Government Use of WiFi Not Secure

Terremoto writes "A Congressional report indicates that the use of WiFi by government agencies is being done with little regard for security. The article says, "Government Accountability Office investigators were able to pick up Wi-Fi signals from outside all of the six agencies they tested, and they were able to find examples of unauthorized activity at all six as well.""

Unauthorized access?

[Creepy+Crawler]

Err, doesnt the FCC spank down anybody who does Wi-Fi access control (if it's NOT encrypted)?

YEah, breaking an auth scheme could be grounds of breaking/entering, but when its open invite, isnt it allowed?

You know, public airwaves and all..

Re:Unauthorized access?

[JWSmythe]

My girlfriend's cablemodem took a dump while I was trying to do something, so I fired up Kismet, and found 6 access points within listening range.

4 were encrypted, named "2wire###", where ### is a 3 digit number. I've been informed that those are SBC DSL routers, which *ALL* have the wireless enabled but encrypted by default.

1 was a very weak signal

1 was a moderately strong signal (60% to 70%), unencrypted, named "DEFAULT". Kismet said it was a DLink (if I remember right).

I asked for an IP by DHCP, and I was on. I didn't do anything but started up ethereal, and logged everything for a few minutes.. I was trying to show my girlfriend the problems with unencrypted traffic on the Internet, and how important network security is.

There are two machines on their network, which were both sending SMB traffic with their machine names (or descriptions). I got their Yahoo! Messenger username. I know they have weatherbug running, and saw he specific zip code. They didn't browse the net, but in one of the rare instances that my girlfriend's own cablemodem was working, I sent a message by Yahoo! Messenger, and she saw it go by in clear text. Based on the information I gathered, I knew exactly which apartment it was.

At an unnamed casino in Vegas, I saw everything about their display boards. It would have been trivial for me to pretend to be their host, and change all the boards (winners, potential winnings, etc). I didn't though. I just emailed them when I got home, with the logs. They thanked me for pointing out the oversight. They were very good about it, so I won't say the name.

Once in a while, I'll fire up Kismet, and go driving. Not really wardriving, just to get an idea of what the area looks like. I can see about 200 AP's from my house with a high gain antenna (24db). I can pick up about 300 driving about 10 miles with a low gain antenna (4db) stuck to the back of my laptop screen. In both cases, more than half of the AP's found are unencrypted. Random samplings showed I could get online with no problems.

Re:Unauthorized access?

4 were encrypted, named "2wire###", where ### is a 3 digit number. I've been informed that those are SBC DSL routers, which *ALL* have the wireless enabled but encrypted by default.

FYI, the WEP key for those 2WIRE### DSL modem/routers is "2wire". My sister had one for a few days in Los Angeles and sent it back after it couldn't keep link for more than a few seconds. That key has worked in numerous DSL-equipped neighborhoods.

Re:Unauthorized access?

[SailorFrag]

Err, not quite.

As far as I know, STP only kills ports that STP decides are causing a loop. Seeing a MAC address on two ports just makes it think that the system has moved (think about what happens if you roam between APs) so it will direct all future packets to that MAC address to the last port it saw data come in from. So if both hosts are sending a lot of data, then the ensuing packetloss (because packets are going to the wrong place) makes it pretty miserable. If only one has a lot of traffic going, then they win most of the time, at the expense of the other. Either way, it's probably going to elicit a helpdesk call by the legitimate user if it happens for too long.

The above description only applies when two systems have the same MAC address, but different IP addresses, and the two systems are going through different switch ports.

If you have two machines configured with the same MAC address and the same IP address, then you basically end up with the system being unusable. Whenever a packet to the other computer is seen, the OS sends a TCP reset or ICMP port unreachable (in the case of UDP). So basically, if there's much traffic going through the two computers at all, then neither of them can get anywhere, because the connections keep getting reset constantly (as opposed to mere packetloss when the IPs are different). You'd need a firewall on /both/ systems to avoid sending the reset responses for any hope of it working (and even then, you only end up as good as the two-IP scenario).

If you have two systems with the same MAC address but different IPs on the same AP/hub, then you can at least have a reasonable hope it'd work. I don't know if sane APs would let two instances of the same MAC address successfully associate though. I don't know how the association process works, so I can only speculate.

Re:Unauthorized access?

[pointbeing]

MAC filtering is absolutely worthless. All I have to do is sniff, find a MAC on your network, and change my MAC to that. Easier than cracking WEP.

Standing up WiFi on a federal network is a lot like herding cats ;-)

I'm the project manager responsible for standing up WiFi access on a fair-sized Department of Defense installation. If the wireless network is configured according to DoD security technical implementation guides (STIGs) it can be fairly secure.

You're correct that MAC filtering alone isn't real secure but we use MAC filtering as one component in a 'defense in depth' strategy.

You're also correct that DMZ + VPN is the only way that makes sense to stand up a wireless network and in DoD that's the only way you *can* stand one up if it connects to a trusted network ;-)

The amusing thing for me was than when my boss handed me this project he thought I was gonna throw up a buncha access points and call it a network. This building is 13 stories high and has about 2500 users - and would produce the wireless footprint from hell if I'd let the boss have his way.

Instead, I told him the IDS pieces needed to be in place first - and we're using a reasonably effective network of AirDefense and Cisco WLSE - if you stand up a rogue AP or an ad hoc network in this building the system will close the ethernet ports feeding the device(s) and shoot an email to the federal cops in the building. I figure about ten minutes after you power the thing up someone with a uniform will be tapping on your shoulder ;-)

All WiFi connections to trusted resources on this network are encrypted - as a matter of fact there's a DoD requirement to encrypt the hard drive of any wireless device connecting to a trusted resource.

So far the biggest challenge for us has been antenna selection and tuning WAP outout power so the network doesn't radiate any farther than we'd like it to and we've had pretty fair results so far. But - anybody working for the federal government who thinks you should just throw up a buncha access points and call it a network needs to be fired or killed or both ;-)

My choice for WiFi security is a combination of private networks, the DMZ + VPN idea you had (which is a DoD requirement), MAC filtering, strategic placement of intrusion detection resources, client-server encryption (we use AirFortress), domain policies that prevent network bridging, denying access to anything that isn't 802.11g and so on. There's also a requirement that the WiFi network can't share any physical infrastructure with the trusted network - so the only only infrastructore pieces the wired and wireless network share are patch panels ;-)

If you walk into my building with an unauthorized WiFi device you'll be able to connect to my Comcast cable modems in three or four public areas, but if you really want on my network you might be able to get on -

But I'm gonna make you work for access ;-)

Unauthorized Activity

[flood6]

...they were able to find examples of unauthorized activity at all six as well.

It wasn't clear in TFA either, but do they mean a little pr0n surfing/p2p going on or active hack attempts were found?

If this were 2003.....

then there would be no huge issue. But with tools like - Airsnort for Unix, NetStumbler for Windows and MacStumbler for Mac, there is no excuse for this.

I would consider it to be criminally negligent.

It is a shame that they allow these agencies to recieve funding or for their IS / IT departments to still have jobs.

Lets stop talking about Filibusters and start talking National Security

Really?

[tengwar]

I'm always a bit doubtful of these surveys. Some companies run an open network, but to reach any network resources you need to set up a VPN. This avoids possible problems with air-side encryption (yes, I know there are many other solutions) and allows visitors to use the network.

Re:Really?

[petecarlson]

Doubtfull? I have done consultations for comapnies that were having problems accessing their mail server because their computers were connecting to the company next door's APs. It seemed that both companies were using linksys access points... SSID "linksys". The whole time they had been using each others connections and neither had a clue.

CP

Are there any safe (hardware) protocols?

[Phoenixhunter]

It seems that just about every form of current encryption has a proof of concept on cracking it. WEP, WPA, LEAP, IPSec, etc.

About the only solution I've seen is the airFortress product that utilizes a client that encrypts all data and decrypts it through a hardware device that interfaces with the access points. Military has been using it for a bit.

Re:Are there any safe (hardware) protocols?

[Hi_2k]

There's a distinction between a theoretical crack and a real one. Theoretically, I could try every 1024 bit key against my GAIM-Encryption messages, and I would eventually find the proper key to decrypt them. It's even possible that there are simpler ways to do it. However, what matters is that it will take sufficently long that the data is no-longer so sensitive. Knowing about next months troop deployments in Iraq is of little use to terrorists in the year 2010.

Re:Are there any safe (hardware) protocols?

[tildebeast]

In the Army we use cisco aironets and Air fortress products. Mostly we use it for ptp access to remote locations. However there is software that can be installed on laptops that allows the client to connect, while out and about in the motorpool. we have tried several times to crack our own system, Each time resulting in failure. We can use a linux box and kissmet, and other nameless tools to crack into the multiple wep keys, but the Air Fortress encryption eludes us. We have not had, any unallowed access to our system in the 7 months we have been in Iraq.

big deal

[j1m+5n0w]

So, some government agencies use unsecured wireless networks, and some people might even be leeching off of them for internet access. That might or might not be a real security issue, depending on if they're using their wireless network for sensitive applications and if those applications aren't using end-to-end encryption for their applications and if their wireless networks aren't firewalled away from the rest of their network. Perhaps the actual report describes the vulnerabilities in greater detail than this article, but I don't see how the mere presence of an unsecured wireless network is necessarily something to get worked up about.

Open WIFI == Good

[xiando]

I know many disagree with me on this, but personally I think that open WIFI networks is a very good thing. And I encourage all Wifi administrators to Open up their networks for all! This is quite safe if you secure the private services on the networks so random people only have access to the Internet. Think of it like this: You allow a few people to use the Internet from your home in exchange of being able to use the Internet when you are other places. If everybody with a Wifi does this then we will eventually have a global free Internet available everywhere for all. Again, having a Open Wifi is no threat to you IF you simply secure the services running on the Wifi! And this is, in fact, a much better approach than having a firewall and relying on that for security...

Re:why are they using local 802.11b at all?

[terminal.dk]

A laptop without wireless is still a laptop. It isn't that difficult to use a network cable.

Of course it prevents you from bringing the laptop to the bathroom.

No

[harris+s+newman]

I have implemented wifi for several parks for a large city. We place the network on the outside of our internal network. We allow anyone to connect to the network after agreeing to a pop-up stating our acceptable use policy. Exactly how can this be conceived as insecure?

Re:Can't blame them the unauthorized entries.

[eUdudx]

Quoted from parent mod'd off-topic:

Sadly, I really do not blame those that come in through the back door when so many are simply stealing from the front door.

WindBourne has a technical point, at the end of his non-slashdot-compative rant: even before wireless became useful/cheap/widespread, many folks feared any physical connection to a nework that was "insecure"....for example, a Sun JumpStart server allowed (gasp) annonymous ftp access for images.

Not surprised. WiFi's too effin' complicated.

[crovira]

For what it does, displacing/replacing the cost and aesthetics of cat5 cable, wireless does a very bad job of it.

Quite apart from the security aspect, which was handled by slapping WEP on it, its a mess.

It can and does work with extremely simple networks (one transmitters, many receivers,) but it is absolutely terrible at topologies with repeators.

Apple's Airport and 'Bonjour' (previously called 'RendezVous') is one of the worst at letting you build network topologies.

I have scrapped my AirPort base and a couple of 'pucks' because I, a friend AND a network guy I paid for were unable to set up my network.

I am now running a network of Macs and Windows PC on a single LinkSys wireless router because I'd had one since moving to my new place and NOT laying down some cable.

It was simple, secure (WEP & destination addresses so only a few IP addresses are actually exposed and port filtering,) and easy to install.

As for AirPort, Apple's vaunted skills at GUI utterly failed them this time. Its a dogs breakfast of confusing and seemingly contradictory options, 'build' directions and concepts which just don't friggin work.

I'm out $300 bucks on the Airort equipment but two guys and myself are much wiser when it come to wireless. Friends don't let friends buy Airport.

Nice try Apple, but building networks should not be magic where you're never sure if doing one thing just undid another.

Your current GUI approach is totally inadequate, TOTALLY.

Not the FDA though

[BitterAndDrunk]

The FDA IT department is actually pretty good. They've disallowed all wireless routers, and actually patrol the halls of the Fisher Lane building (the main HQ for the FDA, located in Rockville, MD) sniffing for illegal wireless routers to shut down.

If they can ever get away from the "use two consulting firms in an adversarial role" implementation model, they might see some benefits to their IT advances.

Not at NASA

[alispguru]

At least, not at Goddard where I work. NASA used to be an easy target for crackers, but we've tightened up a lot since those days. Network security around here wardrives the grounds, and people with guns (!) will show up if they detect an unauthorized access point.