Wireless trespasser stopped dead in his tracks

A security expert working at a California government office spotted an unauthorized person trying to bridge onto the wired network through a wireless NIC. He put a stop to it.

"Oh lord!"

Those were the first words out of Ned Allison's mouth one recent afternoon when by chance he spotted a crasher trying to hop onto his network. The exclamation could've been a lot more colorful, but thankfully for Allison, he was on it. He had it under control.

At the time, Allison, vice president of the Sacramento chapter of the Information Systems Security Association, was working as a network and security expert at a high-profile California state agency. He won't name the agency, but he said it's a government agency with a network containing critical state data. Allison is also a Certified Information Systems Security Professional, the premier vendor-agnostic information security certification.

The agency had made a request to bring wireless scanners into the warehouse. Since the warehouse is on a major thoroughfare with a lot of wireless activity, however, some deemed the barcode readers a security risk because the information they transferred would contain financial data. But as Allison is quick to point out: "Security is meant to enable business, not disable it." So he forged on.

Still, Allison noted that the agency is snugly settled in a neighborhood with a "fairly rich wireless environment," where freeloaders are known to seek out free wireless Internet access. The agency already had two-factor authentication, token, device certification -- you name it -- but the wireless scanners didn't support any of that.

Allison sought a way to establish a barrier in the warehouse so the barcode scanners and their wireless connection would not leak into the street -- a sort of invisible fence. He didn't want anything getting in or going out. He found what he needed with a product from Network Chemistry. The Redwood City, Calif.-based wireless security vendor provided the agency with a system that fences in the warehouse and recognizes valid devices. Any invalid or unauthorized devices that try to get on are trapped in a tarpit.

So, one day -- the "Oh lord" day -- Allison was using that product, Network Chemistry's RFprotect Mobile, to check out the wireless environment in the area. The portable, laptop-based analyzer can be used for site surveys, security assessments, planning sensor locations, and incident responses. It also gives a good overview of wireless activity in the area.

"From my desk, I could see a particular individual brought his system up and tried to connect to the hotel across the street," Allison said. "I was just watching this out of curiosity."

The hotel makes folks pay for access, so the rogue looked somewhere else. He tried a nearby coffee shop. Nope, gotta pay. He tried a few more places. Nope. He tried a passing UPS delivery truck. Nope, the signal was gone in a second.

As the would-be invader systematically moved his way up the street, Allison got the sinking feeling that his network was next.

Just then, he was alerted that a wireless Network Interface Card (NIC) on a computer connected to the wired network was up and broadcasting. The pinging laptop belonged to a database administrator with pretty much unlimited network access.

Though broadcasting with a NIC is a violation of agency policy, the laptop was brand new and still in default mode. Because it was new, the laptop's default configuration was set to connect to any available wireless network, including ad hoc and peer-to-peer connections. A broadcasting NIC is a common vulnerability in new Windows operating system machines that are still in default mode. Regardless, a broadcasting NIC meant someone could link wirelessly into the laptop and bridge into the wired network, something Allison certainly did not want, but which almost happened.

"And then he tried to hit a device on my network," Allison said of the potential intruder. "I saw this guy say, 'Ah, fresh meat, I'm going to try to connect.'"

Allison made a break for it. Using RFprotect Mobile and its QuickLocate feature, he was able to physically track down the broadcasting laptop one floor up and a few doors down. He was fast enough to find the machine, gain administrative access, and shut down the NIC before the wireless snoop could get in, thwarting the attack and preventing unauthorized network access.

"Because I had this here," Allison said, "I was able to walk up and prevent the intrusion."

While Allison can't say for sure the person trying to connect to his network had any malicious intent -- probably just a cheapskate looking for free wireless -- the consequences could've been huge. The meddler could've gotten in and island hopped throughout the network from the "privileged network station" he was trying to tap into. That would've given him access to most network data. Also, had the trespasser done anything illegal while on the agency's network, Allison and his crew would've been responsible because they were the network hosts.

Allison credits putting the kibosh on the intrusion to being in the right place at the right time, and though stressful, the incident gave him enough proof to convince upper management that Network Chemistry's products are necessary tools. A short time after the near-breach, the agency deployed Network Chemistry's RFprotect Distributed system, purpose-built sensors for 24/7 intrusion detection and prevention. Allison said he and others no longer have to rely on dumb luck or manual blocking to protect against attacks because the RFprotect system automatically provides wireless threat protection.

"It was a very great eye-opener here for people to understand how vulnerable we were to this particular issue," he said.

The entire thing, from watching the would-be hacker try the hotel to shutting down the NIC, took roughly five minutes. But watching it all unfold, Allison said, seemed much longer.

"I was literally watching him walk up the street," he said. "I went from 'This is kind of neat,' to 'Oh lord, here's someone on my network pinging.'"
