
Your CEO is sitting in the cafe before your next meeting
using instant messenger to talk to his vice-president of marketing
while sending an e-mail to the financial director asking about next
month's results. The guy in the corner sipping his coffee and
staring intently at his laptop is not reading the news: he is
reading your CEO's conversation. And when he is finished, he is
going to install a trojan program on the CEO's laptop. How? And what
should IT managers do to stop things like this
happening?
Wi-Fi security is both a client and a server-side issue, and
many businesses, especially small ones, may be leaving themselves
and their networks unprotected. An internal wireless local area
network (Lan) can be a great productivity tool, as can wireless
laptops. They create the potential for everything from hotdesking,
to wireless voice over IP (VoIP) phones. But they can also create
some serious security loopholes. Given the move toward targeted
attacks, the threat is becoming a practical one. Reports indicate
that TJX Group, the retail giant which for months ran software
planted by criminals on its network, was initially compromised via
a wireless network.
"TJX is of the view that the intruder initially gained access to the
system via the wireless local area networks (WLans) at two
stores in the United States," said a report from the Canadian
Privacy Commissioner.
Even if a company's own servers are sufficiently protected
against attack, allowing anyone access to its wireless network
creates the opportunity for crimes perpetrated against others using
its infrastructure. If criminals use a firm's network to send spam
or hack other people's computers and the owner of the network
becomes implicated, it could create headaches, says Guy Bunker,
chief scientist at Symantec. "A lot of these things come down to
reputation. It is not the sort of thing where you want to have to
argue whether you were at fault, if you can prevent that from
happening in the first place," he says.
The options for protecting systems were more limited in the
early days of wireless Lans than today. The Wired Equivalent
Privacy (WEP) protocol encrypted transmissions happening over the
air, but Bruce Potter, CTO of security company Ponte Technologies,
says that it was fundamentally flawed. "The concept behind WEP was
not bad, but the implementation was poor, which is what led to the
weaknesses in it," he says. Someone leaving a computer running with
some open source wireless network sniffing software for a few days
or less would eventually be able to crack a WEP-enabled
network.
WEP was replaced by WPA, an updated version that used similar
concepts but executed them more effectively, Potter says.
Unfortunately, rival standardisation efforts led to an alphabet
soup of different acronyms - WPA2, WPA PSK, and WPA Enterprise.
This led to such confusion, says Potter, that many companies simply
fall back to using WEP, in spite of the fact that it has now been
deprecated. Consequently, many networks - where encrypted at all -
can be cracked relatively easily using publicly available
software.
When implemented properly, another technology called
802.1x helps to lock down a network still further. The standard
was introduced to help separate the authentication of computers
from the encryption of the data that they exchange using the
wireless network. An 802.1x network requires a computer to
authenticate itself before joining a network. The computer sends
its credentials to an access point, which then checks with the
network's authentication server. If the computer passes the test,
it is allowed onto the network.
The problem is that many companies do not implement 802.1x
properly, Potter says. It should be implemented on both wired and
wireless infrastructures. Otherwise it becomes possible for an
attacker to walk into a building and simply install a Wi-Fi access
point on an open Ethernet port, enabling them to break into the
network from a safe location next door at their leisure. He says
that a large proportion of companies do not have 802.1x installed
on both networks. "I could easily walk past the security guard in a
building and install a rogue access point," says Emma Leith, an
analyst at security consultancy Comsec Consulting.
Potter provides an even more worrying scenario: exploitation of
wireless clients that are already attached to a corporate network.
Generally, laptops will try to connect to wireless networks using
a service set identifier (SSID -
the public name of a wireless network) that they have already
connected to. Broadcasting a common SSID such as "default",
"linksys" or "T-Mobile" will often cause wireless clients to
connect to you. If those clients are inside a building, and
attached to a corporate network, it provides a way to infect them
with malware across the air and use them as vectors to compromise
large parts of the network that they are attached to, he says.
If misconfigured networks and wireless clients inside companies
can cause wireless security loopholes, mishandling of client
computers in public wireless situations can be even more damaging,
says Ken Munro, managing director of security consultancy and
penetration testing firm SecureTest. For example, one mistake that
users often make is to log into web-based services on public Wi-Fi
networks, he says.
Many web mail systems use secure, encrypted SSL sessions for
exchanging passwords. However, as
soon as the user is authorised to access the web service, the
communication session drops back into clear text again. An employee
divulging sensitive information via web mail or even plain text
Simple Mail Transfer Protocol (SMTP) e-mail is likely to be
giving it away to anyone with a wireless network sniffer in the
area, and this software is readily available online.
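The check a defender would want for the fall-back to clear text described above is an audit of which cookies a webmail client would replay on a plain-HTTP request. The script below is an added example, not code from the article or from any product it mentions: it takes a constructed sequence of request URLs and Set-Cookie headers (the hostname mail.example.test and the cookie values are made up) and reports every cookie issued over HTTPS without the Secure attribute that a later http:// request to the same host would carry past a wireless sniffer.

```python
"""Audit a webmail session for cookies that fall back to clear text (added example).

Given the URLs a client requested and the Set-Cookie headers it received,
report every cookie that was issued over HTTPS without the Secure attribute
and would therefore be replayed on a later plain-HTTP request to the same host.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def audit_session(session):
    """session: list of (request_url, [Set-Cookie header, ...]) in request order.
    Returns (finding, cookie_name, url) tuples."""
    jar = {}        # cookie name -> (host it was set for, Secure flag)
    findings = []
    for url, set_cookie_headers in session:
        parts = urlsplit(url)
        if parts.scheme == "http":
            # A browser attaches every non-Secure cookie for this host here,
            # so each one is exposed to a sniffer on the hotspot.
            for name, (host, secure) in jar.items():
                if host == parts.hostname and not secure:
                    findings.append(("cleartext_cookie", name, url))
        for header in set_cookie_headers:
            cookie = SimpleCookie()
            cookie.load(header)
            for name, morsel in cookie.items():
                # morsel["secure"] is True when the attribute was present, "" otherwise
                jar[name] = (parts.hostname, bool(morsel["secure"]))
    return findings


# Constructed session (hypothetical host and values): login over TLS,
# then the inbox and a message over plain HTTP.
LEAKY_SESSION = [
    ("https://mail.example.test/login",
     ["sessionid=abc123; Path=/; HttpOnly", "csrf=xyz789; Path=/; Secure"]),
    ("http://mail.example.test/inbox", []),
    ("http://mail.example.test/read?id=42", []),
]

# Same flow with the server-side fix: Secure on the session cookie and
# every post-login page kept on HTTPS.
FIXED_SESSION = [
    ("https://mail.example.test/login",
     ["sessionid=abc123; Path=/; HttpOnly; Secure", "csrf=xyz789; Path=/; Secure"]),
    ("https://mail.example.test/inbox", []),
]


def run_examples():
    return audit_session(LEAKY_SESSION), audit_session(FIXED_SESSION)


if __name__ == "__main__":
    leaky, fixed = run_examples()
    print("leaky session:", leaky)
    print("fixed session:", fixed)
```

The Secure attribute only keeps the credential off the air; if the server still serves the inbox over HTTP, the message contents go past the sniffer in the clear regardless, which is why the article's VPN advice applies even to sites that get their cookies right.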
"You will not know whether you were hacked over Wi-Fi or via
some other transactions that you were doing somewhere else. Wi-Fi
hacking has brought hacking from an expert sport into an amateur
sport. There are freely downloadable sniffer programs that you can
use to sniff information being sent to and from a hotspot," says
David Blumenfeld, senior vice-president of marketing at JiWire, a
company specialising in Wi-Fi-based advertising. "It is not just
e-mail. It is things like instant messenger, which is used for a
lot of corporate communication these days. You put a sniffer in
place, and there you go - it is easy to see the contents of that
e-mail," he says.
One answer to this is to surf across wireless networks using a
virtual private network (VPN) system, which tunnels back from the
laptop to the back-end server in an encrypted state. JiWire also
offers an encryption service for small businesses with no VPN setup
of their own, which encrypts information sent back to its servers
from a Wi-Fi connected client, acting as a proxy to the internet.
Other techniques to mitigate the problem include using an
SSL-encrypted e-mail service, and relying on encrypted corporate
versions of popular instant messaging programs. But neither of
those things alone will stop people watching where your CEO surfs
when he is using a public Wi-Fi hotspot.
Other potential attacks on wireless clients include the "evil
twin" method, in which an attacker simply sets up a fake Wi-Fi
hotspot using their own laptop and some special software. Users in
an airport that see the fake SSID (usually something like Free
Public Wi-Fi) connect to it, which then gives the attacker intimate
access to their network traffic and file system.
Some evil twin attacks can be even more aggressive, says Munro.
An attacker finds a public Wi-Fi hotspot, and uses a tool to knock
wireless clients off the network by sending a "disassociate" packet
that forces them to disconnect. The attacker uses his own software
to replicate the wireless access point, impersonating it with his
laptop. Making sure that the signal from their own laptop is
stronger (perhaps simply by sitting closer to the victim than the
access point is) causes the victim's computer to reconnect to the
attacker's laptop.
In addition to using a VPN, much of the protection against such
attacks comes down to common sense. Warning employees not to
connect to an unknown Wi-Fi access point, or to watch for duplicate
SSIDs, will help to minimise the likelihood of such attacks
succeeding. Auditing the Wi-Fi access points within your company
and installing 802.1x authentication on both the wired and
wireless infrastructures (or at least monitoring devices connected
to Ethernet ports) will help to avoid the rogue access point
problem. Using strong passwords or pass phrases will minimise the
chance of the encrypted networks being cracked.
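The evil-twin and disassociation behaviour described above, and the access-point audit recommended here, can both be turned into a wireless intrusion-detection check. The script below is an added example written for this article, not code from the article or from any of the firms it quotes. It assumes a hypothetical inventory of authorised SSIDs and BSSIDs and a constructed log of beacon and deauthentication observations, and it flags three things: a corporate SSID advertised by a BSSID that is not on the inventory, an inventoried access point still beaconing WEP or no encryption, and a burst of disassociation or deauthentication frames.

```python
"""Wireless audit over a constructed management-frame log (added example).

Three checks a defender would run against beacon/deauth observations:
  * a corporate SSID advertised by a BSSID missing from the inventory
    (a rogue access point or an evil twin),
  * an inventoried access point still beaconing WEP or no encryption,
  * a burst of disassociation/deauthentication frames, the step that knocks
    clients off a legitimate access point before they reconnect elsewhere.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical inventory of authorised access points: SSID -> BSSIDs.
AUTHORISED = {
    "corp-wlan": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "corp-guest": {"00:11:22:33:44:10"},
}
ACCEPTABLE_CIPHERS = {"WPA2"}   # anything weaker on a corporate BSSID is flagged


@dataclass(frozen=True)
class Frame:
    t: float          # seconds since capture start
    kind: str         # "beacon", "disassoc" or "deauth"
    bssid: str        # apparent transmitter; a forged frame spoofs the real AP
    ssid: str = ""    # beacon only
    cipher: str = ""  # beacon only: OPEN, WEP, WPA or WPA2


def parse_line(line: str) -> Frame:
    """One constructed log line: '<t> <kind> <bssid> [<ssid> <cipher>]'."""
    parts = line.split()
    t, kind, bssid = float(parts[0]), parts[1], parts[2].lower()
    if kind == "beacon":
        return Frame(t, kind, bssid, parts[3], parts[4].upper())
    return Frame(t, kind, bssid)


def audit(frames, burst_threshold=20, window_s=2.0):
    """Return a list of (finding, subject, detail) tuples."""
    findings = []
    seen = set()
    for f in frames:
        if f.kind != "beacon" or (f.ssid, f.bssid, f.cipher) in seen:
            continue
        seen.add((f.ssid, f.bssid, f.cipher))
        if f.ssid not in AUTHORISED:
            continue  # neighbouring networks are somebody else's problem
        if f.bssid not in AUTHORISED[f.ssid]:
            findings.append(("rogue_bssid", f.ssid, f.bssid))
        elif f.cipher not in ACCEPTABLE_CIPHERS:
            findings.append(("weak_cipher", f.bssid, f.cipher))

    # Sliding window over disassoc/deauth frames per apparent sender; the
    # threshold separates an attack burst from routine roaming.
    times_by_bssid = defaultdict(list)
    for f in frames:
        if f.kind in ("disassoc", "deauth"):
            times_by_bssid[f.bssid].append(f.t)
    for bssid, times in times_by_bssid.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= burst_threshold:
            findings.append(("disassoc_burst", bssid, peak))
    return findings


# Constructed capture: two real APs (one still on WEP), a cafe next door, an
# impostor advertising the corporate SSID, then 30 deauth frames in one second.
CONSTRUCTED_LOG = [
    "0.0 beacon 00:11:22:33:44:01 corp-wlan WPA2",
    "0.1 beacon 00:11:22:33:44:02 corp-wlan WEP",
    "0.2 beacon 66:77:88:99:aa:bb cafe-free OPEN",
    "0.3 beacon aa:bb:cc:dd:ee:ff corp-wlan WPA2",
] + [f"{10 + i / 30:.3f} deauth aa:bb:cc:dd:ee:ff" for i in range(30)]


def run_audit(log=CONSTRUCTED_LOG):
    return audit([parse_line(line) for line in log])


if __name__ == "__main__":
    for finding in run_audit():
        print(*finding)
```

In a real capture the deauthentication frames of an evil-twin attack carry the legitimate access point's BSSID, so the burst is attributed to the real AP and the rogue shows up separately through the duplicate SSID; the two findings together are the signature to alert on.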
Where a company does feel the need to run a public Wi-Fi system,
such as for visitors or contractors, putting it in a demilitarised
zone separate from the main corporate network is imperative, and some
traffic analysis hardware on that network to stop, say, repeated
suspicious traffic or large amounts of data being sent on ports
traditionally used for SMTP e-mail might help to prevent people
using it for nefarious purposes.
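The traffic-analysis step suggested for the guest segment can be expressed as a simple flow-log detector. The following is an added example, not code from the article or from any appliance it alludes to: it reads constructed flow records (timestamp, source, destination, destination port, bytes; the addresses are made up from private and documentation ranges) and flags a guest host that fans out to many distinct mail servers, which is what a spam bot does, or that pushes an unusual volume to the mail ports within a time window. The port set and thresholds are assumptions to tune for the site.

```python
"""Guest-network flow analysis for SMTP abuse (added example).

Reads constructed flow records ('<ts> <src> <dst> <dport> <bytes>') from the
guest segment and flags hosts that either fan out to many distinct mail
servers or push an unusual volume to mail ports inside a time window.
"""
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}     # assumed set of mail ports to watch
MAX_SMTP_PEERS = 5              # distinct mail servers per window a guest may use
MAX_SMTP_BYTES = 5_000_000      # bytes to mail ports per window
WINDOW_S = 300.0


def parse_flow(line):
    ts, src, dst, dport, nbytes = line.split()
    return float(ts), src, dst, int(dport), int(nbytes)


def detect_smtp_abuse(flows):
    """Return (finding, source_ip, peak_value) tuples, one of each kind per source."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        if dport in SMTP_PORTS:
            by_src[src].append((ts, dst, nbytes))
    findings = []
    for src, recs in by_src.items():
        recs.sort()
        peak_peers = peak_bytes = 0
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > WINDOW_S:
                start += 1
            window = recs[start:end + 1]
            peak_peers = max(peak_peers, len({dst for _, dst, _ in window}))
            peak_bytes = max(peak_bytes, sum(b for _, _, b in window))
        if peak_peers > MAX_SMTP_PEERS:
            findings.append(("smtp_fanout", src, peak_peers))
        if peak_bytes > MAX_SMTP_BYTES:
            findings.append(("smtp_volume", src, peak_bytes))
    return findings


# Constructed flows. 10.0.50.7 behaves like a spam bot (12 mail servers in
# 12 seconds); 10.0.50.9 is a visitor using one submission server and
# browsing; 10.0.50.12 pushes 9 MB to a single server on port 25.
CONSTRUCTED_FLOWS = (
    [f"{i}.0 10.0.50.7 203.0.113.{i + 1} 25 2000" for i in range(12)]
    + ["20.0 10.0.50.9 198.51.100.5 587 30000",
       "21.0 10.0.50.9 198.51.100.80 443 120000"]
    + [f"{30 + i}.0 10.0.50.12 198.51.100.5 25 3000000" for i in range(3)]
)


def run_detection(lines=CONSTRUCTED_FLOWS):
    return detect_smtp_abuse(parse_flow(line) for line in lines)


if __name__ == "__main__":
    for finding in run_detection():
        print(*finding)
```

Fan-out is the more reliable of the two signals: a legitimate visitor talks to one or two mail servers, so the peer count stays low however much mail they send, while a host relaying spam contacts a different MX for every recipient domain.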
With a little common sense and best practice in design, wireless
networks can be a boon for a company. But get it wrong, and the
same firm could find its data hanging in the wind. In this
situation, it is more important than ever that security
professionals and users are on the same wavelength.