iApplianceWeb.com

Security Sentinel:

It ain't the user who is ignorant, folks...

Toni McConnel

iApplianceWeb

(1/30/06, 2:24 PM GMT)

The reason we have so much trouble with spyware and trojans and worms is that system designers and security people think end users are more technologically savvy than we are, and so they leave a lot of security decision-making up to us.  “Don’t leave Wi-Fi or Bluetooth turned on in your cell phone or laptop when you are in a public place”, they warn. If the user is unaware of this necessity, or knows about it but forgets to do it, an attack on their laptop is chalked up to “user ignorance”.  Not poor protocol or user interface design, dear reader, oh no. User ignorance. 

It doesn’t seem to occur to any of the people making such judgments that the end user shouldn’t have to be an expert in security.  Just because you drive a car doesn’t mean you have to be a mechanic.  Why should a computer user be required to protect herself from attacks through a Wi-Fi or Bluetooth connection on her laptop when she’s in a public place?  Automobiles are designed so that when gas or oil gets low, a gauge in the "control panel" notifies the driver.  Why doesn’t the Wi-Fi and Bluetooth software on the laptop include a function that reminds the user to turn the radios off when no user-initiated activity has been detected for a certain number of minutes? 

I'm prompted to do a rant on this topic because recently there has been a buzz in security bulletins that the wireless client built into Windows XP (Microsoft’s 802.11 Wireless Network Connection) has a vulnerability that lets an attacker attach to a laptop through an ad hoc network created without the user’s knowledge.  (Many news items state that this vulnerability has just been discovered, but in fact Air Defense made note of it in a white paper they published prior to this publicity.)   

An ‘ad hoc’ network (an independent basic service set, or IBSS, in 802.11 terms) is a peer-to-peer wireless network in which computers transmit directly to one another without going through an access point such as a wireless router.  The range of such connections is typically a hundred feet or so indoors and a few hundred feet outdoors, although this varies greatly with local conditions and can be extended greatly with an antenna. 

Here’s how it works:  Every Wi-Fi network has a Service Set IDentifier (SSID), a name of up to 32 bytes.  It is not carried in every packet: an access point announces it in its beacon and probe-response frames, and a client names it in the probe requests it sends while looking for a network and in the association request it sends when it joins one.  All devices on a given network use the same SSID, and a client with no authentication configured recognises "its" network by that name alone.   

The default SSID is typically set at the factory to the router or other access-point vendor's name, such as "linksys”, and the average user doesn’t bother to change it, probably never realizing that s/he can accidentally connect to any other wireless-enabled computer or device that also advertises the default SSID “linksys”.  That's a somewhat oversimplified version of the vulnerability, but it is why you sometimes find yourself connected to the network in the house across the street or the office down the hall, and unless you monitor your network connections, you might not even know it. 

Now imagine that you are using your laptop at the public library or in a restaurant or airport.  Once you boot up, if you have not turned off your WLAN in the taskbar, your laptop starts probing for the networks on its preferred list, primarily looking for its own access point (let's say the Linksys router).  It is quite likely that at least one other laptop in range, perhaps several, also has “linksys” on its preferred list.  When your laptop can't find its access point, Windows XP's wireless client puts the adapter into ad hoc mode and begins advertising “linksys” itself, and any other laptop that prefers “linksys” and is allowed to join ad hoc networks says “Hi there!” to it, innocently thinking that this neighbor is a member of its family.  Collectively, these computers (including yours) constitute an ad hoc network.  If one of them happens to be driven by an attacker looking for a victim, you’re in big trouble. 
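To make the SSID mechanics above concrete, here is an added example; it is not part of the original column and not vendor code.  It parses raw 802.11 beacon, probe-request and probe-response frames, pulls out the SSID element, and uses the Capability Information bits to tell an access point's beacon (ESS) from an ad hoc station's beacon (IBSS).  It goes slightly beyond the text: the final function is the check a wireless monitor would run over captured frames to spot a stranger advertising your home SSID as an ad hoc network.  The frames are constructed inside the script, and it assumes raw frames with no radiotap header and no trailing FCS.

```python
"""Parse 802.11 management frames that carry an SSID (beacon, probe
request, probe response) and flag ad hoc (IBSS) networks advertising an
SSID we care about.

Added example with constructed frames; not captured traffic and not
vendor code. Assumes raw 802.11 frames (no radiotap header, no FCS)."""
import struct

# Management-frame subtypes whose body carries an SSID element.
MGMT_SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}

# Capability Information bits in beacons and probe responses.
CAP_ESS = 0x0001   # infrastructure: sent by an access point
CAP_IBSS = 0x0002  # independent BSS: sent by an ad hoc station


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body):
    """Tagged parameters: 1-byte element ID, 1-byte length, value."""
    ies = {}
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break  # truncated element; stop instead of mis-parsing
        ies.setdefault(eid, value)  # keep the first copy of a repeated ID
        i += 2 + length
    return ies


def parse_mgmt_frame(frame):
    """Return a dict describing the frame, or None if it is not one we parse."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 MAC header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        return None  # data/control frame, or a management subtype without SSID
    sa, bssid = mac_str(frame[10:16]), mac_str(frame[16:22])  # addr2, addr3
    body = frame[24:]
    mode = "n/a"  # probe requests have no capability field
    if subtype in (5, 8):
        if len(body) < 12:
            raise ValueError("truncated fixed parameters")
        # fixed fields: 8-byte timestamp, 2-byte beacon interval, 2-byte capability
        (cap,) = struct.unpack_from("<H", body, 10)
        mode = "ad hoc" if cap & CAP_IBSS else "infrastructure" if cap & CAP_ESS else "unknown"
        body = body[12:]
    ssid_raw = parse_ies(body).get(0, b"")
    ssid = ssid_raw.decode("utf-8", "replace") if ssid_raw else "<hidden/wildcard>"
    return {"kind": MGMT_SUBTYPES[subtype], "sa": sa, "bssid": bssid,
            "ssid": ssid, "mode": mode}


def build_frame(subtype, sa, bssid, ssid, cap=None):
    """Constructed frame for the example (not a capture)."""
    header = (bytes([subtype << 4, 0]) + b"\x00\x00"    # frame control, duration
              + b"\xff" * 6 + sa + bssid + b"\x00\x00")  # DA=broadcast, SA, BSSID, seq
    body = struct.pack("<QHH", 0, 100, cap) if cap is not None else b""
    body += bytes([0, len(ssid)]) + ssid      # SSID element
    body += bytes([1, 1, 0x82])               # supported rates: 1 Mbps (basic)
    return header + body


def rogue_adhoc_alerts(frames, watched_ssids):
    """Frames that advertise one of our SSIDs as an ad hoc network."""
    alerts = []
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed and parsed["mode"] == "ad hoc" and parsed["ssid"] in watched_ssids:
            alerts.append(parsed)
    return alerts


# Constructed scenario: the home router, a stranger's laptop advertising
# the same default SSID in ad hoc mode, and our own laptop probing for it.
ROUTER = bytes.fromhex("001a2b3c4d5e")
STRANGER = bytes.fromhex("00aabbccddee")
SAMPLE_FRAMES = [
    build_frame(8, ROUTER, ROUTER, b"linksys", CAP_ESS),
    build_frame(8, STRANGER, bytes.fromhex("02aabbccddee"), b"linksys", CAP_IBSS),
    build_frame(4, bytes.fromhex("001122334455"), b"\xff" * 6, b"linksys"),
    b"\x08\x00" + b"\x00" * 22 + b"payload",  # a data frame: ignored
]

if __name__ == "__main__":
    for hit in rogue_adhoc_alerts(SAMPLE_FRAMES, {"linksys"}):
        print(f"ad hoc '{hit['ssid']}' advertised by {hit['sa']} (BSSID {hit['bssid']})")
```

Note the one thing the parser cannot do: a beacon that says "linksys" with the ESS bit set looks exactly like the home router, which is the point of the "spoofed access point" problem discussed later in the column.  The SSID identifies a network; it does not authenticate it.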

Aside from the obvious wisdom of changing the SSID to something unique and hard to guess, the simplest solution is, whenever you are using your laptop in a public setting, to simply turn off both WLAN and Bluetooth by right-clicking on the wireless icon in the taskbar and clicking on "Turn WLAN off" and "Turn Bluetooth off" (the exact labels depend on the wireless vendor's software).   

But although I am a fairly computer-savvy person, I am not likely to remember to do this.  I have other priorities on my mind when I boot my laptop in the airport.  And I can guarantee you that my Uncle Ralph, who has trouble operating an electric can opener, will not remember to do it.  The best solution for him is to make sure his wireless connectivity settings won't allow intrusions. 

So zeroing in on the recently publicized Wi-Fi vulnerability, and assuming Uncle Ralph is running Windows XP on his laptop, here's what security experts expect him to do to protect his system from accidentally connecting to an ad hoc network: 

(1)  On the Start Menu, move cursor over Connect to and click on the wireless connection displayed in the subwindow. 

(2)  Under the General tab in the window that opens, click on Properties.

(3)  In the next window that opens, click on the Wireless Networks tab.  Hopefully, only one wireless network shows as active.  If there's more than one, Uncle Ralph will not know which one to choose.

(4)  In the bottom half of the window, click on Advanced button.

(5)  In the window that opens, there are three choices with radio buttons:

          *Any available network (Access point preferred)

          *Access point (infrastructure) only

          *Computer-to-computer (ad hoc networks) only

(6)  Click on the radio button for Access point (infrastructure) only.

Then click Close (7), OK (8), and Close (9) on the three open windows. 

That's a nine-step process, folks. 

I will have to get on the phone and guide Uncle Ralph through this process step by step.  Left to himself to follow instructions he will only get if I send them to him, he will give up in confusion and frustration by the time he reaches window number 3. 

Is my Uncle Ralph stupid?  No.  He's a successful CPA and head of his own accounting firm, fercripesake.  Expecting him to figure this out for himself is like expecting him to know how to set the timing in his SUV.  In either case, he shouldn't have to know how.   And how is he even supposed to know he should do this in the first place?  Nothing in the system warns him of the risk, folks.  He doesn't even read this column by his very own niece; should we expect him to go looking for security bulletins and read them? 

And this is only the first layer of defense against a Wi-Fi intrusion, because the Access-point-only setting still trusts any access point that advertises his preferred SSID.  An attacker can easily spoof one, and Uncle Ralph's laptop will associate to it just as happily even if U.R. has managed to find his way to the right window and choose the Access-point-only option. 

He needs to set up authentication--yet another window--and encrypt his WLAN with WPA (Wi-Fi Protected Access) or WPA2.  This requires Uncle Ralph to know he should do this in the first place, know how to get to these windows, and know what choices he should make when he gets there.   

How is he supposed to know this?  Even if he somehow finds out he should change his SSID setting to an uncommon set of alphanumeric characters not easily guessed, and even if he somehow finds out he should set up security for his WLAN and he manages to get to the right place, when he gets there he has to choose between Open, Shared, WPA, and WPA-PSK for network authentication (huh?), and then he has to make a choice between TKIP and AES under Data Encryption (huh? huh?).  For the record, the answer for a home network is WPA-PSK (or WPA2-PSK where it is offered) with AES, and the router has to be set to match; nothing in the dialog tells him so.   

There are no guidelines for making these choices linked to these windows, and although instructions exist in Windows Help and Support, it takes navigating through menu after menu to find them, and when you do find them, the instructions are detailed and complicated and absolutely daunting to a computer novice.  So even if my Uncle Ralph gets there, at this point he is going to say "Forget it!" and get on with his life. 
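The nine-step dialog above and the authentication and encryption choices just described are the same settings seen through different windows, so one audit covers both.  The following added example (not Microsoft's code and not from the original column) reads saved Wi-Fi profiles in the XML format that Windows Vista and later export with netsh wlan export profile, and reports the settings this column warns about: an ad hoc (IBSS) connection type, open or WEP/TKIP security, and automatic connection.  It goes beyond the column's Windows XP case, whose Wireless Zero Configuration has no such exporter; there the dialog remains the only route.  The sample profiles are constructed in the script; the element names follow the WLAN profile schema (namespace http://www.microsoft.com/networking/WLAN/profile/v1).

```python
"""Audit saved Wi-Fi profiles (Windows WLAN profile XML, Vista and later)
for the settings this column warns about: ad hoc connection type,
open/weak security, and automatic connection.

Added example with constructed profiles; not Microsoft code."""
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# The client-side authentication settings a home user should end up with.
STRONG_AUTH = {"WPAPSK", "WPA2PSK", "WPA", "WPA2"}


def _text(root, path):
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def audit_profile(xml_text):
    """Return (profile name, list of findings); an empty list means it looks fine."""
    root = ET.fromstring(xml_text)
    name = _text(root, "w:name")
    ctype = _text(root, "w:connectionType")   # ESS = infrastructure, IBSS = ad hoc
    cmode = _text(root, "w:connectionMode")   # auto or manual
    auth = _text(root, "w:MSM/w:security/w:authEncryption/w:authentication")
    enc = _text(root, "w:MSM/w:security/w:authEncryption/w:encryption")
    findings = []
    if ctype.upper() == "IBSS":
        findings.append("ad hoc (IBSS) profile: any peer advertising this SSID is accepted as the network")
    if enc.lower() in ("", "none"):
        findings.append("unencrypted and unauthenticated: anyone advertising this SSID can be the network")
    elif enc.upper() == "WEP" or auth.lower() in ("open", "shared"):
        findings.append(f"WEP-era security ({auth}/{enc}): the key is recoverable; use WPA-PSK or WPA2-PSK with AES")
    elif enc.upper() == "TKIP":
        findings.append(f"TKIP cipher ({auth}/{enc}): prefer AES")
    elif auth.upper() not in STRONG_AUTH or enc.upper() != "AES":
        findings.append(f"unrecognised setting ({auth}/{enc}): review by hand")
    if cmode.lower() == "auto" and findings:
        findings.append("connects automatically: the above happens without the user doing anything")
    return name, findings


def audit_profiles(xml_texts):
    """Map profile name -> findings, for profiles with at least one finding."""
    return {name: f for name, f in map(audit_profile, xml_texts) if f}


def profile_xml(name, ctype, cmode, auth, enc):
    """Minimal WLAN profile document, constructed for this example."""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="{NS['w']}">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>
  <connectionType>{ctype}</connectionType>
  <connectionMode>{cmode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""


SAMPLE_PROFILES = [
    profile_xml("linksys", "IBSS", "auto", "open", "none"),      # the column's scenario
    profile_xml("Coffee", "ESS", "auto", "open", "none"),        # open hotspot, auto-join
    profile_xml("Office-old", "ESS", "manual", "WPA", "TKIP"),   # WPA v1 with TKIP
    profile_xml("Home", "ESS", "auto", "WPA2PSK", "AES"),        # what Uncle Ralph should have
]

if __name__ == "__main__":
    for name, findings in audit_profiles(SAMPLE_PROFILES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

On a Vista-or-later machine, export the real profiles with `netsh wlan export profile folder=C:\wlan key=clear` and feed the files' contents to audit_profiles.  A flagged profile can be switched to infrastructure-only and manual connection with `netsh wlan set profileparameter name="linksys" connectionType=ESS connectionmode=manual`, which is the command-line equivalent of the nine clicks above; the authentication and cipher still have to be fixed on both the laptop and the router.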

There are millions and millions of Uncle Ralphs out there.  He is by far the most typical user of computers. 

Considering how long Microsoft has been churning out versions of Windows, it's way past time to reasonably expect that when you right-click on that wireless icon in the taskbar, the three options for network connection settings should appear right along with the option to turn off WLAN and Bluetooth completely, and there should be a reminder about security with a link to a SIMPLE means of setting it up in a single window with a help button by every choice to be made.  What is this nine-step bullspit?  And where is the taskbar popup balloon that gives notice when there is activity on the network not initiated or approved by my Uncle Ralph?   

No one can convince me that if Uncle Ralph becomes the victim of an attack via WiFi it is because of "user ignorance".  It is because of incompetent user interface (UI) design. 

Toni McConnel is executive editor of iApplianceWeb and a freelance technical article ghostwriter.  She is also a nature writer and photographer, bon vivant and raconteur.  Your comments on this column can be sent to her by email: Toni TechRite-Associates com.  You know what to fill in where.




Copyright © 2004 Appliance-Lab