RSA Conference

    Wireless: Blog


    Oct 21, 2007

    Open Devices

    Tim Mather, Chief Security Strategist, RSA Conference

    The announcement this week by Steve Jobs on Apple’s Web site that Apple has reversed its position and will now open the iPhone to third-party application developers is a big deal. The AOL business model of a ‘walled garden’ didn’t work. It took years for AOL to realize that. More recently the Wall Street Journal and The New York Times have also relearned that lesson with regard to their Web sites. So, in one sense Apple’s decision to open the iPhone is not surprising. On the other hand, the wireless industry in the United States has dug in its heels hard on not allowing open devices, so Apple’s decision is a breath of fresh air – and reality.


    With the iPhone’s popularity, the big question now is, will the wireless providers in the United States (e.g., Verizon, AT&T, Sprint Nextel) follow Apple’s lead?  I believe the answer is yes – reluctantly and belatedly, but yes.


    Apple expressed the ‘usual’ security concerns in its announcement on October 17th, stating that it wants to “protect iPhone users from viruses, malware, privacy attacks, etc.” But it, and every other vendor, should be doing that anyway. Haven’t we finally learned the lesson that proprietary does not equal security? (Of course, the converse is not necessarily true either: open source does not necessarily equal security.)


    However, the longer-term question for the wireless industry is, if the wireless service providers follow Apple’s lead, what does this action mean for other technology companies that are positioning themselves to enter the wireless industry? Specifically Skype, which has already entered the wireless industry with its own dedicated mobile phone, and, more interestingly, Google, which has been considering bidding in the Federal Communications Commission’s upcoming wireless spectrum auction in January?


    I think that the next couple of months will be very interesting for the technology industry.

    Aug 31, 2007

    The Times They Are A Changing - Open Phones

    Tim Mather, Chief Security Strategist, RSA Conference


    Continuing from my last post, the times they are definitely a changing for the mobile phone ecosystem. The second aspect of this change is the availability of open phones. Not only are the phones open, but their operating systems are open too – Linux. The world's first open source mobile phone (First International Computer’s (FIC) Neo1973) will be available in September – priced less than an Apple iPhone. Others will follow as open development environments for Linux, such as Qtopia Greenphone, become available. Additionally, some of the major network operators are hedging their bets on this trend with involvement in either the LiMo Foundation (NTT DoCoMo, Vodafone) or the Linux Phone Standards (LiPS) Forum (Orange / France Telecom, Telecom Mobile Italia).


    Network operators are hedging their bets because with the FCC order, the network operators in the United States have now fallen back to a media and lobbyist campaign invoking FUD (fear, uncertainty, and doubt). Yes, that old security industry selling technique of inducing FUD is now being used by non-security industry companies. The network operators are now arguing U.S. national security will be harmed by the threat that open devices pose to this piece of critical infrastructure. While the shrill tone of this FUD campaign is exaggerated, the operators are correct that open devices could allow for greater exploitation of security vulnerabilities in new applications and open devices due to weaker security architectures and testing.


    Network operator FUD is based on grafting the current Microsoft Windows PC paradigm onto the mobile phone market and claiming that an escalation of exploits against security vulnerabilities will occur. Witness the first hack of the Apple iPhone less than one month after its official release. If extrapolated, such exploits would in turn provoke an escalation in the security products available (and necessary) for mobile phones. This is today’s (in)security model for the PC ecosystem, and it is the model that established security vendors are following in the mobile phone market – for today. For example, companies such as Symantec, McAfee, and Sophos have all introduced anti-virus products for mobile phones.


    To break this arms race, a new paradigm for securing open devices is needed, and this will probably involve hardware-based solutions, such as the Trusted Computing Group’s mobile trusted modules. Whether that new security paradigm emerges or not, open devices are coming and are a sign that the times they are a changing indeed for the mobile phone ecosystem.

    Aug 29, 2007

    The Times They Are A Changing

    Tim Mather, Chief Security Strategist, RSA Conference


    Many of today’s mobile phone users were not even alive in 1964 when Bob Dylan released what became a signature anthem for the protest movements of the 1960s. Nearly forty years after French students on the barricades of Paris in May 1968 battled the educational establishment, a business revolution with consumers manning virtual barricades against network operators is rapidly developing. The times they are a changing for the mobile phone ecosystem. While American consumers await the upcoming Federal Communications Commission (FCC) auction of wireless spectrum due to take place starting in January of next year in the United States, changes fostered by Google, Skype, other technology companies, and even high school students are provoking another metaphor: a new security arms race.


    Innovation in the market for mobile phones has been constrained by the carriers’ control over the devices allowed onto their networks. As one critic said rather sarcastically about this lack of innovation, “10 years and all we have to show is ring tones.” Well, the network operators have given us camera phones too, and GPS services are now beginning to appear. However, that cynical comment about ring tones is largely accurate. It is a short list indeed of new innovations fostered by the current business and regulatory environment for mobile phones.


    That situation is about to change. The first aspect of that change is the July 31st announcement by the FCC that licensees will be required “…to allow customers, device manufacturers, third-party application developers, and others to use or develop the devices and applications of their choosing…, so long as they meet all applicable regulatory requirements and comply with reasonable conditions related to management of the wireless network (i.e., do not cause harm to the network).” Open devices may finally be coming to American mobile networks.


    The American network operators, notably Verizon Wireless, made some ridiculous legal arguments to the FCC against this openness.  Verizon even claimed such openness would be an infringement on the U.S. Constitution’s First Amendment – that Verizon’s commercial free speech would be impaired. Translation: any communication to the customer other than that allowed by Verizon is unacceptable. What is clearly unacceptable to consumers manning the virtual barricades however is network operators’ domination of their mobile phone experience, high prices, coupled with arrogance, poor customer service, and a lack of innovation.


    Consumers are already taking matters into their own hands. A seventeen-year-old high school student in New Jersey published details last week on his Web site about hardware changes to Apple’s iPhone to unlock it from network control (i.e., currently restricted to use on AT&T’s network in the United States only). Similar unauthorized (by network operators) iPhone unlocking techniques have been announced by the iPhoneSimFree group and a Czech company, Bladox.


    The second aspect of this change is the availability of open phones. To be continued.....

    Jul 30, 2007

    Open Phones: Carriers and the Government

    Tim Mather, Chief Security Strategist, RSA Conference


    As the Apple iPhone brings on a new level of complexity and feature sophistication, a big question that is begging to be asked is what does this say about open phones? Customers are growing tired of closed phones where only carrier-approved applications can be downloaded, and those customers are increasingly unwilling to pay the high prices charged by the carriers. Customers want open phones where they can load whatever applications they want onto their phones, and get those applications from vendors other than carriers.

    At least one influential member of Congress apparently feels the same way. Representative Ed Markey, Democrat of Massachusetts and Chairman of the House subcommittee on Telecommunications and the Internet Committee, recently held hearings on this issue.
     
    Verizon, AT&T, Sprint Nextel, and T-Mobile are hardly seen as altruistic or visionary on this matter, and yet the issue is really a cellular replay of the 1968 “Carterfone decision” by the FCC which allowed non-AT&T devices to be connected directly to the AT&T network. That ruling led to a telecommunications revolution, which has been stopped at the cellular threshold by the carriers.

    Google and Skype have already asked the FCC to require that carriers open their networks and devices. So far the carriers’ response has been predictably negative. Interestingly, there are strong parallels between this issue and the still simmering net neutrality fight. The New York Times reported, “Verizon Wireless, however, contended that Google’s proposals would open its network to phones that Verizon had not approved and ‘that cannot reliably communicate with law enforcement,’ a grave problem ‘in an era of heightened national security concerns.’ …  In other words, stick with Verizon-certified phones, or the terrorists win.” Oh, please!  (‘Dick Cheney to the white cellular courtesy phone please. We have an Al-Qaeda plot on line #1.’)

    Apr 11, 2007

    Wi-Fi Security and RSA® Conference 2007

    AirDefense, an exhibitor at RSA Conference 2007, published some interesting stats about the lax security in mobile devices carried by attendees during the Conference. Some articles written on AirDefense’s findings were not clear about what exactly was insecure – devices or the RSA Conference wireless network.


    Since it wasn’t the RSA Conference wireless network, we thought this would be a good opportunity to explain, in detail, the wireless network configuration and security at RSA Conference 2007, the monitoring conducted by AirDefense, and what you can do to protect yourself.

     

    The RSA Conference wireless network was available to full Conference attendees, which included speakers and members of the press.

     

    802.1x Authentication

    The RSA Conference wireless network was built-out with Cisco 1200 and 1100 series access points (APs). The APs communicated with an access point designated as the Wireless Domain Server (WDS) which authenticated users with a Cisco Access Control Server (ACS) located on site. All communications between the APs and the authentication server were on a separate VLAN from user traffic. The VLAN was protected with a firewall.

     

    In the first phase of the 802.1x authentication process, users’ systems were presented with a certificate from the ACS, signed by a Verisign Secure Server Certification Authority.  Authentication was done with 802.1x Protected Extensible Authentication Protocol (PEAP) with MS-CHAP version 2. Users needed to configure their PEAP supplicants to accept this certificate alone, to assure that they were connecting to the RSA wireless network and not a rogue AP located on-site.

     

    User Requirements

    To use the 802.11b/g wireless network, users needed an 802.1x PEAP supplicant installed on their computer. Users needed to specify the digitally signed certificate they expected to receive from the AP. After network authentication with a unique username/password combination, users received a dynamically assigned unique encryption key. For Microsoft Windows users, the information was stored in the registry after the first successful connection. For Mac OS or a third-party supplicant, the information was kept in their 802.1x connection settings. A service desk was available to help users configure their wireless settings.
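To make the supplicant requirement in the two sections above concrete, here is an added example (written for this page; it is not RSA Conference’s configuration and not code from any vendor named here) that parses wpa_supplicant-style network blocks and reports PEAP profiles that would accept any authentication server. The SSID, certificate path, server name and credentials are constructed placeholders. The weak profile lacks `ca_cert` and any server-name match, which is exactly the setting that lets a rogue AP on site impersonate the conference network; the hardened profile pins the CA that signed the server certificate and the expected server name, the “accept this certificate alone” rule the service desk configured for attendees.

```python
"""Audit wpa_supplicant-style PEAP network blocks for server-certificate checks.

Added example for illustration; not RSA Conference's configuration.
SSID, certificate path, server name and credentials are constructed placeholders.
"""
import re

# Constructed sample: a weak profile that accepts any RADIUS server certificate.
WEAK_PROFILE = """
network={
    ssid="RSAConf-PLACEHOLDER"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="attendee"
    password="PASSWORD-PLACEHOLDER"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed sample: the same network with the CA and server name pinned.
HARDENED_PROFILE = """
network={
    ssid="RSAConf-PLACEHOLDER"
    key_mgmt=WPA-EAP
    pairwise=TKIP
    group=TKIP
    eap=PEAP
    identity="attendee"
    password="PASSWORD-PLACEHOLDER"
    # Only certificates chaining to this CA are accepted (placeholder path).
    ca_cert="/etc/ssl/certs/conference-ca.pem"
    # And only when the server certificate carries this name (placeholder name).
    domain_suffix_match="acs.example.org"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(conf_text):
    """Return one dict of key/value fields per network={...} block."""
    networks = []
    for body in BLOCK_RE.findall(conf_text):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks


def audit_peap(fields):
    """Return a list of findings for one PEAP block; an empty list means it passes."""
    findings = []
    if fields.get("eap", "").upper() != "PEAP":
        return findings  # not a PEAP profile; nothing to check here
    if "ca_cert" not in fields:
        findings.append("no ca_cert: any certificate presented by the server is accepted")
    if not any(k in fields for k in SERVER_NAME_KEYS):
        findings.append("no server name match: any certificate issued by the CA is accepted")
    if "WPA-EAP" not in fields.get("key_mgmt", ""):
        findings.append("key_mgmt is not WPA-EAP: no dynamic per-user key will be negotiated")
    if "MSCHAPV2" not in fields.get("phase2", "").upper():
        findings.append("phase2 is not auth=MSCHAPV2: inner method differs from the expected setup")
    return findings


def audit_config(conf_text):
    """Map each SSID in the config text to its list of findings."""
    return {n.get("ssid", "?"): audit_peap(n) for n in parse_networks(conf_text)}


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        for ssid, findings in audit_config(text).items():
            print(f"[{label}] {ssid}: {findings or 'OK'}")
```

`ca_cert` alone only proves the server has some certificate from that CA; a public CA like the one named above issues certificates to many servers, so the server-name match is what ties the check to the conference’s authentication server rather than to any certificate that CA ever issued.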

     

    Users whose operating system and wireless hardware supported Temporal Key Integrity Protocol (TKIP) data encryption could use this capability for greater confidentiality. For user environments that did not support TKIP, they had the ability to use a dynamically assigned 128-bit WEP encryption with a key set to rotate once every 2 hours to assure a very high level of confidentiality.

     

    Additional Connectivity Options

    While the 802.1x PEAP network was the publicized network, an SSL-VPN gateway was available as a pilot program. This option was available to users that could not use 802.1x. The pilot program was also used to provide feedback on additional wireless options for future RSA Conferences. A separate wireless network (with a distinct SSID) was configured to only allow DHCP and HTTPS traffic with all other traffic blocked. To access the Internet, users had to initiate an HTTPS connection to the on-site router, verifying that the digital certificate presented corresponded to the conference equipment. The user’s machine then downloaded an SSL-VPN applet (ActiveX or Java) that allowed the client machine to tunnel all Internet traffic through the router. While this option did not allow users to initiate all types of VPN connections to their corporate networks, it provided a secure, confidential wireless experience, the ability to verify the network they were connecting to, and a configuration-free connection.

     

    AirDefense Monitoring

    Even with an extremely secure wireless network, the security of user laptops and mobile devices is a major part of the wireless security equation. Wireless-aware devices could connect to any open access point available at the Moscone Center. Most of the popular hot spots are unencrypted open connections (e.g. well-known coffee shops and other public wireless gatherings). The weak point is the end user, who does not control the far end of the connection, so any activity happening on that device is open to attack.


    AirDefense’s independent monitoring found that 56 percent of laptops, cell phones, personal digital assistants and PCs at the conference were susceptible to attacks because these devices were not properly secured. In addition, they found that attacks were stepped up during the conference to exploit these devices.  Given that RSA Conference was a gathering of security professionals who theoretically should have been more aware, the implications of not securing laptops for the general population are immense.
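As an added illustration of the kind of monitoring described above (example code written for this page, not AirDefense’s product logic, and run on constructed records rather than RSA Conference data), the following script reads a constructed scan log and flags (a) access points advertising the conference SSID from a BSSID the conference did not deploy, or with weaker security than expected, and (b) open networks in range that an unsecured attendee device might join. The SSID, BSSIDs and log lines are placeholders.

```python
"""Flag rogue access points and open networks in constructed wireless scan records.

Added example for illustration; not AirDefense's logic and not conference data.
The conference SSID, authorized BSSIDs and scan lines are all constructed.
"""
from collections import namedtuple

Beacon = namedtuple("Beacon", "ts bssid ssid channel security")

# Constructed inventory of the access points the conference actually deployed.
CONFERENCE_SSID = "RSAConf-PLACEHOLDER"
AUTHORIZED_BSSIDS = {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"}
EXPECTED_SECURITY = "wpa-eap"

# Constructed scan records: timestamp, BSSID, SSID, channel, security.
SAMPLE_SCAN = """\
2007-02-06T10:15:03,00:1a:2b:00:00:01,RSAConf-PLACEHOLDER,1,wpa-eap
2007-02-06T10:15:03,00:1a:2b:00:00:02,RSAConf-PLACEHOLDER,11,wpa-eap
2007-02-06T10:15:04,00:de:ad:be:ef:01,RSAConf-PLACEHOLDER,6,open
2007-02-06T10:15:04,00:c0:ff:ee:00:01,Free Public WiFi,6,open
2007-02-06T10:15:05,00:12:34:56:78:9a,BoothDemo-12,1,wep
2007-02-06T10:15:06,00:1a:2b:00:00:01,RSAConf-PLACEHOLDER,1,wpa-eap
"""


def parse_scan(text):
    """Parse comma-separated scan lines into Beacon tuples, skipping blanks and comments."""
    beacons = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, bssid, ssid, channel, security = line.split(",", 4)
        beacons.append(Beacon(ts, bssid.lower(), ssid, int(channel), security.lower()))
    return beacons


def find_rogue_aps(beacons):
    """Return {bssid: reason} for APs using the conference SSID that the conference did not deploy."""
    rogue = {}
    for b in beacons:
        if b.ssid != CONFERENCE_SSID:
            continue
        if b.bssid not in AUTHORIZED_BSSIDS:
            rogue[b.bssid] = "unknown BSSID advertising the conference SSID"
        elif b.security != EXPECTED_SECURITY:
            # A deployed BSSID suddenly beaconing weaker security is also worth an alert.
            rogue[b.bssid] = f"authorized BSSID advertising {b.security} instead of {EXPECTED_SECURITY}"
    return rogue


def find_open_networks(beacons):
    """Return the set of (ssid, bssid) pairs seen without any encryption."""
    return {(b.ssid, b.bssid) for b in beacons if b.security == "open"}


if __name__ == "__main__":
    seen = parse_scan(SAMPLE_SCAN)
    for bssid, reason in find_rogue_aps(seen).items():
        print(f"ROGUE  {bssid}: {reason}")
    for ssid, bssid in sorted(find_open_networks(seen)):
        print(f"OPEN   {bssid}: {ssid!r}")
```

The rogue check keys on the BSSID inventory rather than on the SSID alone, because the SSID is the one thing an impersonating access point copies; the open-network list is the client-side half of the picture, the set of networks a laptop or handheld with a permissive profile would join without the user noticing.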

     

    For a discussion of the issues of Wi-Fi security at the end user device, as well as the AirDefense findings at the Conference, there is a good overview by Richard Rushing, the AirDefense CSO, on YouTube.

     

    Protect Yourself

    At most technology shows, including RSA Conference, exhibitors are creating wireless networks to connect their demos to the Internet or computers to other machines in their booths. In addition, if the conference site is near a local hot spot like Starbucks, additional open networks may be in range. If your wireless device is not properly secured, it may connect to these networks. Any transactions over these networks are open and unencrypted and your device is subject to receiving any number of malicious attacks. While your company email  or transactions might be protected by a VPN, other transactions, such as online banking or e-commerce, are not.


    The confusion created by the sheer volume of wireless networks at shows like RSA Conference provides fertile ground for hackers. When attending events (or even connecting at your local hot spot), make sure that your mobile devices are secure and connecting only to a secure network. There are products available at minimal to no cost that can ensure that your device is not a target.

     

    The situation at RSA Conference is happening at hot spots on a daily basis because in general, people think that the network is where the security problem lies. Therefore they leave their mobile devices vulnerable even when the wireless network itself is very secure.


    Comment: We are waiting for new standards.

    Name: Sheran

    URL: www.sheelf.com

    Comment: Wow... I think that's great. OK, I think the two T2s are better served with Solaris, but for workstations this is very interesting. Then the Ultra can be integrated into an existing environment without any problems. Thanks for the news! http://www.batteryfast.com/acer/tm3200.htm

    Name: laptop battery

    URL: http://www.batteryfast.com

    Mar 01, 2007

    Our List of Top Blogs for Wireless

    Here are four blogs on Wireless security.

    Unwired: Building & Maintaining Secure Wireless Networks
    Follow this Systems Engineer on a journey into the latest in wireless technology; you’ll find updates on new security issues and vulnerabilities, information on IEEE standards, advice on networking hardware, and unique insight on building and maintaining a secure wireless network.

    Voice of VoIPSA
    Collective thoughts and musings on the state of VoIP security today.

    Zaib Kaleem's blog
    Wireless Networks, Wireless LAN Security, Mobility and More

    IT Wireless
    IT-Wireless covers mobile enterprise and wireless technology news.

     

    Let us know of any blogs you recommend for Wireless Security.

    © 2008 RSA Conference