Bring the outside in


Sitting down at the local coffee shop, sipping a latte and checking the office email might seem an innocuous activity for the average executive, but without the proper checks and controls it can be the beginning of a nightmare for anyone in charge of corporate network security.

Market analyst firm IDC estimates that there will be more than 130,000 public wireless hotspots worldwide by the end of 2005.

A survey by Intel of U.S. computer users found that 34 percent of them took laptops on vacation, and that one of the most popular reasons for doing so was to check and send work email via a wireless hotspot. According to Intel's online hotspot finder ( the U.S. has 28,916 public hotspots. The U.K. is in second place with 10,594.

As every new laptop has wireless as standard now, just telling users not to access public hotspots to check webmail is not going to work. Policies and education need to be in place.

Threats such as "evil twin" hotspots, man-in-the-middle attacks, and worms jumping from laptop to PDA are real. An evil twin attack is where a hacker sets up a fake access point near a real one, gives it an authentic sounding name and then tries to lure unsuspecting users to divulge sensitive information by directing users to fake websites to steal information.

"A user might think they have logged onto a hotspot at an airport or hotel, when in fact they have been tricked into connecting to an attacker's base station," says Dr. Phil Nobles of Cranfield University in the U.K. Nobles says anyone with a wireless-enabled laptop could easily launch such an attack.

One other thing a user should be aware of is the man-in-the-middle (MITM) attack. This is an attack where an attacker is able to read, insert and modify at will messages between two parties without either party knowing that the link between them has been compromised.

There are, however, difficulties for your hacker in these situations.

The attacker must be able to observe and intercept messages going between the two victims and, with wireless signals, the attacker does have to be near a node of the wireless network.

Wireless MITM can occur in both layer one and layer two of the OSI layer stack. In layer one, the attacker jams the signal to the real base station. Or they can flood the access point with junk packets with tools such as FakeAP, File2Air or Void11.

More common are layer two attacks, which rely on flooding and breaking the link between the target host and access point with spoofed deassociation or deauthentication frames. The layer two attack tends to be the weapon of choice for the wireless hacker, as it is more efficient than jamming the channel.

These attacks are complex, and while security professionals can get their heads around the subject matter, the ordinary user probably won't.

Simple advice, such as making users protect themselves from shoulder surfing and querying the connection information of the link, can help up to a point.

But the best course of action is having software on mobile devices that can check if links are legitimate and the client machine is compliant with security policy.

But what makes a policy good enough? In other words, what makes a security policy safe enough to use in the open?

Tim Cranny, senior security architect at Senforce Technologies, says organizations must step back from the problem to assess the risks of allowing users to use hotspots.

"There is no magic bullet to solve this problem. Just going at it will result in a patchwork of incompatible solutions which can create additional problems and greater management overheads," he says.

Cranny says coherent security policy is based on proper risk assessment.

This means making sure minor threats do not hog the limelight, but are still given their proper place in the scheme of things. Then resources can be allocated appropriately. Also, administrators must be given the power to implement the policy and have software on the endpoints to make sure no one transgresses.

This software must assume that any hotspot used by an employee is untrusted. Administrators might also want to limit connections to hotspots operated by a trusted wireless provider who the administrator feels has a reasonable level of security.

Policy for laptops means there should be a minimum level of protection installed on any mobile device (see the panel, right, for what should be in your mobile device security policy).

Philip Stanfield, practice director of Morse Mobile, says a company's policy database should be held and maintained centrally but be flexible enough to mirror the changing nature of an organization.

"An organization must check its mobile devices against a central database to ensure they are valid and patched up," says Stanfield. "An organization has control of a device when it is within its infrastructure, so it should maintain control when it is outside."

By keeping policy based centrally, security professionals should be able to sleep a little more soundly. Users will be able to access files and emails whenever, and almost wherever, they like without compromising security.

It should also ensure that users get a level of flexibility to enable them to stay productive – especially when they are enjoying their lattes.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.