[ISN] Security concerns loom in new wireless world

From: InfoSec News (isnat_private)
Date: Mon Jul 22 2002 - 01:07:48 PDT


    [One of the odd things about this article is that Chicago information
    security professionals have written about this at least once before in
    the Chicago Tribune back in July 2001. The writer had a good technical
    story for the audience, but the editor then really dumbed the article
    down to below the level of Joe Sixpack.
    Chicago is home to two daily newspapers: The Chicago Tribune, which is
    considered to be more white collar, and the Chicago Sun-Times, which is
    printed tabloid style and is considered a blue collar paper, and here has
    the more technically written article of the two. I'll see if I can find
    the original Tribune article from July 2001 later in the week.  - WK]

    July 21, 2002

    Arrival gates. O'Hare International Airport. July 13. 11:48 a.m. 
    A Sun-Times reporter turns on a hand-held computer and fires up 
    MiniStumbler, a software program for scanning radio signals.
    Immediately, the program's small green, yellow and red lights begin to 
    flash. The scanner has picked up 11 different signals--each one a 
    possible entry point into somebody else's wireless computer network.
    The name of one network jumps off the computer's small display screen. 
    It's BAGSCANUAORD. In English, that means "bag scan at United Airlines 
    (UA) at O'Hare Airport (ORD)." 
    And just as crucial is what is not showing up on the screen--a little 
    padlock symbol that would indicate this network is encrypted, 
    protecting it against hackers--or as they are called in the wireless 
    world, "whackers."
    The Sun-Times reporter is not a terrorist. He stops right there. He 
    means no harm. 
    But if he were a terrorist, computer security experts say, he might 
    quickly move to the next step. Using a laptop computer and one of 
    several other easily available software programs, he might attempt to 
    whack his way right into the BAGSCANUAORD network and, conceivably, 
    into back-end operating systems to create all kinds of havoc.
    He might, for example, manipulate coding within the bag scanning 
    system to get an orphan piece of luggage on a plane, past inspectors, 
    by assigning it to a nonexistent passenger--precisely the sort of 
    thing the bag scan network is supposed to prevent.
    And one can only shudder at what might be in that luggage.
    Chris Nardella, spokeswoman for United Airlines, confirmed that the 
    reporter had, indeed, detected the airline's international bag scan 
    system. But she emphasized, "It poses no threat to United [computer] 
    networks. It is not in any way connected to any other United back-end 
    Nardella also said "no sensitive data" is transmitted over the 
    network, and that the international check-in soon will be switched to 
    the bag-match system used on domestic flights.
    But independent security experts are less than sold by United's 
    "This is not a surprising answer. I imagine on Sept. 10, they would 
    have said the same thing about the metal detectors and how security in 
    airports was then: 'Everything is fine.' " said Thubten Comerford, 
    chief executive officer of White Hat Technologies Inc., a Denver 
    computer security firm, which earlier this year conducted a scan that 
    revealed potential problems at Denver International.
    "[The airlines] don't take measures until there is a disaster. United 
    may not be at risk. But it is surprising that they are willing to take 
    any risk at all," by broadcasting the network name and not turning on 
    encryption. "It's a dangerous wireless world," he said.

    Brave new wireless world

    The world is in the throes of a wireless revolution, a technological 
    transformation that promises to make computing, on the Internet or 
    through private networks, dramatically more convenient and useful. 
    Freed of wired tethers to phone and cable lines, computers will be 
    more portable than ever before. We'll download our e-mail at coffee 
    shops, tap into our office's computer system from a picnic table in a 
    nearby park or from a wireless connection anywhere in the world.
    But the wireless revolution, the hottest trend since the creation of 
    the Internet, also poses a profound threat to our security and 
    privacy. By tapping into these wireless networks--essentially radio 
    broadcasts--whackers might readily break into computer networks in 
    homes, businesses and government offices and read private memos, files 
    and financial information. They might "piggyback" on a stranger's 
    network and ride the Internet on their dime. And they might, as the 
    bag scan scenario suggests, apply their whacking skills to more 
    nefarious ends.
    The threat is real. While there have been no widely publicized cases 
    of people cracking into computer networks via wireless access points, 
    there have been scares.
    In April, for example, Best Buy deactivated wireless cash registers 
    after a customer reportedly intercepted credit card numbers while 
    testing wireless equipment outside a store. Last month, with new 
    security in place, Best Buy began using the wireless devices again.
    In June, Joseph Konopka of Milwaukee, whose nickname was "Dr. Chaos," 
    was indicted in Chicago on two counts of possessing chemical weapons 
    after allegedly storing cyanide in a CTA subway storage room, near 
    several large banks and federal and local government offices. 
    According to an FBI affidavit, Konopka used a laptop--found with the 
    deadly chemicals--to tap into nearby wireless networks.

    All over Chicago area

    On several days earlier this month, a Sun-Times reporter with a 
    scanner walked and drove all over the Chicago area--from O'Hare to La 
    Salle Street to suburban corporate parks--and detected access points 
    to 1,064 wireless networks. He discovered networks operated by stock 
    brokers, insurance companies, law offices, a federal judge and all 
    types of businesses--from the Fortune 500 to car dealers, restaurants, 
    food stores and a funeral home.
    The names of some of the networks, such as the bag scan site, made 
    their purpose clear. The names of others--just a jumble of numbers and 
    letters--were less revealing. But given where the scanner picked up on 
    these networks--immediately outside banks, tech companies and the 
    like--their sources often were obvious.
    Of the 1,064 networks detected by the reporter, only 401 were 
    padlocked, but security experts say that may not matter much anyway. 
    They warn that encryption, known as Wired Equivalent Privacy, or WEP, 
    is only a mild deterrent.
    "Crackers can break WEP in 30 minutes to an hour," said Patrick 
    Mueller, a security analyst with Chicago-based Neohapsis.
    Wireless networks fill the airwaves with chatter using a technology 
    known as Wi-Fi, or wireless fidelity. If you have a laptop with the 
    new Windows XP operating system and an inexpensive network card, you 
    can sit down in a plaza downtown or an airport lounge and suddenly be 
    asked if you want to connect to a network.
    "I've found myself inadvertently on someone else's network using the 
    Internet," a Chicago businessman confessed.
    In fact, "borrowing bandwidth" to joy ride on private networks has 
    become a sport for otherwise law-abiding techies. A computer 
    subculture, known as "war drivers" or "Net Stumblers," has emerged to 
    detect and map these wireless networks.
    A NetStumbler typically buys a can of Pringles, eats the "potato 
    crisps" and fills the can with hardware and hooks up a pigtail 
    connector to build an antenna to zone in on wireless networks. 
    Stumblers claim the cost can be less than $10.
    Then, they go to a Web site to download free NetStumbler software on a 
    laptop or MiniStumbler software on a hand-held computer to create a 
    scanner to sniff out networks. As they discover new networks, they 
    post them--along with Global Positioning System coordinates--at a Web 
    site, www.netstumbler.com .
    Each wireless network is represented by a red cross on a national map. 
    The major population centers, from coast to coast, look like burning 
    bushes as cross is layered upon cross.
    The operators of the NetStumbler site say their goal is simply to warn 
    about the inherent security dangers of Wi-Fi.
    Eighteen months ago, Pete Shipley, an unemployed Berkeley, Calif., 
    security consultant, invented the mapping tools for war driving. But 
    he said wireless networks are so common now that war driving is 
    unnecessary: Criminals need only find a nearby parking lot to find a 
    network to tap into.
    In fact, they don't really have to get too close. Using a powerful 
    antenna, Shipley has linked to networks 50 miles away.

    Is this legal?

    "The legality of 'war driving,' or finding and mapping access points 
    is a gray area," said Chicago attorney Benjamin Kern, an expert on 
    wireless technology at Gordon & Glickson. "Courts have not generally 
    imposed liability for simply locating open networks."
    It is clearly illegal, however, to intercept an encrypted message 
    transmitted over a wireless network, Kern said, or even to connect to 
    someone else's Internet link without permission.
    But then, terrorists don't ask permission.

    Protecting top secrets

    The security risks of Wi-Fi are giving people responsible for the 
    nation's biggest secrets the willies.
    In January, the U.S. Department of Energy's Lawrence Livermore 
    National Laboratory near San Francisco, where much of the country's 
    weapons research is done, banned wireless networks in "safe" 
    unclassified areas. The lab previously prohibited wireless networks 
    and even wireless phones in classified areas.
    Livermore spokesman David Schwoegler said the lab was concerned that 
    wireless devices inadvertently could be left in secure areas, creating 
    breaches. Also, he said the lab was worried about the growing number 
    of devices, such as laptops, that come with wireless capabilities 
    built in.
    Wireless networks have not been banned at Argonne National Laboratory, 
    the southwest suburban lab that traces its roots to the Manhattan 
    Project and development of the atomic bomb. But a spokesman said they 
    are used only "in a controlled fashion."
    Stacy M. Williams, chief cyber security officer at Argonne, said all 
    networks must be approved by his group and must be established outside 
    the lab's protective computer firewall--software and hardware used to 
    bar unauthorized users. Also, access to internal systems is allowed 
    only through highly encrypted private networks using devices 
    registered by Williams' unit.
    For further protection, Williams said, Argonne has released the 
    cyberhounds: "We use a couple of wireless network sniffing 
    applications to monitor our wireless environment, in an effort to 
    guarantee that rogue networks don't pop up."
    And now the lab is looking at sniffers that will reveal anyone trying 
    to probe their wireless network from a particular building on the 
    campus or from a car.

    Home safe home?

    Nuclear secrets are one thing. What about family secrets?
    As the Sun-Times reporter wandered around with his scanner, the 
    potential for whackers to snoop into people's lives became clear.
    Numerous home wireless networks showed up on the scanner, especially 
    in affluent suburbs such as Highland Park, Hinsdale and Flossmoor. 
    Early technology adopters there are adding the convenience of 
    wireless, typically without trying to disguise their networks or 
    turning on minimal security measures. The Sun-Times spotted a string 
    of 17 unprotected home networks along Sheridan Road on the North 
    Security experts generally downplay the threat to home networks. "The 
    corporations have the gems computer hackers want," said Sandeep 
    Singhal, chief technology officer with ReefEdge, a New Jersey 
    developer of software to protect wireless networks.
    But Singhal conceded that whackers might be interested in breaking 
    into home networks to probe personal finance files, e-mail or other 
    personal information.
    And with more and more people connected to the office via wireless 
    links, said Mueller, whackers could try to enter corporate networks 
    from home networks.
    Once someone breaks into a home network, he could destroy files, erase 
    hard drives, perhaps make purchases using online accounts, plant 
    computer viruses and mount attacks on other networks.
    "The wireless access point can be a backdoor into a network," Mueller 
    said. "The problems are potentially nightmarish."

    Drive-by snooping

    Most people consider information about their finances and health to be 
    especially private. But as the Sun-Times reporter roamed about, he saw 
    real potential for data leaks there.
    Driving in Naperville, near the Merrill Lynch building, the reporter 
    detected an unprotected network named marshallgrange. A call to the 
    brokerage turned up a broker team run by Paul Marshall and Jeff 
    Marshall was astonished to learn that his network could be spotted on 
    the street.
    "That's 300 feet away. The guys who put this network in said the range 
    would only be 75 feet," said the broker. "They're going to be back 
    here in about two minutes."
    Fortunately, Marshall said, no client information was available 
    through the wireless connection, which is mainly used to coordinate 
    schedules. "It's not very exciting," he said. He said many offices in 
    his building use Wi-Fi. The reporter didn't spot any. But tools are 
    available to reveal even seemingly invisible networks.
    There also were several networks broadcasting in the Illinois Medical 
    District on Chicago's West Side. One was "CCHBURN." Calls to a 
    spokesman at Cook County Hospital yielded no information about whether 
    that could be "Cook County Hospital Burn" unit. But the next time the 
    reporter drove by, someone had turned on the encryption.
    Downtown Chicago is abuzz with Wi-Fi traffic. From the top of the 
    Sun-Times building, MiniStumbler detected 67 access points, most of 
    which were wide open.
    Several were named Leo1. Could that be the Leo Burnett ad agency 
    across the river? 
    The reporter called Burnett and left his questions, but nobody called 
    back. Then the reporter saw that the WEP encryption had been switched 
    on for Leo1. A spokeswoman for Burnett, Sheri Carpenter, later left a 
    voice mail: "What you found was a test network. They have obviously 
    gone in and secured whatever needed to be secured."
    The scanner detected hundreds of other access points along Michigan 
    Avenue, the La Salle Street financial district, Sears Tower and the 
    John Hancock Center. Many access points had default settings and no 
    encryption on, suggesting that they were particularly vulnerable to 
    The Wi-Fi industry is gearing up to spread its technology, known in 
    the business as 802.11, and promising tougher security measures to 
    protect wireless networks.
    But University of Maryland computer science professor William Arbaugh, 
    a lead author of a widely discussed article on the vulnerability of 
    networks, entitled "Your 802.11 Wireless Network has No Clothes," said 
    the current situation reminds him of the early days of the Internet 
    when organizations rushed in to create Web sites without considering 
    the security holes they were creating to vital computer systems.
    Manufacturers insist their wireless systems are relatively secure with 
    the proper precautions, such as using authentication systems to force 
    users to identify themselves.
    Arbaugh doubts it.
    "Unfortunately, nothing could be further from the truth," he said. 
    "While the current access points provide several security mechanisms, 
    our work combined with the work of others shows that all of these 
    mechanisms are completely ineffective. We believe that the current 
    wireless access points present a larger security problem than the 
    early Internet connections."