Computerworld - No matter how much detail one provides to upper management regarding a vulnerability or a security issue, sometimes a technology that isn't in the company's best interests is approved.
My problems started when an executive within the company proposed building a LAN infrastructure using an 802.11b wireless LAN. By his figures, rolling out wireless would help the company avoid more than $2 million per year in lost productivity. I have a hard time believing that we would save that much, and I've yet to see any supporting documentation. Most of our employees have offices or cubicles with wired connections, and each conference room has enough Ethernet drops so that anyone who wants to connect his laptop to the corporate network can do so easily.
A few months ago, when the decision was made to implement a wireless network, Windows NT administrators within the IT department did the initial implementation on our development network. They're very good administrators, but they knew nothing about wireless technology and installed everything using the default settings. This included using the notoriously insecure 40-bit Wired Equivalent Privacy (WEP) protocol encryption and the default Service Set Identifier (SSID) codes that identify the wireless hubs on the network.
Weaknesses Revealed
Upon reviewing the install, my team was able to demonstrate how weaknesses in the implementation would allow a hacker with freely downloadable software and a $100 wireless LAN card to sit outside our building and gather information that would then let him gain access to our corporate network. We positioned ourselves on the street in front of our building and used these tools to start collecting packets and crack the WEP algorithm. I'm not a cryptographer and don't know the details of WEP encryption. But by using these tools, which compiled easily on our Unix server, I was able to collect network packets and crack the WEP key.
After I demonstrated this to our CIO, he trashed the wireless project, and that appeared to be the end of it - until three weeks ago. Suddenly, the executive staff was at it again, deciding that we should implement a wireless LAN anyway. We were being forced to implement a technology that has a history of being insecure. Although I didn't think the benefits outweighed the security risks, the deployment was happening anyway. So we had to make the best of it.
Fortunately, I was able to convince management that my team should at least specify the products and configuration to improve security. After reviewing the options, we decided to
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
