Securing Thin Air

As governments go wireless, they must pay close attention to a host of security-related issues.

The world is shrugging off its wires.

Cellular telephones, PDAs and laptops with wireless antennas allow businesspeople to access corporate networks from far-flung locations. Now, even government agencies arm field employees with mobile devices. Building inspectors, police officers and social workers collect data, complete reports and communicate with their headquarters through an array of mobile technology.

Although freedom from wires is redefining how some government employees do their jobs, an agency's IT staff now has to fret about a new set of information-security problems. Any organization worries about its data, but governments, especially, have to protect constituents' information.

A Five-Front War
Agencies considering wireless applications must fight the information-security war on five fronts, according to Carlo Grifone, a principal of Deloitte Consulting and the client service lead partner on projects with California's state government. Deloitte worked with California on several wireless applications rolled out during the summer to give citizens mobile access to lottery results, traffic updates and electricity blackout alerts.

"From a security perspective, there are five key areas [that government agencies will have to address]," Grifone said. "The privacy issue, the authentication issue, the non-repudiation issue, the availability issue and the integrity issue."

Grifone breaks down the broader issues into questions:
  • Privacy: Can unauthorized persons electronically "listen in" and obtain information they shouldn't be able to obtain?

  • Authentication: Is the right person actually using a mobile device or accessing the wireless network?

  • Non-repudiation: Can it be proved that the correct person was using a mobile device or accessing a wireless network in case a dispute arises?

  • Availability: Is the wireless network available to the users? Can it be knocked out with an electronic attack?

  • Integrity: Is the data received the same data that was sent?


In some respects, agencies don't need to completely rethink their approach to privacy; they simply need to adapt their policies.

"To a large extent, [privacy] is taken care of through things like VPNs [virtual private networks]," he said, adding that organizations typically have policies or practices in place to protect data traffic over the Internet, and those policies can be tweaked to accommodate wireless applications. "Once you're logged onto the network, the same security applies. You want to be able to use appropriate controls within the network to make sure that there isn't an ability to get into that network unless you're authorized."

Mobile devices themselves present a danger in that there's always a chance of one of them being lost or stolen. To protect sensitive information, such devices should never store sensitive data locally - that sort of data should reside on an agency's server behind a firewall.

"If you're a caseworker in someone's home and you're gathering a whole bunch of information, once you press the button to transmit that information, it should be cleared from the device," he said.

Authenticating users in a wireless network is easy to do if an agency assumes that its mobile employees always have their devices, Grifone said. He compares mobile devices to government-issued credit cards: The home office probably won't know if unauthorized persons are using a lost or stolen card until it's too late and someone else has already gone on a shopping spree.

PINs and passwords are a couple of ways to authenticate users, though these are only as good as users' ability to devise PINs or passwords that can't be easily guessed. Biometric identification systems present a near rock-solid way to authenticate users and, in the future, mobile devices could be outfitted with a slot to accept an ID card. If both the device and the ID card are lost, however, so are the chances of authenticating the user.

Still, Grifone predicted that biometric devices eventually would become the preferred choice for user authentication. "They really aren't very big and they don't take a whole lot of processing ability," he said.

Government agencies get assistance from telecommunications carriers when addressing non-repudiation. "Carriers are the ones that help here," he said. "Much more so than on the Internet, carriers are able to track transactions and usage, so you can go back to those records."

Making sure that a network is available to wireless users is more problematic because the United States lags behind foreign countries in developing wireless infrastructure and adhering to standards.

"It's not as much of a security issue as it is an ability-to-do-business issue," Grifone said. "That's the biggest issue in the states right now; we don't have the standard out there. Europe and Asia are years ahead of us in terms of having standards in place for communication; therefore, they have a much more reliable system. There's an issue of the potential of someone being able to interrupt service."

Having impeccable service does little good, though, if the issue of data integrity isn't addressed. System administrators have a bit of an edge with maintaining data integrity if they've set up a VPN for employees to use.

"In a private network, it's very difficult to impersonate another mobile device because you've got each of them tagged and serialed and positively identified," Grifone said. "In a public network, it's pretty much impossible to validate that the data received was actually the data sent. In a private network, you've got the sign-on and password taking place as validation."

In some respects, the migration to wireless technology mirrors the earlier migration to the Internet: Security issues present themselves; vendors and consultants concoct ways to ensure security; and standards groups struggle to keep their ever-evolving protocols current to match the needs of computer users and software programmers.

The crucial difference, wireless access to a wired network, is what could throw government agencies a curve.

Easy Access?
When the San Francisco Chronicle interviewed Matt Peterson, founder of the [San Francisco] Bay Area Wireless Users Group (BAWUG), earlier this year about the relative insecurity of wireless networks, Peterson related a telling story to the newspaper.

He and a fellow member of the BAWUG outfitted themselves with a laptop PC and a wireless antenna and roamed the city's Financial District. Peterson told the newspaper that they were able to access approximately six networks per block just by pointing the antenna at various high-rises.

According to Peterson, several currently available wireless security mechanisms are relatively easy to defeat. The first is broadcast mode, in which a wireless access point broadcasts its availability but not its name. Only those users who key in the network's name are allowed access to the network.

"The beacon to the access point doesn't say what its network name is," Peterson said. "If a client wants to associate with it, the client has to explicitly type in that network name. What happens is that if I'm across the street, even though the access point isn't advertising what its name is, when a user connects, that goes over as plain text."

At that point, an intruder who is monitoring the network could see the network's name and use that information to access the network.
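The behaviour Peterson describes can be seen in the 802.11 management frames themselves. The sketch below is an added example, not part of the original article: it parses a constructed beacon and a constructed association request to show why a suppressed network name should not be counted as an access control. The frame bytes, MAC addresses and the name `agency-field-net` are made up for illustration.

```python
# Added example: hidden network names still travel in cleartext.
FIXED_LEN = {0: 4, 8: 12}  # fixed-field bytes: 0 = association request, 8 = beacon

def parse_mgmt(frame: bytes):
    """Return (subtype, bssid, ssid_bytes) for a beacon/assoc request, else None."""
    if len(frame) < 24:                      # management header is 24 bytes
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    bssid = frame[16:22].hex(":")            # address 3 carries the BSSID
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):             # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            return None                      # truncated element, reject frame
        if eid == 0:                         # element ID 0 is the SSID
            return subtype, bssid, body
        pos += 2 + elen
    return subtype, bssid, None

def hidden_name_exposure(frames):
    """Per BSSID: does the beacon hide the name, and was it seen anyway?"""
    report = {}
    for raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        subtype, bssid, ssid = parsed
        entry = report.setdefault(
            bssid, {"beacon_hides_name": False, "name_in_clear": None})
        if subtype == 8:                     # empty or all-zero SSID = hidden
            entry["beacon_hides_name"] = not (ssid or b"").strip(b"\x00")
        elif ssid:
            entry["name_in_clear"] = ssid.decode("utf-8", "replace")
    return report

def _frame(subtype, addr1, addr2, addr3, fixed, ssid):
    """Build a constructed management frame (sample data only)."""
    header = bytes([subtype << 4, 0, 0, 0]) + addr1 + addr2 + addr3 + b"\x00\x00"
    return header + fixed + bytes([0, len(ssid)]) + ssid

AP = bytes.fromhex("020000000001")           # constructed access point address
STA = bytes.fromhex("020000000002")          # constructed client address
SAMPLE = [
    _frame(8, b"\xff" * 6, AP, AP, bytes(12), b""),        # beacon, name hidden
    _frame(0, AP, STA, AP, bytes(4), b"agency-field-net"),  # client connects
]

if __name__ == "__main__":
    print(hidden_name_exposure(SAMPLE))
```
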

Another security mechanism, media access control (MAC) address filters, works by only allowing Ethernet cards and wireless cards with the appropriate MAC address (a hexadecimal address that represents the manufacturer, the product code and a portion of the serial number) to access the network.

"With that particular policy, the problem is that the wireless drivers, even the ones for Windows, let you spoof your MAC address," he said. "You can just do filter surfing; [John Doe] just left his desk and there's his MAC address - let me write that down - and when he goes home, I'll just use that MAC address to get onto the wireless network. That's a basic level of sniffing."

The final mechanism is the wired equivalent privacy (WEP) algorithm, a protocol that encrypts the traffic between wireless access points and network clients.

"Access points are like hubs with no wires; they're shared mediums," Peterson explained. "When people connect to an access point, I can do a TCP dump or I can sniff the network and I can see all this traffic going across. With the WEP, in theory, that traffic is encrypted. The problem is that the WEP can be defeated.

"It's pretty clear that if companies are going to adopt this technology, for right now, they're going to have to roll their own security solutions," he said.

Making Progress
But debating the effectiveness of wireless security is a little like debating politics or religion: Opinions fluctuate widely, but the passion is definitely there. Some liken the state of wireless security to the early days of cellular phones, when analog cell phone conversations were easily intercepted and eavesdropped on. But others argue that wireless security is more advanced in its early age.

"The cell-phone industry started out broadcasting in the clear, so anybody with a 60-cent scanner could tune in to your signal," said David Cohen, chairman of the Wireless Ethernet Compatibility Alliance (WECA), an organization formed to promote the IEEE 802.11 wireless networking standard, otherwise known as Wi-Fi. "Even here in the early stages of the industry, [wireless] transmissions are being made with encryption on. We're starting off in a much more advanced stage by having this encryption capability - even in the first generation of products. The cell-phone industry only woke up to this later on."

WECA's membership boasts a number of technology industry heavyweights, including 3Com, Cisco, Dell, IBM, Intel, Hewlett-Packard, Microsoft, Ericsson and Nokia. Although detractors such as Peterson argue that Wi-Fi isn't as secure as vendors would have users believe, Cohen counters that cracking Wi-Fi's encryption measure - the WEP algorithm - is no walk in the park.

"The casual snooper will not have an easy time getting into your network," he said. "It requires a fair amount of resources and a fair amount of knowledge."

Cohen acknowledged that wireless presents security risks because it is a broadcast medium, and unintended recipients may detect wireless transmissions. However, detecting a wireless network and cracking a wireless network are two different things, he added.

"Part of the way that a wireless LAN works is that there's something called the wireless network name that's typically broadcast out there. It does not mean that you can enter the system; it just means that you can see it. That's commonly misconceived as being insecure."