Tuesday, 25 August 2015

How to stop Wi-Fi hackers cold

Recently a neighbor told me she was getting cease-and-desist warnings about downloading copyrighted material. She was confident that she had never downloaded anything of the kind.

I checked her computer, and it did not contain any malware. She had not given anyone else her Wi-Fi access code, and she had changed the default Wi-Fi access point admin password. But when I turned on auditing on her Wi-Fi router, we could see that someone else in her neighborhood was using her Wi-Fi network to illegally download copyrighted material using Tor.

I reset the Wi-Fi router to its defaults, downloaded the latest firmware, established a new SSID, and created even longer Wi-Fi and admin passwords. The illegal downloading stopped -- or so we thought. Within a few weeks, my friend received more warning emails from her Internet provider, this time threatening to turn off her Internet without prior notice and recommending that she obtain legal counsel.

I went back on her router and it showed that the same computer (identified by MAC address) had gained access to her Wi-Fi router and was again downloading illegal material. Although there are many ways to hack Wi-Fi routers, I was convinced that it had to do with WPS (Wi-Fi Protected Setup) hacking.

The WPS saga

Nearly every new feature intended to make computer security easier is bound to open up new vulnerabilities. Such is the case with WPS.

A Wi-Fi network normally admits a device only after it presents either a certificate (enterprise networks using 802.1X) or a long, complex pre-shared passphrase (WPA/WPA2-Personal). WPS is a feature that lets anyone push a button or trigger a software mechanism that connects a device to the router without those prerequisites.

WPS comes in a few flavors. The most common method is push-button: someone presses the WPS button on the router, and for a limited time any device within range can enable WPS and join. Alternatively, a USB storage device can carry the configuration between the router and the device.

But there's a third method that most people never use: on the outside of most Wi-Fi routers is a sticker carrying an eight-digit PIN. A user enables WPS on a device and enters that PIN to authenticate to the router. The thinking is that unauthorized hackers lack physical access to the router and can't read the sticker. The flaw in that thinking is that the router will also check a PIN offered over the air by any device in range, so the sticker is not what protects the network.

An easy brute-force hack

A few years ago, however, hackers discovered that WPS is vulnerable to brute-force PIN guessing. All (unfixed) versions of WPS use a (randomly selected) eight-digit decimal PIN, and anyone who guesses it is let in as an authorized device. Think about the inherent weakness of an eight-digit PIN: 10^8 possibilities is only about 27 bits, while the bare minimum accepted for a symmetric key today is 128 bits.

But it's much worse. The eight-digit PIN really carries only seven digits of secret; the last digit is a checksum computed from the first seven, so an attacker can fill it in. Moreover, the router verifies the PIN in two independent halves: it confirms the first four digits before it ever looks at the last four (three secret digits plus the checksum). An attacker can therefore find each half on its own, which means at most 10,000 + 1,000 = 11,000 guesses instead of 10,000,000. (And you thought LAN Manager hashes were weak.)

Attackers literally have to make only a few thousand guesses, typically about half of the 11,000 maximum, which usually takes four to eight hours over the air. Most WPS-enabled routers have no guess-attempt lockout at all. Many newer routers offer some protection, such as locking out WPS for a preset period after a run of failed attempts, but often it isn't enabled by default. Worse yet, on some routers the WPS registrar keeps answering PIN attempts even after WPS has been switched off in the administration interface. It's insane!
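
To make the arithmetic above concrete, here is an added example (it is not code from the article and not any router's or tool's implementation) that computes the WPS checksum digit, then runs the two-stage guess against a constructed stand-in for the router's WPS registrar. The stand-in models only the property the attack depends on: the first four digits are confirmed or rejected before the last four are ever examined. The cost per guess (2 seconds) and the lockout (3 minutes after 3 consecutive failures) are assumed figures chosen to resemble the ones described above, not measurements.

```python
"""
Why a WPS PIN falls to a few thousand online guesses.

Added illustration, not code from the original article and not any vendor's
WPS implementation. wps_checksum() is the rule the WPS specification uses for
the eighth digit. MockRegistrar is a constructed stand-in for the router: it
reproduces only the one fact the attack relies on, that the exchange confirms
the first four digits (M4/M5) separately from the last three (M6/M7).
All timing constants are assumptions.
"""
from typing import Optional


def wps_checksum(first7: int) -> int:
    """Checksum digit for the first seven digits of a WPS PIN."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is eight digits whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class MockRegistrar:
    """Constructed model of the router side of a WPS PIN exchange.

    check_first_half() answers like the M4->M5 step, check_second_half() like
    M6->M7. Each call costs per_guess_s virtual seconds. If max_failures is
    set, every max_failures consecutive failures cost an extra lockout_s
    (the "guess-attempt lockout" some routers offer); the counter resets
    after a lockout or a correct half (assumed behaviour).
    """

    def __init__(self, pin: str, per_guess_s: float = 2.0,
                 max_failures: Optional[int] = None, lockout_s: float = 0.0):
        if not is_valid_pin(pin):
            raise ValueError("not a valid WPS PIN")
        self.first, self.second = pin[:4], pin[4:]
        self.per_guess_s, self.max_failures, self.lockout_s = per_guess_s, max_failures, lockout_s
        self.guesses = 0
        self.elapsed_s = 0.0
        self._failures = 0

    def _answer(self, ok: bool) -> bool:
        self.guesses += 1
        self.elapsed_s += self.per_guess_s
        if ok:
            self._failures = 0
        else:
            self._failures += 1
            if self.max_failures and self._failures >= self.max_failures:
                self.elapsed_s += self.lockout_s  # attacker must wait out the lockout
                self._failures = 0
        return ok

    def check_first_half(self, half: str) -> bool:
        return self._answer(half == self.first)

    def check_second_half(self, half: str) -> bool:
        return self._answer(half == self.second)


def brute_force(target_pin: str, **registrar_opts):
    """Two-stage online PIN search. Returns (recovered_pin, guesses, elapsed_s)."""
    ap = MockRegistrar(target_pin, **registrar_opts)
    # Stage 1: the router confirms the first four digits on their own.
    first = next(f"{c:04d}" for c in range(10_000) if ap.check_first_half(f"{c:04d}"))
    # Stage 2: only three digits are secret; the checksum is computed, not guessed.
    for c in range(1_000):
        tail = f"{c:03d}"
        pin = first + tail + str(wps_checksum(int(first + tail)))
        if ap.check_second_half(pin[4:]):
            return pin, ap.guesses, ap.elapsed_s
    raise RuntimeError("unreachable: the second half is searched exhaustively")


def search_space() -> dict:
    """Guess counts with and without the split verification."""
    return {
        "no_split_7_free_digits": 10**7,    # checksum is computable, so 7 digits matter
        "split_worst_case": 10**4 + 10**3,  # 11,000: each half is confirmed on its own
    }


if __name__ == "__main__":
    print(search_space())
    print(brute_force("12345670"))
    print(brute_force("12345670", max_failures=3, lockout_s=180.0))
```

Run it and the two calls at the bottom report the same 1,803 guesses for the default-style PIN 12345670 either way, but about an hour of air time without a lockout versus roughly 31 hours with one. That is why a lockout of only a few minutes turns hours into days, and why the real fix is still to turn WPS off.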

WPS-guessing attack tools are readily available. Reaver was one of the first and most popular. Pointed at a typical Wi-Fi router, these tools recover the PIN, and with it the network passphrase, in less than a day, which in today's password-guessing world is ridiculously quick. In 2014, another method, dubbed Pixie Dust, attacked WPS differently: it exploits weak random numbers in some chipsets' WPS implementations so that the PIN can be worked out offline from a single exchange, and its proponents claimed it could break WPS in less than 30 minutes (though I haven't verified this method).

WPS cracking was a big deal back in December 2011, when it was first announced, and was used a lot in 2012, when all the Linux hacking distros added the necessary programs to their Wi-Fi hacking toolsets. Since then, the attack has languished in media circles even though it remains possible on most Wi-Fi routers. You'll still occasionally read stories where gangs of hackers used the method to compromise a bunch of Wi-Fi routers in the service of some larger evil.

Hacking the neighbors

I had disabled my WPS feature a few years ago on my own home router, and I don't do a lot of Wi-Fi penetration testing, so I had mostly forgotten about this attack vector. But with this recent event, I decided to test most of my neighborhood. Living on an island, I know most of my neighbors. They all have Wi-Fi routers. I contacted each of them, explained the situation, and asked if I could hack their Wi-Fi routers. They all gave me permission. Within the day, I was able to break into all but one.


Being the friendly computer security guy that I am, I updated everyone's router firmware code (none were even remotely up to date), changed any default passwords I found, and either disabled their WPS feature or made sure the guess-lockout feature was enabled. The lockout feature essentially locks out WPS connections for a preset period of time and then automatically re-enables it. The feature locks out WPS for only a few minutes, but it's enough to stymie WPS PIN guessing.

Initially, I wasn't 100 percent sure my friend's Wi-Fi router was being compromised by the WPS PIN guessing method, but after we disabled the WPS feature, the neighborhood hacker wasn't able to get back in. I'm guessing they were pretty frustrated. After all, I had locked up the whole neighborhood at the same time.

My advice to you? Update your router's firmware to the latest version available. Use a long and complex Wi-Fi network passphrase and admin password, and disable WPS. Then check that it stayed disabled (the wash scanner that ships with Reaver lists access points still advertising WPS); a router that keeps answering WPS PIN attempts after the feature is switched off should be replaced. That way you'll be less likely to be accused of downloading something illegally or doing something maliciously if it wasn't you.


Monday, 24 August 2015

What is Information Security?
According to the UK Government, Information security is:
"the practice of ensuring information is only read, heard, changed, broadcast and otherwise used by people who have the right to do so" (Source: UK Online for Business)
Information systems need to be secure if they are to be reliable. Since many businesses are critically reliant on their information systems for key business processes (e.g. websites, production scheduling, transaction processing), security can be seen to be a very important area for management to get right.
What can go wrong?
Data and information in any information system is at risk from:
Human error: e.g. entering incorrect transactions; failing to spot and correct errors; processing the wrong information; accidentally deleting data
Technical errors: e.g. hardware that fails or software that crashes during transaction processing
Accidents and disasters: e.g. floods, fire
Fraud - deliberate attempts to corrupt or amend previously legitimate data and information
Commercial espionage: e.g. competitors deliberately gaining access to commercially-sensitive data (e.g. customer details; pricing and profit margin data, designs)
Malicious damage: where an employee or other person deliberately sets out to destroy or damage data and systems (e.g. hackers, creators of viruses)

How Can Information Systems be Made More Secure?
There is no such thing as failsafe security for information systems. When designing security controls, a business needs to address the following factors:
Prevention: What can be done to prevent security accidents, errors and breaches? Physical security controls are a key part of prevention techniques, as are controls designed to ensure the integrity of data.
Detection: Spotting when things have gone wrong is crucial; detection needs to be done as soon as possible - particularly if the information is commercially sensitive. Detection controls are often combined with prevention controls (e.g. a log of all attempts to achieve unauthorised access to a network).
Deterrence: deterrence controls are about discouraging potential security breaches.
Data recovery: If something goes wrong (e.g. data is corrupted or hardware breaks down) it is important to be able to recover lost data and information.

Business benefits of good information security
Managing information security is often viewed as a headache by management. It is often perceived as adding costs to a business by focusing on "negatives", i.e. what might go wrong.
However, there are many potential business benefits from getting information system security right: for example:
- If systems are more up-to-date and secure, they are also more likely to be accurate and efficient
- Security can be used to "differentiate" a business: it helps build confidence with customers and suppliers
- Better information systems can increase the capacity of a business. For example, adding secure online ordering to a web site can boost sales by enabling customers to buy 24 hours a day, 7 days a week
- By managing risk more effectively, a business can cut down on losses and potential legal liabilities

Direct-access attacks

An unauthorized user who gains physical access to a computer is often able to compromise its security by modifying the operating system, installing software worms, keyloggers or covert listening devices, or simply copying data off it. Even when the system is protected by standard security measures, these can be bypassed by booting another operating system or tool from a CD-ROM or other bootable media. Disk encryption and the Trusted Platform Module are designed to defeat these attacks, though neither protects a machine that is left running and unlocked.

Eavesdropping

Eavesdropping is the act of surreptitiously listening to a private conversation, typically between hosts on a network. For instance, programs such as Carnivore and NarusInsight have been used by the FBI and NSA to eavesdrop on the systems of internet service providers. Even machines that operate as a closed system (i.e., with no contact to the outside world) can be eavesdropped upon by monitoring the faint electromagnetic emissions generated by the hardware; TEMPEST is an NSA specification referring to these attacks.

Spoofing

Spoofing of user identity describes a situation in which one person or program successfully masquerades as another by falsifying data.

Tampering

Tampering describes a malicious modification of products. So-called "Evil Maid" attacks and security services planting surveillance capability into routers [3] are examples.

Repudiation

Repudiation describes a situation where the authenticity of a signature is being challenged.

Information disclosure

Information disclosure (privacy breach or data leak) describes a situation where information thought to be secure is released into an untrusted environment.

Privilege escalation

Privilege escalation describes a situation where an attacker gains elevated privileges or access to resources that were previously restricted to them.

Exploits

An exploit is a piece of software designed to take advantage of a flaw in a computer system. This frequently includes gaining control of a computer system, allowing privilege escalation, or creating a denial-of-service condition. The code from exploits is frequently reused in trojan horses and computer viruses. In some cases, a vulnerability can lie in a program's processing of a specific file type, such as a non-executable media file. Some security web sites maintain lists of currently known unpatched vulnerabilities found in common programs.

Social engineering and trojans

Social engineering aims to convince a user to disclose secrets such as passwords, card numbers, etc. by, for example, impersonating a bank, a contractor, or a customer. [4]

Indirect attacks

An indirect attack is an attack launched from a third-party computer. By using someone else's computer to launch an attack, it becomes far more difficult to track down the actual attacker. There have also been cases where attackers took advantage of public anonymizing systems, such as the Tor onion router.

Computer security

Computer security, also known as cybersecurity or IT security, is security applied to computers, computer networks, and the data stored on and transmitted over them.
The field is of growing importance due to the increasing reliance on computer systems in most societies.[1] Computer systems now include a very wide variety of "smart" devices, including smartphones, televisions and tiny devices that form part of the Internet of Things, and networks include not only the Internet and private data networks but also Bluetooth, Wi-Fi and other wireless networks.
Computer security covers all the processes and mechanisms by which digital equipment, information and services are protected from unintended or unauthorized access, change or destruction, and the process of applying security measures to ensure the confidentiality, integrity and availability of data both in transit and at rest.

Vulnerabilities

A vulnerability is a system susceptibility or flaw, and an exploitable vulnerability is one for which at least one working attack exists. Many vulnerabilities are documented in the Common Vulnerabilities and Exposures (CVE) database and vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.
To understand the techniques for securing a computer system, it is important to first understand the various types of "attacks" that can be made against it, and these threats can typically be classified into one of the categories in the sections below:

Backdoors

A backdoor in a computer system, a cryptosystem or an algorithm is any secret method of bypassing normal authentication or security controls.

Denial-of-service attack

Denial-of-service attacks are designed to make a machine or network resource unavailable to its intended users. Attackers can deny service to individual victims, such as by deliberately entering a wrong password enough consecutive times to cause the victim's account to be locked, or they may overload the capabilities of a machine or network and block all users at once.
An attack from a single IP address can be blocked by adding a new firewall rule, but many forms of distributed denial-of-service (DDoS) attack are possible, where the attack comes from a large number of points and defending is much more difficult. Such attacks can originate from the zombie computers of a botnet, but a range of other techniques are possible, including reflection and amplification attacks, where innocent systems are fooled into sending traffic to the victim.
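
The first kind of denial of service described above, locking a victim out by deliberately failing their password, is a direct consequence of how the lockout is keyed. The following is an added example, not code from this page or from any real authentication system: it models a naive per-account lockout next to a throttle keyed on the source address and account together, and runs a constructed request sequence through both. The credential, the addresses (documentation ranges) and the sequence are all made up for the illustration.

```python
"""
Account lockout as a denial-of-service weapon, and a throttle that blunts it.

Added example, not from the original page. Everything here is an in-memory
model built for illustration: USERS is a constructed credential, the
addresses come from documentation ranges, and run_scenario() replays a
made-up request sequence to show the two behaviours side by side.
"""
from collections import defaultdict

USERS = {"alice": "correct horse battery staple"}  # constructed sample credential


class PerAccountLockout:
    """Naive policy: max_failures wrong passwords on an account lock that
    account for everyone, whoever caused the failures. An attacker who only
    knows the username can lock the real user out at will."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, user: str, password: str, source_ip: str) -> str:
        if user in self.locked:
            return "locked"
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return "denied"


class PerSourceThrottle:
    """Failure counter keyed on (source_ip, account). A source that keeps
    failing against an account is refused; the real user elsewhere is not.
    Tradeoff: an attacker spreading attempts over many addresses is only
    slowed per address, so this belongs alongside strong passwords and an
    alarm on the overall failure rate for the account."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def login(self, user: str, password: str, source_ip: str) -> str:
        key = (source_ip, user)
        if self.failures[key] >= self.max_failures:
            return "throttled"
        if USERS.get(user) == password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def run_scenario(policy) -> dict:
    """Constructed sequence: six wrong passwords for alice from one address,
    then alice herself signs in with the right password from her own address."""
    attacker_ip, victim_ip = "203.0.113.9", "192.0.2.10"
    attacker = [policy.login("alice", f"guess{i}", attacker_ip) for i in range(6)]
    victim = policy.login("alice", USERS["alice"], victim_ip)
    return {"attacker": attacker, "victim": victim}


if __name__ == "__main__":
    for policy in (PerAccountLockout(), PerSourceThrottle()):
        print(type(policy).__name__, run_scenario(policy))
```

With the per-account policy the attacker's fifth wrong guess locks alice out and her own correct login is refused; with the per-source throttle the attacker is cut off after the same five failures while alice, coming from a different address, signs in normally. Real deployments usually combine the two ideas (per-source throttling plus a soft per-account step such as a CAPTCHA or a notification) rather than choosing one.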