Slashdot Mirror
Fixing Wireless Security By Pulling The Plug
An anonymous reader writes "It seems as though the Japanese government is paying attention to some security concerns of wireless networks, and rather than addressing the problem, taking a more aggressive but perhaps not as thorough approach to the issue at hand. Not very technical, but at least its good to see governments actually doing something about it."
But it is one the most secure ones. Any network can be hacked, and all it takes is time, as long as you have access to the network. Now that there is no access to a wireless LAN, they have solved their problem, unless they are worried about people who already have access to computers on the network.
And so we go, on with our lives
We know the truth, but prefer lies
Lies are simple, simple is bliss
But if it's wireless, how can there be any plug to pull?
I'm a signature virus. Please copy me to your signature so I can replicate.
Has anyone read the new O'Reilly book on securing 802.11b networks? Does it offer any cross-platform, cross-vendor solutions to general 802.11b insecurity?
Government agencies plug leaks in wireless networks
The Asahi Shimbun
Since anyone with the software could pry, cable is back in style.
The Meteorological Agency and the Tokyo metropolitan government stopped using wireless local area networks (LAN) last week after learning data was wide open to anyone with the will and the right software.
Wireless LANs are increasingly popular because they can be introduced or expanded quite simply without cumbersome cables.
But when Kazuo Tanabe, a computer consultant in Sabae, Fukui Prefecture, studied LAN emission risks around government office LANs in his own prefecture, then in Tokyo, he found that data transferred on wireless LANs could be intercepted and read by anyone using software freely available on the Web.
Tanabe said he first assessed the risk of LAN signals radiating from the municipal buildings of Sabae and Fukui, then came to Tokyo last week to measure the risk around some central government office buildings, especially in the Kasumigaseki district.
There he found that data stored in the Meteorological Agency's personal computers-even personnel records and minutes of meetings-was especially vulnerable.
The risk was highest at the agency's department dealing with volcanic activity, which lacked proper firewalls such as data encryption and password-protected access.
When The Asahi Shimbun inquired about data vulnerability, the agency found two of seven wireless LANs could be monitored from outside. A LAN management official there said the network was shut down immediately, departments were informed and all computers on wireless LANs were switched to cable.
At the Tokyo metropolitan government offices, several bureaus, including construction and environmental protection, did not encrypt the data moving over their LANs.
At the office that administers public hospitals, most of the 80 PCs used by supervisors could be read from outside. Data exposed to prying eyes included payment to doctors and patient records.
An official said network personnel were not well informed about security, but said all the wireless LANs were swapped for cable over the weekend.
During his experimental foray at the Ministry of Economy, Trade and Industry, Tanabe said he found pirate versions of movies, including ``Harry Potter,'' TV dramas and video clips of entertainment personalities, which an official later said were for personal use.
Encryption had not been used in some LANs at the Foreign Ministry or the Ministry of Agriculture, Forestry and Fisheries until September, when data vulnerability was pointed out.
``Use of wireless LANs is inappropriate for government agencies that handle personal information,'' Tanabe said. ``One hole in the network lets hackers in. Data can easily be stolen or altered. Or the opening can be used to spread viruses or other misdeeds.''
(12/26)
I fought the corporate America, and the corporate America bought the law.
And if you really want to be secure, unplug your computer from the network completely! No one will be able to hack you then!
BUT WAIT! If they get access to the computer they might, so lets unplug it from electricity, then the data will be REALLY secure.
NO WAIT! What happens if they pull the hard drive out and connect it to another computer? I know, lets chop up the hard drive into little pieces to make sure that doesn't happen, then we'll be REALLY SECURE!
Just don't write any thing down on a piece of paper, you never know into whose hands it might end up.
HallmarkOrnaments.Com
You can get into a wireless network from VERY far away with the right antennas and equipment. Sensitive data should stay as far away from wireless as possible. The Japanese government did the right thing in pulling the plug. Most companies would just try to use the wireless network anyhow cause they already spent the money on the equipment. Wireless has it's uses. They just do not include sensitive networks.
check out the best blog ever:
http://oehlberg.com
That there's a project on Sourceforge to implement strong encryption on WANs to overcome the WAP problem.
Can anyone elaborate on this, please?
It's Christmas everyday with BitTorrent.
...Pringles have announced record sales, especially among the computing demographic. This announcement also ties in with their plans to introduce MEGA-size Pringles... just for those who can't stop when they pop (or they need extra signal catchment from the bigger tube).
[End Joke]
Are you local? There's nothing for you here!
Casinos and nuclear power plants. Anything that is remotely sensitive is kept off of any network that eventually attaches to the internet. Firewalls, DMZs, encryption, all this stuff is great, but if its really important, no outside connections are the only way to go.
so, I agree with Japan on that. and on the ps2.
Unless you are doing a weekly sweep of your network, and documenting the changes, any network, wired or wireless is suspectable to comprimise.
Using any cheap hub, a few gel cell batteries, and some cat5 wiring knowledge, a person with physical access to the building could hide a 802.11 unit in the ceiling tile, crawlspace, outdoors in the bushes, and for the duration of the charge create a gateway into said network. Add a device (such as the dreamcast) or comprimise a computer internally to broadcast and it becomes darn near untracable.
The major problem with most 802.11 installs is the admin simple does not do enough accounting and locking down on their network. If they would just reject all unknown mac addresses and accept from a known list WITH the added benifit of encypting all the traffic there would be NOTHING to worry about.
Why doesn't someone just point that out to them? Hey Japan out of work IT dude right here in USA--I stay up all night PST playin EQ so we're on the same time zone pretty much (ba-bump)
I can SSH remotely I'll work cheaper than any indian too (baBumpTa!)
Looks like someone's porn stash got found.
The risk was highest at the agency's department dealing with volcanic activity, which lacked proper firewalls such as data encryption and password-protected access.
It's sure that removing wlan APs will encrypt data and put some password mechanisms...
#include "coucou.h"
If they would just reject all unknown mac addresses and accept from a known list WITH the added benifit of encypting all the traffic there would be NOTHING to worry about.
A little too confident here? WEP encryption is flawed and hackable without too much effort. MAC addresses can be spoofed pretty easily.
Wireless is very tempting, but it should be considered a "public" network. Run all of your traffic through encrypted IPSec tunnels.
My company tried to fix the wireless that way. Unfortunately, our network was still vulnerable after pulling the plug. We ended up shutting off the wireless nodes instead.
Like this.
"Not very technical, but at least its good to see governments actually doing something about it."
Define good. I don't think it's good that their way of dealing with it is to avoid it. If it's broken, they should be investing in getting it fixed. Seriously, the Government's adoption of technologies like this really helps drive small businesses to innovate.
"Derp de derp."
I have absolutely no problem with individual users or agencies making choices (i.e. wireless vs. wired) like these for themselves...the problem comes when somebody, usually a government type, decides for EVERYONE what's acceptable and not acceptable. As posted here before, our "government types" are starting to get itchy fingers over this wireless thing...."must stop anyone from having open AP"...in the name of National Security.
If you don't want your data open for everyone to look at, don't use wireless or spend the time to create a really secure VPN/SSH connection that you trust. You shouldn't ever consider wireless any more secure/private than shouting across a couple of rows at the ball game.....that said, there are some situations where you do WANT everyone within a limited range to hear what you are saying, or simply don't care if they evesdrop...wireless is perfect for that....
We tech types have a responsibility to help educate the folks who are still trying to hook up their X-mas gifts. If people understand what's going on with wireless, they will be less likely to gripe about the problems with it and we all will be less likely to have a government solution imposed upon us...
The risk was highest at the agency's department dealing with volcanic activity, which lacked proper firewalls
If the fire can't get in, how can the volcanologists study it?
After I bought it and plugged it in, and I sat down and read up on security, and I was simply shocked at how the Linksys equipment have completely zero security.
The most you can do to protect yourself is:
1) disable SSID broadcasts
2) filter based on MAC addresses
3) use 128 bit WEP to obfuscate your data to only the casual
Of course, WEP can be broken by any hacker worth his-or-her salt, and filtering based on MAC addresses doesn't work because you can spoof MAC addresses. There is zero security from a determined hacker.
The Linksys APs also have a severe security issue where anyone can get the ssid through a simple udp broadcast, meaning they don't even need a valid IP address. Once they get your SSID, it makes it way easier to connect to the AP.
From what I've heard, Linksys even isn't doing anything about it.
It really seems as though 802.11X is going to only find a place at home where consumers care more about getting rid of wires than about security. There is no valid reason for a business or governments, where their information is worth much much more, to be using such a security-free mechanism.
I'm okay because I needed the wireless stuff for my gf's computer, and all she does is surf the web. I put in place a FreeBSD firewall just in case, so I'm not too worried about my neighbors or wardrivers getting connected. But for those people that don't care about security, this is probably the way that untraceable hacking in the 21st is going to go through - via some idiot that left his 802.11b connection open to hackers that live across the street, or just happened to pull by in their car to try and hack into some military site, etc.
Yes but not if the MAC address is on a list that's already on the locked-down network.
Also http://www.winton.org.uk/zebedee/ should do for a secure connection - at least no one has contradicted me regarding it yet.
It's Christmas everyday with BitTorrent.
OpenBSD, OS X, pen and paper. Most alternatives are more trustworthy.
The real problem is organizations grip tightly to the idea that physical security exists.
The truth is that its only slighty harder for a attacker to get a physical connection to your network than for that same hacker to sit in your parking lot and wirelessly surf.
But, wait, we have id badges, and a security gurd at the door, no one can get to our cables: I once worked with a guy who was paid to do penetration testing, he spent a week wandering around inside the corporate headquarters, until the company IT director declared his attacks unsuccessful (they had no firewall logs of his intrusions, so he must have not got in.) The IT director was displeased with the final report, showing all the data he had accessed (some from the consoles of the "secure" machines) and with the CEO who had agreed that the testing included physical site security.
It becomes even easier when you accept that the vast majority of intrusions come from inside the company, from people who already likely have access to the network.
Sending confidential data in the clear on a wired or wireless network is not a good idea, period.
Wireless networking is evolving. Although any encryption can be cracked if you have enough encrypted data to analyze the idea is to change the keys often enough that it won't happen. For example, say that it would take about 500MB of encrypted data in order for the key to be discovered. So after sending 300MB of data the key is automatically changed. That way there is never enough data that was encrypted under the same key to allow the key to be cracked.
Wireless will get there.
The race isn't always to the swift... but that's the way to bet!
a) Pulling the plug on a wireless network - inappropriate metaphor, doubt it was a pun, in light of literary skills - see below.
b) Addressing the problem - means deal with it - I think banning wireless networks because they can be cracked is a way of addressing/dealing with the cracking problem, in the same way that changing your front door to a steel one 'addresses' the burglar-getting-through-glass-door problem.
c) Aggressive but not thorough - how can you not be more thorough in fixing a problem then by completely removing the source of the problem? Wireless suffers from warwalking / wardriving problems. Remove wireless, remove the warwalking problems.
Okay, you might not agree with me on the technical issues but I was adressing the problems that the submitter had with expressing himself. If you can't express yourself properly, then people will not listen to, consider or internalise what you're trying to tell them.
Some explain to me again how 802.11b is so much more insecure than a wired, hubbed network? *hears silence* It's not. For 5 years I worked in an environment where we have a hubbed network. In case you don't know, that means any computer on the network can see all packets (assuming the viewer is in promiscuous mode). So what do you do? You use ssh to log in to machines. You use HTTPS for secure web data. You use Kerberos for POP3 authentication, or IMAP/SSL for IMAP authentication. You use PGP to encrypt any e-mail you're worried about. Everything else, you suck it up and deal. I don't really care that the guy down the hall knows I'm reading Slashdot.
It's the same with wireless. You want to send sensitive data? Do it over HTTPS or an IPSec connection, or an SSH tunnel, or copy it using FTP over SSHv2, or Kerberos, or one of the numerous other methods for encrypting data. If you can't use one of these methods, then maybe you want to send your data in some other form (like, dead-tree form, or verbal form, or using semaphore signals, or something). But don't pretend that sending data in clear text over a wired network is somehow better than sending it over a wireless link. (Note: I'm discounting leased pairs/dedicated circuits, since those are prohibitively expensive.) If your data is readable by someone other than you, assume that someone other than you will read it. Assuming anything else is like walking into a bank and yelling "OK, Mr. Bank Teller, I'm going to give you my PIN number - everyone else, just don't listen, ok?"
There is no sig, there is only Zuul.
Securing a wireless network is by no means simple, but it can be done. What we did here is implement 802.1x PEAP(Protected Encrypted Authentication Protocol) and 10 second key rotations PER connection (128-bit of course). All of this security is just to get you into a DMZ network. The DMZ is firewalled off by a Pix. To get into the real network, you have to fire up a VPN connection through the firewall.
It is up and running right now, using cisco and MS hardware and software. A similar solution could be done using cisco LEAP with slightly less security for the DMZ authentication servers.
Unfortunately, a cross platform solution does not fully exist at his point. Windows has the best security at this point. Go figure. PEAP so far is only supported on windows. LEAP runs on quite a few platforms including linux and OS X.
So please... stop posting uninformed slams on 802.11. Its all about knowledge and implimentation. Our wired network here is no where near as secure as out wireless one!
Also see AirSnort:
http://airsnort.shmoo.com/
--jeff++
ipv6 is my vpn
Yes how hard is it to type ssh -l . Wireless is only secure as the OS that you use with it. If you decide that you like to use windows, you and you alone are responsible for the insecurity.
Got Code?
Windows has the best secuirty my ass, vpn has already been cracked and rather easily. Try ssh tunneling and then you have something to deal with.
Got Code?
No one else seems to have asked, so I'll give it a shot:
Is anyone else a little slow to associate meteorological information with tough security? I mean, what are they doing over there if they're worried about their department of volcanic activity?
Ironic that the "sensitive data" would be prove to be personnel records. As for minutes of meetings, again, I would like to know what top secret plans were discussed. Perhaps I'm paranoid, or I've seen too many of the 600 Godzilla movies.
One problem with wireless is that people tend to look at security from only one perspective -- "are my secrets safe?" -- and conclude that people without secrets don't need any security.
The reason I use IPSec is not to keep the black hats from reading my credit card data (https keeps that safe enough), but to keep them from using my connection to send packets elsewhere. I just don't want my ISP or the police to break down the doors because some drive-by sent a million spam messages (or worse) with my return address!