The agency responsible for the US Department of Defense's global
networks and classified command and control systems has a gaping
security hole in its front yard - security cameras at its Vancouver
headquarters are connected to a non-secure and unencrypted wireless
Lan (WLAN).
Chris O'Ferrell, chief technology officer at NETSEC which provides
intrusion-detection services to numerous federal agencies and
commercial customers, detected the non-secure wireless Lan at the
Defense Information Systems Agency (DSIA) last Friday.
While parked across the street from DISA's headquarters, O'Ferrell
was able to map the topology of the agency's network, including the
Service Set Identifier (SSID) numbers of access points and numerous
IP addresses. Using a standard 802.11b wireless Lan card attached
to his laptop computer and "sniffer" software, he was able to probe
the network in less than half an hour.
O'Ferrell, who did not attempt to enter the network, also
determined that DISA had not even protected the system with the
most basic form of 802.11b security, the Wired Equivalent Protocol.
The lack of encryption and other protections could allow an
intruder to join the security camera system by launching a
denial-of-service attack against a specific access point, allowing
the intruder to "spoof" that access point - thereby allowing him to
view what security personnel see with the closed-circuit TV camera.
The wireless Lan allows security personnel to remotely pan, tilt or
zoom the cameras, according to Betsy Flood, a DISA spokeswoman.
That information could make it easier for intruders to conduct a
physical penetration of the compound, which houses the Defense
Department's Global Network Operations Center, Computer Emergency
Response Team and Network Security Operations Center.
O'Ferrell said he found it disturbing that the DISA had such a
casual approach to wireless networks operating at its headquarters.
Flood confirmed that the DISA has operated a closed-circuit TV
security camera system for about 45 days without encryption while
it was being tested. During that time, she said, anyone sniffing
the unencrypted system could indeed "see what we see on our video
monitors - the parking lot, the front gate, the fence line, etc."
Flood, who said the agency plans to encrypt the network by the end
of today, also acknowledged that one of the cameras was
broadcasting the "AP-BLDG 12" SSID - an access point SSID for one
of the cameras in the compound, and that DISA is working with its
vendors to change settings to make the system more secure.
She said that the DISA's closed-circuit TV wireless Lan will be
encrypted with trademarked 64-bit Wired Equivalent Privacy, a
128-encryption algorithm from RSA Security called RC4, as well as a
control table for Media Access Control addresses, the unique
identifier for each computer on a network.
Flood emphasised that the wireless Lan security camera system was
separate from other DISA networks.
O'Ferrell said he found it worrying that the SSID of the access
point he detected had such an obvious name - "AP Bldg 12", which
easily correlated with the building number painted on the DISA
headquarters, Building 12. Such information could help an intruder
"launch a 10-second denial of service attack against the DISA AP,
knock it out, set up their own [access point] with the SSID, and
DISA would never know."
O'Ferrell said it's both prudent and easy to turn off an SSID.
Joe Weiss, vice-president of the network application division at
Aeronautical Radio (ARINC), which provides wireless communications
service to the airline industry, said it was a good idea for DISA
to encrypt traffic to and from CCTV cameras running over an 802.11b
wireless system. Otherwise, operating them in the open would make
it easy for non-DISA personnel to take control of the system.
Earlier this year, Weiss said, an 802.11b wireless camera installed
by one airline at the Dallas airport ended up being inadvertently
controlled by personnel at another airline.
Jim Lewis, a technology and public policy analyst at the Center for
Strategic and International Studies in Washington, said that DISA's
security problems illustrates the problems that a proliferation of
wireless systems and devices poses for government and commercial
organisations.
"This could happen to anyone, because people are deploying systems
before thinking about security," he said.