Monday, May 07, 2007

How TK Maxx got owned

A month or so ago, it transpired that the UK retailer TK Maxx, which is owned by the US retailing giant TJX, had been subjected to the largest single credit card fraud in history. In the UK, the Information Commissioner launched an investigation into whether or not the company had breached data-protection laws. A report in the Wall Street Journal Online has now stated the cause of the security breach, and frankly it is scary.

Put simply, there wasn't really a security breach because it looks like there wasn't really very much security. According to the WSJ, the retailing giant was using a largely unsecured wireless network to transfer data between tills, pricing scanners and other devices. This meant that anyone with an antenna and a laptop could sit outside a store and sniff the network; all that was left to do was decode the network traffic, et voilà!

What worries me most is that this is not the first time I have heard of such things happening. I recall a conversation I read once on an IRC channel on Dal.Net. It was a number of years ago, when IEEE 802.11 was still a fresh and new technology to most. A tiny group of hackers had sat outside the store of a multinational retailer (they didn't say who) and discovered that they had total access to the company's corporate network.

Now these guys were not, in my opinion at least, stealing anything more than bandwidth. It was at a time when wardriving and, more importantly, warchalking was a very niche, hacky type of thing to do. The mission was to find free bandwidth and use it for downloads; Napster was still king back in those days. (N.B. Stealing bandwidth will get you prosecuted today, in case you don't know.)

The point, though, was that security was rarely thought of when it came to wireless, and the impact has the potential to be disastrous. This sort of "network leak" is not new, of course; there are tales from years ago of the manager who would bring a modem into work and connect his machine to the Internet whilst still being on the corporate network, creating a route in for the black-hat mischief maker.

Another story I recall was of a hospital in the UK where someone had installed an unsecured wireless access point for their own use without speaking to the internal systems and network team. The result was that a wardriver found it. Thankfully that wardriver was also ethical and informed the hospital that they had a massive security hole (imagine the mess someone could make by shutting down key hospital systems; it doesn't bear thinking about).

I also know of one major UK ISP which actually ended up disabling its entire wireless network when it was realised that the team who set it up had failed to segment it properly. When the more nerdy people in the company found that the ISP's geographical location was mapped on a warchalking website, it was turned off straight away.

Wireless is undoubtedly a fantastic technology, but it seems that even though it's been around for ten years, there is still a lack of consideration by "professionals" when they implement it. In a corporate network, wireless should only really be used within a DMZ if you can help it.

The bottom line is simple: if you're going to use wireless in your business, then the first thing to do is to secure it with a strong 128-bit encryption key, and the second thing to do is demilitarize it too... unless of course you actually want someone else to own your network.

9 comments:

Surreptitious Evil said...

There was a really nice (therefore now closed) pub in Edinburgh that did all of its tills on open Wi-Fi in about 2002-4. It was amazing how amusing sitting there with a laptop, a beer and a sandwich could be, at the time.

S-E

Surreptitious Evil said...

Sorry, techie comment. Entirely correct on the DMZ bit but 128-bit encryption key is (almost) irrelevant (unless you are talking about having an open network, in Wi-Fi terms and running all comms across it using a VPN.)

For more normal setups, the negotiation protocol should be WPA2 (WPA just about permissible) not WEP, and with a reasonable (i.e. a sensible length and not trivially predictable) key. If it doesn't defeat the business point of the exercise, the generic "you" should also consider MAC address filtering and disabling SSID broadcast. These won't keep the clever out but on the traditional "I don't need to run faster than you; I just need to run faster than the bear!" grounds, they are reasonably good for swatting ankle-biters.

S-E
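A small audit script, added here as an example (it is not from the post or its commenters), that applies the advice in the post and the comment above: it parses constructed `iwlist` scan output, classifies each access point as open, WEP, WPA or WPA2, and flags both APs that are not in the network team's inventory (the hospital and ISP cases from the post) and inventoried ones still running open or WEP. The sample scan and the BSSID inventory are constructed.

```python
import re
# Constructed sample of `iwlist wlan0 scan` output (not a real capture): an open till
# network, a WEP stockroom AP, a WPA2 corporate AP and an AP nobody inventoried.
SAMPLE_SCAN = """\
          Cell 01 - Address: 00:1A:2B:3C:4D:5E
                    ESSID:"TILL-NET"
                    Encryption key:off
          Cell 02 - Address: 00:1A:2B:3C:4D:5F
                    ESSID:"STOCKROOM"
                    Encryption key:on
          Cell 03 - Address: 00:1A:2B:3C:4D:60
                    ESSID:"CORP-WLAN"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 04 - Address: 00:DE:AD:BE:EF:01
                    ESSID:"linksys"
                    Encryption key:on
                    IE: WPA Version 1
"""
KNOWN_BSSIDS = {"00:1A:2B:3C:4D:5E", "00:1A:2B:3C:4D:5F", "00:1A:2B:3C:4D:60"}  # constructed inventory

def parse_iwlist(text):
    aps = []
    for cell in re.split(r"Cell \d+ - Address: ", text)[1:]:
        essid = re.search(r'ESSID:"(.*)"', cell)
        aps.append({
            "bssid": cell.split("\n", 1)[0].strip().upper(),
            "essid": essid.group(1) if essid else "",
            "key_on": "Encryption key:on" in cell,
            "ies": re.findall(r"IE: (.*(?:WPA|802\.11i).*)", cell),  # WPA/RSN IE lines only
        })
    return aps

def security(ap):
    # WEP is what iwlist reports as "Encryption key:on" with no WPA/RSN information element.
    if not ap["key_on"]:
        return "OPEN"
    if any("802.11i" in ie or "WPA2" in ie for ie in ap["ies"]):
        return "WPA2"
    return "WPA" if ap["ies"] else "WEP"

def audit(text, known):
    # Unknown BSSIDs are rogue whatever they run; known ones on open/WEP are weak.
    findings = []
    for ap in parse_iwlist(text):
        sec = security(ap)
        tag = "ROGUE" if ap["bssid"] not in known else "WEAK" if sec in ("OPEN", "WEP") else None
        if tag:
            findings.append((ap["bssid"], ap["essid"], f"{tag} ({sec})"))
    return findings
```

Run it over the output of a real scan from inside the building; anything tagged WEAK should be moved to WPA2 and anything tagged ROGUE traced to whoever plugged it in.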

dizzy said...

I was talking about encrypting all traffic on a wireless network generally. The overhead isn't that much anymore.

gammarama.co.uk said...

'CommView for Wifi', a very simple app, so if one wished, all one's neighbours' bandwidth and computer networks could very easily be 'explored'. Some neighbours don't have any encryption, and most are on default password settings.

dizzy said...

I don't use Windows, but I don't see exactly what the "tool" does that isn't freely available info with a basic network sniff and dump with freebie software.

Surreptitious Evil said...

Yes, you do need to encrypt the data. However, you don't need to do it within the wi-fi protocols but this is sensible for normal users, hence my comments about WPA(2) as opposed to WEP or open networks. However, there is a legitimate business case for doing the encryption at the Transport rather than the Network layer, hence the VPN comment.

Encryption overhead has never been that much, with wi-fi, SSL or IPSEC - around 10% processor use and a bit more memory. Your problem, both with wi-fi and other protocols is in the key negotiation.

With wi-fi, the earlier negotiation protocols were weak and, WEP especially, could be broken if enough of certain packet types were intercepted. With SSL / TLS, the negotiation (using asymmetric crypto) takes significant processor power and memory, unlike the subsequent symmetric encryption of the data. With IPSEC, the key exchange, with mutual auth, is the main problem in establishing the VPN, hence why SecurID is such a money-spinner for RSA.

This is too much like work - I had better go back to being rude about politicians and lawyers. But I repeat myself ...

S-E

dizzy said...

Processing power is not expensive these days :)

Anonymous said...

Dizzy - it basically allows anybody to do what advanced computer users can do, in terms of easily breaking common wifi securities, which is surely a bit worrying if the masses can easily do it.

dizzy said...

I think you might be overegging the pudding on its ability.