Beating the Snoops

By Daniel Franklin

Preparing a conference presentation a few minutes before going onstage is cutting it close for some, but Gordon Mitchell, an information-security expert, wanted to make a point to an audience of skeptics about just how vulnerable they might be. Shortly before speaking to a group of corporate-intelligence specialists, Mitchell, 59, flipped open his laptop, plugged in an antenna and within moments slipped through the back door left open by the unprotected signal of the Seattle conference hotel's wireless network. "I was looking at their firewall from the inside," Mitchell says. "All the things they were using to protect themselves were useless," because he could have deactivated them at will. In the middle of Mitchell's talk--during which he projected in front of the audience his computer screen showing the network's firewall setup commands--one participant leaped from his chair and ran out of the room. "I asked him where he was going," Mitchell recalls, "and he said, 'I'm going to call my network guy.'"

Information, as any hacker will tell you, wants to be free. From Web-enabled PDAs to wireless networks, new technology is making data freer than ever. But if the data are more accessible to you, they're more accessible to anyone who knows where to look for them. To keep valuable information out of the wrong hands, more businesses are turning to the ancient art of encryption, making security software one of the few growth sectors in business technology. Over the past three years, sales of encryption products have jumped 86%, to $248 million--a figure that will rise to $379 million by 2006, according to the research firm IDC.

New information-hashing techniques are easier to use and harder to crack. But for all the high math that goes into the jumbling of important messages, hackers and security types alike realize that while encryption is hard, people are easy. All too often, the best-scrambled plans of cryptographers are laid waste by an overworked IT guy who forgot to flip the encryption switch or a lazy user who picked a too obvious password.

Today, IDC analyst Charles Kolodgy says, encryption is the "plankton" of the Internet: ubiquitous, almost invisible and indispensable. An encryption program that Netscape released for free in 1994 secured $53 billion in online commerce in the first three quarters of this year. As the Internet weaves its way into more devices, so does encryption technology. Sony's PlayStation 2 consoles include encryption software that allows gamers to communicate securely with their online playmates. TiVo television-recording systems receive encrypted software updates without the owner's even realizing it.

Data-security companies are working on protecting every level of the data chain, from authenticating users to demonstrating when a communication has been tampered with in transit (a task that a sealed envelope performs with an elegant simplicity difficult to achieve in cyberspace). Though email encryption seems the most obvious use, its market, according to IDC, will probably be flat, because there are adequate options, like the program PGP (short for "pretty good privacy"), available free at web.mit.edu/network/pgp.html Instead, the main drivers of growth stand to come in the areas of database and wireless security.

The need for heightened database security has been exposed repeatedly, thanks to high-profile thefts of sensitive information. These include the raiding of CD Universe's customer credit-card database in 2000 or the pilfering that year of patients' records from the University of Washington Medical Center. Visa and MasterCard have released guidelines to member banks and online merchants on measures each credit-card company expects them to take to protect card numbers. Congress, meanwhile, has passed laws demanding that financial institutions and health-care companies protect customer information.

The result has been growth in the market for database-encryption strategies. Established encryption companies like RSA Security and new entrants like Eruces and Protegrity are marketing new products that enable businesses and government institutions to encrypt each data addition separately to prevent hackers from swiping entire databases in a single attack. Some experts say health-care companies and self-insured employers are waiting to see how aggressively the government enforces the penalties for noncompliance with data-security laws. "People we've talked to are waiting until the last minute, because they just don't have the budgets," says Josh Pennell, president of IOActive, a security-engineering firm. "It could be cheaper for them to incur the fine" than to pay $100,000 to $1 million for an adequate information-security system. As things stand today, breaking into health-care databases, Pennell says, "would be a trivial thing."

An unprotected database can seem like Fort Knox compared with wireless communications. "On a wired or fiber system, there's a physical path that someone has to penetrate. With wireless, the geographic area and the technology to access it are much, much broader," says Noel Matchett, president of Information Security, based in Silver Spring, Md., and a former National Security Agency cryptographer.

Most wireless handheld devices that communicate digitally include built-in encryption. More vulnerable, however, are the new Wi-Fi networks that allow wireless access within short ranges. The problem with these remarkably convenient wireless local-area networks (WLANS) is that the range is not short enough. As with the Seattle conference-hotel WLAN, anyone with an inexpensive wireless card can access wireless networks from as far as 500 yds. away. Owing to the ease with which they can be installed, wireless networks are among the few tech sectors that continue to grow, according to the Gartner research firm, which estimates that WLAN shipments will rise 73% in 2002, boosting sales to nearly $2.8 billion.

When wireless networks were first introduced, they included an encryption protocol known as WEP, for wired equivalent privacy. Within months of that protocol's release, however, University of Maryland computer scientist William Arbaugh and his graduate assistant Arunesh Mishra discovered a weakness that allowed a hacker to invisibly jump ahead of an authenticated user after that user had logged in. Shortly after the two published a paper on their findings, two shareware programs, WEPCrack and AirSnort, were released freely online, allowing even the most unsophisticated hacker to break through wireless protocols. The weakness was eventually fixed by RSA Security, the leading encryption company, but many WLAN users have failed to upgrade their security, because they weren't aware of either the problem or the solution.

Often out of simple sloppiness IT departments don't take the time to enable the encryption protocol available to them. Last year RSA Security researchers found that 67% of the WLAN signals they picked up driving through the streets of London did not have encryption protocols activated.

This is a rookie mistake, committed most often by small businesses, but it has also been made by companies and institutions that ought to be more careful. Last month Computerworld magazine surveyed several U.S. airports and found that Northwest Airlines' wireless server at San Francisco International Airport and the system in Chicago supporting O'Hare airport's Xray machines were sending unprotected signals into the ether. Northwest admitted the oversight. O'Hare officials declined to comment.

Effective data security requires users to take extra measures--such as carrying around a token that generates random pass codes--that busy people often resist. Bruce Schneier, founder of Counterpane Internet Security, based in Cupertino, Calif., says he has seen too many hackers find too many ways around cryptography to place absolute faith in it or any other security system that doesn't involve constant beat-cop-style policing of networks. Security experts say every layer of security, properly installed, closes off one more avenue through which hackers can access important information. It's a cat-and-mouse game that can never be won once and for all. But at the moment, some of the cats in IT are setting out pretty impressive traps.