From: InfoSec News (isn_at_c4i.org)
Date: Mon Jul 22 2002 - 03:07:48 CDT

    http://www.suntimes.com/output/news/cst-nws-protect21.html

    [One of the odd things about this article is that Chicago information
    security professionals have written about this at least once before in
    the Chicago Tribune back in July 2001. The writer had a good technical
    story for the audience, but the editor then really dumbed the article
    down to below the level of Joe Sixpack.

    Chicago is home to two daily newspapers: The Chicago Tribune, which is
    considered to be more white collar, and the Chicago Sun-Times, which,
    printed tabloid style, is considered a blue collar paper and here has
    the more technically written article of the two. I'll see if I can find
    the original Tribune article from July 2001 later in the week. - WK]

    -=-

    BY HOWARD WOLINSKY
    BUSINESS REPORTER
    July 21, 2002

    Arrival gates. O'Hare International Airport. July 13. 11:48 a.m.

    A Sun-Times reporter turns on a hand-held computer and fires up
    MiniStumbler, a software program for scanning radio signals.

    Immediately, the program's small green, yellow and red lights begin to
    flash. The scanner has picked up 11 different signals--each one a
    possible entry point into somebody else's wireless computer network.

    The name of one network jumps off the computer's small display screen.
    It's BAGSCANUAORD. In English, that means "bag scan at United Airlines
    (UA) at O'Hare Airport (ORD)."

    And just as crucial is what is not showing up on the screen--a little
    padlock symbol that would indicate this network is encrypted,
    protecting it against hackers--or as they are called in the wireless
    world, "whackers."

    The Sun-Times reporter is not a terrorist. He stops right there. He
    means no harm.

    But if he were a terrorist, computer security experts say, he might
    quickly move to the next step. Using a laptop computer and one of
    several other easily available software programs, he might attempt to
    whack his way right into the BAGSCANUAORD network and, conceivably,
    into back-end operating systems to create all kinds of havoc.

    He might, for example, manipulate coding within the bag scanning
    system to get an orphan piece of luggage on a plane, past inspectors,
    by assigning it to a nonexistent passenger--precisely the sort of
    thing the bag scan network is supposed to prevent.

    And one can only shudder at what might be in that luggage.

    Chris Nardella, spokeswoman for United Airlines, confirmed that the
    reporter had, indeed, detected the airline's international bag scan
    system. But she emphasized, "It poses no threat to United [computer]
    networks. It is not in any way connected to any other United back-end
    systems."

    Nardella also said "no sensitive data" is transmitted over the
    network, and that the international check-in soon will be switched to
    the bag-match system used on domestic flights.

    But independent security experts are less than sold by United's
    reassurances.

    "This is not a surprising answer. I imagine on Sept. 10, they would
    have said the same thing about the metal detectors and how security in
    airports was then: 'Everything is fine.' " said Thubten Comerford,
    chief executive officer of White Hat Technologies Inc., a Denver
    computer security firm, which earlier this year conducted a scan that
    revealed potential problems at Denver International.

    "[The airlines] don't take measures until there is a disaster. United
    may not be at risk. But it is surprising that they are willing to take
    any risk at all," by broadcasting the network name and not turning on
    encryption. "It's a dangerous wireless world," he said.

    Brave new wireless world

    The world is in the throes of a wireless revolution, a technological
    transformation that promises to make computing, on the Internet or
    through private networks, dramatically more convenient and useful.
    Freed of wired tethers to phone and cable lines, computers will be
    more portable than ever before. We'll download our e-mail at coffee
    shops, tap into our office's computer system from a picnic table in a
    nearby park or from a wireless connection anywhere in the world.

    But the wireless revolution, the hottest trend since the creation of
    the Internet, also poses a profound threat to our security and
    privacy. By tapping into these wireless networks--essentially radio
    broadcasts--whackers might readily break into computer networks in
    homes, businesses and government offices and read private memos, files
    and financial information. They might "piggyback" on a stranger's
    network and ride the Internet on their dime. And they might, as the
    bag scan scenario suggests, apply their whacking skills to more
    nefarious ends.

    The threat is real. While there have been no widely publicized cases
    of people cracking into computer networks via wireless access points,
    there have been scares.

    In April, for example, Best Buy deactivated wireless cash registers
    after a customer reportedly intercepted credit card numbers while
    testing wireless equipment outside a store. Last month, with new
    security in place, Best Buy began using the wireless devices again.

    In June, Joseph Konopka of Milwaukee, whose nickname was "Dr. Chaos,"
    was indicted in Chicago on two counts of possessing chemical weapons
    after allegedly storing cyanide in a CTA subway storage room, near
    several large banks and federal and local government offices.
    According to an FBI affidavit, Konopka used a laptop--found with the
    deadly chemicals--to tap into nearby wireless networks.

    All over Chicago area

    On several days earlier this month, a Sun-Times reporter with a
    scanner walked and drove all over the Chicago area--from O'Hare to La
    Salle Street to suburban corporate parks--and detected access points
    to 1,064 wireless networks. He discovered networks operated by stock
    brokers, insurance companies, law offices, a federal judge and all
    types of businesses--from the Fortune 500 to car dealers, restaurants,
    food stores and a funeral home.

    The names of some of the networks, such as the bag scan site, made
    their purpose clear. The names of others--just a jumble of numbers and
    letters--were less revealing. But given where the scanner picked up on
    these networks--immediately outside banks, tech companies and the
    like--their sources often were obvious.

    Of the 1,064 networks detected by the reporter, only 401 were
    padlocked, but security experts say that may not matter much anyway.
    They warn that encryption, known as Wired Equivalent Privacy, or WEP,
    is only a mild deterrent.

    "Crackers can break WEP in 30 minutes to an hour," said Patrick
    Mueller, a security analyst with Chicago-based Neohapsis.

    Wireless networks fill the airwaves with chatter using a technology
    known as Wi-Fi, or wireless fidelity. If you have a laptop with the
    new Windows XP operating system and an inexpensive network card, you
    can sit down in a plaza downtown or an airport lounge and suddenly be
    asked if you want to connect to a network.

    "I've found myself inadvertently on someone else's network using the
    Internet," a Chicago businessman confessed.

    In fact, "borrowing bandwidth" to joy ride on private networks has
    become a sport for otherwise law-abiding techies. A computer
    subculture, known as "war drivers" or "Net Stumblers," has emerged to
    detect and map these wireless networks.

    A NetStumbler typically buys a can of Pringles, eats the "potato
    crisps" and fills the can with hardware and hooks up a pigtail
    connector to build an antenna to zone in on wireless networks.
    Stumblers claim the cost can be less than $10.

    Then, they go to a Web site to download free NetStumbler software on a
    laptop or MiniStumbler software on a hand-held computer to create a
    scanner to sniff out networks. As they discover new networks, they
    post them--along with Global Positioning System coordinates--at a Web
    site, www.netstumbler.com .

    Each wireless network is represented by a red cross on a national map.
    The major population centers, from coast to coast, look like burning
    bushes as cross is layered upon cross.

    The operators of the NetStumbler site say their goal is simply to warn
    about the inherent security dangers of Wi-Fi.

    Eighteen months ago, Pete Shipley, an unemployed Berkeley, Calif.,
    security consultant, invented the mapping tools for war driving. But
    he said wireless networks are so common now that war driving is
    unnecessary: Criminals need only find a nearby parking lot to find a
    network to tap into.

    In fact, they don't really have to get too close. Using a powerful
    antenna, Shipley has linked to networks 50 miles away.

    Is this legal?

    "The legality of 'war driving,' or finding and mapping access points
    is a gray area," said Chicago attorney Benjamin Kern, an expert on
    wireless technology at Gordon & Glickson. "Courts have not generally
    imposed liability for simply locating open networks."

    It is clearly illegal, however, to intercept an encrypted message
    transmitted over a wireless network, Kern said, or even to connect to
    someone else's Internet link without permission.

    But then, terrorists don't ask permission.

    Protecting top secrets

    The security risks of Wi-Fi are giving people responsible for the
    nation's biggest secrets the willies.

    In January, the U.S. Department of Energy's Lawrence Livermore
    National Laboratory near San Francisco, where much of the country's
    weapons research is done, banned wireless networks in "safe"
    unclassified areas. The lab previously prohibited wireless networks
    and even wireless phones in classified areas.

    Livermore spokesman David Schwoegler said the lab was concerned that
    wireless devices inadvertently could be left in secure areas, creating
    breaches. Also, he said the lab was worried about the growing number
    of devices, such as laptops, that come with wireless capabilities
    built in.

    Wireless networks have not been banned at Argonne National Laboratory,
    the southwest suburban lab that traces its roots to the Manhattan
    project and development of the atomic bomb. But a spokesman said they
    are used only "in a controlled fashion."

    Stacy M. Williams, chief cyber security officer at Argonne, said all
    networks must be approved by his group and must be established outside
    the lab's protective computer firewall--software and hardware used to
    bar unauthorized users. Also, access to internal systems is allowed
    only through highly encrypted private networks using devices
    registered by Williams' unit.

    For further protection, Williams said, Argonne has released the
    cyberhounds: "We use a couple of wireless network sniffing
    applications to monitor our wireless environment, in an effort to
    guarantee that rogue networks don't pop up."

    And now the lab is looking at sniffers that will reveal anyone trying
    to probe their wireless network from a particular building on the
    campus or from a car.

    Home safe home?

    Nuclear secrets are one thing. What about family secrets?

    As the Sun-Times reporter wandered around with his scanner, the
    potential for whackers to snoop into people's lives became clear.

    Numerous home wireless networks showed up on the scanner, especially
    in affluent suburbs such as Highland Park, Hinsdale and Flossmoor.
    Early technology adopters there are adding the convenience of
    wireless, typically without trying to disguise their networks or
    turning on minimal security measures. The Sun-Times spotted a string
    of 17 unprotected home networks along Sheridan Road on the North
    Shore.

    Security experts generally downplay the threat to home networks. "The
    corporations have the gems computer hackers want," said Sandeep
    Singhal, chief technology officer with ReefEdge, a New Jersey
    developer of software to protect wireless networks.

    But Singhal conceded that whackers might be interested in breaking
    into home networks to probe personal finance files, e-mail or other
    personal information.

    And with more and more people connected to the office via wireless
    links, said Mueller, whackers could try to enter corporate networks
    from home networks.

    Once someone breaks into a home network, he could destroy files, erase
    hard drives, perhaps make purchases using online accounts, plant
    computer viruses and mount attacks on other networks.

    "The wireless access point can be a backdoor into a network," Mueller
    said. "The problems are potentially nightmarish."

    Drive-by snooping

    Most people consider information about their finances and health to be
    especially private. But as the Sun-Times reporter roamed about, he saw
    real potential for data leaks there.

    Driving in Naperville, near the Merrill Lynch building, the reporter
    detected an unprotected network named marshallgrange. A call to the
    brokerage turned up a broker team run by Paul Marshall and Jeff
    Grange.

    Marshall was astonished to learn that his network could be spotted on
    the street.

    "That's 300 feet away. The guys who put this network in said the range
    would only be 75 feet," said the broker. "They're going to be back
    here in about two minutes."

    Fortunately, Marshall said, no client information was available
    through the wireless connection, which is mainly used to coordinate
    schedules. "It's not very exciting," he said. He said many offices in
    his building use Wi-Fi. The reporter didn't spot any. But tools are
    available to reveal even seemingly invisible networks.

    There also were several networks broadcasting in the Illinois Medical
    District on Chicago's West Side. One was "CCHBURN." Calls to a
    spokesman at Cook County Hospital yielded no information about whether
    that could be "Cook County Hospital Burn" unit. But the next time the
    reporter drove by, someone had turned on the encryption.

    Downtown Chicago is abuzz with Wi-Fi traffic. From the top of the
    Sun-Times building, MiniStumbler detected 67 access points, most of
    which were wide open.

    Several were named Leo1. Could that be the Leo Burnett ad agency
    across the river?

    The reporter called Burnett and left his questions, but nobody called
    back. Then the reporter saw that the WEP encryption had been switched
    on for Leo1. A spokeswoman for Burnett, Sheri Carpenter, later left a
    voice mail: "What you found was a test network. They have obviously
    gone in and secured whatever needed to be secured."

    The scanner detected hundreds of other access points along Michigan
    Avenue, the La Salle Street financial district, Sears Tower and the
    John Hancock Center. Many access points had default settings and no
    encryption on, suggesting that they were particularly vulnerable to
    attack.

    The Wi-Fi industry is gearing up to spread its technology, known in
    the business as 802.11, and promising tougher security measures to
    protect wireless networks.

    But University of Maryland computer science professor William Arbaugh,
    a lead author of a widely discussed article on the vulnerability of
    networks, entitled "Your 802.11 Wireless Network has No Clothes," said
    the current situation reminds him of the early days of the Internet
    when organizations rushed in to create Web sites without considering
    the security holes they were creating to vital computer systems.

    Manufacturers insist their wireless systems are relatively secure with
    the proper precautions, such as using authentication systems to force
    users to identify themselves.

    Arbaugh doubts it.

    "Unfortunately, nothing could be further from the truth," he said.
    "While the current access points provide several security mechanisms,
    our work combined with the work of others shows that all of these
    mechanisms are completely ineffective. We believe that the current
    wireless access points present a larger security problem than the
    early Internet connections."

    -
    ISN is currently hosted by Attrition.org

    To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
    in the BODY of the mail.