The recent security breach at a U.S. credit-card processing center put over 40 million accounts at risk of fraud . This event was quite shocking to many of usthe day-to-day users of credit cards. We expect a financial institution of this stature to be aware of security threats and their serious consequences as it processes very sensitive and important data. An organization of such a size should be able to employ a team of security experts. Indeed, researchers in IT security are very active [5, 9], and research papers in this area are abundant. We tend to believe that security experts in consumer finance organizations have adopted all possible measures and such breaches are highly unlikely. However, this event once again proved Murphy's Lawwhatever can go wrong, will go wrong.
Organizations with fewer resources are even more vulnerable than the above-mentioned processing center. The incident is a wake-up call for every company to review its security measures. The strength of a computer system's security is always measured by its weakest component. In most systems, the weakest components are the end users, particularly when they are accessing the corporation's databases with wireless facilities at home. The reasons are simple.
The strength of a computer system's security is always measured by its weakest component. In most systems, the weakest components are the end users, particularly when they are accessing the corporation's databases with wireless facilities at home.
Wireless routers have been available for several years, are extremely ease to install, and are inexpensivemost cost less than $100. A single router provides users with the following conveniences:
A seasoned application programmer with a master's degree who uses a wireless router at home recently expressed his belief that his connection was secure. It is not. If an application programmer puts his faith in myths, we cannot expect anyone with less computer knowledge to be aware of the security problems.
In theory, nothing can be 100% safe. Indeed, even if an owner tries to protect his/her house from burglary by installing good locks, determined thieves can still break in provided they have the right equipment and enough time. If they cannot break the lock, they can break the door, or a window, or drill a hole in the wall, dig a tunnel, use explosives, and so on. However, all of these methods will take more time and make more noise. Carrying more equipment will increase the chance the thieves will be detected or even arrested before or after the task. Rational thieves will compare the costs of these methods with the estimated valuables in the house. They might decide it is not worthwhile to break into the house provided the owner has the right degree of security.
Wireless communication is very similar to this scenario. However, while many users believe their "doors," at least, are locked, the truth of wireless communication is the doors are not even closed and are actually wide open [3, 10]. Intruders can simply walk in. A wireless router user might believe the following:
Most wireless routers have some security features. However, these features are optional and usually turned off. The installation of a router is quite easy, and the user can complete it within minutes. During the initialization process, a small installation program will ask them to type in the account name and password they use for their ISP. Users might believe they are protected by the password afterward; indeed, the account name and password are stored in the router. When the user turns on their computer, the router logs into the ISP automatically. The computer then communicates with the router directly and accesses the Internet through it. The router does not ask the computer to supply the account name and password again. As a result a hacker's computer can connect to the router without any knowledge of the account.
Hackers do not require specific hacking tools, as operating systems can find nearby routers and connect to them almost automatically. Hackers can then perform illegal operations such as hacking other computers, spreading viruses, organizing terrorist activities, and so on. They do not need to get into users' houses or plug in any cables. They might be sitting inside a car [1, 2, 6] parked on the road near a user's house. A hacker might also live next door with nothing more than a notebook computer and wireless LAN card. It is extremely difficult for users to detect this hacking process, as hackers do not need account names, passwords, IP addresses, or any identification to the ISP. It is impossible to trace them afterward.
Hacking can take place automatically if proper software is installed on the computer. For example, a hacker could leave a computer on in a van while masquerading as technicians from telephone or electricity companies. They do not need to stay in the van during the hacking processes. Antennas and amplifiers can extend the area of wireless coverage. A study  shows it is possible to attack a target from 20 miles away. This kind of hacking is more difficult to detect.
As the router is actually sending/receiving messages for the computers, it is impossible for the ISP to detect the number of users. This will create headaches for the users and governments. When the police come to the doors of the legitimate users, they will have a difficult time explaining what is going on. Governments will also have problems in identifying hackers from ISP records.
There is another illusion in the initiation process. Many routers have a default administrator account "admin" (with the same default password "admin"). Users can change the password or create a new account. They might believe this is another level of protection. Actually, this account is used only when users want to view or revise the settings in the router. Hackers do not need this piece of information to access the Internet through the router. This illusion only gives users a false sense of security.
As the security features are usually turned off, communications between computers and routers are transmitted in plain text. Messages can be intercepted easily. The hacker only needs an ordinary computer with a wireless LAN card to intercept the signal.
Many companies have developed applications that use Internet technologies as they offer many advantages. Employees can access the databases of the company with an Internet browser. Naturally, employees can also access the systems with their home computers so they can continue to work at home.
Such advantages are accompanied by additional risks. Many systems rely on only account names and passwords to authenticate users. If a hacker can obtain this information while a user is accessing corporate databases, every security feature installed by the corporation will fail and the unauthorized intrusion will go undetected.
Some corporations protect their log-in pages with SSL or similar techniques. Such traditional methods for wired communication can also be effective for wireless networks. The transmissions are encrypted if the corporation is using such techniques. Users might believe that further encryption is not necessary. However, they will also access Web sites that do not require high levels of security, and a patient hacker can obtain hints from these non-secured communications. For example, a user might use their favorite car model as a password. This word could be found in their communications as they frequently search for information about this model from the Internet.
It is common for users to have multiple accounts. Many Web sites providing free information also ask their readers to create new accounts. As these Web pages do not involve any money or confidential information, encryption techniques might not be used.
In theory, users should use different passwords (and account names) for different accounts. In practice, many people use the same password for multiple purposes as it is extremely difficult to remember all accounts and passwords. If account names and passwords are intercepted in unsecured transmissions, hackers can spoof users and break into company databases.
Even if users do use different passwords, it is still dangerous not to protect passwords for non-secured Web sites. By analyzing user communications, hackers can detect patterns in the composition of passwords. It is difficult for people to remember a combination of characters and numbers that have no meaning. A common practice is to take words and numbers that are familiar and combine them.
For instance, a user might choose the first four characters of his son's name (for example, "davi" from "David"), combined with the year of his son's birthday (say, 1992). To make it a little more difficult to crack, the user reverses the order so the final password is 2991ivad. This password is not bad because it is easy to remember and it does not use a complete word from a dictionary. However, an assiduous hacker will find out the pattern if the password can be intercepted. The hacker can then try the user's corporate account with his daughter's name and year of birth (by adding or subtracting a small number from the 1992 in the example). If this does not succeed, the hacker can try the name of the user's wife, or something similar. Hackers can obtain these pieces of personal information by monitoring the communications of the user and his family members. In other words, such information could help to minimize the number of trials needed to break into a computer system.
By eavesdropping on user communications, hackers can find out the users' favorite or frequently used words and Web sites. This kind of information can also speed up the hacking process. Thus, it is important to encrypt all communications even when there is no confidential information in Web pages.
Finding the executives of a target corporation is also easy. The names of executives can be found on their company Web sites. Sometimes there are even photos and brief biographies on the same page. Hackers can follow the executives' cars and find their residences easily. Armed with this knowledge, hackers are ready to carry out their jobs.
Security will never be perfect as hackers can always find new methods to crack systems.
Parents do not leave their babies in the jungle and expect them to protect themselves. Nevertheless, many organizations do not take care of the home Internet connections of their employees. The widespread use of wireless routers by employees is a threat to many computer systems.
There are many ways to attack wireless communication, so it is almost impossible to make it absolutely safe. There are also basic weaknesses in the technologies that are currently being used in most routers (for example, WEP [4, 5, 8]). However, we should force the hacker to invest more time and install more hardware/software for each attack. This will increase the hacker's risk of being caught. Corporations should urgently review their security, with the following measures easy to implement.
There are flaws  in the current security technologies of wireless routers. Security experts are proposing new standards [4, 5] to overcome these problems, but manufacturers can improve security in the meantime. Security will never be perfect as hackers can always find new methods to crack systems. Nevertheless, the following measures could be implemented quickly and easily.
Technology alone will never be able to solve all security problems. Enhancement of the coordination between employers, end users, and wireless facilities manufacturers is constantly required. Users should understand it is their obligation to protect their employers' computer systems by understanding the risks and appropriate countermeasures, and that it would be worthwhile investing their time in updating their knowledge. Employers and manufacturers should make this process as easy as possible. Indeed, common sense, constant vigilance, and up-to-date knowledge are the best weapons in the fight against hacking.
©2008 ACM 0001-0782/08/0200 $5.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2008 ACM, Inc.
No entries found