[ISN] AirDefense: N+I = No Wireless Security

From: InfoSec News (isnat_private)
Date: Thu May 08 2003 - 22:52:10 PDT

    Forwarded from: William Knowles <wkat_private>
    
    http://www.80211-planet.com/columns/article.php/2203421
    
    By Ed Sutherland
    May 8, 2003 
    
    Although wireless security was center stage during last week's
    Networld+Interop trade show in Las Vegas, behind the scenes was a
    convention floor full of misconfigured hardware resulting in malicious
    attacks on computers and undoubtedly many red faces.
    
    While N+I is the premier get-together for networking professionals,
    when it came to securing the countless wireless networks, participants
    "were not talking the talk or walking the walk," according to Fred
    Tanzella, chief security officer for AirDefense, a maker of wireless
    security products.
    
    In a two-hour monitoring sweep of the 100,000-square-foot convention
    floor, AirDefense detected hundreds of instances of misconfigured
    devices with results ranging from re-broadcasting information in 'the
    clear' to faking identities for the purpose of corporate snooping.
    
    The results of the passive monitoring were surprising, since you would
    think networking professionals "are more savvy than regular folks,"  
    Tanzella said.
    
    "With all the attention given to the security concerns of wireless
    LANs, you would think vendors would take extra precaution to secure
    their wireless LANs at the conference," said Jay Chaudhry, chairman
    and CEO of AirDefense.
    
    While N+I was the coming-out party for Wi-Fi Protected Access (WPA),
    the stop-gap security measure meant to replace Wired Equivalent
    Privacy (WEP), the security firm found forty percent of the 230 access
    points monitored failed to encrypt wireless traffic using WPA, 802.1x,
    or even the now-discredited WEP.
    
    Along with the insecurity of vendors' own gear, the passive monitoring
    revealed many "attacks and suspicious events," including 224 wireless
    devices employing the freely-available Netstumbler and MiniStumbler
    software to scan the networks.
    
    More ominous were ten identity thefts allowing people to impersonate
    Media Access Control (MAC) addresses and 16 Denial-of-Service attacks,
    both allowing attackers to "dig into intellectual property" on the
    laptops of convention attendees, Tanzella said.
    
    Tanzella said the attacks were intentional and indicated convention
    members "were not satisfied with what they are sharing with the
    public."
    
    The AirDefense security official said at most conventions, vendors
    don't bring along their main networking gurus. "They are at home
    guarding the company network," said Tanzella.
    
    Still, after the months-long drumbeat pointing out how misconfigured
    networks can pose security threats, simple errors were found to create
    potential headaches.
    
    There were 30 instances of wireless devices with peer-to-peer
    networking enabled -- great for sharing that PowerPoint slide or a
    company printer, but allowing such automatic connections gives hackers
    the "run of your machine and access to your documentation," said
    Tanzella.
    
    More than 70 WLAN devices searched for networks they had previously
    connected to, allowing open corporate networks to be uncovered.
    
    Many of the access points monitored were connected directly into hubs,
    causing the AP "to openly broadcast all wired traffic into the
    airwaves," according to AirDefense.
    
    Nearly 100 access points were overwhelmed by network interference.
    
    Tanzella said AirDefense did not notify vendors attending the N+I
    conference of the results and would not identify the offending network
    owners. Previously the company conducted a similar wireless security
    'audit' of four major U.S. airports and discovered problems. The
    company said it 'got its hands slapped' after naming the individual
    airports.
    
    Despite the amount of technology and the layers of protection, "the
    issue always comes down to the human factor," Tanzella said.
    
    The security monitoring was part of a two-hour demonstration at the
    show of the company's AirDefense Guard security system.
    
    
     
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ================================================================
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    *==============================================================*
    
    
    