Finding your weakest link

Although concrete barricades block physical access to many roads and buildings throughout the Washington, D.C., region, a Federal Computer Week team discovered that information and systems at many defense and civilian agencies are left exposed through wireless networks.

Despite all of the attention focused on cybersecurity, agencies still have vulnerabilities, either because data on the wireless links is unencrypted or because wireless access points are broadcasting signals that hackers could use to attack the network.

But that may not be the worst of it. Agency officials may find that the weakest link is government contractors, which are involved in many of their programs. FCW found significant vulnerabilities among systems integrators, such as Computer Sciences Corp., which has multimillion-dollar contracts with the National Security Agency and the Internal Revenue Service.

A survey of wireless security in the Washington area Oct. 19 found that Wi-Fi networks at several federal agencies and defense contractors did not meet the security policies issued by Defense Department officials last April or guidelines issued by National Institute of Standards and Technology officials in November 2002.

At CSC's federal division's campus in Falls Church, Va., FCW reporters discovered five rogue, or unauthorized, wireless access points.

During the tour, the reporters detected a wireless bridge at the headquarters of the Defense Information Systems Agency on Courthouse Road in Arlington, Va., which was transmitting megabytes of traffic.

Open to trouble

These vulnerabilities could potentially allow somebody to bring down the organization's network. A wireless security consultant who helped FCW with its wireless survey, on the condition of anonymity, said he could have launched a denial-of-service attack against these access point bridges, which operate in the easily detectable 2.4 Ghz band. He could have knocked them out in less than a minute.

The DOD wireless directive states "measures shall be taken to mitigate denial-of-service attacks," and a DISA spokesperson said the agency complies with that policy. The spokesperson said the Wi-Fi network detected by FCW at Courthouse Road was part of a routine test to evaluate new wireless technologies.

The Pentagon has a Wi-Fi network operating in a private Internet domain, which FCW was able to detect from a range of more than 1,000 yards from highways on three sides of the building. This network constantly recycled packets of data. Officials at the Army's Washington Headquarters Service, which manages the Pentagon, did not return calls from FCW for comment.

Agency officials have at least some control of internal wireless access points. Security at contractors' facilities may be more difficult to manage.

In July, for example, CSC won a multibillion dollar outsourcing contract from NSA to upgrade the agency's computer infrastructure.

An NSA spokeswoman said the agency has mandatory Wi-Fi policies for contractors, including adherence to the April 2004 DOD wireless directive. That directive calls for active electromagnetic sensing for unauthorized wireless devices at DOD and contractor facilities.

Chris Steinbach, CSC's vice president of global security, said company officials conducted a sweep for rogue access points Aug. 27 but did not launch another until the week of Oct. 25 after being contacted by FCW reporters.

Wireless networks often can be detected because many access points have a built-in beacon function. That function broadcasts a signal known as a Service Set Identifier (SSID) to make it easier for wireless devices to find the link. However, it is also a beacon for hackers looking for an entry point into an organization's network. As part of their guidelines, NIST officials suggest agencies turn off the built-in function.

Even with the broadcast function turned off, SSIDs are transmitted in other frames of the Wi-Fi signal, which can be detected by sniffing software. NIST officials recommend agency officials use an SSID that does not reveal information about the agency, such as name, division or department. FCW detected hundreds of default SSIDs and easily associated beacon signals during the Wi-Fi survey.

These included GDWAP1 from an unencrypted access point at the headquarters of General Dynamics Corp. in Falls Church, NASA: Official Use Only from an access point at NASA headquarters on Independence Avenue in Washington and CMC from an access point located at the house of the Commandant of the Marine Corps at 8th and I streets in Washington.

Trouble on the cheap

Vendors and analysts said the FCW survey illustrates security problems federal agencies and contractors need to face with the rise of Wi-Fi technology during the past four years.

Sheung Li, product line manager for Atheros Communications Inc., a Wi-Fi chip manufacturer, estimates there are 50 million active Wi-Fi devices nationwide. Abner Germanow, an analyst with International Data Corp., a research firm based in Framingham, Mass., said worldwide shipments of Wi-Fi devices could hit 19.2 million units in 2004, up from 11.3 million units in 2003.

Wi-Fi's market growth has led to a steep drop in prices for access points, with consumer access points from companies such as the Linksys division of Cisco selling for $40 through Internet retailers. Linksys access points feature plug-and-play capabilities, taking less than a minute to set up.

The combination of low cost and easy installation facilitates rogue access points, which is a serious concern for agency and defense contractor officials, said Richard Rushing, chief security officer of AirDefense Inc., a Wi-Fi security company based in Alpharetta, Ga., that sells stand-alone and networked Wi-Fi sensing systems.

Rogue access points have the potential to open enterprise networks to sniffing by potentially malicious adversaries and contractors. Federal agencies need to have an active program to detect and prevent rogue access points.

Steinbach said CSC officials have a policy barring installation of unauthorized access points, and they could fire any employee who installs one. Steinbach said the rogues discovered by FCW have been disconnected and emphasized that any intruder attempting to use them to penetrate CSC networks would have been stopped by firewalls on the company's wired networks. "We have multiple layers of security," Steinbach said.

He added that CSC has contracted with AirDefense to provide systems with around-the-clock monitoring capabilities immediately.

General Dynamics spokesman Kendall Pease said in a statement the GDWAP1 access points FCW discovered are part of a guest network used to provide Internet access for visitors to the company's headquarters. These visitors, including General Dynamics officials, other contractors and government customers, are warned that the Wi-Fi network is unsecure, and they are responsible for maintaining the security of their communications and compliance with policies of their home networks.

Pease's statement did not address the potential security problems posed by transmitting unencrypted data via a Wi-Fi network with an easily identified SSID, but vendors and analysts expressed surprise that contractors and federal agencies would entrust traffic on unencrypted networks with easily associated SSIDs.

NASA and Marine Corps officials did not return phone calls for comment about the networks FCW detected.

Ken Evans, vice president of product management for Fortress Technologies Inc., based in Oldsmar, Fla., said "this is wireless security 101. This

is stuff that has been covered in the popular press for the past two years."

Fortress officials sell a security product widely used by the Army and the Department of Veterans Affairs. Evans said contractors and federal agencies should use such a system to provide gold-plated security that is better than the Wired Equivalent Privacy (WEP) encryption used on NASA and Marine networks detected by FCW.

Officials at T-Mobile USA in Bellevue, Wash., which operates a nationwide network with more than 4,700 Wi-Fi hot spots, offer better security on their public-access networks than the General Dynamics guest network or the NASA and Marine networks detected by FCW, said Mark Bolger, the company's director of hot spot brand marketing.

Since October, T-Mobile has offered security based on the Institute of Electrical and Electronic Engineers Inc. 802.1x standard, which provides stronger authentication and encryption than WEP, Bolger said.

Rushing said any federal agency or defense contractor Wi-Fi network should have defense in depth, which includes the Advanced Encryption Standard, stronger authentication and constant monitoring of a campus or building to detect rogues.

Joe Lawless, department manager for global network systems design at United Parcel Service Inc. in Atlanta, said physical security is another important component of Wi-Fi security. UPS officials say the company operates the world's largest wireless network with about 7,000 access points at the company's offices, hubs and distribution centers.

Lawless said UPS security personnel are instructed to question suspicious individuals parked in or around the perimeter of UPS facilities, especially if they are aiming a three-foot antenna at the facility, similar to the methodology of the FCW reporting team during its assessment of Wi-Fi security in Washington.

Florence Olsen contributed to this article.

***

Watch out for wireless vulnerabilities

Security experts warn that wireless communications have certain vulnerabilities that need to be addressed. Among those threats:

Rogues: These are cheap ($100 or less) consumer-grade access points, most likely unauthorized, that have the potential of opening up an enterprise network to anyone within the range of the rogue access point. Users frustrated by lack of wireless access, easy installation and a continuing drop in the cost of access points make this a serious threat that will not go away.

Bug lights: The Wi-Fi utility in Microsoft Corp. Windows XP constantly searches for access points like moths headed toward a flame. This utility makes it easy for a hacker to set up an access point that XP clients will use. If that client is connected to a wired network, it will serve as a bridge for intruders.

Automatic address assignment hacks: Many wireless local-area networks use the Dynamic Host Configuration Protocol to assign IP addresses. That means a hacker can obtain an IP address and a connection to the access point and the network behind it as easily as an authorized user.

Man-in-the-middle attacks: Hackers collect IP addresses from access points and client cards during an initial association process and then set up a fake access point that looks like the real one, diverting traffic to the hacker.

Denial-of-service attacks: Like a polite dinner guest waiting his turn, the Wi-Fi Media Access Control layer avoids transmission when it senses other radio frequency activity. Hackers can exploit that vulnerability by flooding an access point with traffic and setting up a high-power radio frequency generator that denies legitimate users access to the network until the denial-of-service attack ends.

NEXT STORY: Postal Service prized for privacy

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.