Scorpions are perhaps the oldest -- and therefor most successful -- arthropods on the planet. They first walked the Earth back in the Silurian Period, some 425 million years ago and today they are found on every continent except Antarctica. I hate them. The damned things are all over the place, here in Mariposa. Poisons don't work very well on them, because they can go for more than six months between meals, so they outlast even the most persistent toxin. They don't balk at cannibalism, either, so it's nearly impossible to starve them out. Put two scorpions in a jar and in six months you'll have one scorpion left -- and it'll be alive and kicking, even if you fail to punch air holes in the lid. They're nocturnal, so they like to hide in dark places, like drawers and boxes -- and our bedding. They come in two varieties around here: brown and black. The black ones have a painful sting, much like that of a wasp. And we can't get rid of the little bastards, because they can squeeze through cracks as narrow as a sixteenth of an inch. But we've tried. Oh yes. We've screened our heater and swamp cooler vents and caulked the cracks in our walls and shower inserts and laid out sticky paper traps in dark corners. It's all been to no avail -- but at least we've tried to keep out the invaders. A lot of the folks who're so enthusiastically deploying 802.11b wireless LANs don't even seem to be trying. Eyes Wide Shut According to eWeek's Andrew Garcia, certain unnamed "officials" at Cisco Systems Inc.'s Aironet division (that's Cisco's wireless arm) estimate that as many as 50% of 802.11b users never enable Wireless Equivalent Protocol (WEP), the WiFi industry's current, pitifully inadequate security standard. If that were true, it would be bad enough. But it's not. In fact, it's a serious underestimate of the problem. According to Peter Shipley, who ought to know, the number of WLANs that employ no security measures at all is closer to 85%. Shipley's numbers are based on a survey he's been conducting since last Fall. His methodology is as basic as it gets: using an omnidirectional roof-mounted antenna and a portable GPS system, he drives all over San Francisco and Silicon Valley. With his laptop's Lucent wireless card set to "ANY", so that it will associate with any 802.11b WLAN within range, Shipley runs a Perl script that reiteratively attempts to log into any WiFi LAN it finds, writes the location, signal strength and SSID of each beacon it sees to a log file and then automatically resets itself for the next attempt. So far, he's logged over 2000 separate beacons, all around the San Francisco Bay Area, and he's found that the vast majority of them are completely open. And of those that do employ security measures, all but a handful use the manufacturer's default SSID as the WEP password -- which provides them effectively zero security against any but the most casual intruders. Less than zero, in fact, since they think they're protected, when their WLANs are, instead, effectively wide open. And, even if they were to use WEP properly -- utilizing 128-bit encryption, customizing their SSID, requiring regular password changes and forcing their Initialization Vector to re-intialize every 20 megapackets or so -- the most recent exploit of WEP can still break it within 90 seconds. Unbreakable Why should you care? Because inadequately-secured WLANs not only provide excellent platforms from which to launch distributed denial of service attacks, they also invite freeloaders to enjoy stealth Internet access at your customers' expense. And yours, of course. So enlightened self-interest dictates that you do what you can to encourage your users to make their WLANs secure -- especially in view of the exploding popularity and plunging price of 802.11b technology. Discuss the problem in your subscriber newsletters. Explain to them why leaving their network exposed is a bad idea. Tell 'em they need to construct a firewall -- and to put their wireless access point out the outside of that barrier. Then give them pointers to where they can find VPN software to let authorized users get through the firewall. Or, at least tell 'em to turn on WEP. It's a pathetic excuse for security, but, with a non-default SSID, it's marginally better than nothing. I know it won't be easy -- but it's not as hard as getting rid of the damned scorpions. (Copyright© 2001 by Thom Stark--all rights reserved) |