http://www.lvbusinesspress.com/articles/2006/12/07/news/iq_11044250.txt

By Matt Ward
December 07, 2006

They have quirky names, such as AirSnort, Aircrack, CoWPAtty and THC-LEAPcracker. They are the implements of 21st century burglary.

Widely available online -- tutorials sometimes included -- these are a few of the latest tools hackers are using to pilfer information from supposedly secure wireless networks.

Experts in the field agree it no longer takes much interest in computers, or much skill, to penetrate all manner of networks, from the typical user's home connection to those used by small businesses and local governments.

Whole communities exist online for the purpose of sharing tips and techniques for breaking into wireless networks -- www.churchofwifi.org, www.netstumbler.com and www.kismetwireless.net to name a few.

Many wireless users are already familiar with the ease with which they can tap into someone else's network connection simply by being at the right spot at the right time. Similarly, it is easy for hackers to target those openings. The same technology allows coffee shops and bookstores to offer WiFi hotspots.

Computer manufacturers counter with a wide variety of security products. However, as one expert pointed out at the Global Gaming Expo last month, there is disagreement even among IT professionals over whether any of the standard security protocols go far enough.

"It's not like the incompatibilities are running rampant. But there are incompatibilities that are rather serious," said Joe Tomasone, a senior network-security engineer with Florida-based Fortress Technologies. Fortress builds military-grade secured networks for the Department of Defense.

Tomasone says many hackers access a wireless user's computer by sitting out in the parking lot of a business or the street near a home. Employing tools available online, it usually takes as little as 10 minutes to start collecting sensitive data or to start downloading illicit material using an innocent person's IP address.

Some hackers even build their own antennas, hoping to tap into larger streams of wireless networks, some as far as 100 miles away.

CASINOS THREATENED

With wireless gambling coming into play in Nevada, issues surrounding network security could become much more acute.

"Wireless is a very promiscuous technology. It's designed to talk to anything," Tomasone said. "Convenience and security usually have an inverse relationship."

Casino operators and gaming regulators, he explained, will need to pay close attention to security issues surrounding wireless gaming devices.

If securing such products isn't constantly monitored, he said, casinos may see network penetrations that wreak havoc on their system: theft of customers' personal information, compromised casino-security procedures, manipulation of the gaming devices themselves ... all done remotely and, most likely, without a trace.

"Mobile devices are transient and hard to track. That's why networks are easily breached," Tomasone said.

Users can't count on state and federal officials to protect them from Internet crimes like identity theft and corporate espionage, because most law enforcement computer-crime units are focused on catching sexual predators.

Gerald Gardner, chief deputy of the Nevada Attorney General's Las Vegas office, says the problem of computer crime is so large that many agencies don't have the resources to do much about it.

"It's extremely hard to track those people down. We've done a handful of prosecutions," he said. "It's exceedingly hard to get our arms around these offenders."

IDENTITY THEFT GROWING

In Las Vegas alone, more than 2,400 reports of identity theft were made to Metro last year. This year, the number was over 2,500 by mid-October. Those numbers do not include credit card fraud. Police don't break this category down further to detail which thefts are computer-related and many victims probably aren't aware how their identities were stolen in the first place.

"People are conducting more and more personal business online," said Gardner, who also serves as chief counsel to the state's Technological Crime Advisory Board. "It's frightening. We can't even get a search warrant for a computer unless we know its location."

The issue will never be solved by police, Gardner said, and can only be mitigated by financial institutions, Internet service providers and software manufacturers.

The problem with leaving security up to software manufacturers is that everything is standardized, created to work with as many different vendors as possible, which often allows weaknesses to slip into finished products.

"Instead of choosing something that works the best, they choose something that works for everybody," Tomasone said, referring to the Institute of Electrical and Electronics Engineers.

Tomasone says the worst thing consumers can do is depend on their local computer-store clerk for advice on securing their wireless networks. He suggests homeowners secure them by installing a WPA protocol, creating a complicated password and unplugging the access point when the computer isn't in use.

This will also work for small businesses. Above that, he said, the security should match the threat level a hacker could pose.

"Security is a gray area. What is secure? Saying my house is burglary-proof is a pretty strong statement," Tomasone said. "Do I want to be secure from someone using my Internet connection, the casual hacker or (from) someone committing corporate espionage?"

Copyright 2006, Las Vegas Business Press