Tuesday, June 9, 2009

Starbucks and Network Security

Mike Burke likes to share the spotlight with his co-workers so Tom Ring - IQ Services' Information Security Manager - is stepping in to let you know what he is thinking about these days.

You’re in your local coffee shop, and they are nice enough to provide free WiFi for the use of their patrons. You fire up the laptop and see that there are multiple access points available there. You pick one and connect. You just connected to a poisoned hotspot being run from a parked car. You’ve got network access through their cell provider, and they are sniffing every packet. Just because an access point says it is Joe’s Coffee Shop doesn’t mean that it really is.

You’re in another coffee shop that uses authentication and encryption, and you only see one access point to connect to, which you then do. Everything is just fine and you get down to work. The problem is that within just a few minutes every packet you send and receive is being logged by the guy two tables down. Your company email account is now wide open to him. What happened? The encryption that the shop uses is just a little out of date. In fact, current wireless encryption methods have probably all been cracked. WEP was cracked in 2005 and currently takes less than 60 seconds; WPA v1 can be broken using aircrack-ng; and WPA TKIP (currently the best method commonly available) was demonstrated in November of 2008 to be crackable in as little as 12 minutes, regardless of the password or key length. Current WiFi encryption is not to be trusted.


So what are you to do? There is a solution, and your IT department probably already provides it – it’s a VPN tunnel. A VPN tunnel is a virtual private network connection back to your network at work. This is an authenticated, encrypted tunnel that securely transports data to and from the internal network at your office. It can be used regardless of how insecure the coffee shop is, and it has another advantage – it gives you access to all the resources that you have when in the office: file servers, wikis, chat servers, everything, assuming that no limitations have been put into place by IT for VPN users.

Please note that you still need to have your laptop protected against incoming attacks. That means no open shares, a firewall in place, no services available on any ports, etc. Again, look to your IT department for assistance in making sure that everything else, as well as your VPN, is ready for the road.

Tom Ring










IQ Services
6601 Lyndale Ave South Suite 330
Minneapolis MN 55423
612-243-5114
http://www.iq-services.com/



