Some of the wireless security measures employed by organizations today are useless or worse than useless, and only education about the potential security risks of wireless access can help keep an organization secure, according to wireless security specialist Ronald Van Kleunen, managing director of Globeron.
Speaking at the monthly meeting of the Bangkok Chapter of the Project Management Institute (PMI), Van Kleunen explained how wireless security today needs to be on every project manager's agenda because its ubiquity means that even if you do not want wireless, today you will have it.
Bluetooth and WiFi in particular are major risks that can expose company information, but there are also risks involved in organizations using RFID tags or even wireless barcode scanners, wireless headsets and portable radios. In Singapore, even the taxis and buses are connected to a wireless data network.
"Back in 2002, Gartner predicted that by 2005, 80 percent of us will be connected through Wi-Fi. Today, in 2007, you see public hotspots everywhere here in Bangkok," he pointed out.
Van Kleunen said that in Singapore, three people have been jailed for using their neighbor's wireless access points. And unlike Bangkok, most access points in Singapore are secured to some extent.
However, not all security works well. Some organizations "secure" their wireless LAN by allowing only certain MAC addresses to connect. This security is worse than useless as MAC addresses are publicly transmitted with no encryption all the time as part of the Wi-Fi protocol. Pretending to have a MAC address that is not yours is a trivial matter, he noted.
WEP encryption can today be broken within seconds and though WPA security fixed a lot of things, it forgot to rotate keys, making it susceptible to a "replay" attack. Today, the only wireless security that works is WPA2. However, it can be a bit complicated to set up and many people assume that because WEP and WPA are still available, they are enough for home use.
"Today you don't have to be in an organization to enter it. If you work from home, you have a VPN connection which is a very long cable from your office to your home, but your laptop still has a wireless interface. If I'm at your home I can still break into your laptop, go through your VPN tunnel and into your enterprise," he claimed.
The situation gets worse, as today many people work via wireless hotspots in cafes. This allows the "evil twin" attack, where someone sitting next to you in the cafe can set up a hotspot and pretend to be the cafe's hotspot provider.
They will run a web server with a fake page that looks like the real login screen. Depending on what information is entered, the evil twin can then go on a shopping spree with your credit card number or ruin your life with identity theft.
Van Kleunen demonstrated how he was able to scan the ports on each of the PCs in the room that connected to his wireless hub. In many cases, this could identify a way to attack the PC and gain control.
To solve many of these network problems, system administrators should use SSL encryption (HTTPS) and certificates on login screens, use 802.11i (WPA2) wireless encryption and generally educate their employees.
Later, he demonstrated a Bluetooth hack that allowed him to read the messages and phone numbers on a mobile phone and even change its language.
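As an added illustration (not part of the original article or of Van Kleunen's talk), the following Python sketch shows how an administrator could audit a Wi-Fi scan for the problems described above: access points still on WEP or WPA, and look-alike hotspots advertising the organization's network name. The inventory, the scan rows and the function name audit_scan are all constructed for this example.

```python
# Added example: audit a Wi-Fi scan against an inventory of sanctioned APs.
# Every SSID, BSSID and scan row below is constructed sample data.

# Hypothetical inventory: SSID -> {BSSID: security mode the AP is configured for}.
KNOWN_APS = {
    "CorpNet": {
        "00:11:22:33:44:01": "WPA2",
        "00:11:22:33:44:02": "WEP",   # legacy AP that was never upgraded
    },
    "CafeGuest": {"00:aa:bb:cc:dd:10": "WPA2"},
}

# Per the article, only WPA2 (802.11i) is considered adequate.
WEAK_SECURITY = {"OPEN", "WEP", "WPA"}

SAMPLE_SCAN = [  # (ssid, bssid, security) rows as a scanner might report them
    ("CorpNet", "00:11:22:33:44:01", "WPA2"),
    ("CorpNet", "00:11:22:33:44:02", "WEP"),
    ("CorpNet", "02:de:ad:be:ef:99", "OPEN"),
    ("CafeGuest", "00:AA:BB:CC:DD:10", "OPEN"),
    ("Neighbour", "00:99:88:77:66:55", "WPA"),
]


def audit_scan(scan, known_aps=KNOWN_APS):
    """Return (ssid, bssid, finding) tuples for SSIDs the organization owns."""
    findings = []
    for ssid, bssid, security in scan:
        expected = known_aps.get(ssid)
        if expected is None:
            continue  # someone else's network, out of scope
        bssid, security = bssid.lower(), security.upper()
        if bssid not in expected:
            # Our network name from hardware we do not operate.
            findings.append((ssid, bssid, "possible-evil-twin"))
        elif security != expected[bssid]:
            # A BSSID is only a MAC address and can be impersonated, so an
            # inventory match with the wrong security mode is also suspect.
            findings.append((ssid, bssid, "security-mismatch"))
        elif security in WEAK_SECURITY:
            findings.append((ssid, bssid, "weak-encryption"))
    return findings


if __name__ == "__main__":
    for finding in audit_scan(SAMPLE_SCAN):
        print(finding)
```

A clean result only means nothing in the scan contradicts the inventory; because MAC addresses can be impersonated, it does not prove that every listed access point is genuine.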
This would require the phone to be paired. However, he pointed out that this is easily done by social engineering. For instance, he could pretend to be sending someone in the room a nice picture from his phone while at the same time reading all the other information from their phone.
Van Kleunen said that many organizations today employ security staff to try and penetrate their networks and find vulnerabilities. However, before anyone does this in their company network, he reminded them to get a signed letter from their CIO authorizing the exploration.












spirits told me
I was on wifi and logging in to my bank account, when my sister's spirit said, "They will see your money." Unnaturally I thought, so what. What harm can seeing it do? A few weeks later my account was emptied from a currency transaction in Malaysia. I was in the USA. I had noticed some Asians sitting near me with a smart phone but hesitated to believe tourists would rip me off.
Posted by Robert Ledford on Thursday, August 14 2008 04:46 PM