Showing posts with label wireless. Show all posts

Olé, Olé, Olé, Oh no!

With World Cup fever sweeping most of the globe, this snippet of the Wireless SSID and password for the World Cup’s security center being accidentally exposed in the background of a media photo made me chuckle!


Trouble in transit

We've probably all done it. I have. You know you have too. Go on, admit it!
Done what, you ask? Scrounged around for some free WiFi when travelling. With data roaming costs being so high, free WiFi can be a blessing - except when it's a curse!

Here's a fun article from Tripwire highlighting how easy it can be to capture credentials from unwitting travellers at an airport and how poor the information security practices in some hotels can be.

What Nabil describes in his article about default passwords and poorly segmented networks pretty much matches some of the stuff I've seen when travelling. What makes it worse is when the place is charging a small fortune for daily internet access - where is that money going? Not on security apparently!

Long story short - don't let down your guard even when connected to 'safe' networks and VPN is your friend!

Oh and Nabil's http://www.toolswatch.org/ page is pretty cool too. Go check it out!

iOS mobile hotspots

Threatpost has an article about some researchers who have found that iOS 6 default mobile hotspot random passwords are not so random after all (there are 1,842 different words) and therefore not too hard to brute force. Additionally...

“It should be noted that all generated keys are only valid for the lifetime of a single session and that generation of those keys only relies on the PSK,” the paper said. “This implies that the security level of the whole mobile hotspot depends on the quality of the passphrase.”
The original paper "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots" is here [pdf]. The title says it all - this is a true example of Usability vs. Security, and as too often seems to be the case, security loses.

Best option - use a long, custom non-dictionary password....
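To put numbers on that advice, here is an added example (not from the paper or the original post) that derives the WPA2 master key from passphrase and SSID, the only secret input, and compares the search space of a word-list default with a long random passphrase. The 4-digit suffix, the guess rate and the sample words are assumptions made for illustration.

```python
import hashlib
import math
import re

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def default_scheme_keyspace(words: int = 1842, suffix_digits: int = 4) -> int:
    """Candidates when the passphrase is one list word plus a numeric suffix.
    1,842 is the figure quoted above; the 4-digit suffix is an assumption."""
    return words * 10 ** suffix_digits

def random_keyspace(length: int, alphabet_size: int) -> int:
    """Candidates for a passphrase of `length` symbols drawn uniformly at random."""
    return alphabet_size ** length

def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)

def hours_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    return keyspace / guesses_per_second / 3600

def fits_default_pattern(passphrase: str, wordlist: set) -> bool:
    """True if the passphrase is 'list word + digits', i.e. inside the small keyspace."""
    m = re.fullmatch(r"([a-z]+)(\d+)", passphrase)
    return bool(m) and m.group(1) in wordlist

SAMPLE_WORDS = {"harbor", "melon", "quartz"}  # constructed stand-in for the real list
ASSUMED_RATE = 50_000                         # hypothetical guesses/second, not a benchmark

def report() -> dict:
    weak = default_scheme_keyspace()
    strong = random_keyspace(16, 62)          # 16 random chars from [A-Za-z0-9]
    return {
        "default_bits": round(entropy_bits(weak), 1),
        "default_hours": round(hours_to_exhaust(weak, ASSUMED_RATE), 3),
        "custom_bits": round(entropy_bits(strong), 1),
        "custom_years": hours_to_exhaust(strong, ASSUMED_RATE) / 24 / 365,
    }

if __name__ == "__main__":
    print(wpa2_pmk("melon4821", "ExampleHotspot").hex())  # constructed inputs
    print(fits_default_pattern("melon4821", SAMPLE_WORDS))
    print(report())
```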

Cloudy Weather

The Cloud. These days it seems all-encompassing and inescapable. Perhaps we should have called it 'fog computing' as it seems to have the ability to bamboozle and confuse non-techie types with promises of milk and honey for little or no effort. While it certainly has its merits, a lack of true definition and standards shows its immaturity at present.

But even in the world of magical clouds there's a dark side, for with a greater availability of cheap computing power comes the opportunity for shady types or, in this case, researchers to use the 'power of the cloud' to crack WPA encryption. WPACracker allows you to run a 285 million word dictionary-based attack to crack WPA-PSK and ZIP file encryption. Purely for research purposes of course!

Using Clouds or 'cloud-like' constructs for crime is nothing new, as shown by the prevalence of botnets such as the massive Conficker botnet (estimated at 10-15 million hosts) or the spam-spewing Cutwail botnet that could blast out 74,000,000,000 spam messages a day (that's 51,000,000 a minute!).

While I'm on Cloud matters, I spotted a recent interesting little tidbit about personal cloud storage provider Evernote. It seems for their customers, security is an add-on extra that is only available to premium subscribers....

Apparently 'excellent security' means encrypting authentication information only with the remainder sent in the clear. Are we past the age of better security being basically a good idea or advertised as a lure for customers and it turning into a premium extra charge? I hope not.

(thanks for some of the info in the post above to a Circus contributor who must remain anonymous - you know who you are!)

In plain sight

Dark Reading has a great article on Weaponizing the iPod touch.

In short it is an article from a DefCon presentation about turning the iPod touch into a wireless network penetration tool. Although not blessed with great processor or memory capability, it does have generous storage and, with some specialized versions of tools such as tcpdump and Nmap, it can quickly become a rather stealthy headache for the corporate security guy.
While the guy (or gal!) sitting in the lobby of your building or in the carpark with a laptop out may arouse some suspicion, the same person pecking away on their iPhone or iPod touch wouldn't even warrant a second glance in most cases.

As processing power becomes more and more portable, from smarter phones and personal entertainment devices to wearable computers, ensuring that any wireless networking in your company is properly secured will become more and more crucial. Standards and configurations that may have been sufficiently secure a year or two ago will need constant review to ensure security is maintained. The wired network is far from immune from danger, as smaller and smaller devices plugged into rarely used network ports in conference rooms or unused offices can be used to sniff traffic and beam data back to an attacker, or simply collect information until they are retrieved.

Educating the corporate user base to ensure they understand the dangers of using wireless networking outside the office will also become increasingly important. With more and more corporate users demanding access to increasing amounts of corporate data from home or on the move, from cafes and airport lounges, the danger of malicious networks performing MITM (man in the middle) attacks or capturing credentials by impersonating 'free' wireless services increases.

While for some, simply not providing wireless access is the current option, the day where that is acceptable for business is coming to an end, so get ready. Even the wireless police can only do so much!

Now where did I put my iPod touch?
