One could say with some justification that it’s vulnerable systems that have not been updated.  Yes that’s very true but that would imply that if every box out there happened to be up to date, running anti-virus and a good firewall, there would be no more hacking. We know that’s not true.   Fortunately or unfortunately, depending on what side you are on, and just like there is more than one way to skin a cat, there are a number of ways to slip in.

     To me, one of the most dangerous things that has developed is all the unsecured wireless access points out there.  Just take an hour and drive around any neighborhood in a reasonably populated city and you will see default installs everywhere! I mentioned this to a security pro once and he responded with “Yeah isn’t that great? Any time I want to pull off the road and check my email I can!”  I responded with “You know that’s considered theft of bandwidth?” He just leered at me.

    It would be so easy to launch any attack I wanted and  it would be completely untraceable! I mean as far as I am concerned.  Just find a place to park that’s not too conspicuous and change my mac address just to be safe. Then hack away to my hearts content. Hmm, maybe send a nasty or threatening email to my local government official? Wow, I don’t even have to worry about spoofing my IP or being all that stealth.  The FBI is going to be showing up at this poor fool’s house not mine!

    There was a very interesting case in Washington DC where a person attempted to blackmail a company by sending emails from several unsecured residential homes. His mistake was that he used the same three places over and over again when he accessed the net to do his blackmail.  The FBI checked out all three homes and realized that the people in those homes couldn’t be connected, so they set up surveillance.  Shortly after that they caught the guy sitting outside of one the three houses in his car with his laptop. I feel sorry for the innocent people that came under the scrutiny of the FBI.

   There is no reason why manufactures of wireless routers can’t warn consumers in a more substantial way.  Package in the box some kind of very obvious warning and tutorial about security.  We as security professionals should do what we can to promote that I think.  Ok, I am done and now will get off my soap box !

Not only entries in the quick start guides of wireless routers, but also a more general awareness is taking place. When you drive around, sure you can find APs with no security, but I'm sure you're finding less and less. Also, as part of the setup, some ISPs that offer wireless routers are putting in security. Even printer vendors are starting to add securing to their internal NICs.

Is the problem solved... No! But I agree that with more awareness comes more compliance. As always, it all comes down to the human factor.

Don

While wireless security is certainly lacking, I think Internet Explorer is the more important vulnerability. There still finding huge exploits in 6.0, wait till 7.0 goes mainstream it will be even worse. IE is the most ubiquitous portal that essentially serves as the gateway to spyware/adware/malware etc. I think that once companies start running a WPA2 wlan with AES encryption and a Radius server, hacking that network becomes extremely difficult and will rely more on trickery then an actual technical flaw.

As illustrated by H.D. Moore's month of browser bugs. H.D. Moore of Metasploit fame, put out a new browser vulnerability every day for the month of July. Suposedly to spite Microsoft and how they handled previously discovered vulnerabilities.

http://browserfun.blogspot.com/2006_07_01_browserfun_archive.html

Everything that has been said in this thread is right - but I think the worse vulnerability is simply the user. If the users would know what they are doing even an unpatched XP with IE running over a wireless network would not be that easy to hack.

I agree, it's people. They're the only ones who can plug the holes and practice safe computing. Sure you can mandate and push updates and quarantine people off the network if they're not up-to-date, etc., but in the end, it's the uninformed/naive user that's the biggest threat, along with the trusted but untrustworthy insider.

IE is bad, too, along with other browsers, but again, users point and click the mouse...

KEV,
Thanks for spacing out your posts. Appreciated.