Last week, we wrote about a study from Darmstadt Technical University in Germany that demonstrated new tools capable of breaking Wired Equivalent Privacy (WEP) in seconds. Commentary around the Web essentially said that WEP, which has been superseded by a far more effective protocol called Wi-Fi Protected Access (WPA), would finally and completely be swept into the dustbin of security history.
Not so fast. This posting at CSO Online provides two reasons that this isn't going to happen. One is that a lot of companies simply run whatever protocol originally ran on their networks -- if they bother to run anything at all. People, it seems, don't always wear their seat belts, exercise, floss or switch to software that is orders of magnitude more secure than what they are running.
The other problem identified by Michael Overly is home networks. This is, perhaps, an even greater challenge. It's true that many companies protect themselves well. They may even require a virtual private network (VPN) to ensure security between the home network and the office. But even the most rigorous organizations have little control over how home workers protect their own wireless networks. This backdoor can provide crackers with access to potentially valuable data on the home computer and make the corporate local-area network (LAN) more vulnerable.
A third problem, identified by Network Computing's Sean Ginevan, is that many devices only support WEP. Upgrading (where it's possible) or replacing all of these devices isn't realistic. Instead, network designers must find a way to limit potential damage, such as segregating the WEP-only devices onto a separate virtual local-area network (VLAN).
There is some good news, however. AirDefense earlier this month introduced WEP Cloaking, a product that is aimed at retailers. The company claims that it solves the WEP issue without demanding new hardware and software investment. Another positive note comes from Oliver Rist, an editor with the InfoWorld Test Center. He describes how WEP can be made more secure on Windows machines running Vista or post-Windows XP Pro Service Pack 2. The idea is to replace WEP's pre-shared key with 802.1X. The bottom line is that it doesn't seem like it would be too difficult for a computer-savvy individual to do.
WEP is going to be with us for a long time. Despite the growing ease with which it can be cracked, a certain and probably large segment of the corporate population will carry on as usual, and they will be at ever-increasing risk. The glass is half-full in this case, however, because there are many things that security-savvy companies can do to protect themselves without ripping out WEP.
Keep in mind, also, that crackers usually gravitate to the most vulnerable networks. Call it the LoJack principle: Upgrading protection -- whether it be a bar across the steering wheel or reinforced WEP -- not only improves the security itself, but also makes it more likely that the bad guys will move on.