Mobilizing security

Growth of wireless applications drives need for greater protection

More and more federal agencies are cutting the wires that tether people to desktop PCs. Thanks to wireless networking, laptop users can now roam the office without losing their connection to the local-area network. Outside the office, workers can use wireless phones and handheld devices to tap into the Internet.

But along with the convenience and flexibility of wireless networking come concerns about security. Addressing those concerns requires an end-to-end approach that takes into account the security of the portable device, the wireless transmission of data and the handling of data back at the office.

In the government, security issues are governed by an edict that requires certain agencies and departments using wireless solutions to plug their security holes by 2002.

The criteria for evaluating security for information deemed sensitive but unclassified are specified in Federal Information Processing Standard Publication 140-1 from the National Institute of Standards and Technology. Many vendors are rushing to obtain FIPS 140-1 certification for their products so they can bid on government contracts.

The security of wireless LANs, which use internal gateways or access points, is generally considered easier to control than the security of wireless handheld devices, which rely on the services of an outside telecommunications company.

On the other hand, the limited functionality of most wireless devices today makes them less vulnerable to security breaches by malicious hackers, said Chris Klaus, founder and chief technology officer at Internet Security Systems Inc. He likens those devices to "old DOS PCs, which were very secure because they had no services running." Later, the Microsoft Corp. Windows operating system added services to PCs that provided openings for hackers, he said.

Others see similarities in the security of wireless LANs and the networks handheld devices use. Access control is "the foundation of security for both technologies," said John Muir, president of the North American division of Pointsec Mobile Technologies Inc.

Most attempts to address wireless security focus on data while it is in transit between sender and receiver. At Pointsec, "we deal with data the other 98 percent of the time, when it is resting on the mobile device," Muir said.

"The problem is that the portable client device may reside outside the firewall perimeter," he said. "Organizations are concerned about the privacy of the data stored on the device and the access that a device may provide to internal systems."

Several agencies, including the departments of Defense and Justice, are evaluating or deploying Pointsec technology, Muir said.

The company's technology is designed to prevent a portable device from being used by anyone other than the authorized user. It uses password-based access control and encrypts data in the portable device with "hard" (128-bit or greater) encryption algorithms, Muir said. Pointsec offers access-control software for both wireless LAN-enabled notebooks and handheld devices, but hard encryption is currently available only for notebooks, which have fewer processing limitations.

The Office of Naval Research recently selected Pointsec 4.0 to secure mission-critical data on laptop and desktop computers used by dispersed ground forces who connect wirelessly to joint forces ashore and at sea. Officials are using the technology as part of their Extending the Littoral Battlespace Advanced Concept Technology Demonstration.

"An important part of the approval process at the Navy was the user-friendliness of the solution," Muir said. "Our encryption occurs on the fly, so users don't even know it is there. That was very important to the Navy."

Navy officials are also interested in how Pointsec technology can make the access controls on Palm Inc. devices as easy to use as possible. Pointsec's PicturePIN uses a series of symbol displays that must be tapped in the right order for access to be granted.

"Essentially, the user remembers his password by making up a story: 'A man walked on a beach carrying a newspaper,'" Muir said. The user "taps the symbol of a man, a beach ball and a newspaper in the proper order. The order of the symbols is scrambled with each log-in to prevent 'over the shoulder' hacking. Without the story, the symbols are meaningless."

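The scrambled-symbol log-in Muir describes can be sketched as follows. This is an added illustration, not Pointsec's PicturePIN code; the symbol set, the function names and the salted-hash storage are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed symbol set for illustration; the real product's symbols are not on the page.
SYMBOLS = ["man", "beach ball", "newspaper", "dog", "car",
           "tree", "house", "boat", "sun"]

def enroll(story, iterations=200_000):
    """Store a salted PBKDF2 hash of the symbol sequence, never the sequence itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", "|".join(story).encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}

def new_layout():
    """Return a freshly scrambled screen for one log-in: layout[position] -> symbol."""
    layout = SYMBOLS[:]
    secrets.SystemRandom().shuffle(layout)
    return layout

def taps_for(story, layout):
    """Screen positions a user who knows the story would tap on this layout."""
    return [layout.index(symbol) for symbol in story]

def verify(record, layout, taps):
    """Translate tapped positions to symbols using this log-in's layout, then compare."""
    if any(not 0 <= t < len(layout) for t in taps):
        return False
    entered = "|".join(layout[t] for t in taps)
    digest = hashlib.pbkdf2_hmac("sha256", entered.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])  # constant-time comparison

def keyspace(story_length):
    """Number of possible stories of a given length (symbols may repeat)."""
    return len(SYMBOLS) ** story_length

if __name__ == "__main__":
    story = ["man", "beach ball", "newspaper"]
    record = enroll(story)
    first, second = SYMBOLS[:], SYMBOLS[::-1]      # two fixed layouts for the demo
    observed = taps_for(story, first)              # what an onlooker would see tapped
    print("log-in on first layout:", verify(record, first, observed))
    print("same finger positions on second layout:", verify(record, second, observed))
    print("possible 3-symbol stories:", keyspace(3))
```

Because the secret is the symbol order rather than the finger positions, positions observed at one log-in fail against the next layout. With nine symbols and a three-symbol story there are only 729 possible sequences, so a scheme like this depends on limiting failed attempts.
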
To George Brostoff, president of Ensure Technologies Inc., the problem with most access-control schemes is the lack of attentiveness by users after they've logged in. Users of wireless laptops are often oblivious to the threat posed by leaving a connected computer unattended—especially inside the office.

"Study after study has shown that the biggest security threat is from people inside the organization, not outside," Brostoff said.

With Ensure's XyLoc, a small radio "lock" device is attached to a laptop and the authorized user is issued a key card or key fob. When the user approaches the laptop, the card or fob communicates with the device, which grants access to the computer after authenticating the user's identity. If the user steps away from the computer, access is automatically denied. The user "doesn't have to log in each time he wants to use the wireless device," Brostoff said. A version of XyLoc for handheld devices is in the works.

Securing access, of course, is only one part of the security puzzle. In February, a study conducted at the University of California, Berkeley, confirmed what Jim Gemmel, senior signals analyst for systems integrator CACI International Inc., and others have been saying about wireless security for more than a year: Data traffic is susceptible to interception and eavesdropping.

"The wireless modems used with [personal digital assistants] and other mobile devices operate in the 2.46 GHz range and provide absolutely no security," Gemmel said. "Wireless LANs using the 802.11b Ethernet standard offer Wired Equivalent Privacy amounting to a 40-bit encryption scheme. Not only is the encryption level vulnerable, the encryption key is sent with each frame, so by examining each packet, a hacker can reconstruct the encryption key and decrypt the traffic. That's what they did at UC Berkeley."

And encryption can only work if it is enabled on the wireless system itself, which is often not the case, according to Klaus. He said that because wireless LAN devices are inexpensive—with base stations costing less than $800 and wireless notebook PC Cards costing less than $125—many organizations are deploying the technology without consulting security experts.

In many cases, Klaus said, users don't change the default administrative passwords on their wireless LAN access points, providing ready access to an organization's LANs by "drive-by hackers."

"We have literally driven through the business districts of many major cities with a laptop and wireless PC Card and gotten access to many LANs belonging to businesses occupying offices in the buildings on either side of the street," Klaus said.

Although he is dubious about the efficacy of a drive-by approach given the limited signaling distances of most wireless LAN transceivers, Robert Manchise, chief scientist for integrator Anteon Corp., agrees that users can compromise their networks by deploying wireless technology on their own. "Most users simply aren't thinking about the security ramifications, and integrators often have little input," he said.

Improving wireless security will require the efforts of vendors, customers and integrators, Manchise and others say. Vendors must make their products more secure out of the box. Customers need to be more aware of security issues. And integrators need to become involved in designing networks with security technologies to protect against wireless intruders.

Mobile-device manufacturers are beginning to make their products more secure. John Inkley, manager of federal sales at Palm, said that although "we don't ship the product with a security or encryption technology, custom key encryption solutions are available from our partners." He said those technologies "are adequate for most of our government clients. In classified data environments, no one uses the public airwaves to transmit data."

Wireless LAN vendors such as 3Com Corp. are beginning to make security "a mantra," according to John Temple, territory manager for civilian and federal sales with 3Com's offices in Tysons Corner, Va. He said 3Com's list of wireless "wins" in government has been growing and includes Justice's Executive Office for Immigration Review, the U.S. Probationary Courts in Chicago and the Senate. 3Com's access-point product requires the user to change the administrative password as one of the first steps, eliminating a common hacking problem. The products are also designed to be deployed within the secure environment of 3Com's wired network technologies, Temple said.

In many ways, wireless security is similar to wired Ethernet security, Klaus said. "Ethernet itself is not very secure. You need to take measures to lock it down. Wireless merely increases the problem. Since traffic is broadcast through the air, you don't need to hijack a connection.

"Companies are going to need to build security into their wired networks and applications to cope with wireless. And they are going to need intrusion-detection capabilities to look for bad activity on an ongoing basis."

Toigo is an independent consultant and author specializing in business automation issues. He can be reached via his Web site at www.toigoproductions.com.
