Expert lapse shows wireless security policy needed

Even the experts can fall victim to security lapses.

At the New Zealand Wireless Data Forum’s Convergence conference in Auckland in October a virus-infected laptop broadcast the Welcha worm over the conference’s wireless LAN.

“An exhibitor lent it to someone else, then picked it up the night before the exhibition and brought it in,” says John Martin, principal security specialist at Logical CSI.

“They didn’t do a virus check, it got infected and was put across the wireless LAN and started pinging, looking for hosts for the Welcha worm.”

Martin recounted the incident at a New Zealand Computer Society event last week as a cautionary tale about the need for rigorous security when running wireless LANs. “The boundaries of a wireless network are amorphous and formless,” he says. “They’re not fixed.”

Walls, people and weather can limit their range, but a 1Mbit/s link that goes 485m indoors will go a lot further outside, he says.

The security problems inherent in wireless LANs are a side effect of the ease with which they can be set up and it’s vital to develop a policy from the beginning. “Adding security afterwards means getting new equipment and redeploying the network.”

Organisations need to do a risk assessment and determine whether the benefits of having a wireless LAN outweigh the risks. “It’s also important to make sure the segregation between the wired and wireless networks is correct.”

WEP (wired equivalent privacy), the default security measure shipped with wireless LAN gear, can be easily breached by hackers.

Upcoming security measures, such as 802.11i, scheduled for ratification this year, offer greater protection, he says.