Department of Interior Wireless Networks Breached by $200 Units Hidden in Backpacks
Wireless networks within the US Department of the Interior (DoI) have been successfully breached ... not by high tech equipment, but 'on the cheap'.
As a means of testing the security of the networks, the DoI's Office of Inspector General (OIG) 'attacked' some of the hundreds of networks with low budget kits used in publicly accessible areas within the DoI's Washington office.
"We assembled portable test units for less than $200 that were easily concealed in a backpack or purse and operated these units with smartphones," stated the OIG in their Final Evaluation Report. "Our attacks simulated the techniques of malicious actors attempting to break into departmental wireless networks, such as eavesdropping, evil twin, and password cracking."
The results of the DoI attack showed that their wireless network infrastructure didn't operate to the guidelines set out by the National Institute of Standards and Technology (NIST).
The attacks went undetected by security guards and IT security staff and were able to intercept and decrypt (wireless) network traffic in numerous bureaus, including two where the OIG was able access internal networks. They also obtained the credentials of one bureau IT employee and used them to log into the bureau's help desk ticketing system.
"Our attacks reveal(ed) that the Department did not deploy and operate a secure wireless network infrastructure," stated the OIG. "We also found that several bureaus and offices did not implement measures to limit the potential adverse effect of breaching a wireless network."
Further to this, the OIG found that the DoI didn't require regular testing of network security, or maintain complete inventories of its wireless networks, and published contradictory, outdated, and incomplete guidance.
While the report was damning of the DoI, it didn't blame it entirely and noted the role of the Office of the Chief Information Officer (OCIO), which is in place to assist the DOI in all areas of information management and technology.
"These deficiencies occurred because the Office of the Chief Information Officer (OCIO) did not provide effective leadership and guidance to the Department," stated the OIG. "(It) failed to establish and enforce wireless security practices in accordance with NIST guidance and recommended best practices."
As a result of the attacks, 14 recommendations were made (in a draft report) to strengthen the DoI’s wireless network security. The OCIO concurred with all recommendations and stated that it is working to implement all of them, with 13 of the 14 resolved.
+ + +
Thanks for visiting SecAlerts and reading this story. We offer a free weekly CVE alert service, or an hourly service from $US20/mth, both of which include software updates and news relating to your software stack. Join more than 1,300 other users and sign up.
. . .
If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.
