<<< Date Index >>>     <<< Thread Index >>>

[IP] Wireless Mischief





Begin forwarded message:

From: "John F. McMullen" <observer@xxxxxxxxxxx>
Date: December 8, 2004 1:30:18 AM EST
To: johnmac's living room <johnmacsgroup@xxxxxxxxxxxxxxx>
Cc: Dave Farber <farber@xxxxxxxxxxxxx>
Subject: Wireless Mischief

From the Wall Street Journal -- www.wsj.com

E-COMMERCE/MEDIA
Wireless  Mischief
Hackers, Thieves Use Laptops, Other WiFi Devices to Access
Corporate Computer Systems
By WILLIAM M. BULKELEY

Is your wireless computer network dangerously promiscuous?

By their very design, wireless devices are constantly sending out signals called "probes" indicating that they are available and seeking to "hook up" with a nearby access point. In turn, every access point -- which serves as a gateway into the Internet or to an internal computer network -- transmits "beacons" inviting probes to link up.

Because wireless networking is designed to be simple to install and easy to use, the devices don't automatically distinguish between an authorized user and an intruder. And with the exploding use of wireless networks, laptops and other electronic devices, evidence is growing that some amateur and professional hackers are taking advantage of the technology's inherent openness to break into once-secure corporate computer systems.

In September, three young men pleaded guilty to hacking at a Lowe's Cos. store in Southfield, Mich. Without even entering the store, the men were able to link to a wireless network of bar-code readers and get onto the corporate computer system. Then they installed a program designed to capture credit-card information as shoppers checked out.

A spokeswoman for Lowe's says no customer information was lost, and adds that the system has been made secure. One of the men was sentenced to 12 years in prison -- a record for computer hacking, according to the Justice Department.

Other corporate network administrators report similar problems. Steve Lewack, a computer technician at a Columbus, Ga., hospital, was trying out new security software when he noticed signs of an intruder using the hospital's wireless network. A salesman for a supplier was sitting in the hospital's cafeteria and using his laptop to scan e-mails sent to the purchasing department, in an apparent effort to find new business.

"It was a wake-up call that made it clear we needed a full-time monitoring system," says Mr. Lewack of the 2002 incident. He has since persuaded the hospital to buy the AirDefense Inc. program that detected the intruder.

Not long ago, nearly all corporate computer networks were limited to hard-wired connections with desktop PCs. Although many employees had laptops, they generally connected via modems and phone lines, which are easy to secure.

But wireless computing, both at home and at the office, is soaring. Market-researcher IDC estimates that next year 27.7 million wireless network devices will be shipped world-wide, up 44% from 19.2 million this year -- and a big jump from just 4.5 million in 2002. Most are used in homes or by small businesses, but corporations increasingly are going wireless as well.

Spurred by the technology's popularity and low cost, laptop makers equipped some 79% of their products sold this year with built-in wireless connections, and that number will rise to nearly 100% next year, according to Instat/MDR, a market researcher. In addition, a growing number of other devices, ranging from nurse's carts at hospitals to machine tools on factory floors, use wireless links to communicate with central computer systems.

Wireless networks can be protected with passwords, and transmissions can be encrypted to prevent eavesdroppers from reading the signals. But many buyers never figure out how to change the password from the default configuration. On a technology-oriented Web site called Slashdot.org, a user posted an easy way to get access to unprotected Linksys wireless networks made by Cisco Systems Inc. "Anyone can connect" with full administrative control by logging in with the default password and browser setting published in Linksys manuals, the person wrote. A Linksys spokeswoman says, "We encourage our users to change their passwords and implement all their security features."

What's more, the most widely used wireless encryption standard can be cracked with programs available at no charge on hacker Web sites. A new encryption standard is about to be released, but many existing devices won't be able to use it.

Many company computer chiefs are aware of the problem. Most are careful to maintain password-protected and encrypted communications. Others use special software to monitor wireless access, such as that made by AirDefense or Boston-based Newbury Networks Inc. Some forbid use of wireless networks inside company walls, just as the Defense Department does in classified areas.

But wireless technology has a way of sneaking in anyway. Employees who have gotten used to the convenience of wireless networks at home sometimes surreptitiously create networks in their offices so they can carry their laptops into conference rooms and stay connected. Such unauthorized use can circumvent corporate firewalls.

Joshua Lackey, an "ethical hacker" who works for International Business Machines Corp. tracking security threats, says another company's network was shut down this year by a virus that didn't come over the Internet or through e-mail. IBM's consultants concluded that a computer in a passing car may have accidentally linked up with the company's wireless network and transmitted the virus. The incident, says Mr. Lackey, was a "drive-by virus infection."

Anil Khatod, president of Atlanta-based AirDefense, says one of his large customers discovered a breach created by its team of outside auditors. Working in a conference room with just one high-speed connection to the corporate network, the auditors had installed a wireless router so they could all be online. That inadvertently put sensitive financial information out in the air. He isn't aware of any problems that developed from the event.

When employees take laptops on the road, other risks arise. Ryan Crum, senior associate with PricewaterhouseCoopers LLP's security division, says one danger is employees who use a home wireless network sometimes forget to turn off the wireless feature on their laptop when they leave. "If you're in a hotel, and plug into a wire, your machine is still looking for access points," Mr. Crum says. "You don't know you've connected to someone in the next room." He says such a connection could enable another person to scan e-mails or files on the hard disk. "If you have a bunch of competitors at a convention, you could see what your competitors have," he says.

Technology is making it easier for would-be hackers. A new $69 device called a QueTec 4-in-1 card can turn any laptop into both a wireless transmitter and a wireless access point. So a hacker equipped with such a device could sit quietly at, say, an airport departure lounge equipped with a public wireless "hotspot." When an unsuspecting traveler tries to connect to the hotspot, the hacker could intercept the transmission, mimic the hotspot's screen, and collect credit card and password information -- a process known as phishing.

And then there is corporate vandalism. Paul Funk, president of Funk Software Inc., Cambridge, Mass., says a hacker recently broke into a computer-store chain's wireless network that connected PCs on display. Mr. Funk, whose company makes software to control network access, says the hacker apparently just guessed at the wireless password, then "brought down a number of stores" by instructing a central computers to run a "remote configuration utility" in the operating system that shut down several servers.

Write to William M. Bulkeley at bill.bulkeley@xxxxxxx

Copyright  2004 Dow Jones & Company, Inc.
*** FAIR USE NOTICE. This message contains copyrighted material whose use
has not been specifically authorized by the copyright owner. The
'johnmacsgroup' Internet discussion group is making it available without
profit to group members who have expressed a prior interest in receiving
the included information in their efforts to advance the understanding of
literary, educational, political, and economic issues, for non-profit
research and educational purposes only. I believe that this constitutes a
'fair use' of the copyrighted material as provided for in section 107 of
the U.S. Copyright Law. If you wish to use this copyrighted material for
purposes of your own that go beyond 'fair use,' you must obtain permission
from the copyright owner.

For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml

   "When you come to the fork in the road, take it" - L.P. Berra
   "Always make new mistakes" -- Esther Dyson
"Any sufficiently advanced technology is indistinguishable from magic"
    -- Arthur C. Clarke
    "You Gotta Believe" - Frank "Tug" McGraw (1944 - 2004 RIP)

                          John F. McMullen
   johnmac@xxxxxxx johnmac@xxxxxxxxxxxx johnmac@xxxxxxxxxxxxxxxxxx
                  johnmac@xxxxxxxxx johnmac@xxxxxxxxxxx
           jmcmullen@xxxxxxxxxxxxxxxxx johnmac@xxxxxxxxxxxxxxx
              ICQ: 4368412 Skype, AIM & Yahoo Messenger: johnmac13
                  http://www.westnet.com/~observer
                 BLOG: http://johnmacrants.blogspot.com/

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/