Security Issues with Offshore Outsourcing: Offshore coding booming, but is it safe? Answer is a qualified yes, but only if you do your homework

Keeping devices out of Discoverable mode is an effective cloaking mechanism for Bluetooth networks. Unlike 802.11, there is currently no known way to easily find non-Discoverable Bluetooth devices using commodity hardware. @Stake released RedFang [3], a tool which tries to guess the MAC address of nearby, non-Discoverable devices. The Shmoo Group has written a wrapper, BlueSniff [4], to put a war-driving UI in front of RedFang. While this method does work with commodity hardware, it can take an impractical amount of time. Over the next few years, familiarity with the existing hardware, refinement of techniques, and more usable user interfaces will potentially make finding non-Discoverable Bluetooth devices easy.

Advanced discovery

The above discussion focused on how an attacker (or auditor) can find wireless devices using low-cost hardware. For those more motivated and well funded, there are far more options. Many companies make protocol analyzers for both 802.11 and Bluetooth that can overcome the limitations of discovering devices of each type. In particular, the Bluetooth discovery equipment is effectively a spectrum analyzer that can listen to large frequency bands and find devices regardless of where they are in their hopping pattern.

These specialized discovery devices start at $5000 and rapidly get more expensive. However, while this type of equipment is impressive, the average attacker will likely not have access to this type of machine. It is important to remember the issues raised earlier in this article: regardless of whether you are using 802.11 or Bluetooth, an attacker can find devices on your network using inexpensive equipment, free software, and a little bit of time. And once the devices have been discovered, they can then be directly attacked or their traffic can be subverted. Since there is little you can do to prevent the discovery of your wireless equipment, it is imperative that you employ higher-level security mechanisms to protect your assets.

References

1 http://www.netstumbler.com/
2 http://airsnort.shmoo.com/
3 http://www.atstake.com/research/tools/info_gathering/
4 http://bluesniff.shmoo.com/

About the author

Bruce Potter has a broad information security background that includes deployment of wireless networks. Trained in computer science at the University of Alaska Fairbanks, Bruce served as a senior technologist at several hi-tech companies. Bruce is the founder and President of Capital Area Wireless Network. In 1999 Bruce founded The Shmoo Group, a group of security professionals scattered throughout the world. Bruce co-authored 802.11 Security, published through O'Reilly and Associates. He has co-authored Mac OS X Security. Bruce Potter is currently a senior security consultant at Cigital.


Security Issues with Offshore Outsourcing

Offshore coding booming, but is it safe? Answer is a qualified yes, but only if you do your homework.

Philip Hunter

Offshore coding is booming throughout North America and Europe, with Gartner Group predicting that by 2004 80% of US companies will consider outsourcing critical services to foreign-based developers. But as this offshore outsourcing trend accelerates, concerns that enterprises are exposing themselves to undue risk of cyber-terrorism and industrial property theft are increasing.

Where to outsource?

There are three main donor regions of such services:

• China.
• The Indian subcontinent.
• Russia along with the ex-Soviet states such as Ukraine.

There is certainly a strong perception that all three pose security threats. In the case of Russia the main concerns are general lawlessness, unreliability, and a pervasive Mafia culture, with the threat that organized crime might see opportunities within the country's growing offshore software industry for industrial espionage leading to a black market in intellectual property. In the case of the sub-continent, the main fear is cyber-terrorism, but China is deemed the greatest risk for a different reason, because of its long-standing economic espionage programme against western countries, especially the US.

Against these risks are the huge savings that can be made through outsourcing to these countries, all of which are acknowledged to have high quality developers equal to those in the west, but at half or less the salary levels. Given that cost is itself an element of risk, enterprises would be as foolish to disregard this potential source of software as they would be to rush headlong into it.

What should be outsourced?

The key is to manage the process of offshore development effectively and be discriminating over which particular software components you decide to outsource. To a large extent the same principles should apply to all forms of outsourcing, whether abroad or within your own country. In either case risk is involved along with issues of control and devolution of responsibility. It is harder to maintain a physical presence at a development site in the Chinese outback than down the road. With offshore outsourcing, therefore, it is particularly critical to have high trust in the software firm involved. Such a firm should have a strong presence both in your country and on the ground in the offshore territory. Inevitably with offshore development you will rely to a greater extent on the outsourcing company's local knowledge of the people concerned, on their vetting procedures, and auditing.

Invest in outsourcing

In most cases you will also have to accept that some of the software development savings will be offset by the extra cost of managing the project. Large enterprises that outsource, such as Cisco, have dedicated teams that travel regularly to offshore sites to vet people, perform risk assessments, and monitor physical access to critical local development facilities such as file servers. Clearly smaller enterprises lack the resources to do this, and would have to entrust this task to the outsourcing company. The question then is whether this company, which in effect is broking offshore development services, can be trusted. There is a growing number of specialist providers of offshore coding, some dealing with all of the principal territories, and to some extent they can be judged by their reputation, but it would be a good idea to seek references, ideally from customers whose requirements were similar to your own.

Assess the outsourcer

The initial tendering process also needs to be taken seriously, for the greater risk than espionage or cyber-terrorism is that the company may just not be up to the job. Even though the average quality of offshore developers may be high, any gold rush attracts its share of hangers-on and pretenders hoping to soak up business before their cover is blown. Often it will be a matter of establishing technical compatibility rather than competence, for a software firm suitable for one type of project may be out of its depth on another because of the particular skill base it has.

In any case it is essential that the technical competence of the outsourcer be firmly established before any financial negotiations take place. It can usually be assumed that significant savings can be made, and the important point is to avoid wasting time discussing money with a firm that you will end up disregarding on technical grounds.

Select the right process

The other important point is in the selection of software components for outsourcing. The best candidates are components that are not available off the shelf because they involve a significant amount of bespoke coding, but at the same time are not too complex. Ideally they should be components that can be assembled offline without access to live processes or the internal network, and then integrated once complete. For this reason website development is one of the most popular offshore projects, for it can take place in parallel, while the preceding website remains operational.

Protect intellectual property

On the other hand highly sensitive processes, or those that would involve access to valuable intellectual property, might well be deemed unsuitable for outsourcing abroad. The same might well apply to complex software involving cutting edge technology and requiring regular interaction between key internal staff and the developers or programmers. In such cases if the work is outsourced at all it should be to a company in reasonably close physical proximity. Even given the best video conferencing equipment there is no substitute for regular face-to-face intercourse within a complex project involving significant technical collaboration.

There can also be an issue with projects requiring direct access to existing source code, for then there is the potential for mischief. At the recent Techno-Security conference in May 2003, Oracle's chief security officer Mary Ann Davidson pointed out that although the company did outsource to China, this was only quality control work that did not require access to source code.

Where overseas staff do need access to internal software or resources, extra care should be taken in defining their access rights and ensuring that their privileges are limited just to what they need. But this should apply to all users, including internal staff, who will still in many cases pose a greater threat than external overseas developers.

Test first

Many of the risks associated with offshore development can be mitigated by application of good all-round project management. Basic ground rules include piloting where possible, to establish that outsourcing works before over-committing to it, and breaking a project into digestible chunks each assessed at regular intervals. This helps keep a tight rein and minimises the risk of a project veering off course and over-budget. But there is also a risk that too much micro-management will impede a project and eliminate the cost savings, so a balance has to be struck.

Conclusion

Overall the risk of ignoring the offshore option completely is greater than the threat it poses, providing the measures outlined here are taken.