, but numerous attacks have shown how easy it is to get hold of this key and unlock access to the wi-fi network or your data.

"WEP as a security measure is so broken that your (and everyone else's) kid sister can easily circumvent it," said computer security researcher Ralf-Philipp Weinmann, co-author of the aircrack-ptw tool that can crack WEP in minutes.

Anyone caring about their privacy, said Mr Weinmann, should not use WEP to stop others using their wi-fi hotspot.

Mr Weinmann and his colleagues unveiled aircrack in early 2007, but prior to that three other research teams, in 2001, 2004 and 2005, showed how to circumvent WEP.

The latest attack, created by Vivek Ramachandran of AirTight Networks, tricks a computer into thinking it is logged on to a wi-fi network it trusts. It exploits the basic hand-shaking system in wi-fi to get hold of lots of data it can analyse to crack a key.

While the chance that someone will piggyback on your wi-fi network is low, there have been cases in the UK where this has happened.

In London one man has been arrested and charged under the 2003 Communications Act for using someone else's wi-fi link without permission.

Alongside this is the risk of people using your broadband connection for potentially criminal activity.

However, said Mark West of the home tech help company Geek Squad, many people are forced into using WEP despite its shortcomings.

"WEP might be all they can run," he said.

The well-publicised problems with WEP have resulted in improved security systems for wireless networks known as Wi-fi Protected Access (WPA).

An improved version of this, called WPA-2, appeared in 2004 but is not yet widely used.

Mr West said backwards compatibility problems might mean that people cannot opt for the better protection found in WPA or WPA-2.

Using either of these requires Windows XP fitted with Service Pack 2, Vista or OS X on the Mac.

Drivers for wi-fi access cards might also need to be updated and the firmware on a hub might also need refreshing. Any other device that tries to link via wi-fi will also need updating.

For many, said Mr West, updating all these separate components could be too much to ask.

A spokesman for BT said that it used WEP on its home hub products because of the compatibility issues.

"We use WEP for a very sensible reason," said the spokesman, "there are a number of devices out there in the marketplace that do not use WPA."

When helping people install wi-fi networks Geek Squad started trying to use WPA-2 but often had to fall back on the weaker protection.

WPA-2 was only made mandatory on wi-fi access points manufactured after September 2006, which means much wireless hardware still relies on WEP.

"It's often the lowest common denominator," said Mr West, adding that it was better than nothing.

He said: "It's more of a deterrent that will prevent most people being able to access that router."

The facts behind big screen hacks

October 6, 2007

Source: bbcnews.com (by BBC's Dan Simmons)

We see a lot of impressive hacking in the movies, not just taking over individual PCs but whole traffic systems and top security databases.

Waterloo Station formed the backdrop for The Bourne Ultimatum, one of the biggest movies of the year, in which Americans take over all of the CCTV cameras. But just how realistic is that scenario and, worse, what about a hostile takeover?

According to Sarb Sembhi, IT systems analyst at ISACA, local authorities and the police use network TV because they can take advantage of the technology that allows them to view cameras on any system.

"Unfortunately not only does it enable them to view any camera on their system from anywhere, it also means that other people who shouldn't have access to the system may end up having access to the system.

"Anyone can do this if they know what they're doing," he said. "It may not be friendly governments, it could be any government anywhere, it could be criminals, it could be terrorists, they can use the system for their own advantage."

Paul Docherty of Portcullis Security is paid by governments and blue-chip companies to hack into their systems. He has been doing it for 20 years and believes hijacking Waterloo's cameras would be a difficult feat.

"The Waterloo scenario is a wired system, whereby they're wired back to a central control station. You would need access to the control station in order to gain access to the data.

"In a wireless network the camera has to broadcast whatever it's picking up across a wide area in order for it to be picked up by another system and then relayed to whoever is looking at the data. In those instances anyone can sit nearby and intercept the data.

"Potentially they could inject [data] packets in that so they could control the camera and point it in the direction they wanted it to go."

'Drastic attacks'

What about our critical infrastructure? Could undercover hackers take down a power plant or bring transport to a standstill?

An Associated Press report was posted on the internet last month showing an internal test by Homeland Security in the US to see if hackers could tap into the power network and shut down a turbine. The test succeeded.

"If you know something about SCADA technologies you can introduce yourself inside the network of power plants, nuclear plants, pipelines, hospitals, traffic lights in the city, airports and so on," said security evangelist Alessio Pennasilico. "Once you are inside the network you can do whatever you want."

SCADA is an older system that is still very common today. It allows you to acquire data from multiple systems.

Mr Docherty said: "In terms of how realistic the attacks are, personally I think it's somewhat over dramatised, the stuff of James Bond movies.

"However, what we're seeing is a convergence of technologies, and many SCADA systems are now connected to other systems which are connected to the internet via the IP protocol.

"So potentially the theory of the attacks is true. I think the realism of them is not so true. Someone would very much have to understand many, many proprietary systems in order to make such drastic attacks happen."

Personal safety

Hackers can also target individual mobile phone users if they are using a Bluetooth headset or a handset with Bluetooth switched on.

Bluetooth headsets rely on the phone to transmit radio waves to the earpiece. But they are vulnerable. That two-way connection can also be a gateway into your handset.

"If there is a specific flaw in the Bluetooth implementation in the model of the phone you won't even know that a hacker is getting into that specific phone," said Dino Covotsos of Telspace Systems.

"A lot of different techniques include bluesnarfing and bluebugging. You can actually do something called STP tooling."

STP tooling is a method for establishing the services that are supported by the phone.

Mr Docherty showed BBC Click how easy it was to pull off all the contacts from a phone placed 10 metres away from him. Using a laptop and a free computer program available on the internet it took him about a minute. The target's phone did not make a sound.

He could also have lifted calendar and diary entries and even have made a call without the phone owner's knowledge.

Fortunately, newer Bluetooth phones now warn the user.

Portcullis Security also hacked into the programme's wi-fi system in 10 minutes. It was "protected" by a 128-bit WEP encrypted password. Again the program they used is free and it is available on the internet.

You still need a degree of expertise to pull off a movie-style spying attack but it does seem that wireless systems in particular, while convenient for us, have made the hackers' lives a little easier, and those spy scenarios just a little more realistic.