Information Feeding Frenzy
Mar 1, 2004 12:00 PM, By Jacqueline Emigh
At more and more organizations today, people can plug into the Internet from just about anywhere — conference rooms, the lobby, even hallways. With the rise of 802.11 wireless local area networks (LANs), costly wiring is no longer an absolute requirement for computer networks. Still, though, some companies and government agencies are resisting. Experts say wireless security risks range from “rogue” (or unauthorized) LANs inside the building to laptop-toting interlopers, also known as “war drivers” or “war walkers,” sometimes lurking in parking lots.
With some training, physical security professionals can work with IT departments to do a good job of fighting back.
WLANs are made up of wireless-enabled PCs and PDAs, together with separate hardware devices, known as access points (APs), now widely and cheaply available at retail stores. “Wireless LANs are very convenient, and an increasingly prevalent way for businesses to connect,” says Charles Cresson Wood, an independent consultant specializing in security.
Yet companies contemplating WLANs need to weigh some tradeoffs. “One of the good things about wireless LANs is that they go out over the airwaves,” says Fred Stivers, manager for standards and technology at Texas Instruments. “Then again, one of the bad things about wireless LANs is that they go out over the airwaves.”
Currently, 57 percent of U.S. businesses are using WLANs to some extent, according to Jupiter Research. In another study, conducted by Sage Research, 72 percent of companies with WLANs listed “productivity” as the main benefit. Even those companies, though, cited “security improvements” as their number one priority for wireless communications over the coming year. Meanwhile, some other organizations — especially in the government and R&D sectors — still ban WLANs entirely.
Many experts insist that, when properly set up, WLANs are as safe as any other sort of network. Unfortunately, though, a great many users — in businesses as well as homes — have yet to learn their lessons about wireless settings configuration.
From amateur thrill-seekers to hardened felons
Who are the perpetrators of wireless abuse? Some are young thrill-seekers. Others want nothing more than a free ride on an ISP service. Other motives are less benign.
Last fall in Toronto, a wireless hacker was stopped for a traffic violation, and police saw he was viewing pornography from the Internet on his laptop over an allegedly hijacked wireless connection. The man was charged with, among other things, “theft of telecommunications,” a crime in Canada, although not in the United States. Earlier that year, three men were arrested and charged with stealing customers' credit card information from a Lowe's home improvement store in Southfield, Mich. The trio allegedly accessed the retail store's WLAN from a parking lot.
Unscrambled information
The main issue in wireless security turns on the fact that most APs ship without encryption — a technology for “scrambling” data. According to some widely accepted estimates, as many as 70 percent of WLAN users never bother to turn on encryption. When encryption is left off, WLANs are left wide open to eavesdropping, access and even attack, says Alan T. Panezic, director of RIM's BlackBerry Solutions Group.
Steve Sebastian, IT director at Bradley Arant Rose and White LLP, gives a first-hand example. Recently, Sebastian visited his law firm's branch office in Jackson, Miss. While running special “sniffing” software on his laptop, Sebastian detected a WLAN in the building.
“At first, I thought we must have a rogue LAN right in our own midst,” Sebastian recalls. “As it turned out, though, the WLAN was located at a major accounting firm in the same building. Somebody there had gone out to the store, bought an AP, and set it up in his office without even telling his company's IT department. This guy was a senior vice president of his company.”
If employees use WLANs to connect to their corporate networks, wired networks can become similarly compromised, Panezic says.
War driving, walking and chalking
Among college students and other young adults, WLANs have given birth to a new breed of cybersports, dubbed war driving, war walking, and “war chalking.” War walkers and war drivers have instituted a tradition of posting the results of their exploits on the Internet — often complete with maps showing the network names and physical locations of unencrypted WLANs.
War chalkers go a step further in telling their tales by using chalk to draw symbols about their findings on the sidewalks outside of buildings. “Reputational damage can represent a huge risk to organizations,” Wood says. “People might think that if a company's wireless security is lax, the rest of its security is lax as well.”
Physical security tips — nailing intruders
Security guards can be easily trained to look for war drivers parked in “vehicles with bizarre-looking antennas,” Panezic notes.
Meanwhile, war chalking doesn't seem to be nearly as common as either war driving or war walking. What are some possible reasons? It's probably a lot easier to catch “chalkers” in the act. Moreover, defacement of property (whether with chalk or any other method) is against the law just about everywhere. On the other hand, companies might find it tougher to prove that a war driver actually committed any kind of crime — especially in the United States.
As a general rule, it's actually simpler to physically defend against a wireless intruder than an Internet hacker, experts say. In RF (radio frequency), the type of wireless technology used by wireless LANs, signals typically extend only a few hundred feet. “So if there is a wireless attack, it really has to be local,” Stivers says.
Clearing up some alphabet soup — WEP and WPA
The wireless industry has worked wonders over the past few years in raising the level of wireless security, according to Stivers, who gives much of the credit to groups such as the WiFi Alliance and the Institute of Electronic and Electrical Engineers (IEEE).
Wireless Encryption Protocol (WEP), the first type of encryption to show up in wireless LANs, is now being largely replaced with another type of encryption, called Wireless Protocol Access (WPA). Down the road, WPA will in turn make way for a third kind of encryption, known as 802.11i.
APs that use WPA receive stronger encryption than WEP APs. WPA also replaces WEP's “static” or unchanging software encryption key for APs with a “dynamic” or changing key, much harder for intruders to break. The encryption in 802.11i will add a “preshared” encryption key, under which all PCs, PDAs and other wireless devices will get their own dynamic encryption keys.
“WEP will protect against everything but the active attack,” Stivers says. “WPA is secure enough for today, and for the foreseeable future.”
To ban or embrace?
Should WLANs be banned or warmly embraced by organizations? A lot depends on the type of data that needs protection. “For pharmaceutical firms, research into new medicines is the lifeblood, especially before these medicines are patented. All access points to the network need to be sealed off,” Wood says. “Some government agencies — especially those related to the military — don't have enough confidence in wireless LANs to start using them yet,” he adds.
Most organizations that do allow WLANs also prohibit rogues. Under such policies, all WLANs must be configured and approved by an internal IT department.
Physical security tips — tracking down rogues
IT departments often conduct “sweeps” for wireless LANs, generally using laptops loaded with sniffing software. Alternatively, outside consultants can be hired for this job. “There's really no reason why physical security personnel couldn't be trained to perform wireless sweeps. Many of these guys have already been trained to sweep for (electronic) bugs,” Wood says.
Protection of authorized WLAN APs is another area where physical security can come into play. Usually, the APs are located either on the wall, just below the ceiling or in trap doors inside the ceiling. Tampering is one possible problem, but theft can be another. More feature-rich than their retail counterparts, higher-end APs can cost more than $1,000.
So if a security officer happens to observe someone climbing up a stepladder, it might not be someone about to change a lightbulb, after all. And if people are out on the sidewalk with chalk in their hands, they might have more than hopscotch on their minds.
FOR THE RECORD
About the companies
For information, circle the Reader Service number (listed below) or visit securitysolutions.com
| Company | Reader Service number |
|---|---|
| Symbol Inc. | 25 |
| Texas Instruments | 26 |
| Vernier Networks | 27 |
IT SECURITY
Beyond Encryption
On the IT security side, experts largely agree that it's best to use more security methods than WEP, WPA, or 802.11i encryption alone. For one thing, IT departments ought to add two-factor authentication, says Alan Panezic, director of RIM's Wireless Solutions Group.
In two-factor authentication, people are required to use two or more methods of showing that “they are who they say they are” in order to get network access. An organization might require a password, for example, together with a smart card containing some sort of biometric identifier. Panezic also suggests segmenting the wireless LAN to give different access rights to different groups.
Wireless vendors are also taking a variety of other approaches. Some vendors, including Symbol Inc., have changed the architectural setups of wireless equipment, placing most of the intelligence in a central wireless switch instead of in the APs. “The switch can easily be protected inside the corporate data center,” according to Bindo Gill, director of Symbol's Wireless Infrastructure Division.
Vernier Networks, on the other hand, produces systems designed to automatically enforce an organization's wireless policies. The City of Long Beach, Calif., is using Vernier's approach to enforce greater network access privileges for city employees than for visitors.
Furthermore, many experts recommend buttressing the wireless LAN with the same sort of “layered security” found in wired networks. The layered security approach requires the use of additional network hardware devices, known as firewalls, routers and Radius servers.
© 2012 Penton Media Inc.






