Thinking of installing a wireless network? Think again. Columnist Winn Schwartau reveals just how simple it is
to break into wireless networks, even encrypted systems. Although we deliberately omit describing some key components of the hack attack kit to prevent intruders from wrecking havoc, those missing pieces are all too readily available.
It used to take a certain amount of talent to break into a computer network, but not anymore. Run a scanner, look for holes, download passwords or generate buffer overflows and you're in!
Today, breaking into a corporate network, not just their Web site, is even simpler. I've talked with people who believe that it's so simple that some companies should be prosecuted for stupidity. Not a bad idea, perhaps, but the cause may be that CIOs and security people are not aware of recent developments that leave their networks open to remote attack invisibly.
How I Became a Cyber Criminal Without Even Knowing It.
It was at DefCon, the world's largest computer hacker convention, drunk-fest and party for feds, hacker hopefuls, Goths, corporate and security folks. While there, I was invited to join a couple of characters to, "Break into some networks, dude, as long as you don't use our real names."
My adventure began with a cruise along the boulevards of Las Vegas. We never tried to disguise that we were breaking into a computer network; in fact we were in a convertible!
Our arsenal of attack equipment consisted of:
1. A laptop running W2K
2. A handheld GPS receiver connected to the laptop's serial port.
3. A wireless Ethernet card
4. A 12" antenna connected to the Ethernet card.
5. Two pieces of free software downloaded from the Internet. ( to remain unidentified to protect vulnerable wireless networks)
We drove the streets looking for an insecure network. Within 1/2 hour, our rig recognized about 100 separate Access Points inside of wireless networks. These access points broadcast signals on well-defined frequencies (IEEE 802.11b specifications) that shout "Here I am!?" In other words, we found organizations broadcasting who they were and where they were. That's all we needed to break in.
The Third Man's software did two things:
1. Identified the open network, and
2. With the GPS, gave us the exact physical location of the network.
Thus armed, the Third Man locked into an historical Vegas business.
How to break into a wireless network
Reboot your computer. (thus, the article's title, "Three Keystrokes.) With your wireless Ethernet card inserted and the unprotected access point will mate up instantly. You also need to change the Service Set Identifier (SSID) on your Ethernet card to match SSID on the network's access point. You can choose to manually force your DHCP settings to renew, but if that gives you any trouble, merely reboot!
As far the "victim" was concerned, the wireless laptop was a legitimate node on their internal network. Wireless access points automatically assign internal IP addresses through DHCP, and now we could see their LAN just as clearly as if we were sitting at a desktop insider their facility.
The Third Man ran a sniffer program that captured all of the LAN traffic inside of this company. It was transmitted through the wireless access point straight into the Third Man's computer. Passwords. Contracts. E-mail. We he had it all.
What's to prevent anyone from hacking wireless networks? Nothing! In fact, this sort of techno-entertainment even has a name, it's called "War Driving," and we found more than 100 open networks in just a few minutes in Las Vegas. Imagine how many there are in San Francisco, New York, Washington and other cities with dense wireless networks!
So why not encrypt your wireless networks and prevent a hack? Wired Equivalent Privacy (WEP), was designed just for that purpose, to protect wireless networks from such shenanigans. Unfortunately, the people who set up WEP chose to use a 26-bit encryption algorithm, which is close to useless. Even stronger encryption methods have been cracked as of August, 2001 by researchers from AT&T and elsewhere. The GPS software also showed if WEP was in use We found just two companies using WEP.
The Future of Mobile/Wireless Networks
So what can you do to protect yourself from this technical incompetence? First, don't use wireless networks unless you really have to...it's like putting a modem on your network, with a public dial-up number and no password. Next, be suspicious of vendor claims.
Vendors have got to standardize their encryption routines Forget about using proprietary algorithms. Use only well-known and proven crypto schemes with decent key management. Look for wireless technology using standards like DES, 3XDES, AES, RSA, and PGP.
Finally, beware of in house geeks that install wireless access points to your networks without permission. Land-based war dialers can find unapproved modems in your networks...War Driving does the same thing to identify rogue network connections.
Bottom Line - Don't...
Don't use wireless networks that tie into your main systems. And do not use wireless networks that employ proprietary encryption; that compounds the mistake. Look for vendors whose products offer solid security, encryption and meet acceptable industry standards. The National Security Agency and their contractors are working on setting standards as are other industry groups. It will take time to get the wireless network secure but it's worth the wait.
Winn Schwartau (email@example.com) is the President of Interpact, Inc., a security awareness consulting firm. His latest books are Internet and Computer Ethics for Kids, Parents and Teachers,(June 2001), CyberShock, May, 2001 and Time Based Security (Revised), May 2001.
Copyright 2001, availability.com. Reprinted by permission.