Connections +
Feature

Taking Aim at The WLAN Hacker

In theory, wireless provides an easier point of access to a network than wireline. In reality, it's probably not your biggest worry.


April 1, 2004  


Print this page

While living in Ottawa several years ago, I woke up one day to discover that somebody had tried to break into my house. (Bear with me, there’s a wireless point to this.)

After filing a report with the police, I called three alarm companies and booked appointments to have my security needs assessed. Each representative had a unique approach to the type and placement of sensors, motion detectors, and so on — and any of these solutions would’ve done the job. How to decide?

In the end, I went with the company whose salesperson said, “for $300, you get as many alarm company stickers as you want. Stick ’em on every door, every window, every brick on the house. I’ll give you a great big one for the centre of the garage door. Stick ’em on every tree and shrub, and one on each cat. And by the way, I’ll throw in a free alarm system.”

To my mind, this salesperson best understood the nature of burglars since that given a choice, they’ll go for the house with the worst security. The very presence of an alarm system is enough to make them move on, but only if they know it’s there. So it’s not the system but the stickers that make it clear yours is not the house they want.

Houses and hackers

In the telecom world, the corporate network is the house. While hackers often have different motives than burglars — many do like a challenge — the best defense is to make the network secure enough to deter all but the most determined. The others will look for easier targets.

Anybody following the development of Wireless LAN systems will have seen media reports about protocols being broken and wireless security being hacked, usually by people who set out to prove the system was insecure.

Through groups such as the Wi-Fi Alliance, vendors collaborate on new standards to make Wireless LAN security harder to break.

But the best security solution on the market doesn’t do a bit of good if it’s not turned on. It’s worth nothing if the default network name and password — the one shipped with the equipment — hasn’t been changed.

The Wi-Fi Alliance web site (www.weca.net) includes many tips for maximizing the security on Wireless LAN networks.

I urge everyone to read it. Some of the tips are forehead-slapping obvious, yet it’s a sure bet many Wireless LAN networks are on the air without a single one of these steps being implemented.

Ostrich solution

Some companies feel the best solution is to not install Wireless LANs, and consider the problem solved. But some employees use inexpensive, easy-to-install Wireless LAN equipment at home and want to enjoy similar freedom at work. They install an access point on the corporate network without first clearing it with IT and do an end-run around the corporate firewall in the process.

IT managers need one of the many solutions now available that detect these “rogue hotspots” on a network, even if the company doesn’t deploy Wireless LANs. Without one, a company is simply sticking its head in the sand.

The point is, slamming the door on a potential wireless security threat does not guarantee the network is safe. Even as companies audit themselves for wireless security, they should revisit all of their security protocols.

In fact, a good security policy is just as important as good security technology.

For example, follow the basic rules of passwords: make them difficult to guess, don’t write them down, change them regularly, and don’t share them with others.

Also, make sure remote access key generators and door-passes are never left unattended, where they can be stolen. Don’t use public Internet access terminals for sensitive company business.

If entering passwords or working on confidential material, make sure others cannot see the keyboard and screen. Again, much of this advice is obvious, and yet it’s often ignored.

To paraphrase a cynical friend, “If network security technology is actually used properly, those engaging in corporate espionage will have to revert to their traditional method: they’ll have to bribe or hoodwink employees.”

Trevor Marshall is a Toronto-based reporter, writer and observer of the Canadian wireless industry. He can be reached at 416-878-7730 or tpmarshall@eol.ca.


Print this page

Related