Are Security Firms Promoting Insecurity?

By Ed Sutherland

July 13, 2005

FUD -- fear, uncertainty, and doubt -- is an effective tool for marketing wireless protection, whether or not someone is out to get you.

In all marketing there is some hyperbole, some stretching of the truth to peddle a product or service. Yet a recent wave of hype surrounding Wi-Fi security may indicate that what began as a helpful educational campaign is turning into fear-mongering.

When Wi-Fi first launched, vendors largely ignored security, believing it would lead to complexity and cause consumers to hesitate about buying the new wireless networking technology, according to John Pescatore, Gartner Research security analyst. He says, “This led to ineffective security, like WEP [wired equivalent privacy], instead of real security features.”

“Early on, the highlighting of threats and break-ins was good” to educate the Wi-Fi public, believes the Gartner analyst. “However, in the past year or so we have definitely seen over-hype of WLAN security threats.”

In June, Gartner was praised when it reported what it felt were the top five over-hyped security threats, including fears about using public Wi-Fi hotspots, spam aimed at VoIP, and viruses and other malware targeting wireless devices such as PDAs and cell phones.

While saying the research group would like to claim some credit for limiting the growth of hype, “the natural tendency of any market is to hype away,” according to Pescatore.

Wi-Fi Hacker How-To?

Recently, Wi-Fi security vendor LucidLink released a Flash movie entitled “Through a Hacker’s Eyes,” a chronicle of a hacker attacking a Wi-Fi network. Described as a “step-by-step explanation of a wireless hacker’s activities,” the demo shows the freely available hacking tools used to crack 128-bit WEP encryption, “instantaneously rendering a secure network unsecured.” The demo ends with an advertisement for the free LucidLink Home Office security product, a software-based authentication server for SOHOs and small businesses.

“I’m not saying there’s no hype,” says Wayne Burkan, vice president of Marketing at LucidLink. “Is it hype to point to that [hacking] and say it’s bad?”

“There’s a huge number [of people] out there hacking the data,” says Burkan. He says the company has received a deluge of responses to the hacker demo. Some people are e-mailing the company saying they had no idea it was so easy to hack a Wi-Fi connection, while some self-professed hackers are saying they aren’t interested in breaking into a network just to read people’s emails, says Burkan.

LucidLink began looking for a real hacker, but decided against it, not wanting to promote the activity. After considering using a professional security firm, the company decided on using a LucidLink employee. The hacking shown in the movie -- from identifying the network to reading private data -- took a day and a half, says Burkan.

High-profile events such as political conventions and trade shows have served security vendors well as venues to test their wares and to track the overall security in use -- or the lack thereof. Vendors like Newbury Networks and AirDefense have frequently put out media alerts after wireless trade shows.

Earlier this year, AirDefense alerted the public to a ‘new’ wireless security breach it termed the “Evil Twin.” Known for years as a man-in-the-middle attack, the security threat presents an identical Web page for users to log in at public hotspots. “The attacker coerces the user into revealing personal and confidential information that can be used for the purposes of identity theft or other illegal activities,” warns the company. Like LucidLink, AirDefense’s notice on Evil Twins was tied to a promotion of its free security application.

“I have not seen many ‘new’ security threats recently, although new names as ‘evil twins’ come up often,” says Ina Sebastian, a Jupiter Research wireless analyst.

Take, for example, the claim this week from AirMagnet of another 'new' type of attack. Building on the use of the letters "ph" instead of "f" as seen in the term phishing, they coined "phlooding" to name what is essentially just a variation on a Denial of Service (DoS) attack. The difference, says AirMagnet vice president of marketing Rich Mironov, is that phlooding is a "wirelessly generated attack against a wired asset," in this case, a company authentication server. He admits that phlooding is "not a radical departure, but it is an interesting combination." And, of course, it's a combination his company's product, AirMagnet Enterprise 6.0, is ready to identify and prevent.

In fact, he says AirMagnet now will feature a "day zero" alarm. It's a term that comes from medicine, where day zero is the first day a disease is seen. Mironov says AirMagnet will look for unusual patterns and make correlations with the usual Wi-Fi network traffic to identify possible attacks that might otherwise go unnoticed.

Security “is consistently the number one concern and barrier to deployment,” according to Sebastian, who says that in surveys and interviews with enterprise executives, security concerns even topped performance issues.

While worries about rogue users from the outside and rogue APs from employees were the top two security concerns of executives, the most common threats were self-made, according to Sebastian. “The most frequent problems are self-inflicted and arise from misconfigured devices.”

Insecure Security Market

But Wi-Fi security isn’t all hype. “The security industry has done a wonderful job of developing technology to protect against outside attacks,” says Keith Nissen, security analyst at In-Stat. “Successful security breaches are very rare these days.”

While threats from the outside are being deflected, “most attacks are from the inside these days,” says Nissen. As the workforce becomes more mobile, security vendors are recognizing the change and adapting. “We are seeing more distributed security.”

Security vendors offering standalone appliances must also adapt to a shrinking market. “Security technology is now being incorporated into every sort of product, such that security appliances are no longer a high-growth market,” Nissen says.

So common is the need for security that it is becoming a commodity making its way into routers, APs and many other devices -- AirMagnet, for example, is building its software into other vendors' products, and is using third-party APs like Cisco's Aironet line as scanners.

As the commoditization of security continues, vendors relying on sales from standalone security products will vanish. “A lot of these security vendors won’t be viable,” according to Nissen.

The More Things Change...

Although much of security has focused on hackers peering into your WLAN, drive-by snoopers sneaking into your files or public hotspots duping mobile users, professional hackers have become the biggest threat, according to wireless analyst Craig Mathias of the Farpoint Group.

While security vendors and others have aggressively pointed to possible threats, users still are split on the subject. Despite the publicity, 21 percent of those online say security questions prevent them from using public hotspots -- down only four points since a year ago.

Although 76 percent of consumers are concerned about Wi-Fi security, 80 percent do not turn on Wi-Fi Protected Access (WPA), the security standard promoted by the Wi-Fi Alliance, according to Sebastian.
