Secure Coding mailing list archives

Question about the terms "encrypt" and "secure"


From: gem at cigital.com (Gary McGraw)
Date: Mon, 6 Mar 2006 08:42:01 -0500

This is a very good question and is worth a careful answer.

For most "off the shelf" users and press people, "securing" and
"encrypting traffic on" do amount to the same thing when it comes to
wireless networks.  In this case, the encryption they turn on is
hopefully WPA and not WEP.  Early versions of 802.11b were not secure
even when WEP was enabled.  (Possibly the most interesting invasion of
privacy around that problem was the X10 camera interception attack:
http://www.g4tv.com/techtvvault/features/36722/Cracking_X10_Cams.html).
The problem was a serious design flaw in WEP itself...that's the kind of
stuff we all talk about here.  Google up Avi Rubin's WEP crack work.

But turning the security feature "on" may not be enough to really secure
a wireless installation.  Some people go to great lengths to re-key
often, hardwire MAC addresses, etc. to protect their wireless networks.
It all depends on what you use your wireless net for.

My wireless net is completely open out at my house.  But the nearest
neighbor is 1/2 a mile away.  For someone to steal my signal without
investing in a more powerful antenna, they would be very much visible
from the house.  (BTW, this is not an invitation to come borrow my
wireless net, Bruce!)

There are a number of good books on wireless security.  The one I
recommend most highly is Bill Arbaugh's book
http://www.amazon.com/gp/product/0321136209/qid=1141652351/sr=1-2/ref=sr_1_2/102-4633854-8331342?s=books&v=glance&n=283155.
I am also a fan of Bruce Potter's book
http://www.amazon.com/gp/product/0596100523/ref=pd_bxgy_img_b/102-4633854-8331342?%5Fencoding=UTF8.

For the purposes of this list, we use the term "securing" to mean
"designing and implementing properly"...sometimes with the additional
implied "oh yeah and installing and operating properly too."

As Mike Howard says pithily, "software security is not security
software."

gem
www.swsec.com
