LONDON (01/29/2004) - IT managers are catching up to the dangers of Wi-Fi, but opportunities for drive-by hackers in London may actually be increasing. New wireless LANs are popping up very fast, and many of them are insecure "rogue" access points.
This year, two-thirds of the City's Wi-Fi networks have WEP (Wired Equivalent Privacy, the basic Wi-Fi security standard) turned on. That's not a great record, but it is better than last year, when only a third of them had WEP. However, since the number of WLANs in the city of London went up by 235 percent over the year, there are more than three times as many WLANs out there. So while the proportion of non-WEP networks is lower (34 percent), the actual number is higher.
It may not be as bad as all that, according to the survey carried out by Cracknell Information Systems Security Partnership (CISSP), for the security vendor, RSA Security Inc. Apparently about half the WLANs without WEP actually have VPN protection (19 percent). "Researchers believe many other access points could have had MAC address screening or other undetectable security methods," said RSA in its release.
The bad news from the survey is that a quarter of access points don't follow all best practice guidelines, committing errors such as leaving insecure default settings on the access points. "This allows important network information to be broadcast into the street, providing potential hackers with valuable intelligence to launch an attack," says RSA.
While access points using VPN encryption are almost certainly approved and installed by the IT department, this sloppiness sounds more like rogue access points, brought in and slung up any old how.
"The 25 percent of poorly configured access points suggests that employees and departments could be deploying rogue wireless networks within their business without the knowledge of IT managers," said Phil Cracknell of CISSP. "The price of access points has fallen rapidly and they can now be bought for as little as £140 (US$255) -- a purchase that could easily be made on expenses."
While rogue networks continue to be a menace, the secure, IT-approved networks are moving quickly, said Cracknell. A large proportion of the secure networks, backed by the IT department, were implementing the faster 802.11g standard as well as 802.11b. "The number of systems incorporating both 802.11b and 802.11g on the same network reinforces the fact that wireless networks are being implemented at the heart of IT infrastructures," said Cracknell. "By embracing new wireless standards and creating a clear migration path, businesses are cementing the future of WLANs, especially as second-generation installations are occurring only three years after its initial introduction."
"I think IT policies have caught up in the enterprise," said Tim Pickard, strategic marketing director EMEA for RSA. "We will see fewer rogue access points in corporate environments in future. But there will be more in small businesses or remote offices, where they don't have enough IT support." Many of the poorly configured access points, he said were probably in small offices, attached to DSL routers.
CISSP's route for the survey started at Holborn, England, and passed through Clerkenwell, Shoreditch, the City, St Luke's, Finsbury, Spitalfields, and Canary Wharf.