Wireless Mischief

[David Farber <dave () farber net>]

Begin forwarded message:

From: "John F. McMullen" <observer () westnet com>
Date: December 8, 2004 1:30:18 AM EST
To: johnmac's living room <johnmacsgroup () yahoogroups com>
Cc: Dave Farber <farber () cis upenn edu>
Subject: Wireless Mischief

From the Wall Street Journal -- www.wsj.com

E-COMMERCE/MEDIA
Wireless  Mischief
Hackers, Thieves Use Laptops, Other WiFi Devices to Access
Corporate Computer Systems
By WILLIAM M. BULKELEY

Is your wireless computer network dangerously promiscuous?

By their very design, wireless devices are constantly sending out 
signals called "probes" indicating that they are available and seeking 
to "hook up" with a nearby access point. In turn, every access point -- 
which serves as a gateway into the Internet or to an internal computer 
network -- transmits "beacons" inviting probes to link up.

Because wireless networking is designed to be simple to install and 
easy to use, the devices don't automatically distinguish between an 
authorized user and an intruder. And with the exploding use of wireless 
networks, laptops and other electronic devices, evidence is growing 
that some amateur and professional hackers are taking advantage of the 
technology's inherent openness to break into once-secure corporate 
computer systems.

In September, three young men pleaded guilty to hacking at a Lowe's 
Cos. store in Southfield, Mich. Without even entering the store, the 
men were able to link to a wireless network of bar-code readers and get 
onto the corporate computer system. Then they installed a program 
designed to capture credit-card information as shoppers checked out.

A spokeswoman for Lowe's says no customer information was lost, and 
adds that the system has been made secure. One of the men was sentenced 
to 12 years in prison -- a record for computer hacking, according to 
the Justice Department.

Other corporate network administrators report similar problems. Steve 
Lewack, a computer technician at a Columbus, Ga., hospital, was trying 
out new security software when he noticed signs of an intruder using 
the hospital's wireless network. A salesman for a supplier was sitting 
in the hospital's cafeteria and using his laptop to scan e-mails sent 
to the purchasing department, in an apparent effort to find new 
business.

"It was a wake-up call that made it clear we needed a full-time 
monitoring system," says Mr. Lewack of the 2002 incident. He has since 
persuaded the hospital to buy the AirDefense Inc. program that detected 
the intruder.

Not long ago, nearly all corporate computer networks were limited to 
hard-wired connections with desktop PCs. Although many employees had 
laptops, they generally connected via modems and phone lines, which are 
easy to secure.

But wireless computing, both at home and at the office, is soaring. 
Market-researcher IDC estimates that next year 27.7 million wireless 
network devices will be shipped world-wide, up 44% from 19.2 million 
this year -- and a big jump from just 4.5 million in 2002. Most are 
used in homes or by small businesses, but corporations increasingly are 
going wireless as well.

Spurred by the technology's popularity and low cost, laptop makers 
equipped some 79% of their products sold this year with built-in 
wireless connections, and that number will rise to nearly 100% next 
year, according to Instat/MDR, a market researcher. In addition, a 
growing number of other devices, ranging from nurse's carts at 
hospitals to machine tools on factory floors, use wireless links to 
communicate with central computer systems.

Wireless networks can be protected with passwords, and transmissions 
can be encrypted to prevent eavesdroppers from reading the signals. But 
many buyers never figure out how to change the password from the 
default configuration. On a technology-oriented Web site called 
Slashdot.org, a user posted an easy way to get access to unprotected 
Linksys wireless networks made by Cisco Systems Inc. "Anyone can 
connect" with full administrative control by logging in with the 
default password and browser setting published in Linksys manuals, the 
person wrote. A Linksys spokeswoman says, "We encourage our users to 
change their passwords and implement all their security features."

What's more, the most widely used wireless encryption standard can be 
cracked with programs available at no charge on hacker Web sites. A new 
encryption standard is about to be released, but many existing devices 
won't be able to use it.

Many company computer chiefs are aware of the problem. Most are careful 
to maintain password-protected and encrypted communications. Others use 
special software to monitor wireless access, such as that made by 
AirDefense or Boston-based Newbury Networks Inc. Some forbid use of 
wireless networks inside company walls, just as the Defense Department 
does in classified areas.

But wireless technology has a way of sneaking in anyway. Employees who 
have gotten used to the convenience of wireless networks at home 
sometimes surreptitiously create networks in their offices so they can 
carry their laptops into conference rooms and stay connected. Such 
unauthorized use can circumvent corporate firewalls.

Joshua Lackey, an "ethical hacker" who works for International Business 
Machines Corp. tracking security threats, says another company's 
network was shut down this year by a virus that didn't come over the 
Internet or through e-mail. IBM's consultants concluded that a computer 
in a passing car may have accidentally linked up with the company's 
wireless network and transmitted the virus. The incident, says Mr. 
Lackey, was a "drive-by virus infection."

Anil Khatod, president of Atlanta-based AirDefense, says one of his 
large customers discovered a breach created by its team of outside 
auditors. Working in a conference room with just one high-speed 
connection to the corporate network, the auditors had installed a 
wireless router so they could all be online. That inadvertently put 
sensitive financial information out in the air. He isn't aware of any 
problems that developed from the event.

When employees take laptops on the road, other risks arise. Ryan Crum, 
senior associate with PricewaterhouseCoopers LLP's security division, 
says one danger is employees who use a home wireless network sometimes 
forget to turn off the wireless feature on their laptop when they 
leave. "If you're in a hotel, and plug into a wire, your machine is 
still looking for access points," Mr. Crum says. "You don't know you've 
connected to someone in the next room." He says such a connection could 
enable another person to scan e-mails or files on the hard disk. "If 
you have a bunch of competitors at a convention, you could see what 
your competitors have," he says.

Technology is making it easier for would-be hackers. A new $69 device 
called a QueTec 4-in-1 card can turn any laptop into both a wireless 
transmitter and a wireless access point. So a hacker equipped with such 
a device could sit quietly at, say, an airport departure lounge 
equipped with a public wireless "hotspot." When an unsuspecting 
traveler tries to connect to the hotspot, the hacker could intercept 
the transmission, mimic the hotspot's screen, and collect credit card 
and password information -- a process known as phishing.

And then there is corporate vandalism. Paul Funk, president of Funk 
Software Inc., Cambridge, Mass., says a hacker recently broke into a 
computer-store chain's wireless network that connected PCs on display. 
Mr. Funk, whose company makes software to control network access, says 
the hacker apparently just guessed at the wireless password, then 
"brought down a number of stores" by instructing a central computers to 
run a "remote configuration utility" in the operating system that shut 
down several servers.

Write to William M. Bulkeley at bill.bulkeley () wsj com

Copyright  2004 Dow Jones & Company, Inc.
*** FAIR USE NOTICE. This message contains copyrighted material whose 
use
has not been specifically authorized by the copyright owner. The
'johnmacsgroup' Internet discussion group is making it available without
profit to group members who have expressed a prior interest in receiving
the included information in their efforts to advance the understanding 
of
literary, educational, political, and economic issues, for non-profit
research and educational purposes only. I believe that this constitutes 
a
'fair use' of the copyrighted material as provided for in section 107 of
the U.S. Copyright Law. If you wish to use this copyrighted material for
purposes of your own that go beyond 'fair use,' you must obtain 
permission
from the copyright owner.

For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml

   "When you come to the fork in the road, take it" - L.P. Berra
   "Always make new mistakes" -- Esther Dyson
   "Any sufficiently advanced technology is indistinguishable from 
magic"
    -- Arthur C. Clarke
    "You Gotta Believe" - Frank "Tug" McGraw (1944 - 2004 RIP)

                          John F. McMullen
   johnmac () acm org johnmac () computer org johnmac () m-net arbornet org
                  johnmac () tmail com johnmac () echonyc com
           jmcmullen () monroecollege edu johnmac () alumni iona edu
              ICQ: 4368412 Skype, AIM & Yahoo Messenger: johnmac13
                  http://www.westnet.com/~observer
                 BLOG: http://johnmacrants.blogspot.com/

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/