Slashdot Mirror


Government Use of WiFi Not Secure

Terremoto writes "A Congressional report indicates that the use of WiFi by government agencies is being done with little regard for security. The article says, "Government Accountability Office investigators were able to pick up Wi-Fi signals from outside all of the six agencies they tested, and they were able to find examples of unauthorized activity at all six as well.""

220 comments

  1. Unauthorized access? by Creepy+Crawler · · Score: 2, Interesting

    Err, doesn't the FCC spank down anybody who does Wi-Fi access control (if it's NOT encrypted)?

    Yeah, breaking an auth scheme could be grounds for breaking/entering, but when it's open invite, isn't it allowed?

    You know, public airwaves and all..

    --
    1. Re:Unauthorized access? by appleLaserWriter · · Score: 1, Informative

      Err, doesnt the FCC spank down anybody who does Wi-Fi access control (if it's NOT encrypted)?

      huh?

      Every corporation with any sense of security uses MAC filtering. The FCC doesn't license the 900 MHz, 2.4 GHz and 5.x GHz bands (ISM), but they also don't enforce anyone's access. They used to restrict the kind of amplification that was allowed, but now, AFAIK, there is only a wattage limit.

    2. Re:Unauthorized access? by Anonymous Coward · · Score: 5, Informative

      MAC filtering is absolutely worthless. All I have to do is sniff, find a MAC on your network, and change my MAC to that. Easier than cracking WEP.

      Every corporation with any sense of security uses a DMZ + a VPN into the real network.

    3. Re:Unauthorized access? by xmodem_and_rommon · · Score: 1

      Not entirely... very few (if any) wifi cards would allow their MAC to be changed in their out-of-the-box state.

      You may be able to hack a card to change its mac address, but MAC address filtering will stop all but the most serious wardrivers and hackers.

    4. Re:Unauthorized access? by zbuffered · · Score: 3, Informative

      Any wardriver with the capability of decrypting WEP can also change their MAC address. Check out Auditor Linux. All the tools you need at the tip of your fingers.

      --
      Synergy is your friend
    5. Re:Unauthorized access? by xmodem_and_rommon · · Score: 1

      ok, a quick google search and it looks like you're right. turns out you shouldn't believe everything you read in the CCNA curriculum. It tells you that MAC addresses cannot be changed.

    6. Re:Unauthorized access? by johndoe7776059 · · Score: 1

      That is not entirely untrue. Most cards will not allow you to actually change their MAC address, but since it is up to the OS to read that address and broadcast it, it doesn't really matter.

    7. Re:Unauthorized access? by sxpert · · Score: 2, Funny

      well, if they say so, it's the official answer you have to give them for the test if you want to pass. then, nothing prevents you from thinking otherwise :D

    8. Re:Unauthorized access? by blowdart · · Score: 2, Informative

      Even Windows supports it; the MAC address used can be overridden in the registry.

    9. Re:Unauthorized access? by jaseuk · · Score: 1


      Huh? I've yet to see a card that doesn't have MAC address changing. On Windows it's usually under the advanced settings for the card.

      Jason.

    10. Re:Unauthorized access? by xmodem_and_rommon · · Score: 1

      uh, do you want to check that? I just checked it on my laptop and there's nothing about changing the mac address in the advanced settings (both for my wireless pcmcia card and the inbuilt wired NIC).

      The whole idea of MAC addresses is that they are unique to each particular card, so that two cards on the same network don't conflict with each other.

      According to the CCNA stuff, the MAC is stored in the card's ROM and is copied into its onboard RAM after the card performs its POST.

    11. Re:Unauthorized access? by Homology · · Score: 1
      ok, a quick google search and it looks like you're right. turns out you shouldn't believe everything you read in the CCNA curriculum. It tells you that MAC addresses cannot be changed.

      Indeed. For instance, from the OpenBSD manual page for ifconfig (option lladdr):

      lladdr etheraddr
          Change the link layer address (MAC address) of the interface.
          This should be specified as six colon-separated hex values.
    12. Re:Unauthorized access? by Anonymous Coward · · Score: 0

      You are simply wrong.

      Pretty much every NIC out there can have its MAC changed by software (or at least overridden - it may revert back to the hardware setting if you turn off the software override). I'm sure there are some that can't, but every one I've ever seen can.

      BTW, IIRC Windows doesn't call this setting "MAC address". It calls it something else like hardware address or something, and it's just a string of hexadecimal. On Linux the capability of changing this is built directly into the ifconfig command and is trivial to do as well.

      MAC addresses are MEANT to be a unique identifier. But obviously an attacker is going to break some "rules" like that if it helps him get into your network. And the fact is that MAC address filtering does not protect you in any significant way.

    13. Re:Unauthorized access? by xmodem_and_rommon · · Score: 1


      I am looking at the 'Advanced' page of the control panel for my 'D-Link AirPlus G+ DWL-G650+' wireless card right now. On none of the pages is there anything about a hardware address or MAC address.

      By going to command prompt and typing ipconfig/all, I can see the MAC address and it is referred to as the "Physical Address". But there is no way to change it.

      As I mentioned earlier, a google search found a software that claimed to be able to change it. But I haven't tested it.

      MAC address security might not stop many people, but I'd rather have it (even if I'm using WPA, and especially if I'm using WEP) than not have it.

    14. Re:Unauthorized access? by zerbot · · Score: 1

      Mine lists it as "Locally administered MAC address". It's the built in wireless on my HP laptop.

    15. Re:Unauthorized access? by stridebird · · Score: 2, Informative

      That doesn't get you in. Not quite.

      Once you have swapped your MAC address to match another on the network, what happens next? How does the conflict resolve between two machines with the same MAC address? Not nicely...

      To be stealthy you need to observe MAC addresses, then identify when a machine has disconnected from the network. Then you can walk up and take its place at the table and eat its porridge - until it comes back. Then there's conflict again.

    16. Re:Unauthorized access? by Asic+Eng · · Score: 1
      I've been wondering about this: if the original machine is broadcasting using the same MAC address, won't this make a mess out of the wardriver's data stream?

      Of course, if the MAC address is not used by the original machine it couldn't be a problem. How does a wardriver go about finding the MAC address, though? Does he need to wait for the original machine to broadcast?

    17. Re:Unauthorized access? by rikkards · · Score: 1

      Tools like Kismet will log any MAC addresses it sees and even better will group them with the specific wireless network it is associated with. Once you have a whole bunch of packets, i.e. 1.5 to 3 million packets, you can import the dump into Airsnort and should theoretically be able to crack the WEP key.

      I live in an apartment building and am amazed at the number of improperly setup WAPs. But what intrigues me more is that running Airsnort against any of the existing encrypted WAPs I get very little information. For example I ran against one specific guy over 3 days and received about 1.5 million packets but I only got 1 "Interesting" packet.
      I heard rumours that after the whole WEP fiasco of it being easy to break the manufacturers have fixed WEP so it isn't as predictable. Is this true?

    18. Re:Unauthorized access? by rikkards · · Score: 1

      That is true. I think (huge guess here) there is a correlation between the network cards that can change their MAC address and ones that have built-in capability of going into Monitor Mode, which is where the card can sniff all network activity, not just data sent to it.

    19. Re:Unauthorized access? by pcmanjon · · Score: 1

      " uh, do you want to check that? I just checked it on my laptop and there's nothing about changing the mac address in the advanced settings (both for my wireless pcmcia card and the inbuilt wired NIC)."

      Try the ifconfig command. It's got a flag to change the MAC addr.

      man ifconfig

      If you're on Windows, tough luck. I'm sure there's a "3rd party" tool that could probably do the trick somewhere.

      You can't OFFICIALLY spoof it, but you can spoof it at the network layer. It'll just identify through the network with a false MAC (which would get past mac filtering) but if you write a program to determine the MAC addr, there's no way to change what the program detects.

    20. Re:Unauthorized access? by JWSmythe · · Score: 1

      Zzzz.. That's easy to fix. At least I've done it a lot under various Linuxes.

      1) sniff the traffic.
      2) change your MAC address over to theirs
      3) change your IP over to theirs.
      4) become them.

      root @ evil (/root) ifconfig eth1 hw ether 01:01:01:01:01:01
      root @ evil (/root) ifconfig eth1 | head -1
      eth1 Link encap:Ethernet HWaddr 01:01:01:01:01:01

      root @ evil (/root) ifconfig eth0 | head -1
      eth0 Link encap:Ethernet HWaddr 10:10:10:10:10:10
      root @ evil (/root) ping yahoo.com
      PING yahoo.com (216.109.112.135) 56(84) bytes of data.
      64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=57 time=91.5 ms
      64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=2 ttl=57 time=80.4 ms

      Prism - 802.11b
      RealTek RTL8139 100baseTX
      Broadcom BCM5704 1000baseTX

      That's all I have handy to mess with, but I've done it on others.

      My laptop is attached to a Cisco 2924 right now, and it came up fine. Even the switch's mac-address-table shows it.

      1010.1010.1010 Dynamic 1 FastEthernet0/8

      MAC addresses are nothing, if you can trust that your users won't be changing their information.

      --
      Serious? Seriousness is well above my pay grade.
    21. Re:Unauthorized access? by Bert64 · · Score: 1

      I've not had any difficulties changing mac address, ifconfig eth1 hw ether macaddresshere, same as you would with an ethernet card.. Worked with several different types of card too.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    22. Re:Unauthorized access? by JWSmythe · · Score: 3, Interesting

      My girlfriend's cablemodem took a dump while I was trying to do something, so I fired up Kismet, and found 6 access points within listening range.

      4 were encrypted, named "2wire###", where ### is a 3 digit number. I've been informed that those are SBC DSL routers, which *ALL* have the wireless enabled but encrypted by default.

      1 was a very weak signal

      1 was a moderately strong signal (60% to 70%), unencrypted, named "DEFAULT". Kismet said it was a DLink (if I remember right).

      I asked for an IP by DHCP, and I was on. I didn't do anything but started up ethereal, and logged everything for a few minutes.. I was trying to show my girlfriend the problems with unencrypted traffic on the Internet, and how important network security is.

      There are two machines on their network, which were both sending SMB traffic with their machine names (or descriptions). I got their Yahoo! Messenger username. I know they have weatherbug running, and saw he specific zip code. They didn't browse the net, but in one of the rare instances that my girlfriend's own cablemodem was working, I sent a message by Yahoo! Messenger, and she saw it go by in clear text. Based on the information I gathered, I knew exactly which apartment it was.

      At an unnamed casino in Vegas, I saw everything about their display boards. It would have been trivial for me to pretend to be their host, and change all the boards (winners, potential winnings, etc). I didn't though. I just emailed them when I got home, with the logs. They thanked me for pointing out the oversight. They were very good about it, so I won't say the name.

      Once in a while, I'll fire up Kismet, and go driving. Not really wardriving, just to get an idea of what the area looks like. I can see about 200 AP's from my house with a high gain antenna (24db). I can pick up about 300 driving about 10 miles with a low gain antenna (4db) stuck to the back of my laptop screen. In both cases, more than half of the AP's found are unencrypted. Random samplings showed I could get online with no problems.

      --
      Serious? Seriousness is well above my pay grade.
    23. Re:Unauthorized access? by Karl+Tacheron · · Score: 1

      I've found that most, if not all wireless cards allow their MAC to be changed out of the box. I use macshift to do it. Unzip it to c:\windows and it will work on the command line easily.

    24. Re:Unauthorized access? by JWSmythe · · Score: 2, Insightful


      On a switched network, it could be a problem. Switches don't like seeing the same MAC address on two different ports. It would indicate a loop, in which case STP will shut down one of the ports. 50/50 chance of killing off the person you intended to duplicate.

      In a wireless or hubbed environment, it's a radio broadcast.. Both MAC's would receive the signal as if they were the same machine. If you **REPLY** to them, that's a different matter.

      If two machines were 192.168.1.10 with HW Addr 01:01:01:01:01:01, a ping would have a duplicate response, if both machines responded to ICMP.

      If you, as the good little hacker, had your happy little firewall running to drop any incoming packets that you weren't expecting, then you'd remain invisible. You'd get extra noise coming towards you, that your machine isn't expecting, but hey, we get that on the Internet all the time anyways. :)

      --
      Serious? Seriousness is well above my pay grade.
    25. Re:Unauthorized access? by spyroux · · Score: 1

      IMHO, in Belgium (and Europe?): being connected to a network without being granted access could be punished if you know you are connected...

    26. Re:Unauthorized access? by smellystudent · · Score: 1

      On the advanced page for my 3Com network interface (docking station), Xircom PC-card, and Netgear W-LAN card, there is an entry called "Network address". This is, apparently, what MS called the MAC address when everyone was looking the other way.

      It won't have the 'proper' address in there to start with, but you can just enter your own hex string. I've done it to clone the address between my docking station and my PC-card so that I'll grab the same static IP whichever one I'm using.

      --
      Predictive text is shiv!
    27. Re:Unauthorized access? by Anonymous Coward · · Score: 1, Interesting

      4 were encrypted, named "2wire###", where ### is a 3 digit number. I've been informed that those are SBC DSL routers, which *ALL* have the wireless enabled but encrypted by default.

      FYI, the WEP key for those 2WIRE### DSL modem/routers is "2wire". My sister had one for a few days in Los Angeles and sent it back after it couldn't keep link for more than a few seconds. That key has worked in numerous DSL-equipped neighborhoods.

    28. Re:Unauthorized access? by Anonymous Coward · · Score: 0

      Funny I'm studying CCNA and I've not read that anywhere.

      configure terminal
      interface fastethernet 0/0
      ! IOS takes the address in dotted H.H.H form, not colon-separated
      mac-address 0001.dead.beef

    29. Re:Unauthorized access? by Anonymous Coward · · Score: 0

      That just means the driver doesn't have the functionality to change it via a GUI interface built in.

      You can still edit the registry to set MAC addresses.

    30. Re:Unauthorized access? by xmodem_and_rommon · · Score: 1

      that's strange.

      My laptop is running winXP.
      on the "Advanced" page for the internal 3com nic, the only option is: "Network Link Selection". This has a drop-down box with "Auto negotiation" as the default and "10mbps half-duplex", "100mbps half duplex", "10mbps full-duplex", etc.

      As for my wireless card, there are a lot more options:
      802.11G Draft Number
      Authentication Mode
      CCX Security Type
      Desired Basic Rate Set
      Desired BSS Type
      Desired IBSS Protection
      Desired SSID
      Desired Supported Rate Set
      Desired Tx Power
      Desired Tx Rate
      ELP Support
      Fragmentation Threshold
      LeapEnabled
      LeapUserName
      Mixed Mode
      Mode4x
      MultiRegulatory Domain
      Network Type
      Power Mode
      RTS Threshold
      Short Preamble
      Spectrum Management

      nothing about mac addresses or anything. And I have never seen a network card where this option does show up on windows.

      Later I'll boot up my Linux box, and try changing the MAC address with ifconfig. It'll be interesting to see what MAC address my router reports.

    31. Re:Unauthorized access? by matuscak · · Score: 1

      Also in RF land, it's a question of "who's talking loudest". Clone the MAC of an "official" network member, aim your high gain antenna at the access point, and your faked node should drown out the legit one.

    32. Re:Unauthorized access? by SailorFrag · · Score: 2, Interesting

      Err, not quite.

      As far as I know, STP only kills ports that STP decides are causing a loop. Seeing a MAC address on two ports just makes it think that the system has moved (think about what happens if you roam between APs), so it will direct all future packets to that MAC address to the last port it saw data come in from. So if both hosts are sending a lot of data, then the ensuing packet loss (because packets are going to the wrong place) makes it pretty miserable. If only one has a lot of traffic going, then they win most of the time, at the expense of the other. Either way, it's probably going to elicit a helpdesk call by the legitimate user if it happens for too long.

      The above description only applies when two systems have the same MAC address, but different IP addresses, and the two systems are going through different switch ports.

      If you have two machines configured with the same MAC address and the same IP address, then you basically end up with the system being unusable. Whenever a packet to the other computer is seen, the OS sends a TCP reset or ICMP port unreachable (in the case of UDP). So basically, if there's much traffic going through the two computers at all, then neither of them can get anywhere, because the connections keep getting reset constantly (as opposed to mere packet loss when the IPs are different). You'd need a firewall on /both/ systems to avoid sending the reset responses for any hope of it working (and even then, you only end up as good as the two-IP scenario).

      If you have two systems with the same MAC address but different IPs on the same AP/hub, then you can at least have a reasonable hope it'd work. I don't know if sane APs would let two instances of the same MAC address successfully associate though. I don't know how the association process works, so I can only speculate.

    33. Re:Unauthorized access? by pointbeing · · Score: 2, Interesting
      MAC filtering is absolutely worthless. All I have to do is sniff, find a MAC on your network, and change my MAC to that. Easier than cracking WEP.

      Standing up WiFi on a federal network is a lot like herding cats ;-)

      I'm the project manager responsible for standing up WiFi access on a fair-sized Department of Defense installation. If the wireless network is configured according to DoD security technical implementation guides (STIGs) it can be fairly secure.

      You're correct that MAC filtering alone isn't really secure, but we use MAC filtering as one component in a 'defense in depth' strategy.

      You're also correct that DMZ + VPN is the only way that makes sense to stand up a wireless network and in DoD that's the only way you *can* stand one up if it connects to a trusted network ;-)

      The amusing thing for me was that when my boss handed me this project he thought I was gonna throw up a buncha access points and call it a network. This building is 13 stories high and has about 2500 users - and would produce the wireless footprint from hell if I'd let the boss have his way.

      Instead, I told him the IDS pieces needed to be in place first - and we're using a reasonably effective network of AirDefense and Cisco WLSE - if you stand up a rogue AP or an ad hoc network in this building the system will close the ethernet ports feeding the device(s) and shoot an email to the federal cops in the building. I figure about ten minutes after you power the thing up someone with a uniform will be tapping on your shoulder ;-)

      All WiFi connections to trusted resources on this network are encrypted - as a matter of fact there's a DoD requirement to encrypt the hard drive of any wireless device connecting to a trusted resource.

      So far the biggest challenge for us has been antenna selection and tuning WAP output power so the network doesn't radiate any farther than we'd like it to, and we've had pretty fair results so far. But - anybody working for the federal government who thinks you should just throw up a buncha access points and call it a network needs to be fired or killed or both ;-)

      My choice for WiFi security is a combination of private networks, the DMZ + VPN idea you had (which is a DoD requirement), MAC filtering, strategic placement of intrusion detection resources, client-server encryption (we use AirFortress), domain policies that prevent network bridging, denying access to anything that isn't 802.11g and so on. There's also a requirement that the WiFi network can't share any physical infrastructure with the trusted network - so the only infrastructure pieces the wired and wireless network share are patch panels ;-)

      If you walk into my building with an unauthorized WiFi device you'll be able to connect to my Comcast cable modems in three or four public areas, but if you really want on my network you might be able to get on -

      But I'm gonna make you work for access ;-)

      --
      we see things not as as they are, but as we are.
      -- anais nin
    34. Re:Unauthorized access? by bdlarkin · · Score: 2, Insightful

      You may be able to hack a card to change its mac address, but MAC address filtering will stop all but the most serious wardrivers and hackers.

      Aren't those the ones you REALLY want to keep out of a government agency?

      If MAC filtering is your security layer, then your network is accessible by anybody willing to spend relatively little money to access it.

    35. Re:Unauthorized access? by freakmn · · Score: 1

      That's somewhat correct. The MAC address is burned into the hardware, and you really can't actually change it. This being said, the OS does read it, and many OS's allow you to simulate the change in software. This doesn't actually change the address, as if you put the card in another computer, it will revert to the actual MAC (unless that OS is also configured to simulate a MAC change).

      How to change your MAC in Windows 2000/XP

      Also, part of the MAC (The first half, I believe) tells which manufacturer made the equipment. You can look up the manufacturer for a specific MAC here.

      --
      warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
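
The post above says the first half of a MAC address identifies the manufacturer; more precisely it is the first three octets (the OUI), and the first octet also carries two flag bits, one of which is the "locally administered" bit behind the "Locally Administered MAC Address" driver option mentioned elsewhere in this thread. The following is an added example, not code from any poster, Windows, Cisco or OpenBSD: it normalizes the address formats that appear in the thread (colon form from ifconfig, dotted H.H.H form from IOS, bare 12-digit form from the Windows registry), decodes those flag bits, and runs an allowlist check that also reports the anomalies a defender can actually see. The vendor table and the observed station list are constructed. Note the caveat the thread itself makes: an address cloned from a legitimate station sets no flag and passes every check here, which is why MAC filtering is only one layer.

```python
"""MAC-address checks a defender can run over the station list a WLAN
controller or DHCP server hands back.

Added example for this thread; not code from any poster, Windows, Cisco or
OpenBSD. The OUI table and the observed stations are constructed."""
import re

# Constructed vendor table keyed by OUI (first three octets). A real check
# would load the IEEE OUI registry instead.
OUI_TABLE = {
    "00:01:de": "vendor A (constructed)",
    "10:10:10": "vendor B (constructed)",
}


def normalize_mac(text):
    """Accept the colon form used by ifconfig, the hyphen form, the dotted
    H.H.H form Cisco IOS uses and the bare 12-digit form Windows stores in
    its NetworkAddress registry value; return lowercase colon form."""
    digits = re.sub(r"[:\-.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_flags(text):
    """Decode the two flag bits of the first octet and look up the OUI."""
    mac = normalize_mac(text)
    first_octet = int(mac[:2], 16)
    return {
        "mac": mac,
        "oui": mac[:8],
        "vendor": OUI_TABLE.get(mac[:8], "unknown"),
        # bit 0: individual/group. A group (multicast) address is never a
        # legitimate source address for a station.
        "multicast": bool(first_octet & 0x01),
        # bit 1: universally/locally administered. Driver overrides such as
        # the "Locally Administered MAC Address" option commonly set it.
        "locally_administered": bool(first_octet & 0x02),
    }


def evaluate_station(text, allowlist):
    """Return (allowed, findings) for one observed source address."""
    flags = mac_flags(text)
    allowed = flags["mac"] in {normalize_mac(a) for a in allowlist}
    findings = []
    if not allowed:
        findings.append("not on allowlist")
    if flags["multicast"]:
        findings.append("group address used as a source")
    if flags["locally_administered"]:
        findings.append("locally administered bit set (driver override)")
    if flags["vendor"] == "unknown":
        findings.append("OUI not in vendor table")
    return allowed, findings


# Constructed allowlist and station list, in the mix of formats the thread shows.
ALLOWLIST = ["0001.dead.beef", "10-10-10-10-10-10"]
OBSERVED = ["00:01:DE:AD:BE:EF", "1010.1010.1010", "01:01:01:01:01:01",
            "0200DEADBEEF", "02:01:de:ad:be:ef"]


def report(observed=OBSERVED, allowlist=ALLOWLIST):
    """Map each normalized address to its (allowed, findings) result."""
    return {normalize_mac(m): evaluate_station(m, allowlist) for m in observed}


if __name__ == "__main__":
    for mac, (allowed, findings) in report().items():
        print(mac, "allowed" if allowed else "denied", "; ".join(findings))
```

Run it and the two allowlisted stations come back clean, while the 01:01:01:01:01:01 address used as an illustration earlier in the thread is flagged as a group address (first octet odd), and the 02:... addresses are flagged as locally administered.
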
    36. Re:Unauthorized access? by rikkards · · Score: 1

      The thing I noticed about majority of the WAPs in my range was they were smart enough to change the SSID but never set up any encryption and never turned off SSID Beaconing. All but one of the encrypted had changed their SSID but had left beaconing on as well.

      Still can't figure out why I was seeing so few "interesting" packets.

    37. Re:Unauthorized access? by jaseuk · · Score: 1

      Mine has "Locally Administered MAC Address" for Dell Truemobile 1400. Dell D800 laptop.

      While not all cards have this option many do.

      Jason.

    38. Re:Unauthorized access? by Q2Serpent · · Score: 2, Funny

      I know they have weatherbug running, and saw he [sic] specific zip code.

      +1 for most bizarre method to determine the zip code you are in right now...

    39. Re:Unauthorized access? by zbuffered · · Score: 1

      You can't just sit around and wait for interesting traffic. You have to make your own traffic.

      --
      Synergy is your friend
    40. Re:Unauthorized access? by Anonymous Coward · · Score: 0

      IS it OK to listen to all your cell phone conversations? (if it's NOT encrypted)?

    41. Re:Unauthorized access? by chrisnewbie · · Score: 1

      If every MAC address in the entire world is different, how the hell do you plan on changing a MAC address? It's like saying I want the same address as my neighbors! Will it not make hardware confusion (I know the odds of changing a MAC address and someone having the same one are pretty low, but still)? I was always told that it's a unique identifier!

    42. Re:Unauthorized access? by CodeArtisan · · Score: 1

      FYI, the WEP key for those 2WIRE### DSL modem/routers is "2wire". My sister had one for a few days in Los Angeles and sent it back after it couldn't keep link for more than a few seconds. That key has worked in numerous DSL-equipped neighborhoods.

      Not on mine, it wasn't. I received mine a couple of months ago, so maybe things have tightened up. Although some of the default settings are pretty horrible.

    43. Re:Unauthorized access? by wclacy · · Score: 1

      All it takes to change your MAC for any Network card in Windows is to change/add a registry key with your new mac. "NetworkAddress=xx:xx:xx:xx:xx:xx"

      In Linux you just use "ifconfig eth# hw ether xx:xx:xx:xx:xx:xx"

    44. Re:Unauthorized access? by Creepy+Crawler · · Score: 1

      So web surfing is illegal UNLESS you receive mail statements from each server owner?

      Hardly.

      --
    45. Re:Unauthorized access? by spyroux · · Score: 1

      yes... theoretically... I think the man who wrote the law didn't understand the Internet.

    46. Re:Unauthorized access? by Creepy+Crawler · · Score: 1

      Wow. They really ARE stupid ;P

      I guess the way I figure it is it's all public UNLESS:

      --they ask for no un-auth'ed users (yeah, a simple banner)
      --have encryption above and beyond basic protocol (like how 802.11b is proto but WEP is encryption)
      --faking credentials (like attempting replay attacks on SSHv1)
      --just using logins/passwords that you don't have legit access to.

      I figure it's fair game if those don't occur as long as you "do no harm".

      Though, I'd consider servers secured fair game if they harbor MY INFORMATION and have no way for ME to audit it. Then I will hack in, and sanitize my information if they no longer have a valid reason for it (eg. the recent school DB hacking incident).

      --
    47. Re:Unauthorized access? by rikkards · · Score: 1

      Only one problem with void11. It only works with Prism chipsets. I have Hermes based Orinoco so it probably won't work for me.

    48. Re:Unauthorized access? by JWSmythe · · Score: 1


      I was describing both switched and non-switched environments, where I'd make my machine identical to another (same IP and MAC).

      I just saw the error on a Cisco switch on Sunday, regarding the STP loops. Lots of fun, especially since they were coming in on an impossible port. Level3 had screwed up. I still haven't figured out how they did it. The only GigE line coming in from them was throwing the error, even after I unplugged everything else.

      I think I'm going to play with it a bit more, so I'll have some real-world analysis in hand. What I have is a bit limited, because I've only done it from the "Lets see what we can break" side. :)

      --
      Serious? Seriousness is well above my pay grade.
    49. Re:Unauthorized access? by JWSmythe · · Score: 1


      I've done it with an Orinoco Gold card too. I just didn't have it with me last night to try it.

      --
      Serious? Seriousness is well above my pay grade.
    50. Re:Unauthorized access? by JWSmythe · · Score: 1

      I had my iPaq on with ministumbler running a few days ago. I almost drove off the road when I saw one SSID. It was an ASCII art drawing of a penis and a vagina.. :)

      --
      Serious? Seriousness is well above my pay grade.
    51. Re:Unauthorized access? by alexburke · · Score: 1

      As far as I know, STP only kills ports that STP decides are causing a loop. Seeing a MAC address on two ports just makes it think that the system has moved

      A cookie for you, good sir. Indeed the MAC addresses will age out of the table, but as soon as a MAC is noticed on another port, its table entry is updated. (This is why when you change a box's switch port, you can't ping it until the MAC timer expires, at which point it becomes an unknown-destination broadcast to all ports, or until the box sends a frame on the new port, causing the switch to notice it's moved.)

      How STP detects loops is with BPDUs (Bridge Protocol Data Units).

      And yes, I *am* Cisco certified. :)
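
The two posts on switch behaviour (the "system has moved" description and the note on table aging just above) describe the mechanism a duplicated address exercises on a switch; the following is an added example, not code from any poster or vendor, that models it: a source-learning MAC table with aging, the entry update that happens when a MAC shows up on another port, and a detector that turns repeated port changes into an alert, which is the signal a defender has when two stations share one address. Port names, addresses, timestamps and the aging time are constructed.

```python
"""Toy model of a switch's MAC learning table, showing what happens when one
MAC address is seen on two ports (the host appears to "move"), how entries
age out, and how a defender can turn the resulting port flapping into an
alert.

Added example for this thread; not code from any poster or vendor. Port
names, addresses, timestamps and the aging time are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

AGING_SECONDS = 300.0  # constructed; a common default for dynamic entries


@dataclass
class Entry:
    port: str
    last_seen: float


@dataclass
class Switch:
    table: dict = field(default_factory=dict)
    # (time, mac, old_port, new_port) for every move of an existing entry
    moves: list = field(default_factory=list)

    def _age(self, now):
        """Drop dynamic entries not refreshed within AGING_SECONDS."""
        stale = [m for m, e in self.table.items()
                 if now - e.last_seen > AGING_SECONDS]
        for m in stale:
            del self.table[m]

    def learn(self, src_mac, port, now):
        """Source learning: a frame's source MAC is bound to its ingress port.
        If the MAC is already bound elsewhere the entry is simply updated,
        which is the "system has moved" behaviour described in the thread."""
        self._age(now)
        prev = self.table.get(src_mac)
        if prev is not None and prev.port != port:
            self.moves.append((now, src_mac, prev.port, port))
        self.table[src_mac] = Entry(port, now)

    def forward(self, dst_mac, now):
        """Return the egress port, or "flood" for an unknown destination."""
        self._age(now)
        entry = self.table.get(dst_mac)
        return entry.port if entry is not None else "flood"


def flap_alerts(moves, window=60.0, threshold=3):
    """MACs that changed port at least `threshold` times inside any
    `window`-second span: two stations sharing one address, or a loop."""
    times_by_mac = defaultdict(list)
    for t, mac, _old, _new in moves:
        times_by_mac[mac].append(t)
    alerts = set()
    for mac, times in times_by_mac.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                alerts.add(mac)
                break
    return alerts


# Constructed frames: (time_s, source MAC, ingress port). The legitimate
# host sits on Fa0/8; a second station using the same address is on Fa0/12.
FRAMES = [
    (0.0, "00:11:22:33:44:55", "Fa0/8"),
    (1.0, "aa:bb:cc:dd:ee:01", "Fa0/3"),
    (5.0, "00:11:22:33:44:55", "Fa0/12"),
    (6.0, "00:11:22:33:44:55", "Fa0/8"),
    (7.0, "00:11:22:33:44:55", "Fa0/12"),
    (8.0, "00:11:22:33:44:55", "Fa0/8"),
    (400.0, "aa:bb:cc:dd:ee:02", "Fa0/5"),  # long after the others aged out
]


def replay(frames=FRAMES):
    """Feed the frames through a fresh switch and return it."""
    sw = Switch()
    for t, mac, port in frames:
        sw.learn(mac, port, t)
    return sw


if __name__ == "__main__":
    sw = replay()
    for move in sw.moves:
        print("moved:", move)
    print("flapping:", flap_alerts(sw.moves))
    print("after aging:", sw.forward("00:11:22:33:44:55", 400.0))
```

The model deliberately does nothing that STP would do: no port is shut, the entry just follows the most recent frame, so traffic to that address goes to whichever station spoke last. The flap detector is the part worth keeping; real switches log the same condition as a MAC move or flap notification, and a threshold like the one here is what you would alert on.
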

    52. Re:Unauthorized access? by rikkards · · Score: 1

      Interesting.. According to void11 documentation you need a proxim chipset. My Orinoco Gold Classic (forgot the classic in last post) has a Hermes.
      However if it works it works.
      Just wish it was part of gentoo emerge system :)

    53. Re:Unauthorized access? by JWSmythe · · Score: 1


      That's one of my biggest problems with Gentoo, and most distributions. It makes people so dependent on what *THEY* have put together. That's why I *LOVE* Slackware. It's generally assumed with Slackware that you're going to install the base system, and then start installing whatever else you want from source. It's all included, and all works, but then I'll go download the current (as current as I want) source from the author's site, and install it myself.

      I love building stuff from source myself. :)

      Even with Gentoo, (I have it on my AMD64 machine), I still install from sources, but .....

      --
      Serious? Seriousness is well above my pay grade.
  2. Unauthorized Activity by flood6 · · Score: 4, Interesting
    ...they were able to find examples of unauthorized activity at all six as well.

    It wasn't clear in TFA either, but do they mean a little pr0n surfing/p2p going on or active hack attempts were found?

    1. Re:Unauthorized Activity by jericho4.0 · · Score: 1

      They probably found that half the people in the apartment building next door got a wireless router for xmas, and think they are surfing the internet they pay for.

      --
      "A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
  3. Of course! by mrseigen · · Score: 3, Funny

    If it's insecure that provides a perfectly valid explanation for unauthorized behaviour.

    "I didn't hit porn, must have been some drive-bys on our wireless network"

  4. It is the US government by Dance_Dance_Karnov · · Score: 1, Insightful

    Can they not afford Cat5 or something? $20,000 for a toilet seat, and this is how you save money.

    1. Re:It is the US government by FireballX301 · · Score: 2, Insightful

      1. In densely packed office buildings, it is in fact cheaper (in terms of material and labor, nobody wants to bust down walls to insert cabling) to just have wireless and put repeater antennas everywhere.

      2. $20,000 for a toilet seat breaks down into this:

      $19975 for secret black-ops projects nobody will ever hear about.

      $24 for the Toilet Seat

      $1 for the liability insurance. You know, from the dangers a toilet seat can cause.

    2. Re:It is the US government by DrMrLordX · · Score: 1

      Hey, #2 is the same explanation for government waste that they gave in ID4, so it must be true. (sadly, it probably is true)

    3. Re:It is the US government by petecarlson · · Score: 1

      Here's the actual breakdown:

      $10,000 for the prime contractor who subs it out to MRAS.
      $4,500 for MRAS who subs it out to a sub

      $300 for the sub to build the seats
      $50 ea for shipping
      $50 for paperwork
      $100 for the inspector (contractor) to make sure it meets the spec and upload the dimensions to DCA (or whatever the Defense Contracting Agency calls themselves these days) using their UNAUTHORIZED wireless network... I was beginning to wonder if I could still work the topic in here somewhere :)

    4. Re:It is the US government by JWSmythe · · Score: 1

      You haven't been in an uber-cool office, have you? Executive types always want to show off that they got a $5000 laptop on the company's dime (or in this case, the gov't), so they want to be able to carry it around to various desks, ad nauseam. They want to sit down in the conference room, and/or move to their desk, without reconnecting wires.

      Government suits are just as bad as business suits.

      Let's not forget all the other associated uber-cool equipment they could have, like PDAs. I'm sure other folks can flesh out the uber-cool list from here. :)

      --
      Serious? Seriousness is well above my pay grade.
    5. Re:It is the US government by Elvisisdead · · Score: 2, Informative

      Spot on. The other part is that the request for the toilet seat stated that it should be able to touch a human ass without freezing it at -10 degrees and still be cool to the touch at 125 degrees. Also needs to be equally comfortable for both sexes and should have a service life of 75 years.

      --

      "Want in one hand and spit in the other and see which one fills up first." - My Dad
    6. Re:It is the US government by bill_mcgonigle · · Score: 1

      Executive types always want to show off that they got a $5000 laptop on the company's dime

      Boy, and I thought they just wanted to show everybody that they have a Blackberry.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    7. Re:It is the US government by budgenator · · Score: 2, Informative

      also requires said "toilet seat" be an
      1. integrated structural part of the airframe,
      2. not release toxic gases on contact with combustion,
      3. upon catastrophic failure not pose a physical hazard to the aircrew,

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    8. Re:It is the US government by JWSmythe · · Score: 1

      Well, now that you mention it, I have noticed a lot of executives with BlackBerrys, and executive wanna-bes with their other cell-phone/PDA/messaging toys. :)

      --
      Serious? Seriousness is well above my pay grade.
    9. Re:It is the US government by Elvisisdead · · Score: 1

      Agreed, and I would argue almost worse. The SES level guys that I interact with are usually pretty bad. They always demand the newest stuff.

      Worse than that, they're always having their offices painted or buying new furniture or artwork for the walls, etc.

      The thing that really irritates me about the whole thing is that they do it with little or no regard to cost. They believe that they're entitled to it. That may be fine in private business, but totally unacceptable in public service.

      --

      "Want in one hand and spit in the other and see which one fills up first." - My Dad
    10. Re:It is the US government by JWSmythe · · Score: 1

      Ya, where the people are footing the bill, it sucks.

      It still sucks in the private sector too. When you see the bosses spend mad money on crap, and can't get budgeting for things that you feel are important for the company, it just leaves you pissed off.

      For example, what's more important for an Internet company? Upgrading a bunch of 5+ year old servers, or flying the boss first class to and from Europe once a month? Or spending mad money on something that won't make money (and everyone knows it), or upgrading the equipment for your flagship site.

      I know someone that deals with the VA a lot. They're always having buildings built or renovated, for millions a shot. One case in particular was a building that was completely renovated for a nice 7 figure number, which once they're done renovating, they will be basically giving away to a private sector company for pennies on the dollar. Meanwhile, they're trying to give vets the shaft. Ask any vet who's been jumping through the hoops for disability for several years, and still being screwed.

      No, I'm not the vet, I just know quite a few.

      --
      Serious? Seriousness is well above my pay grade.
  5. I wonder how many were also running default passes by cyrax777 · · Score: 0, Offtopic

    such as admin.

  6. why are they using local 802.11b at all? by ChipMonk · · Score: 1

    Precious few government agencies need wireless access anyway, and those who do generally know how to handle it.

    Those who don't, have no business incorporating a technology they don't understand. But, I suppose they have to spend their budget on something, even if it has nothing to do with making their job easier.

    1. Re:why are they using local 802.11b at all? by appleLaserWriter · · Score: 2

      Precious few government agencies need wireless access anyway, and those who do generally know how to handle it.

      Could you expand upon that comment please? Why don't government workers need laptops? They seem to make private sector high-tech workers more efficient, why shouldn't the government have access to these efficiencies? After all, government workers were the original Information Technology workers. They didn't just invent digital computers, but also made extensive use of pre-computer information technology.

    2. Re:why are they using local 802.11b at all? by Anonymous Coward · · Score: 0

      Wireless laptops make some people less efficient. Government workers' porn surfing has increased in efficiency, I'm sure.

    3. Re:why are they using local 802.11b at all? by eskoperkele · · Score: 1

      All those jokes about insecure and useless wireless networks aside, I have seen with my own eyes a WLAN of desktop machines. Nothing alarming here, but the WLAN is not encrypted in any way, and it is built in a new building which has a couple of coppers in every room. To make matters even more entertaining, the building is a public school.

      --
      E. Perkele
    4. Re:why are they using local 802.11b at all? by terminal.dk · · Score: 2, Interesting

      A laptop without wireless is still a laptop. It isn't that difficult to use a network cable.

      Of course it prevents you from bringing the laptop to the bathroom.

    5. Re:why are they using local 802.11b at all? by colinrichardday · · Score: 1

      What? No RJ-45 ports in government restrooms? Oh, the horror!

    6. Re:why are they using local 802.11b at all? by Skater · · Score: 1

      I work for the US Census Bureau. Our DC buildings are located on the Suitland Federal Center, which is actually pretty nice when it isn't under construction, and it'll be a lot nicer when the construction is finished. Before the construction started, I took a laptop or just documents to read outside several times - away from the distractions, enjoying the sunlight. We do not have a wireless network at all, but having one on campus would be a nice perk, as long as the security issues could be resolved. (We take the security of our data very seriously.)

      It'd also be useful for people who are trying to work in places like the cafeteria or library, where there aren't any available network drops.

    7. Re:why are they using local 802.11b at all? by budgenator · · Score: 1

      Thanks for making the TIGER database publicly downloadable. I've found lots of cool ways to do things with it.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    8. Re:why are they using local 802.11b at all? by Skater · · Score: 1

      Thanks! Not that I had anything to do with that decision, of course. :)

      TIGER is VERY cool. I love playing around with it, and I think it's great there are a number of open source programs that can access it.

  7. If this were 2003..... by Anonymous Coward · · Score: 5, Interesting
    then there would be no huge issue. But with tools like Airsnort for Unix, NetStumbler for Windows and MacStumbler for Mac, there is no excuse for this.

    I would consider it to be criminally negligent.

    It is a shame that they allow these agencies to receive funding or for their IS / IT departments to still have jobs.

    Let's stop talking about Filibusters and start talking National Security.

    1. Re:If this were 2003..... by TWX · · Score: 5, Informative

      "It is a shame that they allow these agencies to receive funding or for their IS / IT departments to still have jobs."

      I work for a large IT department for a government-based organization. The users frequently don't call us when they get new equipment unless it doesn't work. With all of these wireless devices coming 'ready to go' out of the box, we don't usually find them unless we physically stumble across them or unless the DHCP server in the device is handing out addresses on the LAN at the site and therefore breaking connectivity for the users.

      Yes, it is technically possible to note the MAC address of a device when it comes on the network and compare it to a table of kinds of equipment, but there are 11 field technicians, four network engineers, and two cable/infrastructure technicians for 25,000 machines. We don't get the funding for supplies, equipment, or manpower that we need, we don't get support from higher-ups in the organization, and we are left being reactionary. Even worse yet, some of the agency-level higher-ups are all about 'new technology' without giving us the resources to thoroughly investigate it and how it will impact our network, and half of the time they don't even figure out what the users need such technology for before allowing them to order it.

      We have machines running on average as low as Windows 95 (though I do still encounter Windows for Workgroups 3.11 in rare cases) and MacOS 7.5.3. Most days I'm astounded that things work as well as they do, let alone at all.

      --
      Do not look into laser with remaining eye.
    2. Re:If this were 2003..... by JWSmythe · · Score: 1

      That's a maintenance nightmare. Trust me.

      I knew a guy who did that on a network of just 20 workstations. He was anal, and wouldn't give anyone else access to authorize MAC addresses. The other techs got rather irate, when they'd change a NIC, add a new machine, or whatever.

      Moreover, when the boss brought in his new laptop and couldn't get online, that was the end of MAC address filtering.

      --
      Serious? Seriousness is well above my pay grade.
    3. Re:If this were 2003..... by ccharles · · Score: 1

      we don't usually find them unless we physically stumble across them or unless the DHCP server in the device is handing out address on the LAN at the site and therefore breaking connectivity for the users

      Here's an idea: implement a wireless sniffer of your own.

      I'm not trying to troll here; I work in IT, too. This kind of thing can be a real pain. But using the above as an excuse for such a serious security risk is a little silly.

    4. Re:If this were 2003..... by DarkSarin · · Score: 1

      Hate to be you.

      The place where I work has gone to a simple policy: ALL computer-related purchases MUST go through the IT department then the accounting department. If one doesn't squash it, the other usually does.

      It makes getting random things like a wireless AP a pain in the butt for the users, but for those of us in IT (who work in the same small building as accounting), it is great.

      In your case, MAC filtering and requiring all IT related purchases to be approved through your department would make life much easier.

      --
      "We don't know what we are doing, but we are doing it very carefully,..." Wherry, R.J. Personnel Psychology (1995)
    5. Re:If this were 2003..... by JoeZeppy · · Score: 1
      the place where I work has gone to a simple policy: ALL computer-related purchases MUST go through the IT department then the accounting department. If one doesn't squash it the other usually does

      And have you gone down to the local Best Buy and told the employees there that under NO circumstances are they to sell any computer equipment to your employees?

    6. Re:If this were 2003..... by straybullets · · Score: 1

      Ain't it easy these days to change or masquerade a MAC address?

      --
      With that aggravating beauty, Lulu Walls.
    7. Re:If this were 2003..... by DarkSarin · · Score: 1

      No, and that isn't necessary if you use MAC filtering. Think about it--if they can't get work money for spending on something to use at work, then they are much less likely to run to Best Buy. If they also can't hook it up to the company network, then they are even less likely.

      So no, we haven't, but that isn't necessary.

      --
      "We don't know what we are doing, but we are doing it very carefully,..." Wherry, R.J. Personnel Psychology (1995)
    8. Re:If this were 2003..... by _Sprocket_ · · Score: 2, Informative
      It is a shame that they allow these agencies to receive funding or for their IS / IT departments to still have jobs.

      There are several issues here.

      First - the money tends to be tight in government IT. This leads to some impact on hardware but a much, much larger impact on personnel. Government IT shops just don't pay what they should. So you either end up with a staff of the best you could afford (but far from the best) and / or a select few dedicated, really good people who are vastly over-worked.

      Secondly - the US Government is the ultimate bureaucracy. It rarely resembles a meritocracy in any shape or form. Civil Servants tend to end up in IT positions for any reason other than technical competence. Consequently, IT contracts tend to be fairly inconsistent when it comes to technical performance (although the metrics will always show otherwise).

      Finally - this is a security issue. IT shops are concerned about making widgets work, not making them secure. When the pressure is on due to limited funds and limited competence, IT will err on the side of functionality; they'll get a widget running. That tends to tip against the inverse relationship with security.

      Having said that... the one thing that I like about that statement is the fact that the Gov't bureaucracy lives and dies by its budget. Your group is only as powerful as your budget makes you. Fat budgets display and bestow power. So affecting an organization's budget is guaranteed to get their attention. The trick would be to do it in a manner that doesn't simply make the problem worse.

      One final comment - the US Government just isn't good with Infosec. There are notable exceptions. But as a whole, they make a soft target. Any kiddie who boasts about tagging a .gov is simply showing stupidity. The US Government is not strong in Infosec - but they fully know how to operate Law. Note that the recent stories about arrests and investigations connected with Cisco IOS code leaks didn't happen because of Cisco - they happened because the individual(s) involved also compromised a considerable number of Government systems.
    9. Re:If this were 2003..... by TWX · · Score: 1

      "I knew a guy who did that on a network of just 20 workstations. He was anal, and wouldn't give anyone else access to authorize MAC addresses. The other techs got rather irate, when they'd change a NIC, add a new machine, or whatever."

      Thing is, I know exactly which vendors we have ethernet chipsets (and therefore MAC addresses) from. I don't have to disallow all except certain specific addresses, I have to allow certain ranges that conform to known assets. Admittedly this list is fairly lengthy, but there are a lot that specifically shouldn't be on the network that we can later make exceptions for if the users call us.

      --
      Do not look into laser with remaining eye.
    10. Re:If this were 2003..... by Anonymous Coward · · Score: 0

      The users frequently don't call us when they get new equipment unless it doesn't work. With all of these wireless devices coming 'ready to go' out of the box, we don't usually find them unless we physically stumble across them or unless the DHCP server in the device is handing out addresses on the LAN at the site and therefore breaking connectivity for the users.

      So fire up your freaking laptop with a freaking decent WiFi antenna and freaking look for APs once in a while. Find the offenders and let your freaking manager deal with them. I doubt there are too many freaking government employees who are willing to lose their jobs just for the convenience of using WiFi.
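
The thread keeps circling one defensive idea: ccharles's "implement a wireless sniffer of your own", TWX's allow-list of the vendor MAC ranges the shop actually buys, and the advice just above to walk the site with a laptop looking for APs. As an added example (not code from the thread or from any product it mentions), the script below triages an on-site wireless survey against an AP inventory and the wired DHCP leases against known vendor OUIs; the inventory, the OUI values and the input records are all constructed for the demo, and the MAC-based checks are triage rather than access control because, as several posters note, a MAC can be changed.

```python
"""Rogue-AP and unknown-device triage from a wireless survey plus wired DHCP
leases.  Added example, not code from the thread or any product it names;
inventory, OUI table and input records are constructed placeholders."""
import re
from dataclasses import dataclass, field

# Access points IT actually installed: normalized BSSID -> expected SSID (constructed).
AUTHORIZED_APS = {
    "00:aa:11:00:00:01": "AGENCY-WLAN",
    "00:aa:11:00:00:02": "AGENCY-WLAN",
}
# OUI prefixes of the NIC vendors the organisation buys from ("allow known vendor
# ranges").  A real deployment loads the IEEE OUI registry; these are made up.
KNOWN_OUIS = {"00:aa:11": "ExampleCo access point", "00:bb:22": "ExampleCo desktop NIC"}
# Factory-default SSIDs that almost always mean an unconfigured consumer AP.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}
WEAK_ENCRYPTION = {"open", "none", "wep"}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; also accepts aa-bb-.. and aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set = locally administered address: never burned
    into a factory NIC, but what MAC-changing tools usually produce."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


@dataclass
class Finding:
    mac: str
    source: str  # "scan" or "dhcp"
    reasons: list = field(default_factory=list)


def triage_scan(scan_rows):
    """scan_rows: (ssid, bssid, encryption) tuples from an on-site wireless
    survey (constructed format).  Anything not in the AP inventory, or
    misconfigured, becomes a finding regardless of what MAC it claims."""
    findings = []
    for ssid, bssid, enc in scan_rows:
        mac = normalize_mac(bssid)
        reasons = []
        if mac not in AUTHORIZED_APS:
            reasons.append("BSSID not in AP inventory")
        elif AUTHORIZED_APS[mac] != ssid:
            reasons.append(f"inventory expects SSID {AUTHORIZED_APS[mac]!r}")
        if enc.lower() in WEAK_ENCRYPTION:
            reasons.append(f"weak or no encryption ({enc})")
        if ssid.lower() in DEFAULT_SSIDS:
            reasons.append("factory-default SSID")
        if mac[:8] not in KNOWN_OUIS:
            reasons.append("vendor OUI not on the purchasing list")
        if reasons:
            findings.append(Finding(mac, "scan", reasons))
    return findings


def triage_dhcp(lease_lines):
    """lease_lines: constructed 'timestamp mac ip hostname' records from the wired
    DHCP server; a consumer AP on a wall jack shows up here with its WAN-port MAC.
    MAC checks are triage only (a MAC can be forged); the air survey is the backstop."""
    findings = []
    for line in lease_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed record
        mac = normalize_mac(parts[1])
        reasons = []
        if is_locally_administered(mac):
            reasons.append("locally administered MAC (possibly cloned)")
        elif mac[:8] not in KNOWN_OUIS:
            reasons.append("vendor OUI not on the purchasing list")
        if reasons:
            findings.append(Finding(mac, "dhcp", reasons))
    return findings


# Constructed sample input: a good AP, an authorized AP someone switched to WEP,
# a consumer box with the default SSID, and three wired leases.
SCAN = [
    ("AGENCY-WLAN", "00:AA:11:00:00:01", "WPA2"),
    ("AGENCY-WLAN", "00:aa:11:00:00:02", "WEP"),
    ("linksys", "00:CC:33:12:34:56", "open"),
]
LEASES = [
    "2005-05-18T09:00:01 00:bb:22:00:01:02 10.0.5.12 desk-1234",
    "2005-05-18T09:01:44 00-cc-33-12-34-57 10.0.5.99 home-router",
    "2005-05-18T09:02:10 02:bb:22:00:01:02 10.0.5.77 desk-1234",
]

if __name__ == "__main__":
    for f in triage_scan(SCAN) + triage_dhcp(LEASES):
        print(f"{f.source:4} {f.mac}: {'; '.join(f.reasons)}")
```

Run against the constructed input it reports the WEP-downgraded inventory AP, the default-SSID consumer box (also seen on the wire through its unknown OUI), and the locally administered MAC on the desktop segment, while the legitimate AP and desktop stay silent.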

    11. Re:If this were 2003..... by budgenator · · Score: 1

      Maybe he should just buy a couple of FBI agents a beer and get them to play "Mr. Anderson and Mr. Smith" with somebody and make a couple of references to the PATRIOT act. Somebody using unauthorized access methods should be good for a few grins and giggles around the water cooler.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    12. Re:If this were 2003..... by JWSmythe · · Score: 1

      Actually, I was doing it a couple years ago, when I wanted to hide on random wireless networks, but still be blatantly obvious that I was there. :)

      I found myself without an Internet connection someplace I was staying. I found a point to point network about 4 miles across, with two high gain antennas pointing at each other. I happened to be sitting right between them, so I stuck up my low gain antenna, and got online with no problem. No MAC filtering, they had DHCP on, and I stayed online for a week. I did find it was a business later on. They didn't seem to mind, since I wasn't really doing much (checking mail, through a little PPPoverSSH tunnel).

      --
      Serious? Seriousness is well above my pay grade.
  8. This problem is a lot more common by PalmMP3 · · Score: 5, Informative
    The article mentions this problem only in regard to government agencies, but the truth is, it happens all over (in regular businesses) as well. I'm not talking about /.ers who get free broadband through their neighbors' open networks; I'm talking about businesses where one employee decides to make his life a little easier by setting up his own personal mini-network - but unknowingly putting the entire company's network at risk.

    Indeed, NetStumbler's help file even suggests such a scenario as one possible use for the program:

    "Wireless LAN Auditing

    A corporate network administrator needs assurance that the wired LAN is not being exposed to unauthorized users. This can often happen when users set up their own wireless LANs for convenience. Such wireless LANs often have little or no security, which poses a risk to the entire LAN. The network administrator can use NetStumbler to detect the presence of these "rogue" wireless LANs."

    At least now that this story has hit the news, perhaps more people will wake up to the danger and try to secure their critical networks (as long as they leave open at least one for me to use as a wi-fi hotspot ;-)).

    --
    Laughter is the best medicine, but in certain situations the Heimlich maneuver may be more appropriate.
  9. Really? by tengwar · · Score: 3, Interesting

    I'm always a bit doubtful of these surveys. Some companies run an open network, but to reach any network resources you need to set up a VPN. This avoids possible problems with air-side encryption (yes, I know there are many other solutions) and allows visitors to use the network.

    1. Re:Really? by petecarlson · · Score: 4, Interesting

      Doubtful? I have done consultations for companies that were having problems accessing their mail server because their computers were connecting to the company next door's APs. It seemed that both companies were using Linksys access points... SSID "linksys". The whole time they had been using each other's connections and neither had a clue.

      CP

    2. Re:Really? by jdreed1024 · · Score: 1
      I'm always a bit doubtful of these surveys.

      This sentence made me stop caring:

      GAO investigators were able to pick up Wi-Fi signals from outside all of the six agencies they tested

      In other news, your computer may be broadcasting an IP address that hackers could use to attack you.

      I mean if government agencies have fully open networks, and people can connect, get an IP (or find out enough about the netblock to make one up), and see data, sure that's bad. But then say that; don't waste time with stupid stuff like this. "Unauthorized activity" could mean a ping (seriously, I have dealt with network administrators who accused me of "hacking" when I attempted to ping a server - 5 pings, not ping -f or anything), or it could mean terrorists are editing the no-fly list as we speak. But this article is ~useless.

      --
      There is no sig, there is only Zuul.
  10. No surprise, Sherlock... by __aaclcg7560 · · Score: 3, Funny

    The reason why radio frequencies keep leaking out of these government buildings is because they removed the lead paint from the walls. Now they are going to spend a few million USDs putting the lead paint back on the walls. No wonder the White House is complaining about leaks to the media.

    1. Re:No surprise, Sherlock... by Anonymous Coward · · Score: 0

      Actually, I think the White House complaints have more to do with their eating that lead paint after it was pulled off the walls.

    2. Re:No surprise, Sherlock... by budgenator · · Score: 1

      Graphite sucks up microwaves much better than lead, just paint everything with graphite pigmented paint.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  11. Watergate by porp · · Score: 3, Funny

    Maybe in the next presidential elections concerning a power hungry, i-must-crush-my-opponent-candidate, there will be a wireless-tapping scandal that takes place in the parking lot of the Watergate hotel instead of the actual room.

    Obviously, that sets up Forrest Gump II where the Forrest character spots a couple of geeks trying to jump start their van because their surveillance equipment drained the battery.

    porp

    1. Re:Watergate by Seigen · · Score: 3, Insightful
      It's ironic that leaking of politically inconvenient information is probably one of the most effective ways to get security taken seriously, at least within one organization.

      Of course they may just label the people who intercepted the unencrypted information terrorists and use it as an excuse for why you must elect them ...

  12. The Pentagon Needs Aluminum Siding. by Anonymous Coward · · Score: 1, Funny

    Ah yes, aluminum siding! It will keep the wifi waves inside, and the death rays outside.

  13. Re:WiMax by xmodem_and_rommon · · Score: 1, Informative

    No... WiMAX is a paid-spectrum service, and is not intended for use by the general public. WiMAX is only for big companies that can afford the equipment AND SPECTRUM LICENSES to set up a hotspot. It will probably be used mainly to provide wireless Internet access to people - not to provide access to internal networks of companies or governments. It is simply not intended for that purpose.

    As far as WiMAX is concerned, I'd be more concerned about people with hacked equipment reading your traffic if I were you... but I don't know if WiMAX has any encryption.

  14. Are there any safe (hardware) protocols? by Phoenixhunter · · Score: 3, Interesting
    It seems that just about every form of current encryption has a proof of concept on cracking it. WEP, WPA, LEAP, IPSec, etc.

    About the only solution I've seen is the airFortress product that utilizes a client that encrypts all data and decrypts it through a hardware device that interfaces with the access points. Military has been using it for a bit.

    1. Re:Are there any safe (hardware) protocols? by Anonymous Coward · · Score: 0

      WPA, LEAP, IPSEC have all been cracked?

      Wow, links please!

    2. Re:Are there any safe (hardware) protocols? by ninboy · · Score: 1

      I know WEP is easy to crack, but I thought since WPA uses temporal shifting of keys, it would be very hard to crack. Have any links?

    3. Re:Are there any safe (hardware) protocols? by Hi_2k · · Score: 3, Interesting

      There's a distinction between a theoretical crack and a real one. Theoretically, I could try every 1024-bit key against my GAIM-Encryption messages, and I would eventually find the proper key to decrypt them. It's even possible that there are simpler ways to do it. However, what matters is that it will take sufficiently long that the data is no longer so sensitive. Knowing about next month's troop deployments in Iraq is of little use to terrorists in the year 2010.

      --
      When life gives you crap, Make Crapade.
      Sluggy Freelance.
    4. Re:Are there any safe (hardware) protocols? by tildebeast · · Score: 5, Interesting

      In the Army we use Cisco Aironets and Air Fortress products. Mostly we use it for PtP access to remote locations. However, there is software that can be installed on laptops that allows the client to connect while out and about in the motor pool. We have tried several times to crack our own system, each time resulting in failure. We can use a Linux box and Kismet, and other nameless tools, to crack into the multiple WEP keys, but the Air Fortress encryption eludes us. We have not had any unallowed access to our system in the 7 months we have been in Iraq.

    5. Re:Are there any safe (hardware) protocols? by Beryllium+Sphere(tm) · · Score: 2, Informative

      At a guess, the grandparent is referring to the possibility of dictionary attacks on WPA in Pre Shared Key mode and the recent announcement that if you run encryption without authentication in IPSEC then attackers can flip bits and see what happens.

      In other words, the crypto doesn't protect you against choosing weak passwords or against choosing a stupid combination of configuration settings in IPSEC.

      The crypto algorithms themselves seem to be holding up OK. If you use WPA as intended (with a Radius server) and use an implementation of IPSEC that doesn't make stupid choices for you then you're safe from the publicized vulnerabilities.

    6. Re:Are there any safe (hardware) protocols? by Anonymous Coward · · Score: 1, Informative

      I assume that this is the Air Fortress security product. Nice; it uses AES.

    7. Re:Are there any safe (hardware) protocols? by Anonymous Coward · · Score: 0

      Good to hear. Air Fortress solves this wireless problem.

      Period.

      Ever look at a sniffer trace of an IPsec connection? LOTS of useful stuff is sent unencrypted.

      Then look at a sniffer trace of an Air Fortress wireless connection.

      Yeah, it's an expensive proprietary VPN solution, but nothing else gives as complete end-to-end wireless protection.

    8. Re:Are there any safe (hardware) protocols? by matuscak · · Score: 1

      That looks to be a reseller. The real home for the Air Fortress products is http://www.fortresstech.com/

    9. Re:Are there any safe (hardware) protocols? by Anonymous Coward · · Score: 0
      Theoretically, I could try every 1024 bit key against my GAIM-Encryption messages, and I would eventually find the proper key to decrypt them.

      I'm nitpicking here, but no, you couldn't. Schneier gave a good explanation of why physics won't let you brute-force keys past about 200 bits or so. This is cut & paste from another site that quoted his book Applied Cryptography:

      One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzmann constant. (Stick with me; the physics lesson is almost over.)

      Given that k = 1.38*10^-16 erg/deg Kelvin, and that the ambient temperature of the universe is 3.2 deg Kelvin, an ideal computer running at 3.2 deg Kelvin would consume 4.4*10^-16 ergs every time it set or cleared a bit. To run a computer colder than the cosmic background radiation would require extra energy to run a heat pump.

      Now the annual energy output of our sun is about 1.21*10^41 ergs. This is enough to power about 2.7*10^56 single bit changes in our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to 2^192. Of course, it wouldn't have the energy left over to perform any useful calculations with this computer.

      But that's just one star, and a measly one at that. A typical supernova releases something like 10^51 ergs. If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.

      These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.

      All that said, those "long" keys (1024, 2048, etc) are typically referring to asymmetric ciphers, and breaking them depends on things like factoring large numbers, not sequentially testing keys. A 256-bit AES key is unbreakable, unless a flaw in the AES algorithm is found. OTOH, 256-bit RSA ... I wouldn't trust any anti-government subversive email to it in a police state.
    10. Re:Are there any safe (hardware) protocols? by Anonymous Coward · · Score: 0

      The VA also uses airFortress for wifi. Is it secure? That's what I wanted to know, but there is virtually no detailed information on this product in the public domain.

      The article was not clear on how they determined whether a network was "secure" or not. If they just checked to see if WEP was enabled, that may not be a fair assessment. Lots of times if something like airFortress is being used, WEP will be disabled.

    11. Re:Are there any safe (hardware) protocols? by Phoenixhunter · · Score: 1

      It doesn't matter if they use any encryption at all on the hardware side of the access points, the Airfortress product essentially encrypts everything on the user side with a software client, and then decrypts it past the access points with a hardware network appliance.

  15. big deal by j1m+5n0w · · Score: 2, Interesting

    So, some government agencies use unsecured wireless networks, and some people might even be leeching off of them for internet access. That might or might not be a real security issue, depending on if they're using their wireless network for sensitive applications and if those applications aren't using end-to-end encryption for their applications and if their wireless networks aren't firewalled away from the rest of their network. Perhaps the actual report describes the vulnerabilities in greater detail than this article, but I don't see how the mere presence of an unsecured wireless network is necessarily something to get worked up about.

    1. Re:big deal by nmos · · Score: 1

      So, some government agencies use unsecured wireless networks, and some people might even be leeching off of them for internet access.

      It sounds to me like "some" means "every one they tested".

      That might or might not be a real security issue, depending on if they're using their wireless network for sensitive applications and if those applications aren't using end-to-end encryption for their applications and if their wireless networks aren't firewalled away from the rest of their network.

      Well sure they might have taken steps to keep their important data secure while leaving the system itself wide open but doesn't it seem more likely that some moron simply plugged an AP directly into the network and it's broadcasting EVERYTHING to the outside world?

    2. Re:big deal by Bert64 · · Score: 1

      And if i ran the IT department at a government agency, i might consider setting up a fake wireless network that's not connected to anything else just to see who might try to connect..
      Interestingly, there is a wireless network called "MI5 Network" that appears to be located in an apartment near the MI5 headquarters in London. It's just some guy's home network, but because of its name and location people might mistake it for something else.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  16. ...WiFi Not Secure by Ziviyr · · Score: 0, Offtopic

    The story title seems wordy, here's the short version.

    --

    Someone set us up the bomb, so shine we are!
  17. Can't blame them the unauthorized entries. by WindBourne · · Score: 0, Offtopic

    You watch the government today and realize that the current mode is now to get what you can. GWB is busy getting his for himself and his buddies (Halliburton is getting the bulk of the Iraqi oil). They are squashing all attempts at stopping anybody from griping (the gal from the DOD who complained about the Halliburton deal, Edmunds has a gag order (www.justacitizen.org), a traitor is allowed to remain hidden in the White House, etc.). But it is not limited to the White House. Look at Tom DeLay, Campbell of Colorado (who resigned rather than be under heavy investigation, but it looks like indictments may still come down), etc. And while I do not mention the Dems here, there are plenty of them who are doing their best to get as much as they can.

    Sadly, I really do not blame those that come in through the back door when so many are simply stealing from the front door.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:Can't blame them the unauthorized entries. by eUdudx · · Score: 2, Interesting

      Quoted from parent mod'd off-topic:

      Sadly, I really do not blame those that come in through the back door when so many are simply stealing from the front door.

      WindBourne has a technical point, at the end of his non-Slashdot-compatible rant: even before wireless became useful/cheap/widespread, many folks feared any physical connection to a network that was "insecure"....for example, a Sun JumpStart server allowed (gasp) anonymous ftp access for images.

  18. Open WIFI == Good by xiando · · Score: 3, Interesting

    I know many disagree with me on this, but personally I think that open WIFI networks are a very good thing. And I encourage all Wifi administrators to open up their networks for all! This is quite safe if you secure the private services on the networks so random people only have access to the Internet. Think of it like this: You allow a few people to use the Internet from your home in exchange for being able to use the Internet when you are other places. If everybody with a Wifi does this then we will eventually have a global free Internet available everywhere for all. Again, having an open Wifi is no threat to you IF you simply secure the services running on the Wifi! And this is, in fact, a much better approach than having a firewall and relying on that for security...

    1. Re:Open WIFI == Good by balthan · · Score: 1

      I know many disagree with me on this, but personally I think that open WIFI networks is a very good thing.

      Hey, why not? The government does such a great job protecting our data as it is that I'm sure opening their networks would present no security problems whatsoever.

      As long as you're getting free internet access, it's all worth it.

    2. Re:Open WIFI == Good by Osty · · Score: 5, Insightful

      That sounds great, right up to the point where some pervert uses your open wi-fi to download child porn which is then traced back to your IP, or some l33t hax0r d00d tries to crack into military servers. And of course all of this is ignoring the fact that most ISPs specifically deny you the right to share your access this way. There are a few like Speakeasy that don't care or even encourage it, but Speakeasy's service sucks (I know, I had DSL with them for two years), and none of them legally protect you if someone using your connection does something illegal or at least against their AUP.

      You could go hardcore setting up a walled garden, authentication system, and the whole nine yards, but you really don't have to. Even doing something as simple as enabling WEP on your AP is enough for the casual browser. It's certainly not 100% secure, and anybody with malicious intent could easily crack your key in minutes, but that's not the point. It's a deterrent and a source of plausible deniability. A thief could easily pick the lock on your door, but the simple act of locking your door will keep most people out (the end goal). As well, the fact that you took some measure means that you can't be held responsible when the thief who picked your lock and stole your shotgun later goes on to shoot up a school or convenience store.

    3. Re:Open WIFI == Good by Chran · · Score: 1
      Again, having a Open Wifi is no threat to you IF you simply secure the services running on the Wifi!
      That is so wrong, it's not even funny. What happens when someone decides to do something illegal using your open AP?
    4. Re:Open WIFI == Good by bsiggers · · Score: 0

      Interesting point regarding plausible deniability - say if someone *does* grab your WEP key and downloads child porn or hacks into the pentagon from your IP, you might have a harder time denying that it was actually you that was doing this stuff than if your WLAN was wide open without any protection at all.

    5. Re:Open WIFI == Good by ajs318 · · Score: 1

      Then you have Plausible Deniability.

      Suppose a car rental company rents out a car to somebody who uses it to travel internationally and pick up a large stash of child pornography {in printed form}, class A drugs or weapons of mass destruction. Is that car rental company in any way legally complicit in the offence?

      In the same way, you would not be found complicit if some third party does something with your network that you could not prevent outright, but would rather they didn't anyway. Just make sure outside connections are logged and users are aware of it. But that comes under the heading of "reasonable precautions" anyway.

      The radio spectrum is a shared resource, and whether you like it or not, somebody is always going to be trying to use your wireless network. Nothing short of a Faraday cage around your perimeter is going to stop them if they're really determined. What's more, if you make it too hard to get in, you'll annoy them. It's better to limit the damage people can do if they get in, than to assume that they won't get in.

      --
      Je fume. Tu fumes. Nous fûmes!
    6. Re:Open WIFI == Good by yppiz · · Score: 1

      From the parent post:

      (running an open access point) sounds great, right up to the point where some pervert uses your open wi-fi to download child porn ...

      Right now, there are a zillion anonymous proxies on wired connections. It's far more likely and convenient for J. Random Hacker to connect to one of these always-on proxies that are available from anywhere in the world than to get within 100' of your fiddly little access point.

      If you're really worried about someone within 100' of your house doing something bad, sure, create a lead-lined bunker, put up chicken wire to keep the signals from leaking out, run encryption, etc.

      Or, do what SFLan and hundreds of other metropolitan open wireless networks do -- stop worrying and share.

      --Pat

    7. Re:Open WIFI == Good by Anonymous Coward · · Score: 0

      It's always back to kiddie porn... *sigh*

    8. Re:Open WIFI == Good by FireFury03 · · Score: 1

      Right now, there are a zillion anonymous proxies on wired connections.

      It's actually pretty hard to _guarantee_ you are anonymous on the internet. If you use an anonymous proxy then your IP will be hidden from the end web server you are contacting, but there is *no way* to know if the anonymous proxy is keeping logs. The authorities can track your web accesses back to the proxy, and if the proxy is keeping logs then it's very easy for the authorities to get the logs through a court order and tie the web server accesses to your real IP address.

      The only way to guarantee an anonymiser isn't holding incriminating evidence against you is if you administer it yourself... and in that case you're probably screwed anyway.

    9. Re:Open WIFI == Good by Anonymous Coward · · Score: 0

      Explain to me how requiring everybody to pay for an ISP in order to have a working WAP (because you do need service) is 'free'?

      Unless the protocol is changed and all the boxes can route through each other ala 'meshbox', your idea will never be free.

    10. Re:Open WIFI == Good by not-real-sure · · Score: 1

      I disagree with your comment on Speakeasy service. I have had it for over 3 years 16k+ feet from my CO and get reliable service with 1.5 / 786 service. I also get 3 IP addresses to use. 1 IP is dedicated to my wireless access point so I can share my services and not endanger my home network in the process. I use IPSEC to connect to my home network via the wireless.

      --
      My Doom. The gift that keeps on giving
    11. Re:Open WIFI == Good by b0bby · · Score: 1

      I agree too - I had Speakeasy for years & was always happy with the service.

    12. Re:Open WIFI == Good by Anonymous Coward · · Score: 0

      Or it can go like this:
      Prosecutor: So you had all of these measures to protect your access point?
      You: Yes
      Prosecutor: So most of the people here in this courtroom probably couldn't just go out and connect to your access point?
      You: Correct
      Prosecutor: So what you are saying is that the offending/illegal network traffic must have originated from your computer, which is connected to the access point?
      You: Ummm...

      "Sound of jail door slamming"

  19. Eureka by namedcowards · · Score: 0, Offtopic

    Grad students like me are in for big funding! Yes I don't mind getting paid for setting MAC filtering and WEP key.

  20. Wrong metal!Re:The Pentagon Needs Aluminum Siding. by Anonymous Coward · · Score: 2, Funny

    No, it should be tin, not aluminum. Does aluminum protect you from the mind-control rays of the secret government? No, but tin does. Does aluminum protect you from Bush's thought police? Nope, only tin can protect you. So, if we wrap all of the government buildings in tin, we'll all be safe from their harmful effects (except all the legislation, of course. However, if we forget to poke air holes...).

    Some of the older posters might point out that "tin foil" caps were good enough to protect them from the government's mind control and thought reading devices of their day, "and it outta be good enough for you". I concur, however, "tin foil" no longer contains tin! Yes, it's really aluminum foil, and people just still call it tin foil. This was a plot by the government to fool people into believing that they were safe from government control. Soon, the black helicopters will be hovering over your doublewide as black-clad stormtroopers burst into your home and disappear you.

  21. Re:WiMax by petecarlson · · Score: 2, Informative

    You were so close to being partially right but you're wrong. Yes, WiMax devices can be made in the licensed spectrum, but they can also be used in the unlicensed spectrum. It is likely that we will see 5.8 GHz WiMax gear in the US as the "listen first" protocol required in the opening of 5.3 is not compatible with the polling protocol specified in the WiMax standard.

    CP

  22. erm .. And? by Anonymous Coward · · Score: 0

    Wireless network connectivity is nothing new to the US government. I assume they are talking about DSSS when they refer to WiFi. There is no mention of Frequency Hopping systems that they have been using for years.

    And in other news, the sun is bright, ice is cold and the new Star Wars flicks aren't as good as the originals....

  23. Re:WiMax by iconworks · · Score: 1

    maybe a better technology will pop-out soon. but WiMax will stay just like floppy-drives here in Asia.

    --
    RLLQ | http://iconworks.org
  24. open wi-fi + insecure clients = disaster by Bernie · · Score: 1

    Er.. if two computers connect to the same access point, won't they have direct access to each other? And.. if you're not relying on firewalls to protect you from each other you will get to show your ignorant laptop-owning friends how to remove their worms your other ignorant friends (or passers-by) kindly infect them with... the hard way.

  25. Not at all by WindBourne · · Score: 1

    What the GP is saying is that you should already have all your boxes secured or should set the wifi up in a DMZ. Keep in mind that the vast majority of systems are cracked by locals. That is, from somebody within the company, not out on the internet. So all boxes should be secured from the get-go. Likewise, if your box will get a worm from a box that is connected, it will almost certainly get it from the employee box that went home at night, was hooked in, and then surfed some site that does worms such as ninenine.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  26. Issues by Exter-C · · Score: 1

    One of the issues with many government organisations is that the IT is not managed by a central location. Often policies differ from location to location, state to state etc. Having a uniform policy centrally managed across the entire organisation would be a good start for many government organisations that I have come into contact with when working with a tier 1 networking vendor.

  27. Most Companies stray away from WiFi by Ecko7889 · · Score: 1

    My father works for Boeing, and everything has to be hardlined. There is a company ban on any "secure data" being transferred by any wireless protocol. This ban came when the scare of serious wifi security measures being hacked arose. The government is smart to stay away from wifi, until a more secure type of encryption is enabled. Maybe possibly a private "wifi protocol" specifically for the government?

    --
    $sig$
    1. Re:Most Companies stray away from WiFi by Zemplar · · Score: 1

      Boeing is smart.

      I do some sideline consulting for small local businesses, and I always recommend to stay away from wireless if they can. If they can't, I tell them about the expense of good equipment and the need to have it checked and updated frequently to avoid such security breaches. This, in turn, is usually enough of a deterrent.

      Hell, what's one less wire?

  28. This is the fault of consumers and the WiFI makers by Anonymous Coward · · Score: 5, Insightful

    There is a wonderful solution to all of the wireless security issues:

    802.11i

    802.11i not only plugs all of the holes in WEP, it also uses AES encryption to get around all of the potential problems with RC4.

    Right now, as I speak, err write, I can not buy an 802.11i compliant router with AES encryption. I've looked at Netgear's site. I've looked at Linksys's site. I've looked everywhere. There was a bunch of discussion about how 802.11i was going to be the next great thing in mid-2003, then a deafening silence.

    If I want 802.11i right now, I can't get it.

    I think the fact of the matter is that your average user is not willing to pay more than $50 for a wireless router. It is, of course, possible to make AES work fine with a router at that cost, but it is going to take a good deal of economies of scale in action to make a 1,000,000-transistor chip for implementing AES affordable at that price point.

    802.11i is just not a buzzword in the buzz machine that all the tech magazines use. Until it becomes a buzzword, wireless networks will continue to be insecure.

    (There is also a lot to be said for 802.11i being deployed on a wide enough scale that AES becomes ubiquitous. I would like to see special AES-specific op codes on x86 chips and have $5 co-processors available that can do AES at 100Mbps)
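    The RC4 problem the post above says 802.11i gets around, shown as an added example (not code from the original thread, and not any vendor's implementation): WEP transmits a 24-bit IV in the clear and seeds RC4 with IV || shared key, so two frames sent under the same IV share one keystream, and XOR of the two ciphertexts is XOR of the two plaintexts. One predictable frame body then recovers the keystream for every other frame that reused that IV, and with only 2^24 IVs the birthday bound makes a repeat likely after a few thousand frames. The 40-bit key, the IVs and the frame bodies are constructed sample data, and the CRC-32 ICV that real WEP appends is omitted because it does not affect the point.

```python
"""WEP-style RC4 keystream reuse under a 24-bit IV.

Added example, not code from the original thread. WEP transmits a 3-byte IV in
the clear and seeds RC4 with IV || shared key. Two frames under the same IV
therefore use the same keystream, so C1 XOR C2 == P1 XOR P2, and one known
plaintext recovers the keystream for every other frame with that IV.
The key, IVs and frame bodies below are constructed sample data; the
CRC-32 ICV that real WEP appends is omitted (it does not affect this point).
"""
import math
from typing import Optional


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) then n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP sends it: cleartext IV, then RC4(IV || key) XOR data."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: re-derive the keystream from the cleartext IV."""
    return xor_bytes(frame[3:], rc4_keystream(frame[:3] + shared_key, len(frame) - 3))


def xor_of_plaintexts(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """Attacker with no key: if the cleartext IVs match, the keystreams match,
    so XOR-ing the two ciphertexts cancels RC4 and leaves P1 XOR P2."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])


def decrypt_with_known_plaintext(known_frame: bytes, known_plain: bytes,
                                 target_frame: bytes) -> Optional[bytes]:
    """Attacker who knows one frame's content (ARP and DHCP bodies are highly
    predictable) recovers that IV's keystream and decrypts any other frame
    that reused the IV, up to the length of the known plaintext."""
    if known_frame[:3] != target_frame[:3]:
        return None
    keystream = xor_bytes(known_frame[3:], known_plain)
    return xor_bytes(target_frame[3:], keystream)


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: with IVs chosen at random, a repeat is expected after
    about sqrt(pi/2 * 2**iv_bits) frames, i.e. a few thousand for WEP."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = bytes.fromhex("0a0b0c")               # constructed IV, reused below
    p1 = b"GET /index.html HTTP/1.0\r\n"       # constructed frame bodies
    p2 = b"POST /login?user=admin HTTP/1.0\r\n"
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    print("P1 XOR P2 leaked:", xor_of_plaintexts(c1, c2) == xor_bytes(p1, p2))
    print("P2 from known P1:", decrypt_with_known_plaintext(c1, p1, c2))
    print("frames until an IV repeats (24-bit): %.0f" % expected_frames_until_iv_repeat())
```

    Note that the attack never touches the shared key: the receiver in `wep_decrypt` needs it, the attacker in `xor_of_plaintexts` does not. A per-frame key derived from a large, never-reused nonce is what removes this class of problem, which is the design change behind the AES-based 802.11i the post asks for.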

  29. Do /.'s consider WPA "good enough"? by WoTG · · Score: 2, Insightful

    How secure is secure enough? From what I can see in almost every office I've been in, finding a way to steal data (not necessarily digital format) is relatively easy. So should we really expect "perfect" security from WiFi networks?

    Clearly unencrypted wireless is out, WEP too. But how about WPA? I personally feel that running VPN over WiFi would be best, but for many small businesses, the added complexity is hard to justify.

    Let me put this another way, what do /.'s use at home?

    1. Re:Do /.'s consider WPA "good enough"? by xmodem_and_rommon · · Score: 1

      WEP, with a 128 bit key and MAC filtering, and SSID broadcast disabled

      Yes I know it's insecure, but the WPA on my router is buggy (drops out about once every 3 seconds) and it's better than nothing.

      Besides, all it's used for is web browsing and IM from my laptop.

      (BTW the router is a Netgear WGR614 (v4). Because of the embedded Linux, I will probably replace it with a Linksys WRT54G soon)

      No i dont consider WPA secure enough for a company. Personally I'd set up an open (unencrypted) wifi hotspot with a VPN server connected.

    2. Re:Do /.'s consider WPA "good enough"? by Anonymous Coward · · Score: 0

      I use a D-Link router, WEP encryption 64 bits, MAC filtering

      It's impossible to hack my WLAN. 1) I live in a really small place, no one would want to hack me, 2) the WLAN is broken

    3. Re:Do /.'s consider WPA "good enough"? by BaudKarma · · Score: 1

      Stealing data might not be that difficult. Stealing data without anyone knowing that the theft occurred is somewhat more difficult. If you break open a door, jimmy a file cabinet, steal a laptop... someone will notice, and security will presumably be improved to prevent that from happening again. You can break into a wireless network without anyone noticing, and you can steal data for a long, long time.

      At home I've got 128 bit WEP and SSID turned off. It would require a few minutes of effort to break in, and there's really nothing on my system that would justify even that minimal effort. I'm a very boring person. Also, there are plenty of unsecured networks in my area, so it's unlikely that someone will hack me just to get net access.

      --
      It's the land of the brave, and the home of the free
      Where the less you know, the better off you'll be.
    4. Re:Do /.'s consider WPA "good enough"? by servo335 · · Score: 1

      I use WPA TKIP with MAC filtering at home. I do broadcast the SSID but I have DHCP disabled.

    5. Re:Do /.'s consider WPA "good enough"? by Anonymous Coward · · Score: 0

      At home, I run a RADIUS server with an LDAP server back end and use WPA. I support TTLS with PAP (for Linux) and PEAP with MS-CHAPv2 (for Windows) for authentication.

    6. Re:Do /.'s consider WPA "good enough"? by RandomJoe · · Score: 1

      I "administer" (if you can call it that) two WLANs. One at home, one at work. The one at work is NOT the company's LAN, it is a separate DSL line we use for our remote monitoring contracts because the corporate LAN firewall is way too strict...!

      At home, all I do in the AP is filter MACs. That's just to keep the random neighbor from taking advantage of an opportunity. The AP plugs straight into a separate NIC on my firewall machine, and all you can get is an IP. From there, you have to run a VPN. For my home network I use OpenVPN, since it's so easy to set up. I also pass the Cisco VPN for my work laptop straight out the cable modem.

      At work, I don't even filter MACs on the access point. Due to our building's construction, I'm doing good to get a usable signal near the outside walls IN the building. The minute I walk outside I get nothing. (My office where the AP is sits dead center.) Granted, someone with a high gain antenna could probably get a signal. The AP plugs into a Linux firewall box that MAC filters. To be honest, we aren't all that concerned about someone managing to use it for anything. It's just a mostly-unused DSL line!

      Having had such success using OpenVPN at home, I am considering implementing it at the office as well. I would *like* to be able to instead just open up access so visitors could use it, but I can't even allow just anyone in my office to. Several were already caught with porn on their work machines. Whatever you may feel about that, I won't condone it. (Especially since the company certainly doesn't.) I have to wonder when people can't abstain for eight hours until they get home...

    7. Re:Do /.'s consider WPA "good enough"? by heydonms · · Score: 1

      nothing

      my AP is entirely open so anyone can connect. It then goes to a router which limits wireless clients access to the LAN and internet, it works well for me.

  30. Re:This is the fault of consumers and the WiFI mak by blowdart · · Score: 1
    It's not just the router remember, it's the NICs that need support as well. It's all very well having great encryption on your router, but if your users' machines don't have the option to use it then you have to use the lowest common denominator.

    For example XP now supports WPA2, but even if you get a router that has it neither Toshiba nor Dell appear to offer NIC drivers that support it.

  31. Re:This is the fault of consumers and the WiFI mak by cidViscous · · Score: 1

    even when it becomes a buzzword (and you know it will--just look how long it took Bluetooth to make it to the mainstream...) it will be very difficult to get everyone to switch out the old hardware. there will be plenty of insecure legacy hardware floating around long after the government (and corporations and private users) have started buying nothing but 802.11i, and what many of these users (and even admins) don't realize is that any hole behind the security perimeter is still a hole--and that makes the whole network vulnerable... but you're definitely right--we need to get it out as soon as we can.

    --cid

    http://cidviscous.blogspot.com/

  32. Thin client by Colin+Smith · · Score: 3, Informative
    Seriously!

    I don't suppose you really have any control left but when things are getting that bad it's your only sane option. (It's the only sane option when you're getting to 100+ clients anyway). Allowing users to design your IT infrastructure is pure madness, entropy inevitably turns your network to mush.

    Even Windows Terminal Server, expensive as it is, is better than 25,000 desktops. We use LTSP and an array of Linux and Sun servers[1] tied together with Sun Grid Engine[2] to provide what the users think of as a single system, "The Grid". It was a remarkably easy sale to management, but we were coming from a largely Unix environment. It's a bit more difficult with Windows; the array of smallish servers approach is far more expensive to implement than Linux.

    [1] many of them ex workstations and desktops.

    [2] Though Condor looks like a good option.

    --
    Deleted
    1. Re:Thin client by Oriumpor · · Score: 1

      Unfortunately there aren't linux advocates with truckloads of money to convince the PHBs to give free a chance. If it doesn't get sold to the higher ups on the back 9 with promises of kickbacks it probably won't be sold.

      On top of which gov't agencies require things like Access and hell some even require *gasp* Dos to run their interdepartmental reporting applications. Possible to run in a TS environment, but not quite a cakewalk to manage the tens (hundreds?) of such applications 25,000 users would require.

      Now, as to preventing wireless access points and the like. It's not about preventing uber hackers from getting on the network, it's about preventing joe-sixpacks from plugging in and having an access point.

      25,000 users is a lot but not unmanageable. DHCP whitelisting is a good step towards enforcing policy on the calibre of worker you end up with in a bureaucracy.

      Still, who needs a computer, most government employees are willing to give you any information they have at their fingertips for a short cordial conversation with a stranger. I'd start there, and the computer based problems become much easier to communicate to users.

    2. Re:Thin client by Colin+Smith · · Score: 1

      "not quite a cakewalk to manage the tens (hundreds?) of such applications 25,000 users would require."

      Or think they do. It's all about control, either you have it or you don't. With desktops the amount of effort you have to put in to manage and maintain control increases directly in proportion with the numbers of machines, even with management tools like SMS. By the time you get to 25,000 you need a staff of hundreds or you lose control of basically everything as chaos sets in. You have lost control and are simply firefighting the biggest problems for whomever is shouting loudest.

      With thin client the effort required to manage systems increases logarithmically. 100 servers are as easy to manage as 10. This leaves your staff free to do useful stuff like security checks, disaster recovery testing etc.

      --
      Deleted
  33. Re:Wrong metal!Re:The Pentagon Needs Aluminum Sidi by hotdiggitydawg · · Score: 0

    Actually, aluminium is sufficient for a Faraday Cage to keep the WiFi in. The mind-control rays, on the other hand...

  34. Not surprised!!! by Madas · · Score: 1

    I saw a similar story on SC's Website link

    --
    The latest gadget news and reviews. www.absolutegadget.com
  35. Secure Wireless for Government by DaemonTW · · Score: 4, Informative

    Solutions exist to implement secure WiFi, but it comes with a cost.

    Harris makes an encrypted PCMCIA 802.11b based card that has high grade encryption built in. It certainly makes the system impossible to get into, but they're far from cheap ($2k+).

    Product: SecNet11

    In the end, a lot of the exploitable networks comes from either poor management, lack of information or lack of control within government areas.

    --
    www.techwatch.com.au
    1. Re:Secure Wireless for Government by Anonymous Coward · · Score: 0

      They are great devices, but you can't buy them unless you are US Gov. And then, you have to have a guard with each end of the link or keep it in a secure area. No MAC sniffing, no ssid sniffing. Nothing but noise on a channel.

  36. Re:This is the fault of consumers and the WiFI mak by terminal.dk · · Score: 1

    My Linksys WRT54G does support WPA with TKIP and AES encryption.

    Sure, it is not AES at the low level as 802.11i, but it is AES instead of RC4.

  37. Why ? by Digital+Warfare · · Score: 0

    Why is an agency with anything to do with the Government using WiFi? Bit stupid imo.

    The fact I can pickup some guys WiFi across the road from my couch in my bedroom indicates people aren't hot on security, he doesn't even encrypt !

    --
    "Sweet llamas of the Bahamas !"
  38. Re:This is the fault of consumers and the WiFI mak by Anonymous Coward · · Score: 0

    Is this a stock WRT54G, or is this one with a modified firmware (which seems possible, since these Linksys beasties run Linux and the source is available)? I can't find anything about AES in the supplied documentation.

  39. Is VPN enough? by ksp · · Score: 1

    I have considered setting up a VPN for my home net so I can forget about WEP. Use L2TP or even PPTP so the Windows machines can have a simple way to connect, Linux is handled by myself.

    However, what about the risk that a laptop may not have a decent personal firewall? It gets cracked (or runs malware in the first place), it connects over the VPN since I trusted the user the last time he visited - suddenly the malware has a route to my servers. Or theoretically a cracker could attack the client machine through the WiFi link, right? Then it doesn't help much that the AP is secured and only allows a VPN client to connect, if my neighbor cracks someone's laptop while they are connected through the VPN.

    --
    What is the sound of one hand clapping?
    cat /dev/null > /dev/audio
  40. No by harris+s+newman · · Score: 2, Interesting

    I have implemented wifi for several parks for a large city. We place the network on the outside of our internal network. We allow anyone to connect to the network after agreeing to a pop-up stating our acceptable use policy. Exactly how can this be conceived as insecure?

    1. Re:No by Anonymous Coward · · Score: 0

      Did you stop to think of all the users who won't see that popup for any of a billion reasons, and can connect to that network without agreeing to anything?

    2. Re:No by harris+s+newman · · Score: 1

      Uh, could you be more specific? I've used this system for over a year, and have NEVER had a situation in which the popup didn't occur. Being somewhat knowledgeable of computers, I find it an interesting theory that some users wouldn't see the popup; you mention billions of reasons, maybe a specific example of one would be helpful?

  41. Some devices DO support 802.11i RIGHT NOW by docstrange · · Score: 1

    With a Linksys WRT54G and this new "beta" firmware (Linksys release, not 3rd party) you can have WPA2 right now.
    ftp://ftp.linksys.com/sg/support/download/broadband_router/WRT54G_WRT54GS/WRT54GWRT54GSBeta_Firmware_for_Wireless_Transfer_Issues/
    You'll need to have a card that supports WPA2 in the drivers as well. There are a few out there.

    --
    Remember that you are unique, just like everybody else.
  42. Army does it a bit better. by mgargett · · Score: 3, Informative

    Check out the Army's wireless BBP:
    http://www.igov.com/informationtech/contracts/BBP%20Wireless%201_25(Final).pdf

    I can't link to the original because it's behind Army infrastructure, but I found a link out in the real world. It's not too bad. On Army installations, you are required to do layer 2 encryption, which is pretty good. However, the "road warriors" are not required to do layer 2 on the road. Layer 2 is not an easy thing, as we are finding...

  43. Re:Wrong metal!Re:The Pentagon Needs Aluminum Sidi by userlame · · Score: 1

    ...I concur, however...

    I do not think that word means what you think it means.

  44. And you trust your retirement to these folks? by toupsie · · Score: 1

    I don't know if I want to trust a part of my retirement to a group of folks that can't set up even the most basic Wifi security. I am sure they even overpaid for the access point...

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
  45. My 2.5M, trailer mounted dish... by Senor_Programmer · · Score: 1

    does a great job with WiFi reception from a km away.

    It's radio. It's not held back by windows. The 'good stuff' happens in the 'big guys' office. His office is high in the building with the nice view. The view goes both ways. The new Athlon 64 box is damn fast!

    Now all I need is some surplus 'camo' paint.

  46. Government Wireless by kilodelta · · Score: 1

    It isn't just wireless. Even government wired isn't the most secure thing.

    The problem is that there isn't funding to put BlueSocket on wireless for government networks. Nor is there money to put a proper firewall in many instances.

    Government flies by the seat of its pants.

  47. Well.. by jav1231 · · Score: 1

    You're already using Windows, aren't you accepting a certain level of insecurity anyway?

  48. Government employees? by NineNine · · Score: 1

    c'mon, be serious. We all know that government employees don't actually *work*. They're certainly not going to work in a cafeteria, during their federally-mandated 3 hour lunch break each day.

    1. Re:Government employees? by Skater · · Score: 1

      3 hour lunch? Yeah, right. That would seriously screw up my 11 a.m. to 2 p.m. work day. ;)

  49. News at 11 by spikedvodka · · Score: 3, Funny

    WiFi is insecure when used improperly

    and in other news

    The government is still a bloated inefficient model of stupidity

    Water is still wet

    and

    New study proves that Fish's skin is wet

    --
    I will not give in to the terrorists. I will not become fearful.
    1. Re:News at 11 by Anonymous Coward · · Score: 0

      Actually, it's "All native species of fish were found susceptible to drowning."

  50. Re:Wrong metal!Re:The Pentagon Needs Aluminum Sidi by userlame · · Score: 2, Funny

    Scratch that. I'll be heading to my local bookstore for a reading comprehension book posthaste. Do they make books about reading comprehension? That blows my mind.

  51. Re:This is the fault of consumers and the WiFI mak by jon787 · · Score: 1

    mmmm encryption co-processors

    I've been thinking of getting one for a long time. SSH, SSL, TLS, they all use AES as their strongest cipher. I also have IPsec and loop-aes set up, so I have even more reason to have one of those cards.

    --
    X(7): A program for managing terminal windows. See also screen(1).
  52. MOD PARENT UP!! by Futurepower(R) · · Score: 1, Insightful

    MOD PARENT UP!! Interesting.

  53. Here you go by PhraudulentOne · · Score: 1

    Check out the Proxim AP-700. It supports 802.11abg, 802.11i AES, etc.
    Proxim also has other APs that support 802.11i. I think the D-Link 7200AP also supports 802.11i, but I may be wrong. Oh yeah, and you can get 'em "right now."

    --
    You create your own reality - Leave mine to me.
  54. Not surprised. WiFi's too effin' complicated. by crovira · · Score: 2, Interesting

    For what it does, displacing/replacing the cost and aesthetics of cat5 cable, wireless does a very bad job of it.

    Quite apart from the security aspect, which was handled by slapping WEP on it, it's a mess.

    It can and does work with extremely simple networks (one transmitter, many receivers,) but it is absolutely terrible at topologies with repeaters.

    Apple's AirPort and 'Bonjour' (previously called 'Rendezvous') is one of the worst at letting you build network topologies.

    I have scrapped my AirPort base and a couple of 'pucks' because I, a friend AND a network guy I paid for were unable to set up my network.

    I am now running a network of Macs and Windows PC on a single LinkSys wireless router because I'd had one since moving to my new place and NOT laying down some cable.

    It was simple, secure (WEP & destination addresses so only a few IP addresses are actually exposed and port filtering,) and easy to install.

    As for AirPort, Apple's vaunted skills at GUI utterly failed them this time. It's a dog's breakfast of confusing and seemingly contradictory options, 'build' directions and concepts which just don't friggin' work.

    I'm out $300 bucks on the AirPort equipment but two guys and myself are much wiser when it comes to wireless. Friends don't let friends buy AirPort.

    Nice try Apple, but building networks should not be magic where you're never sure if doing one thing just undid another.

    Your current GUI approach is totally inadequate, TOTALLY.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  55. Not the FDA though by BitterAndDrunk · · Score: 2, Interesting

    The FDA IT department is actually pretty good. They've disallowed all wireless routers, and actually patrol the halls of the Fisher Lane building (the main HQ for the FDA, located in Rockville, MD) sniffing for illegal wireless routers to shut down.

    If they can ever get away from the "use two consulting firms in an adversarial role" implementation model, they might see some benefits to their IT advances.

    --
    You better watch out, there may be dogs about . . .
  56. Wifi Blocking Paint by Stonent1 · · Score: 1

    It's available. Companies should look into it. Paint all exterior walls with it and it could help with the issue.

    1. Re:Wifi Blocking Paint by Creepy+Crawler · · Score: 1

      Just don't eat the paint chips ;P

      Wonders for lead paint ;)

      --
  57. Link to the actual report. by jeblucas · · Score: 2, Informative

    This might be "US citizen's-only" technically, but the report itself is available on the web here. It's a 1.5MB PDF. You can also request a free printed copy of this or any GAO report here. (This report is GAO-05-383.)

    --
    blarg.
  58. You're confusing this with another issue by fizbin · · Score: 1

    The FCC will spank down anyone who tries to enforce "don't broadcast your evil wifi radio waves into my airspace/apartment complex/living room". However, anyone is free to say "don't connect my wired network to wireless", assuming that the network is indeed theirs.

    This has usually come up in the context of landowners (airport operators, universities acting as landlords to "off campus" housing, etc.) trying to enforce a monopoly on wireless internet access while on their property. However, in the US the FCC regulates the wireless spectrum exclusively, hence the smackdowns on all "thou shalt not broadcast" prohibitions. (Related smackdowns occur occasionally against homeowners' associations who try to prevent an FCC-licensed ham radio operator from putting an ugly-looking antenna in her yard.)

    But the issue of offering connectivity to a particular (non-public) network through an unauthorized interface is something else entirely.

  59. Confused by Lovesquid · · Score: 1

    From TFA: At one agency, 90 laptop computers were configured to search for a wireless connection while they were plugged in to a wireless network -- an easy way in for snoops and hackers.

    How does one "plug in" to a wireless network?

    1. Re:Confused by Anonymous Coward · · Score: 0

      I applaud your complete lack of imagination.

  60. Let me guess by Anonymous Coward · · Score: 0

    The SSID was named linksys....

  61. wha wha wha wha by jesusfingchrist · · Score: 0

    the govt doesn't actually care. this is just a study someone did to 'look busy'. if the govt cared this problem would not exist in the first place.

    --
    "Freedom and Justice for All" is a registered trademark of The United States Govt Inc. Not available in all areas.
  62. DHCP is a giant security hole. How to fix it... by Anonymous Coward · · Score: 0

    we don't usually find them unless we physically stumble across them or unless the DHCP server in the device is handing out addresses on the LAN at the site and therefore breaking connectivity for the users.

    We forbid DHCP "blanket use" on our network. We have a DHCP/BOOTP server for only one purpose: to hand out reserved leases for a handful of legacy network printer devices which can only get an IP address that way.

    Here's how we solve the problem of unauthorized IP address assignments: I set up a Linux box with a shitload of IP aliases on its eth0. Every device on our network has a manually assigned fixed IP address. All IP addresses that are unassigned are put into that Linux box as IP aliases; in essence our entire address space is filled. If anyone tries to connect an unauthorized device with an address the user just picked out of our address space, he gets a duplicate address collision and we find out about it right away. When we need to add another legitimate device to our network, we remove the IP address from one of the aliases on the Linux box and assign it to the new device.
    Sure, it's a hassle to admin this mess, but it guarantees no unauthorized devices will function when plugged into a switch port.
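    The address-space filling described in this comment, written out as an added example (not the poster's own script): every host address of the /24 that is missing from the inventory gets bound to the alias box, so an unauthorized device that picks a "free" address collides immediately. The prefix, device name and inventory are constructed placeholders; the script prints the ip(8) plan unless APPLY_ALIASES=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): fill the unassigned part of a /24
# with aliases on one Linux box so an unauthorized device that grabs a "free"
# address hits a duplicate-address collision. Prefix, device and inventory are
# constructed for illustration.

PREFIX="192.0.2"   # constructed: RFC 5737 documentation prefix standing in for the site /24
DEV="eth0"

# Constructed inventory of manually assigned hosts: "<last octet> <hostname>" per line.
ASSIGNED="1 router
10 fileserver
11 mailserver
50 printer-legacy
200 alias-box"

# Print every host octet 1..254 that is absent from the inventory, one per line.
unassigned_octets() {
    octet=1
    while [ "$octet" -le 254 ]; do
        if ! printf '%s\n' "$ASSIGNED" | awk -v o="$octet" '$1 == o { f = 1 } END { exit !f }'; then
            echo "$octet"
        fi
        octet=$((octet + 1))
    done
}

# Emit the ip(8) commands that bind each free address to $DEV as a labelled alias
# (printed rather than executed, so the plan can be reviewed before it is applied).
alias_commands() {
    unassigned_octets | while read -r o; do
        echo "ip addr add ${PREFIX}.${o}/24 dev ${DEV} label ${DEV}:${o}"
    done
}

# When a device is legitimately added, free its address on the alias box first.
release_command() {
    echo "ip addr del ${PREFIX}.${1}/24 dev ${DEV}"
}

# Apply only when explicitly asked (needs root); the default is a dry run.
if [ "${APPLY_ALIASES:-0}" = 1 ]; then
    alias_commands | sh
else
    alias_commands
fi
```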

  63. Picking up signal != breaking in by uniqueUser · · Score: 0

    I pick up signals all the time; this does not mean that I am able to connect. If they jammed or otherwise prevented the signals from being broadcast, it would defeat the reason for having a wireless connection in the first place!

    --
    GENERATION 25: The first time you see this, copy it into your sig on any forum and add 1 to the generation. Social exper
  64. Nope. WPA is still "pretend" security by Anonymous Coward · · Score: 0

    It only keeps the casual script kiddie occupied for a while. Not even WPA2 is secure. Nothing short of Layer-2 encryption with minimum AES 128-bit really constitutes a serious impediment to a real wireless cracker. Look at an Air Fortress AF2100 or AF7500 if you want your Wi-Fi to be secure... for a short while anyway.

  65. Not at NASA by alispguru · · Score: 3, Interesting

    At least, not at Goddard where I work. NASA used to be an easy target for crackers, but we've tightened up a lot since those days. Network security around here wardrives the grounds, and people with guns (!) will show up if they detect an unauthorized access point.

    --
    To a Lisp hacker, XML is S-expressions in drag.
  66. there ARE WPA2 APs available! by Anonymous Coward · · Score: 0

    mod parent down - what a load of rubbish

    There are WPA2 (or 802.11i if you prefer) APs available. Try the Cisco 1130AG Wireless Access Point for a start. Plus there are WPA2 certified wireless client cards available - including both pcmcia and MiniPCI.

  67. MACs are trivially reconfigurable. by Medievalist · · Score: 1

    MAC addresses are configurable, for a number of legitimate reasons I won't go into.

    Anyway, if you and I have the same MAC address there will not necessarily be any confusion that's visible to the end user.

    Each of our machines will discard the packets that do not fit into the conversations we are having, based on other values than the MAC. For example, stuff like sequence numbers, higher-level addressing details (ports & IPs), etc.

    So, this will just make stuff run slow, due to all the packet discards. It'll still mostly work.

    Now, if you are on a switched network (NOT wireless) and two machines have the same MAC, it will confuse the bejeezus out of the switch and cause much more havoc. Higher level protocols that can ask for retransmits might still muddle through if the switch is fast enough and you luck out on the timing, but the switch should throw up all kinds of alarms to the net admins.

    1. Re:MACs are trivially reconfigurable. by chrisnewbie · · Score: 1

      Thanks for the clarification! That's not what I was told in school! But again, like someone wrote to me, "since when does school teach something useful?"

    2. Re:MACs are trivially reconfigurable. by zbuffered · · Score: 1

      Excellent post, and I might add that "will just make stuff run slow" is referring to the wireless link's potential throughput per host being lessened due to the fact two hosts are generating traffic on a given channel.

      It does require additional resources on the spoofing (and spoofed) PC, but that won't be the bottleneck 99.x% of the time.

      --
      Synergy is your friend
  68. BLOW THE WHISTLE by Medievalist · · Score: 1

    Seriously, man, grow a spine. Your organization - which is apparently funded by my tax dollars - needs to be reported to los federales. Your management's behaviour is criminal if your post is correct - so do your job, and your duty as a citizen, and turn the bastards in. Look up "anonymous whistle blower" in the federal phone book or consult Google for how to do it.

  69. What I recommend by Medievalist · · Score: 1

    128-bit WEP, no SSID broadcast (aka "stealth mode") and connect the access point via a crossover cable to an ethernet card on a stripped-down linux box that firewalls all ports except 22.

    On the laptops use a little script that does an SSH login (user supplies password, never stored anywhere) and then forwards the SMB/CIFS, IMAPS, DNS, and SMTP-AUTH ports over the SSH connection.

    Make sure the access point is very "dumb" - that is, it doesn't have enough memory or OS to allow an attacker who compromises the AP itself to install an SSH M-i-t-M sploit. I use weird Intel and Enterasys boxes (pulled out of dumpsters) that haven't got real OSes anyway.

    If I've ever been cracked, it was done so gracefully I haven't even noticed... and since my neighbors don't even run WEP it's unlikely that I'd even be noticed much less targeted.

    Oh, and most importantly: Don't use default passwords, and KEEP YOUR PATCHLEVELS UP TO DATE!

    1. Re:What I recommend by xmodem_and_rommon · · Score: 1

      Make sure the access point is very "dumb" - that is, it doesn't have enough memory or OS to allow an attacker who compromises the AP itself to install an SSH M-i-t-M sploit. I use weird Intel and Enterasys boxes (pulled out of dumpsters) that haven't got real OSes anyway.

      Hmm, isn't part of the idea of SSH that you have public AND private keys, so someone would have to obtain the private key before they could do a MITM attack? They could always send out the same public key as the server, but then they wouldn't be able to decrypt the received data.

      Conversely, they could use a new public/private key pair and stick them on the access point. However, SSH clients save keys that are received, and next time you connect, they make sure the keys haven't changed. If the key has changed, it'll throw up huge errors. Last time I did this, the SSH simply refused to connect. I had to go and delete the key file.

  70. Right now i'm in my car... by Anonymous Coward · · Score: 0

    ...driving past a government building posting this comment.

  71. Re:This is the fault of consumers and the WiFI mak by dirkstoop · · Score: 1

    I think the fact of the matter is that your average user is not willing to pay more than $50 for a wireless router. It is, of course, possible to make AES work fine with a router at that cost, but it is going to take a good deal of economies of scale in action to make a 1,000,000-transistor chip for implementing AES affordable at that price point.

    well perhaps if the vendor adds nifty features like wireless audio streaming and whatever else you can think of to it people will be willing to pay more for it. 802.11i can become a complementary feature, a bonus.

    just maybe if apple puts 802.11i support in their next-gen low-end base station with some cool new features and corresponding high price tag...

    --
    (may read 'IMHO' wherever omitted from above text)
  72. How does one do this? by NevarMore · · Score: 1

    At one agency, 90 laptop computers were configured to search for a wireless connection while they were plugged in to a wireless network -- an easy way in for snoops and hackers.

    Well no wonder the wireless security is a flop! If they can plug in they need wired security. Some people, sheesh..

  73. putting this GAO survey into context by Anonymous Coward · · Score: 0

    I work for a government department/agency that was one of the six more intensely reviewed. Though I was not directly involved with the survey, I work with folks who were and I have a general knowledge of their findings.

    As the report mentioned, every one of the six reviewed in depth was found to have unsecured wireless devices. Our organization was one of the better ones. In our main building they found two unauthorized devices after doing a hallway-by-hallway search. Neither of these devices was connected to any of our enterprise networks. One was an access point that was connected to a DSL connection by a construction contractor and the other was a personal laptop or something of the sort. Nevertheless we had unsecured wireless devices in our facilities. Of course there were some other network signals that they couldn't authoritatively say did or did not come from our building. This is a building with several thousand employees, BTW.

    Currently, we do not authorize the use or purchase of wireless networking devices. This is a management directive from our main IT body. We do not, however, have any official policy stating that wireless shall not be used, nor any policy on its secure use. This is simply due to the fact that we will likely authorize limited use of wireless devices but do not want to do so without including enforceable policy documents. At least where I work, getting policy is something like passing a law. Lots of folks have to review and sign off on it, and there's the occasional bickering on language, responsibility, funding implications, etc. The point being that establishing new policy is quite an undertaking, especially in an environment of differing opinions (there are multiple draft policies in the works). GAO did not mis-state nor, I think, mis-represent anything that applied to us. Despite our directives stating no wireless, someone new and senior enough could simply open the floodgates.

    GAO can sometimes be a thorn in the side of federal agencies. They are given tasks by Congressmen to go research something and generate a report after said congressman may have read a magazine article, saw something on TV, or had a conversation with a lobbyist. The few GAO folks that I have been in contact with are very professional people and for the most part work for everyone's best interests. They do ultimately work for Congress and will present recommendations and to a certain extent need to find problems to prove their worth (kind of like a toned-down inspector general but without direct enforcement ability). OMB isn't much better with their mandates. Just say the words "telework" or "HSPD-12" to any IT or security person and you'll likely hear them groan.

    Anyway. I guess the reason I'm pointing this out is that, being in the government myself, I often get annoyed by the reputation that our culture attributes to government employees and the way we do business. Believe me, some of it is deserved. We have to follow some government-only labor laws that were passed at the turn of the century that make it extremely time consuming and very difficult to fire (and hire) someone. There are many highly-dedicated and qualified government professionals that are way underpaid. As a whole, government employees tend to be hardworking folks. Our bad apples just happen to be really really bad.

  74. Re: SSH M-i-t-Ms by Medievalist · · Score: 1

    In theory, yes, you are right. You should be able to just configure your client to reject connection when the host keys are changed, and provide the keys to clients via a secure channel like floppy, USB, or whatever (I recommend putting the SSH host public keys and wireless encryption keys on a CD, even though it's a huge waste of space. Some of my cow-orkers use a USB stick for this).

    In practice, there are always rumors of SSH M-i-t-Ms going around, and some of the rumors always turn out to be true, although they are usually restricted to specific implementations or to specific encryption methods. For example, I use PuTTY to connect from Windows boxen; in versions of PuTTY prior to 0.56 a M-i-t-M can simply replace your host key files during session startup, before host key verification is even begun. But if your AP OS is sufficiently esoteric or space-limited, an attacker will not be able to insert code to do this without breaking the wireless functions.

    So, using dumb APs is another layer in the "defense in depth" strategy. You should have a virus scanner too...
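    The laptop-side tunnel script from comment 69 (one SSH login to the stripped-down gateway, with the file-sharing, IMAPS, DNS and SMTP-AUTH ports forwarded over it) combined with the host-key pinning this reply asks for, as an added example that is not the poster's own script: the client only ever consults a known_hosts file copied over out of band, refuses to start without a pinned entry, and aborts rather than accepting a changed key. The gateway name, internal host names, ports and file path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original posts): port forwards over one SSH login
# to the gateway behind the AP, trusting only a host key distributed out of band
# (CD or USB stick, as comment 74 suggests). All names and ports are constructed.

GATEWAY="gw.example.internal"                    # constructed: Linux box firewalling all but 22
GATEWAY_PORT=22
PINNED_HOSTS="${HOME}/.ssh/known_hosts.wifi-gw"  # copied from the CD/USB stick, never learned over the air

# "<local port> <internal host> <remote port>", constructed. ssh -L carries TCP only,
# so the DNS forward covers TCP/53, not UDP lookups.
FORWARDS="4450 fileserver.internal 445
9930 mail.internal 993
5353 dns.internal 53
5870 mail.internal 587"

# Turn the table into -L arguments bound to loopback only.
forward_args() {
    printf '%s\n' "$FORWARDS" | while read -r lport rhost rport; do
        printf '%s 127.0.0.1:%s:%s:%s ' "-L" "$lport" "$rhost" "$rport"
    done
}

# True only if the pinned file holds exactly one line for the gateway. An AP that
# swaps in its own key pair then fails StrictHostKeyChecking instead of being trusted.
pinned_key_present() {
    [ "$(grep -c "^$2[ ,]" "$1" 2>/dev/null)" = 1 ]
}

# Full command line: no stored password (ssh prompts), pinned keys only, no fallback
# known_hosts files, and the session aborts if any forward cannot be set up.
tunnel_command() {
    printf 'ssh -N -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -o GlobalKnownHostsFile=/dev/null -o ExitOnForwardFailure=yes -p %s %s%s\n' \
        "$PINNED_HOSTS" "$GATEWAY_PORT" "$(forward_args)" "$GATEWAY"
}

# Refuse to connect at all when the pinned key is missing; never fall back to
# "accept whatever the AP presents".
run_tunnel() {
    if ! pinned_key_present "$PINNED_HOSTS" "$GATEWAY"; then
        echo "refusing: no pinned host key for $GATEWAY in $PINNED_HOSTS" >&2
        return 1
    fi
    eval "$(tunnel_command)"
}

# Connect only when explicitly asked; by default just show the command that would run.
if [ "${START_TUNNEL:-0}" = 1 ]; then
    run_tunnel
else
    tunnel_command
fi
```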