23 January 2009
After listening to TWIT, Security Now and several other podcasts that are relevant to the tech industry, I have heard that more and more people and businesses are using WEP and WPA on their wireless networks. While WEP is certainly NOT the best solution, it is something. WPA is widely considered the minimum protection by many, if not most, of people who care about the use of wi-fi networks. I certainly encourage my customers to use it when they purchase a wireless network setup.
Now for the “IDIOCY”!
A phone call came into the store shortly before we opened today. The person on the phone states to me that he works for a local business and gets his wireless from a different local business. He is having trouble connecting, because the router is over 40 feet away and goes through several walls. Well that can be a problem. He wants an antenna that will “improve” his connection.
The first thing I ask is if he actually has permission to use this connection. He states that he in fact does have permission. OK. I tell him that we do carry some antennas that “could” help, with emphasis on the “COULD”. We discuss the type of wi-fi adapter that he has to determine if one of the antennas we have will actually work for him. He tells me that he has a desktop PC with a wi-fi adapter in the back. I as if it is USB, and he tells me that it is not USB. Well, it sounds like we can help.
When the guy shows up in the store, he has a different story about the wi-fi adapter. He actually looked at it and turns out it is a USB adapter. Since he is not giving me the “tech toy hacker” vibe, I don’t even suggest soldering on an antenna to the USB device. He says that it might help if he was to get past one of the walls and wants to know if we have an extension cord for USB. We can do that, so he purchases one.
During to course of our conversation, I was able to get more info on his “wireless setup”. He business and “several” other businesses all use the high speed DSL connection that it paid for by one of the local businesses. This is probably against the “terms of service”. He did tell me he has to put in a “security code” to connect to the wireless.
Now for the scary part. The business that they are all using for their wireless connection is an insurance company. I know quite a bit about the network used in the insurance company, because I know who installed the network equipment. He was told that the owner of the business wanted a wired/wireless network for “in office” use only. There would be 2 wired users and 1 wireless user. Only the office staff would have access to the network. It was setup with a WPA key for the wireless user to prevent anyone from using the network that was not part of the office. Windows file sharing is in use on this network and none of the shares have passwords as per the owners requirements. This means that anyone connecting to the wireless network has access to the shares on the original network setup for the insurance company. I repeat, anyone connecting to this network can now SEE the files that have been shared by the insurance company.
25 January 2009
I wrote the original post above two days ago. I was amazed and a little upset at the time and thought that the person who came in the store may have had incorrect information or somehow figured out that WPA key from the insurance agent and was using the wireless network without permission. I was, however, wrong in this assumption and the original information was correct. The insurance agent is giving out the WPA key to his wireless network so that the other businesses around him can share the connection. He pays for a business class internet connection from a local ISP, then splits it out with the neighbors. He is using consumer grade equipment, a Linksys WRT54G, to create this wireless connection. The Windows shares are still unsecured as the insurance agent is unaware of how to change it and seems unwilling to do so. This is unfortunate as the shared data is there for to taking by anyone who is able to connect to this network. I have to hope that the people who have access to this data are honest people.
The moral of my story is this, if you are going to go to the trouble to secure your wireless, please don’t just give the key out to whomever. If you are going to be benevolent and share an internet connection that is connected to a network, by all means, protect sensitive data. The sharing of your network should not give everyone the keys to the kingdom.