A Broad Overview
Joseph Kashi, MS, JD
Data Security
Mobile Devices
Notebook computers flash drives Wireless networks Bluetooth phones, networks, printers GSM cell phones PDAs and BlackBerry
Includes identity theft, losses from which topped $48 billion loss in 2008 despite federal statutes
Can be more damaging because usually not known ever or for many months in case of breach of confidentiality, identity theft or credit damage
Data loss can be devastating Gulf War plans were a classic example Physical loss affects not only data but entire network security Upside You know its compromised and can react accordingly
Wireless will be the basic network standard in 7 or 8 years Avoid if possible for next 18-24 months certainly no confidential data
For ease of set up, most wireless devices ships with all security turned off as basic default Most users never enable any security Security never complete at best slows down and deters intruders
Hidden Dangers
Windows XP default is to bridge between mobile Wi-Fi device and any other connected network interface, possibly exposing your entire network
Change your router setup password to something other than the published default Change your SSID to a nonobvious and unpublished name
Most small networks use basic MS file and printer sharing protocols these are totally insecure Default is no password and standard network name
Choose a non-obvious workgroup name Avoid Microsoft defaults such as MSHOME Dont settle for the first working network configuration which by default has no security, to aid lay setup
Router Setup
Access and configure your Wi-Fi router with a direct Ethernet cable connection
Router Setup
Enable security - some studies found more than 2/3 of all Wi-Fi networks made no changes at all to totally insecure defaults Your aim is to close, at least partially, and otherwise totally open door
Set up a DMZ using a second firewall to protect the internal hard-wired LAN
Place all Wi-Fi and Internet connections outside the hard-wired networks firewall
Locate the Wi-Fi router to minimize leakage of signal outside office
Router Setup
Dont advertise disable the wireless SSID broadcast known as beaconing Do this only after you have completely setup all computers that are to connection to your Wi-Fi network
Enable Security
There are several possibilities default is no security WEP, a Weak encryption with many basic vulnerabilities WPA needs same upgraded hardware
WEP Encryption
Lowest common denominator, but with serious systemic weakness Keys easily vulnerable to cracking regardless of key length
Every Ethernet device has an unique identifier known as a MAC MAC filtering lists allowed or blocked Ethernet devices not much help if WEP Easily fooled - done by most routers, firewalls and hacker freeware
Access Restrictions
Newer routers also act as network hubs and allow security policies that can limit undesired types and times of network usage Some benefit but require some knowledge to set up
WPA Encryption
More secure but less open interim follow on to WEP keys are automatically and securely rotated
Requires new WPA capable hardware, all of which should be the same brand and model, with upgraded firmware
Hardware Firewall
Adds some protection against hacking through the wired Internet connection Generally useful and unobtrusive unless using VPN tunnel or other means of remote access Use XP and 802.1X
Check for possibly conflicting access points and peer to peer networks these may be an unguarded backdoor.
Enable at least WEP Search for rogue LANs with notebook
If possible, reduce router transmission power to minimum that works Install network traffic transmission monitoring hardware/software Upgrade older Wi-Fi hardware the network runs at the lowest common denominator
New industry standard not fully gelled Requires total Wi-Fi network rebuild with new 802.11i hardware throughout entire network
More powerful handsets with stronger encryption New versions of WAPI that fix obvious security holes (www.wapiforum.org)
UL-style security ratings for wireless and Internet security products and services (www.ICSA.net)
These offer some additional security, particularly with private tunneling software protocols for wireless users
Look for good performance and lower future costs as DSL networks become more common
DSL networks a new approach that could extend to wireless
Until Then
Treat wireless devices like a cell phone Wireless known to be possibly insecure Most confidential data, such as litigation strategy, should not be sent wireless
Call back vs.. direct dial in Intrusion detection software: Black Ice Set security configuration and user rights carefully Change security passwords regularly
Instant messaging = insecure Internet itself is definitely more secure than wireless due to packet routing PGP encryption - easy but not fool-proof Encrypt passwords and logins, use an authentication server w/ digital signature
Dynamic Vs. Static IP networks - low cost option for DSL users Firewalls- Linksys Ethernet switch, DSL router and hardware firewall.
DSL and other inexpensive broadband network routers include hardware firewalls that can block incoming calls
Commercial personal software firewall such as McAfee Firewall seems very effective
Avoid downloading and using highly interactive programs from untrusted sources. Some programs send data surreptitiously or are insecure, e.g. ICQ
For ease of set up, most wireless devices ships with all security turned off as basic default
Most users never enable any security Security never complete at best slows down and deters intruders
Mobile computers often set to ad hoc network wireless mode, which can connect with any nearby computer
Wi-Fi Is Insecure
Many cracking programs available free War-driving and War-chalking Default installations are totally insecure
The most primitive portable device - cells are insecure. GSM security model cracked as early as 1998. Loaning a phone or GSM card for even a few minutes can compromise your security
PDAs
PDAs that depend upon Wi-Fi access have the same security problems as notebook computers BlackBerry is a proprietary format that can be made substantially more secure You need to fix a PDAs basic Wi-Fi and Bluetooth security holes
Wi-Fi and/or Bluetooth typically installed in notebook computers hundreds of millions sold each year Usually enabled by default even when not used A major but non-obvious security hole I physically turn off power to my wireless devices
Theoretically, Bluetooth is not a bad security model but security is unfortunately optional
Bluetooth Today
Bluetooth sets initially were very low power and hard to intercept Newer models have more power and can be intercepted to 100 meters or more
IEEE has recently published on Web a variety of papers describing proven methods of easily cracking Bluetooth transmissions even industry group admits security holes Programs like Blue Stumbler and SNARF attack are available on the web
Windows servers often configure to connect to all Bluetooth devices in range a major security breach Former employees can take connection data
Phone cards or unsecured headsets may be borrowed and company connection data and security compromised Windows registry retains all connection data for all devices ever used
Bluetooth Networks
Piconets sometimes set up automatically that can allow anyone in range to see your files Discloses your embedded link security information Worse if you also have other simultaneous network access
Never use unit authentication keys Always use combination authentication keys with manual PIN input
Use a longer PIN minimal 4 digit PIN easily cracked by brute force challenges
Auto PIN number generation is insecure and allows device impersonation Never establish device pairing or first meeting in a public or other non-secure environment Eavesdropping feasible link data disclosed to third parties
Always enable security mode on all devices You are only as secure as the weakest link that may transmit connection information Mode 3 security should be used if possible
Bluetooth headsets should use broadband mode and then turn off pairing mode Use access policies
Turn off computers and PDAs when not in use disable all unused wireless devices including Bluetooth, Wi-Fi, IR
Keep Windows security patches
12 Steps - Part 2
Turn off network bridging between wireless and hard wired networks Use a hard-wired network with a hardware firewall when not mobile Enable all possible 802.11 security
12 Steps Part 3
Always turn off network file and printer sharing when mobile
pairings and trusted relationships in a non-secure area authenticate in private and then turn off pairing mode
12 Steps Part 4
Avoid ad hoc network modes Use WPA and 802.1X if possible with your Wi-Fi hardware
And Number 12
Remember that all mobile and wireless devices, including Wi-Fi and Bluetooth, are always potentially insecure.
ACT ACCORDINGLY