Slashdot Mirror


Government Use of WiFi Not Secure

Terremoto writes "A Congressional report indicates that the use of WiFi by government agencies is being done with little regard for security. The article says, "Government Accountability Office investigators were able to pick up Wi-Fi signals from outside all of the six agencies they tested, and they were able to find examples of unauthorized activity at all six as well.""

18 of 220 comments

  1. This problem is a lot more common by PalmMP3 · · Score: 5, Informative
    The article mentions this problem only in regard to government agencies, but the truth is, it happens all over (in regular businesses) as well. I'm not talking about /.ers who get free broadband through their neighbors' open networks; I'm talking about businesses where one employee decides to make his life a little easier by setting up his own personal mini-network - but unknowingly putting the entire company's network at risk.

    Indeed, NetStumbler's help file even suggests such a scenario as one possible use for the program:

    " Wireless LAN Auditing

    A corporate network administrator needs assurance that the wired LAN is not being exposed to unauthorized users. This can often happen when users set up their own wireless LANs for convenience. Such wireless LANs often have little or no security, which poses a risk to the entire LAN. The network administrator can use NetStumbler to detect the presence of these "rogue" wireless LANs.
    "

    At least now that this story has hit the news, perhaps more people will wake up to the danger and try to secure their critical networks (as long as they leave open at least one for me to use as a wi-fi hotspot ;-)).

    --
    Laughter is the best medicine, but in certain situations the Heimlich maneuver may be more appropriate.
  2. Re:If this were 2003..... by TWX · · Score: 5, Informative

    "It is a shame that they allow these agencies to receive funding or for their IS / IT departments to still have jobs."

    I work for a large IT department for a government-based organization. The users don't call us when they get new equipment frequently unless it doesn't work. With all of these wireless devices coming 'ready to go' out of the box we don't usually find them unless we physically stumble across them or unless the DHCP server in the device is handing out addresses on the LAN at the site and therefore breaking connectivity for the users.

    Yes, it is technically possible to note the MAC address of a device when it comes on the network and compare it to a table of kinds of equipment, but there are 11 field technicians, four network engineers, and two cable/infrastructure technicians for 25,000 machines. We don't get the funding for supplies, equipment, or manpower that we need, we don't get support from higher-ups in the organization, and we are left being reactionary. Even worse yet, some of the agency-level higher-ups are all about 'new technology' without giving us the resources to thoroughly investigate it and how it will impact our network, and half of the time they don't even figure out why the users need such technology before allowing them to order it.

    We have machines running from average as low as Windows 95 (though I do still encounter Windows for Workgroups 3.11 in rare cases) and MacOS 7.5.3. Most days I'm astounded that things work as well as they do, let alone at all.

    --
    Do not look into laser with remaining eye.
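Added example, not part of the comment above or of any tool it names: the two detection paths that comment describes (a device's built-in DHCP server answering on the LAN, and matching a newly seen MAC address against a table of equipment kinds) run over a DHCP log. The log format, the OUI table, the addresses and every name in the code are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed OUI table: prefixes and vendor labels are placeholders,
# not real IEEE assignments (all use locally administered addresses).
CONSUMER_WIRELESS_OUIS = {
    "02:aa:01": "ExampleHome Wireless (constructed)",
    "02:aa:02": "SampleNet SOHO Router (constructed)",
}
# Assumption: the site has exactly one sanctioned DHCP server.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.2"}

# Constructed log lines in a made-up format.
SAMPLE_LOG = """\
DHCPOFFER server=10.0.0.2 client=02:bb:00:11:22:33 ip=10.0.4.17
DHCPOFFER server=192.168.1.1 client=02:bb:00:44:55:66 ip=192.168.1.100
DHCPACK server=10.0.0.2 client=02:AA:01:9f:00:01 ip=10.0.4.18
DHCPACK server=10.0.0.2 client=02:bb:00:11:22:33 ip=10.0.4.17
DHCPOFFER server=192.168.1.1 client=02:bb:00:77:88:99 ip=192.168.1.101
"""

LINE_RE = re.compile(
    r"^(DHCPOFFER|DHCPACK) server=(\S+) client=([0-9A-Fa-f:]{17}) ip=(\S+)$"
)

def audit(log_text):
    """Return (rogue_servers, suspect_clients) found in the log."""
    rogue_servers = defaultdict(set)  # server IP -> client MACs it answered
    suspect_clients = {}              # client MAC -> vendor label
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        _event, server, mac, _ip = m.groups()
        mac = mac.lower()
        # Path 1: an answer from a server nobody sanctioned.
        if server not in AUTHORIZED_DHCP_SERVERS:
            rogue_servers[server].add(mac)
        # Path 2: the first three octets identify the equipment kind.
        vendor = CONSUMER_WIRELESS_OUIS.get(mac[:8])
        if vendor:
            suspect_clients[mac] = vendor
    return dict(rogue_servers), suspect_clients

if __name__ == "__main__":
    servers, clients = audit(SAMPLE_LOG)
    for ip, macs in servers.items():
        print(f"unauthorized DHCP server {ip} answered {len(macs)} client(s)")
    for mac, vendor in clients.items():
        print(f"consumer wireless gear on LAN: {mac} ({vendor})")
```

As later comments in this thread point out, a MAC address can be changed by the device owner, so the OUI match only catches equipment left at its factory address.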
  3. Re:Unauthorized access? by appleLaserWriter · · Score: 1, Informative

    Err, doesn't the FCC spank down anybody who does Wi-Fi access control (if it's NOT encrypted)?

    huh?

    Every corporation with any sense of security uses MAC filtering. The FCC doesn't license the 900 MHz, 2.4 GHz and 5.x GHz bands (ISM), but they also don't enforce anyone's access. They used to restrict the kind of amplification that was allowed, but now, AFAIK, there is only a wattage limit.

  4. Re:WiMax by xmodem_and_rommon · · Score: 1, Informative

    no...wimax is a paid-spectrum service, and is not intended for use by the general public. Wimax is only for big companies that can afford the equipment AND SPECTRUM LICENSES to set up a hotspot. It will probably be used mainly to provide wireless Internet access to people - not to provide access to internal networks of companies or governments. It is simply not intended for that purpose.

    as far as wimax is concerned, i'd be more concerned about people with hacked equipment reading your traffic if I were you...but I don't know if wimax has any encryption.

  5. Re:Unauthorized access? by Anonymous Coward · · Score: 5, Informative

    MAC filtering is absolutely worthless. All I have to do is sniff, find a MAC on your network, and change my MAC to that. Easier than cracking WEP.

    Every corporation with any sense of security uses a DMZ + a VPN into the real network.

  6. Re:Unauthorized access? by zbuffered · · Score: 3, Informative

    Any wardriver with the capability of decrypting WEP can also change their MAC address. Check out Auditor Linux. All the tools you need at the tip of your fingers.

    --
    Synergy is your friend
  7. Re:WiMax by petecarlson · · Score: 2, Informative

    You were so close to being partially right but you're wrong. Yes, wimax devices can be made in the licensed spectrum, but they can also be used in the un-licensed spectrum. It is likely that we will see 5.8 GHz wimax gear in the US as the "listen first" protocol required in the opening of 5.3 is not compatible with the polling protocol specified in the wimax standard.

    CP

  8. Re:Are there any safe (hardware) protocols? by Beryllium+Sphere(tm) · · Score: 2, Informative

    At a guess, the grandparent is referring to the possibility of dictionary attacks on WPA in Pre Shared Key mode and the recent announcement that if you run encryption without authentication in IPSEC then attackers can flip bits and see what happens.

    In other words, the crypto doesn't protect you against choosing weak passwords or against choosing a stupid combination of configuration settings in IPSEC.

    The crypto algorithms themselves seem to be holding up OK. If you use WPA as intended (with a Radius server) and use an implementation of IPSEC that doesn't make stupid choices for you then you're safe from the publicized vulnerabilities.

  9. Re:Unauthorized access? by blowdart · · Score: 2, Informative

    Even Windows supports it; the MAC address used can be overridden in the registry.

  10. Re:Are there any safe (hardware) protocols? by Anonymous Coward · · Score: 1, Informative

    I assume that this is the Air Fortress security product. Nice; it uses AES.

  11. Thin client by Colin+Smith · · Score: 3, Informative
    Seriously!

    I don't suppose you really have any control left but when things are getting that bad it's your only sane option. (It's the only sane option when you're getting to 100+ clients anyway). Allowing users to design your IT infrastructure is pure madness, entropy inevitably turns your network to mush.

    Even Windows Terminal Server, expensive as it is, is better than 25,000 desktops. We use LTSP and an array of Linux and Sun servers[1] tied together with Sun Grid Engine[2] to provide what the users think of as a single system, "The Grid". It was a remarkably easy sale to management, but we were coming from a largely Unix environment. It's a bit more difficult with Windows; the array of smallish servers approach is far more expensive to implement than Linux.

    [1] many of them ex workstations and desktops.

    [2] Though Condor looks like a good option.

    --
    Deleted
  12. Re:Unauthorized access? by stridebird · · Score: 2, Informative

    That doesn't get you in. Not quite.

    Once you have swapped your MAC address to match another on the network, what happens next? How does the conflict resolve between two machines with the same MAC address? Not nicely...

    To be stealthy you need to observe MAC addresses, then identify when a machine has disconnected from the network. Then you can walk up and take its place at the table and eat its porridge - until it comes back. Then there's conflict again.

  13. Secure Wireless for Government by DaemonTW · · Score: 4, Informative

    Solutions exist to implement secure WiFi, but it comes with a cost.

    Harris makes an encrypted PCMCIA 802.11b based card that has high grade encryption built in. It certainly makes the system impossible to get into, but they're far from cheap ($2k+).

    Product: SecNet11

    In the end, a lot of the exploitable networks come from either poor management, lack of information or lack of control within government areas.

    --
    www.techwatch.com.au
  14. Army does it a bit better. by mgargett · · Score: 3, Informative

    Check out the Army's wireless BBP:
    http://www.igov.com/informationtech/contracts/BBP%20Wireless%201_25(Final).pdf

    I can't link to the original because it's behind Army infrastructure, but I found a link out in the real world. It's not too bad. On Army installations, you are required to do layer 2 encryption, which is pretty good. However, the "road warriors" are not required to do layer 2 on the road. Layer 2 is not an easy thing, as we are finding...

  15. Link to the actual report. by jeblucas · · Score: 2, Informative

    This might be "US citizen's-only" technically, but the report itself is available on the web here. It's a 1.5MB PDF. You can also request a free printed copy of this or any GAO report here. (This report is GAO-05-383.)

    --
    blarg.
  16. Re:It is the US government by Elvisisdead · · Score: 2, Informative

    Spot on. The other part is that the request for the toilet seat stated that it should be able to touch a human ass without freezing it at -10 degrees and still be cool to the touch at 125 degrees. Also needs to be equally comfortable for both sexes and should have a service life of 75 years.

    --

    "Want in one hand and spit in the other and see which one fills up first." - My Dad
  17. Re:If this were 2003..... by _Sprocket_ · · Score: 2, Informative
    It is a shame that they allow these agencies to receive funding or for their IS / IT departments to still have jobs.

    There's several issues here.

    First - the money tends to be tight in government IT. This leads to some impact on hardware but a much, much larger impact on personnel. Government IT shops just don't pay what they should. So you either end up with a staff of the best you could afford (but far from the best) and / or a select few dedicated, really good people who are vastly over-worked.

    Secondly - the US Government is the ultimate bureaucracy. It rarely resembles a meritocracy in any shape or form. Civil Servants tend to end up in IT positions for any other reason than technical competence. Consequently, IT contracts tend to be fairly inconsistent when it comes to technical performance (although the metrics will always show otherwise).

    Finally - this is a security issue. IT shops are concerned about making widgets work, not making them secure. When the pressure is on due to limited funds and limited competence, IT will err on the side of functionality; they'll get a widget running. That tends to tip against the inverse relationship with security.

    Having said that... the one thing that I like about that statement is the fact that the Gov't bureaucracy lives and dies by its budget. Your group is only as powerful as your budget makes you. Fat budgets display and bestow power. So affecting an organization's budget is guaranteed to get their attention. The trick would be to do it in a manner that doesn't simply make the problem worse.

    One final comment - the US Government just isn't good with Infosec. There are notable exceptions. But as a whole, they make a soft target. Any kiddie who boasts about tagging a .gov is simply showing stupidity. The US Government is not strong in Infosec - but they fully know how to operate Law. Note that the recent stories about arrests and investigations connected with Cisco IOS code leaks didn't happen because of Cisco - they happened because the individual(s) involved also compromised a considerable number of Government systems.
  18. Re:It is the US government by budgenator · · Score: 2, Informative

    also requires said "toilet seat" be an
    1. integrated structural part of the airframe,
    2. not release toxic gases on contact with combustion,
    3. upon catastrophic failure not pose a physical hazard to the aircrew,

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds