With Wireless, Easy Road is Riskiest Path
When it comes to a wireless connection at home, convenience and ease-of-installment could lead you to an unsafe set up. eSecurityPlanet columnist Bob Hillery walks you through a safer connection -- for you and your corporate laptop.
I spend a lot of time dealing with information systems and technology people, so I tend to lose sight of what everyone else 'knows' about technology. Ask a neighbor, ''Do you have a computer? Do you know how to use it?'' They will probably reply, ''Sure I do. I bring work home from the office all the time. The rest of the family uses the computer, too. The kids email Granny and their friends. The kids do their homework on it, and we shop online all the time.''
However, if you ask how they wired their computer up to the Internet, they often say they found a much easier way -- wireless. Just hook up a wireless gadget to the cable or DSL modem, then they can use the computer anywhere in the house.
Cool. Isn't it?
Let me explain.
I live in a rural area of New England -- farms, horses, houses, some encroaching suburbia, and streets that see 10 or fewer cars per day. While driving around, however, you don't have to look too hard to see various corporate and city parking permit stickers. It's clear that a lot of people commute to the many nearby business parks, tech corridors, and universities.
That's a hint about what sort of networking might be happening at home.
I drove from my office four and a half miles to the town library where we are working on a program of community Internet safety and security presentations. During the short trip, I was running a FreeBSD UNIX laptop with dstumbler to detect wireless access points along the way.
I was not using a sniffer to capture packets -- just detecting the wireless stations. Looking at packets just opens too many ethical questions and tends to start heated debate over legal issues. I simply choose to not go there unless specifically under agreement with a particular client for network assessments or penetration testing.
In just four and a half miles, I found 42 different wireless stations broadcasting. More than 75 percent were not showing any encryption (WEP) in use. There were even a few laptops that were most likely in peer-to-peer or adhoc network mode.
Given the likelihood that those would be Windows systems, and the default Windows system has file and printer sharing ON, with netbios enabled for network neighborhood discovery, it's trivial to join the net and just browse through the other systems' files. In fact, Windows XP would give you a pop-up box alerting you to a new network and ask if you wanted to join.
This means that, if I had malicious intent, I easily could have captured the traffic from computer to access point. Free analyzers like Ethereal simply reassemble the TCP streams for reading email, user names, passwords, and account information from any Web transactions.
Almost half of the access points were default installations -- indicated by a small 'd' on the dstumbler screen. That is, the channel and SSIDs were 'out of the box' setups. It would be a pretty safe guess that the admin login and passwords also were defaults in many of those systems. There's even more risk if you realize that many people use one password for several purposes -- say, the linksys router AND the computer -- and that password has probably been sent clear text over the wireless connection.
Oh, 'short range' you say?
You can't connect from the family room, let alone from outside the house? Check out any of the many antennae you can buy for wireless cards to significantly improve receiver sensitivity range. You even can build your own for less than $15.
That means anyone with a connection from the street could not only read your email at the same time you are, but they also could take control of your home network, reconfiguring to ensure they have future access.
It wouldn't really matter which computer was used to get access -- the kids' desktop, the one in the home office, or that laptop from work that's wirelessly connecting to both the home and then, tomorrow, to the office. How many traveling laptops get screened by network security when they come back from home or from business trips? Most are simply reconnected to the corporate network at their docking stations -- behind the protection of the firewalls.
The last point to make here is that about one-third of these systems (including some that had at least used WEP for some measure of security) had personal information embedded in the SSID they assigned. That's right -- names, phone numbers, a home business name, and things that looked like kids' or teenagers' nicknames or screen-names.
Full names, company names, the name of the equipment manufacturer all reveal the kind of information attackers gather during their reconnaissance phase. Why should you give it away?
There are steps you can take:
True, all of this takes some added planning and effort. And, yes, there may be ways for elite hackers to get around some of these simple security measures. But it will stop the script kiddies of the neighborhood. And stopping the first 20,000 probes on you network is a pretty good morning's work.
I don't want easy access to be so easy that anybody can connect to my access point.
And if you think using these basic corporate security ideas at home is inconvenient, try reinstalling every piece of software on all the computers in your house. And try explaining to your boss how a hacker gained access to the corporate network because your laptop was unsecured at home.
Now, that would be inconvenient!
Bob Hillery, a former computer and security manager for the U.S. Navy, is a founder of Intelguardians, LLC, a security consultancy. With experience in the corporate, military and academic worlds, he now also is an instructor with the SANS Institute.
By Bob Hillery
July 12, 2004
eSecurityPlanet columnist Bob Hillery takes us into the trenches as he flies in to help a client after an attack took down the company's key servers. Could IT and business communications be the biggest hurdle in front of him?