Sign in with
Sign up | Sign in
Your question

Wireless Devices - Security Risk?

Tags:
  • Wireless
  • Notebooks
  • Devices
  • Wireless Networking
Last response: in Wireless Networking
Share
Anonymous
a b F Wireless
June 9, 2004 4:35:22 AM

Archived from groups: alt.internet.wireless (More info?)

From http://www.vnunet.com/news/1155700 --->
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"...companies which had not installed any wireless technology were
also at risk because wireless is shipping in devices from PDAs and
mobile phones to notebook computers".

"He pointed out that Intel's Centrino wireless
capability was embedded in 42 per cent of notebook
computers shipped last year, and will be in 90 per
cent of notebooks shipped this year".

"Whether you're using that wireless capability or not,
every wireless notebook represents a clear and present
danger to the security of your computer network".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you don't have any access points active/connected, how are these
devices a risk?

Jim Benner

More about : wireless devices security risk

June 9, 2004 5:06:50 AM

Archived from groups: alt.internet.wireless (More info?)

<b1377@worldnet.att.net> wrote in message
news:40c65834.710421@netnews.worldnet.att.net...
> From http://www.vnunet.com/news/1155700 --->
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "...companies which had not installed any wireless technology were
> also at risk because wireless is shipping in devices from PDAs and
> mobile phones to notebook computers".
>
> "He pointed out that Intel's Centrino wireless
> capability was embedded in 42 per cent of notebook
> computers shipped last year, and will be in 90 per
> cent of notebooks shipped this year".
>
> "Whether you're using that wireless capability or not,
> every wireless notebook represents a clear and present
> danger to the security of your computer network".
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> If you don't have any access points active/connected, how are these
> devices a risk?

Up until that last sentence you quote, the article was reasonably well
balanced and accurate. That particular claim - "every wireless notebook
represents a clear and present danger" - is a bit of an overstatement,
unless the company is running a WLAN.

Unfortunately, it's not completely incorrect. Even if there's no WLAN, if
the notebook is configured for ad-hoc an outsider could associate with the
adapter. If there are unsecured shares on the notebook, or if the notebook
is in a docking station connected to the wired corporate net, it could be a
back door. But this is a really unlikely scenario, and pretty easy to
eliminate. I don't think it's a significant source of risk.

>
> Jim Benner
>
Anonymous
a b F Wireless
June 9, 2004 5:06:51 AM

Archived from groups: alt.internet.wireless (More info?)

On Wed, 09 Jun 2004 01:06:50 GMT, "gary" <pleasenospam@sbcglobal.net>
wrote:

>
><b1377@worldnet.att.net> wrote in message
>news:40c65834.710421@netnews.worldnet.att.net...
>> From http://www.vnunet.com/news/1155700 --->
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> "...companies which had not installed any wireless technology were
>> also at risk because wireless is shipping in devices from PDAs and
>> mobile phones to notebook computers".
>>
>> "He pointed out that Intel's Centrino wireless
>> capability was embedded in 42 per cent of notebook
>> computers shipped last year, and will be in 90 per
>> cent of notebooks shipped this year".
>>
>> "Whether you're using that wireless capability or not,
>> every wireless notebook represents a clear and present
>> danger to the security of your computer network".
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> If you don't have any access points active/connected, how are these
>> devices a risk?
>
>Up until that last sentence you quote, the article was reasonably well
>balanced and accurate. That particular claim - "every wireless notebook
>represents a clear and present danger" - is a bit of an overstatement,
>unless the company is running a WLAN.
>
>Unfortunately, it's not completely incorrect. Even if there's no WLAN, if
>the notebook is configured for ad-hoc an outsider could associate with the
>adapter. If there are unsecured shares on the notebook, or if the notebook
>is in a docking station connected to the wired corporate net, it could be a
>back door. But this is a really unlikely scenario, and pretty easy to
>eliminate. I don't think it's a significant source of risk.
>
>>
>> Jim Benner
>>

They know now that almost 50% of company network break ns, are done
using stolen company notebooks.
Related resources
June 9, 2004 6:05:42 AM

Archived from groups: alt.internet.wireless (More info?)

"AndrewJ" <ajpk3@hotmail.comremove> wrote in message
news:2qqcc0hndb3sigqa39lugcpsdjja6a6joq@4ax.com...
> On Wed, 09 Jun 2004 01:06:50 GMT, "gary" <pleasenospam@sbcglobal.net>
> wrote:
>
> >
> ><b1377@worldnet.att.net> wrote in message
> >news:40c65834.710421@netnews.worldnet.att.net...
> >> From http://www.vnunet.com/news/1155700 --->
> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >> "...companies which had not installed any wireless technology were
> >> also at risk because wireless is shipping in devices from PDAs and
> >> mobile phones to notebook computers".
> >>
> >> "He pointed out that Intel's Centrino wireless
> >> capability was embedded in 42 per cent of notebook
> >> computers shipped last year, and will be in 90 per
> >> cent of notebooks shipped this year".
> >>
> >> "Whether you're using that wireless capability or not,
> >> every wireless notebook represents a clear and present
> >> danger to the security of your computer network".
> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >> If you don't have any access points active/connected, how are these
> >> devices a risk?
> >
> >Up until that last sentence you quote, the article was reasonably well
> >balanced and accurate. That particular claim - "every wireless notebook
> >represents a clear and present danger" - is a bit of an overstatement,
> >unless the company is running a WLAN.
> >
> >Unfortunately, it's not completely incorrect. Even if there's no WLAN, if
> >the notebook is configured for ad-hoc an outsider could associate with
the
> >adapter. If there are unsecured shares on the notebook, or if the
notebook
> >is in a docking station connected to the wired corporate net, it could be
a
> >back door. But this is a really unlikely scenario, and pretty easy to
> >eliminate. I don't think it's a significant source of risk.
> >
> >>
> >> Jim Benner
> >>
>
> They know now that almost 50% of company network break ns, are done
> using stolen company notebooks.

That may be, but that's simply because notebooks are easy to steal, and the
corporate info on them (including any passwords, login ids, or telephone
numbers that might be intentionally or accidentally saved to disk) is
immediately available.

If the company isn't running a WLAN, then it doesn't matter if the stolen
notebook has builtin wifi or not. If they were running a WLAN, then if the
notebook is configured with WEP or WPA preshared key, the company network is
compromised.
Anonymous
a b F Wireless
June 9, 2004 11:13:09 PM

Archived from groups: alt.internet.wireless (More info?)

>> If the company isn't running a WLAN, then it doesn't matter if the stolen
notebook has built-in wifi or not. If they were running a WLAN, then if the
notebook is configured with WEP or WPA preshared key, the company network is
compromised.

Gary:

Not necessarily, if the company was also using VPN.
June 9, 2004 11:30:39 PM

Archived from groups: alt.internet.wireless (More info?)

"CZ" <CZ@no99spam.com> wrote in message
news:9jJxc.5393$4Q5.3796@newssvr22.news.prodigy.com...
> >> If the company isn't running a WLAN, then it doesn't matter if the
stolen
> notebook has built-in wifi or not. If they were running a WLAN, then if
the
> notebook is configured with WEP or WPA preshared key, the company network
is
> compromised.
>
> Gary:
>
> Not necessarily, if the company was also using VPN.
>
>
>

No, of course not necessarily. But even with VPN, you might be surprised at
what sorts of information can be retrieved by examing swap files. Not to
mention the fact that people sometimes keep passwords in a file, especially
if they are required to change this information often. Authentication via
smartcard is an improvement here, but if someone stole the laptop they may
also have stolen the card.

Anyway, rolling this all back to the original post, the only point I'm
trying to make is that merely allowing employees to carry laptops equipped
with wifi is not per se an enhanced risk, despite what the article claimed.
Allowing them to carry laptops at all is the greater part of the risk.
Anonymous
a b F Wireless
June 10, 2004 1:28:50 AM

Archived from groups: alt.internet.wireless (More info?)

In article <zzJxc.5402$XT5.3882@newssvr22.news.prodigy.com>,
gary <pleasenospam@sbcglobal.net> wrote:
:Anyway, rolling this all back to the original post, the only point I'm
:trying to make is that merely allowing employees to carry laptops equipped
:with wifi is not per se an enhanced risk, despite what the article claimed.
:Allowing them to carry laptops at all is the greater part of the risk.

Hmmm.

So then... a fast food chain employee is authorized to carry latched
jugs of bleach as part of the hourly bathroom floor sanitation
procedure. But it isn't any additional risk "per se" for the employee
to carry around benzine in uncovered cardboard soft-drink cups:
allowing the employee to carry any hazmat at all is the greater part
of the risk.
--
'ignorandus (Latin): "deserving not to be known"'
-- Journal of Self-Referentialism
June 10, 2004 5:12:12 AM

Archived from groups: alt.internet.wireless (More info?)

"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:ca7vei$ooh$1@canopus.cc.umanitoba.ca...
> In article <zzJxc.5402$XT5.3882@newssvr22.news.prodigy.com>,
> gary <pleasenospam@sbcglobal.net> wrote:
> :Anyway, rolling this all back to the original post, the only point I'm
> :trying to make is that merely allowing employees to carry laptops
equipped
> :with wifi is not per se an enhanced risk, despite what the article
claimed.
> :Allowing them to carry laptops at all is the greater part of the risk.
>
> Hmmm.
>
> So then... a fast food chain employee is authorized to carry latched
> jugs of bleach as part of the hourly bathroom floor sanitation
> procedure. But it isn't any additional risk "per se" for the employee
> to carry around benzine in uncovered cardboard soft-drink cups:
> allowing the employee to carry any hazmat at all is the greater part
> of the risk.

??? I don't see the parallel at all. Did you read the original post, and the
article I was responding to? What I said was, if a company doesn't have a
wireless network, then the fact that employees carry laptops with wireless
cards does not significantly increase their risk, even though the original
article specifically claimed that it does. I thought that was a
straightforward observation, but perhaps not.

A better analogy would be that the fact that employees carry their car keys
along with their office keys does not increase the company's risk.

> --
> 'ignorandus (Latin): "deserving not to be known"'
> -- Journal of Self-Referentialism
Anonymous
a b F Wireless
June 10, 2004 6:29:28 AM

Archived from groups: alt.internet.wireless (More info?)

In article <MzOxc.5457$N6.5075@newssvr22.news.prodigy.com>,
gary <pleasenospam@sbcglobal.net> wrote:
:D id you read the original post, and the
:article I was responding to? What I said was, if a company doesn't have a
:wireless network, then the fact that employees carry laptops with wireless
:cards does not significantly increase their risk, even though the original
:article specifically claimed that it does. I thought that was a
:straightforward observation, but perhaps not.

But you are wrong: systems default to ad-hoc wireless being turned on,
and that allows reaching devices that could not otherwise be reached.

Your counter-argument to that is, as I understand, that employees
should not be given unsecured laptops, which is true in an ideal world,
but not so easy to enforce in practice.

But the way you put your argument, the logic extends further, right to
the boundary where *everything* that can go wrong with laptop security
would be the fault of the company for having allowed the employees
to use laptops at all.

Companies take risks for business purposes, and it is, in my opinion,
completely correct for the press to warn companies that they may
not have previously considered an important risk factor that is getting
built into computers these days.

Yes, companies *should* be assigning someone to systematically
cross-index all the possible security threats of every feature of the
computer equipment they use, but *in practice* not many companies have
enough personnel to assign someone to a task such as that. I know well
that our local organization, about 150 people, doesn't have those kind
of resources; I don't imagine that the Small Businesses that make up
most of the economic growth at present have the appropriate
resources either.
--
'ignorandus (Latin): "deserving not to be known"'
-- Journal of Self-Referentialism
!