RealTime IT News

Public Database Shows Wireless Weaknesses

Security companies like to make sure the world knows that there are lots of security problems out there to fix. Network Chemistry, which bills itself as "the wireless security experts" thanks to its RFprotect line of WLAN intrusion detection/prevention tools, is doing more than just making sure customers know the latest. It's helping launch a new Web site just to catalog issues on wireless networks.

"We looked at the market and considered what was needed to increase awareness of wireless threats," says Brian de Haaff, Vice President of Product Management and Marketing at Network Chemistry. He says they soon realized "there's no repository for cataloging and naming [such threats]. We're not talking just Wi-Fi, but everything wireless. So we're going to spearhead an effort to make the first public database to communicate about wireless vulnerabilities and exploits."

The name of that database is, unsurprisingly, Wireless Vulnerabilities & Exploits, or WVE for short. The site is live today at www.wirelessve.org.

The site won't be specific to things Network Chemistry can fix. De Haaff stresses that it's vendor neutral — Network Chemistry only has stewardship, and "we won't drive the day-to-day management," he says. Other sponsors include the CWNP and the Center for Advanced Defense Studies:

Anyone can submit a wireless vulnerability, whether it's something very general like use of the open source Hotspotter tool, or something more vendor-specific like using Asleap to do dictionary attacks against Cisco's LEAP authentication.

The site won't be able to be used in vendettas, either. All submissions are vetted by an editorial board that includes software authors, CTOs and security experts (including some from CWNP and Network Chemistry). "We've got about 12 people now, and will probably grow to 25," says de Haaff. "They're responsible, when an entry is made, for vetting to see if it becomes a candidate [for the database]. Once we've got consensus, it becomes an official entry."

Network Chemistry piggy-backed this announcement with news that it's also introducing a product called RFprotect Endpoint to set security policy on Windows-based laptops in the office or on the road. The product will work with all connections, from Wi-Fi to Ethernet to dial-up. The agent software running on the computer also uploads usage info every time it logs into the corporate network — de Haaff says this can be used to start the process of recovering a stolen notebook. The Endpoint software should be available in early 2006. (For more, see Network Chemistry Goes on Wireless Security Spree.)