http://www.computerworld.com/mobiletopics/mobile/story/0,10801,97352,00.html

Opinion by Demetrios Lazarikos
NOVEMBER 10, 2004
COMPUTERWORLD

For most people, summer is about taking a vacation with family or heading to a secluded place to get away. Earlier this year, I read an article about the number of wireless hacks that were increasing globally. What I found interesting was that the hacks were pretty basic and that most of the information on how to break into default systems, how to look for Wired Equivalent Privacy (WEP) being enabled and other wireless steps could be found in a Google search.

I had decided at the beginning of the summer that I wasn't going to take any downtime or a vacation per se. Instead, I would validate through "war driving" in five cities that wireless networking isn't ready for prime time. My itinerary involved Omaha; Chicago; Ann Arbor, Mich.; Denver and Atlanta.

War driving is driving around an area with a laptop computer and an 802.11 network card to identify the presence of wireless networks. One common thread through this mission was that the cities involved had some aspect of high-tech or higher education with an emphasis on IT security. Another common thread was that I had friends and family in these cities, so I had a place to stay.

Let me preface my experience with wireless networks. I embrace new technologies and try to understand how to make the workplace safe with security controls. It's not uncommon for individuals or organizations to speed up the process of implementation and not put security controls in place. I've been involved with many aspects of security and try to be proactive by educating. In my opinion, wireless security can be implemented safely, effectively and efficiently.

While on this mission, it was critical for me to identify if the following could be picked up from the war drive:

1. If WEP was enabled.
The WEP encryption method was designed to provide wireless networks with the same security available in wired networks; however, there are some challenges with this standard.

2. The presence of the service set identifier (SSID), the name assigned to a wireless network. Usually, the SSID comes by default using the vendor's name and should be changed to something nondescript.

With these two pieces of information, an unauthorized user could acquire access to a wireless network. Think about it. You're surfing the Net at home or in the office, and someone just hops onto your network connection. With information about whether or not WEP is disabled and SSID default settings, an unauthorized user could access your documents, financials or other sensitive information.

Packing my car with the necessary gear -- my Dell Inspiron laptop, a newly purchased Orinoco wireless network card, lots of CDs and my wireless 2-GHz antenna (code-named Jasmine) -- I started a cross-country trip from my home in Denver.

Omaha

The initial drive on my way to the Midwest was pretty mellow, with lots of time to think about what I was going to pick up on my first destination. As soon as I started to exit from I-80, Jasmine and NetStumbler started to pick up multiple wireless access points. I pulled over and started to collect data in downtown Omaha. The results were incredible for the short period of time that I spent there:

* 59 media access control (MAC) addresses identified in a 30-minute period
* 57 SSIDs were able to be identified
* 25 had WEP enabled
* 24 didn't have WEP enabled

Inventory of the manufacturers discovered:

* (2) Agere Systems Inc./Lucent Technologies Inc.
* (2) Apple Computer Inc.
* (3) Cisco Systems Inc.
* (2) D-Link Corp.
* (26) Linksys (which was acquired by Cisco last year)
* (7) NetGear Inc.
* (5) Symbol Technologies Inc.

I figured this would be a good baseline.
If I could drive in a city for 30 minutes and gather this information, I felt my summer experience would prove that wireless security still needs a great deal of attention.

I pulled into my friends' driveway and started to haul the gear into their house. Mr. Mom's (my friend is a stay-at-home dad) eyes popped out of his head. "What the heck is that?" he asked. Jasmine is always a nice conversation piece to have with me at the airport, at the house or on a vulnerability assessment. I demonstrated how it worked, and while doing so, I picked up another five wireless networks within five minutes.

I left early the next morning. I wanted to get to Chicago at a reasonable time so I could do some quality war driving before people went home for the day.

Chicago

I arrived in Chicago by early afternoon and checked in with some friends who live downtown. The Captain and his wife have been friends for some time. Actually, the Captain is responsible for my being on a computer. He gave me my first Commodore VIC-20 and taught me how to make those early computers sing with 64KB of memory.

We got into the car and loaded the gear. I was driving slowly downtown, and with my car's Colorado marker plates, it was only a matter of time before we were gathering stares from local cops on horses. Our patience paid off. We spent a little over half an hour downtown and were able to gather the following information:

* 165 MAC addresses identified in a 30-minute period
* 164 SSIDs were able to be identified
* 28 had WEP enabled
* 137 didn't have WEP enabled

Inventory of the manufacturers discovered:

* (2) Agere/Lucent
* (18) Apple
* (10) Cisco
* (29) D-Link
* (52) Linksys
* (16) NetGear Inc.
* (1) Senao International Co.

Ann Arbor

After a brief visit in Chicago, the Captain told me that they were going up north to see his in-laws and I was welcome to tag along. I accepted, and several hours later we picked up another friend, Old Timer.
I also bought a battery charger for the car from RadioShack. I was quickly burning through laptop batteries, but I needed to keep the laptop charged for more driving efforts.

We arrived at the University of Michigan around midday. As we approached Greek Row, Jasmine lit up, and we were capturing more data. Old Timer commented on how many "thunk" sounds NetStumbler was making as we gathered more statistics:

* 222 MAC addresses identified in a 30-minute period
* 221 SSIDs were able to be identified
* 75 had WEP enabled
* 147 didn't have WEP enabled

Inventory of the manufacturers discovered:

* (1) Acer Inc.
* (13) Agere/Lucent
* (6) Apple
* (11) Cisco
* (20) D-Link
* (56) Linksys
* (22) NetGear
* (3) Senao International

Denver

I was feeling pretty good about my drive, and I headed back to Colorado after spending time with my family back in the Midwest. When I arrived in Denver, I drove through downtown like I did the other cities. Operating on autopilot, I fired up Jasmine and started to gather my data. It wasn't that hard driving and managing the computer by now. With three cities under my belt, it was easy to manage this by myself. Setting up Jasmine in the back window, I drove for 40 minutes while gathering information. Here's what I found:

* 175 MAC addresses identified in a 40-minute period
* 168 SSIDs were able to be identified
* 29 had WEP enabled
* 146 didn't have WEP enabled

Inventory of the manufacturers discovered:

* (4) Acer
* (9) Agere/Lucent
* (12) Apple
* (18) Cisco
* (24) D-Link
* (37) Linksys
* (15) NetGear

I was satisfied. Or so I thought.

Atlanta

Toward the middle of August, I received a phone call from some friends in Atlanta, which got me thinking about Atlanta as another city where I could gather war-driving data. Two weeks after the call, I arrived in my final war drive city. After lunch and catching up with my friends, I walked through the business district and let Jasmine do her thing.
This time, I was on foot so I could take my time and gather data at a relaxed pace. Atlanta was alive with wireless networks:

* 392 MAC addresses identified in a 2-day period on foot
* 343 SSIDs were able to be identified
* 119 had WEP enabled
* 273 didn't have WEP enabled

Inventory of the manufacturers discovered:

* (12) Acer
* (7) Agere/Lucent
* (26) Apple
* (37) Cisco
* (48) D-Link
* (63) Linksys
* (24) NetGear

Overall, I was pleased with the time I took off this summer. I was able to demonstrate some basic data gathering from vulnerable wireless networks. I was reminded of several issues while writing this article:

1. People who use wireless networks should implement secure controls before going live with a wireless network.
2. Wireless networks are ready for prime time if security controls are implemented properly.
3. The cyberworld never sleeps.

This summer project really has me thinking of what research I could accomplish if I take some time off during the winter holidays.

Demetrios "Laz" Lazarikos, CISM, is an IT security consultant and auditor who has worked with small to midsize businesses, Fortune 500 companies and government agencies for more than 18 years. He is the co-author of Cover Your Assets: A Guide to Building and Deploying Secure Internet Applications, which has been used to help define the security awareness training for companies including Galileo International Inc. He can be reached at security (at) laz.net