Evil Twins a Menace to Wireless Security

Wireless Fidelity (WiFi) connections to the Internet provide business and personal users with near limitless computing convenience. However, unprotected wireless connections can be more damaging to corporate network security and user privacy than always-on cable connections without firewalls.

Security experts are warning wireless users about the latest threat to identity theft. Known as the “Evil Twin,” this threat is the wireless version of e-mail phishing scams. An attacker tricks wireless users into connecting a laptop or PDA to a rogue hotspot by posing as a legitimate provider.

Once the wireless victim has connected to the illegitimate hotspot, the attacker can gain access to the user’s log-on details, along with personal and confidential information that aids the attacker in identity theft and other illegal activities.

Twin Evils

To protect information such as credit card details, passwords and PIN numbers from access by Evil Twin scams, some leading Internet security firms are offering tips and free or low-cost software to alert WiFi users about potential risks.

The Evil Twin attack shows clearly how wireless technology has spawned powerful new threats from hackers who exploit wireless vulnerabilities at local public wireless networks called hotspots.

“People are lulled into a false sense of security with personal firewalls. However, wireless attacks such as Evil Twin and other wireless phishing scams cannot be seen by personal firewalls,” Richard Rushing, chief security officer of AirDefense, which provides security products for wireless Internet connections, said.

AirDefense President and CEO Anil Khatod agreed that the issue of end-user protection at hotspots and other unsecured wireless networks is a growing concern for security and IT professionals.

“Customers have traditionally focused only on preventing unauthorized access to their corporate wireless networks,” Khatod said.

As an example of how pervasive the Evil Twin threat has become, consider the experience of Bo Mendenhall, information security analyst with the University of Utah Health Sciences Center.

“We see hundreds of rogue stations and access points around our campus, and trying to determine which one poses a security risk is like finding a needle in a haystack,” Mendenhall said.

The latest version of AirDefense’s Enterprise wireless-security software helped the University of Utah control dangerous clandestine wireless connections.

Why Evil Twin Works

“What I love about the latest version of AirDefense is its ability to pinpoint if a rogue is on my network and the ability to do something about it immediately,” he said.

Without the latest software defenses on their computers, wireless users remain completely clueless that their connections are compromised. David Blumenfeld, vice president of marketing for WiFi software provider Jiwire, said that Evil Twins can be set up to so that a person connects to a rogue signal and is then simply routed to the real signal. In this process, the Evil Twin hacker can then see all the information that is being sent and received by the user.

To combat this, Blumenfeld said, a user should be using a virtual public network (VPN) or a service that encrypts a user’s information so that even if the Evil Twin can see the user’s information flying by, it will appear as undecipherable gibberish.

Wireless popularity and ease of use are two factors making Evil Twin attacks so prevalent. Combine these two elements with a general lack of education among wireless users and it is easy to understand why attackers are successful.

According to Gregor Freund, founder and general manager of Internet security firm Zone Labs, wireless hotspots are so widespread that users now assume they can connect to the Internet while away from home. Zone Labs markets free and consumer versions of a popular firewall program, ZoneAlarm. Both versions of ZoneAlarm alert users about potential rogue wireless connections.

“Yet rarely do consumers know anything about the infrastructure behind the hotspot. Is it a secure network? What protocols are used — WEP, WPA, even IPSec? Most people wouldn’t even know what those acronyms mean, but the deployment of proper security could make a difference in whether or not people walk away from that coffeehouse on the corner with their privacy intact,” Freund told TechNewsWorld.

Social Engineer Works

As is true in most cases of online fraud and identification theft scams, the computer users are often their own worst enemies. Hackers rely on user response to make many of the intrusion scams successful. That trick is precisely what works with the Evil Twin scam.

“There are multiple flavors of the Evil Twin, and all are based on the user being duped into logging on,” Blumenfeld said.

Some of the most recent versions of the Evil Twin scenario put up a false user sign-on screen. Users can not stop this from happening.

Blumenfeld said some software security products are now able to identify false authentication certificates used by hackers to mask a rogue hot spot.

“But by the time that happens, it is usually too late. The wireless user has already entered his personal data to complete the log-on process,” he said.

Combating Attackers

Wireless computer users can bolster their security defenses and minimize the risk of exposing their personal data and corporate data by using one of the new wireless security products now available. Following is a rundown on some of the leading software products designed to secure wireless Internet connections.

All ZoneAlarm products will detect and assign a policy to new networks, including wireless connections, automatically. ZoneAlarm (free version) does this behind the scenes and defaults to the most protective security setting by default no matter what type of new network is detected. This is really good for potentially hostile environments, such as open public networks or Evil Twins.

In the retail products (ZoneAlarm Anti-Virus, ZoneAlarm Pro and ZoneAlarm Security Suite), users can choose between automatically setting the security when the environment is hostile or prompting the user when the network might be safe (such as a home or office network). Users might want to lower settings to allow file sharing and other riskier behaviors. In the free ZoneAlarm firewall, lowering the security settings for safe networks is a manual process.

For enterprise networks AirDefense’s Enterprise 6.0 allows IT managers to configure the system to manage itself. Settings include identifying security risks, rogue devices, policy violations, level of threat, location of threats and automated mitigation via wire or wirelessly.

Malicious, Accidental Activities

AirDefense Personal, a software application for employees logging onto the corporate network from a wireless provider, resides on mobile users’ computers and looks for malicious or accidental wireless activities and wireless misconfigurations that might cause security exposures or policy violations. If threats are discovered, AirDefense Personal notifies both the user and AirDefense Enterprise program running on the corporate server.

JiWire’s SpotLock, released in May, is a beta download that makes using WiFi safe, secure and easy when individual users connect to public hotspots around the globe, remote offices, or home networks. SpotLock is built specifically for small businesses and self-employed professionals who do not have access to corporate VPN solutions. SpotLock automatically encrypts WiFi communications using its built-in personal security or through methods the user already has from WEP/WPA or other VPN services. SpotLock is available for $4.95 per month or $49.95 per year.

AirWave Wireless markets AirWave Management Platform. It contains a module that enables network administrators to discover any unauthorized rogue access points from the wired side of the network. The software uses a variety of protocols to discover and interrogate any unauthorized devices.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Security

Technewsworld Channels