Wednesday, July 11, 2007

Understanding the Risks to Your Data on Wireless Networks

Keeping data secure and safe from unauthorized access is the raison d'être for an entire security industry. That said, however, the risks increase in the wireless world. Default passwords, lack of security, and many other reasons leave numerous wireless implementations sorely lacking and vulnerable to attack. On a positive note, a recent "Report on Technical Standards" released by a CyberSummit taskforce on security in the United States made some very promising recommendations for vendors to follow in their product life-cycle. There are over 20 recommendations including the following:

  • Produce more realistic security testing of products using real-world situations.

  • Provide better security recommendations, configuration checklists, and best practices in product documentation.

  • Make products secure by default.

  • Include a tool or capability that allows a user to quickly and easily report on the security posture of the installed product.

These and all the other recommendations, if followed, will lead to a more secure environment and will require less effort on the part of system staff to ensure a sound overall security posture. You can find the report on the Web site of the group that produced it.

You call that encryption?!

The most common encryption protocol for access points is Wired Equivalent Privacy (WEP). But before getting into that, a really brief primer on encryption is necessary. In a nutshell, encryption is the process of turning a cleartext message into a data stream that looks like a random sequence of bits, hiding the actual cleartext message. How this is accomplished is way beyond the scope of this book, but if you really need to know, look into Cryptography For Dummies.

So you want to hide your cleartext from others yet allow those you want to see the original message. WEP performs this step in your basic access points. When implemented, each time a user connects to the access point, his network packets are encrypted across the wireless airwaves and are decrypted by the access point. This means that encryption is only useful on the wireless portion, and, after you connect to your wired LAN, the data is no longer encrypted. This is usually fine because you are attempting to protect the more vulnerable wireless network.

WEP comes in two key lengths, and the key length is where the base strength of the encryption comes from. It's like having a really locked-down server: It's very secure unless you happen to have a weak administrator password. The key can be likened to the password. Your secret key is typically a 40-bit number or a 104-bit number. WEP extends this with a 24-bit initialization vector (IV) that is managed by the software. You often see vendors touting a 64-bit key and a 128-bit key. 64-bit WEP is the same as 40-bit WEP! The lowest level of WEP uses a 40-bit user key with the 24-bit IV. It's just that some vendors refer to this level of WEP as 40-bit and others as 64-bit.

So WEP uses the shared secret key you supply together with the 24-bit initialization vector as the complete key. It is the combination of this short, per-packet IV with a static user key that weakens WEP: with only 24 bits, IVs are bound to repeat on a busy network, and every repeat under the same secret key produces the same keystream. Most people rarely change their WEP key. This, combined with the small initialization vector, allows a persistent hacker to eventually crack the key and access all your encrypted data.

Some vendors are addressing this weakness with larger keys, such as Agere Systems with a 152-bit key and D-Link with its 256-bit key length, but these are also susceptible to attack; they just take longer to crack because they are not addressing the inherent WEP weakness. The new 802.11i protocol looks to address this fundamental weakness. Of course, you can always implement a VPN solution, which would dramatically improve your overall security.
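To make the key-length arithmetic and the IV problem concrete, here is an added Python illustration (not code from the original article or from any vendor). It builds a WEP-style RC4 seed from a 3-byte IV and a secret key, shows that two frames encrypted under the same IV and the same static key leak the XOR of their plaintexts, and uses the birthday bound to estimate how many frames a busy network can send before an IV repeats. The CRC-32 integrity check value that real WEP appends to each frame is omitted, and the key and IV values are constructed for the demonstration.

```python
"""Why a static WEP key plus a 24-bit IV is weak: toy model, not a protocol implementation."""

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible initialization vectors


def advertised_key_bits(secret_key_bits: int) -> int:
    """The figure vendors quote: the user's secret key plus the 24-bit IV
    (40 + 24 = 64, 104 + 24 = 128)."""
    return secret_key_bits + IV_BITS


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling, then the pseudo-random generation loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, secret_key: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: RC4 is seeded with IV || secret key and the
    keystream is XORed over the payload (ICV omitted in this toy model)."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 3 bytes")
    keystream = rc4_keystream(iv + secret_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(iv: bytes, secret_key: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under the same IV and the same static key share a keystream,
    so c1 XOR c2 == p1 XOR p2: the ciphertexts reveal the XOR of the
    plaintexts without the secret key ever being recovered."""
    c1 = wep_encrypt(iv, secret_key, p1)
    c2 = wep_encrypt(iv, secret_key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def frames_until_iv_repeat(probability: float = 0.5, iv_space: int = IV_SPACE) -> int:
    """Smallest number of frames with uniformly random IVs at which the chance
    that some IV has already been used twice reaches `probability`
    (the birthday bound; about 4,800 frames for a 24-bit IV at 50%)."""
    no_repeat = 1.0
    k = 0
    while 1.0 - no_repeat < probability:
        no_repeat *= (iv_space - k) / iv_space
        k += 1
    return k


if __name__ == "__main__":
    key40 = bytes.fromhex("0102030405")   # constructed 40-bit secret key
    iv = bytes.fromhex("0a0b0c")          # constructed IV that the sender happens to reuse
    print("40-bit key is marketed as", advertised_key_bits(40), "bits")
    print("same IV + static key leaks plaintext XOR:",
          keystream_reuse_leak(iv, key40, b"GET /index.html", b"POST /login.cgi"))
    print("frames until a 50% chance of an IV repeat:", frames_until_iv_repeat())
```

The birthday estimate is for randomly chosen IVs; implementations that simply count upward from zero and reset on reboot repeat IVs even sooner, which is why rotating the secret key, or moving to 802.11i or a VPN as the text suggests, matters more than a longer key.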

Accidental associations

Your wireless network usually cannot be easily contained within your organization; therefore, accidental associations can occur with neighboring networks.

The WLAN-friendly Windows XP operating system in particular makes it easy for your wireless users to automatically associate and connect to a neighboring wireless network without being aware of what is happening. To find out whether you have this problem, you can visit an active Web site that collects wireless access point locations, with over a million locations listed. It might be illuminating to see all your neighbors listed. If you enter Boston in the city search section, for example, you see a massive map covered in red, indicating wireless networks.

Whether you're talking guilt or network connectivity by association, you need to be aware that you might connect to the wrong network without realizing it, and therefore send confidential data across someone else's network. In fact, it's not hard to imagine someone installing an access point on purpose in the office next door in order to try and steal your trade secrets. The ultimate defense against this type of attack is to purchase defensive hardware.


It isn't difficult to eavesdrop on wireless connections, even if it may be illegal or at least unethical. In the wireless telephone industry, as with your wireless network, you basically use radio transceivers to accomplish your call. Your voice or data transmits through the air on radio waves. You receive the data from the person you are talking with the same way. Of course, as you already learned, radio waves are not directional. They disperse in all directions, and anyone with the proper radio receiver can listen in.

You can readily purchase scanners that listen in on analog wireless telephones. Think about that next time you're having a candid conversation on your cell phone. Such eavesdropping can be accomplished for less than $100 today. Digital communications have made it more difficult, but it is still possible — they are still radio waves. It just takes more sophisticated gear to accomplish the task.

Eavesdropping on your wireless network is trivial, requiring only a strong antenna, along with the normal wireless networking tools you might have, such as NetStumbler and a packet sniffer. The better the antenna, the easier it is to eavesdrop on someone's network. How much information you get is then a combination of your skill and the degree to which the network is protected using encryption or turnkey vendor solutions.

You always need to be aware of what you are transmitting on your cell or wireless network. If you really don't want it known, then you shouldn't use these technologies without strong encryption. If you think about it, the accidental association we mention above is a form of inadvertent eavesdropping, isn't it?

Man-in-the-middle attacks

A man-in-the-middle attack is where a rogue agent acts as an access point to the user and as a user to the access point, ending up in the middle of the two ends. All information is then routed through the rogue agent. Man-in-the-middle attacks work in wireless networks in part because 802.1x uses only one-way authentication. There is an implicit trust that the access point you are connecting to is the correct access point. When a man-in-the-middle attack occurs, that trust is abused to trick you into connecting. Your connection is then forwarded to the real access point you wanted to get to, completing your connection and allowing you to go about your business. Meanwhile, all your traffic is being captured and viewed.

Consider doing regular wireless site surveys to see if someone is violating your network by placing unauthorized access points on the network.
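One way to act on the site-survey advice is to compare what a survey sees against an inventory of the access points you actually own. The Python below is an added example, not code from the original article or from any survey tool: it parses a constructed CSV export of observed access points (SSID, BSSID, channel, signal strength) and flags an unknown BSSID broadcasting your own network name, which is exactly the "act as an access point to the user" setup the text describes. The inventory, the sample survey lines and the -60 dBm "inside the building" threshold are all assumptions for the demonstration.

```python
"""Flag unauthorized access points in a wireless site survey (constructed example)."""
from dataclasses import dataclass

# Constructed inventory of the access points we own: BSSID -> (SSID, channel).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpWiFi", 1),
    "00:11:22:33:44:02": ("CorpWiFi", 6),
    "00:11:22:33:44:03": ("CorpWiFi", 11),
}
OUR_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

# Anything louder than this is assumed to be physically inside our premises.
STRONG_SIGNAL_DBM = -60

# Constructed survey export: ssid, bssid, channel, signal_dbm.
SAMPLE_SURVEY = """
# ssid, bssid, channel, signal_dbm
CorpWiFi, 00:11:22:33:44:01, 1, -45
CorpWiFi, 00:11:22:33:44:02, 6, -52
CorpWiFi, AA:BB:CC:DD:EE:FF, 6, -38
Free Public WiFi, 00:0C:41:AB:CD:EF, 1, -55
linksys, 00:0C:41:12:34:56, 11, -80
"""


@dataclass(frozen=True)
class ApSighting:
    ssid: str
    bssid: str
    channel: int
    signal_dbm: int


def parse_survey(text: str) -> list:
    """Parse the CSV export; blank lines and '#' comments are skipped,
    and BSSIDs are normalised to lower case so inventory lookups match."""
    sightings = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ssid, bssid, channel, signal = [field.strip() for field in line.split(",")]
        sightings.append(ApSighting(ssid, bssid.lower(), int(channel), int(signal)))
    return sightings


def classify(sighting: ApSighting) -> str:
    """Decide what a sighting is, from the defender's inventory point of view."""
    known = AUTHORIZED.get(sighting.bssid)
    if known is not None:
        expected_ssid, expected_channel = known
        if sighting.ssid != expected_ssid or sighting.channel != expected_channel:
            return "authorized-bssid-misconfigured"   # ours, but not as inventoried
        return "authorized"
    if sighting.ssid in OUR_SSIDS:
        return "rogue-impersonating-our-ssid"          # the man-in-the-middle setup
    if sighting.signal_dbm > STRONG_SIGNAL_DBM:
        return "unknown-strong-signal"                 # probably on our premises
    return "neighbor"


def findings(text: str) -> dict:
    """Map each observed BSSID to its classification."""
    return {s.bssid: classify(s) for s in parse_survey(text)}


def rogue_bssids(text: str) -> list:
    """Only the sightings that need a walk around the building."""
    return sorted(b for b, verdict in findings(text).items()
                  if verdict in ("rogue-impersonating-our-ssid", "unknown-strong-signal"))


if __name__ == "__main__":
    for bssid, verdict in findings(SAMPLE_SURVEY).items():
        print(f"{bssid}  {verdict}")
    print("investigate:", rogue_bssids(SAMPLE_SURVEY))
```

A BSSID inventory is necessary but not sufficient: a rogue can copy an authorized BSSID as easily as it copies the SSID, so a sighting that matches the inventory but appears on the wrong channel, with an unexpected signal level, or from a part of the building where that access point is not installed still deserves a look.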


Hijacking is similar to the man-in-the-middle attack. Unfortunately, hijacking is fairly easy to do, especially if users are connecting to a free wireless access point in a hotel or coffee shop.

While sitting in a coffee shop sipping a latte, connect a laptop to the wireless network. Instead of opening a Web browser as you normally would, open up a scanning tool to see who else is connected. You might use a security tool called NMAP or one called Look@Lan to see what else is on the network.

After you find some computer addresses, probing them for open ports is easy, and, unless they are running firewall software or intrusion detection, they'll never know. After you locate open ports, it becomes a matter of time to see whether you can access the data on the machine, using open shares they may have left available or a myriad of hacking tools. Most workstations and laptops are poorly secured and therefore fairly vulnerable to attack. Using a free wireless network is one way to be hijacked. There are numerous tools for performing this sort of attack, including:

  • Superscan

  • SNScan

  • Look@Lan

  • Nessus

  • Netcat

Luckily, you can secure your network (securing your access point at the local coffeehouse might be more challenging). But every little bit helps.
