Wireless Devices - Security Risk?

From http://www.vnunet.com/news/1155700 --->
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
"...companies which had not installed any wireless technology were
also at risk because wireless is shipping in devices from PDAs and
mobile phones to notebook computers".

"He pointed out that Intel's Centrino wireless
capability was embedded in 42 per cent of notebook
computers shipped last year, and will be in 90 per
cent of notebooks shipped this year".

"Whether you're using that wireless capability or not,
every wireless notebook represents a clear and present
danger to the security of your computer network".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
If you don't have any access points active/connected, how are these
devices a risk?

Jim Benner

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> From http://www.vnunet.com/news/1155700 --->
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
> "...companies which had not installed any wireless technology were
> also at risk because wireless is shipping in devices from PDAs and
> mobile phones to notebook computers".
>
> "He pointed out that Intel's Centrino wireless
> capability was embedded in 42 per cent of notebook
> computers shipped last year, and will be in 90 per
> cent of notebooks shipped this year".
>
> "Whether you're using that wireless capability or not,
> every wireless notebook represents a clear and present
> danger to the security of your computer network".
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
> If you don't have any access points active/connected, how are these
> devices a risk?

Up until that last sentence you quote, the article was reasonably well
balanced and accurate. That particular claim - "every wireless notebook
represents a clear and present danger" - is a bit of an overstatement,
unless the company is running a WLAN.

Unfortunately, it's not completely incorrect. Even if there's no WLAN, if
the notebook is configured for ad-hoc an outsider could associate with the
adapter. If there are unsecured shares on the notebook, or if the notebook
is in a docking station connected to the wired corporate net, it could be a
back door. But this is a really unlikely scenario, and pretty easy to
eliminate. I don't think it's a significant source of risk.

>
> Jim Benner
>

On Wed, 09 Jun 2004 01:06:50 GMT, "gary" <(E-Mail Removed)>
wrote:

>
><(E-Mail Removed)> wrote in message
>news:(E-Mail Removed).. .
>> From http://www.vnunet.com/news/1155700 --->
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
>> "...companies which had not installed any wireless technology were
>> also at risk because wireless is shipping in devices from PDAs and
>> mobile phones to notebook computers".
>>
>> "He pointed out that Intel's Centrino wireless
>> capability was embedded in 42 per cent of notebook
>> computers shipped last year, and will be in 90 per
>> cent of notebooks shipped this year".
>>
>> "Whether you're using that wireless capability or not,
>> every wireless notebook represents a clear and present
>> danger to the security of your computer network".
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
>> If you don't have any access points active/connected, how are these
>> devices a risk?
>
>Up until that last sentence you quote, the article was reasonably well
>balanced and accurate. That particular claim - "every wireless notebook
>represents a clear and present danger" - is a bit of an overstatement,
>unless the company is running a WLAN.
>
>Unfortunately, it's not completely incorrect. Even if there's no WLAN, if
>the notebook is configured for ad-hoc an outsider could associate with the
>adapter. If there are unsecured shares on the notebook, or if the notebook
>is in a docking station connected to the wired corporate net, it could be a
>back door. But this is a really unlikely scenario, and pretty easy to
>eliminate. I don't think it's a significant source of risk.
>
>>
>> Jim Benner
>>

They know now that almost 50% of company network break ns, are done
using stolen company notebooks.

"AndrewJ" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Wed, 09 Jun 2004 01:06:50 GMT, "gary" <(E-Mail Removed)>
> wrote:
>
> >
> ><(E-Mail Removed)> wrote in message
> >news:(E-Mail Removed).. .
> >> From http://www.vnunet.com/news/1155700 --->
> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
> >> "...companies which had not installed any wireless technology were
> >> also at risk because wireless is shipping in devices from PDAs and
> >> mobile phones to notebook computers".
> >>
> >> "He pointed out that Intel's Centrino wireless
> >> capability was embedded in 42 per cent of notebook
> >> computers shipped last year, and will be in 90 per
> >> cent of notebooks shipped this year".
> >>
> >> "Whether you're using that wireless capability or not,
> >> every wireless notebook represents a clear and present
> >> danger to the security of your computer network".
> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
> >> If you don't have any access points active/connected, how are these
> >> devices a risk?
> >
> >Up until that last sentence you quote, the article was reasonably well
> >balanced and accurate. That particular claim - "every wireless notebook
> >represents a clear and present danger" - is a bit of an overstatement,
> >unless the company is running a WLAN.
> >
> >Unfortunately, it's not completely incorrect. Even if there's no WLAN, if
> >the notebook is configured for ad-hoc an outsider could associate with
the
> >adapter. If there are unsecured shares on the notebook, or if the
notebook
> >is in a docking station connected to the wired corporate net, it could be
a
> >back door. But this is a really unlikely scenario, and pretty easy to
> >eliminate. I don't think it's a significant source of risk.
> >
> >>
> >> Jim Benner
> >>
>
> They know now that almost 50% of company network break ns, are done
> using stolen company notebooks.

That may be, but that's simply because notebooks are easy to steal, and the
corporate info on them (including any passwords, login ids, or telephone
numbers that might be intentionally or accidentally saved to disk) is
immediately available.

If the company isn't running a WLAN, then it doesn't matter if the stolen
notebook has builtin wifi or not. If they were running a WLAN, then if the
notebook is configured with WEP or WPA preshared key, the company network is
compromised.

>> If the company isn't running a WLAN, then it doesn't matter if the stolen
notebook has built-in wifi or not. If they were running a WLAN, then if the
notebook is configured with WEP or WPA preshared key, the company network is
compromised.

Gary:

Not necessarily, if the company was also using VPN.

"CZ" <(E-Mail Removed)> wrote in message
news:9jJxc.5393$(E-Mail Removed) m...
> >> If the company isn't running a WLAN, then it doesn't matter if the
stolen
> notebook has built-in wifi or not. If they were running a WLAN, then if
the
> notebook is configured with WEP or WPA preshared key, the company network
is
> compromised.
>
> Gary:
>
> Not necessarily, if the company was also using VPN.
>
>
>

No, of course not necessarily. But even with VPN, you might be surprised at
what sorts of information can be retrieved by examing swap files. Not to
mention the fact that people sometimes keep passwords in a file, especially
if they are required to change this information often. Authentication via
smartcard is an improvement here, but if someone stole the laptop they may
also have stolen the card.

Anyway, rolling this all back to the original post, the only point I'm
trying to make is that merely allowing employees to carry laptops equipped
with wifi is not per se an enhanced risk, despite what the article claimed.
Allowing them to carry laptops at all is the greater part of the risk.

In article <zzJxc.5402$(E-Mail Removed)> ,
gary <(E-Mail Removed)> wrote:
:Anyway, rolling this all back to the original post, the only point I'm
:trying to make is that merely allowing employees to carry laptops equipped
:with wifi is not per se an enhanced risk, despite what the article claimed.
:Allowing them to carry laptops at all is the greater part of the risk.

Hmmm.

So then... a fast food chain employee is authorized to carry latched
jugs of bleach as part of the hourly bathroom floor sanitation
procedure. But it isn't any additional risk "per se" for the employee
to carry around benzine in uncovered cardboard soft-drink cups:
allowing the employee to carry any hazmat at all is the greater part
of the risk.
--
'ignorandus (Latin): "deserving not to be known"'
-- Journal of Self-Referentialism

"Walter Roberson" <(E-Mail Removed)> wrote in message
news:ca7vei$ooh$(E-Mail Removed)...
> In article <zzJxc.5402$(E-Mail Removed)> ,
> gary <(E-Mail Removed)> wrote:
> :Anyway, rolling this all back to the original post, the only point I'm
> :trying to make is that merely allowing employees to carry laptops
equipped
> :with wifi is not per se an enhanced risk, despite what the article
claimed.
> :Allowing them to carry laptops at all is the greater part of the risk.
>
> Hmmm.
>
> So then... a fast food chain employee is authorized to carry latched
> jugs of bleach as part of the hourly bathroom floor sanitation
> procedure. But it isn't any additional risk "per se" for the employee
> to carry around benzine in uncovered cardboard soft-drink cups:
> allowing the employee to carry any hazmat at all is the greater part
> of the risk.

??? I don't see the parallel at all. Did you read the original post, and the
article I was responding to? What I said was, if a company doesn't have a
wireless network, then the fact that employees carry laptops with wireless
cards does not significantly increase their risk, even though the original
article specifically claimed that it does. I thought that was a
straightforward observation, but perhaps not.

A better analogy would be that the fact that employees carry their car keys
along with their office keys does not increase the company's risk.

> --
> 'ignorandus (Latin): "deserving not to be known"'
> -- Journal of Self-Referentialism

In article <MzOxc.5457$(E-Mail Removed)>,
gary <(E-Mail Removed)> wrote:
id you read the original post, and the
:article I was responding to? What I said was, if a company doesn't have a
:wireless network, then the fact that employees carry laptops with wireless
:cards does not significantly increase their risk, even though the original
:article specifically claimed that it does. I thought that was a
:straightforward observation, but perhaps not.

But you are wrong: systems default to ad-hoc wireless being turned on,
and that allows reaching devices that could not otherwise be reached.

Your counter-argument to that is, as I understand, that employees
should not be given unsecured laptops, which is true in an ideal world,
but not so easy to enforce in practice.

But the way you put your argument, the logic extends further, right to
the boundary where *everything* that can go wrong with laptop security
would be the fault of the company for having allowed the employees
to use laptops at all.

Companies take risks for business purposes, and it is, in my opinion,
completely correct for the press to warn companies that they may
not have previously considered an important risk factor that is getting
built into computers these days.

Yes, companies *should* be assigning someone to systematically
cross-index all the possible security threats of every feature of the
computer equipment they use, but *in practice* not many companies have
enough personnel to assign someone to a task such as that. I know well
that our local organization, about 150 people, doesn't have those kind
of resources; I don't imagine that the Small Businesses that make up
most of the economic growth at present have the appropriate
resources either.
--
'ignorandus (Latin): "deserving not to be known"'
-- Journal of Self-Referentialism

"Walter Roberson" <(E-Mail Removed)> wrote in message
news:ca8h28$irf$(E-Mail Removed)...
> In article <MzOxc.5457$(E-Mail Removed)>,
> gary <(E-Mail Removed)> wrote:
> id you read the original post, and the
> :article I was responding to? What I said was, if a company doesn't have a
> :wireless network, then the fact that employees carry laptops with
wireless
> :cards does not significantly increase their risk, even though the
original
> :article specifically claimed that it does. I thought that was a
> :straightforward observation, but perhaps not.
>
> But you are wrong: systems default to ad-hoc wireless being turned on,
> and that allows reaching devices that could not otherwise be reached.

Yes, I believe I agreed way back at the beginning of the thread that this
was a possible security hole. I suggested that it is a minimal risk compared
to the risk the company takes by running a WLAN, or for that matter,
allowing employees to walk off the premises with laptops containing
corporate information. The rate of theft for these things is astronomical.
And companies rarely do a sufficient job cleaning the hard drives when they
sell them. You can yank-and-destroy the hard drive from a PC, but not from a
laptop. Just reformatting the disk is not good enough.

A Swedish security company recently did a test. They bought 100 laptops at
auction. They retrieved sensitive corporate data from 70 of them, including
passwords, internal company network authentication information, corporate
planning, and customer profiles.

I still believe that, if the company has done adequate security on the
internal network, the probability of someone sitting in the company parking
lot and hacking into the corporate net via somebody's accidentally-available
ad-hoc client is minimal *in comparison* to the other risks the company
takes by allowing the employee to keep sensitive data on the laptop and take
it on business trips.

>
> Your counter-argument to that is, as I understand, that employees
> should not be given unsecured laptops, which is true in an ideal world,
> but not so easy to enforce in practice.

It's not my argument, it's your extrapolation.

>
> But the way you put your argument, the logic extends further, right to
> the boundary where *everything* that can go wrong with laptop security
> would be the fault of the company for having allowed the employees
> to use laptops at all.

The way you put the argument, probably.

>
> Companies take risks for business purposes, and it is, in my opinion,
> completely correct for the press to warn companies that they may
> not have previously considered an important risk factor that is getting
> built into computers these days.

You bet. But the article contained an absolute claim about the insecurity of
owning any equipment with a wifi adapter. It made no distinctions, offered
few details, put nothing in perspective. In my opinion, that doesn't help
the company to understand the issues. It just pumps out a bit more fog.

>
> Yes, companies *should* be assigning someone to systematically
> cross-index all the possible security threats of every feature of the
> computer equipment they use, but *in practice* not many companies have
> enough personnel to assign someone to a task such as that. I know well
> that our local organization, about 150 people, doesn't have those kind
> of resources; I don't imagine that the Small Businesses that make up
> most of the economic growth at present have the appropriate
> resources either.

It's impossible to cross-index all threats. You have to calculate a
risk-reward ratio. Obviously, the utility of issuing laptops outweighs the
risks in most cases. I'm just saying that if you are willing to take the
risks involved in letting corporate info wander off premises with the
laptop, there's little point in ulcerating over the fact that the laptop is
a Centrino.

Nota bene: the whole issue of using the wifi adapters unsecured at airport
lounges is separate, and more serious. An article that really wants to
educate the reader might point out that this risk can be mitigated - disable
all shares, run a wifi firewall, etc. - but not eliminated. Instead, we are
warned that "... every wireless notebook represents a clear and present
danger to the security of your computer network". Sorry, as I reread this
quote I still find it hyperbolic.

> --
> 'ignorandus (Latin): "deserving not to be known"'
> -- Journal of Self-Referentialism