Wireless Hackers Leave No Tracks

Unprotected WLANs give hackers an untraceable way to launch attacks across the Internet.

I'm a parasite. I didn't pay for the bandwidth I'm using right now. I didn't ask for permission to use it -- I don't even know whom to ask. But I'm on holiday, I have a few bits of work to finish up before I can relax, and I need to send my e-mail.

The broadband service in the rented house doesn't work, so I stuck in my wireless LAN card and found two WLANs covering the house. One has a Service Set Identifier of "lopez" and has Wired Equivalent Privacy turned on; the other has an SSID of "default" and no WEP.

My wireless card has automatically associated with the "default" base station, which gave me a Dynamic Host Configuration Protocol address. Now I'm connected to the Internet at 11Mbit/sec. with no fee and no restrictions on what I can do.

When WLANs hit the mainstream a few years ago, the security focus was on confidentiality, and vendors included WEP to encrypt data in the air. WEP has flaws -- it might not stop a snooper in your parking lot from reading your data -- but just the fact that "lopez" had it turned on was enough to turn my attention elsewhere. Why hack "lopez" when "default" is sending in the clear?

But having data sniffed from the air isn't the real threat that wireless poses. That problem is easily solved by using cryptography. A bigger worry is "de-perimeterization," which is a fancy way of saying that the walls of the normal fortress model are falling away, thanks in part to wireless. In the good old days, you inventoried all external connections and put firewalls in front of them. Now, nearly every organization has so many connections to the outside that it isn't feasible to set up firewalls to control access to all of them. If your wireless users need access to all of the internal services, what can you block with a firewall?

And if you're a hacker, why bother trying to intercept data from the traffic flying about when you can just connect to the network and pretend to be a legitimate client? Once you become a full node on the network, you don't have to wait for a client to connect to download the information you want and sniff it. Instead, you can just waltz right in and take what you want. This is a lot less covert, but unless the target has a hair-trigger intrusion-detection system configuration and very good triangulation equipment, you probably won't be discovered.

My company's authorized wireless access points have strong authentication, so only legitimate clients can connect, but all our exterior defenses might be for naught if a staff member plugs in a $99 access point.

To protect against this, my team and I run regular sweeps to check for illegitimate access points that might allow unauthorized users to connect. We had a few early run-ins with staff when we began the sweeps, but now the authorized service is so good that everyone is happier using that than they would be trying to sneak new equipment into the office.

Insecure Access

In these sweeps, we've detected many access points that are transmitting from outside the company walls. It's interesting to see that all the bars and restaurants near our offices have WLANs for waiters to send orders to the kitchen. All are insecurely configured. However, since the worst anyone could do is jump the queue for ordering drinks, perhaps the low level of protection is all that's necessary.

The only time I really went white was when a sweep at my company identified more than 30 unauthorized access points on a single floor. I couldn't imagine why an entire department would go crazy and try to provide its own competing WLAN service.

But when I tried to connect to one of the access points, I could get only a printer service Web page. It turned out that our printer vendor had shipped a batch of printers with wireless printing support enabled by default. Each was functioning as a WLAN access point. We disabled the cards and asked the vendor to do the same with future orders.
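The sweeps described above come down to an inventory check: everything heard on the air that is not on the list of authorized radios is a rogue candidate, and an open one is the kind a passer-by can join. This added example (not the column's or the company's own tooling) shows that check over a constructed "ssid,bssid,encryption" scan format; the BSSIDs and SSIDs are made up, with the two networks from the opening paragraphs and a printer radio thrown in.

```python
# Added example (not from the column): a rogue access point sweep check.
# Compares a scan result against an inventory of authorized BSSIDs and
# flags anything not on the list, plus any AP transmitting without encryption.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # MAC address of the radio, the stable identifier
    encryption: str   # "WEP", "WPA" or "OPEN" in this constructed format


# Constructed inventory of the access points the security team deployed.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Constructed scan output; no real scanner emits exactly this format.
SAMPLE_SCAN = """\
corp-wlan,00:11:22:33:44:01,WPA
corp-wlan,00:11:22:33:44:02,WPA
default,00:aa:bb:cc:dd:01,OPEN
lopez,00:aa:bb:cc:dd:02,WEP
HP-Print-3F,00:cc:dd:ee:ff:10,OPEN
"""


def parse_scan(text: str) -> list[AccessPoint]:
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, enc = (f.strip() for f in line.split(",", 2))
        aps.append(AccessPoint(ssid, bssid.lower(), enc.upper()))
    return aps


def find_rogues(aps, authorized=AUTHORIZED_BSSIDS) -> list[AccessPoint]:
    """Any BSSID missing from the inventory is a rogue candidate, whether it
    is a neighbour's router or a printer shipped with Wi-Fi switched on."""
    return [ap for ap in aps if ap.bssid not in authorized]


def find_open(aps) -> list[AccessPoint]:
    """Open APs are the ones anyone in range can join with no credentials."""
    return [ap for ap in aps if ap.encryption == "OPEN"]


def sweep_report(text: str) -> dict:
    aps = parse_scan(text)
    rogues = find_rogues(aps)
    return {
        "total": len(aps),
        "rogue_bssids": sorted(ap.bssid for ap in rogues),
        "open_rogue_bssids": sorted(ap.bssid for ap in find_open(rogues)),
    }
```

Matching on BSSID rather than SSID matters: a rogue can copy the corporate SSID, but its radio address will still be absent from the inventory.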

Rogue access points in the office are a problem we can solve, but the real WLAN problem that strikes terror into my heart is the home user.

Before WLANs, if I were a hacker or virus writer or if I wanted to download or share illegal material, I had limited options. I could use my own account and eventually get caught after the feds tracked the abuse back to me. I could steal an AOL account by phishing until the feds used phone traces to catch me. Or I could wander into a Web cafe, do my evil deeds and flee, leaving closed-circuit TV footage, fingerprints and physical evidence the feds could use to put me behind bars.

With WLANs, things have changed. On most streets in big metropolitan areas, a few people have broadband, and at least one uses it with an insecure wireless connection. Perhaps half of those people turn on the Windows XP firewall, but that won't stop an attacker. They just get within range and connect. There's no physical evidence, no closed-circuit TV, and the poor schmuck whose broadband connection gets used is the one whom the feds raid.

So while the WLAN connection I'm using now is helpful to me as I finish up my work while on holiday, someone else could just as easily be using it to launch attacks before disappearing anonymously back into the night.

There's no chance that home users will move to two-factor authentication for their wireless networks, so I'm making sure that my current designs for Web-facing infrastructure don't rely on being able to track down and stop attackers. Clearly, that's no longer possible.

What Do You Think?

This week's journal is written by a real security manager, "Vince Tuesday," whose name and employer have been disguised for obvious reasons. Contact him at vince.tuesday@hushmail.com, or join the discussion in our forum at QuickLink a1590.

To find a complete archive of our Security Manager's Journals, go to computerworld.com/secjournal.

Copyright © 2004 IDG Communications, Inc.
