Perhaps the most OBVIOUS question you will ever see.

Curious George

Dear Colleagues:

For the life of me I don't know why I have to ask this question since the
answer is so obvious, however, I need to have others tell me that I am not
completely insane.

I work at a place where we have a myriad of wireless access points and NO, I
am not writing from there at present.

NONE of the wireless access points has any form of security on them
whatsoever. No WEP, no CHAP... no nothing. Everything is open so you
could walk into our joint, grab an IP address and surf the web to your
heart's content.

Here is the problem. My boss insists that it's "no big deal" and that since
the servers are on the inside and protected, we really don't have a thing to
worry about. Furthermore, my boss is under the impression that since we are
situated in a wide area, that nobody would be able to get into our network
because of this distance. Needless to say, my boss does not consider
somebody sneaking into a parking lot with a laptop, a good network card and
a directional bazooka antenna a possibility.

So here is what I have to explain to my boss' boss and, perhaps, the board
of directors... and here is where I can't help but laugh. I hope that I
will be able to keep a straight face come Monday when I have to explain
to people why it's important.

Okay, so I know the analogies. For example, I understand that not having a
secure wireless network with many WAPs and high gain transmission antennas
is the same as putting cables out to anybody within 'x' amount of yards with
a sign that says "free internet access", but since I am going to be asked
these obvious questions, just what type of damage could somebody do?

Yeah, I know about denial of service attacks, yeah I also know about
enumeration and password guessing, but considering that we have an SQL
server on the inside of our network (no, the sa account password is not
null) what are we talking about?

I can envision so many things. Like somebody just sitting there capturing
packets to get things like usernames, passwords and the like, but come on...
what else could they do?

I have read my boss the riot act many times, but this is now going to go in
front of somebody over my boss' head, so, aside from giving them worst case
scenarios, end of the world analogies, etc., how else could people break in.

Creative responses are appreciated and will be rewarded with much praise.

I can't believe that I have to actually explain this to people, and this
entire thing would last about two seconds when it comes to talking with a
computer professional, but you see, my boss is under the impression that
they are a computer professional because they received a Master's degree in
Comp Sci back in the 80's. I know that this line of thinking is dangerous,
but I really want some creative answers to put my point across strongly, and
yet professionally.

Although I realize that this post will likely be the butt of many jokes
(which I will appreciate immensely) I nevertheless would appreciate a bit
of useful information in your responses.

I am going to have a serious drink now, and then bang my head against the
wall.

Thanks in advance,

CC
 
Roger Abell

Being a bit flippant just now, but why not suggest that, if they are
so sure of their "beliefs", you just post the address of the parking
lot here. I am sure there are some within driving distance reading
the newsgroups.

Let's see, your industry - it has confidential client info? it has
trade secrets? it has government imposed data privacy/security
regulations? it has a revenue stream that depends on uptime?

Those are some of the things in the vault.

Now, you are asking us, how can I explain without explaining,
to the boss' boss, that having those things in the vault is not all
that good if no one shuts the door and spins the tumbler enough.

That's what you are asking?
 
Massimo

I am going to have a serious drink now, and then bang my head
against the wall.

That's definitely the best thing you could do, other than banging your
boss's head against the same wall. Or smashing it with a (big) hammer. Or
something else, equally destructive.
Seriously: the best explanation you can give is the most straightforward one, i.e.
they're actually giving away full access to the internal network for free to
anyone who is skilled and close enough to use it. Tell them anybody could
guess a user's password (or sniff it) and have full access to his/her files,
tell them anybody could download porn movies from the Internet using your
bandwidth, tell them everybody could use your mailserver to send fake mail
worldwide.
Best of all, tell them you're not going to be held responsible for any
access violation happening through the unprotected wireless network, and so
if they really want to use it, they'll have to sign you a paper saying
they're fully aware of the security implications you pointed out, but still
wanting to do it. At least, you'll not be risking anything personally.

Massimo
 
Bigbruva

Might I suggest a different tack.

Simply send them a memo or email explaining in simple non-inflammatory terms
that by having an unprotected wireless network they are exposing all the
data on that organization's network to a serious risk. You understand that it
is not your place to set the network strategy for the whole company but you
do feel that it is important to highlight these issues before a security
breach occurs.

Then leave it at that; if you push too hard you could be out of a job!
However, if your boss does nothing after that memo and you are later hacked,
he will be the one out of a job while you will probably be first in line for
his post :)

Good luck, either way

BB
 
Joe Richards [MVP]

First off, I think you cross-posted this a bit excessively. Bad etiquette.

Second off, you are being far too flippant about this I think. You could be
terminated on your attitude probably all on its lonesome. How you proceed is
entirely up to your thoughts on how you feel about your job. Attacking your boss
generally isn't a way to form a career somewhere. At the very least it puts you
in a hostile environment that isn't fun to work in.

Finally, the number of ways you could be compromised varies. It is possible,
however unlikely, that you guys are actually locked down to the point that this
could be safe. Again, I think it is unlikely given the impression I have of the
technical knowledge and security consciousness the company appears to have. But it
isn't entirely impossible.

I think the most effective way to handle this would be to go and get your own
laptop, don't use any work resources whatsoever, and drive around the location,
do not trespass onto the property, stick to publicly accessible areas and try to
pick up the connection. If you do connect, try various things, such as network
sniffing, etc to find what others would find. Do a network scan (based on the IP
address you get from DHCP) and see if you can find machines with services
available, SMTP would be a really good one to find. DO NOT use your knowledge of
the environment to just go straight to an SMTP server you are aware of. Now try
to send an anonymous email to some external email address that you have.
Possibly try to scan for machines with open shares or mounts that allow you to
read unauthenticated or write unauthenticated. Look for any SQL servers with
blank SA accounts, etc. Again do all of this without using any knowledge you
have of the environment, if you don't think you can, have a friend do it and
don't give them any hints.

Now if you are successful, this is a great example that anyone will understand.
Walk your BOSS out to where you were, use your non-work laptop and walk through
the process you used previously. As a finale, send an email to your boss from
his boss or the president of the company or something like that with your boss
standing there watching you. If he doesn't get the picture, and you really feel
you need to, do this with your boss's boss or whomever.

Basically try to convince your boss to be your ally and to do that, you need to
prove that there is an issue.

Now there is one thing you need to do before this. I doubt you do, but if you
have a security group, you need to alert them that you are going to do this.
Explain why you are doing it. Again I doubt you have that in place. So what you
do in that case is ask your boss if he minds if you test the security and try to
do what it is that you think can be done. This is a key step; if you don't do
it, you could find yourself getting in trouble for doing it, since a big part of
the whole thing is publishing to your superiors that you did it to prove the point.


joe
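A worked version of the parking-lot test Joe describes above, which also covers Massimo's point about the mail server: derive the scan range from whatever the access point's DHCP hands out, sweep it for the services an outsider would look for (mail, Windows file sharing, SQL Server), and, for any mail server found, ask it whether it would relay for an outside address without actually sending a message. This is example code added to this thread, not anything posted by the participants; the lease address, netmask, port list and the test addresses are constructed assumptions. Run it only with the permission Joe says to get first.

```python
"""Parking-lot test: scan range from a DHCP lease, service sweep, relay check.

Example added to this thread (not from the original posts).  The lease,
the port list and the e-mail addresses below are constructed assumptions.
"""
import ipaddress
import smtplib
import socket

# Services the thread singles out.  Assumed port list; extend as needed.
INTERESTING_PORTS = {25: "smtp", 139: "netbios-ssn", 445: "smb", 1433: "mssql"}


def hosts_from_lease(ip, netmask):
    """Return the addresses implied by a DHCP lease (ip + netmask or prefix
    length), excluding the lease address itself.  This is all an attacker
    learns from the lease, and all they need to start sweeping."""
    net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    return [str(h) for h in net.hosts() if str(h) != ip]


def probe(host, ports, timeout=0.5):
    """TCP connect scan of one host.  Returns {port: service_name} for every
    port that accepted the connection; closed/filtered ports are skipped."""
    found = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found[port] = INTERESTING_PORTS.get(port, "unknown")
        except OSError:
            continue
    return found


def sweep(hosts, ports=tuple(INTERESTING_PORTS), timeout=0.5, max_hosts=256):
    """Probe each host in turn; return {host: {port: name}} for hosts with
    at least one open port of interest.  max_hosts keeps a stray /16 lease
    from turning this into an all-night scan."""
    results = {}
    for host in hosts[:max_hosts]:
        hits = probe(host, ports, timeout)
        if hits:
            results[host] = hits
    return results


def relay_check(host, sender, recipient, port=25, timeout=5):
    """Ask an SMTP server whether it would relay mail from `sender` to an
    external `recipient`.  The dialogue stops after RCPT TO and is reset, so
    no message is ever queued.  True means the server accepted the recipient
    (an open relay from this network position); False otherwise."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(sender)
        if code != 250:
            return False
        code, _ = smtp.rcpt(recipient)
        smtp.rset()  # abandon the transaction: nothing is sent
        return 200 <= code < 300


if __name__ == "__main__":
    # Constructed lease; replace with what the open AP's DHCP actually gives you.
    lease_ip, lease_mask = "192.168.1.57", "255.255.255.0"
    targets = hosts_from_lease(lease_ip, lease_mask)
    print(f"{len(targets)} addresses to sweep from lease {lease_ip}/{lease_mask}")
    for host, hits in sweep(targets).items():
        print(host, hits)
        if 25 in hits:
            # Assumed external addresses; the sender is deliberately not yours.
            print("  relays for outsiders:",
                  relay_check(host, "test@example.com", "someone@example.net"))
```

If the sweep shows the wireless lease sits in the same range as the internal servers, that is the "your firewall does not exist for anyone within range" point made later in the thread; if it shows only the gateway, the segment is at least isolated and the remaining exposure is the Internet access itself.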
 
Colin Nash [MVP]

Curious George said:
Dear Colleagues:

For the life of me I don't know why I have to ask this question since the
answer is so obvious, however, I need to have others tell me that I am not
completely insane.

I work at a place where we have a myriad of wireless access points and NO, I
am not writing from there at present.

NONE of the wireless access points has any form of security on them
whatsoever. No WEP, no CHAP. . . no nothing. Everything is open so you
could walk into our joint, grab an IP address and surf the web to your
heart's content.

The only way that I could start to see this from your boss' perspective is
if they treat their whole wireless network as a DMZ and keep it firewalled
off from the rest. If not, then hmmmm...

It doesn't make sense, because even moderate security like WEP or WPA
doesn't really cost a lot or require incredible effort to implement.
Neither are perfect but at least it would be a start.
 
S. Pidgorny

I'd just demonstrate why that is a big deal. If you have servers that are
not totally secured, if you see applications credentials and data sent in
clear and available to a guy in the parking lot - that will make the things
a big deal.

Until you show that the risk is actually a vulnerability, that will be just
a risk - and the risk seems to be accepted by the business. For now.
 
tarquinlinbin

Dear Colleagues:

For the life of me I don't know why I have to ask this question since the
answer is so obvious, however, I need to have others tell me that I am not
completely insane.
I wouldn't bother; if they know best, let them take the consequences. In
my experience, if you try to do a good job, you are no better thought
of. Your boss or someone higher up always knows best.
Remove antispam and add 670 after bra to email

Be a good Global citizen-CONSUME>CONFORM>OBEY

Circumcision- A crime and an abuse.
 
Patrick J. LoPresti

Here is a somewhat contrarian opinion.

First of all, relax a little. This is not that bad if you have the
sort of internal access controls which you ought to have anyway.

A wireless attacker cannot "sniff" anything except other wireless
traffic. Packets to and from machines on the wired network are not
sent over the wireless, period. In order to sniff most of your
traffic, the attacker would need to compromise a machine on the
internal network. And even then, a switched network (like most are
today) would make sniffing useless.

And even the most basic Windows authentication mechanisms do not send
passwords in the clear.

A wireless attacker has the same access as an employee who has
forgotten his password; no more, no less. So he can probably browse
the Internet, send objectionable mail originating from your network,
try to guess passwords, seek out unpatched security flaws on internal
systems, and so on.

But if you are a serious network admin, you should already be
preventing (or at least noticing) any of these. By far the most
widespread and expensive security compromises are inside jobs. They
do not make the newspapers because they are not "sexy" and companies
do not like to publicize them. But disgruntled or curious employees
are the biggest threat you face, and if your network is secure against
them, it will be secure against a wireless attacker.

That said, it is certainly not considered best practice to have an
unsecured wireless access point behind your firewall, because you
might as well not have a firewall. Which is actually how I would
argue this to management: For anybody within range, your firewall does
not exist.

On the other hand, unsecured access points in a DMZ are not uncommon.
Many companies find that the convenience of easy binding to the
wireless network (especially for visitors) is worth the cost/risk of
providing free Internet access to anyone nearby.

- Pat
 
Martin

Colin said:
The only way that I could start to see this from your boss' perspective is
if they treat their whole wireless network as a DMZ and keep it firewalled
off from the rest. If not, then hmmmm...

Even then, if the wireless part has an unprotected internet connection
there are other possibilities.

How about someone running their own SMTP server sending spam out through
the company's router? Or someone downloading child porn through the
company's router (try explaining that one to the FBI, or then to the boss
when they 'borrow' every single computer to audit them)?
It doesn't make sense, because even moderate security like WEP or WPA
doesn't really cost a lot or require incredible effort to implement.
Neither are perfect but at least it would be a start.

I agree with you. Crazy for the OP's company to even argue about it.
 
Ray

Actually, this is a good thing. It means you have impressed upon your boss
that there is some issue and he wants you to present it to his superiors,
who may be non-technical. Most people think that everything is secure out of
the box, like buying a Ford car and knowing that other Ford car keys cannot
open your locks.

The people you will present to apparently have the authority to provide
money to fix the problem, and if your boss didn't think you had a valid
issue and were capable of presenting it professionally and at their level,
you would never get past him.

Ray
 
Mark Gamache

George,

I used to work for a WISP that used 802.11. I think your boss would be
amazed at how far off I can be and still connect to your network. If you
have a wireless network, you have to assume that the RF is not secure unless
you do in-depth RF planning, a survey and remediate with RF absorbing paint
and what not.

It sounds like your boss is lazy and doesn't want to deal with the issue so
he's throwing out any old argument. It's really as simple as this: Either
protecting the data is important or it's not. His argument says that it's
not, so why not take down your firewall and publicly address your entire
organization?

As for what a hacker can do... Absolutely anything that an authorized user
can do. You seem flippant about gathering usernames and passwords, but this
is easy and from there one can use the stolen privileges to wreak havoc.
Unless your VPN solution requires a certificate that can't be acquired from
the outside, a hacker just needs to get a single username and password combo
to get in to your core network.

If your accounting system uses direct wire transfers for bill payments, that
is at risk. One could open up a dummy bank account, and create a new vendor
in your system and initiate a transfer to the account.

I guarantee that a hacker can read your CEO's email and send email as your
CEO. The social engineering power of sending an email as your CEO is
enormous.

Your CEO probably uses the same password for his network logon as he does
for his electronic banking... Once a hacker has access to that, your
identity is toast.

Customer data... I'm not sure your industry, but if you store any customer
financial data such as credit cards, that is exposed.

The list is never ending...
 
Curious George

Dear Colleagues:

In all of my years of posting to newsgroups I would have to say that the
responses you all provided me are among the best I have ever seen. I thank
you all so very much for your advice.

To those of you who mentioned my excessive cross-posting, please accept my
apologies but this total lack of security is something that has given me
nightmares.

To those of you who suggested that I publish the address of one of our
parking lots, I would like to, if anything to prove a point, however, being
that I am the poor slob who would be called upon to remedy the problem (and
likely be the one who is blamed) it's not advisable.

Now, without going into much fanfare (and to better respond to those of you
who inquired), my boss is one of those people who thinks they know it all.
My boss is a teacher and we are a school and every time that I have
suggested that we secure our wireless network, my boss rolls her eyes as if
I were crying wolf. The people who installed our WAPs said that we should
have some type of security in place, but her thing is all about what happens
if somebody comes in with a laptop and cannot connect. Of course I said
that such a person would have to visit the IT department, but this has
fallen upon deaf ears.

The biggest problem is not with the fact that my boss knows precious little
about managing a network and that the last time she was involved in any form
of network management was sometime back in 1985, it is because she is
adamant about her technical knowledge. It does not matter if 99% of the
industry believes in something (for example, having SDLT tape backup
devices) its what she thinks works and does not. In short, she is
completely ignorant.

To be clear, I have no qualms about having a woman boss. What I have a
problem with is somebody who is so adamant that they are right and I am
wrong that it seems that no matter what I say, she will go against it.
There are more issues here than meet the eye, but I had to draw the line
when it came to the integrity of our data, not to mention what could happen
if the wrong person got in.

For those of you who mentioned that I should tread carefully, thank you. I
already have my resume and cover letter updated for even if they turned
around and changed all of the things that are totally wrong and dangerous, I
cannot stay in the sort of environment where our administrators take the
advice of somebody who clearly has precious little technical knowledge over
the advice of somebody who comes in with recommendations from a plethora of
experts.

This being said, I thank those of you who graciously contributed to this
thread and apologize to those who feel that my cross posts were excessive -
regardless of these complaints, those of you who took issue with my
crossposting also contributed good advice nevertheless.

Thank you so very much for your time and advice.

Curious George
 
R Hughes

I would suggest you first prove your suspicions by doing exactly what you
are afraid others might do - take a laptop to the parking lot and email your
boss via one of your company's wifi networks, then do it again with a
company security guard as witness. Then let your company's security dept
handle the problem.
 
Mercury

Ahhh. No, that won't help really.

Talk to the board in terms they understand: Money and litigation when data
goes astray.

Illustrate how the company can lose money, customers, reputation if data is
lost.

Talk about competitors gaining secret data - documents etc.

Talk about liabilities for insider trading.

Don't for a moment mention anything technical. You will be talking to a
brick wall if you do.

Most directors know little about computers.

Suggest an IT security audit. If they baulk - say that the problem is so
severe you know what the issues are.

Speak in terms of
Any disgruntled ex employee.
Anyone walking down the street.
Competitors,
Criminals.

Above all pose as a responsible person - you may have to gain credibility
and trust first - demoing a hack will do the opposite.

Prepare a plan of what "I would expect IT auditors would recommend".

HTH
 
