
Thread: News from the front....

  1. #1
    Member squishyalt's Avatar
    Join Date
    Feb 2010
    Posts
    172

    News from the front....

    Well, I had the (not original, I know, I know) idea of approaching businesses that are using WEP for their business wireless networks, telling them how insecure it was and offering to help them fix it for free.

    So far I have tried 2 different approaches.

    #1) I tried to just drop in (laptop in hand) on 10 businesses and explain to them what I had found, why it was bad and how easy it was for them to fix.

    Two businesses didn't even let me in the door, took my business card and said they'd tell the owner. OK....whatever....

    Two other businesses actually got mad at me. One of these was a dentist office. When I approached the counter I told them my name, handed them my business card and asked to see the office manager. The receptionist hesitated, so I added that I was not there to sell them anything, and asked to see the office manager again.

    Upon being told that I was not selling anything, she asked "Then, why do you need to see her?" I opened my laptop, showed her WirelessMon, her dentist office SSID and that they were using WEP which is so insecure that any teenager with a laptop could hack into it in as little as 3 minutes.

    At this point, a rather large, middle aged, quite unpleasant woman sitting next to her scowled at me and growled "We have an IT person, and I am SURE that she would NEVER do anything that would allow us to be hacked into!"

    Taken quite by surprise at this nasty welcome (and without taking a moment to think before speaking), I looked her dead in the eye and shot back "Want to bet?". Needless to say, this probably did not endear her to me.

    She then said "We have your card and will give it to her. If she thinks there is a problem, she can call you." I'm sure she will.

    As I left, I secretly hoped they'd get hacked that night. It would serve her mean old ass right. After all, I am just here trying to help the ignorant stay safe - for free - no strings attached.

    But, that is the attitude that I got from about half of the businesses that I approached.

    One business was a CPA's office. The owner actually lied to me and told me that he was aware that he was running WEP. He said that he set it up that way on purpose for just that week. Unfortunately I had been monitoring his business park for more than 4 weeks, and it had been WEP for all that time.

    Only 1 business owner in 10 allowed me in and let me show him how to switch from WEP to WPA2. It took us all of 10 minutes for me to explain it to him and show him how to fix it himself.

    He asked if he should do the same thing at home. I told him "Yes". I also told him to tell all of his friends to do the same thing at their businesses and homes. I left 3 business cards with him so that they could call me for some free help if they needed it. (He was quite intelligent and I am sure that he will be able to help them through this simple task.)

    #2) I have changed my approach to handing out a single page flyer to businesses that I know are insecure. I first ask them if they offer free wifi for their clients. If they say "No", I hand them the flyer and tell them to have a nice day.

    Basically the flyer tells them that my IT company has detected that they are using an insecure wireless access point. It tells them that any teenager with a laptop can hack into their WAP and that they need to get their wireless security checked by an independent 3rd party (it does NOT have to be my IT company) ASAP.

    I do recommend that they use someone other than the IT person they currently have (again stating that it does NOT have to be me), because they have the right to know if their IT person is keeping their data safe.

    I also include some references that they can contact to check me out if they wish.

    I just handed out about 10 of them today. I'll let you know if I get any bites from them - but I'm not holding my breath.

    I have two other plans to help secure the businesses in my area. One requires an element of surprise for it to work well and a week or 2 to see what effect it has. The other requires another worker and a little training to pull off.

    Anybody have any better luck trying to help businesses secure their wireless networks?

    (And, yes, I am offering this help for free. No strings attached. That's probably what scares them the most.)

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535



    Taken quite by surprise at this nasty welcome (and without taking a moment to think before speaking), I looked her dead in the eye and shot back "Want to bet?". Needless to say, this probably did not endear her to me.

    She then said "We have your card and will give it to her. If she thinks there is a problem, she can call you." I'm sure she will.

    As I left, I secretly hoped they'd get hacked that night. It would serve her mean old ass right. After all, I am just here trying to help the ignorant stay safe - for free - no strings attached.
    Here's the problem and the main reason why many of us that have thought of this idea previously have never followed through.

    You gave them your business card, and showed them that they're vulnerable.

    Now, if they're breached in any way, there's gonna be a LEO knocking on your door, and you're gonna be hard pressed to prove that it wasn't you that did it. It's gonna take hiring an attorney.

    Good luck, I hope something bad doesn't happen.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Member squishyalt's Avatar
    Join Date
    Feb 2010
    Posts
    172


    Quote Originally Posted by streaker69 View Post
    Here's the problem and the main reason why many of us that have thought of this idea previously have never followed through.

    You gave them your business card, and showed them that they're vulnerable.

    Now, if they're breached in any way, there's gonna be a LEO knocking on your door, and you're gonna be hard pressed to prove that it wasn't you that did it. It's gonna take hiring an attorney.

    Good luck, I hope something bad doesn't happen.
    A LEO may be knocking on my door for another reason... I drove into the parking lot of the local sheriff's office and saw 3 WEPs that appeared to be inside the SO. So, I trotted right in and left a flyer with them too.

    So, they needn't look any further than their own place for a reason - if they want one.

    And, I have considered the possibility of being falsely accused of a crime involving computer trespass. If that happens, I'll sue them until Smurfs are no longer blue.

    If there's one thing I hate it's ignorance. If it is aimed at me, God help whoever is doing the aiming.

  4. #4
    Member
    Join Date
    Jan 2008
    Posts
    194


    You seemed determined, so I say Good for You! I'd like to see what happens and how your "business" progresses.

    I'd highly suggest that anyone thinking this is a good idea watch and see what comes of him. Let him make the mistakes. In my opinion, his "business plan" will fail. I hate to be a nay-sayer but that's the reality.

  5. #5
    Member squishyalt's Avatar
    Join Date
    Feb 2010
    Posts
    172


    Quote Originally Posted by theberries View Post
    You seemed determined, so I say Good for You! I'd like to see what happens and how your "business" progresses.

    I'd highly suggest that anyone thinking this is a good idea watch and see what comes of him. Let him make the mistakes. In my opinion, his "business plan" will fail. I hate to be a nay-sayer but that's the reality.
    While I certainly hope to enhance my business by introducing myself to more business owners, I would agree that others should wait and see what happens with me before pursuing this course of action themselves.

    I am desperate for new clients. It's grow or die time for my little business.

    Much like the extraordinary steps that the government is taking to help the economy by bailing out private businesses, I am taking extraordinary steps to get my business name out to more people in a way that (a) gets their attention and (b) hopefully makes them safer for the effort.

    That being said, anytime somebody breaks out of what is considered "normal" behavior, unintended consequences may be a result. All the more so when your "abnormal" behavior scares the living crap out of people by telling them their business IS operating an insecure wireless access point and that any teenager could hack into it in as little as 3 minutes.

    I expect a certain amount of blowback, but I also (?wrongly?) expect those that investigate my actions to do so in a civil, informed manner.

    Here's hoping that my SO and County PD understand enough about wireless access to know that I am legit and well within the laws in my area.

    Assuming I am not wrongfully jailed, I will post all of my attempts in this area here along with the results that I get so that others may learn from my experiences and (hopefully) add something to the mix that may make my (and others') attempts at spreading WAP security more successful.

  6. #6
    Member
    Join Date
    Jan 2008
    Posts
    194


    Outstanding...look forward to it

  7. #7
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    In my experience, IT people are very territorial, and you're potentially invading that territory by cold calling on those businesses.

    I know if you showed up at my place and pulled what you did at that Dentist's office, you'd have gotten an earful.

    I wouldn't be surprised if you get some angry phone calls from the IT staff that support those businesses. Whether the IT person did something right or wrong, I think your method is going to anger more people than it enlightens.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  8. #8
    Member squishyalt's Avatar
    Join Date
    Feb 2010
    Posts
    172


    Quote Originally Posted by streaker69 View Post
    In my experience, IT people are very territorial, and you're potentially invading that territory by cold calling on those businesses.

    I know if you showed up at my place and pulled what you did at that Dentist's office, you'd have gotten an earful.
    LOL.....

    Quote Originally Posted by streaker69 View Post
    I wouldn't be surprised if you get some angry phone calls from the IT staff that support those businesses. Whether the IT person did something right or wrong, I think your method is going to anger more people than it enlightens.
    Bring the lazy bastards on! If they screw with me, I'll have attorneys calling those businesses suggesting lawsuits against the IT people - and I'll testify against them.

    These lazy, ignorant, morons are putting the business at risk, clients at risk, patients at risk, children at risk (2 daycare centers, 1 school and 1 Autistic Society), and the owners of these businesses at GREAT risk!

    They want a piece of me? LOL!!! Bring it! I can hardly wait!

    If they aren't careful, the ensuing lawsuits will have the business names in the papers and then the personal lawsuits begin against the businesses by the patients, clients and parents. I won't even go into the irreparable damage that will be done to the reputations of these businesses and the ensuing financial disasters once these stories hit the papers.

    These so-called "I.T. people" had better tread lightly near me. I am in no mood for any foolishness.

  9. #9
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509


    Quote Originally Posted by squishyalt View Post
    LOL.....



    Bring the lazy bastards on! If they screw with me, I'll have attorneys calling those businesses suggesting lawsuits against the IT people - and I'll testify against them.

    These lazy, ignorant, morons are putting the business at risk, clients at risk, patients at risk, children at risk (2 daycare centers, 1 school and 1 Autistic Society), and the owners of these businesses at GREAT risk!

    They want a piece of me? LOL!!! Bring it! I can hardly wait!

    If they aren't careful, the ensuing lawsuits will have the business names in the papers and then the personal lawsuits begin against the businesses by the patients, clients and parents. I won't even go into the irreparable damage that will be done to the reputations of these businesses and the ensuing financial disasters once these stories hit the papers.

    These so-called "I.T. people" had better tread lightly near me. I am in no mood for any foolishness.
    What's with all the threatened lawsuits? I know lawyers who don't make threats of suits as often as you have. Every time a potential issue comes up, your reaction is "I'll sue!" Frankly, I think you'd have a hard time on the stand, as it would look like you're being vindictive to competitors for no reason except to steal their clients. On cross-examination, you just might find that your ass was handed back to you in tiny pieces.

    Competition is good, and showing a client why you're 'better than Brand X' is the foundation of competition, but siccing a lawyer on them because your methods are stepping on toes is a poor way to influence people and get more clients.

    One point about focusing on WEP and open access points, and it bears directly on the idea about the "lazy" IT people and the confrontation at the dentist's office: There are other methods to secure WLANs, and some aren't nearly as obvious as WEP or WPA.
    Thorn
    Stop the TSA now! Boycott the airlines.

  10. #10
    Member squishyalt's Avatar
    Join Date
    Feb 2010
    Posts
    172


    Quote Originally Posted by Thorn View Post
    What's with all the threatened lawsuits? I know lawyers who don't make threats of suits as often as you have. Every time a potential issue comes up, your reaction is "I'll sue!" Frankly, I think you'd have a hard time on the stand, as it would look like you're being vindictive to competitors for no reason except to steal their clients. On cross-examination, you just might find that your ass was handed back to you in tiny pieces.
    Anything is possible. Perhaps I should post a cleaned version of the latest flyer so that you guys can see that I am not simply stating that I am the only solution to their security problem.

    I clearly, and repeatedly, tell the reader to feel free to use anyone to double check what I am telling them - even Geek Squad.

    I am simply glad to help anyone make their wireless more secure.

    I do admit that even the idea that a lazy IT person who has placed many people and businesses at risk through their own incompetence would "give me an earful" pisses me off.

    HE or SHE puts a business, clients, patients and children at risk by allowing a WEP network and he or she would dare to lecture ME? Right.

    As far as lawsuits go, I'd sling more lawsuits than Waffle House slings waffles were people to attack me for trying to help others.

    Helping people with such a sensitive issue is hard enough without anyone adding to the mix. And, people that place businesses at risk by using a protocol that has been broken for at least 7 years and is not even a part of the current wireless specification SHOULD be held liable!

    It's IT malpractice, and it puts a lot of businesses and people at risk.

    Lawsuits are what people seem to understand most. Lawsuits also make sure that the matter becomes public record - not just my word against their word.

    If they attack me, they had better have their ducks in a row. I will not tolerate them dragging my name or the name of my business through the mud just because they are mad that I pointed out their lack of skill in protecting their clients.

    Remember, I am not doing this publicly. I give the flyers to (and talk to) only the business owner or office manager. If they are not there, I leave and go back later. This is a sensitive security issue and should be handled as discreetly as possible.


    Quote Originally Posted by Thorn View Post
    Competition is good, and showing a client why you're 'better than Brand X' is the foundation of competition, but siccing a lawyer on them because your methods are stepping on toes is a poor way to influence people and get more clients.
    Let me be clear about this... The only reason that I would sic a lawyer on anyone is to protect my and my business' reputations. I am not doing anything illegal or even immoral in pointing out the failure of these IT people (many times it is the small business owner him/herself) to safeguard the data at the businesses that they work for.

    If they were to attack my character or insinuate that I was wrong about the state of the business's wireless network in a public manner, I would address that publicly with a lawsuit. If they feel that I have done them harm by addressing this security issue in a private manner with the business owner or office manager, they are free to file suit against me anytime.

    Quote Originally Posted by Thorn View Post
    One point about focusing on WEP and open access points, and it bears directly on the idea about the "lazy" IT people and the confrontation at the dentist's office: There are other methods to secure WLANs, and some aren't nearly as obvious as WEP or WPA.
    True. Among other things, they may have a VPN lurking behind that WEP, but it is still insecure as you can exploit security holes in unpatched laptops, PCs, servers, etc. attached to the network if you can gain access to the first layer - the wireless access point.

    The first line of defense is to keep the data thieves off of your network. Ideally that would entail more than just WPA2. You'd want a VPN that not only verifies the clients, but also verifies the server to the client. And, yes, there are ways around this too.

    The thing here is...did the IT person on staff do due diligence in protecting the client? I am not expecting any IT person to be able to completely and totally secure a wireless network. It's like trying to keep a burglar out of a building. If the burglar is determined enough, and works at it long enough, s/he will get in.

    The people I fault are the people that don't set the alarm...the people that don't lock the door...the people that don't set the most secure available router settings while promoting themselves as a knowledgeable IT person.

    Everyone has to learn this stuff sometimes. If they truly didn't know, don't get mad at me, call me. Learn what I know. I'll gladly share if you ask. Then learn more than me, and chastise me when the opportunity arises.

    Hopefully I will be wise enough to ask you to teach me. And we will continue to grow together.

    I chose to address the WEP issue because it is so easy to hack, because 60% of the businesses in my area are running WEP and don't know about its flaws and because the fix is so damned simple.

    I wrote a 12 page manual for the local PD to show them what I do. In it I state that this is a VERY PRELIMINARY scan. It is not to be considered a full network scan or anything other than the detection of WEP use on a wireless access point.

    I do not go into that detail in the flyer as the flyer has one page to scare the business owner or office manager into taking action - be it with me, Geek Squad or anyone else. As long as they take action and take it now.

    I think I am going to wait until January 5, 2009 to continue the flyer campaign.

    It is Christmas time and people just are too preoccupied with all things shiny to pay attention to something as dreary as wireless security.

    It'd be nice for me to slow down and take a little break myself.
