[ISN] "Hacker" warns of Wi-Fi risks

From: InfoSec News (alerts@private)
Date: Tue Dec 26 2006 - 22:13:59 PST


http://www.freenewmexican.com/news/54268.html

By Wendy Brown 
The New Mexican
December 26, 2006

A Santa Fe man with minimal computer training says some local business 
owners could be making their customers' financial information easy 
pickings for hackers.

Craig Ripley said by using his laptop computer, he has observed that 
some Santa Fe business owners provide free wireless Internet access over 
their business computer networks, a practice that leaves their business 
networks vulnerable to hackers.

If businesses have customer information on their networks, hackers could 
use that information to steal a credit card number or someone's 
identity, he said.

"I'm not into hurting people," said Ripley, who works in the shipping 
department of Sears. "I just want to let them know."

Ripley said he once worked as an over-the-phone computer technician and 
received three months of formal computer training, but otherwise, he has 
learned about computer security just by tinkering around.

"I'm just a common Joe who works at Sears," Ripley said, adding if he 
can see these vulnerabilities, anyone can.

Eric Padilla, owner of AirNet Security in Santa Fe, a company that 
specializes in wireless security for businesses, agreed many wireless 
business computer networks in Santa Fe are vulnerable.

"It's crazy in downtown Santa Fe," Padilla said.

Padilla has spent much of his career protecting the federal Department 
of Energy, the National Nuclear Security Administration and Los Alamos 
National Laboratory from computer-related threats, according to 
Padilla's biography on his company's Web site.

Ripley said he started "wardriving," or trying to see how many open 
Wi-Fi networks he could find in Santa Fe, in October. His intent was to 
write an article about how many open networks he could find and disclose 
how easy it would be to obtain information on them. He hopes that 
business owners will tighten their security.

"I'm all for free Internet," Ripley said, "but you have to make it 
secure."

Ripley said he found he could easily access the computer networks of 
several businesses, including two local restaurants.

The general manager at one of the restaurants, who would not provide his 
name, said he did not want to comment for this story. The other 
restaurant did not have an owner or manager available for comment 
Friday.

One of the restaurants now requires a password to access the 
restaurant's business network, Ripley said, but that wasn't always the 
case.

Ripley said security measures such as passwords aren't enough because 
they're often easy to break.

There is a program called John the Ripper that helps hackers crack 
passwords, and it is available for free on the Internet, Ripley said.

Also, some businesses still use passwords that can be easily guessed 
based on what the business does or uses for a name, Ripley said.

People should always use lengthy passwords that combine letters, numbers 
and symbols, according to Microsoft literature on how to create a strong 
password. People should use words they'll remember, but ones that other 
people wouldn't guess.

Padilla said separating Wi-Fi access from a business network is one way 
to solve the problem. Increasing security measures is another, he said.

It is possible to run Wi-Fi access over a business network and keep it 
secure, Padilla said, but business owners should be leery of 
consumer-grade security measures. The quality of business-grade security 
measures has increased greatly in the past two years, he said.

Nothing is 100 percent secure, Padilla said, but companies like AirNet 
Security offer monitoring services that can tell business owners if 
people are trying to hack into their network. "If you're really 
concerned about your information, you have to monitor the system," he 
said.

It is definitely a bad business practice to run public Wi-Fi access over 
a business network without tight security, Padilla said. Under state 
law, accessing a computer network without authorization is legal. The 
statute requires that a person who accesses a computer without 
authorization cause damages for a crime to occur.

But Assistant U.S. Attorney Laura Fashing said in general, it is a crime 
under federal law to access a computer network without authorization.

Eric Struck, owner of the Santa Fe Baking Co. & Cafe, said for security 
reasons, he made sure to keep his business network separate from the 
restaurant's free Wi-Fi access. "I keep the business off the Internet, 
just for that reason," he said.


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 



This archive was generated by hypermail 2.1.3 : Tue Dec 26 2006 - 22:28:26 PST