Lawmakers Crack Down on Wi-Fi Crime

By Tim Scannell

April 28, 2006

Performing security due diligence or paying fines in White Plains.

If you’re a business owner in upstate New York and use a wireless LAN to handle sensitive customer data, you better make sure it’s secure. It it’s not, you may be breaking the law and could be slapped with a fine.

That is the message coming out of Westchester County and the city of White Plains this week as legislators pass a law that makes it illegal for a business not to take the necessary precautions to protect its wireless networks from accidental or deliberate abuse.

Precautions range from internal firewalls to simply switching on a system to changing a network’s SSID identifier.

The new law is less restrictive on public Wi-Fi hotspots, like those found in local coffee shops or hotels. In this case, the operators are required to post signs reminding users to turn on personal firewalls and embedded 802.11 protection. If they don’t, then they too will run afoul of the Wi-Fi police.

Most members of the local business community support the legislation as a good way to boost awareness for wireless security.

They also say it’s an issue that needs to be addressed, Andrew Neuman, senior assistant to the county executive, told internetnews.com. “At the end of the day, not one person has said it’s a bad idea.”

IBM’s corporate headquarters is located in White Plains, and therefore must also comply with the new law, which goes into effect in October. Executives there have not yet responded to the legislation, Neuman said.

Experts from the technical community have a mixed reaction to the legislation.

“Overall, it’s a step in the right direction, but how much of an impact it has on altering Wi-Fi usage habits for the business and consumer remains to be seen,” Chuck Conley, vice president of marketing for Boston wireless security firm Newbury Networks, told internetnews.com.

“Strong authentication and encryption combined with Wi-Fi security technologies will ultimately be the best remedy for keeping the bad guys off the network while protecting users from connecting to unauthorized devices.”

Maybe, although some experts believe that forcing businesses to secure their wireless networks with legal mandates may not be the best approach.

“As much as the local government thinks they’re doing the right thing by enforcing some sort of wireless security, is it really within their rights to do so?” said Doug DiNunzio, senior product manager for Bluesocket in Burlington, Mass.

“Some of the fault lies with the manufacturers’ not making security come on by default, and for not making it easy enough to configure,” he told internetnews.com.

Complying with the law could give a business a false sense of security since some of the security precautions suggested are easily defeated, he added. It would be more effective and useful to bundle an education process along with the legislation, or at least require businesses that violate the new law to take a class to bring them up to speed on security.

Officials in Westchester County say the new law is an important part of the education process since it forces businesses to evaluate the security of their wireless networks.

“Our position always has been that public awareness is a key aspect of the enforcement,” said Neuman.

Lawmakers decided to put a wireless law on the books because of increased reports in the press about computer fraud and security breaches, and comments that “mainstream” American cities were the most vulnerable, he added.

“All the businesses that we approached, and told them we think their network is insecure, were totally shocked.”

Westchester County officials believe their actions do put more teeth into current computer security laws that do not specifically deal with Wi-Fi and other unlicensed broadcast spectrum. Most laws focus on the computer systems and data behind the wireless network and not the network itself, said Neuman.

The Federal Computer Fraud and Abuse Act, for example, makes it illegal for anyone to knowingly access a computer without authorization or intentionally use a computer to access financial data without authorization.

An Illinois man was fined $250 and one year probation earlier this year for using a Wi-Fi network without authorization, but was charged with illegally accessing a computer system on the network and not the wireless network itself.

In fact, technically it is not illegal to use your computer or specialized devices to sniff around for wireless networks and connect to these networks when there are no safeguards in place.

Operating systems like Microsoft’s XP are designed to zero in and lock onto the strongest wireless signal and attempt a connection.

Newbury Networks demonstrated just how easy it is to locate wireless networks during the 2004 Democratic National Convention (DNC) in Boston.

A crew from the tech company drove around the DNC site and cataloged the number of unprotected Wi-Fi networks in and around the political gathering.

In a three-hour wardrive they discovered a total of 3,683 unique Wi-Fi devices and 457 wireless access points, most of which were unprotected.

An average of one wireless network card in and around the convention site also tried to connect with Newbury’s open access point every two minutes, the company noted. Many of these devices were being used by press and others attending the DNC.

Most companies are careful about installing security safeguards on internal wireless networks that lock out unauthorized users and can even disable rogue access points that try to lure a user’s network signals.

Public Wi-Fi is a bigger problem, however, since hospitals and hotels install it as a consumer convenience and are reluctant to take security measures that are too strong and may create problems for casual users.

The best solution is to keep public Wi-Fi totally separate from a corporate network.

“If you provide free Internet access, don’t use the same system for credit authorizations and customer data,” said DiNunzio.