Security News > 2000 > December > Wireless Acrobatics
----------------------------------------------------------------------- Wireless Acrobatics By Carole Fennelly Performing high-wire acrobatics wire without a safety wire requires a great deal of skill and confidence. The same could be said for running a secure network without wires. Wireless is definitely in vogue these days. Cell phones and PDAs abound on commuter trains and, more annoyingly, in restaurants. Some people seem almost neurotic if they are away from the Net, even for a short while. The wireless network at the recent LISA conference in New Orleans brought scores of techies to the lobby bar -- to silently socialise over IRC. Like children on a playground, corporate managers always want the latest toys and you'd be hard pressed to attend a meeting without someone whipping out their PDA. Wouldn't it be cool to be able to read company email and update your calendar while killing time at the airport? If only we had wireless access to the corporate LAN. Management's wish equals the IT department's command -- especially if other companies' managers have wireless access. Establishing wireless access is becoming a high-priority issue at many companies, no doubt over the corporate security curmudgeon's objections. CNN: Wireless technology presents new security challenges http://www.cnn.com/2000/TECH/computing/09/07/wireless.risks.idg/index.html Wireless technology sets data free from the physical confines of wire, which also means problems controlling who receives the data. Peter Shipley commented to me about his new hobby driving around Silicon Valley picking up networks on his laptop. "War driving" is replacing "war dialing" in the wireless age. In some ways, wireless LANS actually offer better security than wired LANS. A corporate spy attaching a sniffer to a wired network and collecting all sorts of unencrypted data is certainly not outside the realm of possibility. But only an idiot would configure a wireless LAN to a corporate network without some form of encryption. However, many wireless vendors turn encryption off by default and the end user rarely thinks to check. By their very nature, public wireless LANS -- hotels and airport lounges -- cannot be encrypted. While the term "encryption" gives people warm fuzzies about security, it is no panacea. 40-bit DES, which many people use to satisfy encryption requirements, isn't even that difficult to brute force. Another issue is key exchange. Most 802.11 implementations rely on a never-changing single key, even if a laptop is lost or an employee leaves the company. But even if strong encryption is employed, data headers remain unencrypted and allow anyone to see the source and destination of the data stream. Perhaps the most underestimated threat to wireless network security is a Denial of Service attack. An intruder does not need to steal or compromise data to cause financial harm. If someone were foolish enough to implement a wireless network on a mission-critical system, such as a trading floor, an attacker would merely need to clog the network with bogus radio transmissions. The SEC takes particular interest in delayed trades. Wireless technology is certainly convenient; however, like any new technology, security and quality will undoubtedly take second place to new features. Sure, I can browse the Web with my cell phone but I really just wish my phone would stop dropping calls. About the author(s) ---------------- Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting. She has been a Unix system administrator for almost 20 years on various platforms, and provides security consultation to several financial institutions in the New York City area. She is also a regular columnist for SunWorld (http://www.sunworld.com). Visit her site (http://www.wkeys.com/) or reach her at carole.fennelly () sunworld com ----------------------------------------------------------------------- ADDITIONAL RESOURCES Wireless LANs finally make their way to standardization http://www.itworld.com/jsw/unxsec_nl/swol-05-1998/swol-05-connectivity.html Handhelds, Wireless LANs Raise Security Flag Experts say choose passwords carefully http://www.itworld.com/jitw/unxsec_nl/cma/ett_article_frame/0,2848,1_647,00.html Wireless LAN Security http://www.wlana.com/learn/security.htm Known vulnerabilities in Wireless LAN Security http://www.niksula.cs.hut.fi/~mkomu/docs/wirelesslansec.html A good paper with more cautions: http://www.tml.hut.fi/Studies/Tik-110.300/1999/Wireless/vulnerability_4.html Wireless LAN Security Issues (good checklist!) http://isds.bus.lsu.edu/fall98/7520/WirelessLANs/audit.htm Slides from Chris DiBona's presentation on wireless LANS http://www.dibona.com/slides/bazaar/index.html Wireless Networking Product Comparison Charts http://www.practicallynetworked.com/networking/wireless_chart.htm United to Offer Wireless Web access at airports: http://www.idg.net/go.cgi?id=380212 Privacy on Mobile Internet Studied http://dailynews.yahoo.com/h/ap/20001213/tc/mobile_privacy_2.html ----------------------------------------------------------------- http://www.itworld.com ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
News URL
http://www.cnn.com/2000/TECH/computing/09/07/wireless.risks.idg/index.html