DOD IT projects come under fire

Wireless LAN security lapse at defense agency

For weeks, the agency responsible for the U.S. Department of Defense's global networks and classified command and control systems had a gaping security hole in its own front yard. Security cameras at its Arlington, Va., headquarters were connected to a nonsecure wireless LAN until last week.

Chris O'Ferrell, chief technology officer at NetSec Inc. in Herndon, Va., which provides intrusion-detection services to numerous federal agencies and commercial customers, detected the nonsecure wireless LAN at the Defense Information Systems Agency (DISA) on May 10.

While parked across the street from DISA's headquarters, O'Ferrell was able to view the Service Set Identifier (SSID) numbers of access points and numerous IP addresses. Using a standard 802.11b wireless LAN card attached to his laptop computer and AP detection software from San Diego-based, he was able to scan the network in less than half an hour.

Lackadaisical Safeguards

O'Ferrell, who didn't attempt to enter the network, also determined that DISA had failed to protect the system with the most basic form of 802.11b security, the Wired Equivalent Privacy (WEP) protocol.

The lack of encryption and other protections could make it possible for an intruder to enter the security camera system by launching a denial-of-service attack against a specific access point, allowing the intruder to "spoof" that access point. That would enable him to view what security personnel see with the closed-circuit TV camera.

The wireless LAN allows security personnel to remotely pan, tilt or zoom the cameras, according to Betsy Flood, a DISA spokeswoman.

That information could make it easier for intruders to conduct a physical penetration of the compound, which houses the Defense Department's Global Network Operations Center, Computer Emergency Response Team and Network Security Operations Center.

O'Ferrell expressed concern that DISA had taken what he considered to be a casual approach to wireless networks operating at its headquarters.

Flood confirmed that DISA had operated a closed-circuit TV security camera system for about 45 days without encryption while it was being tested. During that time, she said, anyone sniffing the nonencrypted system could indeed "see what we see on our video monitors, i.e., the parking lot, the front gate, the fence line, etc."

Flood, who said on May 16 that the agency planned to encrypt the network by the end of that day, also acknowledged that one of the cameras was broadcasting the "AP-BLDG 12" SSID, an access point SSID for one of the cameras in the compound. She said DISA is working with its vendors to change settings to make the system more secure.

Flood said DISA's closed-circuit TV wireless LAN would be encrypted with 64-bit WEP and a trademarked 128-bit encryption algorithm from Bedford, Mass.-based RSA Security Inc. called RC4. She added that it would also be protected by a control table for Media Access Control addresses, the unique identifier for each computer on a network.

Flood emphasized that the wireless LAN security camera system was separate from other DISA networks.

O'Ferrell said the SSID of the access point he detected had an obvious name; AP-BLDG 12 easily correlated with the building number painted on the DISA headquarters. Such information could help an intruder "launch a 10-second [denial-of-service attack] against the DISA [access point], knock it out, set up their own [access point] with the SSID, and DISA would never know," he said.

O'Ferrell said it's both prudent and easy to turn off an SSID.

Joe Weiss, vice president of the network application division at Aeronautical Radio Inc. in Annapolis, Md., which provides wireless communications services to the airline industry, said it's a good idea for DISA to encrypt traffic to and from closed-circuit TV cameras running over an 802.11b wireless system. Operating them in the open would make it easy for non-DISA personnel to take control of the system, he said.

Earlier this year, Weiss said, an 802.11b wireless camera installed by one airline at Dallas/Fort Worth International Airport was inadvertently controlled by personnel at another airline.

Jim Lewis, a technology and public policy analyst at the Center for Strategic and International Studies in Washington, said DISA's security lapse illustrates the problems that the proliferation of wireless systems and devices poses for government and commercial organizations.

"This could happen to anyone, because people are deploying systems before thinking about security," he said.

Reporter Dan Verton contributed to this story.


Stop the Sniffers

Wireless LAN detection, sniffing and hacking tools have become more sophisticated over the past year and are widely available on the Web. To protect their wireless networks, enterprises should:

Disable the Service Set Identifier

on all access points and wireless devices. If an SSID is broadcast in the clear, snoopers could set an access point with the same SSID and route network traffic through their device.

Encrypt all IP addresses.

Broadcasting IPs in the clear makes it easy for an attacker to determine network topology.

Encrypt all sensitive traffic

using the 128-bit Advanced Encryption Standard algorithm.

Sniff their own buildings.

Increasingly, users are making end runs around IT and plugging an access point into the office LAN for convenience.

Check "war driving" bulletin boards

such as to see if their access points have been sniffed and identified.

Confine the signal

to a building or corporate campus by using tuned, directional antennas in lieu of omnidirectional antennas that come with off-the-shelf access points.

Copyright © 2002 IDG Communications, Inc.

Shop Tech Products at Amazon