[ISN] Finding your weakest link

InfoSec News isn at c4i.org
Tue Nov 9 06:51:50 EST 2004

Forwarded from: William Knowles <wk at c4i.org>


By Bob Brewin and Frank Tiboni 
Nov. 8, 2004

Although concrete barricades block physical access to many roads and
buildings throughout the Washington, D.C., region, a Federal Computer
Week team discovered that information and systems at many defense and
civilian agencies are left exposed through wireless networks.

Despite all of the attention focused on cybersecurity, agencies still
have vulnerabilities, either because data on the wireless links is
unencrypted or because wireless access points are broadcasting signals
that hackers could use to attack the network.

But that may not be the worst of it. Agency officials may find that
the weakest link is government contractors, which are involved in many
of their programs. FCW found significant vulnerabilities among systems
integrators, such as Computer Sciences Corp., which has
multimillion-dollar contracts with the National Security Agency and
the Internal Revenue Service.

A survey of wireless security in the Washington area Oct. 19 found
that Wi-Fi networks at several federal agencies and defense
contractors did not meet the security policies issued by Defense
Department officials last April or guidelines issued by National
Institute of Standards and Technology officials in November 2002.

At CSC's federal division's campus in Falls Church, Va., FCW reporters
discovered five rogue, or unauthorized, wireless access points.

During the tour, the reporters detected a wireless bridge at the
headquarters of the Defense Information Systems Agency on Courthouse
Road in Arlington, Va., which was transmitting megabytes of traffic.

Open to trouble

These vulnerabilities could potentially allow somebody to bring down
the organization's network. A wireless security consultant who helped
FCW with its wireless survey, on the condition of anonymity, said he
could have launched a denial-of-service attack against these access
point bridges, which operate in the easily detectable 2.4 GHz band. He
could have knocked them out in less than a minute.

The DOD wireless directive states "measures shall be taken to mitigate
denial-of-service attacks," and a DISA spokesperson said the agency
complies with that policy. The spokesperson said the Wi-Fi network
detected by FCW at Courthouse Road was part of a routine test to
evaluate new wireless technologies.

The Pentagon has a Wi-Fi network operating in a private Internet
domain, which FCW was able to detect from a range of more than 1,000
yards from highways on three sides of the building. This network
constantly recycled packets of data. Officials at the Army's
Washington Headquarters Service, which manages the Pentagon, did not
return calls from FCW for comment.

Agency officials have at least some control of internal wireless
access points. Security at contractors' facilities may be more
difficult to manage.

In July, for example, CSC won a multibillion dollar outsourcing
contract from NSA to upgrade the agency's computer infrastructure.

An NSA spokeswoman said the agency has mandatory Wi-Fi policies for
contractors, including adherence to the April 2004 DOD wireless
directive. That directive calls for active electromagnetic sensing for
unauthorized wireless devices at DOD and contractor facilities.

Chris Steinbach, CSC's vice president of global security, said company
officials conducted a sweep for rogue access points Aug. 27 but did
not launch another until the week of Oct. 25 after being contacted by
FCW reporters.

Wireless networks often can be detected because many access points
have a built-in beacon function. That function broadcasts a signal
known as a Service Set Identifier (SSID) to make it easier for
wireless devices to find the link. However, it is also a beacon for
hackers looking for an entry point into an organization's network. As
part of their guidelines, NIST officials suggest agencies turn off the
built-in function.

Even with the broadcast function turned off, SSIDs are transmitted in
other frames of the Wi-Fi signal, which can be detected by sniffing
software. NIST officials recommend agency officials use an SSID that
does not reveal information about the agency, such as name, division
or department. FCW detected hundreds of default SSIDs and easily
associated beacon signals during the Wi-Fi survey.

These included GDWAP1 from an unencrypted access point at the
headquarters of General Dynamics Corp. in Falls Church, NASA: Official
Use Only from an access point at NASA headquarters on Independence
Avenue in Washington and CMC from an access point located at the house
of the Commandant of the Marine Corps at 8th and I streets in
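
The two paragraphs above describe the mechanics the FCW survey relied on: an access point's beacon carries its SSID, and even when beaconing is suppressed the SSID still appears in probe responses, while the capability field and RSN element reveal whether the link is open, WEP or WPA/WPA2. The following Python is an added example, not code from the article or any product it names, that parses constructed 802.11 beacon and probe response frames and applies checks in the spirit of the NIST guidance cited (default or organisation-revealing SSIDs, unencrypted or WEP-only links, and an SSID hidden from beacons but disclosed by a probe response). The BSSIDs, the default-SSID list and the organisation terms are constructed for the example.

```python
import struct

# 802.11 management frame subtypes (frame control byte 0, protocol version 0)
BEACON = 0x80
PROBE_RESPONSE = 0x50

MAC_HEADER_LEN = 24                  # FC, duration, addr1, addr2, addr3, seq ctrl
FIXED_PARAMS_LEN = 8 + 2 + 2         # timestamp, beacon interval, capability info
PRIVACY_BIT = 0x0010                 # capability bit 4: data frames are encrypted
ELEM_SSID, ELEM_RSN, ELEM_VENDOR = 0, 48, 221
WPA1_OUI_TYPE = b"\x00\x50\xf2\x01"  # Microsoft OUI + type 1 = WPA (pre-RSN)

# Constructed lists for the example; a real survey would maintain its own.
DEFAULT_SSIDS = {"linksys", "default", "wireless", "netgear", "dlink"}
ORG_TERMS = ("nasa", "usmc", "dod")


def build_frame(subtype, bssid, ssid, privacy=False, security=None):
    """Build a minimal beacon/probe response (constructed test data, not a capture)."""
    header = bytes([subtype, 0x00]) + b"\x00\x00"       # frame control + duration
    header += b"\xff" * 6 + bssid + bssid + b"\x00\x00"  # DA, SA, BSSID, seq ctrl
    capability = 0x0001 | (PRIVACY_BIT if privacy else 0)  # ESS bit (+ privacy)
    fixed = struct.pack("<QHH", 0, 100, capability)
    elems = bytes([ELEM_SSID, len(ssid)]) + ssid
    if security == "wpa2":
        elems += bytes([ELEM_RSN, 2]) + b"\x01\x00"          # RSN IE, version 1
    elif security == "wpa":
        elems += bytes([ELEM_VENDOR, 6]) + WPA1_OUI_TYPE + b"\x01\x00"
    return header + fixed + elems


def parse_mgmt_frame(frame):
    """Extract BSSID, SSID and cipher generation from a beacon or probe response."""
    if len(frame) < MAC_HEADER_LEN + FIXED_PARAMS_LEN:
        raise ValueError("frame too short")
    subtype = frame[0] & 0xF0
    if subtype not in (BEACON, PROBE_RESPONSE):
        raise ValueError("not a beacon or probe response")
    bssid = frame[16:22].hex(":")
    capability = struct.unpack_from("<H", frame, MAC_HEADER_LEN + 10)[0]
    ssid, has_rsn, has_wpa = None, False, False
    pos = MAC_HEADER_LEN + FIXED_PARAMS_LEN
    while pos + 2 <= len(frame):                 # walk the tagged parameters
        elem_id, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if len(data) < length:
            break                                # truncated element: stop parsing
        if elem_id == ELEM_SSID:
            ssid = data.decode("utf-8", errors="replace")
        elif elem_id == ELEM_RSN:
            has_rsn = True
        elif elem_id == ELEM_VENDOR and data.startswith(WPA1_OUI_TYPE):
            has_wpa = True
        pos += 2 + length
    if not capability & PRIVACY_BIT:
        security = "open"
    elif has_rsn:
        security = "wpa2"
    elif has_wpa:
        security = "wpa"
    else:
        security = "wep"                         # privacy bit but no RSN/WPA element
    hidden = not ssid or ssid.strip("\x00") == ""  # zero-length or null-filled SSID
    return {"subtype": subtype, "bssid": bssid, "ssid": ssid,
            "hidden": hidden, "security": security}


def survey(frames):
    """Merge frames per BSSID; a probe response fills in an SSID hidden from beacons."""
    networks = {}
    for frame in frames:
        info = parse_mgmt_frame(frame)
        net = networks.setdefault(info["bssid"], {"ssid": None, "hidden_beacon": False,
                                                 "security": info["security"]})
        if info["subtype"] == BEACON and info["hidden"]:
            net["hidden_beacon"] = True
        elif not info["hidden"]:
            net["ssid"] = info["ssid"]
    return networks


def findings(net):
    """Policy checks in the spirit of the NIST guidance the article cites."""
    out = []
    if net["security"] == "open":
        out.append("unencrypted")
    elif net["security"] == "wep":
        out.append("wep only")
    if net["hidden_beacon"] and net["ssid"]:
        out.append("ssid hidden in beacon but leaked by probe response")
    ssid = (net["ssid"] or "").lower()
    if ssid in DEFAULT_SSIDS:
        out.append("default vendor ssid")
    if any(term in ssid for term in ORG_TERMS):
        out.append("ssid identifies organisation")
    return out


# Constructed sample frames: BSSIDs are made up; the second SSID is the one the article reports.
SAMPLE_FRAMES = [
    build_frame(BEACON, b"\x00\x11\x22\x33\x44\x01", b"linksys"),
    build_frame(BEACON, b"\x00\x11\x22\x33\x44\x02", b"NASA: Official Use Only", privacy=True),
    build_frame(BEACON, b"\x00\x11\x22\x33\x44\x03", b"", privacy=True, security="wpa2"),
    build_frame(PROBE_RESPONSE, b"\x00\x11\x22\x33\x44\x03", b"corp-internal",
                privacy=True, security="wpa2"),
]

if __name__ == "__main__":
    for bssid, net in survey(SAMPLE_FRAMES).items():
        print(bssid, net["ssid"], net["security"], findings(net))
```

The third sample network shows why turning off the beacon's SSID is not a control on its own: the beacon carries an empty SSID element, but the probe response from the same BSSID carries the real name, which is exactly what the sniffing software the article mentions collects. The security classification is deliberately conservative: a set privacy bit with neither an RSN nor a WPA vendor element is reported as WEP.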

Trouble on the cheap

Vendors and analysts said the FCW survey illustrates security problems
federal agencies and contractors need to face with the rise of Wi-Fi
technology during the past four years.

Sheung Li, product line manager for Atheros Communications Inc., a
Wi-Fi chip manufacturer, estimates there are 50 million active Wi-Fi
devices nationwide. Abner Germanow, an analyst with International Data
Corp., a research firm based in Framingham, Mass., said worldwide
shipments of Wi-Fi devices could hit 19.2 million units in 2004, up
from 11.3 million units in 2003.

Wi-Fi's market growth has led to a steep drop in prices for access
points, with consumer access points from companies such as the Linksys
division of Cisco selling for $40 through Internet retailers. Linksys
access points feature plug-and-play capabilities, taking less than a
minute to set up.

The combination of low cost and easy installation facilitates rogue
access points, which is a serious concern for agency and defense
contractor officials, said Richard Rushing, chief security officer of
AirDefense Inc., a Wi-Fi security company based in Alpharetta, Ga.,
that sells stand-alone and networked Wi-Fi sensing systems.

Rogue access points have the potential to open enterprise networks to
sniffing by potentially malicious adversaries and contractors. Federal
agencies need to have an active program to detect and prevent rogue
access points.

Steinbach said CSC officials have a policy barring installation of
unauthorized access points, and they could fire any employee who
installs one. Steinbach said the rogues discovered by FCW have been
disconnected and emphasized that any intruder attempting to use them
to penetrate CSC networks would have been stopped by firewalls on the
company's wired networks. "We have multiple layers of security,"
Steinbach said.

He added that CSC has contracted with AirDefense to provide systems
with around-the-clock monitoring capabilities immediately.

General Dynamics spokesman Kendall Pease said in a statement the
GDWAP1 access points FCW discovered are part of a guest network used
to provide Internet access for visitors to the company's headquarters.
These visitors, including General Dynamics officials, other
contractors and government customers, are warned that the Wi-Fi
network is unsecure, and they are responsible for maintaining the
security of their communications and compliance with policies of their
home networks.

Pease's statement did not address the potential security problems
posed by transmitting unencrypted data via a Wi-Fi network with an
easily identified SSID, but vendors and analysts expressed surprise
that contractors and federal agencies would entrust traffic on
unencrypted networks with easily associated SSIDs.

NASA and Marine Corps officials did not return phone calls for comment
about the networks FCW detected.

Ken Evans, vice president of product management for Fortress
Technologies Inc., based in Oldsmar, Fla., said "this is wireless
security 101. This is stuff that has been covered in the popular press
for the past two years."

Fortress officials sell a security product widely used by the Army and
the Department of Veterans Affairs. Evans said contractors and federal
agencies should use such a system to provide gold-plated security that
is better than the Wired Equivalent Privacy (WEP) encryption used on
NASA and Marine networks detected by FCW.

Officials at T-Mobile USA in Bellevue, Wash., which operates a
nationwide network with more than 4,700 Wi-Fi hot spots, offer better
security on their public-access networks than the General Dynamics
guest network or the NASA and Marine networks detected by FCW, said
Mark Bolger, the company's director of hot spot brand marketing.

Since October, T-Mobile has offered security based on the Institute of
Electrical and Electronics Engineers Inc. 802.1X standard, which
provides stronger authentication and encryption than WEP, Bolger said.

Rushing said any federal agency or defense contractor Wi-Fi network
should have defense in depth, which includes the Advanced Encryption
Standard, stronger authentication and constant monitoring of a campus
or building to detect rogues.

Joe Lawless, department manager for global network systems design at
United Parcel Service Inc. in Atlanta, said physical security is
another important component of Wi-Fi security. UPS officials say the
company operates the world's largest wireless network with about 7,000
access points at the company's offices, hubs and distribution centers.

Lawless said UPS security personnel are instructed to question
suspicious individuals parked in or around the perimeter of UPS
facilities, especially if they are aiming a three-foot antenna at the
facility, similar to the methodology of the FCW reporting team during
its assessment of Wi-Fi security in Washington.

Florence Olsen contributed to this article.


Watch out for wireless vulnerabilities

Security experts warn that wireless communications have certain
vulnerabilities that need to be addressed. Among those threats:

* Rogues: These are cheap ($100 or less) consumer-grade access points,
  most likely unauthorized, that have the potential of opening up an
  enterprise network to anyone within the range of the rogue access
  point. Users frustrated by lack of wireless access, easy
  installation and a continuing drop in the cost of access points
  make this a serious threat that will not go away.

* Bug lights: The Wi-Fi utility in Microsoft Corp. Windows XP
  constantly searches for access points like moths headed toward
  a flame. This utility makes it easy for a hacker to set up an
  access point that XP clients will use. If that client is connected
  to a wired network, it will serve as a bridge for intruders.

* Automatic address assignment hacks: Many wireless local-area
  networks use the Dynamic Host Configuration Protocol to assign IP
  addresses. That means a hacker can obtain an IP address and a
  connection to the access point and the network behind it as easily
  as an authorized user.

* Man-in-the-middle attacks: Hackers collect IP addresses from access
  points and client cards during an initial association process and
  then set up a fake access point that looks like the real one,
  diverting traffic to the hacker.

* Denial-of-service attacks: Like a polite dinner guest waiting his
  turn, the Wi-Fi Media Access Control layer avoids transmission when
  it senses other radio frequency activity. Hackers can exploit that
  vulnerability by flooding an access point with traffic and setting
  up a high-power radio frequency generator that denies legitimate
  users access to the network until the denial-of-service attack ends.
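
The sidebar lists the threats; the active detection program the article says agencies need is what turns them into alerts. The following Python is an added example, not code from the article, FCW or any vendor named, that runs simple detection logic over constructed wireless-sensor and DHCP log lines (key=value format invented for the example) against an authorised-AP inventory and a registered-client list: an unknown BSSID is a rogue, an unknown BSSID advertising a corporate SSID is the fake access point of the man-in-the-middle and "bug light" items, a lease handed to an unregistered MAC covers the DHCP item, and a burst of deauthentication frames is the usual signature of the denial-of-service item. The inventory, client list, OUIs and threshold are all constructed.

```python
from collections import Counter

# Constructed inventory for the example: authorised APs with the SSID each serves,
# plus the client MACs registered with the help desk.
AUTHORIZED_APS = {"00:11:22:33:44:01": "agency-wlan", "00:11:22:33:44:02": "agency-wlan"}
REGISTERED_CLIENTS = {"00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"}
DEAUTH_THRESHOLD = 20   # deauth frames from one apparent source within the log window

# Constructed log lines (key=value), not output of any real sensor or DHCP server.
SAMPLE_LOG = "\n".join([
    "10:00:01 wids event=beacon bssid=00:11:22:33:44:01 ssid=agency-wlan",
    "10:00:02 wids event=beacon bssid=00:0c:41:aa:bb:cc ssid=linksys",
    "10:00:03 wids event=beacon bssid=00:0c:41:dd:ee:ff ssid=agency-wlan",
    "10:00:04 dhcpd event=lease mac=00:aa:bb:cc:dd:01 ip=10.8.0.21",
    "10:00:05 dhcpd event=lease mac=00:de:ad:be:ef:00 ip=10.8.0.22",
] + ["10:00:06 wids event=deauth src=00:11:22:33:44:01 dst=ff:ff:ff:ff:ff:ff"] * 25)


def parse_line(line):
    """Split '<time> <source> k=v k=v ...' into a dict."""
    ts, source, *fields = line.split()
    rec = {"ts": ts, "source": source}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(log_text):
    """Return (alert_type, subject, detail) tuples for the threats in the sidebar."""
    alerts = []
    deauth_by_src = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        event = rec.get("event")
        if event == "beacon":
            bssid, ssid = rec["bssid"], rec["ssid"]
            if bssid not in AUTHORIZED_APS:
                if ssid in AUTHORIZED_APS.values():
                    # Unknown radio advertising our SSID: the fake AP clients auto-join
                    alerts.append(("evil_twin", bssid, ssid))
                else:
                    alerts.append(("rogue_ap", bssid, ssid))
            elif AUTHORIZED_APS[bssid] != ssid:
                alerts.append(("ssid_mismatch", bssid, ssid))   # inventory drift
        elif event == "lease" and rec["mac"] not in REGISTERED_CLIENTS:
            # DHCP will serve anyone who associates; the lease log is where to notice it
            alerts.append(("unregistered_client", rec["mac"], rec["ip"]))
        elif event == "deauth":
            deauth_by_src[rec["src"]] += 1
    for src, count in deauth_by_src.items():
        if count >= DEAUTH_THRESHOLD:
            alerts.append(("deauth_flood", src, str(count)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The inventory comparison is the whole control: without a maintained list of authorised BSSIDs there is no way to tell the five rogues at CSC from the sanctioned access points, which is why the article's vendors insist on a continuous sensing program rather than a one-off sweep. The deauth count is keyed on the apparent source because a flood will normally carry a legitimate AP's address; the volume, not the address, is the signal.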

"Communications without intelligence is noise; intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
