Modernizing Authentication — What It Takes to Transform Secure Access
The first mistake many companies make, says Diana Smetters, security researcher at the Palo Alto Research Center (PARC), is failing to prohibit employees from setting up their own wireless networks at the office. If there's a wired connection available in, say, a conference room, anyone (employees, contractors, partners) can create a new local area network. With wireless LAN cards available for less than $100 at most local electronics superstores, like Best Buy, it's easy for these so-called "rogue" networks to slip into the company under IT's radar screen.
That's not to say that Wi-Fi is not at all secure. It's just that the equipment is typically shipped with its security software, known as WEP (Wired Equivalent Privacy), turned off. Using WEP means users have to fire up a browser, log onto a wireless access point and choose security keys. According to CERT's Rogers, some employees might consider doing all of these things more trouble than they're worth. "Or, they may be just clueless," says Rogers.
But even when WEP is turned on, it's no match for the toughest wireless hackers, or "whackers." WEP can be "broken" by anyone with a wireless laptop, a widely available encryption-buster program and enough time. Even relatively undetermined technophiles, for example, can use freeware software such as NetStumbler with a Wi-Fi card to sniff out exposed networks.
The NetStumbler site, for example, lets people see the locations of unprotected access points around the U.S., a gold mine for would-be corporate spies. If the CEO's nightmare is to wake up and see the corporation's unannounced acquisition plans, for example, plastered across The Wall Street Journal's front page, then the CIO's equivalent is finding the company's wireless network exposed on NetStumbler.
Another cause for wireless insecurity: the failure by workers to take needed security precautions when they work on a wireless device from outside the office, whether from Starbucks, the airport lounge or from home. PARC's Smetters says it's easy for a corporate spy to "sniff" the laptop of a competitor. "Say I want to find someone who works in Corporation X," she says. "What I'm going to do is sit in a coffee house around the corner and wait for somebody from Corporation X to sit down with their laptop" and then, using a wireless card and "sniffer" program, begin scanning that person's laptop without their knowledge, if no wireless security software is in place. "People are going to take their laptops, and with wireless they're going to be moving in and out of your firewall in a much more dynamic way than they would have or could have before," she says.