Slashdot Mirror
Fixing Wireless Security By Pulling The Plug
An anonymous reader writes "It seems as though the Japanese government is paying attention to some security concerns of wireless networks, and rather than addressing the problem, taking a more aggressive but perhaps not as thorough approach to the issue at hand. Not very technical, but at least its good to see governments actually doing something about it."
But it is one the most secure ones. Any network can be hacked, and all it takes is time, as long as you have access to the network. Now that there is no access to a wireless LAN, they have solved their problem, unless they are worried about people who already have access to computers on the network.
And so we go, on with our lives
We know the truth, but prefer lies
Lies are simple, simple is bliss
But if it's wireless, how can there be any plug to pull?
I'm a signature virus. Please copy me to your signature so I can replicate.
Has anyone read the new O'Reilly book on securing 802.11b networks? Does it offer any cross-platform, cross-vendor solutions to general 802.11b insecurity?
Government agencies plug leaks in wireless networks
The Asahi Shimbun
Since anyone with the software could pry, cable is back in style.
The Meteorological Agency and the Tokyo metropolitan government stopped using wireless local area networks (LAN) last week after learning data was wide open to anyone with the will and the right software.
Wireless LANs are increasingly popular because they can be introduced or expanded quite simply without cumbersome cables.
But when Kazuo Tanabe, a computer consultant in Sabae, Fukui Prefecture, studied LAN emission risks around government office LANs in his own prefecture, then in Tokyo, he found that data transferred on wireless LANs could be intercepted and read by anyone using software freely available on the Web.
Tanabe said he first assessed the risk of LAN signals radiating from the municipal buildings of Sabae and Fukui, then came to Tokyo last week to measure the risk around some central government office buildings, especially in the Kasumigaseki district.
There he found that data stored in the Meteorological Agency's personal computers-even personnel records and minutes of meetings-was especially vulnerable.
The risk was highest at the agency's department dealing with volcanic activity, which lacked proper firewalls such as data encryption and password-protected access.
When The Asahi Shimbun inquired about data vulnerability, the agency found two of seven wireless LANs could be monitored from outside. A LAN management official there said the network was shut down immediately, departments were informed and all computers on wireless LANs were switched to cable.
At the Tokyo metropolitan government offices, several bureaus, including construction and environmental protection, did not encrypt the data moving over their LANs.
At the office that administers public hospitals, most of the 80 PCs used by supervisors could be read from outside. Data exposed to prying eyes included payment to doctors and patient records.
An official said network personnel were not well informed about security, but said all the wireless LANs were swapped for cable over the weekend.
During his experimental foray at the Ministry of Economy, Trade and Industry, Tanabe said he found pirate versions of movies, including ``Harry Potter,'' TV dramas and video clips of entertainment personalities, which an official later said were for personal use.
Encryption had not been used in some LANs at the Foreign Ministry or the Ministry of Agriculture, Forestry and Fisheries until September, when data vulnerability was pointed out.
``Use of wireless LANs is inappropriate for government agencies that handle personal information,'' Tanabe said. ``One hole in the network lets hackers in. Data can easily be stolen or altered. Or the opening can be used to spread viruses or other misdeeds.''
(12/26)
I fought the corporate America, and the corporate America bought the law.
And if you really want to be secure, unplug your computer from the network completely! No one will be able to hack you then!
BUT WAIT! If they get access to the computer they might, so lets unplug it from electricity, then the data will be REALLY secure.
NO WAIT! What happens if they pull the hard drive out and connect it to another computer? I know, lets chop up the hard drive into little pieces to make sure that doesn't happen, then we'll be REALLY SECURE!
Just don't write any thing down on a piece of paper, you never know into whose hands it might end up.
Wireless networks are easily hackable, and even if you cant right away, you can just decrypt the packets later and see what juicy contents are inside. I think a sort of dual network thing probably would have been the best solution. Wireless for regular stuff, and physical cable for the other stuff maybe? Is that what would have been considered more thorough?
Damn those mice, and their crazy ideas of planet-sized supercomputers.
HallmarkOrnaments.Com
You can get into a wireless network from VERY far away with the right antennas and equipment. Sensitive data should stay as far away from wireless as possible. The Japanese government did the right thing in pulling the plug. Most companies would just try to use the wireless network anyhow cause they already spent the money on the equipment. Wireless has it's uses. They just do not include sensitive networks.
check out the best blog ever:
http://oehlberg.com
That there's a project on Sourceforge to implement strong encryption on WANs to overcome the WAP problem.
Can anyone elaborate on this, please?
It's Christmas everyday with BitTorrent.
...Pringles have announced record sales, especially among the computing demographic. This announcement also ties in with their plans to introduce MEGA-size Pringles... just for those who can't stop when they pop (or they need extra signal catchment from the bigger tube).
[End Joke]
Are you local? There's nothing for you here!
Casinos and nuclear power plants. Anything that is remotely sensitive is kept off of any network that eventually attaches to the internet. Firewalls, DMZs, encryption, all this stuff is great, but if its really important, no outside connections are the only way to go.
so, I agree with Japan on that. and on the ps2.
I thought everyone knew how wireless gave easier access to networks. Is there a way to simply put hardware encryption on every card, hub, router, etc.? I don't know anythinhg about encryption (or anything else, really =P) But would it be too hard to have hardware encryption that could be programed when the card is installed in the workstation.
I'll go back to my busywork and try not to think about things I know nothing about.
-Derick
A security audit at my workplace (state government agency) recommended that WEP be enabled on the access points in the building. The response was to pull out all access points, instead of enabling WEP.
On the one hand, I see their point, but on the other, it was pretty stupid to buy all of those access points, just to stick them in a closet.
I'm rather ignorant about security on these wireless networks (802.11, Wi-Fi, etc). All my wireless experience is GSM based. I'm also not a user of wireless networks of any kind, for anything other than voice.
My big question is, how much security is needed anyway? What are people using these networks for? If you're just doing simple web browsing at the airport (or even checking email that you don't care about) it shouldn't be much of an issue.
Are many people using this stuff for financial transactions (including HTTPS over the web)? Do people use this to check secure email? Do many people (/. is a biased crowd) use wireless hubs in their homes?
Where do the current security standards fall short? Afterall, you can listen in on any Internet traffic (in theory).
Of course, in time, we'll need good security on wireless links. I just don't think it's reached a point where wireless gets enough use to need much security (yet).
Down with Saudi Arabia!!!
The simple security solution for wireless networks is VPN. This could be a bit of a pain in the ass to set up and maintain in an environment where you've got 80 pc's on at any given time. Which is why you run wired (use gigabit ethernet if you got it-spanks wireless any day) in any significant cluster of pc's and only use secured wireless links between clusters where running cable is impractical. Example would be in and industrial/commercial park where you've got several offices that need to be networked together. Providing general wireless access (rather than Point-to-Point bridging) has to be done in an environment that is understood to be insecure, ie. you have to log into a secured environment in order to handle any sensitive information. The bottom line is that you can't trust a wireless connection to your own network anymore than you can trust any connection to the internet.
The reason most wireless LANs go unsecured is that the equipment is defaulted with minimum security setings to make it easy to install and set up. Typically, once the AP is placed and running, people are just happy that it works, and neglect to apply the necessary security devices within the equipment. Additionally, research into appropriate security practice for wireless is rarely done. I've got the appropriate settings and protections on my home WLAN, and even so, if I'm not using the network, I turn it OFF - no need for unnecessary risk. A little paranoia won't hurt you, besides, they really are out to get you.
What Would Satan Do?
If they've shut down the wireless networks because they can't be adequately secured, how long before they get rid of the Microsoft networks? After all, computer consultant Tanabe was already complaining that "Data can easily be stolen or altered. Or the opening can be used to spread viruses or other misdeeds." Now if that doesn't describe Microsoft, I don't know what does.
Unless you are doing a weekly sweep of your network, and documenting the changes, any network, wired or wireless is suspectable to comprimise.
Using any cheap hub, a few gel cell batteries, and some cat5 wiring knowledge, a person with physical access to the building could hide a 802.11 unit in the ceiling tile, crawlspace, outdoors in the bushes, and for the duration of the charge create a gateway into said network. Add a device (such as the dreamcast) or comprimise a computer internally to broadcast and it becomes darn near untracable.
The major problem with most 802.11 installs is the admin simple does not do enough accounting and locking down on their network. If they would just reject all unknown mac addresses and accept from a known list WITH the added benifit of encypting all the traffic there would be NOTHING to worry about.
Why doesn't someone just point that out to them? Hey Japan out of work IT dude right here in USA--I stay up all night PST playin EQ so we're on the same time zone pretty much (ba-bump)
I can SSH remotely I'll work cheaper than any indian too (baBumpTa!)
Looks like someone's porn stash got found.
The risk was highest at the agency's department dealing with volcanic activity, which lacked proper firewalls such as data encryption and password-protected access.
It's sure that removing wlan APs will encrypt data and put some password mechanisms...
#include "coucou.h"
If they would just reject all unknown mac addresses and accept from a known list WITH the added benifit of encypting all the traffic there would be NOTHING to worry about.
A little too confident here? WEP encryption is flawed and hackable without too much effort. MAC addresses can be spoofed pretty easily.
Wireless is very tempting, but it should be considered a "public" network. Run all of your traffic through encrypted IPSec tunnels.
My company tried to fix the wireless that way. Unfortunately, our network was still vulnerable after pulling the plug. We ended up shutting off the wireless nodes instead.
It is a good thing that Tanabe probed Japanese government networks. If he done this in the US, the government would have thrown him in jail instead of shutting down their wireless networks.
Its pretty sad when a commercial OS ships a debugger with their system but no compiler.
Like this.
"Not very technical, but at least its good to see governments actually doing something about it."
Define good. I don't think it's good that their way of dealing with it is to avoid it. If it's broken, they should be investing in getting it fixed. Seriously, the Government's adoption of technologies like this really helps drive small businesses to innovate.
"Derp de derp."
I have absolutely no problem with individual users or agencies making choices (i.e. wireless vs. wired) like these for themselves...the problem comes when somebody, usually a government type, decides for EVERYONE what's acceptable and not acceptable. As posted here before, our "government types" are starting to get itchy fingers over this wireless thing...."must stop anyone from having open AP"...in the name of National Security.
If you don't want your data open for everyone to look at, don't use wireless or spend the time to create a really secure VPN/SSH connection that you trust. You shouldn't ever consider wireless any more secure/private than shouting across a couple of rows at the ball game.....that said, there are some situations where you do WANT everyone within a limited range to hear what you are saying, or simply don't care if they evesdrop...wireless is perfect for that....
We tech types have a responsibility to help educate the folks who are still trying to hook up their X-mas gifts. If people understand what's going on with wireless, they will be less likely to gripe about the problems with it and we all will be less likely to have a government solution imposed upon us...
Its common thought in security circles that if you can't afford to do something right, its best not to do it at all. And given Japan's monetary issues right now, its quite possible they can't afford to do it right.
Shutting it all off till they can afford to place the resources on it that it requires is perfectly reasonable.
The risk was highest at the agency's department dealing with volcanic activity, which lacked proper firewalls
If the fire can't get in, how can the volcanologists study it?
Now, could be my ADD in action, but I saw NOWHERE in the article any mention of WAP encryption. I know that 64-bit encryption has proven fairly crackable in the past to anyone who has the real knowhow, but what of 128? Granted, it's been a while since I've really paid attention to the latest and greatest in 802.11 breaking, but is this really a hard topic?
What do Japanese officials have to say for encrypted wireless networks?
"The risk was highest at the agency's department dealing with volcanic activity, which lacked proper firewalls such as data encryption and password-protected access."
Oh wow...data encryption and password-protected access are proper firewalls...the one I have must not be doing anything then! I can go ahead and shut it off, and just leave my access password to protect my system, and not have to deal with the headaches of hosting games through my current "improper" one.
Warning: Opinions known to be heavily biased.
After I bought it and plugged it in, and I sat down and read up on security, and I was simply shocked at how the Linksys equipment have completely zero security.
The most you can do to protect yourself is:
1) disable SSID broadcasts
2) filter based on MAC addresses
3) use 128 bit WEP to obfuscate your data to only the casual
Of course, WEP can be broken by any hacker worth his-or-her salt, and filtering based on MAC addresses doesn't work because you can spoof MAC addresses. There is zero security from a determined hacker.
The Linksys APs also have a severe security issue where anyone can get the ssid through a simple udp broadcast, meaning they don't even need a valid IP address. Once they get your SSID, it makes it way easier to connect to the AP.
From what I've heard, Linksys even isn't doing anything about it.
It really seems as though 802.11X is going to only find a place at home where consumers care more about getting rid of wires than about security. There is no valid reason for a business or governments, where their information is worth much much more, to be using such a security-free mechanism.
I'm okay because I needed the wireless stuff for my gf's computer, and all she does is surf the web. I put in place a FreeBSD firewall just in case, so I'm not too worried about my neighbors or wardrivers getting connected. But for those people that don't care about security, this is probably the way that untraceable hacking in the 21st is going to go through - via some idiot that left his 802.11b connection open to hackers that live across the street, or just happened to pull by in their car to try and hack into some military site, etc.
Yes but not if the MAC address is on a list that's already on the locked-down network.
Also http://www.winton.org.uk/zebedee/ should do for a secure connection - at least no one has contradicted me regarding it yet.
It's Christmas everyday with BitTorrent.
Things that happen to foil network security
or
Your PHB is the Enemy
As an informed network guru, you already know that wireless networking is inherently insecure, but you are ordered to implement it anyway. Your proposal includes keeping all wired computers wired, running cable to all new pc's that need the network connection. You've got to have a separate server for the AP so you can segregate the wireless and wired networks. You'll have to load firewall, VPN, and intrusion detection software on the new server as well as EVERY client pc, and set things such that the clients will ONLY connect to the server AP and the AP will ONLY accept authorized client connections without broadcasting info to anonymous clients (knowing full well that snort will pick up the signal anyway). The AP(s) will be placed in such a way that signal leaking out of the target area is minimal or as close to unusable as possible (You know you won't be able to use the Langley method of wire mesh in all exterior walls and windows to contain the signal will NEVER be approved). You also request a pay increase because of the additional workload of managing this second network. Here's what happens:
1) The PHB says "sure" and appropriates the equipment for you to deploy, but assigns you a new task as soon as you have it working but before you get all the security implemented. Result: insecure wireless network.
2) A contractor is hired to install the wireless network, but the security implementation they proposed is declined because the PHB says "Our network guy will set that up" and then neglects to assign you the task. Result: insecure wireless network.
3) Miraculously, you get your way and have the wireless network and security installed exactly the way you wanted. Result: your PHB bitches that the security measures are "inconvenient and slow down the network" and you are told to fix it, leaving you with an insecure wireless network.
4) Your massive proposal is rejected, no wireless network is installed, and you still have time to post semi-intelligent crap on slashdot.
What Would Satan Do?
the wireless network pays attention to YOU!!!
OpenBSD, OS X, pen and paper. Most alternatives are more trustworthy.
The real problem is organizations grip tightly to the idea that physical security exists.
The truth is that its only slighty harder for a attacker to get a physical connection to your network than for that same hacker to sit in your parking lot and wirelessly surf.
But, wait, we have id badges, and a security gurd at the door, no one can get to our cables: I once worked with a guy who was paid to do penetration testing, he spent a week wandering around inside the corporate headquarters, until the company IT director declared his attacks unsuccessful (they had no firewall logs of his intrusions, so he must have not got in.) The IT director was displeased with the final report, showing all the data he had accessed (some from the consoles of the "secure" machines) and with the CEO who had agreed that the testing included physical site security.
It becomes even easier when you accept that the vast majority of intrusions come from inside the company, from people who already likely have access to the network.
Sending confidential data in the clear on a wired or wireless network is not a good idea, period.
If WEP stands for "Wired Equivalent Privacy" isn't that a broad hint that you ought to use SSL or something equivalent for any traffic that might be confidential or contain passwords? At least at our office, we learned several years ago that all traffic on the ethernet should be encrypted if it contained passwords. I don't see why people would expect less of a wireless network.
Actually, if you place the 802.11b network OUTSIDE the firewall it isn't that much of a worry. Afterall, the people on the sidewalk outside the building can't be any worse than the worst that would come over the WAN link.
I'm the network admin for a city govt in Texas. I simply do not allow wireless on our networks, period. Any city employees cuaght plugging a wireless network device anywhere onto our networks get ordered to report to the city clinic to get drug tested exactly the same as any employee who wrecks a city vehicle.
a) Pulling the plug on a wireless network - inappropriate metaphor, doubt it was a pun, in light of literary skills - see below.
b) Addressing the problem - means deal with it - I think banning wireless networks because they can be cracked is a way of addressing/dealing with the cracking problem, in the same way that changing your front door to a steel one 'addresses' the burglar-getting-through-glass-door problem.
c) Aggressive but not thorough - how can you not be more thorough in fixing a problem then by completely removing the source of the problem? Wireless suffers from warwalking / wardriving problems. Remove wireless, remove the warwalking problems.
Okay, you might not agree with me on the technical issues but I was adressing the problems that the submitter had with expressing himself. If you can't express yourself properly, then people will not listen to, consider or internalise what you're trying to tell them.
* Allowing me to specify MAC addresses. This would be ideal, since I only use two wireless clients on my network and it never changes. No clients with non-specific MAC addresses would gain access.
* Allowing me to successfully turn off "beaconing." Beaconing broadcasts the network info, which isn't necessary if the clients already know what it is. However, turning it off means I regularly lose connection, even when the PC is 30 feet away.
* Strong WEP encryption. Encryption is difficult to implement. For example, if I want a 128-bit ASCII or HEX key, I need to MANUALLY type this key into each workstation. It makes tweaking the units difficult. The "passphrase" option exists on the client software but not the WAP software. High levels of encryption are slow and result in connection loss. 64 bit works very well, 128 bit so-so.
*Allow me to run Linux. The Linux driver for the wireless card won't be available until next year.
The cheezy implementation of the standard and the highly variable implementation of various options makes these things unsecure.
enough said.
Some explain to me again how 802.11b is so much more insecure than a wired, hubbed network? *hears silence* It's not. For 5 years I worked in an environment where we have a hubbed network. In case you don't know, that means any computer on the network can see all packets (assuming the viewer is in promiscuous mode). So what do you do? You use ssh to log in to machines. You use HTTPS for secure web data. You use Kerberos for POP3 authentication, or IMAP/SSL for IMAP authentication. You use PGP to encrypt any e-mail you're worried about. Everything else, you suck it up and deal. I don't really care that the guy down the hall knows I'm reading Slashdot.
It's the same with wireless. You want to send sensitive data? Do it over HTTPS or an IPSec connection, or an SSH tunnel, or copy it using FTP over SSHv2, or Kerberos, or one of the numerous other methods for encrypting data. If you can't use one of these methods, then maybe you want to send your data in some other form (like, dead-tree form, or verbal form, or using semaphore signals, or something). But don't pretend that sending data in clear text over a wired network is somehow better than sending it over a wireless link. (Note: I'm discounting leased pairs/dedicated circuits, since those are prohibitively expensive.) If your data is readable by someone other than you, assume that someone other than you will read it. Assuming anything else is like walking into a bank and yelling "OK, Mr. Bank Teller, I'm going to give you my PIN number - everyone else, just don't listen, ok?"
There is no sig, there is only Zuul.
Securing a wireless network is by no means simple, but it can be done. What we did here is implement 802.1x PEAP(Protected Encrypted Authentication Protocol) and 10 second key rotations PER connection (128-bit of course). All of this security is just to get you into a DMZ network. The DMZ is firewalled off by a Pix. To get into the real network, you have to fire up a VPN connection through the firewall.
It is up and running right now, using cisco and MS hardware and software. A similar solution could be done using cisco LEAP with slightly less security for the DMZ authentication servers.
Unfortunately, a cross platform solution does not fully exist at his point. Windows has the best security at this point. Go figure. PEAP so far is only supported on windows. LEAP runs on quite a few platforms including linux and OS X.
So please... stop posting uninformed slams on 802.11. Its all about knowledge and implimentation. Our wired network here is no where near as secure as out wireless one!
...so much for hacking in and downloading archived La Blue Girl episodes.
-=-This sig brought to you by The Cheat; and by Viewers Like You.-=-
Using password as your password not secure.
Yes how hard is it to type ssh -l . Wireless is only secure as the OS that you use with it. If you decide that you like to use windows, you and you alone are responsible for the insecurity.
Got Code?
Windows has the best secuirty my ass, vpn has already been cracked and rather easily. Try ssh tunneling and then you have something to deal with.
Got Code?
No one else seems to have asked, so I'll give it a shot:
Is anyone else a little slow to associate meteorological information with tough security? I mean, what are they doing over there if they're worried about their department of volcanic activity?
Ironic that the "sensitive data" would be prove to be personnel records. As for minutes of meetings, again, I would like to know what top secret plans were discussed. Perhaps I'm paranoid, or I've seen too many of the 600 Godzilla movies.
http://www.taborrampart.org/TaborRampart/vpn.c
On the other side, the question of safe deployment is non-trivial. While t0qer's suggestion to reject all unknown mac addresses and accept from a known list raises the bar, but doesn't eliminate problems. Again, the bad guy can readily manipulate his mac.
Best practice seems to be to put APs on a dedicated VLAN, isolated from resources until authentication is provided. [LEAP and such are nice, but subject to MITM, so make sure that mutual auth with a pre-shared secret is part of the solution, if you really want to isolate resources...] and disallow any traffic that isn't part of an encrypted session.
One problem with wireless is that people tend to look at security from only one perspective -- "are my secrets safe?" -- and conclude that people without secrets don't need any security.
The reason I use IPSec is not to keep the black hats from reading my credit card data (https keeps that safe enough), but to keep them from using my connection to send packets elsewhere. I just don't want my ISP or the police to break down the doors because some drive-by sent a million spam messages (or worse) with my return address!
This is the first numerical problem I ever did. It demonstrates the
power of computers:
Enter lots of data on calorie & nutritive content of foods. Instruct
the thing to maximize a function describing nutritive content, with a
minimum level of each component, for fixed caloric content. The
results are that one should eat each day:
1/2 chicken
1 egg
1 glass of skim milk
27 heads of lettuce.
-- Rev. Adrian Melott
- this post brought to you by the Automated Last Post Generator...