Securing Wireless Networks Against Intruders

By Gregory Hanna

APRIL 2005 - Wireless devices, such as a laptop computer or a personal digital assistant (PDA), make it easy to stay in touch and organized, and are a tremendous boost to productivity. They are also, however, prey to Internet thieves. Wireless security is one area where hackers are several steps ahead of their victims.

The weakness of wireless devices lies in the access points on wireless networks. These access points transmit a continuous radio signal that anyone can intercept using only a laptop, a wireless adapter, and wireless scanning software. When intruders find a wireless unit with a four-digit password, they can generally break into it in less than 60 seconds. Once inside, they can steal the user’s PINs and other financial information, or use that wireless unit to break into the organization’s main computer system and gain access to proprietary financial information. Some of these intruders may be industrial spies attempting to steal trade secrets and other competitive information, but statistics show that most intruders are hackers looking for credit card PINs and other financial data.

Some hackers are more interested in an organization’s communications than its money. For example, they might hijack the firm’s e-mail and take over its website. The next morning, the staff discover that a hacker based somewhere in Patagonia is sending out spam and redirecting the website to a pornographic site.

Solving wireless security problems is a challenge. To connect to the firm’s computer network, a wireless device requires a wireless network adapter. There are just a few vendors of wireless network adapters, so if a user does not change the default name to a secure code—and most don’t—it can be easy for an intruder to crack the default code and intercept the user’s communications.

Many firms recognize this problem and insist that users change their default settings. But if just one person fails to do so, the entire system may be wide open. For this reason, some organizations have installed wireless virtual private network (VPN) access points.

A wireless VPN access point lets users access the system only if they are properly authenticated by a custom-generated encryption key, which is a code that is generated automatically and changed periodically. Although scanners can still detect the presence of a wireless network, they cannot break into it without a verifiable encryption key.

A skilled hacker can crack most access-point encryption keys, so some organizations also require users to authenticate themselves with passwords. These passwords should have at least eight characters, including numbers, symbols, and both upper- and lower-case letters.

The problem with complicated passwords is that users have trouble remembering them, so they write them down on a slip of paper and tape the paper to their laptop. To counter this kind of negligence, a few organizations require users to present two forms of identification, typically something only the user knows (such as a PIN) and something only the user has (such as an authentication token).

An authentication token is simply a device that authenticates the identity of a user. One type looks like a key fob with a string of LCD numbers. To get into the system, users enter their PIN and the number on their token. To make this approach almost uncrackable, each employee has a different token number, and the individual numbers change every 60 seconds or so, in synch with a master server at the company’s office.
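
The PIN-plus-token check described above, as an added example that is not from the original article: a time-based one-time code with a 60-second step, verified by the master server together with the PIN. It uses the open RFC 4226/6238 construction as a stand-in for whatever a given token vendor implements; the six-digit length, the one-interval drift window, and the names MasterServer, token_code and pin_hash are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the article's "every 60 seconds or so"
DIGITS = 6         # assumption: six-digit display
DRIFT_STEPS = 1    # assumption: accept one interval of clock drift either way

def token_code(seed, now):
    """Code shown at time `now` by a token holding `seed` (RFC 4226/6238 truncation)."""
    counter = int(now // STEP_SECONDS)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def pin_hash(pin, salt):
    # Store a salted, slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class MasterServer:
    def __init__(self):
        self.users = {}

    def enroll(self, name, pin, seed, salt):
        # Each employee gets a different seed, so each token shows different numbers.
        self.users[name] = {"salt": salt, "pin": pin_hash(pin, salt),
                            "seed": seed, "last_step": -1}

    def login(self, name, pin, code, now):
        user = self.users.get(name)
        if user is None:
            return False
        pin_ok = hmac.compare_digest(pin_hash(pin, user["salt"]), user["pin"])
        current = int(now // STEP_SECONDS)
        matched = None
        for step in range(max(0, current - DRIFT_STEPS), current + DRIFT_STEPS + 1):
            expected = token_code(user["seed"], step * STEP_SECONDS)
            # Constant-time compare; steps at or before the last accepted one are replays.
            if step > user["last_step"] and hmac.compare_digest(expected.encode(), code.encode()):
                matched = step
        if pin_ok and matched is not None:
            user["last_step"] = matched  # burn the code so it cannot be reused
            return True
        return False

# Constructed sample data: the RFC 4226 test secret as a seed, a made-up PIN and salt.
SERVER = MasterServer()
SERVER.enroll("alice", "4821", b"12345678901234567890", b"constructed-salt")
```

A code read off the token screen is accepted once, only with the right PIN, and only within one interval of the server's clock; a failed PIN attempt does not consume the code.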

Reducing Risk

Here are some commonsense steps firms can take to reduce risks further.

  • Educate. The biggest threats to computer security are often an organization’s own employees. They use their laptops in public places where snoops can read their screens and steal their passwords, they leave their notebooks and PDAs behind in hotel rooms and taxicabs, and they fail to keep their antivirus protection up to date. It is critical to teach employees how to use wireless computers safely.
  • Practice eternal vigilance. Just one slipup can open the firm to a computer disaster. Treat all remote users as though they are unknown and must be authenticated.
  • Patch bugs promptly. Software bugs, such as those commonly found in Microsoft’s Internet Explorer, can open computers to spyware that covertly gathers data, including passwords, and sends it off to thieves or competitors. Vendors provide security patches to deal with these bugs, but the patches are not always passed on to wireless users quickly enough.
  • Prevent viruses. While most networks are protected with the latest antivirus software, the same cannot be said about wireless computers. To date, few viruses have been found on PDAs, but it is only a matter of time before virus writers target them, and through them, reach the company’s computer system.
  • Limit access. Allow access only to authorized folders and not to the hard drive.
  • Encrypt. Encrypting communications puts another obstacle in front of hackers and spies.
  • Firewalls. Maintain the strongest security policy possible on the network firewall, limiting open ports to the absolute minimum.
  • Assess vulnerability. Run automated vulnerability assessments on a regular basis as part of a proactive security maintenance procedure.
  • Take charge. To prevent employees from ignoring security measures, remove responsibility for wireless IT security from end users and manage it proactively.

Gregory Hanna is president and CEO of TOSS Corporation, Framingham, Mass.