Comment: The enemy within

16 Nov 2005

I sometimes wonder if regular readers get bored of poring over what appear to be the same old security stories on these pages. Then I stop myself. The more I cover IT security, the more I realise that technology’s got a big part in the whole show and that human behaviour is centre stage.

Wireless networking is an ideal example. It has the potential to be very secure, but many of us at home or in business simply don’t bother doing any more with it beyond the basics. Hands up who’s still using the default password ‘1234’ or ‘0000’? It takes one to be reckless, inattentive or plain lazy and it takes another to be at best curious and at worst malicious.

This came to mind when I was testing a laptop recently. It was fitted with a wireless card, which is standard gear on most notebook computers now. One of the first things it did, because it’s configured to do so automatically, was seek out the nearest wireless network.

Without any prompting from me, it discovered one nearby that was active and ‘awake’. The first thing I knew about it was that the PC asked me if I would like to connect to it. I didn’t try looking to get at the person’s network, I basically piggybacked on their internet connection and got access for free.

It was the perfect illustration of a point made in a recent report by the Irish Honeynet Project. Over a two-week period one wireless honeynet in Dublin (a computer purposely set up to attract and monitor attempts to access it) averaged nearly two connection attempts per day. “It appears that the majority of these access attempts were what we could call ‘chancers’ looking for a source of free internet access,” said Colm Murphy, report author and technical director with the IT security firm Espion.

Applying myself to this description, I visited a couple of websites, as much to see if the connection worked. My curiosity satisfied, I disconnected. But every time I boot up this laptop, I’m told whether the wireless connection is active or inactive.

I’m fairly sure my nearby access point was domestic because I was testing the PC at home. But what if it had been a business? I could have easily logged on to the network and had a very interesting and informative peek at what it was up to. The Wireless Honeynet Project report suggests encryption and strong passwords as good steps to prevent data being intercepted by unauthorised third parties.

Here’s where the repeated behaviour factor comes into play: this isn’t an isolated incident. A colleague was once testing another laptop in our office and was able to gain access to the network of a company based on the first floor. It proves that the effective range of many wireless access points is far wider than it needs to be – a fact the Honeynet report supports. It advises people to adjust the settings of their access points so they only broadcast as far as necessary. Another tip – which would have prevented me from getting very far – is to force every visitor to your wireless network to authenticate themselves. The upshot of that is no authentication, no access.

As a postscript, I’m now barred from my neighbour’s network (and after my colleague informed our office counterparts they also changed their settings to keep out unwanted guests). But to come back to my earlier point, the technology press is full of stories that warn of the dangers of leaving network resources exposed and suggest ways to plug those gaps. But we’re fighting human nature, where it seems we have to wait for something bad to happen before coming to the conclusion that a little extra security is a good idea.

By Gordon Smith