Finding your weakest link
- By Bob Brewin, Frank Tiboni
- Nov 07, 2004
Although concrete barricades block physical access to many roads and buildings throughout the Washington, D.C., region, a Federal Computer Week team discovered that information and systems at many defense and civilian agencies are left exposed through wireless networks.
Despite all of the attention focused on cybersecurity, agencies still have vulnerabilities, either because data on the wireless links is unencrypted or because wireless access points are broadcasting signals that hackers could use to attack the network.
But that may not be the worst of it. Agency officials may find that the weakest link is government contractors, which are involved in many of their programs. FCW found significant vulnerabilities among systems integrators, such as Computer Sciences Corp., which has multimillion-dollar contracts with the National Security Agency and the Internal Revenue Service.
A survey of wireless security in the Washington area Oct. 19 found that Wi-Fi networks at several federal agencies and defense contractors did not meet the security policies issued by Defense Department officials last April or guidelines issued by National Institute of Standards and Technology officials in November 2002.
At CSC's federal division's campus in Falls Church, Va., FCW reporters discovered five rogue, or unauthorized, wireless access points.
During the tour, the reporters detected a wireless bridge at the headquarters of the Defense Information Systems Agency on Courthouse Road in Arlington, Va., which was transmitting megabytes of traffic.
Open to trouble
These vulnerabilities could potentially allow somebody to bring down the organization's network. A wireless security consultant who helped FCW with its wireless survey, on the condition of anonymity, said he could have launched a denial-of-service attack against these access point bridges, which operate in the easily detectable 2.4 Ghz band. He could have knocked them out in less than a minute.
The DOD wireless directive states "measures shall be taken to mitigate denial-of-service attacks," and a DISA spokesperson said the agency complies with that policy. The spokesperson said the Wi-Fi network detected by FCW at Courthouse Road was part of a routine test to evaluate new wireless technologies.
The Pentagon has a Wi-Fi network operating in a private Internet domain, which FCW was able to detect from a range of more than 1,000 yards from highways on three sides of the building. This network constantly recycled packets of data. Officials at the Army's Washington Headquarters Service, which manages the Pentagon, did not return calls from FCW for comment.
Agency officials have at least some control of internal wireless access points. Security at contractors' facilities may be more difficult to manage.
In July, for example, CSC won a multibillion dollar outsourcing contract from NSA to upgrade the agency's computer infrastructure.
An NSA spokeswoman said the agency has mandatory Wi-Fi policies for contractors, including adherence to the April 2004 DOD wireless directive. That directive calls for active electromagnetic sensing for unauthorized wireless devices at DOD and contractor facilities.
Chris Steinbach, CSC's vice president of global security, said company officials conducted a sweep for rogue access points Aug. 27 but did not launch another until the week of Oct. 25 after being contacted by FCW reporters.
Wireless networks often can be detected because many access points have a built-in beacon function. That function broadcasts a signal known as a Service Set Identifier (SSID) to make it easier for wireless devices to find the link. However, it is also a beacon for hackers looking for an entry point into an organization's network. As part of their guidelines, NIST officials suggest agencies turn off the built-in function.
Even with the broadcast function turned off, SSIDs are transmitted in other frames of the Wi-Fi signal, which can be detected by sniffing software. NIST officials recommend agency officials use an SSID that does not reveal information about the agency, such as name, division or department. FCW detected hundreds of default SSIDs and easily associated beacon signals during the Wi-Fi survey.
These included GDWAP1 from an unencrypted access point at the headquarters of General Dynamics Corp. in Falls Church, NASA: Official Use Only from an access point at NASA headquarters on Independence Avenue in Washington and CMC from an access point located at the house of the Commandant of the Marine Corps at 8th and I streets in Washington.
Trouble on the cheap
Vendors and analysts said the FCW survey illustrates security problems federal agencies and contractors need to face with the rise of Wi-Fi technology during the past four years.
Sheung Li, product line manager for Atheros Communications Inc., a Wi-Fi chip manufacturer, estimates there are 50 million active Wi-Fi devices nationwide. Abner Germanow, an analyst with International Data Corp., a research firm based in Framingham, Mass., said worldwide shipments of Wi-Fi devices could hit 19.2 million units in 2004, up from 11.3 million units in 2003.
Wi-Fi's market growth has led to a steep drop in prices for access points, with consumer access points from companies such as the Linksys division of Cisco selling for $40 through Internet retailers. Linksys access points feature plug-and-play capabilities, taking less than a minute to set up.
The combination of low cost and easy installation facilitates rogue access points, which is a serious concern for agency and defense contractor officials, said Richard Rushing, chief security officer of AirDefense Inc., a Wi-Fi security company based in Alpharetta, Ga., that sells stand-alone and networked Wi-Fi sensing systems.
Rogue access points have the potential to open enterprise networks to sniffing by potentially malicious adversaries and contractors. Federal agencies need to have an active program to detect and prevent rogue access points.
Steinbach said CSC officials have a policy barring installation of unauthorized access points, and they could fire any employee who installs one. Steinbach said the rogues discovered by FCW have been disconnected and emphasized that any intruder attempting to use them to penetrate CSC networks would have been stopped by firewalls on the company's wired networks. "We have multiple layers of security," Steinbach said.
He added that CSC has contracted with AirDefense to provide systems with around-the-clock monitoring capabilities immediately.
General Dynamics spokesman Kendall Pease said in a statement the GDWAP1 access points FCW discovered are part of a guest network used to provide Internet access for visitors to the company's headquarters. These visitors, including General Dynamics officials, other contractors and government customers, are warned that the Wi-Fi network is unsecure, and they are responsible for maintaining the security of their communications and compliance with policies of their home networks.
Pease's statement did not address the potential security problems posed by transmitting unencrypted data via a Wi-Fi network with an easily identified SSID, but vendors and analysts expressed surprise that contractors and federal agencies would entrust traffic on unencrypted networks with easily associated SSIDs.
NASA and Marine Corps officials did not return phone calls for comment about the networks FCW detected.
Ken Evans, vice president of product management for Fortress Technologies Inc., based in Oldsmar, Fla., said "this is wireless security 101. This
is stuff that has been covered in the popular press for the past two years."
Fortress officials sell a security product widely used by the Army and the Department of Veterans Affairs. Evans said contractors and federal agencies should use such a system to provide gold-plated security that is better than the Wired Equivalent Privacy (WEP) encryption used on NASA and Marine networks detected by FCW.
Officials at T-Mobile USA in Bellevue, Wash., which operates a nationwide network with more than 4,700 Wi-Fi hot spots, offer better security on their public-access networks than the General Dynamics guest network or the NASA and Marine networks detected by FCW, said Mark Bolger, the company's director of hot spot brand marketing.
Since October, T-Mobile has offered security based on the Institute of Electrical and Electronic Engineers Inc. 802.1x standard, which provides stronger authentication and encryption than WEP, Bolger said.
Rushing said any federal agency or defense contractor Wi-Fi network should have defense in depth, which includes the Advanced Encryption Standard, stronger authentication and constant monitoring of a campus or building to detect rogues.
Joe Lawless, department manager for global network systems design at United Parcel Service Inc. in Atlanta, said physical security is another important component of Wi-Fi security. UPS officials say the company operates the world's largest wireless network with about 7,000 access points at the company's offices, hubs and distribution centers.
Lawless said UPS security personnel are instructed to question suspicious individuals parked in or around the perimeter of UPS facilities, especially if they are aiming a three-foot antenna at the facility, similar to the methodology of the FCW reporting team during its assessment of Wi-Fi security in Washington.
Florence Olsen contributed to this article.
Watch out for wireless vulnerabilities
Security experts warn that wireless communications have certain vulnerabilities that need to be addressed. Among those threats:
Rogues: These are cheap ($100 or less) consumer-grade access points, most likely unauthorized, that have the potential of opening up an enterprise network to anyone within the range of the rogue access point. Users frustrated by lack of wireless access, easy installation and a continuing drop in the cost of access points make this a serious threat that will not go away.
Bug lights: The Wi-Fi utility in Microsoft Corp. Windows XP constantly searches for access points like moths headed toward a flame. This utility makes it easy for a hacker to set up an access point that XP clients will use. If that client is connected to a wired network, it will serve as a bridge for intruders.
Automatic address assignment hacks: Many wireless local-area networks use the Dynamic Host Configuration Protocol to assign IP addresses. That means a hacker can obtain an IP address and a connection to the access point and the network behind it as easily as an authorized user.
Man-in-the-middle attacks: Hackers collect IP addresses from access points and client cards during an initial association process and then set up a fake access point that looks like the real one, diverting traffic to the hacker.
Denial-of-service attacks: Like a polite dinner guest waiting his turn, the Wi-Fi Media Access Control layer avoids transmission when it senses other radio frequency activity. Hackers can exploit that vulnerability by flooding an access point with traffic and setting up a high-power radio frequency generator that denies legitimate users access to the network until the denial-of-service attack ends.