Hackers use Wi-Fi invisibility cloak

[InfoSec News <isn () c4i org>]

Forwarded from: "eric wolbrom, CISSP" <eric () shtech net>

http://techupdate.zdnet.co.uk/story/0,,t481-s2119788,00.html

Thursday 25th July 2002
Michael Sutton

Insecure Wi-Fi does not just put your data at risk. If hackers use it
to hack other companies, you could be vulnerable to lawsuits

Out of the box, Wi-Fi hardware is designed for ease of use and not
security. Basic Wi-Fi implementations include some security controls,
and while far from perfect, they do provide a deterrent to hackers.
However, unless the security controls are turned on, they're about as
useless as a screen door on a submarine.

Wi-Fi also completely changes the concept of physical security. In a
wireless world, security guards and surveillance cameras count for
very little.

Consider the following scenario:

You're a network administrator at a midsized company moving into a new
office who needs to establish network access quickly on a minimal
budget. After procuring the necessary hardware, you set up a wireless
access point for a Wi-Fi network. It works like a charm and employees
can now access company resources while working outside in the
courtyard.

Security has never been a problem for the company, but a week later
the FBI shows up investigating a hacking attempt at a defense
contractor 3,000 miles away. After conducting an extensive forensic
investigation, the bureau is convinced the attack originated from your
network.

Here was the weak link: The network administrator mistakenly assumed
that the physical security controls put in place to protect the wired
LAN would also do for the Wi-Fi network. Bad assumption. If employees
can access these resources from outside the building, the chances are
that hackers can too.

When conducting an attack, hackers employ various methods to cover
their tracks. Another approach is to hide behind the use of someone
else's network. Attackers don't need to be subtle or care whether the
attack gets traced back to its source because the source isn't theirs.

During a recent 15-minute cab ride in Manhattan, 77 of the 106 Wi-Fi
networks I found used no encryption. If attackers use a Wi-Fi network
as a launching pad, there's very little chance that they'll be caught.
As with traditional attacks, log files will lead authorities back to
the source network. Once they arrive, the hacker will be long gone.

It's a corporate nightmare scenario: All signs point to your network
as the source even though you have no knowledge of any wrongdoing.
Even if an outside perpetrator is suspected, the network owner may not
be able to escape liability. After all, he or she still provided the
resources used by the attacker.

Companies with insecure Wi-Fi networks used in hacking attacks could
become vulnerable to lawsuits. The cleanup from an attack can be very
costly, and victims will be looking for someone to foot the bill.
Since the hacker who perpetrated the attack might never be found,
victims will target corporations that unknowingly aided the hacker.

A plaintiff may convince a court to award damages after demonstrating
that the network owner failed to exercise "reasonable due care"
securing the system. There is not a significant body of legal
precedents in this area, but the Computer Emergency Response Team
(CERT) Coordination Centre co-authored a report on downstream
liability in which it theorised that companies could be held liable if
their networks are used in attacks.

The concept of downstream liability is being tested in Scottish
courts. FirstNet Online Management, a Scottish Internet service
provider, sued Nike last year after hackers redirected Nike's Web site
traffic to the protest Internet site s11.org, resulting in a temporary
service disruption for some of FirstNet's clients. FirstNet blamed
Nike's poor security for the incident.

Further underscoring just how seriously corporations consider these
risks, insurance companies now offer protection from downstream
liability lawsuits.

The Wi-Fi encryption scheme can be cracked, and unencrypted networks
can easily be identified during "war driving" expeditions. However,
the weakest link in Wi-Fi networks continues to be the human factor.

If the objective is to locate an insecure network to launch an attack
from, a hacker is likely to ignore networks with basic security
controls and search for "out of the box" implementations.

Corporations will find it hard to argue against negligence when even
the most basic security controls were not implemented. Even though
hackers can penetrate insecure Wi-Fi networks, basic security measures
such as enabling encryption still go a long way toward preventing a
network from being used in an attack.

 
_______________________________________________________________________
eric wolbrom, CISSP                     Safe Harbor Technologies
President & CIO                         190 Goldens Bridge Ct.
Voice 914.767.9090 ext. 6000            Katonah, NY 10536
Fax   914.767.3911                              http://www.shtech.net
_______________________________________________________________________



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.