http://www.suntimes.com/output/news/cst-nws-protect21.html [One of the odd things about this article is that Chicago information security professionals have written about this at least once before in the Chicago Tribune back in July 2001, the writer had a good technical story for the audience, but the editor then really dumbed the article down to below the level of Joe Sixpack. Chicago is home to two daily newspapers, The Chicago Tribune which is considered to be more white collar, and the Chicago Sun-Times, printed tabloid style is considered as a blue collar paper, and here has the more technically written article of the two. I'll see if I can find the original Tribune article from July 2001 later in the week. - WK] -=- BY HOWARD WOLINSKY BUSINESS REPORTER July 21, 2002 Arrival gates. O'Hare International Airport. July 13. 11:48 a.m. A Sun-Times reporter turns on a hand-held computer and fires up MiniStumbler, a software program for scanning radio signals. Immediately, the program's small green, yellow and red lights begin to flash. The scanner has picked up 11 different signals--each one a possible entry point into somebody else's wireless computer network. The name of one network jumps off the computer's small display screen. It's BAGSCANUAORD. In English, that means "bag scan at United Airlines (UA) at O'Hare Airport (ORD)." And just as crucial is what is not showing up on the screen--a little padlock symbol that would indicate this network is encrypted, protecting it against hackers--or as they are called in the wireless world, "whackers." The Sun-Times reporter is not a terrorist. He stops right there. He means no harm. But if he were a terrorist, computer security experts say, he might quickly move to the next step. Using a laptop computer and one of several other easily available software programs, he might attempt to whack his way right into the BAGSCANUAORD network and, conceivably, into back-end, operating systems to create all kinds of havoc. He might, for example, manipulate coding within the bag scanning system to get an orphan piece of luggage on a plane, past inspectors, by assigning it to a nonexistent passenger--precisely the sort of thing the bag scan network is supposed to prevent. And one can only shudder at what might be in that luggage. Chris Nardella, spokeswoman for United Airlines, confirmed that the reporter had, indeed, detected the airline's international bag scan system. But she emphasized, "It poses no threat to United [computer] networks. It is not in any way connected to any other United back-end systems." Nardella also said "no sensitive data" is transmitted over the network, and that the international check-in soon will be switched to the bag-match system used on domestic flights. But independent security experts are less than sold by United's reassurances. "This is not a surprising answer. I imagine on Sept. 10, they would have said the same thing about the metal detectors and how security in airports was then: 'Everything is fine.' " said Thubten Comerford, chief executive officer of White Hat Technologies Inc., a Denver computer security firm, which earlier this year conducted a scan that revealed potential problems at Denver International. "[The airlines] don't take measures until there is a disaster. United may not be at risk. But it is surprising that they are willing to take any risk at all," by broadcasting the network name and not turning on encryption. "It's a dangerous wireless world," he said. Brave new wireless world The world is in the throes of a wireless revolution, a technological transformation that promises to make computing, on the Internet or through private networks, dramatically more convenient and useful. Freed of wired tethers to phone and cable lines, computers will be more portable than ever before. We'll download our e-mail at coffee shops, tap into our office's computer system from a picnic table in a nearby park or from a wireless connection anywhere in the world. But the wireless revolution, the hottest trend since the creation of the Internet, also poses a profound threat to our security and privacy. By tapping into these wireless networks--essentially radio broadcasts--whackers might readily break into computer networks in homes, businesses and government offices and read private memos, files and financial information. They might "piggyback" on a stranger's network and ride the Internet on their dime. And they might, as the bag scan scenario suggests, apply their whacking skills to more nefarious ends. The threat is real. While there have been no widely publicized cases of people cracking into computer networks via wireless access points, there have been scares. In April, for example, Best Buy deactivated wireless cash registers after a customer reportedly intercepted credit card numbers while testing wireless equipment outside a store. Last month, with new security in place, Best Buy began using the wireless devices again. In June, Joseph Konopka of Milwaukee, whose nickname was "Dr. Chaos," was indicted in Chicago on two counts of possessing chemical weapons after allegedly storing cyanide in a CTA subway storage room, near several large banks and federal and local government offices. According to an FBI affidavit, Konopka used a laptop--found with the deadly chemicals--to tap into nearby wireless networks. All over Chicago area On several days earlier this month, a Sun-Times reporter with a scanner walked and drove all over the Chicago area--from O'Hare to La Salle Street to suburban corporate parks--and detected access points to 1,064 wireless networks. He discovered networks operated by stock brokers, insurance companies, law offices, a federal judge and all types of businesses--from the Fortune 500 to car dealers, restaurants, food stores and a funeral home. The names of some of the networks, such as the bag scan site, made their purpose clear. The names of others--just a jumble of numbers and letters--were less revealing. But given where the scanner picked up on these networks--immediately outside banks, tech companies and the like--their sources often were obvious. Of the 1,064 networks detected by the reporter, only 401 were padlocked, but security experts say that may not matter much anyway. They warn that encryption, known as Wired Equivalent Privacy, or WEP, is only a mild deterrent. "Crackers can break WEP in 30 minutes to an hour," said Patrick Mueller, a security analyst with Chicago-based Neohapsis. Wireless networks fill the airways with chatter using a technology known as Wi-Fi, or wireless fidelity. If you have a laptop with the new Windows XP operating system and an inexpensive network card, you can sit down in a plaza downtown or an airport lounge and suddenly be asked if you want to connect to a network. "I've found myself inadvertently on someone else's network using the Internet," a Chicago businessman confessed. In fact, "borrowing bandwidth" to joy ride on private networks has become a sport for otherwise law-abiding techies. A computer subculture, known as "war drivers" or "Net Stumblers," has emerged to detect and map these wireless networks. A NetStumbler typically buys a can of Pringles, eats the "potato crisps" and fills the can with hardware and hooks up a pigtail connector to build an antenna to zone in on wireless networks. Stumblers claim the cost can be less than $10. Then, they go to a Web site to download free NetStumbler software on a laptop or MiniStumbler software on a hand-held computer to create a scanner to sniff out networks. As they discover new networks, they post them--along with Global Positioning System coordinates--at a Web site, www.netstumbler.com . Each wireless network is represented by a red cross on a national map. The major population centers, from coast to coast, look like burning bushes as cross is layered upon cross. The operators of the NetStumbler site say their goal is simply to warn about the inherent security dangers of Wi-Fi. Eighteen months ago, Pete Shipley, an unemployed Berkeley, Calif., security consultant, invented the mapping tools for war driving. But he said wireless networks are so common now that war driving is unnecessary: Criminals need only find a nearby parking lot to find a network to tap into. In fact, they don't really have to get too close. Using a powerful antenna, Shipley has linked to networks 50 miles away. Is this legal? "The legality of 'war driving,' or finding and mapping access points is a gray area," said Chicago attorney Benjamin Kern, an expert on wireless technology at Gordon & Glickson. "Courts have not generally imposed liability for simply locating open networks." It is clearly illegal, however, to intercept an encrypted message transmitted over a wireless network, Kern said, or even to connect to someone else's Internet link without permission. But then, terrorists don't ask permission. Protecting top secrets The security risks of Wi-Fi are giving people responsible for the nation's biggest secrets the willies. In January, the U.S. Department of Energy's Lawrence Livermore National Laboratory near San Francisco, where much of the country's weapons research is done, banned wireless networks in "safe" unclassified areas. The lab previously prohibited wireless networks and even wireless phones in classified areas. Livermore spokesman David Schwoegler said the lab was concerned that wireless devices inadvertently could be left in secure areas, creating breaches. Also, he said the lab was worried about the growing number of devices, such as laptops, that come with wireless capabilities built in. Wireless networks have not been banned at Argonne National Laboratory, the southwest suburban lab that traces its roots to the Manhattan project and development of the atomic bomb. But a spokesman said they are used only "in a controlled fashion." Stacy M. Williams, chief cyber security officer at Argonne, said all networks must be approved by his group and must be established outside the lab's protective computer firewall--software and hardware used to bar unauthorized users. Also, access to internal systems is allowed only through highly encrypted private networks using devices registered by Williams' unit. For further protection, Williams said, Argonne has released the cyberhounds: "We use a couple of wireless network sniffing applications to monitor our wireless environment, in an effort to guarantee that rogue networks don't pop up." And now the lab is looking at sniffers that will reveal anyone trying to probe their wireless network from a particular building on the campus or from a car. Home safe home? Nuclear secrets are one thing. What about family secrets? As the Sun-Times reporter wandered around with his scanner, the potential for whackers to snoop into people's lives became clear. Numerous home wireless networks showed up on the scanner, especially in affluent suburbs such as Highland Park, Hinsdale and Flossmoor. Early technology adopters there are adding the convenience of wireless, typically without trying to disguise their networks or turning on minimal security measures. The Sun-Times spotted a string of 17 unprotected home networks along Sheridan Road on the North Shore. Security experts generally downplay the threat to home networks. "The corporations have the gems computer hackers want," said Sandeep Singhal, chief technology officer with ReefEdge, a New Jersey developer of software to protect wireless networks. But Singhal conceded that whackers might be interested in breaking into home networks to probe personal finance files, e-mail or other personal information. And with more and more people connected to the office via wireless links, said Mueller, whackers could try to enter corporate networks from home networks. Once someone breaks into a home network, he could destroy files, erase hard drives, perhaps make purchases using online accounts, plant computer viruses and mount attacks on other networks. "The wireless access point can be a backdoor into a network," Mueller said. "The problems are potentially nightmarish." Drive-by snooping Most people consider information about their finances and health to be especially private. But as the Sun-Times reporter roamed about, he saw real potential for data leaks there. Driving in Naperville, near the Merrill Lynch building, the reporter detected an unprotected network named marshallgrange. A call to the brokerage turned up a broker team run by Paul Marshall and Jeff Grange. Marshall was astonished to learn that his network could be spotted on the street. "That's 300 feet away. The guys who put this network in said the range would only be 75 feet," said the broker. "They're going to be back here in about two minutes." Fortunately, Marshall said, no client information was available through the wireless connection, which is mainly used to coordinate schedules. "It's not very exciting," he said. He said many offices in his building use Wi-Fi. The reporter didn't spot any. But tools are available to reveal even seemingly invisible networks. There also were several networks broadcasting in the Illinois Medical District on Chicago's West Side. One was "CCHBURN." Calls to a spokesman at Cook County Hospital yielded no information about whether that could be "Cook County Hospital Burn" unit. But the next time the reporter drove by, someone had turned on the encryption. Downtown Chicago is abuzz with Wi-Fi traffic. From the top of the Sun-Times building, MiniStumbler detected 67 access points, most of which were wide open. Several were named Leo1. Could that be the Leo Burnett ad agency across the river? The reporter called Burnett and left his questions, but nobody called back. Then the reporter saw that the WEP encryption had been switched on for Leo1. A spokeswoman for Burnett, Sheri Carpenter, later left a voice mail: "What you found was a test network. They have obviously gone in and secured whatever needed to be secured." The scanner detected hundreds of other access points along Michigan Avenue, the La Salle Street financial district, Sears Tower and the John Hancock Center. Many access points had default settings and no encryption on, suggesting that they were particularly vulnerable to attack. The Wi-Fi industry is gearing up to spread its technology, known in the business as 802.11, and promising tougher security measures to protect wireless networks. But University of Maryland computer science professor William Arbaugh, a lead author of a widely discussed article on the vulnerability of networks, entitled "Your 802.11 Wireless Network has No Clothes," said the current situation reminds him of the early days of the Internet when organizations rushed in to create Web sites without considering the security holes they were creating to vital computer systems. Manufacturers insist their wireless systems are relatively secure with the proper precautions, such as using authentication systems to force users to identify themselves. Arbaugh doubts it. "Unfortunately, nothing could be further from the truth," he said. "While the current access points provide several security mechanisms, our work combined with the work of others shows that all of these mechanisms are completely ineffective. We believe that the current wireless access points present a larger security problem than the early Internet connections." - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Jul 22 2002 - 03:51:15 PDT