Secure Coding mailing list archives
Question about the terms "encypt" and "secure"
From: gem at cigital.com (Gary McGraw)
Date: Mon, 6 Mar 2006 08:42:01 -0500
This is a very good question and is worth a careful answer. For most "off the shelf" users and press people, "securing" and "encrypting traffic on" do amount to the same thing when it comes to wireless networks. In this case, the encryption they turn on is hopefully WPA and not WEP. Early versions of 802.11b were not secure even when WEP was enabled. (Possibly the most interesting invasion of privacy around that problem was the X10 camera interception attack: http://www.g4tv.com/techtvvault/features/36722/Cracking_X10_Cams.html). The problem was a serious design flaw in WEP itself...that's the kind of stuff we all talk about here. Google up Avi Rubin's WEP crack work. But turning the security feature "on" may not be enough to really secure a wireless installation. Some people go to great lengths to re-key often, hardwire MAC addresses, etc to protect their wireless networks. It all depends on what you use your wireless net for. My wireless net is completely open out at my house. But the nearest neighbor is 1/2 a mile away. For someone to steal my signal without investing in a more powerful antenna, they would be very much visible from the house. (BTW, this is not an invitation to come borrow my wireless net bruce!) There are a number of good books on wireless security. The one I recommend most highly is Bill Arbaugh's book http://www.amazon.com/gp/product/0321136209/qid=1141652351/sr=1-2/ref=sr _1_2/102-4633854-8331342?s=books&v=glance&n=283155. I am also a fan of Bruce Potter's book http://www.amazon.com/gp/product/0596100523/ref=pd_bxgy_img_b/102-463385 4-8331342?%5Fencoding=UTF8. For the purposes of this list, we use the term "securing" to mean "designing and implementing properly"...sometimes with the additional implied "oh yeah and installing and operating properly too." As Mike Howard says pithily, "software security is not security software." gem www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ----------------------------------------------------------------------------
Current thread:
- Question about the terms "encypt" and "secure" William L. Anderson (Mar 05)
- Question about the terms "encypt" and "secure" ljknews (Mar 06)
- Question about the terms "encypt" and "secure" Steven M. Bellovin (Mar 06)
- <Possible follow-ups>
- Question about the terms "encypt" and "secure" Gary McGraw (Mar 06)
- Question about the terms "encypt" and "secure" Jeremy Epstein (Mar 06)
- Question about the terms "encypt" and "secure" ljknews (Mar 06)
- Question about the terms "encypt" and "secure" Wachdorf, Daniel R (Mar 06)