[ISN] New York presents wireless security challenge for RNC

InfoSec News isn at c4i.org
Fri Sep 3 06:14:31 EDT 2004


By Dan Verton

Transportation Security Administration security checkpoints, hundreds
of Secret Service agents, thousands of police on foot, horses and
motorcycles, city blocks barricaded by dump trucks filled with tons of
sand and an invisible wireless back door that is virtually impossible
to monitor and control. That was a snapshop of the security situation
at this week's Republican National Convention (RNC) at New York's
Madison Square Garden.

While physical security was tightened to unprecedented levels --
transforming the city into something unrecognizable to those who call
it home -- IT security researchers uncovered an unsettling number of
unencrypted wireless devices that they say create a potential
information security nightmare for convention organizers and

During a two-hour "war drive" around the site of the RNC as well as
Manhattan's financial district, security researchers from Boston-based
Newbury Networks discovered more than 7,000 wireless devices, 1,123 of
which were located within blocks of the convention, including a
network named WirelessForKerry. More important, 67% of those devices
were access points that did not have encryption protection.

During the war drive, to which Computerworld was granted exclusive
access, Newbury technicians set up an unsecured wireless "honeypot"  
that masqueraded as a Linksys access point. According to log analysis
of Newbury's Watchdog system, a wireless device attempted to
automatically connect to the honeypot every 90 seconds.

The findings underscore that while New York continues to focus on
physical security for the convention, the huge numbers of open,
unsecured wireless networks represent a serious threat to the city's
hard-wired infrastructure, said Newbury CEO Michael Maggio.

"A wireless-enabled notebook computer powered up inside Madison Square
Garden by a conventioneer or media representative could automatically
associate with wireless networks outside of the building," said
Maggio, noting that such a security gap could allow an attacker to
"hop onto" the wired network inside the facility. "All the security
policies in the world can't stop a wireless intruder from accessing an
open network signal emanating from a Wi-Fi access point or network

The two-hour drive around Manhattan also revealed as many as 2,161
access points and 821 client devices broadcasting unique service set
identifiers (SSID). "The SSIDs beaconed by clients is really a
valuable list for an attacker," said Brian Wangerien, senior product
manager at Newbury. "Once the attacker knows that a client is
beaconing for a particular SSID, he can change the SSID of his AP and
trick the client into connecting to the attacker's access point."

Several network administrators in Manhattan's financial district also
appeared to use the system's encryption key as the SSID.

These security gaps potentially open the entire hard-wired RNC network
and other corporate networks to data sabotage, virus and worm
infections, denial-of-service bots and spam engines, said Wangerien.

Newbury Networks conducted a similar war drive around the Fleet Center
in Boston during the Democratic National Convention. Although the
company found only half the number of devices that were present in New
York, nearly the same percentage were unencrypted.

David Shatzkes, vice president of government services delivery at New
York-based Computer Horizons Corp., the firm managing the wired
network at the convention site, said convention organizers
specifically avoided requesting wireless network support due to the
security issues and useability issues associated with them. Although
the RNC staff did not request wireless network support from Computer
Horizons, Shatzkes said it could have been done securely.

However, Jose Colon, a spokesman at Hewlett-Packard Co. (HP), said he
is "unaware" of any restrictions on the use of wireless at the
convention and acknowledged that his company has provided dozens of
wireless tablet PCs for use on the convention floor. Although security
is always a concern, Colon said the biggest focus has been on
coordinating with the Secret Service and providing redundant backup
for the wireless systems in use.

One of the reasons for redundant wireless support, said Colon, is that
when President George W. Bush arrives in the city, the Secret Service
and other defense agencies follow the common practice of jamming local
communications emanations for security reasons.

However, the disconnect between the RNC's main network integrator and
HP's deployment of wireless tablet PCs raises a red flag for Maggio.

"Apparently nobody at the RNC seems to know what the wireless policy
is," said Maggio. "They spend millions of dollars on physical security
and they don't have a clue of who's using their airwaves."

The fact that the main network integrator was unaware of the
deployment of HP's wireless systems is an indication that IT security
personnel had not been "sniffing the air" to see where authorized
wireless systems were in use and where rogue or intruder systems might
be deployed, he said.

More information about the ISN mailing list