The 802.11n standard was ratified in 2009 and WiFi really took off in 2010, with support showing up in an array of consumer electronic devices. Unfortunately security related issues escalated right along with growing acceptance.  Here’s a look back at the WiFi security issues that emerged this year.
Virtual WiFi leads to rogue access points: The Windows 7 virtual WiFi capability, or soft AP, became popular in the early part of 2010, with users downloading millions of copies of free programs such as Connectify to exploit feature.  But it didn’t take long for security experts to see the danger and warn organizations about the possibility of employees creating possible rogue access points using virtual WiFi. These rogue APs can create a hole in your network security and allow an unauthorized user to “ghost ride” into the corporate network.  This type of access can be difficult to notice using traditional wire-side techniques, so experts advocated watching carefully for the appearance of rogue APs while upgrading machines to Windows 7.
MiFi gains popularity: Â Steve Jobs experienced a WiFi malfunction during the iPhone 4 launch in June 2010. An examination after the fact revealed that around 500 mobile hotspot networks were in use, supporting some 1,000 WiFi devices. This incident brought to light the security issues that can crop up from use of MiFi, and experts suggest using dedicated monitoring solutions capable of detecting these unauthorized devices on a 24×7 basis.
Google’s WiFi snooping controversy: In the middle of 2010 Google admitted that their cars used to collect Street View information also mistakenly collected payload data from unsecured WiFi networks. Many viewed the act as a privacy breach because the data collected included personal information such as email, passwords, fragments of files, browsed Internet data, pictures, video clips, etc. The controversy was a major black eye for Google but served as a big wake up call for all those WiFi users who still haven’t secured their WiFi networks. Â
Russian spies and peer-to-peer WiFi links: The use of private, adhoc WiFi networks for secret communication came to light when the FBI arrested a group of Russian spies who were using the tools to privately transfer data. Such adhoc WiFi networks set up links between WiFi users without using a centralized WiFi router. Corporations are advised to deploy monitoring tools that can snoop out such connections.
Fake WiFi stealing data from smartphones: Security experts discover that using a smartphone’s WiFi capability to access an open or public network can lead to a vulnerability if the user doesn’t tell the phone to forget the network.  Users that don’t follow this advice are in danger of getting trapped into a fake WiFi network by someone with malicious intents. Once trapped, users can end up leaking passwords and other private data, and might be at risk of malware and worms.
Hole196 uncovered for WPA/WPA WiFi networks: Â The name Hole196 was used for the vulnerability that was uncovered at security conferences in Las Vegas in July by AirTight Networks. The vulnerability was mainly targeted at WPA2 (using AES encryption) WiFi networks configured with 802.1x Authentication mechanism. Before Hole196 showed up, such networks were considered some of the most secure WiFi deployments around. With Hole196, these networks can be subjected to a fatal insider attack, where an insider can bypass the WPA2 private key encryption and 802.1x authentication to scan devices for vulnerabilities, install malware and steal personal or confidential corporate information. Although specially targeted at WPA (AES)/802.1x networks, the vulnerability also applies to the WPA/WPA2-PSK networks.
The folks that found Hole196 say exploiting the vulnerability is simple and the attack isn’t detected by traditional wire-side IDS/IPS systems. Being an insider attack, the importance of Hole196 was downplayed by some experts, but reports point out that, with the rise of insider attacks, Hole196 is now considered important. Security experts strongly advocate the use of a comprehensive WIPS solution.
Firesheep turns layman into WiFi hackers: Firesheep, the Firefox extension developed by Eric Butler, was released for public use in late 2010. Since then it has gained tremendous attention because it has almost automated the task of hacking over insecure WiFi networks such as hotspots. With Firesheep and a compatible WiFi client card, a malicious user just needs a single click to see the details of various people in his/her vicinity, visiting their respective accounts on websites (using unencrypted after-login session), such as Facebook, Twitter, Amazon, etc.
Another click and the malicious user can log into these sites, meaning even laymen can become hackers. Security experts remind people to exercise extra precaution while enjoying unsecured WiFi connections. The world is hoping Firesheep’s popularity will motivate the popular social network websites to take further steps to protect user security.
Smartphone as WiFi attacker: The year 2010 witnessed the release of many new high end smartphones but these devices are now being seen as active threats. While attackers previously needed to carry a notebook to eavesdrop on WiFi links or launch sophisticated WiFi attacks, they can now perform these tasks using a high end smartphone.
Reviewing the list of WiFi security issues that came up in 2010, it can be expected that 2011 will witness more of the same. With new WiFi attack vectors emerging, corporations will realize they need additional layers of security that can provide active protection.
About the author: Ajay Kumar Gupta is presently working with an enterprise dealing in WiFi security products. He has been in the field of wireless security for more than five years and is a frequent contributor to leading security magazines and blogs. He holds a master’s of technology degree from IIT Bombay in India.
CHARLOTTE (AP) – Officials in the Vermont
town of Charlotte say they found listening devices in the Town Hall
that would have allowed someone to eavesdrop on both public and
private town business sessions.
Town Planner and
Selectboard assistant Dean Bloch says the bugs were discovered in
October during a retrofit of a dropped ceiling.
Shelburne Police, who serve Charlotte, say the devices weren’t
working and they could have been up to 10 years old.
Officer Chris Morrell said that the spying
device were “primitive.” He says the two microphones were connected
to battery-powered, wireless transmitters that might have carried a
signal into the parking lot.
The Mclean-based hotel giant has settled a lawsuit in which rival Starwood Hotels Resorts accused Hilton of using stolen trade secrets to launch a niche brand called Denizen Hotels and advance other Hilton lines such as its Waldorf Astoria Collection.
The settlement, disclosed in a federal court filing Wednesday, calls for the appointment of an independent monitor to make sure Hilton doesn’t take advantage of the documents allegedly purloined from Starwood.
For just over two years, the settlement also prohibits Hilton from creating any hotel brand that would compete “in the lifestyle hotel or branded boutique space.”
There was more to the settlement, but some terms were kept confidential, Hilton said.
“Hilton Worldwide regrets the circumstances surrounding the dispute . . . and is pleased to bring an end to this prolonged litigation,” Hilton chief executive Christopher J. Nassetta said in a news release. Under the settlement, Hilton denied Starwood’s allegations.
The Justice Department previously revealed that it was conducting a criminal probe, and the document filed in court Wednesday said a grand jury is still investigating.
Starwood operates hotels under brand names that include St. Regis, W Hotels, Westin, and Sheraton. The company’s lawsuit, filed in U.S. District Court for the Southern District of New York, alleged a far-reaching effort by Hilton to exploit internal Starwood documents obtained when Hilton hired executives away from Starwood.
Hilton’s “senior management personally induced and used Starwood employees to serve as corporate spies . . . to provide Hilton with real-time information about Starwood’s confidential development plans,” the lawsuit said.
The litigation began after Hilton informed Starwood in February 2009 that it had found confidential Starwood information at Hilton and in the homes of Hilton employees. Hilton turned over to Starwood thousands of Starwood documents and computer files.
Starwood alleged that Nassetta was told of the theft months earlier and that, in November 2008, an executive whistleblower within Hilton sent Nassetta a letter describing the wrongdoing.
Hilton introduced its Denizen brand in March 2009, and Starwood alleged the concept was developed using Starwood’s internal documents.
SAN FRANCISCO –  A federal judge on Tuesday ordered the U.S. government to pay more than $2.5 million in attorney fees and damages after he concluded investigators wiretapped the phones of a suspected terrorist organization without a warrant.
U.S. District Court Judge Vaughn Walker said the attorneys for the Ashland, Ore., chapter of the now-defunct Al-Haramain Islamic Foundation should receive $2.5 million for waging its nearly five-year legal challenge to the Bush administration’s so-called Terrorist Surveillance Program.
Walker also awarded $20,400 each to Wendell Belew and Asim Ghafoor, two of the foundation’s Washington D.C.-based lawyers. They had their phone conversations with Al-Haramain principals monitored, the judge said.
“The system worked,” Ghafoor said. “And we really hope that the government lets this stand and writes it off as a bad program from a previous administration..”
Earlier this year the judge found that investigators illegally intercepted the electronic communications without warrants. Government lawyers have refused throughout the litigation to disclose whether investigators eavesdropped, “although the fact of such surveillance is not in doubt,” the judge concluded.
The Department of Justice lawyer who defended the program in court for the Bush administration and then the Obama administration, Anthony J. Coppolino, didn’t return a phone call late Tuesday.
The judge refused to award any punitive damages, saying the investigators didn’t act in bad faith in following the guidelines of the controversial program exposed by the New York Times in 2005.
“The record shows that the government had reason to believe that Al-Haramain supported acts of terrorism and that critical intelligence could be obtained by monitoring Al-Haramain,” the judge said.
The Treasury Department froze the assets of the Ashland chapter and declared it a “specially designated global terrorist” on Sept. 9, 2004. Treasury officials believe the Ashland chapter delivered $150,000 overseas to “support terrorist activities by the Chechen mujahideen,” the judge concluded.
Pete Seda was convicted in October of tax fraud and conspiracy for helping another official of Al-Haramain smuggle the $150,000 out of the U.S. to Saudi Arabia in 2000. Seda’s lawyers are preparing an appeal.
The eavesdropping was initially discovered when Treasury Department officials mistakenly turned over a document to Al-Haramain lawyers that appeared to be a top-secret call log.
Even though lawyers were ordered to give back the document and not rely on it in the lawsuit, they were still able to convince Walker with other evidence that they were warrantless wiretap targets.
Generally, government investigators are required to obtain search warrants signed by judges to eavesdrop on domestic phone calls, e-mail traffic and other electronic communications. But Bush authorized the surveillance program shortly after 9/11, allowing the National Security Agency to bypass the courts and intercept electronic communications believed connected to al-Qaida.
Cairo, Dec 21 (PTI) An espionage network working for
Israel has been identified in Egypt, a top official of the
country has said.
Main member of the network Ziad Hussien has travelled a
number of times to Israel and was trained by Israeli
intelligence, Egypt’s prosecutor general Abd-al-Megeid Mahmud
announced yesterday.
The main activity of the network was to interfere in the
path of phones calls made by influential figures in Egypt and
transfer them to Israel.
Members of the network had communication offices in the
Cairo suburb of Maadi, he said.
Last week news sites had reported that employees of
Egyptian cellular service provider Mobinil were allegedly
eavesdropping on phone calls of Egyptian ministers and later
selling the information they obtained but the company
categorically denied such claims.
Meanwhile Egyptian authorities have also nabbed a local
businessman Tarek Hassan on charges of spying.