Types of Wireless Network Attacks: Misconfiguration

There has been much talk concerning the flaws in software, along with the numerous system exploits being disclosed on a daily basis. However, security experts are more concerned that this serves as a distraction to IT professionals who should be focusing on a more severe problem - improperly secured wireless networks. Today's wireless environments are so poorly configured and managed that attackers can virtually walk right through without attracting too much attention.

The concern of mismatched software and hardware

The problem arises from the plethora of mismatched software and hardware, making way for a network infrastructure that is vulnerable to a wide range of attacks. In some cases, the devices may function properly but are terribly misconfigured. While several companies take the first step by implementing a security system, many more fail to maintain them, causing these implementations to be inefficient.

Incorporating SSID

SSID (Service Set ID) is a configurable identification mechanism that enables a client to communicate with the correct base station; all stations come included with their own default SSID. When configured properly, only clients configured with the corresponding SSID can interact with the base station. An attacker can exploit the default SSIDs in attempt to access a base station that may have still have its default configuration. Some will change the default SSID password to something simple, ultimately making the network just as vulnerable.

Those configured with more complex SSIDs are still subject to exploits. For instance, an attacker may attempt to guess the base station SSID using a brute force attack of known dictionary phrases, a trick that attempts to guess every word or phrase possible. What may seem like a time consuming process is made easy with the right hacking utilities. The use of simple SSID passwords is considered to be misconfiguration of network resources and makes it much easier for an intruder to compromise a network.

Unlike most of your data, SSID is not encrypted even when enabling the WEP feature, meaning the password is broadcasted in plaintext. This is a major concern as many access points have SSID broadcasting enabled by default. Even if it is turned off, a packet sniffer can simply wait for the next valid user to make a network connection and spy on the plaintext message.

Expert opinion

Lisa Phifer, Vice President of Core Competence Inc., has been actively involved in the development, implementation and evaluation of internetworking security, communications and network management solutions for more than 20 years. She has advised companies from small to large in regard to product assessment, security needs and the overall importance of using the best practices of emerging technologies. In a recent interview, Lisa noted that the Code Red worm was amazingly still infecting network servers at the end of 2007. This is very unsettling considering the fact that virus signatures and server patches to contain the infection have been readily available since 2001. Like most experts, Phifer blames this continuous outbreak on misconfiguration. She went on to state that Gartner Research has predicted that misconfiguration will account for an estimated 70% of successful wireless LAN attacks through the year 2009.

Log in or sign up to comment.

Post a comment

Log in or sign up to comment.
Identity theft comes in many forms.

A person\92s identity can be 'borrowed' for the purpose of creating fictional credit cards or a person\92s entire identity can be usurped to the point where they can have difficulty proving that they really are who they claim to be.

Up to 18% of identity theft victims take as long as four years to realize that their identity has been stolen.

There are many ways to protect your personal identity and many steps you can take to prevent your identity from being stolen:

*Never give out unnecessary personal information
*Never provide bank details or social security numbers over the Internet
*Always remain aware of who is standing behind you when you type in your personal credit codes at ATM machines and at supermarket checkout swipe machines.