
Going ‘round the block to crack your network   |  November 5, 2001  

By Geoff Dennis

FOR THE NEXT 25 MINUTES, BEN SAPIRO IS A HACKER. HE DROPS HIS LAW-ABIDING image as senior consultant of risk management at KPMG LLP to share a secret, a hush-hush tidbit that might make you look twice at the guy strolling by your company’s building with a notebook computer under his arm.

Jumping into a taxi, armed with a laptop PC and an antenna, Sapiro trolls Toronto’s Bay Street, contempt flashing in his eyes like a real cyber-criminal. He plugs a tiny antenna into his laptop and holds it up to the taxi’s window. As the cab tours the financial district, Sapiro uses software that detects wireless Ethernet signals to search for vulnerable corporate networks. Five minutes into the trek he’s had four hits. In 10 minutes, there are 12.

“We’ve got a real strong signal here,” he said, pointing at a blinking green icon on the screen. “If I were a real nasty person, I’d get out of the cab and crack the system. It’s so easy my grandmother could do it!”

In 20 minutes, Sapiro uncovers a grand total of 19 wireless Ethernet signals. Only four have enabled Wired Equivalent Privacy (WEP), and that alone won’t stop a determined hacker, who can break the encryption code and gain access to a company’s network in less than five hours.

It’s called war driving and it’s a hacker’s paradise that could end up costing thousands in protection and repair bills. Wireless networking isn’t entirely secure yet, and war driving has become the New Economy version of war dialing, a tactic immortalized in the movie War Games, in which a PC dials telephone number after telephone number trying to locate a vulnerable modem.

If war driving isn’t addressed soon, some companies will wish they had stuck with hard-wired communications systems. “The average company does not know that wireless networks are different from wired ones and require different, and more advanced, security measures,” Sapiro said. “Until some sort of watershed event happens, there will be a lag of awareness. I just hope it’s not something totally damaging.”

Opening secrets
War driving’s potential damage is striking: a hacker could spill or sell corporate information to the competition, or send in a malicious virus like the newest strain of Code Red. He or she could use the infiltrated network to attack another company or, at minimum, could simply surf for free, a joy ride at the company’s expense.

Currently, the only standard protection is WEP, the 40- or 128-bit encryption system developed by the Institute of Electrical and Electronics Engineers (IEEE). Compatible technology is continually updated by the Wireless Ethernet Compatibility Alliance (WECA), but neither WECA nor the IEEE is willing to concede that war driving is a real threat. Yet WECA does admit that WEP is a flawed security tactic, asserting that a company cannot rely solely on encryption to ensure safety.

“We acknowledge that WEP can be cracked, but it’s like thinking the lock on my door is unbreakable,” said WECA chairman David L. Cohen in San Jose, Calif. “Does that mean I shouldn’t buy a house because the lock can be picked? Let’s get real. If you’re a large company, then you should do more than WEP. You need end-to-end security.”

Cohen said beefing up security is even easier than war driving. Companies can start by regularly changing the WEP default keys and adding password protection to the network. Many security experts, including Cohen, recommend installing authentication protocols like RADIUS (Remote Authentication Dial-In User Service) as well.

“There is no need for alarm; there is a need for education, risk assessment and understanding,” Cohen said, adding that the IEEE is working on encryption improvements. “Wireless LANs [local area networks] are a pragmatic, useful technology. You can stay connected to the network, or to your e-mail or to the office whether you’re on the road or in a hotel or in a cafe. But if you have patents or trade secrets on that network, it’s foolish to forget about security.”

No barrier strong enough
Security expert Frank Prince at Forrester Research warns that safety is an illusion and that if hackers really want to crack your network, nothing can prevent them from doing so. But that doesn’t mean they will, and war driving, as easy as it is, simply is not a very significant worry. Forrester Canada predicts that by 2003, almost half of all companies will allocate at least five per cent of their budgets to wireless development and 46 per cent of companies will consider wireless development to be a critical strategy. So with more companies planning to spend more money on wireless technology, does that mean upgrades should be halted until better security measures are developed?

A resounding “No” is the response from Prince, who said that the threat posed by war driving (like most other security problems) can be lessened if companies recognize the value of their information. According to Prince there are two kinds of companies: those who care about security and those who don’t, and the latter may as well post their sensitive information right on their Web sites.

Sapiro’s hacker alias would love that, but as he exits the cab and returns to his work at KPMG, he knows the matter is a serious one. He offers one last piece of advice: preventative measures are always the best strategy, even if it means using WEP encryption coupled with extra security precautions.

“The sky isn’t falling just yet,” he said. “But it could be.”
 