Tuesday, March 18, 2003

Public agency data vulnerable

Auditor employees find security holes in wireless networks

By Charles Wolfe
The Associated Press

FRANKFORT - A van cruises into a parking lot in the center of campus at Kentucky State University, well within range of the school's wireless computer network.

An off-the-shelf wireless antenna is held out the window and B.J. Bellamy, computer on his lap, is suddenly "inside."

"I'm a member of their network now," Bellamy, an information technologist for the state auditor's office, said Monday. "Whatever their folks can do, I can do."

Bellamy actually had gained access to more than the university's computer network. He was able to use it as a doorway to a significant portion of the network for Kentucky state government. A "hacker" bent on destruction could have had a field day, he said.

"They don't know I'm here. So I can maliciously hack away at their network until I compromise it," he said.

Bellamy and a colleague who accompanied him Monday, Ralph C. Long, spend their time probing state government computer systems for security weaknesses. Wireless networks, which link multiple computers via broadcast signals instead of cables and which have become increasingly popular because they are convenient and inexpensive, are fertile ground.

The systems come with some basic security mechanisms, including encryption, plus settings to limit signal strength and to restrict access to specific computers. A "moderately determined hacker" can get around the safeguards, though they are "sophisticated enough to keep the casual intruder at bay," Bellamy said.

However, typical users of the systems tend not to use even those modest safeguards, he said. In a tour of downtown Frankfort, Bellamy came within range of 23 wireless networks, of which 18 had no security - not even system passwords. They automatically recognized the wireless "card" in his laptop as an authorized user.

Long said he and Bellamy encountered about 140 wireless networks in both Louisville and Lexington. In each city, about one in five had any security.

The state auditor's office in June issued a bulletin about wireless technology security risks to all agency heads in state government.

The bulletin said wireless signals can be broadcast up to a half mile and intercepted by anyone with commonly available hardware and software. Bellamy, for example, made a directional antenna with a Pringles potato chip can and $30 worth of connector cable and other parts.

Getting the message across is an ongoing process, said Aldona Valicenti, chief information officer for state government.

A guide to Colerain Township
Colerain town meeting tonight

Accord to clear 132 liens on Erpenbeck homes
Church worker indicted in theft of $210,000
Booth to resign council
Military families wait, worry
Stadium mistakes not repeated

How much detail about Elizabeth do we need?

NAACP aims to get blacks to polls
Foster dad jailed, baby critical
UC Varsity Village gets $10M from Fifth Third
Cookie girl helps starving Africans
Women's City Club aims to raise questions
Students greet Chabot with war questions
Councilmen want panel to monitor city audit

Airport extends flight-pattern test
Tristate A.M. Report
Good News: Cincinnatian helps in African vaccinations

Horses found ill or dead
Butler County increases tax

Church vandalism suspect in custody

Ohio Moments: Abolitionist founded free church
Public systems turn to online charter schools

N.Ky health workers get smallpox shot
Councilman charged in Internet sex sting
Boone to move 200 students
Peace Rules among early Derby favorites
Around the Commonwealth
Ky. Congrats
Public agency data vulnerable
Kentucky burgoo: Don't ask, just eat
Fletcher first on TV in Republican race

Woman pulls man from car