Slashdot Mirror
Fixing Wireless Security By Pulling The Plug
An anonymous reader writes "It seems as though the Japanese government is paying attention to some security concerns of wireless networks, and rather than addressing the problem, taking a more aggressive but perhaps not as thorough approach to the issue at hand. Not very technical, but at least its good to see governments actually doing something about it."
Government agencies plug leaks in wireless networks
The Asahi Shimbun
Since anyone with the software could pry, cable is back in style.
The Meteorological Agency and the Tokyo metropolitan government stopped using wireless local area networks (LAN) last week after learning data was wide open to anyone with the will and the right software.
Wireless LANs are increasingly popular because they can be introduced or expanded quite simply without cumbersome cables.
But when Kazuo Tanabe, a computer consultant in Sabae, Fukui Prefecture, studied LAN emission risks around government office LANs in his own prefecture, then in Tokyo, he found that data transferred on wireless LANs could be intercepted and read by anyone using software freely available on the Web.
Tanabe said he first assessed the risk of LAN signals radiating from the municipal buildings of Sabae and Fukui, then came to Tokyo last week to measure the risk around some central government office buildings, especially in the Kasumigaseki district.
There he found that data stored in the Meteorological Agency's personal computers-even personnel records and minutes of meetings-was especially vulnerable.
The risk was highest at the agency's department dealing with volcanic activity, which lacked proper firewalls such as data encryption and password-protected access.
When The Asahi Shimbun inquired about data vulnerability, the agency found two of seven wireless LANs could be monitored from outside. A LAN management official there said the network was shut down immediately, departments were informed and all computers on wireless LANs were switched to cable.
At the Tokyo metropolitan government offices, several bureaus, including construction and environmental protection, did not encrypt the data moving over their LANs.
At the office that administers public hospitals, most of the 80 PCs used by supervisors could be read from outside. Data exposed to prying eyes included payment to doctors and patient records.
An official said network personnel were not well informed about security, but said all the wireless LANs were swapped for cable over the weekend.
During his experimental foray at the Ministry of Economy, Trade and Industry, Tanabe said he found pirate versions of movies, including ``Harry Potter,'' TV dramas and video clips of entertainment personalities, which an official later said were for personal use.
Encryption had not been used in some LANs at the Foreign Ministry or the Ministry of Agriculture, Forestry and Fisheries until September, when data vulnerability was pointed out.
``Use of wireless LANs is inappropriate for government agencies that handle personal information,'' Tanabe said. ``One hole in the network lets hackers in. Data can easily be stolen or altered. Or the opening can be used to spread viruses or other misdeeds.''
(12/26)
I fought the corporate America, and the corporate America bought the law.
>NO WAIT! What happens if they pull the hard drive out and connect it to another computer? I know, lets chop up the hard drive into little pieces to make sure that doesn't happen, then we'll be REALLY SECURE!
I remember talking to someone at IBM about this. They told me that at the end of every shift, they were to remove the HDD from their computer (I assume it was on some sort of tray) and place it in a locked storage cabinet.
I'm very sure if IBM did this, then the government would be more than willing to do it...
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
I worked for a company that sold systems for use in classified environments. They all wanted removable hard drives for this very reason.
It's not wasting time, I'm educating myself.
Being the person who submitted this story, what i meant by "maybe not the most thorough" is that, if that information was so "easily" obtained wirelessly, then its probably not extremely secure on wire either, and they need to have better policies in place, but at least this is an intelligent start.
Securing a wireless network is by no means simple, but it can be done. What we did here is implement 802.1x PEAP(Protected Encrypted Authentication Protocol) and 10 second key rotations PER connection (128-bit of course). All of this security is just to get you into a DMZ network. The DMZ is firewalled off by a Pix. To get into the real network, you have to fire up a VPN connection through the firewall.
It is up and running right now, using cisco and MS hardware and software. A similar solution could be done using cisco LEAP with slightly less security for the DMZ authentication servers.
Unfortunately, a cross platform solution does not fully exist at his point. Windows has the best security at this point. Go figure. PEAP so far is only supported on windows. LEAP runs on quite a few platforms including linux and OS X.
So please... stop posting uninformed slams on 802.11. Its all about knowledge and implimentation. Our wired network here is no where near as secure as out wireless one!