OK, so you bought the cute little blue Linksys wireless router. Your entire house is networked like SBCโs main office. It was easy, right? You just hooked up your DSL modem to the router, dropped wireless cards into Juniorโs desktop for online game playing, Missieโs desktop for Internet research and instant messaging, Momโs office PC that she uses for the familyโs financial matters (and a little bit of Amazon.com), the laptop you use for numbers crunching in front of the television and the old PDA you sync with the office computer so youโll never be without your Outlook contact list.
โWhatโs that?โ you say. โNever heard of an SSID, login or password. WEP? Jesus wept, didnโt he?โ
It would take the average malicious wardriver about 15 seconds to type in the default login, โadmin,โ the default password, โadmin,โ take control of your network, lock you out, install a program to send out half a million โTeenage Barnyard Sexโ e-mails, grab your bank account passwords, financial service account numbers and passwords, launch a virus, put the car in drive and head down the street to the next open AP.
Ira Victor is owner of the Reno-based company Privacy Technician.com. His company does information security and privacy compliance for businesses, particularly for health-care and financial operations.
He says companies that donโt treat computer security as a priorityโright down to the user-levelโare apt to get themselves in trouble, mentioning the Wells Fargo Bank that recently had a computer carrying customer credit information stolen.
โThereโs a huge gap between the technical world and the everyday user when it comes to security,โ he said. โPeople think computer security is a technical issue. Itโs not. That would be like saying getting a person safely to work is the responsibility of the automobileโs design engineer.โ
There are several things to do, Victor said. No. 1 is to understand that network owners may have some liability if they donโt bother to take minimum security precautions.
โThere are wardrivers out there who will use your open access point to send out spam. If that spam hurts other businesses, then the businesses whose connection was used could find themselves in a lawsuit. Even though they werenโt the original sender of the spam, they could have downstream liability.โ
The first thing Victor recommended is to change the login and passwords on routers the instant they are installed. All factory defaults are available on the Web to hackers.
Next, WEP encryption should be enabled. He suggests changing the WEP key once a week, as that will limit the time hackers have access to the network.
Make sure the person who sets up the network sets up the wireless network on a separate sub-network, so desktop gear is separate from wireless gear.
Ensure that the hardware you are using on your networkโlaptops or PDAs or desktopsโhas proper security, strong firewalls and strong passwords. Buy the most secure routers, which may have security components that the brand names, like Linksys and NetGear, donโt have.
Finally, those who have real privacy issues may want to consider some strong encryption.
โUsing VPN makes a lot of sense for anyone who is transmitting sensitive informationโfinancial services, health care, credit cardsโany type of confidential information that by any stretch of the imagination the owner would consider valuable,” Victor said. “VPN creates an encrypted tunnel between the user and the wireless access point itself. Itโs not that pricey. Windows XP comes with a free VPN program. If you buy a wireless access point from a company like SonicWall, it comes with one to five VPN programs with the firewall.”