This Internet News report about a simulated attack on a Wi-Fi network conducted by Indiana University offers good news and bad.
The bad news is that the researchers found it would be possible for malware to spread from router to router and affect tens of thousands of routers in two weeks or so.
That's bad, but not quite as dire as it sounds. Several conditions would have to be simultaneously in place for this to happen. Massive amounts of routers would have to be unprotected for such an event to occur, and there are settings and tools available today that drastically reduce the chances of a security breakdown on this scale.
While a total meltdown is not likely, the study is a clarion call for IT departments, public hotspot operators and end users that Wi-Fi is still risky. These groups all must take precautions that will keep security from being compromised in more subtle ways. We are well past the point where Wired Equivalent Privacy (WEP) is acceptable. Wi-Fi Protected Access (WPA) must be the standard operating procedure. Even more basic is that gear must ship with its security features switched on by default.
All things considered, perhaps corporate security policies should disallow the use of public Wi-Fi. Ars Technica details AirDefense research found that a quarter of 4,748 public access points in Atlanta, Boston, Chicago, Los Angeles, New York City, San Francisco, London and Paris are not encrypted and that another quarter only used WEP. To their credit, 49 percent used WPA.
On a less tangibly measured note, the surveyors found that the companies queried are far less concerned about data security than about protection of physical property. In other words, shoplifting is a bigger worry than hacking. The firm said that 85 percent of retail establishments surveyed put corporate data such as point-of-sale information or credit card numbers on unprotected or under-protected wireless networks. The study links to a list of best practices. http://www.itbusinessedge.com/item/?ci=37576
Network Liquidators offers four steps for wireless security. The most basic is to change the name of the network, which is the service set identifier (SSID). Generally, a router comes with a generic default SSID, such as "Linksys" or "Netgear." This invites people who are using devices configured for the same SSID -- and there will be many of them, since the names are so general -- to connect to it.
The second step is to disable broadcasting of the SSID. As the term broadcasting implies, generally publicizing the SSID in essence tells wireless devices -- some of which are malicious -- that the network is there. The third step is to use media access control (MAC) filtering. MAC filtering essentially puts the network off limits to folks who don't have an authorized MAC address. It isn't foolproof, but like a LoJack bar on a car steering wheel, it will encourage criminals to move on to easier targets. The fourth suggestion, the post says, is to use encryption. Bypass WEP in favor of WPA or WPA2.
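The four steps above expressed as an access-point configuration, added here as an illustration rather than taken from the Network Liquidators post. It uses hostapd syntax; the interface name, channel, SSID, file paths and passphrase placeholder are assumptions for the example.

```ini
# hostapd.conf for a small access point (constructed example).
# Interface, driver and channel are assumptions; adjust for the hardware.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# Step 1: replace the vendor default name ("Linksys", "Netgear") with a
# name that identifies neither the hardware vendor nor the owner.
ssid=office-ap-4f2a

# Step 2: stop beaconing the SSID. With 1, beacons carry an empty SSID,
# so a client must already know the name to join.
ignore_broadcast_ssid=1

# Step 3: MAC filtering. 0 = deny unless the address is listed in
# accept_mac_file (one address per line); 1 = allow unless listed in
# deny_mac_file.
macaddr_acl=0
accept_mac_file=/etc/hostapd/hostapd.accept

# Step 4: WPA2 instead of WEP. auth_algs=1 keeps only Open System
# authentication (auth_algs=2, Shared Key, is the WEP mode), and wpa=2
# selects RSN/WPA2 only. A WEP setup would carry wep_default_key and
# wep_key0 lines instead; those must be removed, not left alongside.
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
```

Steps 2 and 3 only raise the bar: clients still send the SSID in probe requests when they look for a hidden network, and MAC addresses appear unencrypted in every frame, so step 4 is the one that actually protects traffic.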
As if WEP weren't compromised badly enough, at the Toorcon hacker conference late last year in San Diego a researcher from AirTight Networks demonstrated how to trick WEP-enabled computers into thinking they are communicating with a known network when, in reality, they are exchanging messages with the hacker. Previously, this InfoWorld story says, WEP hacks involved using vulnerabilities to break into the users' network. In other words, the new exploit focuses on the user and his or her device instead of the network.
This interesting Techdirt post builds on the non-technical issues surrounding poor security habits. The writer quotes a Sophos study that says 54 percent of wireless users admitted to using "stolen" access. The poster offers an alternative interpretation. If the network had no security in place and was broadcasting its SSID, and the visitor did not look at any proprietary information belonging to the network owner, what crime was committed? The writer's premise is that it is possible to interpret the network owner's acts as an open invitation.
It's an interesting argument. For IT managers, however, the takeaway is not philosophical or legalistic. It is simply that poorly protected networks are bound to attract unwanted visitors.