Re: Perhaps the most OBVIOUS question you will ever see.

From: Mark Gamache (mark.gamache_at_css-security.com)
Date: 01/28/05


Date: Fri, 28 Jan 2005 09:38:31 -0800

George,

I used to work for a WISP that used 802.11. I think your boss would be
amazed at how far off I can be and still connect to your network. If you
have a wireless network, you have to assume that the RF is not secure unless
you do in-depth RF planning, a survey and remediate with RF absorbing paint
and what not.

It sounds like your boss is lazy and doesn't want to deal with the issue so
he's throwing out any old argument. It's really as simple as this: Either
protecting the data is important or it's not. His argument says that it's
not, so why not take down your firewall and publicly address your entire
organization?

As for what a hacker can do... Absolutely anything that an authorized user
can do. You seem flippant about gathering usernames and passwords, but this
is easy and from there one can use the stolen privileges to wreak havoc.
Unless your VPN solution requires a certificate that can't be acquired from
the outside, a hacker just needs to get a single username and password combo
to get into your core network.

If your accounting system uses direct wire transfers for bill payments, that
is at risk. One could open up a dummy bank account, and create a new vendor
in your system and initiate a transfer to the account.

I guarantee that a hacker can read your CEO's email and send email as your
CEO. The social engineering power of sending an email as your CEO is
enormous.

Your CEO probably uses the same password for his network logon as he does
for his electronic banking... Once a hacker has access to that, your
identity is toast.

Customer data... I'm not sure your industry, but if you store any customer
financial data such as credit cards, that is exposed.

The list is never ending...

-- 
Mark Gamache
Certified Security Solutions
"Curious George" <curious@spampoop.com> wrote in message 
news:99hKd.1635$Vt6.340@fe10.lga...
> Dear Colleagues:
>
> For the life of me I don't know why I have to ask this question since the
> answer is so obvious, however, I need to have others tell me that I am not
> completely insane.
>
> I work at a place where we have a myriad of wireless access points and NO, I
> am not writing from there at present.
>
> NONE of the wireless access points has any form of security on them
> whatsoever.  No WEP, no CHAP. . . no nothing.  Everything is open so you
> could walk into our joint, grab an IP address and surf the web to your
> heart's content.
>
> Here is the problem.  My boss insists that it's "no big deal" and that since
> the servers are on the inside and protected, we really don't have a thing to
> worry about.  Furthermore, my boss is under the impression that since we are
> situated in a wide area, that nobody would be able to get into our network
> because of this distance.  Needless to say, my boss does not consider
> somebody sneaking into a parking lot with a laptop, a good network card and
> a directional bazooka antenna a possibility.
>
> So here is what I have to explain to my boss' boss and, perhaps, the board
> of directors. . . and here is where I can't help but laugh.  I hope that I
> will be able to keep a straight face come Monday when I have to explain
> myself to people why it's important.
>
> Okay, so I know the analogies.  For example, I understand that not having a
> secure wireless network with many WAPs and high gain transmission antennas
> is the same as putting cables out to anybody within 'x' amount of yards with
> a sign that says "free internet access", but since I am going to be asked
> these obvious questions, just what type of damage could somebody do?
>
> Yeah, I know about denial of service attacks, yeah I also know about
> enumeration and password guessing, but considering that we have an SQL
> server on the inside of our network (no, the sa account password is not
> null) what are we talking about.
>
> I can envision so many things.  Like somebody just sitting there capturing
> packets to get things like usernames, passwords and the like, but come on. . .
> what else could they do.
>
> I have read my boss the riot act many times, but this is now going to go in
> front of somebody over my boss' head, so, aside from giving them worst case
> scenarios, end of the world analogies, etc., how else could people break in.
>
> Creative responses are appreciated and will be rewarded with much praise.
>
> I can't believe that I have to actually explain this to people, and this
> entire thing would last about two seconds when it comes to talking with a
> computer professional, but you see, my boss is under the impression that
> they are a computer professional because they received a Master's degree in
> Comp Sci back in the 80's.  I know that this line of thinking is dangerous,
> but I really want some creative answers to put my point across strongly, and
> yet professionally.
>
> Although I realize that this post will likely be the *** of many jokes
> (which I will appreciate immensely) I nevertheless would appreciate a bit
> of useful information in your responses.
>
> I am going to have a serious drink now, and then bang my head against the
> wall.
>
> Thanks in advance,
>
> CC
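Mark's point that distance is not a security boundary, and the original poster's "directional bazooka antenna", both come down to a link budget. As an added example (not from the thread), this script uses the free-space path-loss model with assumed, typical 2005-era figures to compare how far an ordinary laptop and a high-gain directional antenna can still decode the same access point; it is the arithmetic behind the RF planning Mark recommends.

```python
import math

# Added example (not from the original thread): a free-space link-budget
# calculator that quantifies the "we are too far away" argument.

FSPL_CONST_DB = 32.44  # Friis constant for distance in km and frequency in MHz


def fspl_db(distance_km: float, freq_mhz: float) -> float:
    """Free-space path loss in dB (ideal line of sight, no obstructions)."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + FSPL_CONST_DB


def link_budget_db(tx_power_dbm, tx_gain_dbi, rx_gain_dbi, rx_sensitivity_dbm,
                   cable_loss_db=0.0, fade_margin_db=0.0):
    """Total path loss the link can absorb and still decode frames."""
    return (tx_power_dbm + tx_gain_dbi + rx_gain_dbi
            - cable_loss_db - fade_margin_db - rx_sensitivity_dbm)


def max_range_km(budget_db, freq_mhz):
    """Invert fspl_db(): the distance at which path loss equals the budget."""
    return 10 ** ((budget_db - 20 * math.log10(freq_mhz) - FSPL_CONST_DB) / 20)


# Assumed, constructed figures for illustration (not from the page).
AP_TX_DBM = 20.0        # 100 mW access point
AP_ANT_DBI = 2.0        # stock omni antenna on the AP
FREQ_MHZ = 2437.0       # 802.11b/g channel 6
RX_SENS_DBM = -90.0     # client sensitivity at the lowest data rate
CABLE_LOSS_DB = 2.0     # connectors and pigtail on the client side
FADE_MARGIN_DB = 10.0   # allowance for multipath and weather

# Receiver antenna gains to compare (constructed).
RECEIVERS = {
    "laptop, built-in 2 dBi antenna": 2.0,
    "client with 24 dBi parabolic grid antenna": 24.0,
}


def range_table():
    """Map each receiver antenna to its maximum free-space range in km."""
    return {
        name: max_range_km(
            link_budget_db(AP_TX_DBM, AP_ANT_DBI, gain, RX_SENS_DBM,
                           CABLE_LOSS_DB, FADE_MARGIN_DB),
            FREQ_MHZ)
        for name, gain in RECEIVERS.items()
    }


if __name__ == "__main__":
    for name, km in range_table().items():
        print(f"{name:45s} ~{km:5.1f} km")
```

Free-space loss is a best case, so real distances are shorter, but the ratio is fixed by antenna gain alone: 22 dB more gain buys about 12.6 times the range, which is why a parking lot a mile out is well within reach of an unencrypted AP.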