Network News

X My Profile
View More Activity

Rogue Networks Stir Trouble for Firms of All Sizes

It is disconcerting to hear that a recent audit of the Internal Revenue Service's computer security posture revealed that some field offices were operating wireless networks accessible to anyone lurking nearby with a laptop.

The IRS inspector general's office scanned 20 IRS buildings in 10 cities. It found unauthorized wireless networks in at least four instances. The audit noted that one of the networks required no authentication at all, potentially exposing the IRS's internal network and taxpayer data to unauthorized access.

The IRS has one authorized wireless network, located in its Bloomington, Ill., field office. But auditors found that one of that network's access points was operating in a default configuration. That means it was set up with well-known user names and passwords used to change the router's network settings. It also found that there was limited monitoring being done that would alert the IRS if someone tried to join, tamper with or attack the network.

The idea of the IRS, which harbors mountains of personal data, using unauthorized wireless networks is jarring. But the reality is that these "rogue wireless networks" are a common security problem for organizations of any size.

Even companies that have a security staff periodically scanning for rogue networks set up by employees can miss wireless access points operating in "stealth mode," said security researcher Josh Wright with Aruba Networks, a Sunnyvale, Calif., firm. For instance, a free software tool called "Wknock" enables its user to set up a wireless router so that it responds only when it is given a predetermined sequence of data, presumably a string or sequence of network signals known only to the individual who set it up on the network.

Wright, whose firm sells wireless monitoring services, has audited dozens of companies for rogue wireless networks. Companies that have strict "no wireless" policies are usually those firms that have the most problems with rogue networks.

"A lot of times employees want wireless access and figure if their organization isn't going to provide it to them in a managed and hopefully secure deployment, often times those users will go off and decide to implement their own," Wright said.

The IG's report found that the IRS was attempting to detect unauthorized access points on an ad hoc basis, with limited success. As of May 2006, the IRS had scanned fewer than 6 percent of its nationwide locations, concentrating mainly on offices in the Washington area.

"We believe this scanning is of limited value, considering wireless access points can be set up easily anywhere in the nation and can place the confidentiality of the data at risk," the inspectors wrote. The report calls on the IRS to begin using available tools to continuously monitor its offices for rogue networks, a recommendation that the IRS said it planned to implement.

By Brian Krebs  |  April 20, 2007; 2:15 PM ET
 
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Apple Issues Patches for 25 Security Holes
Next: $10K Prize Nets Apple Vulnerability

Comments

I feel very helpless trying to prevent identity theft because you have to rely so much on others for your security. I think something major will have to happen before the government really pays attention to its lax practices.

Posted by: A | April 20, 2007 6:10 PM | Report abuse

All organizations struggle with trying to manage large enterprise networks and what is connected to them. The IRS alone has over 750 locations around the country and probably doesn't have the right number of security folks or active monitoring to cover all of that territory. No different than a large global company. That's why organizations need to do routine scanning, network mapping, and probing of these networks.

Posted by: A2 | April 21, 2007 8:47 AM | Report abuse

It is a classic case of ease of use versus security. It's also a consequence of complexity.

Problem is that many organizations simply do not put forth the resources to properly secure their network and systems. Even when they do, they fail to realize security is an ongoing process. It's not something you implement, then walk away from.

Posted by: TJ | April 21, 2007 2:59 PM | Report abuse

I have been looking for sites like this for a long time. Thank you!
This is very interesting site...
The current site version is (http://alles.qupis.com)
Web Site: http://alles.qupis.com

Posted by: Britny Bears | April 21, 2007 4:48 PM | Report abuse

The IG audit finding unauthorized IRS wireless networks reminded me of one in my agency a few years back. Our IG auditors, hired to do the FISMA report, reasonably checked for such networks and were elated to report that they had found one. When I, the IT security guy, asked to see the data, they were reluctant to let me have it -- those guys are always trying to nick the IT guys and they thought they had me cold. Finally I had the chance to examine it and, with a little testing of my own, was able to demonstrate that the rogue network belonged to a contractor for another agency and the signal was originating from a building a hundred yards from my own agency. It was only one of many times the auditors ended up with egg on their faces because they were so set on finding something bad to report.

Posted by: WW | April 23, 2007 1:34 PM | Report abuse

I think in this time of technolgy not using wireless is the real issue. Train the people to secure it and have laptop brainstorming sessions. Instead they want to put it in the papers right around tax day time to get people more angry with the IRS. With cell phones and PDAs, wireless is everywhere. In the meantime the real problem, congress is still writing new tax laws that the IRS has to try and work into their systems. All of this while running on the poorest budget possible.

Posted by: Jon | April 24, 2007 9:33 PM | Report abuse

interesting thank you...
foreclosure attorney michigan prostitutki foreclosure attorney michigan

Posted by: Mqwuyera | May 8, 2007 9:19 AM | Report abuse

Thank you!
france holiday sporting free game demo france holiday sporting

Posted by: Hazjqera | May 8, 2007 2:33 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company