Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.
This week Ken Munro, managing director of SecureTest, warns that personal information and company data is at risk from rogue access points set up to lure unsuspecting wireless surfers.
Most corporate IT departments have now realised that wireless local area network (Lan) security is a necessity not an option. In any modern office it is not so much denial, as negligence to say that we have no wireless networks, therefore we need no wireless security policy.
Executives will have Bluetooth and Wi-Fi enabled smartphones and PDAs which hold company data. Many new notebook PCs now have integrated Wi-Fi chips. Even where this is not the case, with Wi-Fi being offered as a value-add on many home broadband offerings, employees will add Wi-Fi cards to office laptops for use on their home networks.
Companies must have a wireless policy in place and ensure that it is enforced, even if this is simply to say that company machines may not be wireless enabled and company data may not be stored on wireless enabled devices.
But for the many companies which are embracing wireless technology, there is another, possibly even greater, threat emerging which could offer a new set of challenges to security personnel: access point impersonation.
Public access wireless hotspots are becoming widely available in coffee shops, airport lounges, hotels and even on trains. Mobile users simply connect to the access point web server, purchase connection time or log on, and obtain internet connectivity.
By positioning a rogue access point near a legitimate access point and offering a stronger signal, fraudsters can tempt the user to join the rogue access point.
A fraudulent access point acting as a proxy or snooping device can be run on a wireless enabled iPaq. Once the user joins the rogue access point, a copy of the legitimate access point website is shown to the user who, unaware of any problem, enters their credit card or corporate access details.
The user either believes that the access point isn't working correctly or, with a more sophisticated attack, can be allowed to continue surfing unaware.
Having already gained the user's credit card or access details, the fraudsters now have a connection to the target laptop, and can start interrogating it for information, either harvesting user credentials or extracting sensitive data.
The accuracy of the attack will also make this type of activity very attractive to criminals. By targeting Wi-Fi users in areas such as hotels, airports and first class train compartments etc, fraudsters can be guaranteed a higher calibre of victim and access to more valuable information.
A variation on this attack poses another threat: many offices now provide wireless access to hot desk workers. It is trivial to 'sniff' the airwaves to determine the name of the access point that the laptop is searching for.
The criminal simply sets up the rogue access point with the same name, and uses a directional aerial to ensure that the rogue access point has a higher signal strength than the valid one. Depending on configuration, the laptop may join the rogue access point, allowing the attacker access to the laptop and useful information.
There are ways to mitigate these problems: Users should take care if relying on the common wireless encryption standards. It doesn't take long to crack even a 128-bit Wired Equivalent Privacy key, and Wi-Fi Protected Access has already been shown to have a problem which may allow brute force cracking of the pre-shared key in some situations.
A far safer, and relatively simple solution for the roaming executive, would be to ensure that all communications are routed via a virtual private network, including email.
Next, ensure that all laptops have a software firewall running to limit inbound access to the device. Make sure that the laptop is kept fully patched (which is a challenge in itself, given the remote location of the machine).
Identifying a rogue access point is hard work for a non-technical mobile user, as the website running on the access point looks like the real thing. One of the few clues may be the Secure Sockets Layer certificate, which will either not exist or will be incorrect. But how do you train a user to spot this?
Using client software provided by the access point service provider to initiate a trusted connection to a wireless access point may solve the problem, but it will restrict the user to only the service provider's access points, which rather flies in the face of the whole 'hotspot' concept.
So, next time you're in the business class lounge at an airport, be careful where you connect to when you log on to a wireless network. Are you sure that's the Starbuck's wireless Lan you're putting your credit card details into?
IBM and Technical University of Munich team demonstrate how Shor's algorithm, which can't be cracked by conventional computers, can be solved quickly with quantum computing
Hubble Space Telescope finds superflares from young red dwarfs could strip away planetary atmosphere
Younger stars are 100 to 1,000 times more energetic than when they're older
Two of the big four supermarkets will use the system to control sales of restricted products
PUBG news and updates: November's Update #23 to bring new Skorpion pistol and changes to blue zone visibility
Genuinely useful side-arm coming to PUBG in Update #23