Secrets in the Air
Computerworld -
Even as you read this, some of your corporate gear-heads are installing wireless base stations and network interface cards (NIC) behind your back. They may not know it, but they're essentially broadcasting the message "Here I am" to the world around them.
In that world are hackers like Dr. Who (in the Boston area) and Pete Shipley (in the San Francisco area), who drive around with their own wireless NICs in what's called promiscuous mode. The hackers' NICs are picking up the signals and Media Access Control (MAC) addresses of your company's broadcasting devices and using them to map your network access points. They can then impersonate those MAC addresses to waltz right into the wired network.
"Corporate information is floating through the air, and the company doesn't even realize they're wireless," says Ed Skoudis, vice president of security strategy at Predictive Systems Inc., an IT services firm in New York. "Of your Fortune 100 companies, the vast majority of them have wireless [networks]; they just don't know it yet."
It's too late to outlaw wireless access, because die-hard users will find ways to use it behind your back. But your company can mitigate risk with an effective wireless deployment policy that covers internal, remote and traveling workers.
The Risks
Rogue wireless access points open new avenues for old attacks, says Skoudis, who covers wireless security in his new book, Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses (Prentice Hall, 2001).
Uncontrolled wireless access means attackers can read e-mail, sniff for superuser accounts and passwords, and gain root or administrative access to certain machines. They can also drop in Trojan horses (hidden executable programs) like Back Orifice for remote monitoring and open other back doors into the network.
Wireless access points can also be subverted to launch attacks against other businesses, something that's trivial to do, according to Chris Wysopal, who runs a wireless hacking lab as director of research and development at @Stake Inc., a security services firm in Cambridge, Mass.
A comprehensive user and wireless security policy will help reduce those risks. Start by scanning your networks to find and map access points, the way Shipley and Dr. Who do. You can use your own wireless device to do this (the NICs ship in promiscuous mode), or you can use freeware and commercial wireless scanning tools to help map these access points.
Then start a user awareness campaign, suggests Katherine T. Fithen, senior manager of the cybercrime prevention and response unit at PricewaterhouseCoopers in New York. Tell them why wireless LANs need to be secured and update your user policy to treat wireless access points the same way you do modems.
Mobile/Wireless
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Southern Company
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Defending Against the Storm
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Managing Laptops Outside the Office
Learn how you can reduce costs by tracking mobile computers no matter where they are located.
Airport Insecurity: The Case of Lost Laptops
Download Now
4G Ahead Video Program
Uncover the features and benefits of the two leading 4G technologies for enterprises considering future deployment.
Case Study: Roughing IT
Download Now
Complimentary Webcast: Taking a Strategic Approach to Enterprise Mobility
Download This Webcast Today!
