Comments on: The State of WiFi security

By: frank kern

frank kern — Tue, 11 Aug 2009 01:26:44 +0000

Now I get cleared my doubts in WiFi security,thank you very much.

By: sebastian nielsen

sebastian nielsen — Sun, 30 Mar 2008 20:52:51 +0000

Client side security is inneccesary, and can always be bypassed. For example using a linux cd to boot up the computer and access every file on the computer.

Its always good to adhere to the following rule:
“If you have physical access to a computer, nothing prevents you to read or access the data stored on it”.

read or access means in some way downloading or reading data. The data may be unreadable (encrypted) but then you take the data with you and do a offline attack.

So the best is to place all security as centrally as possible. A good idea is to never store anything on the laptop.
But instead store everything on central servers. These servers can then verify user in some way.

But keep in mind that user can still copy data that he gets from the server to a USB memory, or just take photos of screen and then OCR them.

So use a VERY strict need-to-know policy, and make sure that if the system is in doubt of if a people is really needing a specific information, make it go through approval by manager before allowing the employer access.

So this means a worker who is working on a software part is only need access to that part of software.

This means that EVEN if a attacker gets physical posession of his laptop, or gets hold of a employer’s authorization card or gets access to a logged-in computer, the attacker cannot access more than the employer is able to access..

Let the users be administrators on their clients, and control access to documents, files and data by storing them at a central server.

By: pdp

pdp — Mon, 24 Mar 2008 12:35:45 +0000

Aod, I agree although I could add that attackers will move to an easier target but probably still within the scope of their goals. Probably, hacking into a network where employs are connecting to, hoping to get control over their computers and use them as a stepping stone to access the secure network, as I explained in the post.

But as you said, nothing is fool proof.

thanks

By: Aodhhan

Aodhhan — Mon, 24 Mar 2008 12:30:40 +0000

To increase security for user log in, increase the required authorization factors. For our secure internal network, you must use a smartcard (PKI of course) along with a pass-phrase (something you have and something you know). You can always add fingerprint scan to give you, “something you are”.

Although nothing is fool proof, a hacker will most likely move on to an easier target. With WiFi, there are plenty of them.

-Aod-

By: DailyWireless » Blog Archive » Friday Links: VoiceCon, Intel’s WiFi/WiMax Chip

Mon, 24 Mar 2008 02:26:56 +0000

[...] GNUCitizen has a mega post on WiFi security. It runs the gamut from physically breaking in to hacks. Read it here. [...]

By: Steve

Steve — Sat, 22 Mar 2008 00:54:36 +0000

But what if the attackers deploy nanopirates against your nanorobots…

By: pdp

pdp — Fri, 21 Mar 2008 15:06:40 +0000

mike, easy. we promote brain augmentation via nano robots which are connected to a security management console :)

By: Mike

Mike — Fri, 21 Mar 2008 13:11:33 +0000

Many enterprise start discussing training, training, training, but I’m pretty sure you are all aware of how well that is going. If human behavior is part of that link (and will probably be the weakest part the majority of the time), how do we cope with human error?

By: commercials

commercials — Fri, 21 Mar 2008 12:21:45 +0000

“…but we keep the best ones for ourselves”…

By: pdp

pdp — Fri, 21 Mar 2008 10:58:43 +0000

Geoffrey, exactly :)

By: Geoffrey Lee

Geoffrey Lee — Fri, 21 Mar 2008 10:55:47 +0000

I think another way to say it is that your security is only as strong as the weakest link, and human behavior is part of that link.

By: Sid

Sid — Fri, 21 Mar 2008 10:28:56 +0000

Well, Wi-Fi security might be after all just a bad answer in a flawed security model. Instead of trying at all cost to prevent people from entering the network by securing layer 2, maybe we should think more of securing layer 3. And bye bye 802.1x, WPA, NAC and similar expensive stuff…

In the end, an open Wi-Fi network with an IPSEC gateway might be easier to deploy.

By: LUPUS

LUPUS — Fri, 21 Mar 2008 09:54:50 +0000

Thanks :)

By: pdp

pdp — Fri, 21 Mar 2008 09:53:54 +0000

well, that business model will change soon.

By: malkav

malkav — Fri, 21 Mar 2008 09:46:54 +0000

red teams/tiger teams should be the standard, as should be the threat modeling based on objective/assets.

but we have a big problem here. users (so clients) where educated technology centric, and are vastly unaware of real world attackers practice. why would i spend time on exploiting your network when i can get the password i need to access your assets with a drunk manager at a local bar ? or in the trash ?

i hope that by offering this kind of services to my clients, some of them will become aware of how easily vital IP can be stolen/destroyed, but the contacts i had proves me wrong for the moment, people still wants NAC, automated nessus scan, and many other pretty useless energy consumption.