Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
Bandwidth on the run... That's what we all seem to want, but of course that's not all we get. When we use radio instead of wires we trade the limited physical security of the wires inside our buildings for the unlimited lack of physical security of radios. Combine this with the removal of most of the firewalls and intrusion detection systems and the lack of adequate use of encryption technology, and you have a recepie for protection failures.
While I knew this was how it was a long time ago, the first time I saw such a thing in action was at the HTCIA conference a few years back. One of the AT&T folks who was there had a wireless LAN PCMCIA card rigged in his computer and just popped up the old network neighborhood. There they were, a few dozen computers all using the default network information, all accessible over the air. He briefly went into a few remote disks, added a file, copied a file out, then undid it all. It was a simple enough demonstration, it didn't take but a minute, and we all laughed. We knew that the wireless revolution would mean even less protection and more job security.
The wireless revolution - gateway to the stars...
Thinking about the good things to come... If you're a computer attacker, something very good for you has begun. They call it drive-by hacking. Computer attackers literally drive around with radio LAN cards gaining access to systems, dropping in Trojan Horses for reentry, extracting data as desired, and so forth.
On a good day, and with automated tools, you can get into 1,000 or more computers this way. Just so I am clear, that's 1,000 computers a day - something like 2 a minute for 8 hours. In case you haven't done it, you just have to try sitting outside your corporate headquarters and see what kind of access you can get.
Now that we have gone wireless, we are back to the situation we were in just a few years ago - thousands of computers hooked up the the Internet without a firewall or intrusion detection system, operated by inexperienced users who have no knowledge or understanding of the issues underlying information protection.
I just love it when a plan comes together. If I were to try to find a way to make my life as a security expert more complex and interesting, I could not have done better than this. Now that we all 'need' and 'trust' computers with more and more capabilities that we cannot otherwise get along without, we are running on an even weaker infrastructure than ever.
This will, of course, change with time. We will move toward encryption. For those of you who haven;t read the 50 Ways Series this might be a good time to look at the article on how to defeat your cryptographic systems. Just as everything else in information protection, encryption is highly dependent on a well trained user - something we seem to constantly find ways to avoid, hoping that technology will save us. The Wireless Encryption Protocol (WEP) has already been shown to have serious flaws. In fact, there appear to be freely available programs to break it, although nobody I am aware of has published a real-time method, even the ability to get the keys in a few hours would allow an attacker to access your LAN without limit once they got the key code you use for your LAN.
Encryption won't save us, but it will make us safer, sort of. Because encryption will end up becoming widespread in the wireless world, we will have dramatic changes in the way we do law enforcement, the way we do business, and lots of other things. But the one thing that won't change is our ability to misuse the technology. It may surprise you to know that almost every wireless system today has encryption capabilities built into it.
Like I said, technology is not the problem - it's people. The day you get your wireless PCMCIA card or Palm VII or other similar wireless device, what's the first thing you do? Is it check out the security features and enable them appropriately? I think not. You do what everyone else does - you try to get it on line as soon as you can. And as soon as it is on line, you use it. And as soon as you start using it, you have a new capability and you don't want to lose it, so you don't mess with it.
Come hell or high water, the odds of you adding security once the thing works is nearly zero. And the odds of vendors putting impediments to using their technology is about the same. It takes a small additional amount of effort to include strong encryption and enable it by default, and that small amount of effort is enough to make it not be the default and that means the odds are against it from the get go.
We have known this for a very long time in information protection. If the defaults are not set right, the system starts insecure and is highly likely to remain that way. In many cases, wireless systems are broken into fairly quickly in their lifetime. Consider that these days there are viruses roaming the Internet that try to remotely exploit a vulnerability and install themselves in your computer. They typical time between when you get on the net and when a scan hits your system is only a few hours. If you connect to the Internet via wireless and leave the defaults on place with no added protection, it's likely to be only a few hours before your system is broken into by a worm, and from that point forward, attempts to add protection will be largely fruitless unless you have real expertise in your camp.
You know we want to lend a hand. Or perhaps a hand-held. The wireless revolution may one day stand for a lot more than just a change in the way we use technology. After all, with wireless you can literally drive around as you attack systems, break into critical infrastructures, and so forth. The ability to trace radios is quite good in some places these days, but it's still pretty tough to get a skilled attacker, especially one that is connecting to one hand held through another to get to the target.
GPS has been suggested for handhelds. That way we can literally locate you within a foot or so based on the position your GPS claims to be at. How long will it be before we see GPS forgeries? About 15 minutes after the first person arrested this way is caught and the word gets out. Since that was more than 15 minutes ago... In fact, as I recall, there were some folks who did GPS forgery with ground stations some time ago. The details illude me just now.
From hand held to hand held we go and where it stops nobody knows. When you find one, my observers will notice it move because of the change in GPS position (or lack thereof) and we know to sacrifice it for the good of the greater network. After all, at the rate of 1000 systems a day, there is no reason to even use one as a relay for more than a few minutes. (I just found out that radio LAN cards can work in either hop to hop mode as forwarding units or in LAN mode talking to base stations. I have long wanted to set up a series of dead drop hops from spot to spot - perhaps even in UPS packages and behind drywalls... and now I can do it a lot more easily.))
Look around you. How many people have computers today, and how many of them work only at their desk. How many have palm top computers and how many of them would love to be wireless. How many have cell phones and how many of those will be rigged as computers if they aren't already. How many people have pagers and how many would like to get and send email on them, and how many already do it today.
I'm ready to go wireless as soon as it will do what I want. And that's not very far from where it is today. I just want it to run Linux and have enough storage to hold what I need to get secure communications running between wherever I am and wherever I want to be. That's just a few gigabytes of memory, a few hundred megahertz of CPU speed, and a few hundred kilohertz of bandwidth. It's only a year away - maybe two.
Most of the world will not wait for the things I demand in a system and if you wait it may be too late.
I like the fact that I heard most of the music in my life for the first time over the radio. While we talk about music going to the Internet, what we really see is the same music we used to listen to on FM radio moving to Internet radio. Individually tailored (or is it Taylor'ed) and there when we want it.
It's music to my ears. I will now be in constant touch with the world. Not a single second of isolation or peaceful contemplation. No privacy is more than just no leakage of secrets. I will have spam 24x7. The wireless revolution - don't leave home without it.
One of my regular readers (Marcus "Mackan" Andersson) suggested an article on wireless, and I want to thank him for the suggestion. He has also reviewed and commented on the article and provided some interesting added information. He will (hopefully) be giving a talk on wireless security (or the lack thereof) at DefCon later in 2001. I also want to thank all of the unnamed song writers for their titles and tag lines. It kind of makes it more fun to write with a theme like that.
About The Author:
Fred Cohen is thinking inside a bigger box as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs at Fred Cohen and Associates, and educating defenders over-the-Internet on all aspects of information protection at the University of New Haven. He can be reached by sending email to fred at all.net or visiting http://all.net/