November 29, 2008

Wireless WPA Encryption Component Hacked -- How to Protect Yourself

Beware, security researchers have discovered a way to do a partial hack of some wireless networks using WPA (Wi-Fi Protected Access). WPA is used by many to encrypt and secure their wireless networks. I first read about this announcement a few weeks ago, and preferred to wait until after the findings were published for confirmation. ARS Technica has an excellent and balanced article, "Battered, But Not Broken: Understanding the WPA Crack", describing the hack, and the researchers published their paper online.

There's a lot of FUD (Fear, Uncertainty & Doubt) floating around on this, so I decided to add my perspective and tips for legal professionals. The sky isn't falling. It's important to understand that WPA itself hasn't been cracked, just one of the algorithms used with it, known as TKIP (Temporal Key Integrity Protocol). If you're using AES (Advanced Encryption Standard) encryption with WPA, you're still safe. If you're still using WPA with TKIP, you just need to make a simple change in your wireless router and any wireless device that connects to it, such as your laptop. I've posted an example below on how to change the settings in a Linksys router.

Basically, if you have your wireless router configured to use WPA with TKIP, your wireless network is now vulnerable over that connection. One of the researchers, Erik Tews, stated that for routers using WPA with TKIP, he can access and manipulate the network traffic being sent from your wireless router. While they're not yet able to break the TKIP keys, it's still serious. Supposedly, the traffic sent from your PC back to the router is still safe, but now it's probably only a matter of time before that gets compromised as well.

What Should You Do?

I'll try to keep the jargon to a minimum, but need to mention a few acronyms throughout because that's what you'll see in your router and laptop options. Keep these guidelines in mind:

  • First, using any encrypted network is better than a non-encrypted network, even if it only stops the casual or amateur snoops in the area.

  • Use a long and strong passphrase for your encryption key -- at least 20 characters with a mix of upper- and lower-case letters, numbers, and symbols.

  • Keep in mind that cheap and home-made wireless antennas can access your wireless signal even a mile away.

  • Never, ever use WEP (Wired Equivalent Privacy) if you have a better choice -- WEP has been cracked for years now and is considered very insecure.
That leaves us two categories of WPA (Wi-Fi Protected Access) security to select for your wireless connection:
  1. WPA (think of it as WPA1) and

  2. WPA2, which is more secure than WPA.
Most Importantly: Regardless of the version of WPA you have available, use AES instead of TKIP, preferably with WPA2. If you have it, it should be selectable in your wireless router's configuration screen. You'll need to log into your router, typically via your web browser, to change this. As for where to change the settings, here's an example from a Linksys router:

The Best Choice You Can Make At Home Currently Is Using WPA2 With AES

AES encryption is used by the U.S. government, as it's considered much more difficult to crack. If your wireless router doesn't support WPA2 (i.e., doesn't have it listed), then you probably need a firmware update from the manufacturer, which you can usually download from their web site. If your router is too old that it doesn't have WPA2 and there isn't a firmware upgrade for it, then it's probably time to buy a new router. I'd suggest buying one of the new "n" routers for better speed and coverage, as new laptops have been coming out with "n"-capable wireless cards for well over a year. While "g" routers are still very usable, 802.11n is the platform to use going forward if you need to upgrade.

Also, you may need to configure all of your wireless network devices (PC's, wireless printers, BlackBerries, etc.) to use WPA2 if available in their setup options. Windows Vista supports WPA2 out of the box, whereas you'll likely need a patch for Windows XP (see the end of this post for details). I've found my new HP wireless printer and BlackBerry Curve also both support WPA2. If you have some devices or PCs that cannot use WPA2, then you'll need to use WPA for all of them, including your wireless router.

Why Some Sources Reported WPA Was Hacked

It's a matter of semantics. In many wireless routers, WPA comes with two types of encryption algorithms, TKIP and AES. It's important to know that TKIP was only intended as an interim industry solution until they could come up with something better (AES encryption). I explained this back in 2004, when I published my "Wireless Networking Best Practices: Version 2.0" on this blog:

Due to the relative ease in which WEP (Wired Equivalent Privacy) is cracked, WPA (Wi-Fi Protected Access) is vastly preferred. For home use, most people will want to enable WPA Pre-shared Key (WPA-PSK) and use a long key name with a mix of upper and lower case letters, numbers, and odd characters (such as ~!@#$%^&*).

For the WPA Algorithm, at a minimum choose TKIP (Temporal Key Integrity Protocol). Better yet, use AES (Advanced Encryption Standard) if your router, Wi-Fi card, and software support it. TKIP is an interim industry solution, but it adds the ability to automatically generate new keys at preset intervals. (...) Again, AES is the stronger encryption method that the wireless networking industry is moving toward. If you have it, use it. (emphasis added)

That advice still holds true today, just with the added suggestion to use the newer WPA2 if available to provide more security, and practically, to buy you more time as less secure options continue to be hacked. Consider that it's taken a number of years for researchers to find a crack in WPA-TKIP's armor. Like WEP, don't use WPA with TKIP if you have a better option. Keep in mind that home users will likely want to select the WPA2 Personal (aka "WPA2-PSK" or "WPA2 Pre-shared Key") option, while enterprises will use simply "WPA2". The main difference is that the "Personal" or "Pre-shared Key" options require you to enter the passphrase (the pre-shared key) into each device that needs to connect to your wireless network.

Adding Some Perspective

Again, keep in mind the sky is not falling. While serious, this is a limited hack. It's far better to use some level of encryption than nothing, since the latter leaves your wireless network wide open. Use the most secure option available to you. If you do any work from home, I'm sure your employer will appreciate it as well.

Consider this from the ARS Technica article:

Don't hyperventilate yet; you're (mostly) safe
Now let's back up a little. The early coverage of this crack indicated that TKIP keys were broken. They are not. "We only have a single keystream; we do not recover the keys used for encryption in generating the keystream," Tews said.

To describe the attack succinctly, it's a method of decrypting and arbitrarily and successfully re-encrypting and re-injecting short packets on networks that have devices using TKIP. That's a very critical distinction; this is a serious attack, and the first real flaw in TKIP that's been found and exploited. But it's still a subset of a true key crack.

Tews pointed out that "if you used security features just for preventing other people from using your bandwidth, you are perfectly safe," which is the case for most home users. Someone can't use this attack to break into a home or corporate network, nor decipher all the data that passes.


So WPA isn't broken, it turns out, and TKIP remains mostly intact. But this exploit based on integrity and checksums should argue for a fast migration to AES-only WiFi networks for businesses who want to keep themselves secure against further research in this area-research already planned by Tews and Beck. And now that these two have opened the door, WPA will certainly become subject to even closer scrutiny by thousands of others interested in this space: black-, gray-, and white-hatted.

With all that said, if you have the option of using AES instead of TKIP, use AES. If nothing else, you'll sleep better knowing you're using the most secure encryption currently available.

For those of you still running Windows XP: You might not see the option for WPA2 in your wireless client settings. A while back, Microsoft released a patch to add the WPA2 protocol to XP's wireless settings. Please note this patch is only for 32-bit versions of XP running SP2 (Service Pack 2). While I've successfully installed this patch on several PCs, I always recommend performing a full backup of your system using a drive imaging tool such as Norton Ghost. I also recommend creating a "restore point" in XP as a precaution before installing any patch. While this patch installed just fine for me, I take no responsibility for it or any resulting consequences as it is a Microsoft patch. I'm merely pointing you to it as a resource. Let's be safe out there.

Topic(s):   Privacy & Security  |  Trick or Treat
Posted by Jeff Beard   |   Permalink

November 01, 2008

E-Discovery Career Choices: Know the Operational Differences Between Corporate Departments & Law Firms (& Vendors Too!)

Deena Coffman, Discovery Director at Johnson & Johnson, offers a comparison for E-Discovery staff between large corporate law departments and law firms. I've read these types of articles before, which usually focus on the pros and cons of the positions and other likely fodder. However, Deena presents candidates with much-needed insight into both the stark and subtle differences between corporate legal and law firm approaches to evaluating projects, investments, and managing careers. While this isn't a "grass is greener" article per se, I'd say the "Your Agenda" section at the end tends to pitch the corporate side's benefits a bit more, which leads me to perceive this as a recruiting vehicle.

With that aside, she puts forth a fairly straightforward comparison of how both types of organizations operate, consider project proposals, manage headcount and workload, and the types of experience one would obtain at each. She did a superb job of describing the difference in how corporate legal departments are often perceived across a company (as opposed to law firm practice groups), and discussing the more subtle effects of political capital.

I too have had career-enhancing experiences with both a Fortune 50 legal department and a large national law firm. For E-Discovery professionals evaluating their career choices, it is a rare "deep look" that candidates considering their futures should definitely read. Here's the money quote:

Work life in corporations and law firms affords advantages and disadvantages. To make the best choice for you, understand how those advantages and disadvantages align with your personality, goals and motivations. It is analogous to matching a boat with a captain. The speedboat captain does not want to carry cargo. Rather, he or she is focused on moving simply and quickly through a clear course. The freightliner captain appreciates that with patience and time, he or she can deliver enormous results.

Be sure you are boarding the right ship to get to your destination.

I'll add that the article is incomplete in one key respect: A very good and satisfying personal and professional life can also be obtained outside law firms and corporate law departments. There are numerous E-Discovery service providers, software developers, and consultancies to consider, as well as starting your own. I have many friends and colleagues who, after evaluating all their options, chose one of these paths. These organizations tend to be more nimble than either law firms or corporations, and provide the opportunity to gain a wide range of experience across many clients in a rather short period of time. Even with the competitiveness of this market, or perhaps in spite of it, there is a sense of collegiality that cannot be easily discounted.

This isn't to say one of the above choices is inherently better or preferred over the other. I heartily agree with Deena -- it helps to know what kind of captain you are, so you can choose the right boat for you. Even in these turbulent economic times, there are more boats and harbors than one may initially realize.

Topic(s):   Electronic Discovery
Posted by Jeff Beard   |   Permalink