I came across two stories recently that made me wonder what the outcome would be if they were seen in parallel. The first, reported by Wired.com, showed how, despite being repeatedly told about the importance of security, people seem to block these warnings out and consciously, out of convenience, choose insecure practices.
The second, reported on the CloudCracker Blog, deals with a fundamental insecurity in the MS-ChapV2 Protocol. In a nutshell, this report shows how a 2138 challenge can be reduced to a 257 challenge. This essentially means that a brute force attack using specialized hardware can break any MS-ChapV2 password in less than 23 hours.
If you take people’s attitudes towards security in the first story as a baseline, I wonder how many people who could be affected by this discovery will simply ignore it and the implications because it is too much of an inconvenience to migrate to a new solution. I am confident that this will happen; after all MS-ChapV2 has been criticised in the past, even industry giants like Bruce Schneier.
This is not the first time an established standard has been compromised, to the point that using it became a huge security risk. When looking for an open wireless connection to use, for example, many people are still using WEP to protect their wireless network. It takes less than one minute to crack WEP.
Anyone can just sit in their car, crack the WEP and connect their device to that network. They can subsequently sniff any traffic, which may include sensitive data such as credentials. If the victim uses the same login and password for different accounts, this will give the hacker access to the victim’s machine and do what s/he wants – install key loggers, malware and dozens of other nasty stuff.
Why does this happen? As the feature in Wired.com explains, we become complacent because until nothing happens, everything is just fine. Unfortunately, when one day something does happen it will be too late to take action.
It might take a lot of work to migrate legacy systems to modern technologies but that’s a lot more desirable then having to deal with the repercussions of a security breach or widespread infection. If you ever hear that a security system you use has been compromised, take notice and proactively find an alternative as soon as you can. Do not try to convince yourself that it is worth waiting a little to see how things will pan out. Cliché or not, ‘prevention is better than cure’ – if a cure is ever possible!