[ISN] Security fears force cancer center to shelve wireless plan

From: InfoSec News (isnat_private)
Date: Wed Aug 29 2001 - 22:43:05 PDT


    August 29, 2001

    ASPEN, COL. -- The MD Anderson Cancer Center in Houston last week
    abruptly put an 18-month effort to provide wireless LAN access to
    11,000 users on its five-building campus on hold due to security

    Ernest Teves, research and development director at the facility, said
    research has shown "it is so easy to crack" the built-in security of
    industry standard 802.11b wireless LANs, the Wired Equivalent Protocol
    (WEP). Speaking here at a Delphi Group wireless conference yesterday,
    Teves said that as a result of that research -- some of which was
    conducted by a student at Rice University, located just five minutes
    from the center -- he decided to put the ambitious wireless LAN
    project on hold.

    Teves said he doesn't believe WEP will meet the stringent security
    requirements of the federal Health Insurance Portability and
    Accountability Act (HIPAA). He said he has asked Cisco Systems Inc. in
    San Jose, which has already performed an extensive site survey of the
    MD Anderson campus, to help beef up security.

    Additional security measures, Teves said, could throttle down real
    throughput on the wireless LAN from 7M bit/sec to 4M bit/sec. If
    that's true, Teves said, the wireless LAN installation could be
    stalled until manufacturers release products that provide 54M bit/sec
    raw throughput in the 2.4-GHz frequency band, an industry standard
    known as 802.11g.

    John Pescatore, an analyst at Gartner Inc. in Stamford, Conn., said
    security concerns about wireless LANs and WEP are justified because of
    the vulnerability of the over-the-air interface.

    "Our basic advice to clients is to treat wireless like the Internet,
    not like a LAN. Encrypt the data you send over it. Firewall your
    connection to it. Essentially, run a [virtual private network] or
    [Secure Sockets Layer] over all connections over WLANs until
    second-generation standards are stable," which will probably be in the
    first quarter of 2003, he said.

    C. Brian Grimm, a spokesman for the Wireless Ethernet Compatibility
    Alliance (WECA) in Mountain View, Calif., said that since HIPAA
    requires end-to-end security, running a VPN would satisfy any concerns
    a health care provider would have about WEP.

    Phil Belanger, marketing director for WECA, said the industry group
    also recommends additional security measures, such as a VPN.
