WiFi Internet cafes "must have firewall" - Westchester County

by Guy J Kewney | posted on 04 November 2005

Just outside New York City, Westchester County has become the scene of the latest WiFi scare, with County Executive Andy Spano announcing legislation to prevent insecure WiFi hotspot operation.

The suggestion, on the face of it, is a sensible one: that anybody who operates a WiFi network commercially should "take basic security precautions to protect private customer information from potential data thieves and hackers."

The law will enforce firewalls. “People don’t realize how easily their personal information can be stolen. All it takes is one unsecured wireless network,” Spano said. “Your credit card number, social security number, bank account information – it’s all vulnerable if a business that collects that information hasn’t taken the proper steps to protect it.”

However, although the law may be sensible, Spano's illustration of the risks was not. The press release issued by the County Executive's office described a simple war-driving exercise, completely irrelevant to the security of WiFi.

"To illustrate how easy it is to get into an unprotected network, Spano and Norman Jacknis, the county’s chief information officer, took a laptop computer equipped with easily available software and drove around downtown White Plains today in search of vulnerable networks," announced the County. The statement continued: "Last week, a team from the Department of Information Technology performed the same survey and came across 248 wireless hot spots in less than a half an hour of driving down Westchester Avenue and Main Street in White Plains."

Out of those, 120, or almost half, "lacked any visible security at all. Many users marked themselves as easy targets by failing to change the network’s default name from “default” to something unique," the statement concluded.

In fact, this survey merely exposes ignorance of how wireless networks operate.

WiFi hotspots, almost by definition, have to be "open" in order to allow passer-by users to see them and log in. Security for that sort of service can be intense, provided behind the scenes by virtual networks and demilitarised zones and firewall hardware and software and intrusion detection and intrusion prevention - and yet the SSID of the public access point can still be "default" or "Linksys" and wide open. The crucial question is whether any other user can snoop on customer transactions, either in the customer database, or by tracking credit card transactions over the air.

Neither of those risks is measurable by the "openness" of the wireless access point.

In fact, most commercial organisations which operate wireless networks have rather better Internet security than those which just run wireline Ethernet, and the main risks (very small!) associated with using public WiFi involve other users gaining access to the hard disks of laptop users who have shared their files.

Spano's assistant, Norman Jacknis, the county’s chief information officer, aims to cover this: “Protecting your computer involves little to no cost. Setting up a Wi-Fi network with basic security takes just a few minutes and there are available free or low-cost personal firewalls to stop intruders from gaining access to your personal computer,” he said.

The proposed law would address many of these risks, he suggested. "The way the law reads, all commercial businesses that use wireless networks and maintain personal information would be required to have “secure networks that protect the public from potential identity theft and other potential threats such as computer viruses and data corruption.” For example, a retail establishment that uses a wireless network to process credit card transactions would be required to install a firewall, one of the easiest and least expensive ways to guard a network from attack. They would have to file a note of compliance with the county."

Businesses that offer public Internet access would be required to post a sign stating that the network has been secured with firewall protection and stressing the need to use discretion.

Full text of Westchester's press release
