|
|
This is a full, online-duplication of the story originally printed in the Bowling Green Daily News on Tuesday, August 16, 2005, Money Section, B1. For the actual newspaper in pdf format: Page B1, B2.
Open Secrets
Wireless Internet connections aren't as secure as people think
Reporter RAED G. BATTAH
So you've owned your laptop for a couple of years and recently upgraded with a wireless card that keeps you on line no matter where you go. You consider security risks, but tell yourself no one has any interest in you. Besides, the worst you've ever done is keyed a nasty breakup letter to your significant other, or maybe viewed a risqué Web site your mother wouldn't approve of.
You're convinced you're safe from would-be IT assailants. Anyone interested in lifting private information from your computer must be a tech-savvy hacker with thousands of dollars worth of decrypting hardware.
Wrong. The truth is, you're as exposed as a newborn baby, even with the most popular commercially available security applications.
Richard Pickett is a network security specialist who serves the major communications firm Nortel. He's a former Marine and most recently made his way through town documenting unsecured wireless Internet access points.
He demonstrated how vulnerable networks downtown are. With software from the Internet, a few special pieces of hardware and an old laptop, Pickett revealed a highly unguarded secret about wireless use.
"If (users) are using the most up-to-date, off-the-shelf wireless equipment with all the security features turned on, their network is not secure and any information passing over the network is available to the public," he said. "Any business that uses its computer systems for sensitive information such as law firms, financial services organizations and medical offices that have wireless networks have an obligation to their clientele, and in some cases a federal requirement, as is the case with HIPAA, to take additional measures to secure their wireless networks."
One objective of the Health Insurance Portability and Accountability Act of 1996 was to guarantee security and privacy of health information.
Dr. Jeffrey Morgan operates a dental office on Rockingham Lane in Bowling Green . Morgan, like all medical specialists, physicians and health care administrators, is required to adhere to HIPAA regulations and ensure patient information is secure and confidential. Morgan said his office uses a number of computers. For ease of use and portability, Morgan wanted his internal office network to be wireless, but secure.
"We use a wireless router," he said. "To be HIPAA compliant, we have to have a secure encrypted signal so someone can't just drive up to my office and get on my network."
Not all the tenants in Morgan's building are HIPAA compliant, he said.
And not everybody has an encrypted signal.
Pickett said Morgan's network is configured to not accept wireless traffic unless it's coming from the secured connection and the security server doesn't grant access to any traffic from the wireless network except the traffic coming from the authenticated and secured connections.
Pickett said while average home wireless users may not face the same legal liabilities as a business, they open themselves up to possible identity theft by not having a secure wireless connection.
"While they may not have important information on their computer, allowing unsecured wireless access to their computer opens them up to virus infection and network-based attacks over their wireless network from nearby wireless-enabled computers that are already infected," he said.
Pickett also said users may feel secure by enabling their stock security applications, but security applications are not all the same.
Some may think that public WiFi spots are secure because so many people are using them. In fact, these spots are some of the most vulnerable and lucrative for attackers.
Pickett said most public WiFi spots purposely have security turned off, which means even the most casual observer can watch everything going across the wireless network.
"People often use public WiFi spots to check e-mail, and most e-mail servers don't support a secured connection from the local computer to the server," he explained. "This means their password and all their e-mail is transmitted over the wireless network in clear text. A would-be attacker not only gets to read all the e-mails, but now they also have the all-important password. Most users don't use different passwords for their different accounts, so once an attacker obtains one password they will have access to most of the accounts of that user.
"Another common activity done at public WiFi spots is to check online banking," he said. "While it is good that the banking industry uses a secured connection from the client computer to their server, the attacker observing the wireless network now sees which bank the user has an account with. Armed with the password, their first and last name obtained from reading their e-mail, and their online bank, they can now try to guess the account name and use the password from the e-mail session."
To make "off-the-shelf" security hardware more effective, Pickett said users should use commercial-grade virtual private network connections from the client computer across the wireless network to a server located beyond the wireless network (on the LAN). Pickett said he can help make that affordable for residential use.
Pickett said the wireless industry flooded the market with hardware and software before a clear understanding of the technology was established. Users are now susceptible to heinous attacks without really understanding the source of their vulnerability.
According to "Wireless Hacks: 100 Industrial-Strength Tips & Tools," by Rob Flickenger, Pickett's claims about wireless networks are right on. In the industry acclaimed book, Flickenger sets up a pseudo network with a laptop and desktop with a secured connection and additional encryption, and using Kismet, the same free, downloadable software Pickett used, was able to break into the network in less than two hours.
"Using inexpensive hardware and freely available tools, a typical Wi-Fi network can be easily cracked in a mere hour and a half ... if you are concerned about wireless security, you must use strong application-layer encryption and authentication," Flickenger wrote.
Rick Mitchell is CEO of Sirque Wireless Internet in Bowling Green . Mitchell works with a different kind of wireless technology than the kinds Pickett describes, but many of the technologies overlap when it comes to service and accessibility.
Mitchell markets Frequency Hopping radio equipment from Alvarion. Frequency hopping was invented by Hedy Lamarr and is not the same modulation scheme used by Direct Sequence radios that are labeled WiFi.
"WiFi was created for ease of operation and simplicity, not for security," Mitchell said.
"I looked at both technologies when I set up my company. I felt like the frequency hopping technology was more secure and more survivable."
Mitchell and Pickett are colleagues, customers and even competitors. But Mitchell said Pickett was essentially on the mark when describing wireless accessibility.
Pickett said since inexpensive accessories have made wireless use so widespread, securing, especially business networks, is essential.
Pickett said in the end, the liability lies on the shoulders of the end user or business that implements the wireless.
"In the case of a publicly available WiFi spot, the liability is on the user of the WiFi spot, but the WiFi provider can take steps to not only inform their patrons, but relieve themselves of any liability," he said. "They can post a 'terms-of-use' policy with examples of risks, suggestions for safe usage, and a statement that the end user takes all the risks when using the network."
Richard Pickett at CSR Technologies can be reached at (270) 746-0324, online at http://www.CSRTechnologies.com or e-mail at Richard.Pickett@CSRTechnologies.com.
|
