Risks of Rogue Technology

During a recent White Hat sweep of downtown Denver, reports Comerford, his company detected a bank manager who had installed an off-the-shelf wireless access point in her office. "We were sure the bank's IT department had not authorized or implemented this link. Meanwhile, this access point was wide open and broadcasting. Needless to say, when we told the bank it woke a few people up."

Evidently, many companies are still asleep at the switch. "Most companies have no idea how vulnerable they are," says Dean Au, the CEO, president, and founder of AirMagnet Inc., a Sunnyvale, California-based Wi-Fi security and performance monitoring company. "When they buy our remote handheld device and go out sniffing for wireless access points, at least 20 pop up in the first 30 seconds. Employees are out there sharing files wirelessly, and meanwhile, anybody can read their hard drives."

Rich Mironov, AirMagnet's vice president of marketing, recalls one client, a fund manager who had purchased some new laptops with wireless capability, who was floored when he realized that the units were shipped with the wireless functionality turned on. "Here they go taking the laptops out of the box, which are already powered up and looking for an access point," says Mironov. "Talk about an instant security issue. If there is an access point across the street, the laptops would immediately want to talk with it. They will literally attach and connect."

Seemingly innocuous PDAs can enable unauthorized wireless access, too. "A lot of these new pocket PCs have built-in wireless, and it seems reasonable that if you're floating around at Starbucks with one of these with no firewall, it's just a matter of time before some mastermind figures out a way to hack it," says Galen Schreck, a Forrester research analyst. "We haven't seen any pocket PC viruses yet, but they're inevitable. Besides, there's always the risk of losing it, which is a lot harder to do with a laptop. Meanwhile, you've got 64 megabytes of RAM in there that may contain sensitive company information."

PDAs pose an additional problem: "People go out and get these specialized PDAs that interfere with existing corporate systems because they're not standardized to them," says Belanger. "That then takes up the help desk's time to get the system back up and working. For example, our corporate policy is to support Palm devices. When somebody goes out and buys a BlackBerry and the thing has a problem, it consumes the help desk's resources and takes time away from supporting our legitimate PDA users."

Is It a Tool or a Toy?

The threat of rogue technology isn't limited to wireless applications. According to research firm IDC, some 5.5 million employees send instant messages at work. Unfortunately, many of them use free IM software that they downloaded off the Web. "Anybody can sign up and use Yahoo or AOL for instant messaging," says Schreck.

"Normally, corporate E-mails and IM are sent through the company firewall, where there is an opportunity to filter them — HR can see if you're talking about inappropriate things, for instance," he adds. But that's not true of instant messages transmitted by an outside company, such as AOL; you'd need to deploy specialized software to filter the content. Adds Schreck, "That's why many companies forbid the use of outside IM services."

Gold agrees that IM is another open window. "IM is important in a corporate context just so long as it is corporate IM," he says. "It's an incredibly effective way for employees to ask each other quick questions. But people do stupid things, sending a message to a colleague or a friend about the company's financial information, like, 'we're going to have a loss this quarter — don't tell anybody.' Under Sarbanes-Oxley this would be material information."

Peer-to-peer applications like KaZaA, the oddly-spelled music downloading technology, create other vulnerabilities. KaZaA is designed to allow music lovers to easily share audio files with one another, but if an employee downloads the software to an office machine, it may just as easily allow company files to be inadvertently shared with millions of other KaZaA users. "We had to rebuild ten laptops here that had been corrupted by KaZaA installations," says Belanger. "They really mess with other programs. Moreover, there's the risk of copyright liability — storing copyrighted music that is freely shared with others. That's a lawsuit waiting to happen."

Gold brings to mind a particularly Kafkaesque nightmare — the surreal distortions and sense of impending danger that only a camera phone can produce. "There's a reason why many companies ban regular cameras at the worksite," Gold explains. "If you're Intel, do you want workers happily snapping pictures of their colleagues, while in the background is the company's secret new technology?" But some managers may not look twice at camera phones, since they probably think of them more as telephones, and perhaps E-mail devices.

Belanger says that since Forrester doesn't have a "secret proprietary manufacturing process like Apple does," the company doesn't prohibit camera phones. "But I wouldn't be surprised to see Apple, a design company, or some fashion house outright ban these things." Reportedly, Samsung and LG Electronics, among other companies, have done just that.

Then there are USB tokens — nifty little storage devices also called fobs or key chains. "You can plug one of these hundred-dollar tokens the size of a thumbnail into a standard USB port on a PC and walk away with a gigabyte of data," says Alex Cone, CEO of CodeFab Inc., a New York-based software consulting firm. "These things are pervasive." So pervasive, notes Belanger, that he picked up a USB token as a convention giveaway.
