Security issues when using outside networks.
CPAs need to be aware of the issues that arise when connecting to the Internet via such networks and how they can ensure that (1) sensitive data is not compromised and (2) their computers cannot be attacked by "malware" (malicious software). Fundamentally, the issue is simple--if, on connecting to an outside network, specific steps are not taken to secure data, this information can be relatively easily compromised by an outsider.
This column addresses the basic issues involved. A useful resource for those wishing to delve more deeply into this and other computer-security-related topics is the Gibson Research Corporation website and its Security Now podcasts on this topic by Steve Gibson and Leo Laporte (www.grc.com/SecurityNow.htm).
Ethernet's Basic Lack of Security
The Ethernet networking standard that is used virtually universally today to link computers was designed a long time ago, for a very different environment. When it was originally created, computers could not be transported easily and were extremely expensive. In addition, they generally spent their entire lives physically connected to a single LAN.
In such an environment, a number of today's troublesome issues simply did not exist. Key among these is the security of data traveling on the LAN to which a computer is connected. The only computers on that network were ones under the direct physical control of the LAN's owner; they were connected only to a LAN owned by such an entity. Thus, there was no real need to ensure that only an "authorized" machine was able to read the data packets being transmitted.
Dual addresses: When a computer is connected to an Ethernet network, the system implicitly trusts (and has to trust) virtually all of the other devices on that network in order to function. A key reason is that every device on a network ends up with two addresses--its assigned Internet address (IP address), which can (and does) change as a machine logs into different networks, and the machine's unique media access control (MAC) address (which never changes).
Why dual addresses? The IP address is a hierarchical one that helps systems direct data where it needs to go; the specific, unique MAC address assigned to each device ensures that each machine is uniquely identified. By associating the currently assigned IP address to a unique MAC address, data can be sent from any computer connected to the Internet directly to a specific machine.
The IP address is that "dotted" address one sees from time to time. Each segment of the address offers information about how to move the data in the direction of the ultimate recipient's machine, to get it to the LAN to which that computer is connected. Once on the LAN, the MAC address is used to move the data to the recipient's machine.
The dotted address is used because it defines, in a roundabout way, the "direction" to send data to get it to a specific machine. Computers come and go from the Internet all the time, and no machine has a detailed table of where every other machine is. This address allows any computer on the Internet to figure out how to move data to a machine that will move it closer to a specific user--until it arrives at that user's network.
Depending on how the network gets data to the machines using it, everything going to and from a machine may also be seen by every other machine on the network.
Finding the Machine on the LAN
In the Ethernet's original design, computers were all hooked to a single cable that ran the network's entire length. All traffic went through that cable to all computers, each of which checked to see if its unique MAC address was listed as the one that should use the data packet. By definition, every machine on the network saw every bit of data transmitted--this was necessary, to figure out which packets it should grab.
A problem with that network, outside of security, was that if a problem occurred anywhere along that string of cable, the entire network on that cable stopped functioning. To solve this problem, the physical wiring was eventually changed from a single cable going through the network to a centralized wiring location, with cables run to each specific computer.
Because this was meant to solve the physical problem, the original such devices (known as hubs) simply retransmitted all data to each computer, just like the original single wire. It was much simpler to implement and the centralized switch needed no intelligence--it simply sent out data to everyone when it received data in. Every machine still saw every piece of data.
A problem that arose, however, was that there would be data "collisions" in such a system--i.e., two computers tried to transmit at the same time and garbled each other's transmissions. While the Ethernet had methods to deal with this problem (using retransmissions), as networks grew, the number of collisions also grew, slowing speed.
To solve this problem, intelligence was added to the central point, so that it would transmit data only down the single wire to which the packet was directed. It did this by keeping a table of MAC addresses for each machine connected to it, then examining packets to see where each should go (a device known as a switch). No longer would every machine on the network receive every bit of data.
The technical details of hooking up a network create security issues. Steve Gibson reported on Security Now that many hotels offering high-speed Internet access had wired room networks using hubs, generally because, at the time, it was cheaper than using switches; see "ARP Cache Poisoning" at www.grc.com/nat/arp.htm. Because these networks are still working, the hotels see no need to change them. If a user connects to such a network, all unencrypted traffic can be "sniffed" by widely available software, to reveal all kinds of information. Obvious items, such as email logins and passwords (which are often sent totally unencrypted), can be easily obtained.
In addition, a wireless network cannot really function as a switch--every machine on the network (and any device in radio range) can see every transmission.
The initial solution to this problem seems easy--wireless network transmissions can be scrambled using either Wired Equivalent Privacy (WEP) or, for newer systems, Wi-Fi Protected Access (WPA). However, this works only as long as a user is connected only to encrypted networks. Because the key is only meant to stop those not on the network from reading the traffic, every machine on the network that has the key can still look at every piece of traffic going over the network. Also, WEP (the older "security" system for encrypting wireless transmissions) has significant design problems; anyone who does some minimal work (including simply downloading free software) can break into a WEP-protected network fairly easily.
Do Switches Solve All?
At first glance, it would appear that switches would solve this problem. If users only connected to switched outside networks, all should be well, as only data directed at that user's machine would be sent down that line. However, dual addressing (discussed earlier) causes a problem once again, because it was designed for systems in which machines would only connect to a LAN under the owner's control.
The problem exists because Ethernet networks handle mapping of IP addresses (those used to find each machine) to MAC addresses (those that uniquely identify a particular machine on the LAN) very informally. Machines send out their own mapping, and each retains a table of mappings. An actual MAC address is needed to get data to a specific machine on the network; thus, each machine and device on the network must map the "transient" IP address to the "real" MAC address associated with each machine.
Stealing data: Anyone on the network can send any machine on the network a message claiming to be the network's Internet gateway. (A gateway machine exists on each network, allowing access to the Internet and essentially serving to relay data from a LAN to the Internet.) Thus, by telling a user's machine that the data thief's machine is the gateway, the former will send all of its Internet-destined data to the latter's machine. As amazing as it may seem, the user's system does not check to ensure that this machine truly is the gateway--the Ethernet standard simply has no way to do so; a machine has little choice but to accept the revision.
The thief's machine can then send a similar message to the actual gateway machine that contains the user's IP address--so all outbound traffic will be routed through the thief's machine. Again, there is no way for the real gateway to make sure the machine in question is a specific user's machine--it has no choice but to accept the address/MAC combination given. The thief's machine logs the data received, then sends it on to the real gateway.
Similarly, when traffic arrives at the gateway for a user's machine, it will send the data to the thief, who logs it and then sends it to the user. Worst of all, in most cases no one will know this is happening; all of a user's data gets to the Internet and comes back, with no indication that anything is amiss. However, all the information is being captured and can be easily analyzed by the third party.
The problem is that users are not authenticating that the machine to which they are talking is the correct one. The only real clue would be that, if a user signed onto a secure website, the browser will likely initially complain about the certificate (which would be falsified). However, if a user accepts the faked certificate (and most users would, as this allows them to continue working), even secured transmissions are not actually secure.
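The mapping changes described above leave a trace that a defender can watch for passively. The following is an added example, not code from the original column: it parses ARP reply frames (constructed inline) and flags the two symptoms of the attack, the gateway's IP suddenly answering from a different MAC, and one MAC answering for several IPs. The seeded gateway MAC and all addresses are assumptions.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac_bytes(s: str) -> bytes: return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s: str) -> bytes: return bytes(int(x) for x in s.split("."))
def mac_str(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)
def ip_str(b: bytes) -> str: return ".".join(str(x) for x in b)

def build_arp_reply(sha: str, spa: str, tha: str, tpa: str) -> bytes:  # constructed frame: "<spa> is at <sha>"
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REPLY, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return ETH.pack(mac_bytes(tha), mac_bytes(sha), ETHERTYPE_ARP) + arp

def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:  # (opcode, sender MAC, sender IP) or None
    if len(frame) < ETH.size + ARP.size or ETH.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    op, sha, spa = ARP.unpack_from(frame, ETH.size)[4:7]
    return op, mac_str(sha), ip_str(spa)

class ArpWatch:
    def __init__(self, gateway_ip: str, gateway_mac: str) -> None:
        self.gateway_ip = gateway_ip
        self.ip_to_mac: Dict[str, str] = {gateway_ip: gateway_mac}  # seeded from a trusted moment (assumption)
        self.mac_to_ips: Dict[str, Set[str]] = {}

    def observe(self, frame: bytes) -> List[str]:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return []
        _, mac, ip = parsed
        alerts, old = [], self.ip_to_mac.get(ip)
        if old is not None and old != mac:   # symptom 1: an IP's MAC silently changed
            tag = "GATEWAY " if ip == self.gateway_ip else ""
            alerts.append(f"{tag}{ip} moved from {old} to {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips.setdefault(mac, set()).add(ip)
        if len(self.mac_to_ips[mac]) > 1:    # symptom 2: one MAC answering for several IPs
            alerts.append(f"{mac} claims multiple IPs: {sorted(self.mac_to_ips[mac])}")
        return alerts

def run_demo() -> List[str]:  # constructed scenario: honest gateway reply, then the two poisoning replies
    gw, user, thief = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    watch = ArpWatch("192.168.1.1", gw)
    frames = [build_arp_reply(gw, "192.168.1.1", user, "192.168.1.50"),     # legitimate reply
              build_arp_reply(thief, "192.168.1.1", user, "192.168.1.50"),  # "I am the gateway" to the user
              build_arp_reply(thief, "192.168.1.50", gw, "192.168.1.1")]    # "I am the user" to the gateway
    return [a for f in frames for a in watch.observe(f)]
```

Symptom 2 can also fire for a legitimate device that holds several addresses (a router with multiple IPs), so treat it as a prompt to check the gateway mapping rather than proof of an attack.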
Free software exists on the Internet to "help" this process along for those who wish to invade networks, including separating out the various "interesting" items in data streams (like logins, passwords, Social Security numbers, etc.). Thus, simply plugging into an available network when traveling or away from the office is risky, unless specific action is taken to address the problem.
What is needed is a way to (1) encrypt the transmissions (so that those trying to look at this information cannot intercept the data sent) and (2) have an authentication mechanism in place (to ensure that the system to which data is sent is the correct one).
VPNs: Virtual private networks (VPNs) provide one obvious solution. A VPN can be linked to an "in the office" LAN, to access data and resources on the latter; or, various commercial public VPN services can be used to handle security until a user gets to the VPN's secured access point on the Internet (away from potential villains on the user's LAN).
A VPN creates a "tunnel" that contains what seems like random noise to any machine that intercepts the traffic; that encrypted traffic is decoded only at each end of the transmission. Using a VPN ensures that the traffic finally arrives at a location confirmed in the protocol.
Corporate VPNs are configured on a company's LAN; traffic is routed back to the company's home network, where there is control of the machines on what appears to be the LAN.
If primarily concerned with getting safely to the Internet to check email or the like, available solutions include PublicVPN (www.publicvpn.com) and HotspotVPN (www.hotspotvpn.com). Both are "pay to play" solutions, but provide an authenticated tunnel to a known location. Hotspot, because it uses the same https technology used on secured websites, will also tend to work in situations in which other VPNs fail.
If all that is needed is to create a simple VPN to get back to a machine, one option is to use the freely available Hamachi service (www.hamachi.cc). That system helps solve one of the major problems of establishing a VPN back to a home network--getting the router to forward the traffic properly--but uses a third-party server only to initiate the conversation. This system is available for Windows, Linux and, recently, Macintosh OSX Tiger. Using Hamachi, a computer can connect back to a local machine, or use a program like RealVNC to remotely access a computer. It can also be configured to use Windows Remote Desktop, but this is not easy (due to architectural issues in Windows XP, Hamachi has to run as a service for this to work).
To simply connect back to a terminal, Citrix's GoToMyPC (www.gotomypc.com) is a good option, relatively easy to set up and secure as long as authentication complaints are not ignored. The offering is commercial, but is a "quick and easy" solution that is a lot simpler and more secure than using an "exposed" Windows Remote Desktop or RealVNC client.
EVDO: Finally, for CPAs who travel in areas in which it is available, wireless carriers offer high-speed data service for Internet connection. Evolution-Data Optimized (EVDO) wireless Internet service systems are being rolled out nationwide by both Verizon Wireless and Sprint, and now cover most major metropolitan areas. EVDO speeds are much greater than those offered by prior wireless phone technologies, and offer an Internet connection that bypasses the issues of others on an unknown LAN.
A number of new cellular telephones that support receiving streaming video can also be used, with a universal serial bus (USB) cable or via Bluetooth, as a very fast modem to access the Internet. For example, the author used a Samsung phone on the Sprint wireless network tethered to an Apple iBook G4 to access the Internet while writing this column, rather than the publicly available wireless network available in the airport in which he was situated.
Steven H. Holub, CPA
Aidman, Piser & Co.
Jeffrey A. Porter, CPA
Porter & Associates, CPAs
Edward K. Zollars, CPA
Thomas & Zollars, Ltd.
Mr. Holub is a former chair of the AICPA Tax Division's Tax Practice Management Committee. Mr. Porter chairs the AICPA Tax Division's Tax Practice Improvement Committee; Mr. Zollars is a former member of that committee. For information about this column, contact Mr. Holub at (813) 222-8555 or email@example.com, or Mr. Zollars at firstname.lastname@example.org.