NetStumbler proves a vulnerability point

When Gartner Inc. security analyst John Pescatore wants to illustrate the wide-open nature of wireless LANs to enterprise clients, he tells them to check out the Web site. On the site is a map that starkly illustrates the vulnerabilities of 25,000 exposed wireless LANs across the country.

The NetStumbler Web site offers freeware written by Marius Miner, a San Francisco Bay area software developer, that allows anyone with an 802.11b wireless LAN access card to sniff out key details about wireless LAN access points. That includes their Service Set Identifiers (SSID), which Pescatore said are equivalent to a person yelling, "I'm here." In the case of wireless LANs, the listener is a laptop or handheld computer outfitted with a wireless LAN access card.

NetStumbler software also allows users to determine the Media Access Control address of an access point, and can help a user determine whether the built-in Wired Equivalent Privacy (WEP) protocol is turned on or off. The software also has hooks that allow the use of a Global Positioning System receiver to precisely determine the location (within 10 meters) of a given access point. also features online forums where users relate their "war drives," in which they look for wireless LANs around the country. A map shows the number of networks users have discovered and reported in the past year. The map currently displays 25,000 access points, 80% of which fail to have basic, built-in security turned on.

Pescatore said the number of wireless LANs that NetStumbler users have discovered over the past year might have reached the kind of critical mass that will cause corporate users to tighten up their security. Pescatore said he believes that could do for wireless LAN security what the release of the "Satan" (Security Administrator Tool for Analyzing Networks) did in illustrating the vulnerability of wired networks in the late 1990s.

"Corporate America has a long way to go" to get its wireless LAN security act together, said Wayne Slavin, founder and webmaster of the NetStumbler Web site. Slavin bases his assessment on the number of networks discovered that run the out-of-the-box default SSID of "tsunami." That's the default SSID of wireless LANs manufactured by Cisco Systems Inc. on expensive gear more likely to end up in enterprise rather than home networks, Slavin said.

Rick Doten, a program manager at NetSec Inc., a network security firm in Herndon, Va., said enterprise IT managers also need to be aware of other wireless LAN tools freely available to "war drivers", including two programs that can crack WEP: Airsnort and WEPcrack. Though it takes considerable computer horsepower to run either of these tools, Doten said, they can crack WEP and help users extract passwords from encrypted data.

Finally, Doten said, enterprise managers need to defend against the threat from within, which he described as "rogue wireless networks." Just as office workers hauled PCs into a mainframe environment 20 years ago without the knowledge of the IT department, workers are now installing, without permission, their own wireless LAN access points. And if they leave WEP off and keep the default SSID, it's an open invitation to NetStumbler-equipped war drivers, Doten said.

Copyright © 2002 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon