The weak link in Wi-Fi access: Is your laptop secure?

Cheaper laptops and other mobile computing devices plus the ubiquity of Wi-Fi access points at work, at home and everywhere in between is making wireless access an important commodity in an increasingly connected world.

The ease of using wireless Internet or wireless LAN (local area network), more commonly known as Wi-Fi, is accelerating adoption rates across all types of applications: from simple web browsing to point-of-sale systems and enterprise data transmission. In many metropolitan areas, coffee shops, restaurants, and even malls offer free and paid wireless access for those whose work or lifestyle demands connectivity. Internet access has become what telephones were back during the analog decades – an indispensable everyday communication tool.

Enterprises and businesses of all sizes were also quick to subscribe to the wireless phenomenon. This meant instant access and sharing of network resources without the usual pains of structured cabling. Network cables were reserved for the data center and other critical appliances. The IT consumer never looked back.

With packets of data floating around, the black hat (our term for system hackers with malicious intent) community saw the opportunity to grab information, literally, from the air. Thus a new battlefront in information security began.

The Wi-Fi technology community reacted to the information security threat by creating new standards in wireless encryption. Since 2004, the WPA2 (Wi-Fi Protected Access 2) certification has been identified as the most effective standard in encrypting wireless traffic. This standard uses AES (Advanced Encryption Standard – the same cipher used by the US National Security Agency). IT managers and network administrators made sure to secure their wireless network. Some of them acquired the budget for it by relating to management horror stories of exposed passwords and sensitive data. Faced with the possibility of wireless access withdrawal, businesses approved wireless network security upgrades. These days, most IT groups worth their salt would have their Wi-Fi channels and end points tightly secured. One would think this would send the black hat back to exploiting systems remotely through the Internet; however, they simply shifted their attention from well-secured wireless access points to the weaker client (referring to PCs, laptops, and other computing devices that a ‘user’ uses).

Sitting in a coffee shop one evening at the Ortigas Complex area, 30 minutes of scanning uncovered 67 access points, with only five of them secured. All around were laptops undoubtedly tuned to several of these unencrypted APs, their traffic broadcasting in the clear. It was the perfect environment to intercept information. However, since it would be unlawful to capture packets right there, the experiment ended. Under more controlled conditions back at the KPMG IPBR (Information Protection and Business Resiliency) security lab, we successfully extracted information from unencrypted wireless traffic between an access point and a PC. The result was nothing short of amazing – passwords, web addresses, entire emails, documents and even pictures were revealed. It was as if we were sitting right in front of the exploited computer. The best part of it is: we employed tools readily available from the Internet.

But why worry when the IT department already encrypted everything wireless? Sure, your enterprise wireless network may be secure, but what happens when you’re out of the office? Do you find yourself working on some emails while sipping espresso at a nearby coffee house? Or doing a bit of research during TV commercial breaks at home – all the time using your office-issued laptop?

Wireless access is best experienced from a mobile device. A mobile workforce poses several challenges to those in charge of IT security. The laptop can be locked down to a point where it can only connect wirelessly to the enterprise Wi-Fi. But that would defeat the purpose of mobility. Rather than getting a call at 2 a.m. from the vice-president of sales asking why he can’t connect to the Wi-Fi at his London hotel, the IT manager would simply deploy minimal security on wireless laptop connections. It’s like locking the door with four dead bolts and a chain but leaving the window open.

How can you resolve the question of priority between access and security? Solutions are plenty but the trick is to properly apply these to secure wireless clients:

1. Use traditional VPN (virtual private network) and force all network traffic to go through the enterprise gateway – this technology is mature and is likely present in many organizations. The drawback is that this solution has a relatively heavy overhead and may slow down the connection. However, the advantage is that a laptop with this setup cannot connect to the internet (only to the public AP) until it establishes a secure route to the enterprise. A VPN essentially creates an encrypted tunnel between two points over the Internet.

2. Employ an SSL-VPN solution – this solution is the newer application of the VPN technology taking advantage of the most common desktop program the browser (so there is no need to install a VPN client). This also offers more granular control over which applications or data can be accessed – differing from traditional VPN where all traffic is rerouted to the tunnel.

3. Only connect to secure, trusted web sites; use SSL for web applications – the internet is like the Wild West; you have to know who to trust. An SSL web page (you know you’re connected to one of these when you see “https” on the address bar) provides an encrypted connection between the PC and the web site.

Regardless of what solution may be fit for purpose and budget, the following form part of best practice for wireless security:

1. Restrict automatic access to non-preferred access points

2. Disable peer to peer (ad-hoc) connections

3. Apply patches and other updates to the operating system and applications

4. Use a client-side firewall to filter outbound and inbound traffic

5. Update anti-virus and malware definitions

6. Run the computer with the least user privilege as possible

These are just some of the technical solutions that can be used in securing wireless traffic. At the enterprise level, there must also be a clear provision regarding Wi-Fi use embedded in the company information security policy.

Mobile Internet access is certainly improving the information worker’s productivity; a simple information security awareness and correct application of security measures should go a long way in enjoying the benefits of a safe wireless computing environment.

(Ronald F. Gonzales is a Director for Tax & Corporate Services of Manabat Sanagustin & Co., CPAs, a member firm of KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative.

The views and opinions expressed herein are those of Ronald F. Gonzales and do not necessarily represent the views and opinions of KPMG in the Philippines. For comments or inquiries, please email [email protected] or [email protected]).