News that came in soon after the terrorist attacks in Ahmedabad and Delhi
revealed that terrorists used unsecured Wi-Fi (Wireless Fidelity) networks to
send emails containing terror messages. The story is alarming to home wireless
network users as well as corporates.
A group of Indian Mujahideen (IM) lieutenants from Pune accessed unsecured
Wi-Fi networks in the city to send threat emails. Interestingly, the trio made
several trips to Mumbai to see how much easier it was to access unsecured Wi-Fi
networks using their laptops. An American national, Kenneth Haywood, became a
victim of the trio's hunt for an unsecured Wi-Fi network, and on July 26, the day
the blasts took place in Ahmedabad, they sent terror emails to media
organizations from his network. It's a cause of concern for the organizations
that leave their Internet connections open, and for the security departments in
the government.
Threat Level Orange
Though the public might not be aware of the exact level of the threat, it
can be considered as high or orange level, if not severe or red, which is the
highest level in the US Defense Department's parlance. At a conference on Wi-Fi
Security organized in Mumbai, Sunder Krishnan, and the Brand Ambassador of the
ISACA Mumbai chapter, summed up the future threat as: "The future threat is
glaring and corporate India could ill afford to be prepared the way it is. A
vulnerable access point hardly lasts for an hour, if not the average of few
minutes that it lasts." So, bringing the threat level to green or lowest level
is the immediate concern.
On the one hand, terrorists and hackers are working overnight, becoming
smarter. And on the other, corporates are not adequately prepared in terms of
people, processes, and technology. This is because about 20% of the people are
not aware of the implications of unsecured networks and only 81% of people are
aware of the threat perceptions. A study conducted by ISACA reveals that many
enterprises are still not adequately prepared for disasters. Even in this 81%
category, about 60% of people do not have basic policies, processes, and practices
to secure networks. It's really alarming.
"Most networks are 'open' which means that anyone within 100 feet can get
connected and start using the network. No permissions, no passwords, no special
tools are required. This is how one gets access to the so-called 'hot spots'
which are meant for anonymous use. Do not let your wireless network become such
a hot spot," says Avinash Kadam, director, MIEL e-Security and ex-vice
president, ISACA International.
Terrorists utilize certain lacunae in wireless network security to get access
to the network. Insecure configuration of access points/base stations, use of
vendor default user profiles and passwords, use of weak or default
authentication mechanisms which are published over the Internet, and clear-text
data communication between the end device and access point are some of the
lacunae. Sharing of cryptographic keys (WEP keys) when data encryption is
employed, and lack of knowledge among the end-users and even among network
administrators at times are utilized for unauthorized access by anti-social
elements. What are all the options technically and legally available for us to
secure our Wi-Fi network?
Sticking to Basics
Wi-Fi networks' accessibility outside physical boundaries is the root cause for
this kind of open access to networks by terrorists. WEP is a shared-key-based
authentication and encryption mechanism for Wi-Fi. Industry experts say that this
mechanism is weak by nature and can easily be
cracked. Later versions of 802.11 have come up with somewhat sophisticated
security encryption algorithms; however, they too can be hacked. Vikas Desai,
Enterprise Solution Architect, RSA Security, says, "WEP is susceptible to Brute
Force Attacks, so for corporate environments it would make sense to use a strong
form of two factor authentication from RSA. The two-factor authentication will
also protect the network even when there is no form of security."
Since a WEP key can be easily cracked, it is recommended to use WPA or WPA 2 (Wi-Fi
Protected Access). This also requires you to set a key on the access point, and
the same key needs to be provided when you access the wireless network through your
computer. WPA uses much stronger cryptographic techniques and, as such, is not
possible to break.
Basically, there are various international standards that put emphasis on
implementing administrative, technical and physical security measures that need
to be followed for a secured network. Administrative controls include a wireless
security policy and monitoring of the radio spectrum for the existence of rogue
access points. Technical controls encompass access control (802.1X port based
access control), end-device and/or user authentication (username/passwords,
one-time-passwords (OTP), smart cards, digital certificates), and communication
(both user data and control) security using cryptographic mechanisms to ensure
data confidentiality and integrity. Use of Intrusion Detection and Prevention
Systems (IDPS) to monitor malicious traffic and attack patterns is another
technical control. Physical security measures involve controlled
access to access points and base stations using biometrics, etc.
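The radio-spectrum monitoring described above can be reduced to comparing what a site survey sees against an inventory of installed access points; the following is an added example, not part of the original article. The inventory, the network name CorpNet and all scan rows are constructed, and the BSSIDs are locally administered placeholder addresses.

```python
from collections import namedtuple

# One row per access point seen during a site survey (all values constructed).
Seen = namedtuple("Seen", "bssid ssid security")

# Hypothetical inventory: BSSID -> (expected SSID, expected security mode).
AUTHORISED = {
    "02:00:00:aa:00:01": ("CorpNet", "WPA2-Enterprise"),
    "02:00:00:aa:00:02": ("CorpNet", "WPA2-Enterprise"),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORISED.values()}

def classify(obs):
    """Label one observation against the inventory."""
    bssid = obs.bssid.lower()
    if bssid in AUTHORISED:
        # Known radio: settings must match, since a hardware address alone
        # can be copied or the device may have been reset to defaults.
        if (obs.ssid, obs.security) != AUTHORISED[bssid]:
            return "known-bssid-wrong-settings"
        return "authorised"
    if obs.ssid in CORP_SSIDS:
        return "rogue-corporate-ssid"      # unknown radio using our name
    if obs.security in ("Open", "WEP"):
        return "unprotected-unknown"       # open or WEP device within range
    return "external"

def survey(observations):
    """Return (label, bssid, ssid) for every observation needing follow-up."""
    alerts = []
    for obs in observations:
        label = classify(obs)
        if label not in ("authorised", "external"):
            alerts.append((label, obs.bssid, obs.ssid))
    return alerts

# Constructed survey results.
SCAN = [
    Seen("02:00:00:AA:00:01", "CorpNet", "WPA2-Enterprise"),
    Seen("02:00:00:aa:00:02", "CorpNet", "WEP"),
    Seen("02:00:00:bb:00:09", "CorpNet", "Open"),
    Seen("02:00:00:cc:00:05", "default", "Open"),
    Seen("02:00:00:dd:00:07", "CafeGuest", "WPA2-Personal"),
]

if __name__ == "__main__":
    for alert in survey(SCAN):
        print(alert)
```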
Sudarshan Rajagopal, principal consultant, security governance, risk &
compliance, Wipro Infotech, emphasizes a comprehensive approach to address
this issue: "A defense-in-depth approach should be adopted to provide security
over wireless networks popularly known as Wi-Fi. Various standards and alliances
have been developed to meet this objective. Toward this end, standards like IEEE
802.11i Robust Secure Network (RSN) standard also known as the Wireless
Protected Access (WPA) alliance and the 802.16e standard for WiMAX have been
developed." He further says, "Due to the inherent strength of the underlying
protocols and abundance of security measures, an integrated WiMAX—Wi-Fi solution
would be best suited to meet this objective."
Home Lock
Home users also should exercise caution and adopt some security measures for
their Wi-Fi networks. They must ensure certain basics.
Turning Off SSID: Each Wi-Fi signal is identified by a unique identifier
called the SSID (service set identifier), which is configured in the modem. SSID
broadcast should be disabled on the access point and the default SSID should be
changed. Broadcasting the SSID is one way by which a wireless network announces
its presence. If
the SSID is not broadcast, others cannot find the network unless they themselves
know the SSID and provide the same to connect.
Strong Encryption: Strongest possible encryption (WPA 2 in many cases) should
be used.
Strong Key: For the modem itself the user should have a strong username and
password combination. Also, the password used to access the configuration menu
should be changed often. Most access points have a very simple, and sometimes
default, password as given by the manufacturer. This password should be changed
immediately. The user name and the password of the access point should be
non-guessable words 16-25 characters long, and the WAP should be configured with
WPA2.
Turn Off Modem at Rest: Finally, when the Internet connection is not in use, the
modem should be switched off to reduce the chances of getting hacked.
Restrict Physical Access: The physical access to the wireless access point
should be guarded. Some access points have a reset switch, which resets the
configuration and password to default settings. And, the home user must try and
ensure that the WAP is placed in a way that the signals do not reach outside
their physically guarded premises.
Restrict Signals: We can also configure a network to operate only in a
particular radius. Giridhar Java, India head, Meru Networks, says that all
signals going outside a particular periphery can be blocked. Another way is to
throw junk to an outside receiver trying to connect. We can easily jam his or
her Wi-Fi card but that's not legally allowed in most parts of the world.
Security Key: Though wireless connectivity is for the purpose of anywhere,
anytime Internet connectivity, there should be some restrictions on the access.
Avinash Kadam, director, MIEL e-Security and ex VP, ISACA International, says,
"Wireless networks are designed for ease of connectivity. Making them secure
involves some loss of freedom. You have to set up the security key at various
points and all the casual users have to first obtain the key before they are
allowed to access the network."
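The checklist above can be checked mechanically; the following is an added example, not part of the original article, that audits an access point configuration against it, weighting encryption and key length above SSID settings because a WPA2 key is only as strong as the passphrase chosen. It assumes a hostapd-style key=value configuration file, and the sample configurations and the short default-SSID list are constructed.

```python
# Sample of factory-style network names (illustrative, not a vendor list).
DEFAULT_SSIDS = {"default", "wireless", "linksys", "netgear"}

def parse_conf(text):
    """Parse hostapd-style key=value lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (severity, message) findings for the checklist above."""
    findings = []
    wpa = int(conf.get("wpa", "0"))          # bit 0 = WPA, bit 1 = WPA2
    uses_wep = any(k.startswith("wep_key") for k in conf)
    if uses_wep:
        findings.append(("high", "WEP key configured: switch to WPA2"))
    elif wpa == 0:
        findings.append(("high", "open network: no encryption configured"))
    elif not wpa & 2:
        findings.append(("medium", "WPA only: enable WPA2"))
    phrase = conf.get("wpa_passphrase")
    if phrase is not None and len(phrase) < 16:
        findings.append(("medium", "key shorter than 16 characters"))
    ssid = conf.get("ssid", "")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append(("low", "default SSID still in use: " + ssid))
    # Lowest weight: a hidden name still appears in connected clients' traffic.
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append(("low", "SSID broadcast is enabled"))
    return findings

# Constructed sample configurations.
FACTORY = "ssid=default\nauth_algs=1\nwep_default_key=0\nwep_key0=1234567890\n"
HARDENED = """
# WPA2 only, long key, renamed and hidden SSID
ssid=flat-4b-net
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-42
"""

if __name__ == "__main__":
    for name, text in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name, audit(parse_conf(text)) or "no findings")
```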
Corporate Network
Manjula Sridhar, co-founder and CTO, Aujas Networks, says, "Many security
preventive measures can be taken in two different contexts. The larger issue of
who will implement and who owns responsibility for implementing these measures
needs to be resolved by regulatory agencies." In the enterprise context,
depending on the budget, one can either go for security measures that home users
should adopt or have policies and procedures for configuring, managing and
maintaining the access. For corporate networks, a more robust authentication
method could be set up which requires an authentication server to be configured.
All the users will then be first authenticated and then admitted to the wireless
network.
One should also do MAC-based filtering to deter unknown computers from connecting
to the network. By registering the wireless network card's hardware address (the
MAC address) with the access point, one can restrict access to wireless networks.
This requires first finding the MAC address of each computer and then entering
it in the access point. Once this is done, only specific computers with specific
network cards will be allowed to access the wireless network. The MAC address
can be captured and spoofed but this requires more experience. If cost is not an
issue, sophisticated Wireless Intrusion Prevention devices should be installed.
Ban Hacking Tools?
Is it legally possible to ban websites promoting free hacking tool downloads
like AirSnort, and websites providing hacking training? "Yes, it is legally
possible to ban any website that promotes free hacking tools, but most such
sites make them available either as vulnerability testing tools or purely for
educational purposes," says Vikas Desai, enterprise solution architect, RSA
Security.
But Manjula Sridhar says that it is not possible to ban them. "Many of these
hacking tools have valid uses like testing one's products, administration, and
other research needs. Moreover, due to its inherent nature, the Internet has no
boundary, hence it is not possible to enforce such laws," she explains. "Even if
you ban them, they will still be available through various means. It is better
to demonstrate these tools and then show how you can protect yourself against
them by following better security practices."
Stringent Punishment
Whether severe punishment under governmental policies on cyber crime can deter
cyber criminals from hacking is another angle one can look at. Penalties and
punishments have always proven to be effective. Kadam says, "Hacking is
stealing. Unless the guilty is punished, the temptation to steal is not going to
go away. We must have good cyber crime laws and well trained cyber crime police
to enforce those laws."
Sridhar of Aujas Networks has a slightly different take on it: "It is like
any other crime, just having severe penal codes in place will not stop cyber
criminals. A multi-pronged approach of creating user awareness, ensuring people
and enterprises take adequate care to protect themselves, and having stringent
laws and enforcement will help reduce cyber crime."
Apart from bringing more stringent laws, enforcement agencies should be
educated to thoroughly know the government policies and procedures to make the
prosecution of cyber criminals easier.
Awareness Campaign
Security experts unanimously agreed that creating awareness is the key to
resolve this issue. Internet service providers say that it is the customer who
is to blame for this unwanted scenario. According to Rajesh Chharia, president
of the Internet Service Providers Association of India, Internet service
providers are taking steps on their own to secure Wi-Fi connections. All ISPs
are installing AAA servers and firewalls. But when people take routers and make
their homes and offices Wi-Fi-enabled and then leave it open, there is nothing
ISPs can do about it.
Kadam says, "Emphasis should be placed on awareness, training, and education.
It should be ensured that everyone is aware of the discipline required to
maintain security. Training should be given to the technical people apart from
educating the management about the significance of network security."
Corporate employees are also not aware of security risks of some of their
innocuous acts. For example, software/music downloaded from the Internet could
have spyware embedded and potentially could leak confidential data. Awareness of
the legal implications of such acts and stringent policy enforcement would deter
many insider crimes.
The key reason for a lot of enterprises not being secure is lack of awareness
and basic precautions. There are enough security solutions, technologies, and
processes available to most enterprises. But apathy and lack of awareness
become the root cause of the problems.
Maha Initiative
Following the terror email episode, Maharashtra Police, in association with
ISACA and FICCI, has joined hands to educate and help companies in the city and
state become Wi-Fi secure. As part of the initiative, ISACA has agreed to extend
technical support to Maharashtra Police with its huge bandwidth of expertise and
key tools in IT security management area. ISACA will provide guidance and
support to create awareness about the need for Wi-Fi security, providing
companies an insight on various internationally recognized and adopted tools and
programs, providing adequate training to IT professionals through CISA, CISM and
CGEIT certifications, and so on.
Kadam said at a Wi-Fi security conference in Mumbai, "In the present scenario
when Net security has become vulnerable and terrorists are misusing Wi-Fi
connections for wrong reasons, it is pertinent to educate our society to secure
them. ISACA is helping lead the initiative to make corporate India Wi-Fi
secure." Vijay Mukhi, chairman of FICCI-IT cell says, "The initiatives can be
expanded to a national level also as FICCI is a national body. If other states
also approach us for the similar initiative to secure the Wi-Fi networks in
their states, we will certainly take it to next level." In Maharashtra the acute
problem is less awareness about the technology.
ISACA will also work with the Police in other cities and states and with
national bodies like FICCI and Nasscom. With our nine other chapters, it will
proactively approach the state governments to sensitize them about the
implications of unsecured networks through campaigns and other awareness
programs.
National Level Initiatives
Realizing the high level threat, concerned ministries and departments
including the Department of Telecommunications (DoT) and the Department of
Information and Technology (DIT) are now mulling over imposing new rules and
regulations to make it illegal to leave such wireless Internet connections open,
which are increasingly tapped for anti-social work. The government might make it
mandatory that Wi-Fi networking companies restrict Wi-Fi signals within a
defined radius by installing access points around the signal. The Telecom
Regulatory Authority of India (TRAI) is studying defense mechanisms and measures
adopted in other countries to draw lessons for Indian corporates and home users
who use Wi-Fi connectivity.
Sunder Krishnan, and the Brand Ambassador of the ISACA Mumbai chapter
comments, "Penalizing corporates and home users for having unsecured network or
leaving it open will not work unless frameworks and level of encryption for each
technology is standardized. But nothing concrete has come about the frameworks
and standards." These departments are in the process of formulating
guidelines/policies in consultation with technical and legal experts. So nothing
else has come out from the government side.
TRAI and the DoT are consulting each other to ask the ISPs to launch
awareness campaigns for their customers on security measures related to Wi-Fi.
Last, but certainly not the least, would physical verification, including
proper identity proof, before issuing any email ID prevent cyber crimes and
the sending of terror mails? Fake personal information during online registration is
enough to sign up for as many email IDs as you want. This encourages
anti-social elements to easily get many email IDs for unlawful activities.
Though it is a humongous task, if physical verification is made mandatory as in
the case with mobile subscription, terror mails could be reduced to a great
extent.
Mail server companies like Google clearly state in their terms and
conditions before registration that "You agree that any registration information
you give to Google will always be accurate, correct and up to date... Google may
at any time, terminate its legal agreement with you (canceling the email service
among others) if you have breached any provision of the terms." Other companies
like Yahoo, Hotmail, Rediffmail, etc, also have similar terms and conditions,
but they are all flouted.
Kannan K
kannan@cybermedia.co.in