London homeowners are more careful about defending their wireless networks against trespassers than their corporate counterparts. One in five business networks fail to use any form of wireless encryption while 90 per cent of Londoners use encryption of some kind at home. RSA's seventh annual wireless security survey also found …
It's certainly better than it was two years ago. Then, of the 15 or so wireless points (mixed business/domestic) I could detect from my house, only 1 in 3 were encrypted. Now it's 95% of the (grown to 30) points, although just under half still use only WEP.
I can see the odd home user still using WEP. Lets face it, wireless for the lay person can tend to be: "WEP, WPA, WPA2...? where's the porn button and why is this dude poke'ing me??". For some folk you may as well tell them to smear bacon fat on their routers and sacrifice a lamb on the solstice. At least the house will smell delicious till it smells rancid. Time to upgrade the bacon fat!
I still have a few friends who abandoned the aging WEP AP to the visigoths and instead built their fortresses on homebrew VPN and two-factor authentication. It can be hard to give up the VPN when it impresses the ladies so!
Some folks simply don't care one way or another and, you know what? God bless 'em, those happy little hippies!
What I am having trouble visualising is the "Network Administrator" for whom WEP is somehow still such a viable security measure that they have left all their man-eggs in the big basket lined with severance notices and, if the imagery wasnt yet ironic enough, filled to the brim with loose packed unsheathed razor blades.
I guess some folk are into that sort of thing.
Where did free acces go?
I really wanted to live in a world where you could find free wifi access anywhere you went. For a while there the Linksys/belkin/dlink defaults community network made this possible. But now I'm finding that every access point I can see is locked down. It's a downside of the journalists and commentators pushing the manufacturers to make security the default.
So although there are some downsides to leaving wifi open, there's a downside to closing it all up as well. I find that sad.
Maybe this has something to do with the fact that most home users only have one modem/router/AP and a couple of wireless NICs, whereas businesses have lots of interconnected equipment, some of it quite old and only able to encrypt to WEP, so they have to set the whole network to the 'lowest common denominator'. Been there, done that, not entirely happy about it.
We need a 'banging head against wall' icon
First, WEP vs WPA - this may well be because there are more 'older' systems in London than in Paris. While it's true that WEP is broken, from a personal point of view, why would anyone (who simply wants free Internet access) bother with cracking WEP, when there's almost certainly a completely unprotected network 200m down the road?
The corporate networks have no excuse. I've been involved in providing advice to a city-based outfit whose US head office wanted to set up open WiFi network 9with an air gap to the corporate network and its own ADSL). The argument was that visitors from the States could logon to the head office network using a secure VPN. They were already doing this at head office, with no problems.
I pointed out that their head office was on a 30-acre campus in wooded New England with very little in the way of passing traffic - the new network was in the heart of the City. It only needs one bad guy (or an aggrieved ex-employee) to download some paedo material or send an email to OBL and they would have the cops breaking down their door demanding to see their logs - and unlikely to be very picky when it came to distinguishing between the 'separate' open WiFi network.
One final thought - maybe these unprotected networks are coming from unauthorised WAPs (or even misconfigured laptops). That's still no excuse - the internal security bods should be conducting regular scans to find any such holes.
So, my question is, did the survey encompass high-rise and skyscraper properties, or was it just a street level survey? Id imagine that New Yoik has a greater population density living vertically, and if these wern't taken into account, it could squew the results.
Paris, because, well, she's in the survey and knows all about the dangers of the internet.
WEP enforced by BT
BT wireless "Home hubs", at least the early ones, came with fixed WEP and passkey. If you have one of those, you are using WEP whether you know better or not. Hey, if BT makes you use it, it must be OK, right? I wonder what the current ones use?
There has been a severe lack of education around wireless for the masses, a lot of people probably get it free with their broadband without knowing anything about it. At best, if they are lucky, it is already encrypted (probably with WEP) and has a sicker on it with the password.
I doubt the majority of people with wireless even know their router has a configuration screen, never mind how to access it and change things.
Although it's a barrier for people, they need to be shipped in a severely crippled state, ie no net access, other pc's on the network not visible, with nice clear instructions (a disk with a setup wizard!) on how to set them up for use and secure them.
WEP on home wireless networks.
Using WPA is all well and good and I would have no hesitation in using it if not for one small problem, which I'm sure is shared by a number of other home wifi users - some of the older (and not so old) devices I own do not support WPA. The most notable of these devices (though by no means the only) is the Nintendo DS, which seems to stubbornly only support WEP.
Upgrade without delay...
Yeah great, assuming that your company can afford / is willing to ditch all the old kit which is still working but is only capable of WEP...
Wifi capital? Not per capita, no sir.
I was in Leiden (NL) last week, and tried in three locations. At each, between 15 and 27 good-strength accesspoints in view, and every single one of them protected. Most people tell me they haven't seen an unprotected one in Holland since a year or two (my last: 09/2006 in Amsterdam).
In London Kings X I can regularly see 5 good-strength accesspoints of which 3 protected.
Where I'm sitting now in the West Country, I see 4 of which 1 protected.
What a crock of shite!
Decent enterprise wireless kit like Cisco is normally configured as WEP with PEAP. That's encryption + user authentication.
If your "enterprise researchers" couldn't be bothered emphasizing this point, then they really are the talentless hacks they first appear to be.
The WEP (as well as certificate) encryption is there so that the machines can encrypt the user's login to the network in the background. What's more, you can set the machine's mac as part of the authentication just to make sure no home machines end up on the network either.
Is it any wonder we don't really trust any of them with data security.
so much gravitas, so little content
Having read the report linked to, I can't help feeling that the London part of this "survey" was carried out by a couple of people with a lappy from the upper deck of a bus, on a short hop from Holborn to Canarf Wharf - and then back again.
> The survey was carried out by a team of independent security consultants using a laptop computer and commercial scanning software.
It certainly didn't cover much ground (literally) and the amount of "normal" residential property in among the swanky loft apartments doesn't sound much like the vast majority of suburbia.
The report itself is very professionally finished: lots of business graphics in nearly identical, themed colours (so as not to spoil the "design" of the product, by drawing attention to it's actual content). Lots of often repeated conclusions and a large amount of space dedicated to explaining what all this stuff is, in nice soothing tones so as not to surprise the CEOs, who they hope will read it. This is obviously where it wins. If the average techy had written this, I (sorry, they) would've got it down to a single page, with a table of results and a summary saying "mostly harmless". Maybe it's time to polish up the old marketing skills and worry less about the actual content?
Maybe it's because....
that home users have operator-branded routers with WEP or WPA pre-configured and that the setup CD does everything for you, and that corporate kit is generally brand name supplied blank and just "plugged in and go" by some of the highly paied erks who no nothing about sefcurity (yes, there is no "f" in....)...
Of by the management who get pissed when the resident BOFH says that he has to enter a password, and it's too difficult. Just make it work...
Too many of the damn things anyway
We (London) may have good security but there's too much data flying around the airwaves anyway. In our Zone 3 flat (i.e.: 7 miles from the centre) I can find fifteen different wireless networks using my Windows Mobile phone and WiFiFoFum. Fifteen!
If I want to play on-line games I have to hook the Xbox up to the router using a cable because the unpredictability of wireless lag makes it tricky, even with a 16 Mb connection.
Paris, because she's blonde and lags behind the conversation a bit.
Most ISPs in the UK now provide wireless routers pre-configured with a key. BT's are all WEP, and i'd imagine many of the other big ones are similar.
Does WDS support WPA yet?
last time I reconfigured I was forced to use wep as my routers WDS relied upon it, although both routers were capable of WPA the WDS would not run, go figure!
@15 networks from a london flat
I am surprised its not more, I get 12 networks from a house in Nottingham! majority are default home hubs sky boxes and the like, three are re-named and I presume configured correctly... none are open!
It's a bit poor to link use of Wireless security to the use of WEP. The sophisticated hacker is just some skiddiot with a copy of airhack. Its far more secure to have an open access point, and then to have a firewall on the inside.
But in this test the "open wireless + firewall" approach would be marked down as less secure than WEP. Which is daft.
It's worth noting that the city of Paris provides free Wi-Fi internet access in all parks, even the tiny ones; so there's not a great deal of point in trying to hack someone's Wi-Fi network, unless you have particularly nefarious purposes in mind.
Security != encryption
Encryption is one aspect of security. Is a Wifi router with WEP that only accepts connections from know MAC addresses less secure that a router that uses WPA but accepts connections from any computer? And what about routers that don't advertise their ESSID? Where they included in the survey? And what about firewalls?
Lies, damn lies and statistics...
"London kept its position as the ‘most wireless city"
As far as domestic premises are concerned, what they're actually counting is the number of people with broadband.
Is anyone still selling non WiFi routers?
BT, get a grip
As touched upon above, BT's HomeHubs come pre-configured using 64-bit(!) WEP! I don't think I've ever known anyone to use 64-bit WEP.
Once I'd figured that out a quick read of the manual (it does happen) and a google, and I got my brother's kit set up for WPA.
From my corporate experience the wireless networks in offices tend to be the visitors network (because they need internet access) and they are not allowed on the internal network. This internal network will be wired not wireless. As such limited security on the wireless is not a problem.
And paid for networks e.g. hotels
Hotels and other public access points usually have no security but a captive portal page where you enter payment, personal details or voucher codes. Insecure by design and not accident.
In case you weren't being rhetorical, I choose answer 1.. YES!
WEP + non-broadcast SSID + MAC Address security: 1) Crack 2) Sniff 3) Spoof 4) Connect
WEP: 1) Crack 2) Connect
The significant thing being that only "1" actually takes any time and with WEP it is a significantly shorter time. Firewall wont protect you from terribly much at Layer 2 and by the time they have gotten to TCP/IP.. well.. to co-opt an old horror motif, the bad guy ".. is calling from INSIDE YOUR HOUSE!!" (cue scream).
WPA and WEP dont just provide encryption, they provide an implicit authentication and authorisation step. WEP's flaws make it too easy to leap over these and unless you replace them with something else (eg VPN + Firewall, maybe - if you are into that sort of thing) you have nothing.
It is fine to stick with WEP - just dont put any trust in it. If you treat your WEP's Wi-Fi interface with the same level of trust you would an unmanaged public access network and protect your resources (your systems, your data, your Internet feed) appropriately, you can certainly soldier on with it. It seems like a lot of work though.
This is not to say that WPA is perfect. You still need to be thinking about those things, regardless. Especially if you have something important to protect. It is just that when you are at the low end of the food chain - not at all attractive to sophisticated hackers, and not that much to lose on the LAN - you need WPA. WEP will let the smelly script kiddies in to play with your skimpies and do things with your toothbrushes..
@AC - see my comment above for why (IMHO) completely open visitors' networks are a really bad idea, even if there's an air gap to the corporate network. Post a daily userid/password on the intranet, so any legit visitor can be given access - there, that wasn't too difficult!
@Chris Miller Re: Visitors Networks
I think you are rather inflating the OBL link risk from a companies visitors network. Any enforcement with the technical ability to track down the company from the network would have the nous to understand the different networks rather quickly! Unlike, for instance the RIAA, they don't have any reason to cause collateral damage (at least where companies are involved since they have lawyers to sue with!), and are motivated to get the right target.
P.S. I was not recommending completely open, just pointing out that it is not THAT bad. (Ours have logins for instance.)
@Apocalypse Later and all the others referring to BT
My sister had issues with using encryption on her router. BT's solution? Don't broadcast the SSID, disable encryption and enable MAC filtering. As far as I known BT use WEP because their Fusion phone doesn't support WPA (or at least it usen't). Says it all really.
The other problem with WEP is that it's like using a Hubbed network, much amusement to be had using Wireshark in public places even if they're using WEP. Can anyone say stealing cookies?
As an aside, my sister also had issues using WPA with her macbook, it refused to remember the key. Not trolling, but I wasn't too impressed. It was quite happy with WEP for some reason.