Wi-Fi Network Security : Watch Your Hot Spots

VoicenData Bureau
News that came in soon after the terrorist attacks in Ahmedabad and Delhi revealed that terrorists used unsecured Wi-Fi (Wireless Fidelity) networks to send emails containing terror messages. The story is alarming to home wireless network users as well as corporates.

A group of Indian Mujahideen (IM) lieutenants from Pune accessed unsecured Wi-Fi networks in the city to send threat emails. Interestingly, the trio made several trips to Mumbai to see how much easier it was to access unsecured Wi-Fi networks using their laptops. An American national, Kenneth Haywood, became a victim of the trio's hunt for an unsecured Wi-Fi network, and on July 26, the day the blasts took place in Ahmedabad, they sent terror emails to media organizations from his network. It's a cause of concern for organizations that leave their Internet connections open, and for the security departments in the government.

Threat Level Orange



Though the public might not be aware of the exact level of the threat, it can be considered as high or orange level, if not severe or red, which is the highest level in the US Defense Department's parlance. At a conference on Wi-Fi Security organized in Mumbai, Sunder Krishnan, and the Brand Ambassador of the ISACA Mumbai chapter, summed up the future threat as: "The future threat is glaring and corporate India could ill afford to be prepared the way it is. A vulnerable access point hardly lasts for an hour, if not the average of few minutes that it lasts." So, bringing the threat level to green, the lowest level, is the immediate concern.

On the one hand, terrorists and hackers are working overnight, becoming smarter. On the other, corporates are not adequately prepared in terms of people, processes, and technology. This is because about 20% of the people are not aware of the implications of unsecured networks and only 81% of people are aware of the threat perceptions. A study conducted by ISACA reveals that many enterprises are still not adequately prepared for disasters. Even in this 81% category, about 60% of people do not have basic policies, processes, and practices to secure networks. It's really alarming.

"Most networks are 'open' which means that anyone within 100 feet can get connected and start using the network. No permissions, no passwords, no special tools are required. This is how one gets access to the so-called 'hot spots' which are meant for anonymous use. Do not let your wireless network become such a hot spot," says Avinash Kadam, director, MIEL e-Security and ex-vice president, ISACA International.

Terrorists utilize certain lacunae in wireless network security to get access to the network. Insecure configuration of access points/base stations, use of vendor default user profiles and passwords, use of weak or default authentication mechanisms which are published over the Internet, and clear-text data communication between the end device and access point are some of the lacunae. Sharing of cryptographic keys (WEP keys) when data encryption is employed, and lack of knowledge among end-users and, at times, even among network administrators are also exploited by anti-social elements for unauthorized access. What technical and legal options are available to us to secure our Wi-Fi networks?

Sticking to Basics



The accessibility of Wi-Fi networks outside physical boundaries is the root cause of this kind of open access to networks by terrorists. WEP is a shared-key-based authentication/encryption mechanism for Wi-Fi. Industry experts say that this encryption/authentication mechanism is weak by nature and can easily be cracked. Later versions of 802.11 have come up with somewhat more sophisticated security encryption algorithms; however, they too can be hacked. Vikas Desai, Enterprise Solution Architect, RSA Security, says, "WEP is susceptible to Brute Force Attacks, so for corporate environments it would make sense to use a strong form of two factor authentication from RSA. The two-factor authentication will also protect the network even when there is no form of security."

Since a WEP key can be easily cracked, it is recommended to use WPA or WPA 2 (Wi-Fi Protected Access). This also requires you to set a key on the access point, and the same key needs to be provided when you access the wireless network through your computer. WPA uses much stronger cryptographic techniques and as such is not possible to break.

Basically, there are various international standards that put emphasis on implementing administrative, technical and physical security measures that need to be followed for a secured network. Administrative controls include a wireless security policy and monitoring of the radio spectrum for the existence of rogue access points. Technical controls encompass access control (802.1X port-based access control), end-device and/or user authentication (username/passwords, one-time passwords (OTP), smart cards, digital certificates), and communication security (for both user data and control traffic) using cryptographic mechanisms to ensure data confidentiality and integrity. Use of Intrusion Detection and Prevention Systems (IDPS) to monitor malicious traffic and attack patterns is another technical control. Physical security measures involve controlled access to access points and base stations using biometrics, etc.
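The rogue access point monitoring mentioned among the administrative controls can be sketched as follows. This is an added example, not code from the article or from any product it names; the inventory, the survey entries and the signal cut-off are constructed assumptions.

```python
# Added example: triage a wireless survey against the authorised-AP inventory.
# Every BSSID, SSID and signal value below is constructed sample data.

INVENTORY = {  # BSSID -> (SSID, security) as recorded by the network team
    "00:11:22:33:44:01": ("corp-wifi", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("corp-wifi", "WPA2-Enterprise"),
}
ON_PREMISES_DBM = -60  # assumed cut-off: a stronger signal is probably on site

SURVEY = [  # (BSSID, SSID, security, signal in dBm) from a hypothetical scan
    ("00:11:22:33:44:01", "corp-wifi", "WPA2-Enterprise", -48),
    ("00:11:22:33:44:02", "corp-wifi", "WEP", -52),
    ("DE:AD:BE:EF:00:10", "corp-wifi", "Open", -55),
    ("de:ad:be:ef:00:20", "linksys", "Open", -50),
    ("de:ad:be:ef:00:30", "neighbour-net", "WPA2-Personal", -85),
]


def classify(entry, inventory=INVENTORY, threshold=ON_PREMISES_DBM):
    """Return a triage label for one survey entry."""
    bssid, ssid, security, signal = entry
    known = inventory.get(bssid.lower())
    if known is not None:
        # A matching BSSID is not proof of identity (MAC addresses can be
        # spoofed), so the advertised SSID and security must match as well.
        return "authorised" if known == (ssid, security) else "config-drift"
    if ssid in {s for s, _ in inventory.values()}:
        return "impersonating-ssid"  # unknown radio advertising our network name
    if signal >= threshold:
        return "rogue-suspect"       # unknown AP, strong enough to be on site
    return "external"                # weak, unrelated neighbouring network


def findings(survey, inventory=INVENTORY):
    """List (bssid, label) for every entry that needs follow-up."""
    report = []
    for entry in survey:
        label = classify(entry, inventory)
        if label not in ("authorised", "external"):
            report.append((entry[0].lower(), label))
    return report


if __name__ == "__main__":
    for bssid, label in findings(SURVEY):
        print(f"{bssid}  {label}")
```
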

Sudarshan Rajagopal, principal consultant, security governance, risk & compliance, Wipro Infotech, emphasizes a comprehensive approach to address this issue: "A defense-in-depth approach should be adopted to provide security over wireless networks popularly known as Wi-Fi. Various standards and alliances have been developed to meet this objective. Toward this end, standards like IEEE 802.11i Robust Secure Network (RSN) standard also known as the Wireless Protected Access (WPA) alliance and the 802.16e standard for WiMAX have been developed." He further says, "Due to the inherent strength of the underlying protocols and abundance of security measures, an integrated WiMAX—Wi-Fi solution would be best suited to meet this objective."

Home Lock



Home users should also exercise caution and adopt some security measures for their Wi-Fi networks. They must ensure certain basics.

Turning Off SSID: Each Wi-Fi signal is identified by a unique identifier called the SSID (service set identifier), which is configured in the modem. SSID broadcast should be disabled on the access point and the default SSID should be changed. The broadcast is one way by which a wireless network announces its presence. If the SSID is not broadcast, others cannot find the network unless they themselves know the SSID and provide it to connect.

Strong Encryption: The strongest possible encryption (WPA 2 in many cases) should be used.

Strong Key: For the modem itself, the user should have a strong username and password combination. Also, the password used to access the configuration menu should be changed often. Most access points have a very simple, and sometimes default, password as given by the manufacturer. This password should be changed immediately. The user names and the password of the access point should be 16-25 characters long and made of non-guessable words, and the WAP should be configured with WPA2.

Turn Off Modem at Rest: Finally, when the Internet connection is not in use, the modem should be switched off to reduce the chances of getting hacked.

Restrict Physical Access: The physical access to the wireless access point should be guarded. Some access points have a reset switch, which resets the configuration and password to default settings. The home user must also try to ensure that the WAP is placed in such a way that the signals do not reach outside the physically guarded premises.

Restrict Signals: We can also configure a network to operate only in a particular radius. Giridhar Java, India head, Meru Networks, says that all signals going outside a particular periphery can be blocked. Another way is to throw junk to an outside receiver trying to connect. We can easily jam his or her Wi-Fi card, but that's not legally allowed in most parts of the world.

Security Key: Though wireless connectivity is for the purpose of anywhere, anytime Internet connectivity, there should be some restrictions on the access. Avinash Kadam, director, MIEL e-Security and ex VP, ISACA International, says, "Wireless networks are designed for ease of connectivity. Making them secure involves some loss of freedom. You have to set up the security key at various points and all the casual users have to first obtain the key before they are allowed to access the network."



Basic Tips to Secure Your Wi-Fi Network
  • Turn Off SSID: SSID Broadcast should be disabled on the access point and default SSID should be changed
  • Strong Encryption: Use strongest possible encryption (WPA 2 in many cases)
  • Strong Key: Use strong username and password for modem. Also change your password often
  • Turn Off Modem: when not in use to reduce the chances of getting hacked.
  • Restrict Physical Access: The physical access to the wireless access point should be guarded
  • WAP Position: Place WAP in such a way that the signals do not reach outside their physically guarded premises
  • Restrict Signals: Configure a network to operate only in a particular radius
  • Security Key: Setup the security key at various points so that all the casual users have to first obtain the key for network access
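The configuration items on this checklist can be verified mechanically. The following is an added example, not part of the original article: it assumes the access point is a Linux host running hostapd (a tool the article does not mention), both configurations are constructed samples, and the default-SSID list and the 16-character minimum (borrowed from the 16-25 character figure above) are assumptions.

```python
# Added example: audit a hostapd-style configuration against the checklist above.
# Both configurations are constructed samples, not taken from any real device.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "belkin", "default"}  # assumed list
MIN_KEY_LEN = 16  # assumption, borrowed from the article's 16-25 character figure

WEAK_CONF = """
# factory-style settings (constructed)
ssid=linksys
ignore_broadcast_ssid=0
wep_default_key=0
wep_key0=1234567890
"""

HARDENED_CONF = """
ssid=office-7f3a
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=quiet-harbor-lantern-42-maple
"""


def parse(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return the list of checklist violations found in a configuration."""
    conf = parse(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))  # hostapd bit field: 1 = WPA, 2 = WPA2
    if not wpa & 2:                  # WPA2 is not enabled
        if wpa & 1:
            findings.append("wpa1-only")
        elif any(key.startswith("wep_key") for key in conf):
            findings.append("wep")
        else:
            findings.append("open")
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default-ssid")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ssid-broadcast")
    if wpa and len(conf.get("wpa_passphrase", "")) < MIN_KEY_LEN:
        findings.append("short-passphrase")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```
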

Corporate Network



Manjula Sridhar, co-founder and CTO, Aujas Networks, says, "Many security preventive measures can be taken in two different contexts. The larger issue of who will implement and who owns responsibility for implementing these measures needs to be resolved by regulatory agencies." In the enterprise context, depending on the budget, one can either go for the security measures that home users should adopt or have policies and procedures for configuring, managing and maintaining the access. For corporate networks, a more robust authentication method could be set up, which requires an authentication server to be configured. All users will then first be authenticated and only then admitted to the wireless network.

One should also do MAC-based filtering to deter unknown computers from connecting to the network. By registering the wireless network card's hardware address (the MAC address) with the access point, one can restrict access to wireless networks. This requires first finding the MAC address of each computer and then entering it in the access point. Once this is done, only specific computers with specific network cards will be allowed to access the wireless network. The MAC address can be captured and spoofed, but this requires more experience. If cost is not an issue, sophisticated Wireless Intrusion Prevention devices should be installed.

What Needs to be Done
  • Follow basic security measures
  • Awareness campaign by ISPs, and bodies like ISACA, FICCI, etc
  • Frameworks and standards have to be formulated by government and corporates
  • Physical verification before registering email Ids should be made mandatory

Ban Hacking Tools?



Is it legally possible to ban websites promoting free hacking tool downloads like AirSnort, and websites providing hacking training? "Yes, it is legally possible to ban any website that promotes free hacking tools, but most such sites make them available either as vulnerability testing tool or purely for educational purpose," says Vikas Desai, enterprise solution architect, RSA Security.

But Manjula Sridhar says that it is not possible to ban them. "Many of these hacking tools have valid uses like testing one's products, administration, and other research needs. Moreover, due to its inherent nature, the Internet has no boundary, hence it is not possible to enforce such laws," she explains. "Even if you ban them, they will still be available through various means. It is better to demonstrate these tools and then show how you can protect yourself against them by following better security practices."

Stringent Punishment



Whether severe punishment under government policies on cyber crime can deter cyber criminals from hacking is another angle one can look at. Penalties and punishments have always proven to be effective. Kadam says, "Hacking is stealing. Unless the guilty is punished, the temptation to steal is not going to go away. We must have good cyber crime laws and well trained cyber crime police to enforce those laws."

Sridhar of Aujas Networks has a slightly different take on it: "It is like any other crime, just having severe penal codes in place will not stop cyber criminals. A multi-pronged approach of creating user awareness, ensuring people and enterprises take adequate care to protect themselves, and having stringent laws and enforcement will help reduce cyber crime."

Apart from bringing in more stringent laws, enforcement agencies should be educated to thoroughly know the government policies and procedures, to make the prosecution of cyber criminals easier.

Awareness Campaign



Security experts unanimously agreed that creating awareness is the key to resolving this issue. Internet service providers say that it is the customer who is to blame for this unwanted scenario. According to Rajesh Chharia, president of the Internet Service Providers Association of India, Internet service providers are taking steps on their own to secure Wi-Fi connections. All ISPs are installing AAA servers and firewalls. But when people take routers, make their homes and offices Wi-Fi-enabled, and then leave the network open, there is nothing ISPs can do about it.

Kadam says, "Emphasis should be placed on awareness, training, and education. It should be ensured that everyone is aware of the discipline required to maintain security. Training should be given to the technical people apart from educating the management about the significance of network security."

Corporate employees are also not aware of the security risks of some of their seemingly innocuous acts. For example, software or music downloaded from the Internet could have spyware embedded and could potentially leak confidential data. Awareness of the legal implications of such acts, along with stringent policy enforcement, would deter many insider crimes.

The key reason for a lot of enterprises not being secure is lack of awareness and basic precautions. There are enough security solutions, technologies, and processes available to most enterprises. But apathy and lack of awareness become the root cause of the problems.

Maha Initiative



Following the terror email episode, Maharashtra Police has joined hands with ISACA and FICCI to educate companies in the city and state and help them become Wi-Fi secure. As part of the initiative, ISACA has agreed to extend technical support to Maharashtra Police with its huge bandwidth of expertise and key tools in the IT security management area. ISACA will provide guidance and support to create awareness about the need for Wi-Fi security, give companies an insight into various internationally recognized and adopted tools and programs, provide adequate training to IT professionals through CISA, CISM and CGEIT certifications, and so on.

Kadam said at a Wi-Fi security conference in Mumbai, "In the present scenario when Net security has become vulnerable and terrorists are misusing Wi-Fi connections for wrong reasons, it is pertinent to educate our society to secure them. ISACA is helping lead the initiative to make corporate India Wi-Fi secure." Vijay Mukhi, chairman of FICCI-IT cell, says, "The initiatives can be expanded to a national level also as FICCI is a national body. If other states also approach us for the similar initiative to secure the Wi-Fi networks in their states, we will certainly take it to next level." In Maharashtra, the acute problem is low awareness of the technology.

ISACA will also work with the Police in other cities and states and with national bodies like FICCI and Nasscom. With its nine other chapters, it will proactively approach the state governments to sensitize them about the implications of unsecured networks through campaigns and other awareness programs.

National Level Initiatives



Realizing the high level of threat, concerned ministries and departments, including the Department of Telecommunications (DoT) and the Department of Information and Technology (DIT), are now mulling over imposing new rules and regulations to make it illegal to leave such wireless Internet connections open, as they are increasingly tapped for anti-social work. The government might make it mandatory that Wi-Fi networking companies restrict Wi-Fi signals within a defined radius by installing access points around the signal. The Telecom Regulatory Authority of India (TRAI) is studying defense mechanisms and measures adopted in other countries to draw lessons for Indian corporates and home users who use Wi-Fi connectivity.

Sunder Krishnan, and the Brand Ambassador of the ISACA Mumbai chapter comments, "Penalizing corporates and home users for having unsecured network or leaving it open will not work unless frameworks and level of encryption for each technology is standardized. But nothing concrete has come about the frameworks and standards." These departments are in the process of formulating guidelines/policies in consultation with technical and legal experts. So nothing else has come out from the government side.

TRAI and the DoT are consulting each other about asking the ISPs to launch awareness campaigns for their customers on security measures related to Wi-Fi.

Last, but certainly not the least, would physical verification, including proper identity proof, before issuing any email ID prevent cyber crimes and the sending of terror mails? Fake personal information during online registration is enough to sign up for as many email IDs as you want. This encourages anti-social elements to easily get many email IDs for unlawful activities. Though it is a humongous task, if physical verification is made mandatory, as is the case with mobile subscriptions, terror mails could be reduced to a great extent.

Mail server companies like Google clearly state in their terms and conditions before registration that "You agree that any registration information you give to Google will always be accurate, correct and up to date... Google may at any time, terminate its legal agreement with you (canceling the email service among others) if you have breached any provision of the terms." Other companies like Yahoo, Hotmail, Rediffmail, etc, also have similar terms and conditions, but they are all flouted.

Kannan K



kannan@cybermedia.co.in
