[ISN] Hackers use Wi-Fi invisibility cloak

From: InfoSec News (isnat_private)
Date: Fri Jul 26 2002 - 01:49:47 PDT

  • Next message: InfoSec News: "[ISN] Big software pushes hard for national Gestapo"

    Forwarded from: "eric wolbrom, CISSP" <ericat_private>
    Thursday 25th July 2002
    Michael Sutton
    Insecure Wi-Fi does not just put your data at risk. If hackers use it
    to hack other companies, you could be vulnerable to lawsuits
    Out of the box, Wi-Fi hardware is designed for ease of use and not
    security. Basic Wi-Fi implementations include some security controls,
    and while far from perfect, they do provide a deterrent to hackers.
    However, unless the security controls are turned on, they're about as
    useless as a screen door on a submarine.
    Wi-Fi also completely changes the concept of physical security. In a
    wireless world, security guards and surveillance cameras count for
    very little.
    Consider the following scenario:
    You're a network administrator at a midsized company moving into a new
    office who needs to establish network access quickly on a minimal
    budget. After procuring the necessary hardware, you set up a wireless
    access point for a Wi-Fi network. It works like a charm and employees
    can now access company resources while working outside in the
    Security has never been a problem for the company, but a week later
    the FBI shows up investigating a hacking attempt at a defense
    contractor 3,000 miles away. After conducting an extensive forensic
    investigation, the bureau is convinced the attack originated from your
    Here was the weak link: The network administrator mistakenly assumed
    that the physical security controls put in place to protect the wired
    LAN would also do for the Wi-Fi network. Bad assumption. If employees
    can access these resources from outside the building, the chances are
    that hackers can too.
    When conducting an attack, hackers employ various methods to cover
    their tracks. Another approach is to hide behind the use of someone
    else's network. Attackers don't need to be subtle or care whether the
    attack gets traced back to its source because the source isn't theirs.
    During a recent 15-minute cab ride in Manhattan, 77 of the 106 Wi-Fi
    networks I found used no encryption. If attackers use a Wi-Fi network
    as a launching pad, there's very little chance that they'll be caught.
    As with traditional attacks, log files will lead authorities back to
    the source network. Once they arrive, the hacker will be long gone.
    It's a corporate nightmare scenario: All signs point to your network
    as the source even though you have no knowledge of any wrongdoing.
    Even if an outside perpetrator is suspected, the network owner may not
    be able to escape liability. After all, he or she still provided the
    resources used by the attacker.
    Companies with insecure Wi-Fi networks used in hacking attacks could
    become vulnerable to lawsuits. The cleanup from an attack can be very
    costly, and victims will be looking for someone to foot the bill.
    Since the hacker who perpetrated the attack might never be found,
    victims will target corporations that unknowingly aided the hacker.
    A plaintiff may convince a court to award damages after demonstrating
    that the network owner failed to exercise "reasonable due care"
    securing the system. There is not a significant body of legal
    precedents in this area, but the Computer Emergency Response Team
    (CERT) Coordination Centre co-authored a report on downstream
    liability in which it theorised that companies could be held liable if
    their networks are used in attacks.
    The concept of downstream liability is being tested in Scottish
    courts. FirstNet Online Management, a Scottish Internet service
    provider, sued Nike last year after hackers redirected Nike's Web site
    traffic to the protest Internet site s11.org, resulting in a temporary
    service disruption for some of FirstNet's clients. FirstNet blamed
    Nike's poor security for the incident.
    Further underscoring just how seriously corporations consider these
    risks, insurance companies now offer protection from downstream
    liability lawsuits.
    The Wi-Fi encryption scheme can be cracked, and unencrypted networks
    can easily be identified during "war driving" expeditions. However,
    the weakest link in Wi-Fi networks continues to be the human factor.
    If the objective is to locate an insecure network to launch an attack
    from, a hacker is likely to ignore networks with basic security
    controls and search for "out of the box" implementations.
    Corporations will find it hard to argue against negligence when even
    the most basic security controls were not implemented. Even though
    hackers can penetrate insecure Wi-Fi networks, basic security measures
    such as enabling encryption still go a long way toward preventing a
    network from being used in an attack.
    eric wolbrom, CISSP			Safe Harbor Technologies
    President & CIO				190 Goldens Bridge Ct.
    Voice 914.767.9090 ext. 6000		Katonah, NY 10536
    Fax   914.767.3911				http://www.shtech.net
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Jul 26 2002 - 04:33:46 PDT