- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
Network World - Mounting worries about the dangers of too-easy access to wireless LANs have prompted government officials in New York and California to put new laws on the books aimed at preventing network “piggybacking” and exposure of sensitive data in both businesses and homes.
Last October, the local government in Westchester County, N.Y., began enforcing a countywide law requiring all commercial businesses to secure their WLAN access or face fines. It also requires any Westchester County businesses offering public Wi-Fi access to the Internet to post an official sign on the wall that advises the user to “install a firewall or other computer security measure.”
The law, which has the Westchester IT department periodically driving about the county with WLAN probes to test whether businesses have failed to adequately secure their WLANs, was enacted because “we saw piggybacking on Wi-Fi nets,” says county CIO Norm Jacknis. “On these networks, there’s unfettered access to confidential data, and we have a problem with that.”
Jacknis says a small number of businesses caught with unsecure Wi-Fi exposing sensitive data have been cited for violations under the law, but so far none has failed to correct the discovered problems. Under the new law, a second violation would lead to a $250 fine and a third and succeeding violation a fine of $500.
Public Wi-Fi access is spreading, with not just Starbuck's coffee houses, but many retail operations, such as garages, offering Wi-Fi for their customer’s convenience. Security experts say unprotected Wi-Fi poses dangers.
“I can sit in Starbuck's and not even try to join the network, and see all the traffic passing around me,” said Al Potter, manager at testing outfit ICSA Labs, during a talk on WLAN security at the InfoSecurity Conference in New York in December. “It’s possible to capture credentials and then I’m ‘you.’”
Andrew Neuman, special assistant to the county executive, says the State of New York as a whole is considering adopting similar legislation.
However, while some applaud the effort to raise security awareness, they’re skeptical a Wi-Fi warning sign posted on a wall is the right approach for government to take.
“It’s silly, because wireless doesn’t stop at the wireless site,” says Mark Rasch, chief security counsel at Omaha, Neb.-based security services firm Solutionary. “If you’re sitting outside, you won’t see the sign.”
However, Rasch says the general idea of warning users about the potential security dangers of Wi-Fi access is great. “A better approach would be a screen shot when you log in at the start.”
Legal experts agree that existing law in the United States does not clearly forbid the practice of Wi-Fi “piggybacking.”
Piggybacking entails using a wireless-enable computer to jumping onto whatever Wi-Fi access happens to available, whether its source is an unsuspecting business or home. When taking advantage of Wi-Fi access left open, a user may stumble across sensitive files.
“When it comes to piggybacking, it’s not clear it’s illegal, not clear it is legal,” Rasch says. “Is lack of security in this case an invitation to come in? We don’t know if what we’re doing is participating in a broad experiment or committing a felony.”
Rasch adds that a close reading of certain telecommunications-related laws in Delaware, Maryland, Florida, Michigan and Wyoming suggests a case can be made that unauthorized access to Wi-Fi would be illegal. But it’s simply not clear.