Do you secure your wireless?

Originally posted 07/05/2011 on lubbockonline.com

In the Defensive Computing blog at Computerworld Michael Horowitz updates us on the fate of Barry Ardolf. Barry was the genius who hacked his neighbors wifi network then proceeded to try to frame them with crimes ranging from child pornography to death threats on Vice President Biden. He was sentenced to 18 years in prison for his efforts.

Barry was able to hack his neighbors wifi because the neighbor used the totally cracked WEP encryption. With the proper software you can crack a WEP network in well under a minute. WPA has the same problem if you don't use strong passwords.

If Barry Ardolf had been a little smarter he might have actually gotten away with framing his neighbor as he'd planned. All because the neighbor used the weakest encryption on his network. Sort of like using 1/8" balsa wood for the door of a bank vault. Sometimes you don't have any choice because of legacy equipment, but you should always use the strongest encryption available. A WEP encrypted network almost got an innocent man implicated in child pornograghy and threatening the vice president.

There are a lot of different routers, and setting the security is different on all of them. The fastes way to learn how to setup the security on your router is to go to the manufacturers website and download the manual.

Wikileaks is a symptom, not the disease

Wikileaks has created a tempest with the release of millions of stolen U.S. secret documents. It's also created serious problems for it's founder. Problems that may exist more for the convenience of the embarrassed governments than for any real events. But that's not the reason for this post. Wikileaks has forced governments in general, and the U.S. government in particular to look at just what types of security they have, and how close it really is to what they need.

Redorbit.com reports that the U.S. lags behind safeguarding against cyber attacks. I don't know if anyone really finds that idea surprising. If we can't even prevent a soldier (trusted with clearance or not) from physically stealing secret documents, why should we think we're successfully securing the networks that hold those documents from outside intruders?

The Department of Homeland Security (DHS) has plans to secure those networks, but they will take time to implement. Steps are being taken to plug the holes that made the wikileaks revelation possible, too. The problem is, those steps should have been taken years ago. There should have been no thumb drives allowed, and the ability to burn CD's should have been limited to particular people, if it was allowed at all.

For at least a decade government agencies have been getting a failing grade when it comes to network and computer system security. The DHS has been receiving failing grades since it's creation - though I think last year for the first time it received a "D." It was one of the few sections of our government to do so. If we want to remain a real player in the world - not just in politics, but in economics, science, and technology - we have to step back and look at what we are doing. We have to honestly evaluate everything. Is this policy effective? Or does it just "look good?" Is there a more effective way? If it is effective, is it effective at the right thing? If we are trying to keep thieves from stealing data off of our networks, do our policies at least make it harder to get data off of our network, even if you are sitting on a computer inside the network perimeter?

If I am trying to keep our businesses competitive with foreign companies, are my policies doing that, or are they actually hurting the competitive capabilities of U.S. companies?

We have to look at ourselves honestly, evaluate ourselves dispassionately, and work at improving diligently if we are going to secure our networks and our borders. If we aren't willing to do that, we should fold up now.