Nowadays pretty much everyone uses wireless networking from your smart phone to your home and/or business networks. There are many security issues with wireless networking; the one that I see the most is security carelessness of some ISP’s contractors and installation personnel.

ISP based WEP Vulnerability:

    I have noticed from work and personal experience a preventable ISP (Internet Service Provider) based WEP vulnerability that can be prevented through security training in wireless networking on the ISP’s end of things. Some ISP’s still uses the old and unsecure version of WEP (Wired Equivalent Privacy) with an easy to crack password. Can you guess what it is? Still don’t know? Ok your phone number associated with your ISP account which when entered could be entered as an example 3105556666 or 6666555013, that’s right either, forward or backward. Your probably asking yourself, why is this insecure? Good question, the answer is simple; most if not all hackers and leecher’s know the ISP’s that use this method of a quick insecure setup and all it takes is a little cyber tracking to find out all of the phone numbers associated with that address and then try them forward and backward. If a black hat hacker gets into the router problems can occur, such as being locked out of your router, hijacked internet traffic and even network infiltration which includes any computers on that network. There is also the risk of ID Theft as well that can come from either the network infiltration or through the cyber tracking part of the attack.

What is WEP?

Wired Equivalent Privacy: WEP is a security protocol based in 64 or 128 bit encryption for your network. It was one of the first wireless encryption protocols. It is extremely unsecure, easily cracked. WEP when it first came out was the start of a great idea but since then it has been replaced by WPA which was replaced with WPA2-P2K (WPA2-Personal) and WPA2-Enterprise which are more secure than WEP. WEP can also be replaced with VPN (Virtual Private Network) and other various protocols.

ISP Responsibilities:

As for the ISP’s using this insecure but easy setup I would like to make a suggestion. Please train your technicians and contractors in cyber security techniques and procedures to prevent unwanted activity on both your clientele’s wireless networks.

I’m not sure if this has become a law yet or not as I could not find anything on it, but the ISP should be using good risk management procedures which include training their employees and as such the contractors in wireless and wired security.

An ISP’s responsibility should be to their clientele’s security and well-being but from what I have seen there are some that have chosen not to make it a priority and it shows unfortunately like an ink blot on a bright white shirt.

Security Training for ISP Personnel and Contractors:

Basic internet users that want to click and go are defiantly at risk of this vulnerability and are easily caught up in the ploy by certain ISP’s and their contractors. I ask that you the reader please do not get my words wrong; this is not a conspiracy to hurt certain ISP’s consumers but rather a lack of security training and knowledge.

This brings me to my main point of ISP’s training their field crews as well as using contractors trained in security procedures so as to secure their clienteles home and business wireless and wired networks.

    Where I live we have three main ISP’s two of which use the much more secure WPA2-PK2 encryption protocols. For these two ISP’s the encryption key is on the wireless router itself, but for the third the contractors they use don’t understand the security ideology behind the WEP, WPA, WPA2-Personal, or the WPA2-Enterprise based encryption. I have heard many stories from different clientele as well as a personal experience before I got into the security game. In all of the accounts the story is much the same as the next, what they have heard from the contractor for this ISP is that “the WEP key used is just to logon to the internet service which is why the telephone number is used”. This is true in a sense but in all reality highly unsecure, the real reason for using an encryption key such as WEP, WPA, WPA2-Personal, or WPA2-Enterprise is to keep unauthorized individuals from using your wireless signal to gain access to the internet and your network.

    I am not trying to say the ISP or its employees are evil black hat lovers but just the opposite, they are more like an average user who just wants to get up and go and not concerned about security. This is where security training for the contractor installation personnel as well as the ISP installation personnel would really pay off in the long run. First the misconception of the WEP encryption key would be stopped. Second the user could be instructed in basic wireless security procedures. Third the users home or business network would be a lot safer than it would be if the ISP was to not train their contractors and personnel.

    Why is using WEP inadvisable especially with a key as simple as the users phone number? Well WEP is one of the oldest versions of encryption for a wireless network and has since become easily cracked by both leecher’s and hackers alike. Some people may say that hackers are in it for the challenge why would they waste their time with a simple WEP crack especially if they know the ISP uses the user’s phone number? At this time I would like to welcome you to the “lifestyles of the hackers of cyber tracking”. What is cyber tracking and how can it be used to find a WEP key? Well, cyber tracking is kind of like stalking your prey in the field but instead of attacking them right off you get to learn everything about them from the public information to the very deep secrets of the users. That’s the challenge.

How to stop the Leechers!

    You may ask what are the symptoms of someone leeching off my network? The symptoms for the network can be the same as a network aware worm such as conficker, SQLslammer, IRCBots; minor to major network slowdown (this all depends on how many leeches you have connected to your wireless network), unknown IP Addresses showing up in the router logs, on rare occasions if you get too many leeches the network may crash. If you have one leech on your network it’s guaranteed that there are more around sucking the bandwidth from the network. You may be asking, why are they called leeches? The answer is simple, in swamps there are little worm like creatures called leeches that attach themselves to your skin and suck your blood, they are also used as a natural blood letting solution to get rid of an infection. As with the worm like leeches internet leeches also drain you of precious bandwidth should they attach themselves to your network. Usually a leech is an individual that wants the internet but refuses to pay for internet services. It could be a teenager up to an adult that wants to get free internet.

WEP vs. WPA2-Personal Question:

Here is a fun question for the readers of this post; I would love to see what you ladies and guys have to say about this.

If a hacker were to choose a wireless hit to gain access to a target system which one do you think they would want to hit and why?

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.