A SECURITY BOFFIN who works at a major ISP down under gave an interesting keynote last month at a FOSS conference: "Man in the Middle" attacks and how to prevent them. In this interview, he talks security - or lack thereof - SSH encryption, hotspots, and the Next Big Thing.
One of the many keynotes running in parallel at the nice CaFeConf conference that we reported about last month was about security. Pablo Bullian heads the IT department at Sion, a small but growing ISP that thrives in a market dominated by the incumbent telcos, so he has some experience with this TCP/IP thing. Here's our chat with him.
FC: When was your wake-up call with regards to network security and the importance of encryption, and how did you end up dealing with IT security?
PB: I got interested when I first had to deal with a LAN. Knowing how it works and its structure makes you think about how vulnerable it is; starting with the basic information traffic at a hub, it is almost scary.
Later, when I started managing a LAN I had to start implementing policies for it; that was exciting, thrilling, and led me to understand many issues that as an end user you do not value. Obviously, had I never run across GNU/Linux, I don't think I'd have understood subjects related to IT security as clearly as I do now, nor would I have the tools that are a must-have for me nowadays.
FC: Speaking about 'Man-in-the-middle' attacks, would you, or do you, connect to a public hotspot without encryption?
PB: Yes, but I wouldn't use it to deal with any personal or private information; I would just use it as one does a public coffee shop terminal, to read the news or read blogs if I'm bored. These kinds of hotspots, typical in coffee shops, are too dangerous. People are not aware of these issues, which can lead to disasters. Information is too valuable and few people value it as needed.
FC: OK, so how about a hotspot with WEP?
PB: Again, I would not traffic private information with it. The algorithm used by WEP is weak, and by this I mean that given a certain number of packets (around 250,000 or more) you can begin guessing, by applying math and statistics, what the shared encryption key is. Obtaining that key, we can begin sniffing all the traffic running through it (we must think of hotspots as big hubs; they have no policies like switches to route traffic), and all this without even having to apply Man-in-the-Middle (MiM) attacks.
FC: Are you confident that WPA2 won't be cracked as happened to WEP?
PB: My first rule in IT, so to speak, is that nothing is totally safe. Actually there are no reliable mechanisms to break this encryption, but that doesn't mean it couldn't be compromised in the future. The key here is implementation. Besides, for instance, if we have APs which suffer from other security vulnerabilities, you won't need to attack the wireless encryption; you could access the data flowing from it by exploiting other security holes.
FC: What is your approach to prevent MiM attacks?
PB: It depends on the design of the network we're in charge of; according to that design we can or cannot apply certain policies. In the best scenario, where the network is "static", and by static I mean the number of clients or servers exchanging information, the key is establishing and having good control of static routes in clients and servers, having good control of and manually checking the certificates on every one of the terminals we connect with, and finally having a good packet sniffer or IDS like Snort to control possible attacks.
We should not forget also, in the case of SSH, that the connections are "two-way", that is, the attack can come from either of the two ends of the connection, the client or the server. It's very important to have a clear understanding of the environment we are dealing with and what we can or cannot do on it, security-wise.
FC: Is SSH secure enough?
PB: Actually, SSH is the best we have when it comes to security. An important rule is to only use SSH version two. SSH version one has many vulnerabilities and is subject to MiM attacks which can compromise all the information flowing through it. Security is, as Einstein would put it, relative. It's relative depending on how we apply SSH connections, what security parameters we apply to each connection. Security is given by us, the users and admins.
FC: I personally choose Blowfish encryption for my SSH connections, as I found it less CPU-intensive than other algorithms; should I worry about the security of it?
PB: The kind of attack used in a MiM scheme is a bit independent from the encryption cipher we choose; by using a private key (single, shared), there's always the chance there's an attack. The key here, pardon the redundancy, is key administration: we have to keep track of changes, as in most attacks the human factor is fundamental.
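The manual host-key checking and change tracking that Bullian describes for SSH (in the MiM and key-administration answers above) can be scripted. The following is an added example, not code from the interview or from Sion: it parses a constructed known_hosts file, computes OpenSSH-style SHA256 fingerprints, and flags a host whose presented key differs from the stored one, which is the signal a client should treat as a possible MiM rather than click through. The hostnames and key bytes are constructed samples.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data

def encode_key_blob(key_type: str, raw_key: bytes) -> str:
    """Build the base64 public-key blob as it appears in known_hosts (type string + key string)."""
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(raw_key)).decode()

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the decoded blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map each hostname/address to (key_type, blob); comments and blank lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed entry, ignore rather than trust
        for name in parts[0].split(","):
            hosts[name] = (parts[1], parts[2])
    return hosts

def check_host_key(known_hosts: dict, host: str, key_type: str, blob: str, pinned=None) -> str:
    """Classify a presented host key: 'ok', 'unknown', 'changed' or 'pinned-mismatch'.
    'pinned' is a fingerprint obtained out of band (the manual check); it wins over known_hosts."""
    if pinned is not None and fingerprint(blob) != pinned:
        return "pinned-mismatch"
    stored = known_hosts.get(host)
    if stored is None:
        return "unknown"        # first contact: verify the fingerprint before accepting
    if stored != (key_type, blob):
        return "changed"        # stored key differs: possible MiM, do not connect
    return "ok"

# Constructed sample keys (deterministic filler bytes, not real host keys).
GOOD_KEY = encode_key_blob("ssh-ed25519", bytes(range(32)))
ROGUE_KEY = encode_key_blob("ssh-ed25519", bytes(range(32, 64)))
KNOWN_HOSTS = "# constructed sample known_hosts\nshell.example.net,203.0.113.10 ssh-ed25519 " + GOOD_KEY + "\n"
```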
FC: Would you personally use a wireless broadband link, say, WiMAX, for your daily residential connectivity?
PB: I work a lot from home, and I deal with high security environments, so today I would not trust my connections to a wireless technology that is new and still not mature. In the long run, this could improve.
Don't get me wrong, wireless connectivity is a great advance, but the number of security vulnerabilities we find daily is very high. Due to my usage patterns, I'd choose a more traditional (wired) connection.
FC: Are you happy with your move towards open source software? Is it "good enough"?
PB: I love the Free Software movement; its philosophy when it comes to disclosure and peer review is very important. Especially on the issue of security, Free and Open Source Software (FOSS) gives me much more trust than any other commercial "black box"; its flexibility is paramount.
FC: So what's next for you, what's the next challenge?
PB: Right now, wireless security is the next big thing. It's a great challenge in terms of security. Being a relatively new technology, we find great challenges in implementing security in a wireless environment, but this also brings the opportunity to develop creative solutions to these challenges. µ
This guy seems a bit green.
And no mention of AEGIS?
PB: I work a lot form home --> I work a lot FORM home.