|
||
Research and retrieval of news articles by: SPECIAL NOTE TO ALL VISITORS: |
THE WEAKEST LINKWithout security walls, many wireless networks become vulnerable to hackersSource: Toronto StarPosted on October 1, 2001 Information is flying all over downtown Toronto, streaming out of the wireless computer networks of small businesses, financial firms and law offices. Without proper security for these networks, anyone on the street can eavesdrop on their e-mail and files. But most wireless computer networks simply aren't equipped with security systems. A wireless local area computer network is made up of one or more computers and a central hub - just like a regular computer network, only without wires between the machines. Instead, information travels back and forth between the hub and computer using radio waves. Wireless networks are becoming popular with small businesses that don't have the money to rip up walls for new wiring. A report by Forrester Research Inc. released in March indicated almost 75 per cent of the companies surveyed said they would be implementing a wireless network in the next two years. `It's like putting a (computer) jack on the outside of your building and inviting the public to plug in.' - Ben Sapiro, Senior consultant, Information Risk Management, KPMG But the technology does have unique security issues. The radio waves used in wireless computer networks aren't blocked by windows and walls, just like the radio waves that transmit the Top 10 songs to your car stereo. So a hacker can pick up the signal of a wireless computer network from the sidewalk. Wi-Fi, or 802.11 as it's often called, is a standard protocol for wireless computer networks developed by the Institute of Electrical and Electronics Engineers Inc. It is arguably the most popular system currently in use, but not all wireless computers use it. (Cellular phones use an entirely different system to transmit messages and therefore aren't subject to the same security flaws.) Wi-Fi networks do have some built-in security, a message scrambling system known as Wired Equivalent Privacy (WEP). WEP scrambles, or encrypts, the data on the network into a kind of secret code that can only be read by authorized users with the special unscrambling key. But WEP can't work if it's turned off. And Sapiro said it's a surprisingly common situation. To test his claim, Sapiro took a cab ride in Toronto's downtown core with his laptop and an antenna. The wireless card in his laptop was set up to search for wireless networks. The extra antenna would help pick up weaker signals that might be missed by the tiny antenna in the laptop's wireless card. In 15 minutes, Sapiro detected 43 Wi-Fi networks. And only nine are using the standard encryption. The rest are exposed. Any data sent from one of the wireless computers on the network to its central hub can be picked up by Sapiro's antenna and read on his laptop. An e-mail to a partner about their new licensing agreement, or a database of employee salaries - it could be anything. "If I wanted to stick around and break the law, I'm rather certain we'd find something very interesting,'' Sapiro said, adding that an unprotected wireless network can be used for industrial espionage. A quick read through a couple of files from a Wi-Fi network could be enough to reveal some useful passwords, ultimately giving Sapiro control over the company's entire computer network. Files could be altered or deleted. A wireless computer network used by a design studio, for instance, could be used by a hacker to launch an attack against another company - and all clues would point back to the designers. Sapiro isn't the first one to do this kind of testing. Searching for unprotected wireless networks, or "war driving'' as it's commonly called, was first started by Peter Shipley, a computer security researcher from California. Now it's a popular pastime for security professionals across North America. War driving field tests in cities such as San Francisco and New York yield similar results. Sapiro estimates 70 per cent of all Wi-Fi networks aren't protected with WEP. He wouldn't reveal the identity of any of the vulnerable companies, but he said the list included small law offices, investment firms and consulting companies. Ren Hamel, senior manager for KPMG's forensic technology group, found the results of his war driving in New York "scary.'' "I was at the World Trade Center a month ago with the Secret Service and they were talking about war driving,'' he said. They did a war driving tour in what was one of New York's hottest financial districts - right around trade centre's twin towers, now collapsed by terrorist attacks Sept. 11. There were lots of wireless networks, but not a lot of security. "The Bank of New York was the only one using encryption,'' said Hamel. Security professionals speculate there are a few reasons why only a small percentage of business are using WEP. Bruce Comeau, 3Com Corp.'s regional sales manager for Western Canada, said many firms don't even realize their employees are running wireless networks - so they don't even know they are exposed. "Employees view it as kind of a cool technology, so they set up a rogue (wireless) network and just don't tell anyone,'' Comeau said. Using WEP, just like any kind of encryption, will also slow down your data transmission. It takes time for each file to be encoded and decoded. A lack of faith in WEP may be another part of the problem. WEP is certainly not invisible. Earlier this year, researchers at the University of California at Berkeley reported on several security problems with WEP. The vulnerabilities could be exploited to defeat the encryption scheme. But it's still a complicated hack, so industry experts recommend using WEP anyway. It's a strong deterrent, like locking your front door even though you know someone could still break in with a crowbar. "The key issue is that some security needs to be implemented,'' said Jeff Abramowitz, executive director of the Wireless Local Area Network Association. The association works to educate the public about wireless computer networks out of its headquarters in Ohio. "WEP prohibits casual eavesdropping and is certainly better than no security,'' Abramowitz said. He and Sapiro agree that there are other types of security that should be implemented in addition to WEP, mostly other kinds of encryption and password systems that provide extra layers of protection. Sapiro said he believes the underlying cause of WEP's limited use is simply a lack of education and that people don't know the risks or understand the solutions. "If we could raise awareness and have people fix the security upfront, it would make our lives easier,'' he said. He hopes his war driving demonstration will educate the public about wireless security. He isn't out to steal corporate secrets or take down the Internet. But there are plenty of hackers up to the task.
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes. |
ALERT WebTrust Is Your Best Defense Against Privacy Breaches. Get WebTrust Working For Your Site. |