Eircom And Security – They Still Don’t Get It
Filed Under Computers & Tech, Security on October 22, 2007 at 11:43 pm
The letters which Eircom promised to send out to users to inform them of the security flaw I described previously have started arriving and one of the boards.ie users was good enough to post a scan on his website. In this post I’m just going to go through some of the choice bits of this letter and rip them apart. I really wish Eircom had made a competent reply so this wouldn’t be necessary, but sadly it really is. They still don’t get security and seem more interested in glossing over the problems rather than addressing them.
“The security standard is called Wired Equivalent Privacy (WEP) and is a global standard for this type of technology and provides customers with an uncomplicated and easy-to-use level of security.”
WEP is a deprecated standard. It is obsolete. It is fundamentally flawed and provides no actual security, just the illusion of security. WEP networks can be cracked in a matter of minutes. You don’t have to take my word for it: Steve Gibson addresses the problems with WEP in a number of episodes of the Security Now podcast. Particularly relevant is episode 108. Here’s a choice quote:
“Now WEP is so badly broken that someone with the latest WEP cracking tools, which are, again, freely downloadable and available on the Internet, it takes them about a minute to crack the WEP key on a WEP-encrypted network. Only WPA is safe. And any version of WPA is safe enough.”
It should also be noted that the Netopias come with WPA, and that WPA is no more difficult to set up on anything but obsolete machines (I define obsolete as any OS that is no longer supported or which is dramatically un-patched). In fact, under the hood WPA is just WEP with the fatal flaws taken out. It’s the same basic maths going on. WPA was created as the natural successor to WEP, which was known to be flawed.
A more honest though less flattering paragraph might go something like:
“We continue to use WEP because it’s easy for us. However, WEP is obsolete and actually provides almost no security. You really should change to WPA, as indeed we should have done ages ago.”
OK, let’s continue further down the letter from Eircom:
“This is the same method of security provided for other international operators using Netopia modems.”
So what? It’s OK for Eircom to provide rubbish security because other companies do too? That just looks like ass-covering to me. “Don’t blame us, we were just blindly following the others”. That’s no excuse in my book. Anyhow, let’s continue:
“The wireless access security issue makes it possible for a person with an advanced working knowledge of encryption and coding techniques to illegally access an Eircom customer’s Internet connection”
This statement is technically true, a person with advanced knowledge can indeed do this, BUT SO CAN SOMEONE WITH NO KNOWLEDGE. Eircom are misleading their customers here. It is possible that they did so out of ignorance but I find that very hard to believe. This information is out there. I have seen web-based versions of this program where you just enter the Eircom SSID of a network and it spits out the default WEP key. This does not take any kind of advanced knowledge. Best-case, Eircom are out of touch with what’s going on, which is not good enough in my book, or worst-case they are trying to make themselves look better by intentionally misleading their customers, which is totally unacceptable. However, why the letter is misleading is not important; the key point is that it is. This makes people feel safer than they are.
Eircom then compound things by reinforcing the false sense of security many of their customers probably have:
“However, when a customer generates their own unique WEP key or password and does not use the default setting, this security risk is removed.”
This would lead users to falsely assume that they are safe because they have changed their WEP key. It does not mention the fundamental flaws in WEP, or the fact that to actually get a reasonable level of security you should change to WPA, use a LONG passphrase, and set a password on your router.
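An added example, not part of the original post: how WPA-PSK turns a passphrase and the network's SSID into the actual key, together with a generator and a check for long passphrases. The function names, the 30-character floor and the SSIDs are assumptions made for this illustration.

```python
import hashlib
import math
import secrets
import string

# Letters and digits only: easy to type on any client, ~5.95 bits per character.
ALPHABET = string.ascii_letters + string.digits
MIN_LEN = 30  # assumed policy floor for this example, not a value from the standard


def check_passphrase(passphrase: str) -> list[str]:
    """Return a list of problems; an empty list means the passphrase is acceptable."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA-PSK passphrases must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII is allowed")
    if len(passphrase) < MIN_LEN:
        problems.append(f"shorter than the {MIN_LEN}-character policy floor")
    return problems


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit WPA pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def new_passphrase(length: int = 40) -> str:
    """Generate a random passphrase from a CSPRNG."""
    if not MIN_LEN <= length <= 63:
        raise ValueError("length must be between MIN_LEN and 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length: int) -> float:
    """Entropy of a passphrase drawn uniformly from ALPHABET."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    pw = new_passphrase()
    print(pw, f"({random_entropy_bits(len(pw)):.0f} bits)")
    # Same passphrase, different SSID (constructed names) -> different key.
    print(derive_psk(pw, "home-net-a").hex())
    print(derive_psk(pw, "home-net-b").hex())
    print(check_passphrase("password"))  # flagged: below the policy floor
```

Because the SSID is the salt, a key derived for one network name is useless on another, and the only secret in the whole derivation is the passphrase, which is why its length matters.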
The Eircom letter then blunders on into some totally hollow-sounding platitudes about how they take security very seriously:
“In light of recent reports in the media we would like to take this opportunity to reassure our Broadband customers that eircom takes all issues relating to the security of its products and services very seriously. It is our absolute priority to help our customers minimise any wireless security risks on their broadband connection.”
I find the last sentence in particular nothing short of insulting. Actions speak louder than words, and from their actions it is clear that Eircom still don’t get security. Were it to really be a priority they would educate themselves on the realities of WEP and on the importance of setting a password on your router, and then pass this knowledge on to their customers. Rather than doing this, Eircom continue to push WEP on their users and tell them it is secure. I see that as nothing short of an outrage.
Bart, you have to remember that 90% of Eircom’s users know nothing about computers; all they want to do is check e-mail and surf the web. So they have to make it as easy as possible.
Also WPA is only a little easier to crack than WEP, so the best security is no security. Eircom want to keep their customers; they don’t want to frighten them away.
Mach,
Firstly WPA _IS_ a lot better than WEP _IF_ people set a long pass-phrase (over 30 characters). As for WEP being easier than WPA, how? The procedure is exactly the same! Enter a key on the router, enter the same key on each client. How exactly does that make WEP easier?
Eircom’s current setup tool (the flawed one) happens to set up WEP so that makes WEP appear easier, were it to use WPA then WPA would seem easier.
Bart.
Bart.
…and so it came to pass, after having ignored all the warnings and displaying total ignorance of effective security practices, Eircom has now left its customers exposed and those customers are now having their routers and computers piggybacked and used as spam transmitters and for other illegal internet activities while they sleep in their beds!!!!!
Hardened security products like Cisco’s ASA 5520 with Trend Micro are tapping into the QIl short term IP blocking list which lists 100’s of Eircom users as potential threats.
The net effect of this is that these Eircom customers will have their e-mail dumped by compliant businesses who do not want to receive spam or other security vulnerabilities into their networks.
It’s happening now !!!!!!!!!