Students using Wired Equivalent Privacy, commonly known as WEP, to log onto wireless Internet are increasingly vulnerable to hackers, the FBI said recently. Although University wireless Internet users are safe because campus wireless doesn’t use WEP, Information Services administrators said, some providers still use the technology.
Dale Smith, director of network services for Information Services, said WEP, which uses secret keys to encrypt data, turned out to be less secure than intended.
“It was an early attempt to encrypt wireless signals so eavesdroppers would only see the encrypted traffic that looked like gibberish and could not actually see the network traffic,” Smith said in an e-mail.
WEP attempts to scramble original messages to make them unreadable to outside users. Some Internet Service Providers still use WEP technology. Qwest said some of their modems do use WEP technology.
Bob Gravely, Qwest spokesman for Oregon, said in an e-mail Qwest modems support a variety of security protocols, including WEP keys.
On its Web site, Qwest says WEP offers some degree of security, but the company doesn’t guarantee the privacy of transmissions made through a wireless connection.
Qwest recommends customers maintain sufficient anti-virus, anti-spyware and firewall protection, Gravely said. All are offered through Qwest High-Speed Internet. Consumers should contact their ISP to find out what kind of technology they are using.
Hackers can break into a WEP with a laptop using simple software that eavesdrops on the WEP encrypted traffic and breaks the encryption key, Smith said.
“Once you have the key, then you can decrypt any traffic,” he said.
Hackers can potentially read anything not encrypted, Smith said, including personal data sent through the Internet such as bank information. Smith said with just the encryption key, anything leaving or going to the computer via the Internet could be intercepted.
The University wireless network, which has been available on campus to University students, faculty and staff since 2000, doesn’t use WEP, Smith said.
“Our approach is to say: Wireless and wired networks are susceptible to eavesdropping, so what are we going to do about that?” Smith said. “What we do is to encrypt from end system to end system.”
Smith said all student records and payroll transactions on campus are encrypted end-to-end using web-based Secure Sockets Layer, or SSL, systems that are not susceptible to the simplistic WEP code breaking attacks.
The end-to-end system encrypts data at the origin and decrypts at the destination.
“For example, if a student uses alphamail, all transmissions from their computer to alphamail and back are encrypted with SSL web encryption whether you are wired or wireless,” Smith said.
Smith said he doesn’t recommend WEP because problems may occur when personal data goes through an access point, which is a device that sends a wireless signal to a computer.
“If that encryption was your only protection from eavesdropping, then your traffic is unencrypted on the wired network from the access point on to the destination,” Smith said.
John Kemp, senior security engineer for Information Services, said WEP protects data on a small portion of networks between the client and the access point.
Internet users should be sure they are using trusted Web sites when entering personal information, Kemp said.
He recommended updating browser software and paying attention to certificate warnings on Web sites.
FBI spokesman Paul Daymond said his office in Birmingham, Ala., recently hosted a press conference about Internet security and WEP. He said the FBI division InfraGard originally warned Internet users about the dangers of WEP.
InfraGard is an FBI program that works with the private technology companies and schools to investigate cybercrimes.
Contact the crime, health and safety reporter at [email protected]
FBI releases data security warning
Daily Emerald
May 29, 2007
0
More to Discover