Security issues when using outside networks.
Today, with the growth of laptops, low-cost, high-speed Internet connections and wireless local area network (LAN) technology, many individuals routinely connect laptop computers to multiple networks at places like coffee houses, hotels and airports. In fact, most laptop computers with wireless networking actively look for and ask permission to connect to any network they might find once activated.
CPAs need to be aware of the issues that arise when connecting to the Internet via such networks and how they can ensure that (1) sensitive data is not compromised and (2) their computers cannot be attacked by "malware" (malicious software). Fundamentally, the issue is simple--if, on connecting to an outside network, specific steps are not taken to secure data, this information can be relatively easily compromised by an outsider.
This column addresses the basic issues involved. A useful resource for those wishing to delve more deeply into this and other computer-security-related topics is the Gibson Research Corporation website and its Security Now podcasts on this topic by Steve Gibson and Leo Laporte (www.grc.com/SecurityNow.htm).
Ethernet's Basic Lack of Security
The Ethernet networking standard that is used virtually universally today to link computers was designed a long time ago, for a very different environment. When it was originally created, computers could not be transported easily and were extremely expensive. In addition, they generally spent their entire lives physically connected to a single LAN.
In such an environment, a number of today's troublesome issues simply did not exist. Key among these is the security of data traveling on the LAN to which a computer is connected. The only computers on that network were ones under the direct physical control of the LAN's owner; they were connected only to a LAN owned by such an entity. Thus, there was no real need to ensure that only an "authorized" machine was able to read the data packets being transmitted.
Dual addresses: When a computer is connected to an Ethernet network, the system implicitly trusts (and has to trust) virtually all of the other devices on that network in order to function. A key reason is that every device on a network ends up with two addresses--its assigned Internet address (IP address), which can (and does) change as a machine logs into different networks, and the machine's unique media access control (MAC) address (which never changes).
Why dual addresses? The IP address is a hierarchical one that helps systems direct data where it needs to go; the specific, unique MAC address assigned to each device ensures that each machine is uniquely identified. By associating the currently assigned IP address to a unique MAC address, data can be sent from any computer connected to the Internet directly to a specific machine.
The IP address is that "dotted" address one sees from time to time. Each segment of the address offers information about how to move the data in the direction of the ultimate recipient's machine, to get it to the LAN to which that computer is connected. Once on the LAN, the MAC address is used to move the data to the recipient's machine.
The dotted address is used because it defines, in a roundabout way, the "direction" to send data to get it to a specific machine. Computers come and go from the Internet all the time, and no machine has a detailed table of where every other machine is. This address allows any computer on the Internet to figure out how to move data to a machine that will move it closer to a specific user--until it arrives at that user's network.
Depending on how the network gets data to the machines using it, everything going to and from a machine may also be seen by every other machine on the network.
Finding the Machine on the LAN
In the Ethernet's original design, computers were all hooked to a single cable that ran the network's entire length. All traffic went through that cable to all computers, each of which checked to see if its unique MAC address was listed as the one that should use the data packet. By definition, every machine on the network saw every bit of data transmitted--this was necessary, to figure out which packets it should grab.
A problem with that network, outside of security, was that if a problem occurred anywhere along that string of cable, the entire network on that cable stopped functioning. To solve this problem, the physical wiring was eventually changed from a single cable going through the network to a centralized wiring location, with cables run to each specific computer.
Because this was meant to solve the physical problem, the original such devices (known as hubs) simply retransmitted all data to each computer, just like the original single wire. It was much simpler to implement and the central device needed no intelligence--it simply sent out data to everyone when it received data in. Every machine still saw every piece of data.
A problem that arose, however, was that there would be data "collisions" in such a system--i.e., two computers tried to transmit at the same time and garbled each other's transmissions. While the Ethernet had methods to deal with this problem (using retransmissions), as networks grew, the number of collisions also grew, slowing speed.
To solve this problem, intelligence was added to the central point, so that it would transmit data only down the single wire to which the packet was directed. It did this by keeping a table of MAC addresses for each machine connected to it, then examining packets to see where each should go (a device known as a switch). No longer would every machine on the network receive every bit of data.
The technical details of hooking up a network create security issues. Steve Gibson reported on Security Now that many hotels offering high-speed Internet access had wired room networks using hubs, generally because, at the time, it was cheaper than using switches; see "ARP Cache Poisoning" at www.grc.com/nat/arp.htm. Because these networks are still working, the hotels see no need to change them. If a user connects to such a network, all unencrypted traffic can be "sniffed" by widely available software, to reveal all kinds of information. Obvious items, such as email logins and passwords (which are often sent totally unencrypted), can be easily obtained.
In addition, a wireless network cannot really function as a switch--every machine on the network (and any device in radio range) can see every transmission.
The initial solution to this problem seems easy--wireless network transmissions can be scrambled using either wired equivalency privacy (WEP) or, for newer systems, wi-fi protected access (WPA). However, this works only as long as a user is connected only to encrypted networks. Because the key is only meant to stop those not on the network from reading the traffic, every machine on the network that has the key can still look at every piece of traffic going over the network. Also, WEP (the older "security" system for encrypting wireless transmissions) has significant design problems; anyone who does some minimal work (including simply downloading free software) can break into a WEP-protected network fairly easily.
Do Switches Solve All?
At first glance, it would appear that switches would solve this problem. If users only connected to switched outside networks, all should be well, as only data directed at that user's machine would be sent down that line. However, dual addressing (discussed earlier) causes a problem once again, because it was designed for systems in which machines would only connect to a LAN under the owner's control.
The problem exists because Ethernet networks handle mapping of IP addresses (those used to find each machine) to MAC addresses (those that uniquely identify a particular machine on the LAN) very informally. Machines send out their own mapping, and each retains a table of mappings. An actual MAC address is needed to get data to a specific machine on the network; thus, each machine and device on the network must map the "transient" IP address to the "real" MAC address associated with each machine.
Stealing data: Anyone on the network can send any machine on the network a message claiming to be the network's Internet gateway. (A gateway machine exists on each network, allowing access to the Internet and essentially serving to relay data from a LAN to the Internet.) Thus, by telling a user's machine that the data thief's machine is the gateway, the former will send all of its Internet-destined data to the latter's machine. As amazing as it may seem, the user's system does not check to ensure that this machine truly is the gateway--the Ethernet standard simply has no way to do so; a machine has little choice but to accept the revision.
The thief's machine can then send a similar message to the actual gateway machine that contains the user's IP address--so all outbound traffic will be routed through the thief's machine. Again, there is no way for the real gateway to make sure the machine in question is a specific user's machine--it has no choice but to accept the address/MAC combination given. The thief's machine logs the data received, then sends it on to the real gateway.
Similarly, when traffic arrives at the gateway for a user's machine, it will send the data to the thief, who logs it and then sends it to the user. Worst of all, in most cases no one will know this is happening; all of a user's data gets to the Internet and comes back, with no indication that anything is amiss. However, all the information is being captured and can be easily analyzed by the third party.
The problem is that users are not authenticating that the machine to which they are talking is the correct one. The only real clue would be that, if a user signed onto a secure website, the browser will likely initially complain about the certificate (which would be falsified). However, if a user accepts the faked certificate (and most users would, as this allows them to continue working), even secured transmissions are not actually secure.
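To show the mapping problem from a defender's side, here is an added example (not from the column or from Gibson's site) that replays constructed ARP replies into a cache that trusts the last announcement, as Ethernet does, and flags the two changes a network monitor could alert on: the gateway's IP moving to a new MAC, and one MAC claiming both the gateway's and the user's IP. The addresses are documentation ranges and the gateway IP is assumed to be known in advance.

```python
from collections import defaultdict

# Constructed ARP reply observations (not captured from a real network):
# each tuple is (sender IP, sender MAC) taken from an ARP "is-at" message.
ARP_REPLIES = [
    ("192.0.2.1",  "00:00:5e:00:53:01"),   # real gateway announces itself
    ("192.0.2.10", "00:00:5e:00:53:10"),   # the user's laptop
    ("192.0.2.1",  "00:00:5e:00:53:99"),   # a third machine claims the gateway IP
    ("192.0.2.10", "00:00:5e:00:53:99"),   # the same MAC then claims the user's IP
]

GATEWAY_IP = "192.0.2.1"  # assumption: a real host would learn this from DHCP


def audit_arp(replies, gateway_ip):
    """Replay ARP replies into a trusting cache and report suspicious changes.

    Returns (cache, alerts). The cache behaves exactly as the column describes:
    the most recent mapping wins and nothing is authenticated. The alerts are
    what a monitor on the LAN would raise before that silent takeover succeeds.
    """
    cache = {}                      # IP -> MAC, last announcement wins
    ips_by_mac = defaultdict(set)   # MAC -> every IP it has claimed
    alerts = []
    for ip, mac in replies:
        previous = cache.get(ip)
        if previous is not None and previous != mac:
            # The gateway moving to a new MAC is the classic poisoning sign.
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{severity}: {ip} moved from {previous} to {mac}")
        cache[ip] = mac
        newly_claimed = ip not in ips_by_mac[mac]
        ips_by_mac[mac].add(ip)
        if newly_claimed and len(ips_by_mac[mac]) > 1:
            # One MAC answering for several IPs is how both directions get relayed.
            claimed = ", ".join(sorted(ips_by_mac[mac]))
            alerts.append(f"WARNING: {mac} claims several IPs: {claimed}")
    return cache, alerts


if __name__ == "__main__":
    cache, alerts = audit_arp(ARP_REPLIES, GATEWAY_IP)
    print("final cache:", cache)
    for line in alerts:
        print(line)
```

Pinning the gateway's MAC as a static entry, where the operating system allows it, stops the cache from accepting the third reply at all; the monitor above still tells you that someone tried.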
Free software exists on the Internet to "help" this process along for those who wish to invade networks, including separating out the various "interesting" items in data streams (like logins, passwords, Social Security numbers, etc.). Thus, simply plugging into an available network when traveling or away from the office is risky, unless specific action is taken to address the problem.
What is needed is a way to (1) encrypt the transmissions (so that those trying to look at this information cannot intercept the data sent) and (2) have an authentication mechanism in place (to ensure that the system to which data is sent is the correct one).
VPNs: Virtual private networks (VPNs) provide one obvious solution. A VPN can be linked to an "in the office" LAN, to access data and resources on the latter; or, various commercial public VPN services can be used to handle security until a user gets to the VPN's secured access point on the Internet (away from potential villains on the user's LAN).
A VPN creates a "tunnel" that contains what seems like random noise to any machine that intercepts the traffic; that encrypted traffic is decoded only at each end of the transmission. Using a VPN ensures that the traffic finally arrives at a location confirmed in the protocol.
Corporate VPNs are configured on a company's LAN; traffic is routed back to the company's home network, where there is control of the machines on what appears to be the LAN.
If primarily concerned with getting safely to the Internet to check email or the like, available solutions include PublicVPN (www.publicvpn.com) and HotspotVPN (www.hotspotvpn.com). Both are "pay to play" solutions, but provide an authenticated tunnel to a known location. Hotspot, because it uses the same https technology used on secured websites, will also tend to work in situations in which other VPNs fail.
If all that is needed is to create a simple VPN to get back to a machine, one option is to use the freely available Hamachi (www.hamachi.cc). That system helps solve one of the major problems of establishing a VPN back to a home network--getting the router to forward the traffic properly--but uses a third-party server only to initiate the conversation. This system is available for Windows, Linux and, recently, Macintosh OS X Tiger. Using Hamachi, a computer can connect back to a local machine, or use a program like RealVNC to remotely access a computer. It can also be configured to use Windows Remote Desktop, but this is not easy (due to architectural issues in Windows XP, Hamachi has to run as a service for this to work).
To simply connect back to a terminal, Citrix's GoToMyPC (www.gotomypc.com) is a good option, relatively easy to set up and secure as long as authentication complaints are not ignored. The offering is commercial, but is a "quick and easy" solution that is a lot simpler and more secure than using an exposed Windows Remote Desktop or RealVNC client.
EVDO: Finally, for CPAs who travel in areas in which it is available, wireless carriers offer high-speed data service for Internet connection.
A number of new cellular telephones that support receiving streaming video can also be used, with a universal serial bus (USB) cable or via Bluetooth, as a very fast modem to access the Internet. For example, the author used a Samsung phone on the Sprint wireless network tethered to an Apple iBook G4 to access the Internet while writing this column, rather than the publicly available wireless network available in the airport in which he was situated.
Steven H. Holub, CPA, Piser & Co.
Jeffrey A. Porter, CPA
Porter & Associates, CPAs
Edward K. Zollars, CPA
Thomas & Zollars, Ltd.
Mr. Holub is a former chair of the AICPA Tax Division's Tax Practice Management Committee. Mr. Porter chairs the AICPA Tax Division's Tax Practice Improvement Committee; Mr. Zollars is a former member of that committee. For information about this column, contact Mr. Holub at (813) 222-8555 or firstname.lastname@example.org, or Mr. Zollars at email@example.com.