AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Wireless Encryption: TJX Lessons Not Learned At TimeWarner?

Remember how TJX had that massive breach?  The one that's considered to be the largest to date?  Well, it looks like not all major companies learned the lesson.  That breach came down to the data encryption used to protect wireless data transfers, and Time Warner has been caught using the same encryption standard on routers provided to customers.

The TJX Lesson - Don't Use WEP!

As mentioned above, the TJX breach occurred due to a weak wireless encryption standard used at its stores.  This encryption standard--WEP, Wired Equivalent Privacy--has been considered less than inadequate (you read that right, "inadequate"...it's that bad) since 2001.  In 2004, the IEEE declared WEP incapable of meeting any security goals.  In other words, it's useless in the year 2009.

TJX had neglected to upgrade from WEP to WPA, and has been fending off lawsuits and fines for precisely this reason.  There is no other reason.  It can be traced back directly to the use of WEP and the decision not to upgrade to WPA.

TimeWarner's Router/Modems At Issue

The issue came to light when David Chen, co-founder of pip.io, was helping a friend set up his wireless network.  He found a number of issues with the security on the router, a model that's provided by TimeWarner.

To start off, he found that the router had been crippled to provide WEP encryption only.  With a little digging he also found that access to the admin portion was disabled via JavaScript (meaning he could access it by turning JavaScript off).  And he was able to read the admin login creds when he did a data dump, because they were saved in plaintext format.

Now, I would be the first to defend TimeWarner and go after the router manufacturer.  After all, TimeWarner is not in the business of building routers.  However, from Chen's blog:

Of course I got in touch with Time Warner’s security department and warned them about the security issue but their response was simply “we are aware of it but we cannot do anything about it”.

Okay.  In other words, since it's their customers at risk, the company is willing to do nothing?  The lack of security on these routers doesn't really affect TimeWarner that much.  The risk lies with anyone using the router to connect to the internet, since the lack of adequate security means they're at risk of digital eavesdropping.

However, it looks like going public with the issue has prompted the company to act.  According to thestandard.com, TimeWarner is waiting for the manufacturer to come through with a permanent fix.

Keeping Up To Date

Remember, there is encryption and then there is encryption.  A musket and an Uzi are both firearms, but one is outdated and nearly useless in most situations.  Likewise, you've got to make sure you're using an encryption standard that can protect your data, first and foremost by not being outdated.

Currently, that standard is 128-bit AES or equivalent.  Make sure your encryption software is using the right stuff.
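
One way to act on this advice for wireless networks, as an added example that is not from the original post: a Python check that reads Wi-Fi scan results and flags networks still offering WEP or no encryption. It assumes the terse output format of `nmcli -t -f SSID,SECURITY device wifi list`; the sample scan and its SSIDs are constructed.

```python
# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# Assumed format: colon-separated fields, literal colons escaped as "\:".
SAMPLE_SCAN = r"""HomeOffice:WPA2
cable-modem-1234:WEP
Lobby\:Guest:
Warehouse:WPA1 WPA2
Lab:WPA2 WPA3
"""

def split_terse(line):
    """Split one terse-mode line on unescaped colons and undo the escaping."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, "\\"))  # keep the escaped character literally
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def rate(security):
    """Map a SECURITY field to (verdict, reason)."""
    modes = set(security.split())
    if not modes or modes == {"--"}:
        return "FAIL", "open network, no encryption"
    if "WEP" in modes:
        return "FAIL", "WEP offered, replace or reconfigure the router"
    if "WPA1" in modes:
        # Added judgment beyond the article's WEP point: WPA1 is TKIP-based, not AES-based.
        return "WARN", "legacy WPA still accepted, allow WPA2 or later only"
    return "OK", "WPA2 or later"

def audit(scan_text):
    """Return (ssid, verdict, reason) for every network in the scan output."""
    findings = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        fields = split_terse(line)
        if len(fields) != 2:
            findings.append((line, "SKIP", "unparseable line"))
            continue
        ssid, security = fields
        findings.append((ssid or "<hidden>", *rate(security)))
    return findings

if __name__ == "__main__":
    for ssid, verdict, reason in audit(SAMPLE_SCAN):
        print(f"{verdict:4} {ssid}: {reason}")
```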


Related Articles and Sites:
http://www.databreaches.net/?p=7908
http://www.thestandard.com/news/2009/10/21/gaping-security-hole-turned-64-000-time-warner-cable-modems-hacker-prey
http://chenosaurus.com/2009/10/


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.