Viewing posts from: October 2010

Free wifi spots aren’t safe; this is not news. Wifi has been compromised since the beginning. So why are companies still allowing sensitive company data to cross public wifi networks (Panera, Starbucks, etc.)?

For one, if you use the maximum current security configurations and a whopper of a key, it is pretty solid. Not unbreakable, but definitely discouraging.

The vast majority, unfortunately, don’t maximize their use of the security features. Worse, some companies in highly sensitive fields continue to utilize free wifi spots, spots without encryption, for business purposes. Let’s focus on what makes this a very bad idea.

First, they assume their users are safe because they utilize VPN software of some sort. VPN software, especially the SSL variety, is not entirely safe. At the industry convention Blackhat more than a year ago, a fellow going by the handle Marlinspike demonstrated how to compromise an SSL connection. So you can’t rely on SSL, and there are problems with other VPN connections as well, though they are not as accessible to the general public as the SSL bugs.

Second, companies assume the environment is safe (it’s not) or that their laptops are secure (they aren’t). Some hacker groups meet at these free wifi spots, because they are free. Hackers like anonymity. They might also like a peek at what’s on the other laptops nearby. Windows, Macs, and Linux laptops all have flaws that can be exploited. Yes, they can be “hardened”, that is, configuration changes can be made which make it much more difficult to gain access, but nothing is 100%. Regardless, the typical IT department isn’t making hardening changes to their systems or keeping them up to date. One of the most egregious errors is allowing users to install software on the systems. Either the software itself can be a problem or it is used as a vector for other problems.

Is it a war zone? No. It’s generally safe to use free wifi zones, especially if you’ve taken rudimentary precautions. But it’s not foolproof. And while it’s your personal risk to do online banking via free wifi, it’s another legal matter entirely to allow employees to do so when it can result in catastrophic business loss.

A safer (note “safer”, not safe; nothing is 100% safe) alternative is to use a dedicated Air-Card from a cellular provider, or the built-in equivalent. You still need to harden the machines, and restrict user software installation, but at least the guy sitting next to you isn’t accessing your hard drive. But it costs money.

So, how much is that class action lawsuit going to cost you?

Fear tactics? You bet. Fear is a survival mechanism. We’d like you and your company to still be around next year. So no more sensitive business data without adequate precautions on the free wifi networks. It’s the sensible thing to do. Contact us to discuss in more detail how best to secure your mobile users.

When assessing an account, be sure to ask questions regarding company policy on firearms and threat response, and also check the laws for state and local carry rules. Then verify reality matches the picture described in the interview. All it takes is one jumpy, perfectly legal, gun-carrying employee to accidentally put a hole in your plans. If there are security guards and/or they are armed, make sure they are experienced, follow their procedures, and practice drills. Even a billy-club can ruin your day. If there is a fair chance that you may be looking at an inexperienced, unprepared armed response, discuss the risk with the client and consider delaying any physical check that may result in conflict until the client’s people are better prepared.