Interview with Charles R. Elden, co-author of "Wireless Security and Privacy"
by Mirko Zorz - Tuesday, 11 February 2003.
Charles R. Elden is an independent security consultant. He has worked as a manager and software security consultant with Cigital's Software Security Group. He has experience performing communication and software systems risk analysis and risk management.

Previously, he worked for the Central Intelligence Agency for 12 years and has worked for more than 11 years in the Directorate of Science and Technology's Office of Technical Services. He is the co-author of "Wireless Security and Privacy: Best Practices and Design Techniques."

How did you get interested in wireless security?

I have a general interest in security and leveraging technology to assist in solving problems. During my time with the Agency, I was a Technical Operations Officer, responsible for technical support to field operations including secret writing, disguise, concealment devices, miniature cameras, counter-terrorism, technical surveillance, and clandestine communications (my specialty). I was responsible for designing, building, installing, operating and training field agents and assets to use these devices, in other words I got to build and play with cool spy toys. On the communications side these systems included RF signalling, voice and data transmission via RF, IR, microwave, satellite, as well as wired and wireless networks. The security requirements of these systems were stringent and unyielding; we had the anonymity of the sender, receiver, commercial communication technologies and systems. Becoming involved with commercial security issues (wireless being a part) was an easy transition from my government duties.

What are your favourite tools for dealing with security when it comes to wireless networks and why?

Tools are just that, and listing tools will likely lead people to believe that by implementing the tool they will be able to achieve security. The mind is the best tool, you have to thoroughly understand what you are trying to accomplish with the use of a wireless network, what you are trying to protect, and where might an attacker try to gain access. The results of this analysis will lead you to the tools you will need to verify that the system is working, as you believe it is, or know it should be. It all comes down to how much risk you are willing to accept and what the consequences are if the threat is realized.

The only tools unique to wireless systems over a wired system are; a wireless device, one of the available spectrum analysis program(s) and wireless diagnostic utilities, which allows you to determine the range of the wireless access, other RF activity, what access points are visible and how they are configured.

How long did it take you to write "Wireless Security and Privacy: Best Practices and Design Techniques" and what was it like? Any major difficulties?

I am estimating it took us between 7-9 months to write the substance of the book. It was another 6 months for reviews, editorial changes, etc. Then another 4 months for the layout, proofing, and printing.

It was a lot more work than originally appeared when we were approached to write the book. It was also a lot of fun to see the book take shape and develop into the final product.

The hardest thing was taking all the material we wanted to cover, organizing it so it had some logical flow and could be understood, setting a deadline for not adding new information (after all technology is constantly changing) and culling out information so the book had a good balance between level of detail and breadth of coverage.

Warchalking, Wardriving, Warspamming - these are just some of the terms we see frequently in the news. Do you see these actions as a real problem or is it just the media making things bigger than they are?


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th