
by Brian Reichow
November 7, 2006


I remember the first time I got to use WiFi/AirPort with my PowerBook seven years ago. It was so liberating being able to use my laptop pretty much anywhere. Since then, with convenient access points sprouting pretty much everywhere I went, I grew to take wireless for granted.

The first warning signs that I took notice of were in 2003, when WEP encryption -- what pretty much everyone used at the time to secure their wireless networks -- was cracked by some very smart people. By 2005, software tools had been created that made it trivial for the average person to do the same thing -- to jump onto a wireless network, even if they didn't have the password, and even if the wireless network was invisible or restricted to allow only specific machines (another popular security technique).

In response, the entire world shifted to WPA, an even stronger encryption method. (If you are still using WEP on your own wireless access points, for the love of God, switch to WPA immediately.) Though WPA encryption is still intact today, that first major wireless attack was like the arrival of the first email spams - just the beginning. I knew it would only get worse.

Since then, the problem has moved in other directions. Not only are there serious security issues on public wireless access points -- there's plenty to be worried about even on your company's wireless network. This document will discuss four major public WiFi security concerns and one that can lurk within your own office.

#1: Fake wireless networks

There are a shocking number of 'pirate' or 'rogue' wireless access points showing up in hotels, coffee shops, and even airports. These are set up not by the venue's designated wireless providers, but rather by unscrupulous identity thieves. Much like 'phishing' email scams, these access points are designed to look like the real thing -- believable wireless network names, greeting pages, requests for authentication, even secure credit-card payment screens. Unlike phishing emails, however, there aren't any strange URLs originating from web sites in Russia to tip you off. You don't know you've been had until it's too late and there's $5,000 in charges on your card.

Steps to take: If you use wireless, make sure you're truly on the REAL wireless network, particularly if you have to pay via credit card in order to use it. If possible, find out the legitimate wireless network name and IP address range the hotel, cafe, coffee shop or airport uses. Never connect to unknown 'ad hoc' (computer-to-computer) networks.

#2: WiFi wiretapping

This is nothing new, but it bears repeating since it's the most popular attack vector. ANYONE who is on the same wireless network as you can eavesdrop on ANY traffic that you or anyone else sends. It's so easy, the average 12-year-old can do it -- and that's no joke coming from one of the least paranoid people around.

Unless you're using a secure (SSL-enabled) mail server or provider (most aren't), or are using a VPN connection, every last bit of data -- passwords, email addresses, message bodies, attachments, complete folder names within your IMAP folder hierarchy -- is sent 'in the clear' (human-readable text) over the wireless network. Since most ISPs don't offer this level of security, it's another big reason to host your own email in-house. (Mac OS X Server 10.4 does secure email and secure webmail.)

With those passwords and knowledge of your email addresses in hand, it's party time for identity thieves, particularly since most people still insist on using the same passwords everywhere. They'll try them out at Amazon, eBay, PayPal, Skype, major banks -- everywhere.

Also, unless you're encrypting your instant-message conversations, or are using a VPN connection, your IM sessions can be eavesdropped upon. Again, any 12-year-old can do this. But it gets worse...

#3: Man-in-the-middle attacks

In a man-in-the-middle attack, someone on the same network as you employs clever software tools to replace data on the fly. One example of this is AIMject, a program that makes it possible to replace/override the content of instant-message conversations (both sent and received) without either party knowing it's happened. There are means of modifying email messages while they're being transmitted from your computer to your mail server, too.

Do you discuss things over IM that you would not want heard by unrelated third-parties? Something that could tip off competitors or the media? How would you feel if your IM conversations were being received with four-letter words peppered throughout, or with spam-style ads inserted, or simply were coming out incomprehensible due to one of these attacks?

There are spammers who are capturing IM 'handles' by eavesdropping on wireless traffic; later, they start sending unwanted IM messages to you. This new spin on spam is known as spim.

Steps to take: Secure your email server by using SSL; this will protect against some man-in-the-middle email attacks. Use VPN or encrypted IM; this will protect against man-in-the-middle IM attacks. Make sure both you and all your key business contacts use 'personal certificates' like those issued by Thawte and VeriSign; this will further protect against man-in-the-middle email attacks. Use secure (SSH-tunneled) file server connections or a VPN connection; this will secure your file server traffic.

#4: Old-fashioned hacking

Let's not forget about old-school, brute-force attacks... over wireless. Never turn on anything in the Sharing panel of your Mac's System Preferences, particularly Remote Login and Personal File Sharing. Your machine is at risk of an easy, automated attack by the average 12-year-old if you do. They'll turn your Mac into a spam factory or porn distribution center faster than you can possibly imagine. These opportunists specifically target IP address ranges used by hotels; studies have shown that automated attack robots ('bots') start pounding machines on hotel wireless networks within seconds.

If Remote Login is enabled, and you have an easy-to-guess password, you're going to be toast in a New York minute. Better (longer) passwords simply lengthen the amount of time it takes. When your compromised machine is brought back into the office, it can then be manipulated remotely to launch attacks on other machines, or your server, or even somebody else's servers via the Internet. When the latter happens, your ISP will shut off your Internet connection in a heartbeat. See how much your staff gets done while that gets sorted out.
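The automated password-guessing described above leaves a very recognizable trail in the system log when Remote Login (sshd) is on. The following is an added example, not part of the original article: it parses a handful of constructed OpenSSH "Failed password" lines (the hostname, source addresses and usernames are made up) and flags any source that fails repeatedly within a short window, which is the burst a hotel-network bot produces.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH failed-login lines as written to a syslog-style log.
# Assumption: prefix is "Mon DD HH:MM:SS host sshd[pid]: " with no year.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log: one burst from a bot, one ordinary typo by a real user.
SAMPLE_LOG = """\
Nov  7 09:14:01 powerbook sshd[412]: Failed password for invalid user admin from 192.0.2.45 port 40112 ssh2
Nov  7 09:14:03 powerbook sshd[413]: Failed password for invalid user test from 192.0.2.45 port 40113 ssh2
Nov  7 09:14:04 powerbook sshd[414]: Failed password for root from 192.0.2.45 port 40114 ssh2
Nov  7 09:14:06 powerbook sshd[415]: Failed password for invalid user oracle from 192.0.2.45 port 40115 ssh2
Nov  7 09:14:08 powerbook sshd[416]: Failed password for invalid user guest from 192.0.2.45 port 40116 ssh2
Nov  7 09:14:09 powerbook sshd[417]: Failed password for brian from 192.0.2.45 port 40117 ssh2
Nov  7 09:30:15 powerbook sshd[450]: Failed password for brian from 198.51.100.7 port 51000 ssh2
Nov  7 09:31:02 powerbook sshd[451]: Accepted password for brian from 198.51.100.7 port 51001 ssh2
""".splitlines()

def parse_failures(lines, year=2006):
    """Yield (timestamp, user, source_ip) for every failed-login line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def find_bruteforce(lines, window_seconds=60, threshold=5):
    """Return {ip: (total_failures, distinct_users)} for each source that
    produced at least `threshold` failures inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(events), len({u for _, u in events}))
                break
    return hits

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

Only the burst source is reported; the single failed attempt from the second address stays below the threshold, which is the distinction that keeps such a check from paging you every time someone mistypes a password.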

#5: Inside information leakage

So far, we've talked about serious problems that exist using WiFi/AirPort outside the office. Now, let's turn our attention to what can be done within the confines of your own office.

While everything I've said earlier in this document applies equally within your office, it's the notion of inside information leakage that is of primary concern. You may think you've taken steps to make some special project truly 'double top secret', but if an employee is eavesdropping on the wireless, they could have intercepted the document the last time you saved it. Or eavesdropped on an email or IM conversation you had with others inside or outside the company. Perhaps an employee was monitoring the wireless when your HR staff was working on employee reviews, or was preparing for an employee separation. Perhaps they're even the one that is the target of the separation.

Scary, isn't it?

Steps to take: Use secure (SSH-tunneled) file server connections to protect against eavesdropping on files while you're opening/saving them. Use secure (SSL-enabled) email. Use encrypted IM. Or, don't use WiFi/AirPort.

Consider all of the external WiFi security risks (#1-#4). Then consider an alternative option: EVDO cellular broadband.

WiFi/AirPort issues

  • security problems
  • isn't available everywhere
  • doesn't work in a moving vehicle
  • hotels often block certain key services - ever had trouble sending email from certain hotels?
  • must subscribe to or at least pay per-use fees for many different WiFi providers - can get expensive
  • may not be available at business locations for -- you guessed it -- security reasons

Using EVDO - which is available in virtually every major U.S. metropolitan area - avoids every one of these issues as well as any alternative out there. Its speed approaches that of WiFi except in rural areas, where the speed drops to about twice that of dialup.

Service through Verizon or Sprint costs approximately $60/month. The broadband access cards cost anywhere from $80 to $300, depending on the type purchased, the specific incentives offered by the provider and the term of the contract. There are also cell phones that can be used as a tethered or Bluetooth EVDO access point with an appropriate broadband access plan, like the Treo 700p.

---

Contact us if you're as concerned about these issues as we are.


All site content Copyright © 2008 Escape Systems Corporation

Escape, the Escape logo and associated designs
are registered trademarks of Escape Systems Corporation.
Escape Artist is a service mark of Escape Systems Corporation.