[ISN] Insecure wireless networks exposed

From: InfoSec News (isnat_private)
Date: Wed Sep 11 2002 - 02:01:19 PDT

    By Tyler Hamilton
    Technology Reporter
    Sept. 10, 2002
    A local consulting firm launched a controversial Web site yesterday
    that shows gaping security holes in hundreds of wireless networks
    throughout the downtown core, including many in the financial district
    and some government and university areas.
    The consulting firm, irreverently called IpEverywhere, says about 75
    per cent of the more than 1,000 downtown wireless networks it has
    detected so far have no evidence of security and leave organizations
    wide open to information theft, data destruction, network spamming
    and other cyber attacks.
    The company plotted its findings on a map found at
    http://www.nakedwireless.ca, which went live on the Internet yesterday
    afternoon. The map marks vulnerable networks with red pins, while
    black triangles indicate networks protected with WEP - "wireless
    equivalent privacy" - encryption.
    "We never anticipated finding so many (open networks)," said J.P.  
    Tanguay, chief executive officer of IpEverywhere. "The initial map
    only took one day to do. The first night we picked up more than 500
    access points in under an hour."
    He plans to release similar maps for Oakville, Mississauga, Markham,
    Scarborough and other areas in and around the GTA, with a longer-term
    goal of mapping cities across the country.
    "It's a neat tactic," said Lawrence Surtees, telecommunications
    analyst with IDC Canada Ltd. "Anything groups or experts can do to
    promote awareness is a great idea."
    Despite media reports about the lack of security in wireless networks
    based on the 802.11b standard - dubbed "Wi-Fi" - Tanguay said
    companies using these networks continue to ignore the risks and
    falsely believe the products they use are secure by default, when the
    opposite is often true.
    Wireless networks are typically connected to internal corporate
    networks. Unprotected wireless networks can provide a back door to an
    organization's larger network, offering intruders free Internet access
    and a way to impersonate employees, tamper with sensitive company data
    or send in destructive computer viruses.
    Tanguay said the Web site was launched to draw more attention to the
    issue, which he considers a "growing national crisis."
    "If the site is controversial, that's great," Pat Mason, chief
    operating officer of IpEverywhere, said. "We want to have more
    discussion about this problem. Knowledge and awareness is good. The
    enemy in this issue is complacency and ignorance."
    The company, which provides network-security consulting services for
    large businesses, acknowledges its actions may be perceived as a way
    to drum up business for itself. But Tanguay said companies visiting
    the site have no obligation to use IpEverywhere's services.
    Other experts in the community confirmed the company's findings.
    "I'd say their findings are not surprising," said Keith D'Sousa,
    senior manager of information security services at KPMG LLP in
    Toronto. "From our own experience, we've had a 50-per-cent hit rate."
    A study done by RSA Security Inc. found that 67 per cent of all Wi-Fi
    networks detected in London, England, were unencrypted and open to
    Last year, reporters from The Star went "war driving" with KPMG and
    found 43 Wi-Fi networks in less than 15 minutes - 80 per cent of which
    were not secure. War driving is when a person drives around city
    streets and attempts to intercept unprotected wireless networks, using
    mainly a laptop, some free software and a cheap antenna.
    When using a plane, the practice is called "war flying." Meanwhile,
    "war chalking" is when hackers mark buildings or sidewalks with chalk
    to signal vulnerable networks to other hackers.
    "For some reason, companies have woken up to security on their
    computers and the Internet, but they've fallen asleep on wireless,"  
    said Surtees.