Now, someone can steal your company’s most sensitive data by snatching it out of thin air—right from the company parking lot.
Sound more like scare talk than reality? Guess again. On May 1, an anonymous customer of Best Buy Inc. told SecurityFocus Online, a Web site for a security threat management firm, that he was able to break into Best Buy’s internal sales data network from his car—which was parked in one of the store’s parking lots. He tapped into the network, he said, after installing into his laptop a wireless card that he had just bought in the store.
It’s not certain whether any customer credit card numbers or other purchasing information held by Best Buy at its 499 stores across the country has actually fallen into the wrong hands, but the discovery of the company’s vulnerability caused a brouhaha at Best Buy headquarters.
The problem? Best Buy, in some of its checkout lanes, uses portable point-of-sale terminals that are tied to its servers by a wireless local area network, or LAN. The LAN relies on the 802.11 wireless networking standard, known as Wi-Fi. But Best Buy did not, apparently, bother to turn on the most fundamental security feature that’s built into Wi-Fi, thereby leaving customer credit card data unencrypted and open to snooping. At first, Best Buy pulled its wireless POS systems from its stores. Now, though, they’re back in use, says spokeswoman Joy Harris, because the company has bolstered its wireless security procedures.
But Best Buy’s vulnerability is hardly unique. Many companies fail to take even the most basic wireless security precautions. Still have doubts? Take a ride with government software consultant Todd Waskelis in Virginia’s Dulles corridor, a thruway outside Washington, D.C. that is lined with high-tech firms. Waskelis can slip a wireless card into his laptop, drive down Route 7 and pick up one wireless network after another, including the networks of a major credit clearinghouse. “Instead of hacking from the Internet, people can hack from the road, and probably get to the accounting server,” Waskelis says.
But the culprit, say experts, isn’t the technology as much as it is poor management. Few companies think about wireless security as a business problem, and fewer still think of wireless security as a critical component of their company’s business strategy—a set of choices to be made about what level of wireless risk is acceptable, and how to manage exposure while monitoring the network continuously for new holes and threats.
“The concept of wireless is on many peoples’ radar screens, [but] the concept of wireless security is on far fewer of them,” says Larry Rogers, a senior member of the technical staff at the CERT Coordination Center at Carnegie Mellon University. CERT trains companies to help secure the Net.