ZDNet Australia recently discovered the extent of the threat on a wardriving mission with Jason Edelstein, principal consultant for IT consultancy Sense of Security.
Having demonstrated the ease with which wireless LANs are detected through a technique known as wardriving, Edelstein pointed out that many companies were putting themselves at risk unnecessarily, by failing to take simple measures to prevent wireless hackers from gaining access to their data.
-Many of the systems are easily detected using readily available, affordable software, and don't even have the default encryption turned on," Edelstein said. He pointed out, however, that the vendor default encryption was by no means desirable as the keys were easily obtained by people in the industry. -If you can find out who the manufacturer is, it is easy to see into the network if the default encryption is used."
-It is easy enough to park alongside a building and use their wireless network to download information," he added.
While an encryption standard called Wired Equivalent Privacy (WEP) was created by the IEEE (Institute of Electrical and Electronics Engineers) with the release of the 802.11b wireless LANs standards, it is broadly recognised as easily broken and ineffectual.
Similarly Daniel Lewkovitz, senior consultant with IT security firm CMG, expressed concern regarding the proliferation of poorly protected wireless LANs in Australia.
-Some people say having WEP turned off is like waving a red rag to a bull," Lewkovitz said. -But it is important to use several layers of protection. Turn the encryption on, authenticate anyone coming onto the network and segregate the wireless access point. It is like having a steel gate and a balsawood door protecting your house, you are better off if both are closed and locked."
I believe that war driving is in contravention of
Part VIA of the Crimes Act 1914 punishable by 10 years in prison.
76C. Damaging data in Commonwealth and other computers
A person who intentionally and without authority or lawful excuse:
(a) destroys, erases or alters data stored in, or inserts data into, a Commonwealth computer;
(b) interferes with, or interrupts or obstructs the lawful use of, a Commonwealth computer;
(c) destroys, erases, alters or adds to data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer; or
(d) impedes or prevents access to, or impairs the usefulness or effectiveness of, data stored in a Commonwealth computer or data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer;
is guilty of an offence.
Penalty: Imprisonment for 10 years.