Steve McCuchin knew he had to do something about 802.11b after
finding out how easy it was to download tools designed to break into his
network.
A senior network administrator for the State of North Carolina’s Department
of Public Instruction, overseeing the security of 2,400 K-12 schools in the
state, he was well aware of the potential problems a hacker could cause if
given access to PCs eyeballed by thousands of school children.
“We hadn’t had any known problems, but like everybody else, we started to
see things come up,” McCuchin said. “We downloaded some free tools and
started to see how easy it was to find wireless networks around the
city. So we decided before we get hacked, we’d try to be a little
proactive.”
His solution? Get his bosses to approve more resources to beef up the state’s
wireless network before an incident happened. With almost 100 of the
schools in the state already sporting wireless access points (APs) and many
more exploring the technology, he was able to convince the bureaucracy to
free up more money to pay the IT staff to properly configure WiFi-connected
networks before something happened.
Not all corporate IT departments are as lucky as McCuchin; in most cases,
IT departments are under-funded and under-qualified to deal with their own
802.11b networks, a situation that leaves corporate intranets open to a
growing legion of wireless enthusiasts looking to sniff out wireless
hotspots, whether it’s legal or not.
Wardriving is in
Wardriving has received a lot of attention in the press lately. Stories of
people around the country with a lot of time on their hands — armed with
Pringles cans for antennas, a laptop running a wireless AP network
“sniffer” program, a PCMCIA card and a piece of chalk — mapping out a
national “hotspot” map should be enough to send executives scrambling to
ensure their network is up to snuff.
NetStumbler, for example, by far the most popular such program though not
the only one, has 18,474 registered users. Most of its users spend their
free time driving throughout the city looking for the next “open” network.
The Web site’s national map has tagged hotspots throughout the U.S., with
breakouts by city and state. Two University of Kansas researchers have
even come up with a method for creating
full-color images showing the reach of wireless networks on maps.
NetStumbler’s creators, to their credit, give businesses the option to have
their AP taken off the map, so to speak, but if an IT staff doesn’t know
enough to set up a wireless network in the first place or have enough time
to set it up correctly, they aren’t likely going to know their network’s
availability is general knowledge.
According to Mark Coley, a security consultant with HCS Systems, most IT
departments don’t have the money or inclination to fix their wireless
vulnerabilities.
“There’s an increasing amount of apathy when it comes to wireless
security,” he said. “In many cases, you’ll see networks where they’ve put
the access point inside the firewall and mistakenly place them on
workstation subnets where DHCP from the servers is available. My advice is
to place them outside the firewall and treat them as external interfaces.”
The end result is a comprehensive wired-network intranet that is loaded
with virtual private networking (VPN) equipment, secure routers and
firewalls — all for naught because of an AP sitting inside the firewall,
open to the world for anyone with a little know-how to access.
Risk assessment needed
The National Institute of Standards and Technology warns executives of the
need for continued scrutiny of their wireless networks throughout their life
cycle.
“Agencies should understand that maintaining a secure wireless network is
an ongoing process that requires greater effort than for other networks and
systems,” said Tom Karygiannis and Les Owens in a draft report NIST
released July 24. “(They) should not undertake wireless deployment for
essential operations until they understand and can acceptably manage and
mitigate the risks to their information, system operations and risk to
continuity of essential operations.”
Coley said he’s found many companies do undertake risk assessment, but many IT
departments are rushed to deploy equipment so companies can take advantage
of the technology’s benefits, namely portability.
Legal issues
The legalities behind wardriving and packet-sniffing are still being
hammered out at the federal level, though the industry is still so new, it
seems regulators and law enforcement officials have some catch-up work to
accomplish.
The Federal Communications Commission (FCC) doesn’t have much to say in the
matter, minus a legislative mandate, outside its existing Part 15 rules,
which govern the use of APs and other wireless equipment. The rule is used
to prevent 2.4 GHz operators (the spectrum 802.11b runs on) from
interfering with licensed spectrum owners.
The Federal Bureau of Investigation (FBI) is in similar
straits. According to Coley, “sniffing” out wireless networks isn’t
illegal, and to a large extent neither is connecting with the AP — even if
it’s being used to access the Internet for free. There is a case, he said,
in Texas to change that rule; a man is being tried for wire-tapping fraud
for associating his laptop with an open wireless network.
According to federal law, he said, the only time a person is committing a
crime is if they knowingly bypass Wired Equivalent Privacy (WEP) security
to get to the intranet or Internet.
“And it’s only going to get worse,” Coley said. “(IT departments) are
buying gateways that are going to be around for a long time — to get their
money’s worth — using today’s technology.”
Is it such a threat?
Not everyone is convinced WiFi is such a serious threat. Chris Rangel,
assistant vice president for marketing at equipment manufacturer Alvarion,
said the incidents of wireless break-ins are happening in controlled
environments, not in the real world.
“I’m not trying to minimize the vulnerability, it is there, but this
wide-range breaking into just doesn’t happen,” he said. “I think that in
terms of actual break-ins, this has been much more of a media event.
“Not to say the risk isn’t there, but these break-ins and insecurities have
come about through university research, not hackers,” he continued.
The real danger, he said, is that the press is disseminating information
not normally found and giving would-be hackers ideas to circumvent existing
security measures. Once the tools to circumvent WEP and other standards,
like 802.1x, get out, no amount of prevention will keep networks safe.
“If someone’s really going to go after you, those things aren’t going to
stop them,” he said. “It’s like locking your door; it’s only going to keep
the halfway-honest people from coming in.”
He agrees with Coley’s assessment, however, on improperly configured
wireless equipment on the corporate network. Many companies, he said,
don’t even enable WEP security on their APs, and they leave the default
service set identifiers (SSIDs) password on the machine. SSIDs are used to
differentiate WLAN environments.
“It’s quite easy to go out with a default PC card and get on a network,
because no one’s gone and changed the defaults,” he said.
McCuchin, the N.C. network administrator, said the time and effort of
securing a wireless network is a problem that can be easily solved, even if
administrators aren’t able to get more funding and training help from their
executives.
“Change the passwords, don’t broadcast your AP’s make and model number;
that just gives hackers a launching ground to see where to get around the
security,” he said. “Take a laptop outside, see how far your network
extends, and turn the power down if it’s going too far.”
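
The configuration checks that Coley, Rangel and McCuchin describe can be run against an AP inventory. The following is an added example, not part of the original article: the inventory fields, the sample records, the internal subnet, the short default-SSID list and the outdoor signal threshold are all assumptions made for illustration.

```python
import ipaddress

# Assumption: a small sample of factory-default SSIDs; extend for your vendors.
DEFAULT_SSIDS = {"linksys", "default", "tsunami"}
# Assumption: workstation subnet that sits inside the firewall (constructed).
INTERNAL_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumption: strongest signal tolerated when measured from outside the building.
OUTDOOR_LIMIT_DBM = -80

# Constructed inventory records (hypothetical field names and values).
INVENTORY = [
    {"name": "library-ap", "ssid": "linksys", "vendor": "Linksys", "model": "WAP11",
     "wep_enabled": False, "admin_password_changed": False,
     "ip": "10.20.4.17", "outdoor_dbm": -62},
    {"name": "gym-ap", "ssid": "staff-07", "vendor": "ExampleCo", "model": "X100",
     "wep_enabled": True, "admin_password_changed": True,
     "ip": "192.0.2.10", "outdoor_dbm": -88},
    {"name": "office-ap", "ssid": "ExampleCo-X100-2F", "vendor": "ExampleCo",
     "model": "X100", "wep_enabled": True, "admin_password_changed": True,
     "ip": "192.0.2.11", "outdoor_dbm": None},  # range not yet measured
]

def audit_ap(ap):
    """Return the list of findings for one AP record."""
    findings = []
    ssid = ap["ssid"].lower()
    if not ap["wep_enabled"]:
        findings.append("wep-disabled")
    if ssid in DEFAULT_SSIDS:
        findings.append("default-ssid")
    # An SSID that contains the vendor or model name advertises the hardware.
    if any(tok in ssid for tok in (ap["vendor"].lower(), ap["model"].lower())):
        findings.append("ssid-reveals-make-or-model")
    if not ap["admin_password_changed"]:
        findings.append("default-admin-password")
    # Coley's advice: APs belong outside the firewall, not on workstation subnets.
    addr = ipaddress.ip_address(ap["ip"])
    if any(addr in net for net in INTERNAL_SUBNETS):
        findings.append("inside-firewall")
    # McCuchin's laptop walk: flag APs still heard strongly from outside.
    if ap["outdoor_dbm"] is not None and ap["outdoor_dbm"] > OUTDOOR_LIMIT_DBM:
        findings.append("signal-reaches-outside")
    return findings

def audit(inventory):
    """Map AP name -> findings, listing only APs that need attention."""
    results = {ap["name"]: audit_ap(ap) for ap in inventory}
    return {name: found for name, found in results.items() if found}

if __name__ == "__main__":
    for name, found in audit(INVENTORY).items():
        print(f"{name}: {', '.join(found)}")
```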