ARN

Sound off: Why worry about wireless?

Wireless security threats are overhyped and easily stopped, says a Computerworld editor
  • David Ramel (Computerworld (US))
  • 27 September, 2007 16:01

Editor's note: Computerworld editors David Ramel and Preston Gralla disagree on the security threat posed by wireless networks. In this article, Ramel alleges that the threat is overhyped, that it's now trivial to secure wireless nets and that IT pros have far more serious security concerns they should be addressing -- while home users have little to lose even in the remote chance someone tries to breach their network.

In Why you need wireless protection, Gralla presents his case that wireless networks are indeed a serious vulnerability. He also provides tips on how to secure a wireless network. Both editors wrote their articles without having read the other's.

Want wireless security? Fine, click the WPA2 button during your router setup, enter a key, change the default log-on, and you're good.

Still worried? Fine, turn off SSID broadcast, and you're good.

If you're really paranoid, you can even filter MAC addresses so only the devices you specify can connect to your wireless network, and you're good. You're still done in under five minutes.

Meantime, you might want to think about whether or not Joe from Accounting is locking his car doors when traveling around with a laptop that contains tens of thousands of customer names, account information and Social Security numbers. Reading the news lately, I think you have bigger fish to fry than the relatively trivial matter of securing a wireless network.

Sure, Computerworld and other IT trade sites keep pumping out the wireless security tips, but wireless isn't new any more. It isn't a wild 'n' woolly frontier being explored by cutting-edge first-adopters ignorant of security issues and reluctant to jump through numerous hoops to be safe.

Everyone gets it now. These days, you have to want to be hacked if you're running an insecure wireless net. You practically have to beg for it.

Even home users get it. I used to drive around with NetStumbler and find all kinds of unsecured nets. No more. Even though they have very little to lose and the odds of losing it are slim, home users are securing their wireless operations like never before.

Shock and ignorance

I once asked on this site exactly how a wireless hacker could steal valuable information from a home wireless network, and no one had an answer. Readers were full of dire warnings and expressed all kinds of shock at my ignorance, but no one could provide details about how it's done.

Sure, someone could "steal" your bandwidth. But how many movies would they have to download before you even noticed a slowdown?

Sure, they could download child pornography using your Internet connection. But how many pedophiles are likely to be parked outside your house or live within range?

All these things could conceivably happen, but my point is that it's extremely unlikely anyone will even try -- and it's really easy to stop them if they do.

But if you're running a corporate network with valuable data to protect, you can't take any chances. Which is why vendors have made wireless security so simple.

At the time I'm writing this, I haven't yet read Preston Gralla's articles on why you need wireless protection and how to secure your wireless network, but I've read so many of these articles that I can reel off the likely top tips without doing any research at all: Change default log-in and password; change default SSID; enact WPA2; turn off "broadcast" mode of your device; and filter MAC addresses so only those devices specified can access your network. I've set up a few wireless devices, and each one explained pretty clearly how to secure the network. There's no excuse not to do it.

Page Break

Of course, the last time I espoused these thoughts, in a security newsletter, the news broke that the massive TJX data breach happened through a wireless hack. (Ouch! Just my luck.) And boy, did readers let me know about it.

OK, $256 million (or whatever the TJX figure is now) is nothing to sneeze at. But someone at TJX was clearly asleep at the wheel. Obviously they didn't read Computerworld. In fact, according to a May 5 article in The Wall Street Journal, "The US$17.4-billion retailer's wireless network had less security than many people have on their home networks, and for 18 months the company ... had no idea what was going on."

So I'll give you that one -- chalked up to sheer stupidity. And the BJ's hack of a few years ago was another wireless attack that made great headlines. Of course there have been a few high-profile cases of wireless break-ins. Plane crashes make news, too, but are you avoiding air travel because of them?

More serious threats

Rather than point to a few well-publicized wireless intrusions, just look at all the data breaches caused by lost or stolen laptops. Or rogue personal devices. Or Trojans or bots or customer record sheets used as newspaper wrapping, which actually happened last year.

And take a look at the "chronology of data breaches" maintained by the Privacy Rights Clearinghouse, and search for wireless. You won't find many hits.

There are some people who agree with me. Check out this passage about wireless security from CSO magazine, one of our sister sites:

"Most of the things you'll need to do [for security] will come from the vendor. It's just a question of turning it on," adds Selby. Last year, Gartner went so far as to say that Wi-Fi was one of the most overhyped IT security threats.

If it was overhyped in 2005, what is it now?

It's a page-view-generating, show-the-CEO- what-we've-done, still-sexy-for-some-reason, hot-button, Slashdot/Digg-bait -- that's what it is. It's dead.

But just to be safe, you'd better go read Preston's article right now.