Rogue Access Point Leads to Embarrassment
An unauthorized and undetected wireless access point lets a visitor into the corporate LAN.

Security Manager's Journal by Mathias Thurman

(COMPUTERWORLD) - My company is now down one employee. The person I wrote about last time [QuickLink 41938], who authorities suspected was using his workstation to trade child pornography, was escorted from the premises last week.

Since receiving the search warrant that led to his dismissal, I haven't heard anything from the investigators, but I'm sure the guy is in big trouble.

We had a chance to analyze the image of his hard drive, and there were extensive directories with different categories of porn. Not that you'd notice unless you opened the files: He had saved almost all of the images with innocuous-sounding file names. I'm sure this was done to bypass our filters, which detect files that have words related to pornography. I don't think my company will suffer any loss as a result of this guy's departure, as he seems to have spent most of his time at work on his illicit collection.

Surprise Guest

This week I received a message from a friend of mine who works for a vendor my company uses. He suggested that my security team and I review our wireless policy, because he was able to connect to our corporate intranet via an open wireless access point while visiting another department recently. This was both surprising and embarrassing, since we have established a policy on wireless LAN use and thought we had rooted out problem devices months ago.

I called my friend, and he said he had been visiting one of our software development centers to give a demonstration of his company's debugging software when he noticed a problem. During the presentation, his personal firewall started popping up messages, asking for permission to allow connections to the Internet.

But he wasn't physically attached to the network and was in the middle of giving a PowerPoint presentation. After the meeting, he did some checking and noticed that his laptop's integrated WLAN adapter had automatically connected to an access point in our facility. The Service Set Identifier code on that access point was set to the default name "default" with no encryption enabled, so he had unfettered access to our corporate intranet.

My team and I try to be proactive in monitoring for these problems. We use the AirWave Management Platform from AirWave Wireless Inc. in San Mateo, Calif., in combination with access points from 3e Technologies International Inc. in Rockville, Md., to scan for rogue devices. But we use it only at our corporate headquarters. We don't have the budget to purchase this infrastructure for remote offices such as the software development center.

I called the IT manager at the software development center, shared the story from my friend and asked him if he knew of any authorized wireless access points there. The manager said he installed two access points about a year ago but said he had removed them when our WLAN policy came out several months ago. Nonetheless, he agreed to walk around his facility to search for the rogue access point.

The manager's search turned up nothing, so I packed up our AirMagnet Handheld, which we bought from Mountain View, Calif.-based AirMagnet Inc., and sent it to him by courier. Two days later, I walked him through operating the device. He immediately picked up a single wireless signal and tried to locate the access point using the signal strength meter. However, because of the construction of the building, he was unable to pinpoint the device's location.

Backtracking

The next step was to try to locate the access point via the Media Access Control (MAC) address on the switch to which it was connected. Every network interface card (wireless or not) has a unique hardware address. The first three octets identify the vendor, and the remaining characters provide an ID number. Since the access point was open, meaning no encryption or other access control was enabled, the manager could use the AirMagnet device to associate to the access point. And since I already knew the MAC address of the wireless PC Card installed in the Compaq iPaq that runs the AirMagnet software, we could trace that back through our network infrastructure.

I called the network engineer responsible for the switch at the development site, gave him the iPaq's MAC address and asked him to conduct a search of the switch ports. A few hours later, he called back with the information: Cat Switch 02, Blade 4, Port 8. The network engineer then gave me another MAC address -- the one for the wireless access point. The access point acts as the hub for wireless devices, so both the access point and the device share the same switch port.

The IT manager at the site then had the facilities manager trace the Ethernet connection from the switch port to the patch panel. Then, using a map, he determined the exact location of the suspected wall jack. It was in a cubicle belonging to one of the software engineers. The offending device was a Linksys access point that the engineer had purchased for $79 at Wal-Mart.
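The switch-port search described above, as an added example (not code from the article or from any vendor's tooling): it parses a MAC address table, finds the port where a known client MAC was learned, and lists the other addresses sharing that port. The table layout, the sample addresses and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a switch MAC address table (not from the article).
# MACs are taken from the RFC 7042 documentation range 00-00-5E-00-53-xx.
SAMPLE_TABLE = """\
VLAN  MAC Address     Type     Port
10    0000.5e00.5301  dynamic  4/7
10    0000.5e00.5310  dynamic  4/8
10    0000.5e00.5311  dynamic  4/8
10    0000.5e00.5312  dynamic  4/8
20    0000.5e00.5320  dynamic  4/9
"""
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def normalize_mac(text):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, whatever separators were used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def oui(mac):
    """First three octets of the address: the vendor prefix."""
    return normalize_mac(mac)[:8]

def parse_table(text):
    """Map each port to the list of MACs learned on it; header lines are skipped."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports[m.group(4)].append(normalize_mac(m.group(2)))
    return dict(ports)

def trace(table_text, known_mac):
    """Return (port, other MACs on that port) for a known client MAC."""
    known = normalize_mac(known_mac)
    for port, macs in parse_table(table_text).items():
        if known in macs:
            return port, [m for m in macs if m != known]
    return None, []

def multi_mac_ports(table_text, limit=1):
    """Ports that learned more MACs than a single-host access port should."""
    return {p: m for p, m in parse_table(table_text).items() if len(m) > limit}
```

Uplink and trunk ports legitimately carry many addresses, so exclude them before treating the output of `multi_mac_ports` as a list of suspect wall jacks.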

The user hadn't seen our wireless policy and didn't know about security configurations or the ramifications of installing an unauthorized, misconfigured access point. He had simply installed the device as a convenience. The facilities manager removed the access point and gave the engineer a copy of our policy. Other than mentioning the incident to his supervisor, there was nothing else to do.

One lesson I learned is that after we issue a security policy, we should follow up with regular reminders. We'll also make some changes to our employee orientation program to include a short discussion on current security policies (especially wireless) and to reiterate existing policies and acceptable-use guidelines.

ComputerWorld
Posted on Saturday, 08 November 2003 @ 04:55:00 EST by phoenix22