Is Your Office WiFi Security Vulnerable to Hacking? How?

  • 3

office wifi password hackingA recent article in Ars Technica rekindled a healthy nerve with many professionals and business owners regarding general password and office WiFi security… 

Passwords are the keys that secure virtually everything nowadays. Use a weak password and the outcome could be disastrous.  And one of the areas where passwords are the weakest are the standard issue office and home WiFi networks now universally ubiquitous.

 office wifi security alertRelatedly, at our Cloud Summit last November, K2’s Randy Johnston stressed the increased importance of stronger passwords and passwording our smart phones and tablets as well.

Earlier this month Cloud9 execs attended the ABA Tech conference and one of the more provocative presentations was that of John Simek, VP at Sensei Enterprises, who demonstrated the relative ease of cracking most office WiFi security using a $99 device called the Pineapple Mark IV to identify local WiFi networks and their weaknesses.

 hacking wifi security with pinappleAs reported in ABA Journal, Simek noted that, using the device at home, he was able to track Internet activities of his neighbor who works for a security firm hired by the federal government.  The Pineapple (available from HakShop) is ostensibly being marketed for “penetration testing” on office WiFi security (no questions asked).

Most WiFi networks are protected by either WPA or WPA2 security protocols. 

“In theory, these protections prevent hackers and other unauthorized people from accessing wireless networks or even viewing traffic sent over them, but only when end users choose strong passwords. I was curious how easy it would be to crack these passcodes using the advanced hardware menus and techniques that have become readily available over the past five years. What I found wasn’t encouraging,” writes Dan Goodin at Ars Technica.

The Good News About Office WiFi Security

The good news is that WPA and WPA2 use very intense password-storage protocol that greatly reduces the speed of automated cracking programs.  By using the PBKDF2 key derivation function along with 4,096 iterations of the SHA1 cryptographic hashing algorithm, attacks that took minutes to run against the recent LinkedIn and eHarmony password dumps of last year would require weeks or even months to complete against such WiFi encryption scheme.

Further, WPA and WPA2 passwords require a minimum of 8 characters, removing the possibility that users will choose shorter passphrases that could be brute-forced in reasonably short timeframes. WPA and WPA2 also use a network’s SSID, preventing garden-variety hackers from using pre-computed tables to crack the coding.

The Bad News About Office WiFi Security

The bad news is that office WiFi security password cracks can still be accomplished with relative ease on many if not most home, small business and professional practice networks.

The first step is to capture the “four-way handshake,” a cryptographic process a device uses to validate itself to a wireless access point and vice versa. This handshake takes place behind a cryptographic veil that simply cannot be pierced. But there’s nothing stopping a hacker from capturing the packets that are transmitted during the process and then seeing if a given password will complete the transaction. 

To capture the working handshake, a hacker’s target network, once identified by the Pineapple, must be monitored while an authorized device is validating itself to the network node. 

Wifi Office Hacking made easyThis requirement may sound daunting, considering that many of our office devices stay connected to the office (or home) WiFi around the clock. But that’s easy to get around, Goodin points out, by sending out a ‘deauthorization signal packet’ – devices that encounter the deauthorization signal will promptly drop and then rejoin the network, and that’s when the handshake is captured. The deauthorization packet can be generated by a device like ‘Silica,’ a wireless risk assessment tool sold by Immunity.

After the handshake is acquired a cyber sneak can then upload the resultant datafile to CloudCracker, an SaaS website that charges $17 to check the raw handshake for a WiFi password against 600+ million possible passwords. If even more semantic firepower is needed, for an extra $34 there is an additional 1.2 billion password enhancement.

“With less than two hours practice, I was able to do just that and crack the dummy passwords “secretpassword” and “tobeornottobe” I had chosen to protect my test-target networks,” adds Goodin.

And what typically gets taken when a professional practice gets their network hacked? According to a report from a law practice that received FBI notice of breach, “They had all of our client files.”

An Immediate Solution for Super Increased Office WiFi Security

So, what to do?  Use stronger passwords, of course.  Besides changing your WiFi password every few months or so and NOT using ANY 10-digit phone numbers, WPA allows for passwords with up to 63 characters.

One easy secure approach is to string together five or six randomly chosen words, like “orangecrackerpickleeaterpushover” (32 characters)* – simple enough to remember and repeat but very hard to crack, even for the 1.8 billion word CloudCracker.

*(27 to the 32nd power or 6 followed by 51 zeros)

So, ‘get cracking’ yourself and shore up your WiFi achilles heel now, before its too late!


Remember us, Cloud9 Real Time was chosen by more accountants polled as best cloud platform for the accounting industry.  In 2012 Cloud9 won more industry awards than all of its competitors combined.  Get a demo or take a 7 day test drive and find out what all the excitement is about!
—————
wifi office hackingD. Marcus Keith is a partner in ADMAX, a local and national; “Internet Marketing Optimization” agency that has been performing SEO-related services for Cloud9 Real Time since 2009.

AUTHOR

D. Marcus Keith

All stories by: D. Marcus Keith
7 comments
  • Gail Houston

    The Wi-Fi Alliance recommends that users of wireless networks exercise the same level of caution they've learned to use to avoid scams in the wired world. End users should change their passwords regularly, not respond to questionable e-mails, and look for secure connections. As Wi-Fi continues to grow in reach and popularity, consumers need to make some new simple security precautions a habit, like connecting through a provider that uses encryption with a list of trusted hotspots, using a VPN, and always enabling security within a home network. Also, users should make it a point to look for products that are Wi-Fi CERTIFIED for or WPA2 security.

  • Keisha Q. Case

    From the start, wireless routers and access networks have their security settings turned off, according to ITWorld, so it is important for people to to enable internet security on these devices before starting to heavily use them.One development in recent years as a major Wi-Fi security threat is tools that allow people to eavesdrop and steal passwords from wireless networks. The website said this isn't something to be concerned about with home networks, but business Wi-Fi networks should look to guard with enterprise internet security tools. The website also said to be sure to use strong passwords at all times."Your WPA and WPA2 passwords are susceptible to brute-force dictionary-based cracking (basically, where hackers guess your password using software tools that repeatedly guess)," the website said. " If your router's password is a word listed in the dictionary–or something close to such a word–it's highly vulnerable to cracking. Use a long passphrase (one of at least 13 characters and as many as 63 characters) with mixed case and random letters, numbers, and other ASCII characters."PCWorld said the first wave of protection for wireless networks is encryption, with other internet security precautions including firewalls and antivirus software to keep these networks safe.

  • Laurel Avery

    Our wireless internet security service creates a shield around your laptop, desktop or handheld. This prevents criminals from attacking or scanning the system from the local network that you're using to connect to the Internet. It also encrypts all traffic destined for the Internet. Web site addresses, instant messaging, personal information, plain text usernames and passwords and other important information can be broadcast in the clear when using publicly accessible wireless Internet connections. Cyber criminals can easily intercept these broadcasts.

  • Trey Brock

    In general, the longer the password the longer it will take someone to find it using password-cracking programs. Use words that aren’t in the dictionary and that contain combinations of lower-case and upper-case letters, numbers and special characters. And change them if you have any reason to suspect they might have been violated, such as by a keystroke-capture program. (Most businesses require changing things like email passwords regularly.) If you are curious to see how easily your password can be cracked, check out tools like @Stake LC4 or Cain & Abel .

  • Kari T. Dodson

    When using public WiFi hot spots there are several additional security precautions you should keep in mind. From safe shopping to password grabbing, learn how to keep your public WiFi experiences safe and rewarding [ More Info ].

Leave a Reply