Low-tech, high-tech crime

I recently read a “real-world” incident that provides a useful case study of what to do — and what not to do in securing data.

The Jerusalem Post ran a story about a victim of a security breach, which was an Israeli bank. Given the importance of security to banks in general and the overarching importance of security in Israel, it was a surprise to say the least.

It seems that someone had broken into a bank one night and wasn’t caught. Officials, at the time, were relieved to find out that nothing was missing.

What they didn’t think to consider was that the purpose of the break-in was not to take something out — but to put something in.

The burglar cleverly sought out a wiring closet and installed a simple wireless LAN (WLAN) access point. Pretty low tech for a high-tech crime.

With the access point in place, our “entrepreneur” was now literally “plugged in” to the bank. He was able, apparently, to get on the network — and, the bank didn’t notice.

This burglar was brazen, with the range of the wireless signal limited, he had to do his hacking nearby. So he dreamed up a phony business and rented office space close enough to reach his access point.

He broke into the system and transferred money to accomplices, got a bit too bold, got caught and now is behind bars.

But why did this happen at all when there are so many ways to prevent such incursions?

Since we know he broke into the system and no “insiders” were mentioned, he must have broken a password. If the bank still used some type of shared (hub) technology, he could do that just by monitoring the network. Or maybe the bank didn’t insist on strong passwords and he ran a dictionary attack until he got in.

Even with that, though, if the bank had implemented a basic two-factor authentication — SmartCard — a cracked password would have done him no good.

By now, any WLAN providers reading this have already mumbled “rogue access point detection” to themselves. Of course, that would have saved the day. Most enterprise-class WLAN implementations have such a facility to detect and even deactivate unauthorized access points.

Given that many banks might be afraid of perceived security problems inherent with wireless, the rogue access point might have been the only access point in the bank. Because they didn’t use wireless — or didn’t think that they did — they would likely have had no rogue detection scheme in place.

Still, there was an easy way to keep him out — 802.1 port-level authentication. Even low-end switches these days support the 802.1X protocol to authorize basic port-level network access. That means before the switch lets you on the network you must pass a challenge-response sequence to prove you have the authorization. Clearly, no such mechanism was in place.

The moral is the flexibility of wireless is a double-edged sword and the ease with which your system can be compromised is greater than ever before. So prepare.

QuickLink 054360

–Tolly is president of The Tolly Group, a strategic consulting and independent testing company in Boca Raton, Fla. He can be reached at ktolly@tolly.com.