January 29, 2004, 11:35 AM — IT managers are catching up to the dangers of Wi-Fi, but opportunities for drive-by hackers in London may actually be increasing. New wireless LANs are popping up very fast, and many of them are insecure "rogue" access points.
This year, two-thirds of the City's Wi-Fi networks have WEP (Wired Equivalent Privacy, the basic Wi-Fi security standard) turned on. That's not a great record, but it is better than last year, when only a third of them had WEP. However, since the number of WLANs in the city of London went up by 235 percent over the year, there are more than three times as many WLANs out there. So while the proportion of non-WEP networks is lower (34 percent), the actual number is higher.
It may not be as bad as all that, according to the survey carried out by Cracknell Information Systems Security Partnership (CISSP), for the security vendor, RSA Security Inc. Apparently about half the WLANs without WEP actually have VPN protection (19 percent). "Researchers believe many other access points could have had MAC address screening or other undetectable security methods," said RSA in its release.
The bad news from the survey is that a quarter of access points don't follow all best practice guidelines, committing errors such as leaving insecure default settings on the access points. "This allows important network information to be broadcast into the street, providing potential hackers with valuable intelligence to launch an attack," says RSA.
While access points using VPN encryption are almost certainly approved and installed by the IT department, this sloppiness sounds more like rogue access points, brought in and slung up any old how.
"The 25 percent of poorly configured access points suggests that employees and departments could be deploying rogue wireless networks within their business without the knowledge of IT managers," said Phil Cracknell of CISSP. "The price of access points has fallen rapidly and they can now be bought for as little as