If you get lost in the alphabet soup of acronyms or get lost in the "over your head" technology, don't miss this one point: Wireless networks built with Common-Off-The-Shelf equipment (COTS) with all the security bells and whistles turned on is still insecure. It's so insecure that it doesn't meet the legal requirements of due diligence for any company that has private information on it's network or should have restricted access to it's computer systems.
Due Care and Due Diligence. These are terms that come up in every aspect of business planning and practice, especially in the area of security. Due Care is defined as the responsibility a company takes for the activities that take place within the corporation and has taken the necessary steps to help protect the company, it's resources, and employees from possible risks. Due Diligence is defined as the activities that ensure the protection mechanisms are continually maintained and operational. Due Care is the initial actions to ensure security, Due Diligence is the maintaining of the security initiated by Due Care.
If a company does not practice Due Care and Due Diligence pertaining to the security of it's assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence. Employees, shareholders, customers, others involved, and even the government can sue successfully for negligence if it can be proven that Due Care or Due Diligence were not kept up to par with the current standards and security measures that are widely accepted and recommended by the IT security community.
Wireless networks use special cards and Wireless Access Points (WAP or just AP) to connect together instead of using wires. Wireless cards and APs are radios that operate at 2.4 GHz (the most common) and 5 GHz, the same frequencies used by cordless phones and microwaves. Just as people have scanners today that pick up cordless phones, there are freely available tools that allow wireless users to eavesdrop on wireless networks. Imagine having a private conversation on a loud speaker phone in the middle of a room full of people - that's what it's like to use a wireless network. Everything that is being said to you and everything you are saying is said loud enough for everyone around you to hear. Just like a scanner can pick up cordless phone signals, other wireles-enabled computers can pick up nearby wireless networks, whether that network was intended for that computer or not.
Business Risk. Here are a few examples of companies with sensitive information that can be leaked by using wireless without adequate security:
- A business that keeps track of sensitive information like credit cards or competitive information.
- A medical office or hospital that cannot allow patient information to be leaked to the public or be publicly accessible in accordance with HIPPA.
- A law firm dealing with highly sensitive information for clients or current legal proceedings.
- An accounting office that handles a number of client's account numbers and financial standings.
- A business person traveling with their laptop accessing sensitive email via wireless access points.
In every case the liability falls back to the company unless they have a solid wireless usage policy in place signed by each employee, in which case the employee caries the full burden of liability. Click Here For Our Business Solutions.
Home User Risk. Here are a few examples of instances when home users put themselves at risk by using wireless:
- The home user reads email over their private wireless network. Most email servers today don't use any form of security to encrypt the user's password or the email read or sent. Often users will have one password they use with all of their online accounts. This allows an eavesdropper to easily access other people's online banking accounts using the following steps. The eavesdropper (1) sees the password sent to the email server when the user retrieves their email, then they (2) wait to see what online bank the user will access (which can be hours later) and then (3) they can easily guess the user name as a mix of first and last name (from all the email they read) or social security number (which can be found online within an hour or so).
- The home user doesn't have their computer properly firewalled and can be directly attacked by another individual that accesses their files or who may destroy files or install a virus. This home user can also be indirectly attacked by another computer already infected with a virus that looks for nearby wireless computers to infect.
In home-use risks the burden of liability isn't so much an issue because of course the individual bears the liability. The key factor is the individual has to deal with a disabled computer (at the least) or stolen identity (at the most). Click Here For Our Personal Solutions.
Public Access Point Provider Risk. One last example to cover all the bases. The local coffee shop sets up a public Access Point for it's patrons to use while they relax. While using their network a user reads their email and accesses their various bank and credit card accounts. Any number of problems can develop from their online usage ranging from identity theft to public disclosure of private details covered in an email read while using the Access Point. Since the Access Point provider didn't take the necessary steps to inform their patrons of the risks they can face litigation which at the least is troublesome and time-consuming. Click Here For Our Public Access Point Solutions.
The need for wireless security for everyone is obvious. Wireless security on common wireless equipment comes in two basic flavors today, WEP and WPA.
Wired Equivalent Privacy (WEP) was originally developed to be just that - as private as wired networks, but it never has been. With WEP each computer has a secret key, and they use their secret key and something called an Initialization Vector (IV) to encrypt each packet. The IV is added in because if only the secret key was used the encrypted packets (blocks of data going over the wireless network) can be easily cryptographically analyzed and the secret key will be discovered within seconds. By adding the IV to the key, each packet is encrypted differently and they cannot be easily analyzed to determine the WEP key. The problem arises from two factors: (1) the IV is not encrypted but is transmitted "clear text" along with the packet it was used to encrypt and (2) eventually two packets will be transmitted with the same IV. Once two packets are captured that have the same IV the same process of cryptographical analysis is done that would have been done as if no IV were used at all and the WEP key is obtained within seconds. Most wireless networks have enough traffic to duplicate the IV every few hours. That means an eavesdropper would only have to collect wireless network traffic for a few hours before the WEP key would be obtained and the eavesdropper could see all of the data unencrypted and even join the network to use it for himself, including accessing and destroying files of the computers on the network. The bottom line, WEP can be cracked within a few hours.
WiFi (or Wireless) Protected Access (WPA) was developed from the 802.11i standard which addresses the wireless networking security concerns. 802.11i was very promising but after 4 years of work the 802.11i standard hadn't been released. Manufacturers feeling the pressure from the negative aspect of WEP's security failure went ahead and implemented some parts of 802.11i that had been developed at that time. WPA is much more secure than WEP, but it is still not secure enough to meet Due Care and Due Diligence liabilities. WPA's weakness lies in the initiation of each session using the pre shared secret key. Just like with WEP, once enough key-encrypted packets are collected, the key can be cryptographically deduced. With WPA, the most significant packets (the ones that are encrypted with the shared key) only happen at the beginning of a wireless session so it would appear that a much longer period of time would be required before the key could be uncovered, but it's not the case. WPA attackers now have tools that can force client computers to re-initialize their wireless session and thus send the important packets again. Attackers just use the tool repeatedly to make clients reinitialize their sessions until enough packets are captured to cryptographically analyze the packets and obtain the WPA key. The bottom line, since the attacker forces clients to send duplicate session initialization packets the delay seen in WEP waiting for duplicate IV packets is skipped and WPA can be broken into faster and easier than WEP.
There are other forms of security available on wireless equipment, but there are several problems that prohibit their use. First, they are more expensive because they offer "commercial grade" security. Second, since they are more expensive they are not commonly available, local computer stores don't think the more expensive equipment will sell to the end user so they don't cary it. Third, because the security is more advanced, it's also not user friendly, and user friendly is what sells in wireless. The average wireless consumer doesn't want to take an expensive wireless package home and then not get it to work because it's a little to complicated, so the wireless industry aims at satisfying the "plug-n-play" attitude prevalent in today's computer market. A fourth reason is in most cases in order to implement more secure wireless the existing equipment cannot be used, so there is a large expense of new equipment and a complete loss of the initial investment in the original equipment that isn't cryptographically strong enough.
You can now see how insecure common wireless equipment is and that the manufacturing and sales industry has their own profitability as a motivating factor to not inform the public about the insecurity. In all of this there is good news.
For Businesses with wireless networks. Using your existing wireless equipment (or equipment used on a new install) we can add one of our proprietary Security Servers just behind your Wireless Access Point that will secure all your wireless computers with your existing network and prevent attackers from connecting to any of your wireless computers and the rest of your wired network. The Security Server can also secure your high-speed Internet connection (if you have one) much more than any hardware firewall that exists today on the market. The security used for the wireless network meets or exceeds current security Due Care and Due Diligence standards (depending on your usage). Contact Us today for your free Business wireless security evaluation.
For individuals connecting to public Access Points. We are currently developing a product that will secure your wireless connection over any public access point you may use. You can travel the world and connect to the Internet with any available wireless network and completely secure your connection over the wireless network. The wireless security meets or exceeds current security Due Care and Due Diligence standards (depending on your usage). Sign up today for your Wireless Personal Security Account.
For business or individuals providing public Access Points. We are currently developing a product that will pop-up a "user assumes all risks" agreement form for the user to "accept" or not be able to use the public Access Point. This alleviates the burden of liability from the public Access Point provider and places it squarely on the user. CSR Technologies can work with any public Access Point provider to provide this solution at no cost, and it can turn into an avenue for income for the public Access Point provider. Contact Us today to discuss your public Access Point and how we can help inform your users and generate additional income for your business.
.
