Wireless technologies may be gaining in popularity, but around 60 per cent of sites deploying wireless LANs have not enabled encryption, leaving the door wide open to hacker attacks, says an Australian security expert.
According to Kim Valois, Australian-based director, global information security services, at Computer Sciences Corp. (CSC), most system owners and users have no knowledge of where their data is going and do not realize that wireless networks are ‘always on’.
The key weakness of wireless networks, Valois said, is not the Wired Equivalent Privacy (WEP) security protocol, which can be broken within 15 minutes, nor even WEP2, which has not been released but has already been broken, but human factors.
“IT departments need to read the (wireless) manual so they know how to set up the security within the box.”
Joseph Church, senior member technical staff for CSC and part of the company’s strike force – a ‘white hat’ ethical hacking group based in the United States – said his group has found most companies have WEP turned off.
“If a wireless network is set up out-of-the-box, the network is wide open.”
Church said this vulnerability has been demonstrated time and again and likened the level of skills required to complete a hack into a wireless network as something a “seven-year old could do.”
He said that by using a sniffer program such as Netstumbler, a free tool downloadable from the Internet that finds the Media Access Control (MAC) address of the wireless access point (WAP), hackers are able to get the SSID (service set ID) of a network.
“Netstumbler does not announce itself; it just listens. It doesn’t look at the content of the data, but finds the traffic. (Picking up) passive detection is very difficult.”
Valois points out that it is not illegal to turn on tools that can scan the airwaves, but said that to look at or track information is “improper.”
Church said that, unknown to many systems administrators, the default network name of wireless access points is the vendor name, and the default key for every vendor is available on the Internet.
“So, even if Wired Equivalent Privacy is enabled, the hacker can simply find the numbers, put them in and then be seen as a host on the network.”
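The two observations above, that a listener can recover an access point's MAC address and SSID without transmitting, and that an out-of-the-box SSID is a vendor name, can be checked from a single beacon frame. The following is an added example, not code from the article or from CSC: it parses raw 802.11 beacon frames (the 24-byte management header, the fixed timestamp/interval/capability fields, and the tagged SSID element), reads the BSSID and SSID, and reports whether the Privacy bit in the capability field is set, which is what a WEP-enabled access point advertises. The sample frames are constructed inline with `build_beacon`, the MAC addresses are made up, and the `DEFAULT_SSIDS` list of vendor default names is an assumption for illustration, not an authoritative list.

```python
"""Passive 802.11 beacon audit (added example, not from the article)."""
import struct
from dataclasses import dataclass

# Assumed, illustrative list of out-of-the-box network names (not exhaustive).
DEFAULT_SSIDS = {"linksys", "tsunami", "default", "wireless", "wlan"}

PRIVACY_BIT = 0x0010  # capability info bit 4: Privacy (WEP required to join)
TAG_SSID = 0          # tagged parameter number of the SSID element
MAC_HDR_LEN = 24      # FC(2) Duration(2) DA(6) SA(6) BSSID(6) Seq(2)
FIXED_LEN = 12        # Timestamp(8) Beacon interval(2) Capability(2)


@dataclass
class Beacon:
    bssid: str
    ssid: str
    privacy: bool  # True when the AP advertises WEP

    @property
    def default_ssid(self) -> bool:
        return self.ssid.lower() in DEFAULT_SSIDS


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame: bytes) -> Beacon:
    """Parse one raw beacon frame; raise ValueError for anything else."""
    if len(frame) < MAC_HDR_LEN + FIXED_LEN:
        raise ValueError("frame too short for a beacon")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype != 8:          # type 0 = management, subtype 8 = beacon
        raise ValueError("not a beacon frame")
    bssid = _mac(frame[16:22])              # Address 3 of a beacon is the BSSID
    _ts, _interval, cap = struct.unpack_from("<QHH", frame, MAC_HDR_LEN)
    ssid = ""
    pos = MAC_HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):            # walk the tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            break                           # truncated element: stop, keep what we have
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")
        pos += 2 + length
    return Beacon(bssid, ssid, bool(cap & PRIVACY_BIT))


def build_beacon(bssid: bytes, ssid: str, privacy: bool) -> bytes:
    """Construct a minimal beacon frame for offline testing (constructed data)."""
    hdr = (bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6   # FC, duration, broadcast DA
           + bssid + bssid + b"\x00\x00")                    # SA, BSSID, sequence control
    cap = 0x0001 | (PRIVACY_BIT if privacy else 0)           # ESS bit, plus Privacy if WEP
    fixed = struct.pack("<QHH", 0, 100, cap)
    ssid_ie = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])         # supported rates element
    return hdr + fixed + ssid_ie + rates_ie


def audit(frames) -> list:
    """Return (bssid, ssid, [issues]) per unique AP; non-beacons are skipped."""
    findings, seen = [], set()
    for frame in frames:
        try:
            b = parse_beacon(frame)
        except ValueError:
            continue
        if b.bssid in seen:
            continue
        seen.add(b.bssid)
        issues = []
        if not b.privacy:
            issues.append("no WEP")
        if b.default_ssid:
            issues.append("default SSID")
        findings.append((b.bssid, b.ssid, issues))
    return findings


# Constructed sample capture: made-up MAC addresses, one data frame, one repeat.
SAMPLE_FRAMES = [
    build_beacon(b"\x00\x06\x25\x01\x02\x03", "linksys", privacy=False),
    build_beacon(b"\x00\x40\x96\x0a\x0b\x0c", "tsunami", privacy=True),
    build_beacon(b"\x00\x02\x2d\x11\x22\x33", "corp-lab", privacy=True),
    bytes([0x08, 0x00]) + b"\x00" * 40,     # a data frame, not a beacon
    build_beacon(b"\x00\x06\x25\x01\x02\x03", "linksys", privacy=False),
]

if __name__ == "__main__":
    for bssid, ssid, issues in audit(SAMPLE_FRAMES):
        print(f"{bssid}  {ssid!r:12} {', '.join(issues) or 'ok'}")
```

Nothing in the audit transmits: everything it reports comes from frames the access point broadcasts anyway, which is the point Church makes about passive detection being hard to notice. A real capture would be read from a monitor-mode interface or a pcap file rather than the constructed list here.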
The next step for a hacker, once he has reached this stage, is to run a vulnerability test and find a back door, so he doesn’t have to use the wireless access point to access the network next time.
“Layers of defense are important as hackers then have to work harder and may leave clues for owners,” which, he said, may give them time to stop the hack.
However, Valois said, due to resource issues, IT departments do not have the people to be proactive when it comes to security.
“A lot of people don’t consider monitoring and logging. An incredible amount of work is required to put these types of procedures in place. Before Y2K, no one was spending money on security as everyone was focused on the date; only this winter and post-September 11 has interest (in security) been heightened.”
Valois said few Internet service providers retain logs for more than three days; if the IT department is not monitoring its own networks, the trail will go cold during a post-hacking investigation and the infiltrator may never be tracked down.