It pays to plug leaks in unsecured wireless networks
by Alan Zisman (c) 2007
First published in Business in Vancouver June 12-18, 2007; issue 920
High Tech Office column

Wireless networking (aka WiFi) has become pervasive as the way to connect laptops or multiple computers to the Internet and to one another. It’s spread from universities, cafés and hotels to homes and small businesses. It’s also increasingly used in large enterprise settings, replacing traditional network wiring.

But many people who wouldn’t imagine using a computer without antivirus protection can’t be bothered turning on the security settings of their WiFi router. Partly it’s because the manufacturers leave all the security settings off by default, making it easier for users to plug ’em in and get online. Part of it is because a user trying to turn on the security settings is likely to get overwhelmed with jargon that varies from manufacturer to manufacturer.

But there’s also an attitude of “Why bother? What’s the worst that can happen? Some guy sitting in his car in front of my house using some of my excess Internet bandwidth? How likely is that?”

It just doesn’t seem much of a worry. But it should be.

This past winter, TJX Companies (parent company of Winners, Marshalls, HomeSense and other clothing retailers in the U.S. and Canada) reported the loss of credit card numbers and other customer information from corporate databases.

According to reports in the Wall Street Journal, the data breach began with hackers in a car in the parking lot of a Minnesota Marshalls store. From there, they breached the store’s poorly secured wireless network. Over a period of two years, they were able to download some 45.7 million credit card numbers.

In a recent quarterly financial report, TJX attributed US$12 million in losses for that quarter to costs related to the intrusions. There have been wireless network intrusions reported at U.S. hardware chain Lowe’s and other large retailers. (In the first U.S. prosecutions for wireless-based attacks, the Lowe’s hackers received sentences ranging up to nine years.)

Besides investigations of large corporate network hacks, there are increasing reports of prosecutions for stealing bandwidth. In these cases, the “crime” can be something as seemingly harmless as sitting in a car making unauthorized use of someone else’s Internet connection.

In a May report from Michigan, a man who habitually sat in his car parked in front of a café to check his e-mail was charged under that state’s fraudulent access to computers and computer networks law. The felony carries a maximum sentence of five years in prison and a $10,000 fine, though prosecutors are asking for less.

There have been reports of similar charges and convictions in a number of U.S. states, including neighbouring Washington and Alaska, and in London, England. The Alaska case involved a man arrested playing online games while parked outside a public library after hours.

Take the time to familiarize yourself with your wireless router’s security settings and enable the wireless encryption that’s left off by default. Use the more powerful WPA or WPA2 encryption. The older WEP encryption is too weak and may be worse than nothing, because it’s relatively easily hacked but gives users the illusion that they’re protected. German security researchers recently broke WEP encryption in 20 seconds. The St. Paul, Minnesota, Marshalls store thought its network was safe behind WEP encryption. It wasn’t.
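
As an added example (not part of the original column), this short Python script applies the advice above to a wireless scan, flagging networks that are left open or rely on WEP alone. It assumes scan text in the format printed by the Linux `iwlist <interface> scan` command; the sample networks and addresses are constructed.

```python
import re

# Constructed sample in the format printed by `iwlist <interface> scan`
# (addresses and network names are made up for this example).
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 02:00:00:00:00:01
                    Encryption key:off
                    ESSID:"cafe-guest"
          Cell 02 - Address: 02:00:00:00:00:02
                    Encryption key:on
                    ESSID:"store-backoffice"
          Cell 03 - Address: 02:00:00:00:00:03
                    Encryption key:on
                    ESSID:"home-old"
                    IE: WPA Version 1
          Cell 04 - Address: 02:00:00:00:00:04
                    Encryption key:on
                    ESSID:"home-new"
                    IE: IEEE 802.11i/WPA2 Version 1
                    IE: WPA Version 1
"""

def classify(cell_text):
    """Return OPEN, WEP, WPA or WPA2 for one scanned network."""
    if "Encryption key:off" in cell_text:
        return "OPEN"
    if "WPA2 Version" in cell_text:
        return "WPA2"
    if "WPA Version" in cell_text:
        return "WPA"
    # A key is required but no WPA/WPA2 element is advertised: WEP.
    return "WEP"

def audit(scan_text):
    """Return a list of (essid, protection, needs_fix), one per network."""
    results = []
    # Each network in the scan starts with a "Cell NN - Address:" line.
    for cell in re.split(r"\n\s*Cell \d+ - ", scan_text)[1:]:
        match = re.search(r'ESSID:"(.*)"', cell)
        essid = match.group(1) if match and match.group(1) else "<hidden>"
        protection = classify(cell)
        results.append((essid, protection, protection in ("OPEN", "WEP")))
    return results

if __name__ == "__main__":
    for essid, protection, needs_fix in audit(SAMPLE_SCAN):
        print(f"{essid:18} {protection:5} {'FIX' if needs_fix else 'ok'}")
```

Networks reported as OPEN or WEP are the ones whose router settings should be changed to WPA or WPA2.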