The Investigators: Password Stealers

By Andy Wise - bio | email

Wi-Fi PROTECTION CHECKLIST:

* WPA or WPA 2-ENCRYPTED ROUTERS

* 8-CHARACTER PASSWORDS:  MIXING LETTERS, DIGITS, SYMBOLS & CASES

* UPDATE SOFTWARE "PATCHES"

* UPDATE OPERATING SYSTEM (WINDOWS, ETC.)

MEMPHIS (WMC-TV) - If you're on a wireless network, safe web browsing is only as secure as your router.

If your router has no encryption -- or it has Wireless Encryption Protocol (WEP) encryption -- Jeff Horton could grab whatever comes across your wireless network.

"I could capture passwords," said Horton, owner of One Point Solutions Group of Germantown, TN (http://www.onepointsg.com/), a network security auditing company. "I could see e-mails going in and out, credit card authorizations...I could do that without anybody knowing it."

Horton said WEP encryption was the industry's first attempt at wireless security more than six years ago. But he said hackers learned to pick right through WEP within six months of its introduction to the market.

"Really quickly, there were some hackers and security professionals who were able to demonstrate that WEP can be broken," he said. "It has to do with processing power. Encryption security, that evolves over time."

Not only did Horton demonstrate that he could compromise non-encrypted wireless networks, but he also broke into my WEP-encrypted wireless network. He was able to watch me browse the Internet in real time:  the sites I surfed, the keys I stroked, even a password I temporarily changed in an attempt to cross him up.

We discovered mine isn't the only wireless network at risk.

Horton and the Action News 5 Investigators cruised a corridor of Poplar Avenue West from Kimbrough Woods subdivision in Germantown to Chickasaw Gardens in East Memphis. With his laptop rigged with tools to detect not only wireless networks, but also their encryption status, Horton detected 1,738 commercial and residential networks.

462 had no encryption at all, nearly 27 percent.

511 had WEP encryption.

But 765 -- 44 percent -- had what Horton called the standard in wireless encryption:  Wi-Fi Protected Access (WPA, WPA 2).

"If you have a router that is six or seven years old and doesn't support (WPA or WPA 2), I would recommend that you would go out to any of the big-box retailers, and you can get a newer device that will support any of those for $40 or $50," said Horton. "WPA is much stronger encryption and authentication. Any router that you would buy now would probably support either WPA or WPA 2."

Until you upgrade your router, Horton recommended downloading FREE anti-virus/spyware software at either http://free.avg.com/us-en/download-avg-anti-virus-free or http://www.malwarebytes.org/ to bolster your computer's virus protection.

Spec. Agent Rick Harlow, the agent-in-charge of the U.S. Secret Service's Memphis office, recommended being more creative with passwords. He said professional hackers can compromise a 5-character, non-case sensitive password of just letters and digits in ten minutes.

Harlow and the Payment Card Industry Data Security Standard (PCI DSS) recommended passwords of 8 CHARACTERS with at least 1 UPPER CASE, 1 LOWER CASE and 1 SPECIAL CHARACTER (#$%, etc.).

Harlow also said you should upgrade "patches" to software applications like Java and others when prompted.

"The reason those patches are out there is because a vulnerability has been discovered," said Harlow. "Anytime you have an open portal...any time you have the ability to get into a system remotely, that's another vulnerability."

Horton also suggested updating your operating system every time its manufacturer upgrades it (Ex:  if it's Windows, used Windows Update to upgrade its security).

Copyright 2010 WMC-TV. All rights reserved.