Wireless Security – What is the issue?

November 1, 2004

Wireless technology (or WiFi) provides individuals and organisations with computing mobility. A laptop is able to connect to the Internet or Local Area Network (LAN) without using any cables. It is also possible to access data on computers without even being physically within the building. (It is also possible for a laptop to connect to another laptop – without even knowing it, and that is an area of some concern.)

The push to wireless technology comes from several fronts:

  • Point of sale/scanning
  • Personal flexibility/mobility – “anywhere/anytime” access
  • Physical infrastructure limitations – areas where physical cabling is impractical or costly
  • Heritage buildings where cabling cannot be plugged through walls
  • Individuals wishing to establish a free broadband wireless network.

The commercial providers of wireless technology, whether to the general public or large corporations, have made wireless access a completely hassle-free operation. It is now possible for anyone to set themselves up for wireless access at home or work without the need to have very much in the way of technical knowledge. The only trouble is that, once they are “set up”, there is no way of knowing just who they are set up for.

Many organisations are now installing wireless “hot spots” in coffee shops and other public spaces. These organisations earn their revenue by charging for Internet access through their wireless access points. At its simplest:

  • Every Intel “Centrino” based laptop comes with wireless enabled as standard.
  • You can purchase a wireless ADSL modem from any computer shop for less than £100.
  • ...and then you are wireless,

but you are not secure.

The type of security generally used here is referred to as set and forget or hide-your-head-in-the-sand security. The hot-spot operator, while taking care of its own system’s security, bears no responsibility for your computer security. It is the user who has to take the necessary steps. The truth of the matter is that for every authorised user connected to such a system there could be two or three who are just hacking in. As long as the hot-spot manager does not know about it, they are “not there”, even if taking the bandwidth and downloading anything they want. The greater danger is that these people could be targeting your computer.

In the same way, many innocent users are adding Access Points to their homes and are inadvertently creating a mini-network neighbourhood, providing free Internet access for their neighbours. In a real life situation late last year, a Korean company was servicing the Internet needs of the student housing block next door to their premises. After dark (and through the day), their network was being used by the students for their work and other things. The company had 35 users, but there were over 100 unauthorised users on the system when it was scanned.

At the other end of the scale, a “rogue Access Point”, one connected covertly into a bank’s network to make life easier for a bank operator, allowed other users to openly connect into the core server architecture, bypassing a very significant DMZ and firewall designed to prevent this. This was invisible until scanned and found.

If you operate a corporate wireless LAN, the location and network name (SSID) of your company’s access points could well be published on a number of hacker Web sites where they document open hot-spots in the CBD.

Many individuals and organisations are adopting wireless for its mobility, but are not fully considering the risk or security implications. Firms are purchasing Centrino laptops and connecting them to their LANs, often not realising that these laptops are capable of wireless peer-to-peer (ad hoc) networking, which allows one laptop to talk directly to another computer while bypassing the corporate LAN and thereby opens a clear channel for the compromise of corporate data. Organisations may also be unaware of a “rogue” access point that has been installed on their network, whether by an authorised or an unauthorised person.

Wireless LANs are built on the 802.11 standard, which identifies every radio by its hardware (MAC) address and operates beneath the Internet protocols (TCP/IP). Security mechanisms that work at the IP layer, such as firewalls and access lists, never see the radio link itself, so they do nothing to stop an outsider associating with the access point in the first place. Even with encryption enabled, only the frame payload is protected: the frame headers, and with them the MAC addresses and the network name (SSID) carried in the access point’s beacons, are broadcast in clear text, giving a potential hacker enough information to stage an assault on a network.

The biggest advantage to the unauthorised hacker in a badly configured wireless LAN is that the MAC address is freely advertised to the world. Even in a well configured wireless network, the MAC addresses will be openly displayed to the unauthorised listener during the connect phase and, as the MAC address uniquely identifies every different wireless device, it is the perfect way to locate and potentially impersonate an authorised wireless device. There are no silent numbers in the wireless world.
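To make the previous two paragraphs concrete, the following added example (not code from the original article) constructs an 802.11 beacon and an encrypted data frame and parses back the fields that any listener can read without a key: the three addresses, the sequence number, the Protected flag, and for the beacon the SSID and the Privacy and ad hoc (IBSS) capability bits. The addresses and SSID are invented sample values; the frame layout follows the 802.11 header and beacon body.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# 802.11 Frame Control constants
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON = 8
FLAG_PROTECTED = 0x40   # Frame Control byte 1: payload is WEP/WPA encrypted
CAP_ESS = 0x0001        # beacon capability: infrastructure network (access point)
CAP_IBSS = 0x0002       # beacon capability: ad hoc / peer-to-peer network
CAP_PRIVACY = 0x0010    # beacon capability: encryption required to join


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class VisibleFields:
    """Everything an eavesdropper reads from a frame without any key."""
    ftype: int
    subtype: int
    protected: bool          # payload encrypted? the header is plaintext either way
    addr1: str               # receiver address
    addr2: str               # transmitter address (the station or AP radio)
    addr3: str               # BSSID for infrastructure traffic
    seq: int                 # 12-bit sequence number
    ssid: Optional[str] = None       # beacons only
    privacy: Optional[bool] = None   # beacons only
    adhoc: Optional[bool] = None     # beacons only


def parse_80211(frame: bytes) -> VisibleFields:
    """Parse the 24-byte MAC header and, for beacons, the management body."""
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = fc0 >> 4
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    f = VisibleFields(ftype, subtype, bool(fc1 & FLAG_PROTECTED),
                      mac_str(a1), mac_str(a2), mac_str(a3), seq_ctrl >> 4)
    if ftype == TYPE_MGMT and subtype == SUBTYPE_BEACON:
        body = frame[24:]
        _timestamp, _interval, cap = struct.unpack_from("<QHH", body, 0)
        f.privacy = bool(cap & CAP_PRIVACY)
        f.adhoc = bool(cap & CAP_IBSS)
        off = 12
        while off + 2 <= len(body):           # walk the tagged information elements
            tag, length = body[off], body[off + 1]
            value = body[off + 2: off + 2 + length]
            if tag == 0:                      # element 0 is the SSID, sent in the clear
                f.ssid = value.decode("utf-8", "replace")
            off += 2 + length
    return f


def build_beacon(bssid: bytes, ssid: str, privacy: bool, seq: int) -> bytes:
    """Construct a beacon as an access point would transmit it (sample values only)."""
    header = (bytes([0x80, 0x00])             # type mgmt, subtype beacon, no flags
              + b"\x00\x00"                   # duration
              + b"\xff" * 6                   # addr1: broadcast
              + bssid + bssid                 # addr2 source, addr3 BSSID
              + struct.pack("<H", seq << 4))  # sequence control
    cap = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    body = struct.pack("<QHH", 0, 100, cap)   # timestamp, beacon interval, capabilities
    body += bytes([0, len(ssid)]) + ssid.encode()   # SSID information element
    return header + body


def build_protected_data(station: bytes, bssid: bytes, seq: int, ciphertext: bytes) -> bytes:
    """Construct a station-to-AP data frame whose payload is encrypted (Protected bit set)."""
    header = (bytes([0x08, 0x41])             # type data; flags: ToDS | Protected
              + b"\x00\x00"
              + bssid                         # addr1: receiver (the AP)
              + station                       # addr2: transmitter (the client)
              + bssid                         # addr3: BSSID
              + struct.pack("<H", seq << 4))
    return header + ciphertext


if __name__ == "__main__":
    ap = bytes.fromhex("001122334455")        # constructed sample addresses
    client = bytes.fromhex("deadbeef0001")
    print(parse_80211(build_beacon(ap, "CorpWLAN", True, 7)))
    print(parse_80211(build_protected_data(client, ap, 1234, b"\xaa" * 32)))
```

Run it and note that the data frame reports `protected=True` yet still yields the client and access point addresses and the sequence number; the beacon advertises the SSID and that encryption is required. Those are exactly the fields an attacker needs to pick a target and to impersonate an authorised device.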

Popular Beliefs and Myths

Everyone, it seems, has their own idea of what security is all about, particularly when it comes to IT.

Within any organisation there are usually numerous people “responsible” for security, but all too often each has their own ideas about it. These ideas are compartmentalised to the extent that, as the differing rules cross departmental boundaries and interfaces, they collectively deliver a “solution” that is full of holes and disjointed standards. It may be very secure within one department, but once it crosses that boundary, gaps are created by the application of another set of rules and processes.

The truth of it all is that there may be little real security at all in these transition zones.

The FBI database access procedures manual is one of the most sensitive documents it has. Any user with access to this file would know exactly how to look up any record of anyone on the file and is even shown how to use the procedures, the colloquial language and the rules for valid access. Despite being of critical importance to the FBI, it was shared across many other Government agencies that did not really appreciate its significance. It not only wound up on many non-FBI desks, but also on the Internet, before it was brought to the Government’s attention. This happened because not everyone shared the FBI’s level of concern about the document. As they did not “own” it, they did not really care how important it was.

Often meetings hear about the extensive security a company employs. Much of this will be relayed through a senior executive or director who has been told of the systems in place. Usually, they will actually be discussing a system that they have only ever been told about, not one they have seen first hand for themselves – and perhaps it is one that they do not really understand. At the keyboard, it looks fine and works as it should, but is it really doing what you expect “behind the scenes”?

What really is meant by a “strong and reliable security system”? In most cases, trust is placed in others. If this trust is not met and the system is compromised or abused, as it was with the FBI manual, it is likely that the system security administrator will be sanctioned, the Director will have to do some explaining, and then it will all be over.

Consider this scenario. Assume that you are hungry and want a pizza. The normal way for you to get a pizza is to purchase one from a pizza store. The counter at the store is the normal type, where you order and pay for it and get a receipt (either a docket or a plastic table tab). Then you either sit down to eat it there or pick it up from the take-away counter. The sales counter is the focus for security.

But suppose you do not have any money. How could you still get a pizza? (Hacker mode)

· You could act as a waiter and after a pizza is delivered to the table, go up to the unsuspecting customer and take it back, apologise, tell them that you have made a mistake and that their pizza is still coming.

· You could also walk past the pizzas lined up outside the kitchen ready to deliver to the tables and take one.

· You could go into the kitchen and just (as the acting waiter) take a pizza or two and walk out. They’ll be too busy to notice.

· You could snatch one from a table (especially at the pavement) and run off or take one from a waiter when he is delivering more than one and push him over to keep everyone occupied and diverted while you escape.

· You could set off the fire alarm and, after everyone has left, help yourself to as many pizzas as you want.

How is this relevant to the security of your organisation? It is very relevant because it demonstrates that you have managed to get what you wanted (a pizza), but at no time did you ever have to get close to the controlled part of the ordering system (cashier and order counter). By exploiting existing weaknesses within the surrounding environment, such as the work habits of the organisation and employees, the trust relationships between the customers and the perceived waiter or the pre-conditioning we all have for a fire-alarm, you have got your pizza.

The alarming thing is that it is likely that in many cases (unless you have used force) no-one will have even noticed and put the missing pizza down to a genuine error. In the hustle and bustle of the pizza shop, it is highly probable that the person will not have been noticed and the pizza will be overlooked and replaced without question, particularly if the pizza cooks are covering up what they think could be an error. In a nutshell, securing the payment and ordering system has done nothing to prevent the pizzas from being stolen.

How many “pizzas” has your organisation lost? How many lost “pizzas” has your organisation put down to some other cause and replaced without looking into it? How many people, fearing the worst, have covered up a small anomaly or loss without saying anything? How will you ever find out?

As far-fetched and seemingly ridiculous as this example might look, the activities could parallel those in any organisation.

In the pizza example, we didn’t need to fake a credit card or steal money or do anything dangerous; we just did some “social engineering”, as Kevin Mitnick calls it, and “worked the system”.

More than 30 years ago, the US military realised that it was almost impossible (not to mention astronomically costly) to totally secure a central system from everyone and every type of attack. Instead, the network it funded, the ARPANET that grew into the Internet, was not designed to prevent every attack (many of which had yet to be invented) but to keep working under damage and leave a visible trail of intrusion, so that what had been done could be determined and the damage limited.

Today, not learning from this lead, large organisations still seek to develop these “vaults” of data, hiding them behind a DMZ or firewall system and assuming that they are secured. These organisations are looking inwards only and base their security in the same way. This approach also runs against the positive trends to share information with the market and the firm’s clients. It is a matter of balance between the benefits and risks to the business. Wireless networking offers many benefits but the risks must be quantified and dealt with.

Protecting the Core

True or false? Protect the central core and the network will be safe. Answer: False.

The trouble is that people have to access the central core to work and this causes the weakness. Sitting immersed within a veritable “soup” of fallible procedures and processes and the ever shifting complexities of human nature, there are inherent weaknesses that are perfect targets for attack. Furthermore, many of these attacks are from legitimate sources that have been compromised by a host of different weaknesses, are accepted by the security systems and will never be detected.

Wireless computing adds another totally new dimension to the security matrix. A wireless intrusion leaves no trace on the wired side of the network. Previously, an attacker needed at least a dial-up link into the organisation to access anything; now the same can be done from the car park or the building next door, and unless someone is listening to the airspace, no-one will ever know.

You can add encryption, but how can you be sure that it is working? Does it work the way it was intended to, and does it integrate exactly as it was designed to with the operating systems you are using? Current estimates are that networks secured with the WEP encryption that most equipment ships with as standard can be cracked within 12 to 36 hours.

The added danger of wireless is that it is almost impossible to know who is looking at your system at any time unless you have an intrusion detection system. WiFi intrusion detection systems actively monitor the airspace around your network to detect and report potential attacks or access attempts.
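The core of such a wireless IDS is a small set of rules applied to the plaintext header fields described earlier. The following added example (not a product or code from the original article) runs those rules over a constructed sample of sensor observations: it flags a corporate SSID beaconed from an access point that is not in the inventory (a rogue or “evil twin”), an authorised access point beaconing with encryption switched off, an ad hoc (peer-to-peer) network of the kind a Centrino laptop can form, an access point that is simply not on the list, and a station address whose 802.11 sequence numbers jump around, which is the signature of two radios sharing one MAC address. The inventory, addresses and threshold are hypothetical values chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed inventory of the organisation's access points (hypothetical addresses).
AUTHORISED_APS: Dict[str, str] = {
    "00:11:22:33:44:55": "CorpWLAN",
    "00:11:22:33:44:56": "CorpWLAN",
}
CORPORATE_SSIDS: Set[str] = set(AUTHORISED_APS.values())
MAX_SEQ_GAP = 64   # frames a sensor may plausibly miss between two captures from one radio


@dataclass
class Observation:
    """One frame as a monitoring sensor would summarise it; every field is plaintext on air."""
    src: str                         # transmitter address (addr2)
    seq: int                         # 12-bit sequence number from the header
    ssid: Optional[str] = None       # set for beacons only
    privacy: Optional[bool] = None   # beacon Privacy capability bit
    adhoc: bool = False              # beacon IBSS capability bit (peer-to-peer network)


Alert = Tuple[str, str]   # (rule name, MAC address)


class WirelessIDS:
    def __init__(self) -> None:
        self.last_seq: Dict[str, int] = {}
        self.reported: Set[Alert] = set()

    def _alert(self, rule: str, mac: str, out: List[Alert]) -> None:
        key = (rule, mac)
        if key not in self.reported:         # report each (rule, device) pair once
            self.reported.add(key)
            out.append(key)

    def observe(self, o: Observation) -> List[Alert]:
        alerts: List[Alert] = []
        if o.ssid is not None:                           # a beacon: classify the network
            if o.adhoc:
                self._alert("ADHOC_NETWORK", o.src, alerts)
            elif o.src in AUTHORISED_APS:
                if not o.privacy:
                    self._alert("AUTHORISED_AP_UNENCRYPTED", o.src, alerts)
                if o.ssid != AUTHORISED_APS[o.src]:
                    self._alert("AUTHORISED_AP_SSID_CHANGED", o.src, alerts)
            elif o.ssid in CORPORATE_SSIDS:
                self._alert("ROGUE_AP_CORPORATE_SSID", o.src, alerts)   # evil twin / rogue AP
            else:
                self._alert("UNLISTED_AP", o.src, alerts)
        # Sequence-number check: a single radio counts 0..4095 in steps of one (a retry
        # repeats the value). Two radios sharing an address produce interleaved counters.
        last = self.last_seq.get(o.src)
        if last is not None:
            delta = (o.seq - last) % 4096
            if delta != 0 and delta > MAX_SEQ_GAP:
                self._alert("SEQ_ANOMALY_POSSIBLE_MAC_SPOOF", o.src, alerts)
        self.last_seq[o.src] = o.seq
        return alerts


def run(observations: List[Observation]) -> List[Alert]:
    ids = WirelessIDS()
    alerts: List[Alert] = []
    for o in observations:
        alerts.extend(ids.observe(o))
    return alerts


# Constructed sample capture (not real traffic).
SAMPLE = [
    Observation("00:11:22:33:44:55", 100, ssid="CorpWLAN", privacy=True),
    Observation("00:11:22:33:44:55", 101, ssid="CorpWLAN", privacy=True),
    Observation("12:34:56:78:9a:bc", 40, ssid="NeighbourNet", privacy=True),    # someone else's AP
    Observation("aa:bb:cc:dd:ee:01", 17, ssid="CorpWLAN", privacy=False),        # rogue / evil twin
    Observation("aa:bb:cc:dd:ee:02", 5, ssid="laptop-p2p", privacy=False, adhoc=True),
    Observation("de:ad:be:ef:00:01", 200),     # legitimate station sending data frames
    Observation("de:ad:be:ef:00:01", 201),
    Observation("de:ad:be:ef:00:01", 3000),    # a second radio using the same address
    Observation("de:ad:be:ef:00:01", 202),
    Observation("00:11:22:33:44:56", 900, ssid="CorpWLAN", privacy=False),       # misconfigured AP
]

if __name__ == "__main__":
    for rule, mac in run(SAMPLE):
        print(f"{rule:32} {mac}")
```

The sequence-number rule is deliberately conservative: a real sensor misses frames, so small gaps are normal and the threshold has to be tuned to the environment, and a retransmission (same number twice) is never treated as an anomaly. None of these rules needs the encryption key, which is the point: the fields that make eavesdropping possible are the same fields that make monitoring possible.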

With a simply executed man-in-the-middle attack, using a direct wireless link to a staff member’s laptop, an intruder could attack your system at leisure and then access it through that laptop’s legitimate connection. You would never know. It might once have been possible to secure wired LANs to a high level, but now there are no wires, and there are more and more opportunistic “squatters” searching the airwaves for weaknesses and open access points.

What is Security?

Security is not a product, it is a process.

The security of a site is not due to a mixture of hardware and software; it is a function of an interlocked balance of good procedures, reliable tools and a clear, achievable strategy, driven by information about your site that tells you what is happening out there.

Security is something that must be clearly understood and fully appreciated by both the system administrator and the executives of the organisation.

The identification and management of a sound set of procedures that underpin a policy with clear objectives and achievable, measurable outcomes still relies on the biggest threat to security: human nature. It is intangible, unique and totally unpredictable, and yet organisations continue to be compromised by it. The organisation must look at ways to automate the monitoring and reporting of unauthorised access to the network, whether successful or not, and act proactively to continually enhance the system’s overall integrity based on the information provided.

Sandra Potter and Phil Farrelly are co-chairs of the VSCL Practice and Procedures Focus Group and directors of 3C Consulting Group, which provides specialist knowledge management advice to the legal profession, justice agencies and government organisations. They can be contacted at sandra.potter@3ccg.com and phil.farrelly@3ccg.com respectively.

Adam Todhunter is the Chief Technology Director of KxSolutions, a leading wireless security company based in South Melbourne.