http://www.freenewmexican.com/news/54268.html By Wendy Brown The New Mexican December 26, 2006 A Santa Fe man with minimal computer training says some local business owners could be making their customers' financial information easy pickings for hackers. Craig Ripley said by using his laptop computer, he has observed that some Santa Fe business owners provide free wireless Internet access over their business computer networks, a practice that leaves their business networks vulnerable to hackers. If businesses have customer information on their networks, hackers could use that information to steal a credit card number or someone's identity, he said. "I'm not into hurting people," said Ripley, who works in the shipping department of Sears. "I just want to let them know." Ripley said he once worked as an over-the-phone computer technician and received three months of formal computer training, but otherwise, he has learned about computer security just by tinkering around. "I'm just a common Joe who works at Sears," Ripley said, adding if he can see these vulnerabilities, anyone can. Eric Padilla, owner of AirNet Security in Santa Fe, a company that specializes in wireless security for businesses, agreed many wireless business computer networks in Santa Fe are vulnerable. "It's crazy in downtown Santa Fe," Padilla said. Padilla has spent much of his career protecting the federal Department of Energy, the National Nuclear Security Administration and Los Alamos National Laboratory from computer-related threats, according to Padilla's biography on his company's Web site. Ripley said he started "wardriving," or trying to see how many open Wi-Fi networks he could find in Santa Fe, in October. His intent was to write an article about how many open networks he could find and disclose how easy it would be to obtain information on them. He hopes that business owners will tighten their security. "I'm all for free Internet," Ripley said, "but you have to make it secure." Ripley said he found he could easily access the computer networks of several businesses, including two local restaurants. The general manager at one of the restaurants, who would not provide his name, said he did not want to comment for this story. The other restaurant did not have an owner or manager available for comment Friday. One of the restaurants now requires a password to access the restaurant's business network, Ripley said, but that wasn't always the case. Ripley said security measures such as passwords aren't enough because they're often easy to break. There is a program called John the Ripper that helps hackers crack passwords, and it is available for free on the Internet, Ripley said. Also, some businesses still use passwords that can be easily guessed based on what the business does or uses for a name, Ripley said. People should always use lengthy passwords that combine letters, numbers and symbols, according to Microsoft literature on how to create a strong password. People should use words they'll remember, but ones that other people wouldn't guess. Padilla said separating Wi-Fi access from a business network is one way to solve the problem. Increasing security measures is another, he said. It is possible to run Wi-Fi access over a business network and keep it secure, Padilla said, but business owners should be leery of consumer-grade security measures. The quality of business-grade security measures has increased greatly in the past two years, he said. Nothing is 100 percent secure, Padilla said, but companies like AirNet Security offer monitoring services that can tell business owners if people are trying to hack into their network. "If you're really concerned about your information, you have to monitor the system," he said. It is definitely a bad business practice to run public Wi-Fi access over a business network without tight security, Padilla said. Under state law, accessing a computer network without authorization is legal. The statute requires that a person who accesses a computer without authorization cause damages for a crime to occur. But Assistant U.S. Attorney Laura Fashing said in general, it is a crime under federal law to access a computer network without authorization. Eric Struck, owner of the Santa Fe Baking Co. & Cafe, said for security reasons, he made sure to keep his business network separate from the restaurant's free Wi-Fi access. "I keep the business off the Internet, just for that reason," he said. _____________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Tue Dec 26 2006 - 22:28:26 PST