By Matt Ward
December 07, 2006
They have quirky names, such as AirSnort, Aircrack, CoWPAtty and
THC-LEAPcracker. They are the implements of 21st century burglary.
Widely available online -- tutorials sometimes included -- these are a
few of the latest tools hackers are using to pilfer information from
supposedly secure wireless networks. Experts in the field agree it no
longer takes much interest in computers, or much skill, to penetrate all
manner of networks, from the typical user's home connection to those
used by small businesses and local governments. Whole communities exist
online for the purpose of sharing tips and techniques for breaking into
wireless networks -- www.churchofwifi.org, www.netstumbler.com and
www.kismet wireless.net to name a few.
Many wireless users are already familiar with the ease with which they
can tap into someone else's network connection simply by being at the
right spot at the right time. Similarly, it is easy for hackers to
target those openings. The same technology allows coffee shops and
bookstores to offer WiFi hotspots.
Computer manufacturers counter with a wide variety of security products.
However, as one expert pointed out at the Global Gaming Expo last month,
there is disagreement even among IT professionals over whether any of
the standard security protocols go far enough.
"It's not like the incompatibilities are running rampant. But there are
incompatibilities that are rather serious," said Joe Tomasone, a senior
network-security engineer with Florida-based Fortress Technologies.
Fortress builds military-grade secured networks for the Department of
Tomasone says many hackers access a wireless user's computer by sitting
out in the parking lot of a business or the street near a home.
Employing tools available online, it usually takes as little as 10
minutes to start collecting sensitive data or to start downloading
illicit material using an innocent person's IP address. Some hackers
even build their own antennas, hoping to tap into larger streams of
wireless networks, some as far as 100 miles away.
With wireless gambling coming into play in Nevada, issues surrounding
network security could become much more acute. "Wireless is a very
promiscuous technology. It's designed to talk to anything," Tomasone
said. "Convenience and security usually have an inverse relationship."
Casino operators and gaming regulators, he explained, will need to pay
close attention to security issues surrounding wireless gaming devices.
If securing such products isn't constantly monitored, he said, casinos
may see network penetrations that wreak havoc on their system: theft of
customers' personal information, compromised casino-security procedures,
manipulation of the gaming devices themselves ... all done remotely and,
most likely, without a trace.
"Mobile devices are transient and hard to track. That's why networks are
easily breached," Tomasone said.
Users can't count on state and federal officials to protect them from
Internet crimes like identity theft and corporate espionage, because
most law enforcement computer-crime units are focused on catching sexual
predators. Gerald Gardner, chief deputy of the Nevada Attorney General's
Las Vegas office, says the problem of computer crime is so large that
many agencies don't have the resources to do much about it.
"It's extremely hard to track those people down. We've done a handful of
prosecutions," he said. "It's exceedingly hard to get our arms around
IDENTITY THEFT GROWING
IN LAS VEGAS ALONE, MORE THAN 2,400 REPORTS OF IDENTITY THEFT WERE MADE
TO METRO LAST YEAR. THIS YEAR, THE NUMBER WAS OVER 2,500 BY MID-OCTOBER.
THOSE NUMBERS DO NOT INCLUDE CREDIT CARD FRAUD. POLICE DON'T BREAK THIS
CATEGORY DOWN FURTHER TO DETAIL WHICH THEFTS ARE COMPUTER-RELATED AND
MANY VICTIMS PROBABLY AREN'T AWARE HOW THEIR IDENTITIES WERE STOLEN IN
THE FIRST PLACE.
"People are conducting more and more personal business online," said
Gardner, who also serves as chief counsel to the state's Technological
Crime Advisory Board. "It's frightening. We can't even get a search
warrant for a computer unless we know its location."
The issue will never be solved by police, Gardner said, and can only be
mitigated by financial institutions, Internet service providers and
software manufacturers. The problem with leaving security up to software
manufacturers is that everything is standardized, created to work with
as many different vendors as possible, which often allows weaknesses to
slip into finished products.
"Instead of choosing something that works the best, they choose
something that works for everybody," Tomasone said, referring to the
Institute of Electrical and Electronics Engineers.
Tomasone says the worst thing consumers can do is depend on their local
computer-store clerk for advice on securing their wireless networks. He
suggests homeowners secure them by installing a WPA protocol, creating a
complicated password and unplugging the access point when the computer
isn't in use. This will also work for small businesses. Above that, he
said, the security should match the threat level a hacker could pose.
"Security is a gray area. What is secure? Saying my house is
burglary-proof is a pretty strong statement." Tomasone said. "Do I want
to be secure from someone using my Internet connection, the casual
hacker or (from) someone committing corporate espionage?"
Copyright 2006, Las Vegas Business Press
Subscribe to InfoSec News