Beating the Snoops

(2 of 2)

Most wireless handheld devices that communicate digitally include built-in encryption. More vulnerable, however, are the new Wi-Fi networks that allow wireless access within short ranges. The problem with these remarkably convenient wireless local-area networks (wlans) is that the range is not short enough. As with the Seattle conference-hotel wlan, anyone with an inexpensive wireless card can access wireless networks from as far as 500 yds. away. Owing to the ease with which they can be installed, wireless networks are among the few tech sectors that continue to grow, according to the Gartner research firm, which estimates that wlan shipments will rise 73% in 2002, boosting sales to nearly $2.8 billion.

When wireless networks were first introduced, they included an encryption protocol known as wep, for wired equivalent privacy. Within months of that protocol's release, however, University of Maryland computer scientist William Arbaugh and his graduate assistant Arunesh Mishra discovered a weakness that allowed a hacker to invisibly jump ahead of an authenticated user after that user had logged in. Shortly after the two published a paper on their findings, two shareware programs, WEPCrack and AirSnort, were released freely online, allowing even the most unsophisticated hacker to break through wireless protocols. The weakness was eventually fixed by RSA Security, the leading encryption company, but many wlan users have failed to upgrade their security, because they weren't aware of either the problem or the solution.

Often out of simple sloppiness IT departments don't take the time to enable the encryption protocol available to them. Last year RSA Security researchers found that 67% of the wlan signals they picked up driving through the streets of London did not have encryption protocols activated.

This is a rookie mistake, committed most often by small businesses, but it has also been made by companies and institutions that ought to be more careful. Last month Computerworld magazine surveyed several U.S. airports and found that Northwest Airlines' wireless server at San Francisco International Airport and the system in Chicago supporting O'Hare airport's Xray machines were sending unprotected signals into the ether. Northwest admitted the oversight. O'Hare officials declined to comment.

Effective data security requires users to take extra measures — such as carrying around a token that generates random pass codes — that busy people often resist. Bruce Schneier, founder of Counterpane Internet Security, based in Cupertino, Calif., says he has seen too many hackers find too many ways around cryptography to place absolute faith in it or any other security system that doesn't involve constant beat-cop-style policing of networks. Security experts say every layer of security, properly installed, closes off one more avenue through which hackers can access important information. It's a cat-and-mouse game that can never be won once and for all. But at the moment, some of the cats in IT are setting out pretty impressive traps.