WASHINGTON, D.C. -- It's not every day you get to ride shotgun on a war drive in the most strategic and sensitive city in the world.
But that's just what I got to do Monday morning.
Packed into a jet-black Hummer as wide as Massachusetts Avenue, myself, a driver, and three representatives of security services provider Guardent Inc. toured the busy streets of the nation's capital, on the prowl for unsecured wireless access points. Security companies have dubbed these trips war drives because they are an offshoot of war-dialing, in which computers dial hundreds of telephone numbers in order to find a receptive modem.
Wireless computing is in big demand in the enterprise, and it's up to security officers and IT administrators to figure out how to implement these architectures and technologies securely. Yet wireless is currently one of the biggest security concerns in play, because of faulty security in the wired equivalent protocol (WEP) standard. WEP's encryption technology is based on static keys that do not change and which can be deciphered using readily available software, according to the Wi-Fi Alliance.
Wi-Fi Protected Access (WPA) is expected to cure those ills this summer, by assigning different encryption keys for each data packet that passes through a wireless network. WPA is already being integrated as standard into many LAN products, but that doesn't help those still mired in the mud with WEP.
And, in D.C.,
During our 20-minute war drive through Washington's residential and business districts, 221 access points were detected; 138 of those had WEP turned off. As Guardent director of security services Todd M. Waskelis pointed out, just because WEP was not turned on did not mean a particular wireless network was wide open. Some could be using a third-party virtual private network or authentication technology, or could be restricting entry according to MAC addresses.
The frightening reality, however, is that war drives like this one are inexpensive journeys for hackers. All the hardware we needed for our trip was a standard laptop, a wireless network card, a 12 dB directional antenna and a global positioning system receiver. On the software end, we downloaded NetworkStumbler freeware off the Internet. It provides information like whether WEP is turned on, signal strength, Service Set Identifiers (SSIDs) being broadcast, the access point's name and even longitude and latitude of the access point, among other information.
All of these details are invaluable to a hacker who has malicious intent, and they're dangerous to expose if you're an enterprise transmitting intellectual property or other sensitive data.
"It depends on a hacker's end goal," said Waskelis. "If they are targeting an organization, they are going to look for access points within that organization. Some just want free Internet access. The thing there is that the outsider assumes your identity online and could use that connection as a launching pad for a distributed denial-of-service attack (DDoS). Then the liability would be yours."
Once on a local network via an unsecured wireless access point, a hacker could eventually deface an enterprise Web site or, worse, crack a database or DMZ and enter back-end systems that way.
"All you need is an entry point, and you are a hop, skip and a leap away from your eventual target," said Waskelis.
War drives get a lot of attention because they're a dramatic statement. But they're probably the hardest and least efficient way to attack a wireless network, Waskelis said.
"If your neighbor is also your competitor, all you have to do is sit across the street from them and get access to their network," said Waskelis.
Waskelis pointed out that it is not illegal to war drive, but it is illegal to associate with a network. SearchSecurity.com agreed not to report on specific locations running unsecured wireless access points.
Inside enterprises, rogue access points are also contrary to security policies, but that doesn't stop someone in accounting from going to an electronics store like Best Buy, buying a wireless access point and setting up shop in a conference room, for example, said Waskelis, whose company added a wireless component to its Managed Vulnerability Protection Services this week. Guardent remotely detects rogue wireless access points inside companies, eliminating the need to do on-site radio frequency scans to detect wireless vulnerabilities.
In fact, NetworkStumbler picked up an access point with an SSID named "Conference Room" during our war drive; it had WEP turned off. Many access points were also clearly still in out-of-the-box configuration and either came up as "Linksys" [for the popular home router] or "Default" on the freeware application.
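The rogue and out-of-the-box access points described above are what an internal wireless audit looks for. The following is an added example, not part of the original article and not Guardent's service: it checks a site survey against an inventory of approved access points. The CSV layout, BSSIDs, SSIDs and signal threshold are all constructed assumptions.

```python
# Added example: audit a wireless site survey against approved access points.
# All records, BSSIDs and field names below are constructed for illustration.
import csv
import io

DEFAULT_SSIDS = {"linksys", "default"}  # out-of-the-box names cited in the article

# Constructed inventory of access points IT has approved (BSSID -> expected SSID).
AUTHORIZED = {
    "02:00:00:00:00:01": "corp-wlan",
    "02:00:00:00:00:02": "corp-wlan",
}

# Constructed survey export: one row per access point heard inside the building.
SURVEY_CSV = """bssid,ssid,encryption,signal_dbm
02:00:00:00:00:01,corp-wlan,on,-48
02:00:00:00:00:02,corp-wlan,off,-55
02:00:00:00:00:AA,Conference Room,off,-40
02:00:00:00:00:BB,Linksys,off,-62
02:00:00:00:00:CC,guest-cafe,on,-88
"""

def audit(survey_text, authorized, min_signal_dbm=-75):
    """Return {bssid: [findings]} for every access point that needs follow-up."""
    findings = {}
    for row in csv.DictReader(io.StringIO(survey_text)):
        bssid = row["bssid"].strip().lower()
        ssid = row["ssid"].strip()
        issues = []
        if bssid not in authorized:
            # Weak signals are probably neighbours, not devices on our premises.
            if int(row["signal_dbm"]) < min_signal_dbm:
                continue
            issues.append("not in inventory (possible rogue)")
        elif authorized[bssid] != ssid:
            issues.append("SSID differs from inventory")
        if row["encryption"].strip().lower() != "on":
            issues.append("encryption off")
        if ssid.lower() in DEFAULT_SSIDS:
            issues.append("factory-default SSID")
        if issues:
            findings[bssid] = issues
    return findings

if __name__ == "__main__":
    for bssid, issues in audit(SURVEY_CSV, AUTHORIZED).items():
        print(bssid, "->", "; ".join(issues))
```

As Waskelis notes, "encryption off" is a prompt for follow-up rather than proof of exposure, since a VPN or MAC filtering may sit behind the access point.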
The ease of implementation and use of wireless networks will keep them at the forefront for security officers and administrators. Those currently saying "no" to wireless may soon have to cave in to the demands of their users and figure out a way to do wireless safely.
"If more and more people say they want wireless, enterprises have to provide their users with the tools they need to do their jobs," Waskelis said. "If you can make a business case for wireless, more networks will be rolled out, and they have to be controlled properly. A policy is self-defeating if it says no to wireless, because people are going to do it anyway."