Looking Back At Wireless Security In 2003

December 2003

Wireless security is one of the hottest topics in our business. In the article you are just reading, I've tried to cover some of the most interesting wireless security topics and events in 2003.

General overview

The first news item added to Help Net Security in this year was "Wi-Fi: The National Security Threat". The topic of this news item, was literally copied all over and over throughout the year, so the majority of news stories dissed wireless security. This media "attack" on wire-free network security, eventually lead to a raise in wireless security awareness and better state of security in general.

In March, a consultancy firm once again stressed out the importance of wireless threats, so they set up a couple of wireless honeypots over London and stood by to see what was happening. The results showed some activity, mostly bandwidth stealing and a conclusion was made: "The project dispels the myth that all unauthorized wireless activity is harmless". At this year's RSA Conference Europe, held in Amsterdam, I've spoken with one of the guys who ran this project and was unpleasantly surprised that all those figures derived from the study, were based on extremely small amount of "unauthorized wireless activity". From what he said, a new wireless honeypot project is in preparation and it will include far more honeypots, running on several operating systems, which will finally bring much better (from the quality perspective) results than the initial project.

During the NetWorld+Interop conference in April, the Wi-Fi Alliance launched Wi-Fi Protected Access (WPA), protocol that was needed to carry on upon flawed WEP. "Rather than wait for 802.11i to come out as a full standard, which may not happen until next year, they decided to take parts of the draft standard that are already very solid and take that to market now as Wi-Fi Protected Access," said David Cohen, Wi-Fi Alliance security committee chair. WPA soon faced some critics (1, 2).

When taking a look at May, I remember another quote from Wi-Fi Alliance, this time from Kirk Allchorne, marketing co-chairman at that organization, which showed the need for making new security standards: "It has become apparent to us that enterprise markets were avoiding Wi-Fi because of security worries". In the other news, AirDefense's May newsletter featured an interesting list of top 10 Wireless LAN Policy Violations.

In June, we've seen a big plus going to wireless networks, when Intel Corp.'s Chief Financial Officer Andy Bryant said his company had found that the security offered by a "controlled wireless network" was superior to computer security regimes that traditionally have blocked wireless access as a threat. The end of the June was marked by a third World Wide WarDrive. This is an effort by security professionals and hobbyists to generate awareness of the need by individual users and companies to secure their access points. The results showed that things are going better, as the number of WEP enabled networks went up and both numbers of default SSID and default SSID + No WEP networks went down.

I need to mention AirDefense one more time, but in July they did another interesting thing. During the 802.11 Planet Expo in Boston, they monitored WLAN activity and published their findings. The results showed a lot of malicious activity. Citing the "explosion" of wireless hotspots in public spaces, homes and businesses, IBM Corp. in October unveiled a new managed intrusion detection service targeted at wireless networks. According to Shane Robison, HP executive VP, HP has security projects in development such as moving its SSL-based VPN technology to 802.11 wireless networks.

As people have a lot of imagination, these are some of the phrases you'll stumble upon any day now: Warwalking, Warwatching, WiLDing, Warbiking, Warhiking, Bluejacking and Bluestumbling.

The corporate wireless security world

As wireless security received more and more exposure throughout the media, we've seen a number of new startups offering their expertise in this field. When taking a look at the corporate wireless security sphere (as presented via media press releases and company newsletters), I can see that majority of the news releases were concerning new client wins, integrations with other vendor technologies and showing the current state of wireless (in)security. All the companies I've successfully followed throughout the year proved that there is still space in the wireless security market for new products, new ideas and innovative services.

Source...

 

With Dionach you get:

• An efficient, friendly and flexible service
• To talk directly to the experts
• Straightforward assessment reports that get to the point
• Complete confidentiality and utmost discretion