[ISN] Defense agency found using unsecure WLAN security camera

From: InfoSec News (isnat_private)
Date: Fri May 17 2002 - 02:43:05 PDT


    Date: MAY 16, 2002
    Author: Bob Brewin and Dan Verton
    The Defense Department agency that runs global networks, including
    secure classified command and control systems for the U.S. Department
    of Defense, has a gaping security hole in its front yard -- security
    cameras at its headquarters in Arlington, Va., are connected to a
    nonsecure and unencrypted wireless LAN.
    Chris O'Ferrell, chief technology officer at NETSEC Inc. in Herndon,
    Va., which provides intrusion-detection services to numerous federal
    agencies and commercial customers, detected the nonsecure wireless LAN
    at the Defense Information Systems Agency (DISA) last Friday.
    While parked across the street from DISA's headquarters, O'Ferrell was
    able to easily map the topology of the agency's network, including the
    Service Set Identifier (SSID) numbers of access points and numerous IP
    addresses. Using a standard 802.11b wireless LAN card attached to his
    laptop computer and "sniffer" software, he was able to probe the
    network in less than half an hour.
    O'Ferrell, who didn't attempt to enter the network, also determined
    that DISA hadn't even bothered to protect the system with the most
    basic form of 802.11b security, Wired Equivalent Privacy.
    The lack of encryption and other protections could allow an intruder
    to join the security camera system by launching a denial-of-service
    attack against a specific access point, allowing the intruder to
    "spoof" that access point -- thereby allowing him to view what
    security personnel see with the closed-circuit TV camera.
    The wireless LAN allows security personnel to remotely pan, tilt or
    zoom the cameras, according to Betsy Flood, a DISA spokeswoman.
    That information could make it easier for intruders to conduct a
    physical penetration of the compound, which houses the Defense
    Department's Global Network Operations Center, Computer Emergency
    Response Team and Network Security Operations Center.
    O'Ferrell said he found it scary that the DISA had such a casual
    approach to wireless networks operating at its headquarters.
    Flood confirmed that the DISA has operated a closed-circuit TV
    security camera system for about 45 days without encryption while it
    was being tested. During that time, she said, anyone sniffing the
    unencrypted system could indeed "see what we see on our video
    monitors, i.e., the parking lot, the front gate, the fence line, etc."
    Flood, who said the agency plans to encrypt the network by the end of
    today, also acknowledged that one of the cameras was broadcasting the
    "AP-BLDG 12 SSID" -- an access point SSID for one of the buildings in
    the compound, and that DISA is working with its vendors to change
    settings to make the system more secure.
    She said that the DISA's closed-circuit TV wireless LAN will be
    encrypted with trademarked 64-bit Wired Equivalent Privacy, a
    128-bit encryption algorithm from RSA Security Inc. called RC4, as well as
    a control table for Media Access Control addresses, the unique
    identifier for each computer on a network.
    Flood emphasized that the wireless LAN security camera system was
    separate from other DISA networks.
    O'Ferrell said he found it disturbing that the SSID of the access
    point he detected had such an obvious name -- "AP Bldg 12", which
    easily correlated with the building number painted on the DISA
    headquarters, Building 12. Such information could help an intruder
    "launch a 10-second DNS [denial of service attack] against the DISA
    AP, knock it out, set up their own [access point] with the SSID, and
    DISA would never know."
    O'Ferrell said it's both prudent and easy to turn off an SSID.
    Joe Weiss, vice president of the network application division at
    Aeronautical Radio Inc. (ARINC) in Annapolis, Md., which provides
    wireless communications service to the airline industry, said it's a
    good idea for DISA to encrypt traffic to and from CCTV cameras running
    over an 802.11b wireless system. Otherwise, operating them in the open
    would make it easy for non-DISA personnel to take control of the
    Earlier this year, Weiss said, an 802.11b wireless camera installed by
    one airline at the Dallas airport ended up being inadvertently
    controlled by personnel at another airline.
    Jim Lewis, a technology and public policy analyst at the Center for
    Strategic and International Studies in Washington, said that DISA's
    security problems illustrate the problems that a proliferation of
    wireless systems and devices poses for government and commercial
    "This could happen to anyone, because people are deploying systems
    before thinking about security," he said.