The Tech Herald

Epic Fail: Physical and Wireless security during RSA

by Steve Ragan - Apr 27 2009, 18:36

[Photo caption: Oh the irony. Image: J. Anderson]

At the end of most security-related conferences you will see reports from one or more vendors who used their own products to monitor security at the event. One such report, issued by wireless and mobile threat management vendor AirPatrol, points out some interesting wireless observations, and its CEO offers a swift kick to the security community. Adding to this is the faux pas of one vendor, who left an entire booth of laptops unattended and open for inspection.

Oh the irony; to attend a security conference, as a security vendor or practitioner, and fail to practice what you preach. On Wednesday, April 22, at the RSA Conference, AirPatrol discovered 2,792 Wi-Fi client devices, including smart phones, PDAs, and laptops in use. One network discovered, “Free Public Wi-Fi”, was the subject of many jokes and comments in the press room. Many of us noticed it on day one, but left it alone. Other Ad-Hoc networks included the famous SSID of Linksys, hpsetup, and Linksys2, in addition to the Free Public Wi-Fi.

You do not need to be a security professional to observe open networks and lax wireless security. All you need to do is use the wireless connection manager on your laptop to scan for networks and you will likely see a rather impressive list. In addition to the 35 Ad-Hoc networks discovered by AirPatrol, there were 94 unauthorized Access Points detected. There is no proof that these were rogue, but they could have been, depending on the setting. In addition, it is worth pointing out that the Wi-Fi network offered by the RSA Conference organizers was well secured.

You can ask any security person about these open networks and they will tell you two things. One is that they are a risk to the device or network hosting them, because they offer an unmonitored bridge into the network. Think of it like this: on a normal network you need a username and password to access the resources on the network. This is like a closed door, where only your key will open it. Open Wi-Fi is like a window left open next to the locked door, with a space large enough for you to climb through.

The second thing the security person is likely to say is that open access points are a risk to you, the user: once you connect to one, there is no way to tell whether it is malicious and being used to sniff all of the data you send wirelessly. That data can include login credentials, right down to simple things such as the joke you just sent via Gmail to your brother-in-law.
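The scan-and-look procedure described above, and the ad-hoc / open / default-SSID risks it turns up, can be turned into a small triage script. The following is an added example written for this article, not code from AirPatrol or The Tech Herald. It parses a constructed scan listing in the style of Linux `iwlist scan` output (the cells, addresses and SSIDs are made up, except that the SSIDs match the ones the article names) and flags each network the way a defender reviewing a site survey would: ad-hoc mode, no encryption, or a factory-default name.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the style of `iwlist scan` output. Addresses and
# cell layout are invented for this example; the SSIDs are the ones the
# article mentions plus two made-up ones for contrast.
SAMPLE_SCAN = """\
Cell 01 - Address: 02:11:22:33:44:01
          ESSID:"Free Public Wi-Fi"
          Mode:Ad-Hoc
          Encryption key:off
Cell 02 - Address: 00:11:22:33:44:02
          ESSID:"RSA2009"
          Mode:Master
          Encryption key:on
Cell 03 - Address: 02:11:22:33:44:03
          ESSID:"hpsetup"
          Mode:Ad-Hoc
          Encryption key:off
Cell 04 - Address: 00:11:22:33:44:04
          ESSID:"linksys"
          Mode:Master
          Encryption key:off
Cell 05 - Address: 00:11:22:33:44:05
          ESSID:"BoothDemo"
          Mode:Master
          Encryption key:on
"""

# Factory-default / well-known ad-hoc names listed in the article.
# Assumption: an organization would extend this set with its own list.
DEFAULT_SSIDS = {"free public wi-fi", "linksys", "linksys2", "hpsetup"}


@dataclass
class Network:
    bssid: str
    essid: str = ""
    mode: str = ""
    encrypted: bool = False
    findings: list = field(default_factory=list)


def parse_scan(text):
    """Parse iwlist-style scan text into Network records."""
    nets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})", line)
        if m:
            cur = Network(bssid=m.group(1))
            nets.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("ESSID:"):
            cur.essid = line[len("ESSID:"):].strip('"')
        elif line.startswith("Mode:"):
            cur.mode = line[len("Mode:"):]
        elif line.startswith("Encryption key:"):
            cur.encrypted = line.endswith("on")
    return nets


def assess(net):
    """Attach defender-side findings to one network; returns the finding tags."""
    if net.mode.lower() == "ad-hoc":
        net.findings.append("ad-hoc")        # peer-to-peer link, not an AP
    if not net.encrypted:
        net.findings.append("open")          # traffic crosses the air in clear
    if net.essid.lower() in DEFAULT_SSIDS:
        net.findings.append("default-ssid")  # never renamed, or a lure
    return net.findings


def survey(text):
    """Parse, assess and summarize a scan; mirrors the counts a report would give."""
    nets = parse_scan(text)
    counts = Counter()
    for net in nets:
        counts.update(assess(net))
    return {
        "total": len(nets),
        "ad_hoc": counts["ad-hoc"],
        "open": counts["open"],
        "default_ssid": counts["default-ssid"],
        "flagged": [n.essid for n in nets if n.findings],
    }


if __name__ == "__main__":
    for net in parse_scan(SAMPLE_SCAN):
        tags = assess(net)
        print(f"{net.bssid}  {net.essid!r:22} {net.mode:7} {'open' if not net.encrypted else 'enc '}  {tags}")
    print(survey(SAMPLE_SCAN))
```

On a real survey the input would come from the wireless manager or a monitoring appliance rather than an embedded string; the classification logic stays the same. Note that "open" here only means no link-layer encryption was advertised, which is exactly the case in which a malicious host can read everything sent over the link.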

“Amazingly, some of the world’s leading IT security professionals still think of wireless security as an afterthought and our RSA Conference wireless monitoring results demonstrate there is still a disconnect between what they practice and what they preach,” said Ozzie Diaz, CEO, AirPatrol Corporation.


The other security oddity of the week comes from Google. At one point during the show, six laptops were left unsecured and unguarded inside their booth. These nifty IBM laptops could have been taken from the booth, and at the time no one would have been the wiser. If that wasn’t ironic enough, they were open for inspection.

A recent blog post on ha.ckers.org explains in detail how RSnake took a photo of one of the computers after he tweaked the display a bit and pointed the page on screen at a more familiar site. (The post and image are here.)

“The really amusing part was when a rather dim witted Google marketing person came over after a minute or so and asked if she could help us. Then she saw the ha.ckers.org logo, to which I said, ‘Don’t worry, we were just playing a practical joke on you.’ To which she said, ‘Okay.’ Okay indeed,” RSnake wrote.

Now, Google wasn’t the only one; other vendors were guilty of this too. Google is simply the one that more than a few people were talking about, and there was a comical image taken of the evidence, as it were.

Why is this important? For one, you always hear about the security risks with laptops, the danger they pose to a company if they are lost or stolen and contain sensitive information. Here were six laptops, just out in the open, for any of the expo attendees to examine or in the worst (do it and go to jail) case scenario steal. The other reason is that RSA is a security focused event, and physical security is just as important as digital security. Granted, Google is not a security company by default. However, why were the laptops left unattended?

The AirPatrol report and the issue on the floor from several vendors leaving hardware unmonitored remind me of a blog post from Andrew Hay.

“Security professionals have a duty to promote security in the enterprise. In fact, most professionals take on the role of a “security herald” for their organization or customer quite seriously. At the end of the day, however, many practitioners pack up their things, make their way home, and completely throw all of their beliefs out the window,” Hay wrote.

Practice what you preach would be the lesson here. Sometimes that’s easier said than done. Still, shouldn’t those practices be carried over to a security related conference?
