[IP] Wireless Mischief
Begin forwarded message:
From: "John F. McMullen" <observer@xxxxxxxxxxx>
Date: December 8, 2004 1:30:18 AM EST
To: johnmac's living room <johnmacsgroup@xxxxxxxxxxxxxxx>
Cc: Dave Farber <farber@xxxxxxxxxxxxx>
Subject: Wireless Mischief
From the Wall Street Journal -- www.wsj.com
E-COMMERCE/MEDIA
Wireless Mischief
Hackers, Thieves Use Laptops, Other WiFi Devices to Access
Corporate Computer Systems
By WILLIAM M. BULKELEY
Is your wireless computer network dangerously promiscuous?
By their very design, wireless devices are constantly sending out
signals called "probes" indicating that they are available and seeking
to "hook up" with a nearby access point. In turn, every access point --
which serves as a gateway into the Internet or to an internal computer
network -- transmits "beacons" inviting probes to link up.
Because wireless networking is designed to be simple to install and
easy to use, the devices don't automatically distinguish between an
authorized user and an intruder. And with the exploding use of wireless
networks, laptops and other electronic devices, evidence is growing
that some amateur and professional hackers are taking advantage of the
technology's inherent openness to break into once-secure corporate
computer systems.
In September, three young men pleaded guilty to hacking at a Lowe's
Cos. store in Southfield, Mich. Without even entering the store, the
men were able to link to a wireless network of bar-code readers and get
onto the corporate computer system. Then they installed a program
designed to capture credit-card information as shoppers checked out.
A spokeswoman for Lowe's says no customer information was lost, and
adds that the system has been made secure. One of the men was sentenced
to 12 years in prison -- a record for computer hacking, according to
the Justice Department.
Other corporate network administrators report similar problems. Steve
Lewack, a computer technician at a Columbus, Ga., hospital, was trying
out new security software when he noticed signs of an intruder using
the hospital's wireless network. A salesman for a supplier was sitting
in the hospital's cafeteria and using his laptop to scan e-mails sent
to the purchasing department, in an apparent effort to find new
business.
"It was a wake-up call that made it clear we needed a full-time
monitoring system," says Mr. Lewack of the 2002 incident. He has since
persuaded the hospital to buy the AirDefense Inc. program that detected
the intruder.
Not long ago, nearly all corporate computer networks were limited to
hard-wired connections with desktop PCs. Although many employees had
laptops, they generally connected via modems and phone lines, which are
easy to secure.
But wireless computing, both at home and at the office, is soaring.
Market-researcher IDC estimates that next year 27.7 million wireless
network devices will be shipped world-wide, up 44% from 19.2 million
this year -- and a big jump from just 4.5 million in 2002. Most are
used in homes or by small businesses, but corporations increasingly are
going wireless as well.
Spurred by the technology's popularity and low cost, laptop makers
equipped some 79% of their products sold this year with built-in
wireless connections, and that number will rise to nearly 100% next
year, according to Instat/MDR, a market researcher. In addition, a
growing number of other devices, ranging from nurse's carts at
hospitals to machine tools on factory floors, use wireless links to
communicate with central computer systems.
Wireless networks can be protected with passwords, and transmissions
can be encrypted to prevent eavesdroppers from reading the signals. But
many buyers never figure out how to change the password from the
default configuration. On a technology-oriented Web site called
Slashdot.org, a user posted an easy way to get access to unprotected
Linksys wireless networks made by Cisco Systems Inc. "Anyone can
connect" with full administrative control by logging in with the
default password and browser setting published in Linksys manuals, the
person wrote. A Linksys spokeswoman says, "We encourage our users to
change their passwords and implement all their security features."
What's more, the most widely used wireless encryption standard can be
cracked with programs available at no charge on hacker Web sites. A new
encryption standard is about to be released, but many existing devices
won't be able to use it.
Many company computer chiefs are aware of the problem. Most are careful
to maintain password-protected and encrypted communications. Others use
special software to monitor wireless access, such as that made by
AirDefense or Boston-based Newbury Networks Inc. Some forbid use of
wireless networks inside company walls, just as the Defense Department
does in classified areas.
But wireless technology has a way of sneaking in anyway. Employees who
have gotten used to the convenience of wireless networks at home
sometimes surreptitiously create networks in their offices so they can
carry their laptops into conference rooms and stay connected. Such
unauthorized use can circumvent corporate firewalls.
Joshua Lackey, an "ethical hacker" who works for International Business
Machines Corp. tracking security threats, says another company's
network was shut down this year by a virus that didn't come over the
Internet or through e-mail. IBM's consultants concluded that a computer
in a passing car may have accidentally linked up with the company's
wireless network and transmitted the virus. The incident, says Mr.
Lackey, was a "drive-by virus infection."
Anil Khatod, president of Atlanta-based AirDefense, says one of his
large customers discovered a breach created by its team of outside
auditors. Working in a conference room with just one high-speed
connection to the corporate network, the auditors had installed a
wireless router so they could all be online. That inadvertently put
sensitive financial information out in the air. He isn't aware of any
problems that developed from the event.
When employees take laptops on the road, other risks arise. Ryan Crum,
senior associate with PricewaterhouseCoopers LLP's security division,
says one danger is employees who use a home wireless network sometimes
forget to turn off the wireless feature on their laptop when they
leave. "If you're in a hotel, and plug into a wire, your machine is
still looking for access points," Mr. Crum says. "You don't know you've
connected to someone in the next room." He says such a connection could
enable another person to scan e-mails or files on the hard disk. "If
you have a bunch of competitors at a convention, you could see what
your competitors have," he says.
Technology is making it easier for would-be hackers. A new $69 device
called a QueTec 4-in-1 card can turn any laptop into both a wireless
transmitter and a wireless access point. So a hacker equipped with such
a device could sit quietly at, say, an airport departure lounge
equipped with a public wireless "hotspot." When an unsuspecting
traveler tries to connect to the hotspot, the hacker could intercept
the transmission, mimic the hotspot's screen, and collect credit card
and password information -- a process known as phishing.
And then there is corporate vandalism. Paul Funk, president of Funk
Software Inc., Cambridge, Mass., says a hacker recently broke into a
computer-store chain's wireless network that connected PCs on display.
Mr. Funk, whose company makes software to control network access, says
the hacker apparently just guessed at the wireless password, then
"brought down a number of stores" by instructing a central computers to
run a "remote configuration utility" in the operating system that shut
down several servers.
Write to William M. Bulkeley at bill.bulkeley@xxxxxxx
Copyright 2004 Dow Jones & Company, Inc.
*** FAIR USE NOTICE. This message contains copyrighted material whose
use
has not been specifically authorized by the copyright owner. The
'johnmacsgroup' Internet discussion group is making it available without
profit to group members who have expressed a prior interest in receiving
the included information in their efforts to advance the understanding
of
literary, educational, political, and economic issues, for non-profit
research and educational purposes only. I believe that this constitutes
a
'fair use' of the copyrighted material as provided for in section 107 of
the U.S. Copyright Law. If you wish to use this copyrighted material for
purposes of your own that go beyond 'fair use,' you must obtain
permission
from the copyright owner.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
"When you come to the fork in the road, take it" - L.P. Berra
"Always make new mistakes" -- Esther Dyson
"Any sufficiently advanced technology is indistinguishable from
magic"
-- Arthur C. Clarke
"You Gotta Believe" - Frank "Tug" McGraw (1944 - 2004 RIP)
John F. McMullen
johnmac@xxxxxxx johnmac@xxxxxxxxxxxx johnmac@xxxxxxxxxxxxxxxxxx
johnmac@xxxxxxxxx johnmac@xxxxxxxxxxx
jmcmullen@xxxxxxxxxxxxxxxxx johnmac@xxxxxxxxxxxxxxx
ICQ: 4368412 Skype, AIM & Yahoo Messenger: johnmac13
http://www.westnet.com/~observer
BLOG: http://johnmacrants.blogspot.com/
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/