We All Weep for WEP - Page 2
May 04, 2007
Yes, disaster is a strong word, but consider what WEP's failures have resulted in. From its earliest days of existence, WEP has been the whipping boy (sorry, that's too easy of a pun even for an engineer) of the infosec community. So many "WEP is broken" articles were published that I firmly believe many people avoided Wi-Fi altogether for fear of being compromised by a war driver in a white van in the parking lot with a [famous name brand] potato chip can Yagi antenna. (Those fears weren't entirely unwarranted.)
Indeed, I am convinced many organizations still fear wireless networks because of all the uproar caused by WEP.
These days, Wi-Fi Protected Access (WPA), in its various shapes and sizes, is readily available and supported, and by all accounts, it is substantially more secure than its predecessor. However, in many ways, the damage has already been done. I'm sure that WPA was slow to gain acceptance because of its association (by perception) with WEP.
In my own travels, I rarely find WPA-protected networks in public places. Almost all of the commercial hotspot services have opted to use no network encryption and to move their security inward, leaving the customers responsible for defending their own data.
So, where are the big lessons in this debacle? Here are a few to consider:
Scrutinize designs rigorously prior to releasing them. I'm a big believer in public scrutiny, but if that's not feasible, then ensure an independent team thoroughly reviews all designs before they're released.
Infrastructure security defects have long-term negative impacts. As such, deciding on how to secure them should be a matter of extreme importance, which may take longer than commercial organizations want, but the longer-term payoffs are worth it.
We've got to demand more of our product vendors. We can't afford mistakes like WEP to happen.
Don't put all your security faith in one mechanism. Even if WPA proves itself to be highly adequate for most purposes, multiple security layers are still a good idea considering the fact that our business data is flying through the air and can be easily intercepted by miscreants who wish us harm.
I'll bet most of the world is blissfully unaware of the problems in WEP, but we're all feeling the pain nonetheless. I have no doubt at all that Wi-Fi would be vastly more accepted in enterprises today had it not been for WEP. Let's not let it happen again.