14 Sep Wireless – Are you at Risk and Liable?
Recently, I was at a security conference and stayed at a hotel, which promoted wireless Internet service for $9.95 per day. They claimed that they had implemented it so only those on the first floor could get wireless Internet access.
I do not purchase wireless Internet service when I’m at seminars because I usually get access to my network at the seminar host’s office. Out of curiosity, on my second night at the hotel I plugged my Linksys wireless card into my laptop and was authenticated to the hotel’s wireless network and had pretty good Internet access for free. I was on the second floor and I did not have to do anything special to gain Internet access. I was using it anonymously and completely free of charge. Even worse, there were many wireless users on the wireless network that probably purchased the service. I noticed by browsing around that most of the systems had complete drives shared and no passwords to access their systems.
If you’ve been to an airport, coffee shop, library, hotel or any other public place that offers wireless Internet access, you may notice some places with easy and anonymous access to free wireless Internet service. This has many serious implications for information security:
Are you vulnerable?
1. Intruders can use these wireless networks to gain high bandwidth and anonymous access to attack other networks on the Internet.
2. Intruders could find vulnerable systems that are unpatched or mis-configured using the wireless network. These intruders could install malicious programs, like keyloggers or Trojans, and use those attacked systems to attack the victim’s corporate offices.
3. Intruders could find information about the guests that have personal laptops and steal their identities from the information contained on their computers (such as the information within Quicken, Contact List, etc.)
4. Intruders get free Internet access while other law-abiding people have to pay for the services.
5. Many systems that are sold today have wireless built into the systems. Often times computer users may not even know their systems are vulnerable to attackers.
As an information security professional, it is very discouraging to see how easy it is to perform breaches to information security when it can be prevented. Most often the common reason for not securing systems (in this case wireless networks) is because strengthening the system increases administration and management of the system. It also makes it harder for the users of the system. One hospitality manager that I talked to stated that if it isn’t easy to use, then guests will not buy it. He would rather have a weak network rather than lose an amenity.
Are you liable?
My question is, “Where is the due diligence from the owners of the wireless systems?” “Shouldn’t there be a law requiring wireless network owners to secure their systems to prevent attackers from abusing the system?” I have performed a lot of research looking for cases where wireless networks were used as sources to attack systems and have found no real strong cases to show that wireless networks owners are penalized for weak wireless infrastructures. My only theory is that it hasn’t happened yet or the cases are settled before they make it to court. Either way, as more victims recognize they are victims due to weak wireless network configurations, more cases should occur. Most likely the cost of the cases will penalize the law-abiding community in the form of higher guest rates, coffee prices or increased taxes due to the amount of traffic in the court system.
What can be done about it?
The technology exists but it is more difficult for the user and the wireless network administrator to use. In my opinion, the cost of prevention outweighs the cost of the ease of use, especially for the rest of the Internet community.
Here is an excerpt from the National Institute of Standards and Technology (NIST) Special Document 800-48 regarding Securing Wireless Network Configurations:
· Maintain a full understanding of the topology of the wireless network
· Label and keep inventories of the fielded wireless and handled devices
· Create backups of data frequently
· Perform periodic security testing and assessment of the wireless network
· Perform ongoing, randomly timed security audits to monitor and track wireless and handheld devices
· Apply patches and security enhancements
· Monitor the wireless industry for changes to standards that enhance security features and for the release of new products
· Monitor wireless technology for new threats and vulnerabilities
· Implement intrusion-detection systems to enhance monitoring
Many NIST documents can assist in providing “due-diligence” for protecting information security.
I recommend wireless owners who offer public access consider these implementations:
· Post your information security policy at the front desk, entry ways and in your public access areas
· Assure the guests of these services understand the consequences of using the service if their systems are not configured securely
· Assure that the staff of your organization is properly trained to prevent or identify attempted security breaches
· Invest in the value of security by implementing, configuring and accepting the security over the ease of use
If you take a laptop and drive around your city you will see wireless networks that are not secure. You could also evaluate organizations in your city by looking them up on the Internet because most “War Drivers” have mapped and published the weak wireless networks out there.
When I realized I had free access, I immediately removed my Wireless card and informed them of the free Internet capability on the second floor. The front desk person said that they would tell their manager. What are the odds of them securing the wireless system?
I recently read that identity theft is growing at a phenomenal rate and it has a lot to do with weaknesses in information security practices. The weak wireless networks are out there and until organizations that own weak wireless networks realize the impact of how it is affecting the public, or a legal precedence is set instead of settling out of court, it will continue to occur.
Larry Boettger GIAC, MCSE, CHA, CHP, CHSS, is an Information Systems Data Security and Business Technology Specialist with Inacom Information Systems in Madison, Wisconsin. He can be reached at firstname.lastname@example.org.