WASHINGTON D.C. -- What with country singer Lee Greenwood's recorded rendition of patriot songs like "Glory, Glory, Hallelujah" and "God Bless America" playing over the sound system at 8:30 a.m. in the Commerce Department auditorium in Washington, D.C., one could have been excused for thinking the July 20 conference: "Pharmers and Spimmers, Hackers and Bluejackers: Combating Wireless Security Threats" was taking place during a national...
emergency. Far from it.
True, speakers decried the lack of concern in corporate America over security threats to wireless local area networks (WLANs) and enterprise systems. On the other hand, the threat level doesn't seem to be all that high yet. Mark Henderson, senior analyst, U.S. Computer Emergency Readiness Team, which operates out of the Department of Homeland Security, said U.S. CERT had not been receiving much in the way of reports on wireless network attacks. "That may be because agencies are not reporting them to us, although they are mandated to do that," he added.
In fact, John Pescatore, vice president for internet security for Gartner Research, argued in the opening keynote that the security industry had "overhyped" the security dangers to wireline systems, and was doing
the same with regard to wireless. He noted the past attacks like the Slammer and Blaster worms were successful because computer users had failed to patch security breaches which they previously known about. That kind of mistake along with another typical error -- misconfiguring a corporate network -- are the kinds of easy preventive steps that should make intrusions easy to defend.
He partly faulted wireless device manufacturers, whose products, when installed, typically finish installation by displaying a message on the screen which says, in essence, "If you want to turn security on, it will screw up things."
Rather than take simple security steps with wireless LANs, companies take a "Just Say No" approach. They refuse to develop wireless networks because they are afraid they can never be secured, a foolhardy reaction, according to Pescatore, because employees are trotting down to CompUSA, buying cheap wireless access points, and installing them in the workplace for their own benefit.
Most of the speakers agreed that the next two years or so will be a critical period. System administrators have to get much more serious about establishing security policies. Henderson referred to a recent report from the U.S. Government Accountability Office (GAO). It concluded that U.S. federal agencies -- who one might think would be more sensitive to security issues than many corporations -- had not fully implemented key controls such as policies, practices and tools which would enable them to operate wireless networks securely. The GAO looked a t six federal agencies and found "signal leakage" from all of them. In one agency, 90 laptops were incorrectly configured. Moreover, there was unauthorized wireless activity at all of the agencies that had not been detected by their monitoring programs.
Henderson said that the U.S. CERT was worried about a second type of leakage. When federal officials leave their jobs, they often return their mobile devices, such as Blackberries, to the seller in order to receive a rebate. The government user either doesn't "wipe down" the Blackberry at all, or sufficiently. So when the seller resells the unit to a second user, the Blackberry still has confidential information on it. Henderson says he expects the National Institute of Standards and Technology to issue a standard for wiping.
Mark MacCarthy, senior vice president, public policy, Visa U.S.A., pointed to BJ's Wholesale Club Inc. as an example of the serious problems a company can run into if it doesn't secure its wireless connections. A hacker(s) obtained credit card information about customers from unsecured wireless connections between BJ's and credit card companies, and then made millions of dollars in unauthorized purchases with those stolen credit card numbers. Two of the FTC's charges were that BJ's failed to use readily available security measures to prevent unauthorized wireless connections to its networks and failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations. BJ's and the FTC signed a consent decree on June 16.
Underscoring the point made by speaker after speaker -- that companies are paying too little attention to wireless security -- was the relative emptiness of the auditorium. Maybe it was the fact that it was mid-July, high vacation time. But only the first 10 rows of the 30-row auditorium were occupied, and sparsely at that.