Interview with Charles R. Elden, co-author of “Wireless Security and Privacy”

Charles R. Elden is an independent security consultant. He has worked as a manager and software security consultant with Cigital’s Software Security Group. He has experience performing communication and software systems risk analysis and risk management.

Previously, he worked for the Central Intelligence Agency for 12 years and has worked for more than 11 years in the Directorate of Science and Technology’s Office of Technical Services. He is the co-author of “Wireless Security and Privacy: Best Practices and Design Techniques.”

How did you get interested in wireless security?

I have a general interest in security and leveraging technology to assist in solving problems. During my time with the Agency, I was a Technical Operations Officer, responsible for technical support to field operations including secret writing, disguise, concealment devices, miniature cameras, counter-terrorism, technical surveillance, and clandestine communications (my specialty). I was responsible for designing, building, installing, operating and training field agents and assets to use these devices, in other words I got to build and play with cool spy toys. On the communications side these systems included RF signalling, voice and data transmission via RF, IR, microwave, satellite, as well as wired and wireless networks. The security requirements of these systems were stringent and unyielding; we had the anonymity of the sender, receiver, commercial communication technologies and systems. Becoming involved with commercial security issues (wireless being a part) was an easy transition from my government duties.

What are your favourite tools for dealing with security when it comes to wireless networks and why?

Tools are just that, and listing tools will likely lead people to believe that by implementing the tool they will be able to achieve security. The mind is the best tool, you have to thoroughly understand what you are trying to accomplish with the use of a wireless network, what you are trying to protect, and where might an attacker try to gain access. The results of this analysis will lead you to the tools you will need to verify that the system is working, as you believe it is, or know it should be. It all comes down to how much risk you are willing to accept and what the consequences are if the threat is realized.

The only tools unique to wireless systems over a wired system are; a wireless device, one of the available spectrum analysis program(s) and wireless diagnostic utilities, which allows you to determine the range of the wireless access, other RF activity, what access points are visible and how they are configured.

How long did it take you to write “Wireless Security and Privacy: Best Practices and Design Techniques” and what was it like? Any major difficulties?

I am estimating it took us between 7-9 months to write the substance of the book. It was another 6 months for reviews, editorial changes, etc. Then another 4 months for the layout, proofing, and printing.

It was a lot more work than originally appeared when we were approached to write the book. It was also a lot of fun to see the book take shape and develop into the final product.

The hardest thing was taking all the material we wanted to cover, organizing it so it had some logical flow and could be understood, setting a deadline for not adding new information (after all technology is constantly changing) and culling out information so the book had a good balance between level of detail and breadth of coverage.

Warchalking, Wardriving, Warspamming – these are just some of the terms we see frequently in the news. Do you see these actions as a real problem or is it just the media making things bigger than they are?

Unfortunately, I believe the answer is both. The media does tend to highlight the sensational aspects that they wish to highlight while leaving out critical details or assumptions.

These actions can be a real problem if the purpose of such actions is to do damage to the network or company to which these actions grant access. Again, it comes back to “What are you concerned about?” By properly configuring and restricting wireless access you can eliminate, or at least minimize the potential damage these actions can have on you network.

What are your predictions for the future when it comes to wireless security?

I would like to say that those responsible for building wireless security into the devices would read our book, do the right thing, and design security in from the start. However, the real answer is that the consumers will dictate what will be the future of wireless security. The companies are going to try to produce what the consumer demands, at the lowest cost possible. Companies believe that the consumer is willing to accept reduced security for greater functionality. Unless pressed otherwise by consumers, security will not be the focus for these companies and will continue to be a problem for the foreseeable future.

My experience shows that security is not an end state, but a continual process. I am sure the security profile of wireless devices and networks will improve. However, the functionality of these systems will also increase, which will likely introduce new vulnerabilities or provide additional avenues for exploitation.

What are your future plans? Any exciting new projects?

My background and experience is a driving force encouraging me to assist concerned individuals and companies to overcome the security and technological challenges they face.

In addition to my consulting activities, I am exploring the options of writing another security book based on the I-ADD process described in the “Wireless Security and Privacy” book, focused this time on critical infrastructure. I am also working on a project integrating several technologies into a new product, which is all I can say about it for now.

I am also excited about a novel I have half completed, a fictionalized account based on real-life experiences of myself and other CIA Technical Operations Officers travelling, meeting assets, working with advanced technology, etc. I hope to have it completed and ready for a publisher this fall.