Information Security News mailing list archives

Security concerns loom in new wireless world


From: InfoSec News <isn () c4i org>
Date: Mon, 22 Jul 2002 03:07:48 -0500 (CDT)

http://www.suntimes.com/output/news/cst-nws-protect21.html

[One of the odd things about this article is that Chicago information
security professionals have written about this at least once before in
the Chicago Tribune back in July 2001. The writer had a good technical
story for the audience, but the editor then really dumbed the article
down to below the level of Joe Sixpack.

Chicago is home to two daily newspapers: The Chicago Tribune, which is
considered to be more white collar, and the Chicago Sun-Times, which is
printed tabloid style and considered a blue collar paper, and here has
the more technically written article of the two. I'll see if I can find
the original Tribune article from July 2001 later in the week.  - WK]

-=-


BY HOWARD WOLINSKY 
BUSINESS REPORTER 
July 21, 2002

Arrival gates. O'Hare International Airport. July 13. 11:48 a.m. 

A Sun-Times reporter turns on a hand-held computer and fires up 
MiniStumbler, a software program for scanning radio signals.

Immediately, the program's small green, yellow and red lights begin to 
flash. The scanner has picked up 11 different signals--each one a 
possible entry point into somebody else's wireless computer network.

The name of one network jumps off the computer's small display screen. 
It's BAGSCANUAORD. In English, that means "bag scan at United Airlines 
(UA) at O'Hare Airport (ORD)." 

And just as crucial is what is not showing up on the screen--a little 
padlock symbol that would indicate this network is encrypted, 
protecting it against hackers--or as they are called in the wireless 
world, "whackers."

The Sun-Times reporter is not a terrorist. He stops right there. He 
means no harm. 

But if he were a terrorist, computer security experts say, he might 
quickly move to the next step. Using a laptop computer and one of 
several other easily available software programs, he might attempt to 
whack his way right into the BAGSCANUAORD network and, conceivably, 
into back-end operating systems to create all kinds of havoc.

He might, for example, manipulate coding within the bag scanning 
system to get an orphan piece of luggage on a plane, past inspectors, 
by assigning it to a nonexistent passenger--precisely the sort of 
thing the bag scan network is supposed to prevent.

And one can only shudder at what might be in that luggage.

Chris Nardella, spokeswoman for United Airlines, confirmed that the 
reporter had, indeed, detected the airline's international bag scan 
system. But she emphasized, "It poses no threat to United [computer] 
networks. It is not in any way connected to any other United back-end 
systems."

Nardella also said "no sensitive data" is transmitted over the 
network, and that the international check-in soon will be switched to 
the bag-match system used on domestic flights.

But independent security experts are less than sold by United's 
reassurances.

"This is not a surprising answer. I imagine on Sept. 10, they would 
have said the same thing about the metal detectors and how security in 
airports was then: 'Everything is fine.' " said Thubten Comerford, 
chief executive officer of White Hat Technologies Inc., a Denver 
computer security firm, which earlier this year conducted a scan that 
revealed potential problems at Denver International.

"[The airlines] don't take measures until there is a disaster. United 
may not be at risk. But it is surprising that they are willing to take 
any risk at all," by broadcasting the network name and not turning on 
encryption. "It's a dangerous wireless world," he said.

Brave new wireless world

The world is in the throes of a wireless revolution, a technological 
transformation that promises to make computing, on the Internet or 
through private networks, dramatically more convenient and useful. 
Freed of wired tethers to phone and cable lines, computers will be 
more portable than ever before. We'll download our e-mail at coffee 
shops, tap into our office's computer system from a picnic table in a 
nearby park or from a wireless connection anywhere in the world.

But the wireless revolution, the hottest trend since the creation of 
the Internet, also poses a profound threat to our security and 
privacy. By tapping into these wireless networks--essentially radio 
broadcasts--whackers might readily break into computer networks in 
homes, businesses and government offices and read private memos, files 
and financial information. They might "piggyback" on a stranger's 
network and ride the Internet on their dime. And they might, as the 
bag scan scenario suggests, apply their whacking skills to more 
nefarious ends.

The threat is real. While there have been no widely publicized cases 
of people cracking into computer networks via wireless access points, 
there have been scares.

In April, for example, Best Buy deactivated wireless cash registers 
after a customer reportedly intercepted credit card numbers while 
testing wireless equipment outside a store. Last month, with new 
security in place, Best Buy began using the wireless devices again.

In June, Joseph Konopka of Milwaukee, whose nickname was "Dr. Chaos," 
was indicted in Chicago on two counts of possessing chemical weapons 
after allegedly storing cyanide in a CTA subway storage room, near 
several large banks and federal and local government offices. 
According to an FBI affidavit, Konopka used a laptop--found with the 
deadly chemicals--to tap into nearby wireless networks.

All over Chicago area

On several days earlier this month, a Sun-Times reporter with a 
scanner walked and drove all over the Chicago area--from O'Hare to La 
Salle Street to suburban corporate parks--and detected access points 
to 1,064 wireless networks. He discovered networks operated by stock 
brokers, insurance companies, law offices, a federal judge and all 
types of businesses--from the Fortune 500 to car dealers, restaurants, 
food stores and a funeral home.

The names of some of the networks, such as the bag scan site, made 
their purpose clear. The names of others--just a jumble of numbers and 
letters--were less revealing. But given where the scanner picked up on 
these networks--immediately outside banks, tech companies and the 
like--their sources often were obvious.

Of the 1,064 networks detected by the reporter, only 401 were 
padlocked, but security experts say that may not matter much anyway. 
They warn that encryption, known as Wired Equivalent Privacy, or WEP, 
is only a mild deterrent.

"Crackers can break WEP in 30 minutes to an hour," said Patrick 
Mueller, a security analyst with Chicago-based Neohapsis.

Wireless networks fill the airwaves with chatter using a technology 
known as Wi-Fi, or wireless fidelity. If you have a laptop with the 
new Windows XP operating system and an inexpensive network card, you 
can sit down in a plaza downtown or an airport lounge and suddenly be 
asked if you want to connect to a network.

"I've found myself inadvertently on someone else's network using the 
Internet," a Chicago businessman confessed.

In fact, "borrowing bandwidth" to joy ride on private networks has 
become a sport for otherwise law-abiding techies. A computer 
subculture, known as "war drivers" or "Net Stumblers," has emerged to 
detect and map these wireless networks.

A NetStumbler typically buys a can of Pringles, eats the "potato 
crisps" and fills the can with hardware and hooks up a pigtail 
connector to build an antenna to zone in on wireless networks. 
Stumblers claim the cost can be less than $10.

Then, they go to a Web site to download free NetStumbler software on a 
laptop or MiniStumbler software on a hand-held computer to create a 
scanner to sniff out networks. As they discover new networks, they 
post them--along with Global Positioning System coordinates--at a Web 
site, www.netstumbler.com.

Each wireless network is represented by a red cross on a national map. 
The major population centers, from coast to coast, look like burning 
bushes as cross is layered upon cross.

The operators of the NetStumbler site say their goal is simply to warn 
about the inherent security dangers of Wi-Fi.

Eighteen months ago, Pete Shipley, an unemployed Berkeley, Calif., 
security consultant, invented the mapping tools for war driving. But 
he said wireless networks are so common now that war driving is 
unnecessary: Criminals need only find a nearby parking lot to find a 
network to tap into.

In fact, they don't really have to get too close. Using a powerful 
antenna, Shipley has linked to networks 50 miles away.

Is this legal? 

"The legality of 'war driving,' or finding and mapping access points 
is a gray area," said Chicago attorney Benjamin Kern, an expert on 
wireless technology at Gordon & Glickson. "Courts have not generally 
imposed liability for simply locating open networks."

It is clearly illegal, however, to intercept an encrypted message 
transmitted over a wireless network, Kern said, or even to connect to 
someone else's Internet link without permission.

But then, terrorists don't ask permission.

Protecting top secrets

The security risks of Wi-Fi are giving people responsible for the 
nation's biggest secrets the willies.

In January, the U.S. Department of Energy's Lawrence Livermore 
National Laboratory near San Francisco, where much of the country's 
weapons research is done, banned wireless networks in "safe" 
unclassified areas. The lab previously prohibited wireless networks 
and even wireless phones in classified areas.

Livermore spokesman David Schwoegler said the lab was concerned that 
wireless devices inadvertently could be left in secure areas, creating 
breaches. Also, he said the lab was worried about the growing number 
of devices, such as laptops, that come with wireless capabilities 
built in.

Wireless networks have not been banned at Argonne National Laboratory, 
the southwest suburban lab that traces its roots to the Manhattan 
project and development of the atomic bomb. But a spokesman said they 
are used only "in a controlled fashion."

Stacy M. Williams, chief cyber security officer at Argonne, said all 
networks must be approved by his group and must be established outside 
the lab's protective computer firewall--software and hardware used to 
bar unauthorized users. Also, access to internal systems is allowed 
only through highly encrypted private networks using devices 
registered by Williams' unit.

For further protection, Williams said, Argonne has released the 
cyberhounds: "We use a couple of wireless network sniffing 
applications to monitor our wireless environment, in an effort to 
guarantee that rogue networks don't pop up."

And now the lab is looking at sniffers that will reveal anyone trying 
to probe their wireless network from a particular building on the 
campus or from a car.

Home safe home?

Nuclear secrets are one thing. What about family secrets?

As the Sun-Times reporter wandered around with his scanner, the 
potential for whackers to snoop into people's lives became clear.

Numerous home wireless networks showed up on the scanner, especially 
in affluent suburbs such as Highland Park, Hinsdale and Flossmoor. 
Early technology adopters there are adding the convenience of 
wireless, typically without trying to disguise their networks or 
turning on minimal security measures. The Sun-Times spotted a string 
of 17 unprotected home networks along Sheridan Road on the North 
Shore.

Security experts generally downplay the threat to home networks. "The 
corporations have the gems computer hackers want," said Sandeep 
Singhal, chief technology officer with ReefEdge, a New Jersey 
developer of software to protect wireless networks.

But Singhal conceded that whackers might be interested in breaking 
into home networks to probe personal finance files, e-mail or other 
personal information.

And with more and more people connected to the office via wireless 
links, said Mueller, whackers could try to enter corporate networks 
from home networks.

Once someone breaks into a home network, he could destroy files, erase 
hard drives, perhaps make purchases using online accounts, plant 
computer viruses and mount attacks on other networks.

"The wireless access point can be a backdoor into a network," Mueller 
said. "The problems are potentially nightmarish."

Drive-by snooping

Most people consider information about their finances and health to be 
especially private. But as the Sun-Times reporter roamed about, he saw 
real potential for data leaks there.

Driving in Naperville, near the Merrill Lynch building, the reporter 
detected an unprotected network named marshallgrange. A call to the 
brokerage turned up a broker team run by Paul Marshall and Jeff 
Grange.

Marshall was astonished to learn that his network could be spotted on 
the street.

"That's 300 feet away. The guys who put this network in said the range 
would only be 75 feet," said the broker. "They're going to be back 
here in about two minutes."

Fortunately, Marshall said, no client information was available 
through the wireless connection, which is mainly used to coordinate 
schedules. "It's not very exciting," he said. He said many offices in 
his building use Wi-Fi. The reporter didn't spot any. But tools are 
available to reveal even seemingly invisible networks.

There also were several networks broadcasting in the Illinois Medical 
District on Chicago's West Side. One was "CCHBURN." Calls to a 
spokesman at Cook County Hospital yielded no information about whether 
that could be "Cook County Hospital Burn" unit. But the next time the 
reporter drove by, someone had turned on the encryption.

Downtown Chicago is abuzz with Wi-Fi traffic. From the top of the 
Sun-Times building, MiniStumbler detected 67 access points, most of 
which were wide open.

Several were named Leo1. Could that be the Leo Burnett ad agency 
across the river? 

The reporter called Burnett and left his questions, but nobody called 
back. Then the reporter saw that the WEP encryption had been switched 
on for Leo1. A spokeswoman for Burnett, Sheri Carpenter, later left a 
voice mail: "What you found was a test network. They have obviously 
gone in and secured whatever needed to be secured."

The scanner detected hundreds of other access points along Michigan 
Avenue, the La Salle Street financial district, Sears Tower and the 
John Hancock Center. Many access points had default settings and no 
encryption on, suggesting that they were particularly vulnerable to 
attack.

The Wi-Fi industry is gearing up to spread its technology, known in 
the business as 802.11, and promising tougher security measures to 
protect wireless networks.

But University of Maryland computer science professor William Arbaugh, 
a lead author of a widely discussed article on the vulnerability of 
networks, entitled "Your 802.11 Wireless Network has No Clothes," said 
the current situation reminds him of the early days of the Internet 
when organizations rushed in to create Web sites without considering 
the security holes they were creating to vital computer systems.

Manufacturers insist their wireless systems are relatively secure with 
the proper precautions, such as using authentication systems to force 
users to identify themselves.

Arbaugh doubts it.

"Unfortunately, nothing could be further from the truth," he said. 
"While the current access points provide several security mechanisms, 
our work combined with the work of others shows that all of these 
mechanisms are completely ineffective. We believe that the current 
wireless access points present a larger security problem than the 
early Internet connections."



-
ISN is currently hosted by Attrition.org
