
A Security Nightmare

by Nikola Strahija on October 14th, 2002

Wireless Devices Could Soon Be Ubiquitous in American Business, but the Security of Their Transmissions Still Has a Ways to Go...

You're sitting in an airport coffee shop, rifling through files you've downloaded from your corporate network onto your PDA.


You glance at the guy sitting nearby with his laptop. Suddenly, you realize he could be rifling through those same files, using your PDA as a window to sneak peeks into your corporate network.

Don't worry, the wireless world isn't quite so nefarious. At least not yet. But as more workers use handhelds to connect to the Internet, hackers will begin paying attention to those open gateways to private networks.

The automated, always-on mentality of corporate America demands a powerful machine that thinks like a PC but can fit into a business executive's pocket or purse. And yet those tiny contraptions will be a business network's double-edged sword. They're capable of shipping files, browsing e-mail and tapping into the hard drive at a moment's notice - but rely on weakly built wireless tunnels that lie beyond the perimeter of a company's protective firewall.

And after suffering through the Love Bugs and Code Reds of e-mail, the growth of mobile wireless raises the question of whether businesses have learned their lessons for this second round. So far, experts say, not really. But the final test may still be a few years away.

"When we have our first big wireless security incident, you'll suddenly start to see people wonder," says James Lewis, director of technology and public policy programs at the Center for Strategic and International Studies, a Washington think tank. "Will the convenience of wireless start to outweigh the security risks?"

Much of the focus has concentrated on wireless local area networks that businesses use to connect their desktops across campuses. The transmission standards have holes that can virtually announce themselves to nearby hackers sporting equipment they bought from the neighborhood electronics stores and software they found for free over the Internet. But standards groups are working on plugging those holes - just in time for the threat of the more wily mobile devices to loom.

The security risks are large for a device so little. In fact, its size is part of the problem. Strong encryption measures require lots of processing power, which in turn requires bigger chips and more memory - things that can't squeeze into handhelds quite as easily as they can into desktops. Also unlike PCs, the handhelds rarely carry passwords or antivirus protection today. To make matters worse, they often travel the same weak transmission tunnels used in wireless networks.

Some see the solution in stopping wireless transmissions. Lawrence Livermore National Laboratory, a Department of Energy facility in California, temporarily banned the use of most wireless networks in January. The Office of the Secretary of Defense released a policy report last month backing its moratorium on classified Pentagon networks that talk to wireless devices.

Solving these problems takes more time and money than manufacturers can afford in the race to trumpet the latest product that answers every businessperson's needs.

"Security hampers speed," explains Mark Komisky, CEO of Bluefire Security Technologies, a Baltimore company that's developing security software for wireless devices. "[Manufacturers] try to push as much functionality as possible. ... Security is a secondary issue."

In fact, it will likely be up to third-party software developers to make security the higher priority in applications they sell to handheld manufacturers and users. That's a key task for a Cellular Telecommunications & Internet Association security task force, composed of representatives from Sun Microsystems, Cisco and Microsoft, as well as major cell phone companies and telecom standards writers. They're hashing out their own guidelines for these applications to work on their systems without glitches - especially as employees decide to download unauthorized programs onto their PDAs.

"As an industry, we have to say, 'These are the standards they must write to,'" says Kathryn Condello, CTIA's vice president of industry operations. "I think our paranoia is serving us well."

So far, many of those third parties are taking up the challenge, creating an emerging market of companies that gear their security software to wireless gadgets and networks. Bluefire plans to launch its software suite next month.

Aether Systems, an Owings Mills company that predates the wireless phenomenon, says it started inserting security software into its wireless applications six years ago. But it wasn't until this year that seven out of 10 of Aether's major business clients were demanding it in their first meeting.

"They're telling us, 'Bring it on. We need this stuff yesterday,'" says Bill Anderson, Aether's senior director of product management and marketing.

That belies a big problem with ensuring these networks and devices are safe. In most cases, experts say they have to convince companies of the significance of security - and that it's a threat that changes day to day.

"It's an awareness issue. It's a priority issue," says Pete Lindstrom, director of security strategies at the Hurwitz Group, a research firm based in Framingham, Mass. "Every time you have a new technology, you have a new opportunity to break into it."

Regardless of the arguments or potential fixes, some say outbreaks are inevitable. Like their Internet predecessor, mobile devices and wireless networks must simply go through the natural course of corporate action: Build, release, abuse, police.

"No matter where the focus of the individual is in securing this stuff, they will always lag behind the hackers," says Jason Wright, a security analyst for Frost & Sullivan, a San Jose consulting and research firm. "It's a very reactive scenario."

- article available from www.securitynewsportal.com -

