special report The dangers of not protecting wireless networks are well known, yet many fail to secure them--and may find themselves slapped with lawsuits as a result.
By Rob Lemos
Staff Writer, CNET News.com
July 1, 2002, 4:00 a.m. PT
The major Internet backbone networks for the Pacific Northwest converge at a single location: the Westin building in Seattle, a 32-story structure that houses dozens of major and minor Internet service providers.
It is also home to more than 50 wireless networks, most of which apparently have no security.
"The Westin building is the Northwest nexus for all the fiber. Everyone who is anyone is colocated there," said Josh Pennell, CEO and principal consultant for Seattle security firm IOActive, who recently visited his company's servers at the site. "You can think about the mayhem that people can cause by getting onto that. It's pretty scary stuff."
It's a story repeated all over the United States. Security researchers and wireless aficionados have found areas in cities and suburbia where hundreds of insecure networks can allow hackers to connect to the Internet and conduct nearly untraceable attacks.
Yet the potential for their networks to be subverted hasn't persuaded individuals and many companies to set up wireless access points with stronger safeguards. That's leading security professionals and many lawyers to warn companies that they may be liable for attacks launched from their corner of the Internet.
"If an attacker in a van uses a wireless network to hack an employee's workstation and launch an attack, it looks like the employee did it," Pennell said. "They could use your wireless to do a reconnaissance on FBI.gov, and it comes back to your doorstep."
Making matters even worse, wireless hackers and enthusiasts have created a graffiti-like system to mark zones of wireless connectivity with designs drawn on streets and walls. So-called Wibo runes--or "warchalking," as first described--have spread like wildfire around the Internet since the concept was introduced just over a week ago, and could make wireless networks that much easier to find.
Perhaps, but one with decidedly high-tech consequences that have security consultants worried. Already, they say, vulnerable areas are simple enough to identify without the help of Wibo runes.
Michael Stokes, chief security officer for wireless technology company CD/Help, recently came across a Northern California health care provider that used wireless connections throughout its facility and, because of the lack of security, broadcast patients' medical data indiscriminately.
In another instance, when one client called Stokes to its San Francisco office because of wireless connectivity problems, he traced the interference to a network used by a Big Four financial firm that was wide open half a block away. In the short time it took to identify the network, Stokes observed that data for investors' portfolios were broadcast for anyone to see.
"You see tons of poorly engineered or open-access points out there," Stokes said. "I see a huge liability issue."
Residential neighborhoods are rife with unprotected networks as well. From the top of an office building in a mainly residential area of Seattle, several students learning hacking and security from IOActive's Pennell were able to find more than 30 wireless access points, most with no security.
Moreover, because those who use wireless networks at home typically don't keep access logs, the threat goes beyond legal responsibility for damages because they could easily be fingered as the perpetrator, Pollino warned.
When the notorious Melissa virus struck in March 1999, law enforcement officials quickly tracked its release to an America Online account that had been hacked. AOL's logs indicated that the person who released the virus dialed in with a telephone number that didn't belong to the account owner.
"Right now, the account owner has a good story to tell over a beer," Pollino said. "But what would have happened today if the person who released the virus got into AOL through a home (wireless) network? The trail would have gone cold at the victim's house, and they would likely be arrested."
In addition, if an attack does a great deal of damage, the individual or company whose account was used in the hacking could face enormous liability charges, said Joseph Burton, a lawyer with Duane Morris who focuses on information security issues.
Until now, Burton said, companies have been afraid to sue others for their security problems. "Companies are reluctant to bring the cases, because it's like living in a glass house and throwing the stone. Everyone is at risk."
But that reluctance could be about to change. Because of heightened safety concerns since the Sept. 11 terrorist attacks, the courts will eventually establish certain levels of security as reasonable expectations.
"A company hurt because of another firm's weak security will say, 'They are idiots. They should have known better, and I'm out $22 million,'" Burton said.
"The minute it is open, it's open season on everybody," he said. "That's why you haven't seen it so far."
That same reason is why other lawyers believe that no such cases will be filed anytime soon. "I think at this point in time, it would be hard to say there is a professional duty of care to others to secure the network," said Jennifer Granick, clinical director for Stanford University's Center for Internet and Society.
In the meantime, while the issue is debated in academia and corporations, the chalk-marked message on the street is clear: Connect here.