The issue of wireless encryption ‘cracking’ has been in the news again recently thanks to Thomas Roth and his claim to be able to crack WPA-PSK passwords in a matter of minutes. The basic methods used are nothing new: primarily a hybrid brute force and dictionary attack, which is essentially like sitting at a computer and trying every word you can think of as the password. What was different in this case is the use of cloud computing to harness enormous processing power – enough to try 400,000 passwords per second, bringing the time needed to guess the password down considerably. This all sounds rather concerning, but is it really?
If you fit the best lock money can buy to your front door and then leave it on the latch, can you really complain when someone opens the door and burgles your house? The important thing with encryption is the complexity of the password, as the time it takes to crack a password depends very significantly upon its strength. Roth himself said “If [the password is] in a dictionary it’ll be very fast, but if you have to brute force it and it’s longer than eight characters and its complexity is okay, it’ll take a very long time.” By ‘long time’ he means years and years, and the longer the password, the longer it takes; in fact, exponentially longer.
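The arithmetic behind Roth's point, as an added example (not code from the original article): a small Python audit that rejects passphrases outside WPA's 8 to 63 character limits, flags dictionary words, and otherwise estimates the worst-case time to exhaust the keyspace at the 400,000 guesses per second quoted above. The wordlist is a constructed stand-in for a real dictionary, and sizing the keyspace from the character pools a passphrase uses is a simplifying assumption.

```python
import string

GUESSES_PER_SECOND = 400_000          # rate quoted in the article
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed sample wordlist (assumption); a real audit would load a large dictionary.
SAMPLE_WORDLIST = {"password", "welcome1", "festival", "pressroom", "event2011"}

# Character pools an attacker would have to cover for a given passphrase.
POOLS = [string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation + " "]


def charset_size(psk):
    """Combined size of every pool the passphrase draws at least one character from."""
    return sum(len(pool) for pool in POOLS if any(c in pool for c in psk))


def years_to_exhaust(psk, rate=GUESSES_PER_SECOND):
    """Worst-case years to try every passphrase of this length over this charset."""
    return charset_size(psk) ** len(psk) / rate / SECONDS_PER_YEAR


def audit_psk(psk):
    """Classify a candidate pre-shared key as invalid, weak or ok, with the reason."""
    if not 8 <= len(psk) <= 63:
        return "invalid: WPA passphrases must be 8 to 63 characters"
    if psk.lower() in SAMPLE_WORDLIST:
        return "weak: dictionary word, found almost immediately"
    years = years_to_exhaust(psk)
    if years < 1:
        return f"weak: keyspace exhausted in about {years * 365:.1f} days"
    return f"ok: about {years:.3g} years to exhaust the keyspace"


if __name__ == "__main__":
    # Constructed candidates: dictionary word, digits only, 8 lowercase, 12 mixed.
    for candidate in ["festival", "12345678", "qzxjvkwp", "Xk7#qLm2!vRt"]:
        print(f"{candidate!r:16} {audit_psk(candidate)}")
    # Each extra lowercase letter multiplies the worst-case time by 26.
    for length in range(8, 13):
        print(length, f"{years_to_exhaust('a' * length):.3g} years")
```

Eight random lowercase letters last only about six days at this rate, while each additional character multiplies the time by the size of the character set.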
So, nothing to worry about then? Well, not quite, when you consider the way WPA-PSK is often used. The clue is in the name – PSK stands for Pre-Shared Key – and, as it suggests, the key is shared between all users. At a typical event site where organisers, press and crew require a ‘secure’ wireless network, WPA-PSK will often be used, but it’s often not as secure as intended, for two reasons.
Firstly, the password or key is given to many people, and it only takes one person to release the password into the wild for the whole network to be compromised. Once compromised, the only way to secure the network again is to change the shared password, which means all users need to be notified of the new key: not very practical in the middle of an event.
The second issue is that, because the password is shared between many people, a short, easy-to-remember one is generally used, opening up the network to the type of attack described above. Visit many media centres, event HQs etc. and you will see the network password printed on A4 pieces of paper stuck to the wall.
Network security is often seen as a hassle, and the “it won’t happen to us” mentality is common, but there are more and more reasons to take it seriously. Prior to the news about the WPA-PSK crack there was also news about a plugin for the Firefox browser that could ‘listen’ to other users’ data on a wireless network (either an open network or one where the key is known). More and more data is transmitted across the network at events, and much of it is sensitive. Yes, there are secondary mechanisms such as VPN and SSL that are used to protect some data, but often you will find file shares, websites and other data all unencrypted and open to see on the network.
We do take network security very seriously and have been offering individual user names and passwords for network access for several years. This gives us access control with a much better level of granularity, along with the ability to provide a full audit of users. For 2011 we are going a step further, and at the Event Production Show in February we will be launching an additional service known as DPSK or Dynamic Pre-Shared Key. With this service, once a user logs onto the network they are transparently given a dynamic, unique encryption key. This means that all users have a different (and very strong) encryption key, ensuring all data transmitted is well protected, and users do not need to know the key or share it with anyone. All the user needs to know is their username and password (which still needs to be ‘strong’), but if that user’s details are compromised the only impact is to that user, and that user’s account can be quickly blocked.
We understand that every event has different needs, and that aspects such as network security are a balance between risk and complexity, so we have developed a range of solutions to meet those different needs. If you are concerned about the security of your IT systems at events, then drop in for a chat at the Event Production Show or contact us for a discussion.