Securing Wireless Networks Against Intruders
By Gregory HannaAPRIL 2005 - Wireless devices, such as a laptop computer or a personal digital assistant (PDA), make it easy to stay in touch and organized, and are a tremendous boost to productivity. They are also, however, a prey to Internet thieves. Wireless security is one area where hackers are several steps ahead of their victims.
The weakness of wireless devices lies in the access points on wireless networks. These access points transmit a continuous radio signal that anyone can intercept using only a laptop, a wireless adapter, and wireless scanning software. When intruders find a wireless unit with a four-digit password, they can generally break into it in less than 60 seconds. Once inside, they can steal the user’s PINs and other financial information, or use that wireless unit to break into the organization’s main computer system and gain access to proprietary financial information. Some of these intruders may be industrial spies attempting to steal trade secrets and other competitive information, but statistics show that most intruders are hackers looking for credit card PINs and other financial data.
Some hackers are more interested in an organization’s communications than its money. For example, they might hijack the firm’s e-mail and take over its website. The next morning, the staff discover that a hacker based somewhere in Patagonia is sending out spam and redirecting the website to a pornographic site.
Solving wireless security problems is a challenge. To connect to the firm’s computer network, a wireless device requires a wireless network adapter. There are just a few vendors of wireless network adapters, so if a user does not change the default name to a secure code—and most don’t—it can be easy for an intruder to crack the default code and intercept the user’s communications.
Many firms recognize this problem and insist that users change their default settings. But if just one person fails to do so, the entire system may be wide open. For this reason, some organizations have installed wireless virtual private network (VPN) access points.
A wireless VPN access point lets users access the system only if they are properly authenticated by a custom-generated encryption key, which is a code that is generated automatically and changed periodically. Although scanners can still detect the presence of a wireless network, they cannot break into it without a verifiable encryption key.
A skilled hacker can crack most access-point encryption keys, so some organizations also require users to authenticate themselves with passwords. These passwords should have at least eight characters, including numbers, symbols, and both upper- and lower-case letters.
The problem with complicated passwords is that users have trouble remembering them, so they write them down on a slip of paper and tape the paper to their laptop. To counter this kind of negligence, a few organizations require users to present two forms of identification, typically something only the user knows (such as a PIN) and something only the user has (such as an authentication token).
An authentication token is simply a device that authenticates the identity of a user. One type looks like a key fob with a string of LCD numbers. To get into the system, users enter their PIN and the number on their token. To make this approach almost uncrackable, each employee has a different token number, and the individual numbers change every 60 seconds or so, in synch with a master server at the company’s office.
Here are some commonsense steps firms can take to reduce risks further.
Gregory Hanna is president and CEO of TOSS Corporation, Framingham, Mass. (www.disasteravoidance.com).