Opinion: Wireless is 'in'- How to use it wisely.

by Marcia J. Wilson, CCSP Staff Writer
March 02, 2004


"Reprinted from September 26, 2k3"

"Hot spots" are in vogue. I cringe when I think about Intel Corp.'s new push to provide free Wi-Fi access across the country so people can try it out. The promotion promises "free wireless access for a day" and "cool things to do unwired" and encourages business travelers to check out the hot-spot locations at hotels, cafes, airports and restaurants across the country.

I'm concerned. Business travelers need to understand the security risks involved with using wireless technology. As employees become more mobile, companies need to have good security awareness programs, as well as strict wireless policies.

The lure of the latte and the convenience of Wi-Fi

I must admit, it's enticing to think of sipping a latte at Starbucks with smooth jazz playing in the background while finishing up a corporate presentation and sending e-mail on my laptop using a wireless connection. All those wait times in the airport due to the security measures could become so much more productive if I could catch up on some work instead of sitting there staring at other miserable passengers.

At a recent client visit, I was offered an office and told that I could connect to its wireless network if I had my wireless network interface card with me. I asked if the client had secured its wireless network. The gentleman showing me around suddenly got a very insecure look on his face and mumbled something about Wired Equivalent Privacy. I smiled and declined the offer.

Hackers and snoops

In trying to convince a business associate who is also a constant traveler that it's not a good idea to connect to local hot spots without any thought of the security implications, I did a live demo for her.

I fired up Netstumbler, a wireless network scanner, and began to scan the area for wireless devices. Within 10 minutes, my scanner had picked up 65 wireless devices. The output of the scanner provided the Service Set Identification (SSID), Media Access Control address, network mode of the device, vendor name and other useful information that would make it easier to compromise the user's system. My Global Positioning System software gave me the latitude and longitude for each device and the street address. From the initial scan, I had a list of SSIDs and vendors; I consulted a list of default SSID, password and channel information for the same list of devices. This information would come in handy were I to turn my sights on compromising or attacking a system. But I didn't need to go that far.

The next step was to fire up a wireless sniffer that allowed me to capture traffic. Traffic capture allows for "grabbing" wireless transmissions. For example, if a business traveler sent an e-mail containing confidential information about something such as an impending merger, a layoff, a promotion or salary information, I could view the contents of that transmission in plain text. I could obtain the log-in and password information along with the e-mail server IP address. That would allow me to log into the e-mail server and obtain the victim's e-mail. Here are some sample screenshots.

Here's the victim's log-in information:



Here's the e-mail server's password request:



Here's the password reply:



And finally, here's the plain text message:



The live demo hit home. My colleague begged me to tell her how to secure her wireless activities while on business travel. That should have been the job of her employer, but I obliged with the standard advice that follows. But I urged her to bring the issue to the attention of her management.

Why does any of this matter?

The business traveler doesn't care about the details of wireless security. The traveler wants unencumbered and simplified mobility. But with the freedom of wireless connectivity comes responsibility. The end user's responsibility is to understand at a basic level why 802.11 wireless access is insecure and then to ensure that company information is protected. Wi-Fi hot-spot connections are vulnerable to attack because traditional security measures, such as authentication and encryption, aren't deployed.

Hot-spot Wi-Fi security

If you want to work wirelessly, here's what you should do:

1. Install firewall software on your laptop. These are some good choices:
   • Norton Internet Security 2004
   • Sygate Personal Firewall Pro
   • ZoneAlarm Plus
2. Make use of virtual private networking if you're accessing the corporate network that provides an encrypted "tunnel" for communications.
3. Encrypt e-mail communications. Try Pretty Good Privacy.
4. Use an intrusion-detection system, which is integrated into many personal firewalls.

Business travelers need to take steps to protect the corporate information that's in their care while working outside the office. If connected to a hot spot, they need to think about everything they do while online and assume that information is accessible to anyone. Do you have confidential information on your laptop? If you do, whatever transactions occur are vulnerable to theft. The guy in the coffee shop or airport or hotel nearby may be sniffing the wireless network gathering confidential corporate information.

Where the buck stops

Some companies don't allow wireless access on corporate systems inside or outside the organization. I have a colleague who works for a large telecommunications company. When the company issues a laptop to an employee, it makes it very clear that the company owns that laptop, not the employee. The laptop configuration is locked down so that employees can't install software, can't change operating system settings in any way, can't change network settings and can access only the corporate network through dial-up access to a private modem bank using three-factor authentication (using RSA Security Inc.'s SecureID).

Another colleague works for a research organization that doesn't believe in controlling the end user's interactions with the computer issued to him. However, the company spends a lot of time monitoring the network searching for rogue access points. Wireless installations are forbidden, and if found, the employee involved may be terminated.

Organizations must decide at the corporate level whether to allow their mobile travelers to use wireless. Clearly, the increase in productivity provided by wireless creates a return-on-investment scenario that makes a solid business case. Wireless is here to stay. The questions that need to be answered are: What is the company's wireless security strategy? How do employees implement wireless inside and outside the organization? And how does the company secure its current wireless implementation? How does the company migrate from its ad hoc wireless implementation to an integrated, centrally manageable, secure setup?

I'll examine those questions and make some suggestions in future columns.

*Note: Some links to stories may no longer function or now require you to register to view.





by Marcia J. Wilson ComputerCops Staff Writer


Marcia J. Wilson holds the CISSP designation and is the founder and CEO of Wilson Secure LLC, a company focused on providing independent network security assessment and risk analysis. She is also a free lance columnist for Computer World and Security Focus.


She can be reached at . Corporate website: wilsonsecure.com (see Prime Choice top left)
Copyright ©Marcia J. Wilson All Rights Reserved 2004.