How to protect your network from wardrivers

OK, so you bought the cute little blue Linksys wireless router. Your entire house is networked like SBC’s main office. It was easy, right? You just hooked up your DSL modem to the router, dropped wireless cards into Junior’s desktop for online game playing, Missie’s desktop for Internet research and instant messaging, Mom’s office PC that she uses for the family’s financial matters (and a little bit of Amazon.com), the laptop you use for numbers crunching in front of the television and the old PDA you sync with the office computer so you’ll never be without your Outlook contact list.

“What’s that?” you say. “Never heard of an SSID, login or password. WEP? Jesus wept, didn’t he?”

It would take the average malicious wardriver about 15 seconds to type in the default login, “admin,” the default password, “admin,” take control of your network, lock you out, install a program to send out half a million “Teenage Barnyard Sex” e-mails, grab your bank account passwords, financial service account numbers and passwords, launch a virus, put the car in drive and head down the street to the next open AP.

Ira Victor is owner of the Reno-based company Privacy Technician.com. His company does information security and privacy compliance for businesses, particularly for health-care and financial operations.

He says companies that don’t treat computer security as a priority—right down to the user-level—are apt to get themselves in trouble, mentioning the Wells Fargo Bank that recently had a computer carrying customer credit information stolen.

“There’s a huge gap between the technical world and the everyday user when it comes to security,” he said. “People think computer security is a technical issue. It’s not. That would be like saying getting a person safely to work is the responsibility of the automobile’s design engineer.”

There are several things to do, Victor said. No. 1 is to understand that network owners may have some liability if they don’t bother to take minimum security precautions.

“There are wardrivers out there who will use your open access point to send out spam. If that spam hurts other businesses, then the businesses whose connection was used could find themselves in a lawsuit. Even though they weren’t the original sender of the spam, they could have downstream liability.”

The first thing Victor recommended is to change the login and passwords on routers the instant they are installed. All factory defaults are available on the Web to hackers.

Next, WEP encryption should be enabled. He suggests changing the WEP key once a week, as that will limit the time hackers have access to the network.

Make sure the person who sets up the network sets up the wireless network on a separate sub-network, so desktop gear is separate from wireless gear.

Ensure that the hardware you are using on your network—laptops or PDAs or desktops—has proper security, strong firewalls and strong passwords. Buy the most secure routers, which may have security components that the brand names, like Linksys and NetGear, don’t have.

Finally, those who have real privacy issues may want to consider some strong encryption.

“Using VPN makes a lot of sense for anyone who is transmitting sensitive information—financial services, health care, credit cards—any type of confidential information that by any stretch of the imagination the owner would consider valuable," Victor said. "VPN creates an encrypted tunnel between the user and the wireless access point itself. It’s not that pricey. Windows XP comes with a free VPN program. If you buy a wireless access point from a company like SonicWall, it comes with one to five VPN programs with the firewall."