Drive-by hackers still major threat

NEWS Two-thirds of companies are failing to secure wireless networks and are leaving themselves exposed to 'drive-by hackers', according to a new survey. Belfast-based security consultancy Celare did a 'drive-by' test through Edinburgh, which is home to the head offices of many financial and retail companies, using just £200 of common kit and found 103 wireless networks out of 153 detected were unprotected. The results are all the more shocking given several similar high-profile 'war-driving' surveys in major cities over the last two years. War-driving gets its name from the practice of war-chalking - marking the outside of buildings with unprotected wireless networks. Darren Craig, professional services director at Celera, told silicon.com several high-profile names were among those without adequate encryption. He said: "We were surprised. We did war-driving round some other cities and found similar results and some of it is quite shocking. Some of these companies you would have thought would a lot more aware of the issues and done something about it." Celare did non-intrusive scanning by driving through Edinburgh with just some Linux scanning tools, a £50 wireless network card and a standard laptop and antenna. Craig said some networks had the company name in the SSID identifier tag, while those with the default SSID tag showed only the inadequate out-of-the-box security was implemented. He said: "WEP encryption that comes with the connection points can be brute-forced." Craig recommends that companies with WLANs should use a virtual private network connection to encrypt data behind the firewall, while employees using laptops out on the road should have a local firewall installed. John Salmon, partner at IT law specialists Masons, said in a statement that businesses could face legal action from the Information Commission for breaching the Data Protection Act if weak security left sensitive data exposed. He said: "When people talk about war driving, they often say that the law is ambiguous. That may be true to an extent for those accessing the networks, but for the business that runs the networks, the law is absolutely clear: if the personal data which you hold is not secure, you risk action by the Information Commissioner and by anyone whose confidential data is compromised."