[Infowarrior] - N.Y. county mandates wireless security

Sun Apr 23 12:12:24 EDT 2006

 N.Y. county mandates wireless security

Friday, April 21, 2006; Posted: 3:26 p.m. EDT (19:26 GMT)

http://www.cnn.com/2006/TECH/internet/04/21/wireless.security.ap/index.html

WHITE PLAINS, New York (AP) -- New York's Westchester County has enacted a
law designed to limit identity theft by forcing local businesses to install
basic security measures for any wireless network that stores customers'
credit card numbers or other financial information.

The law also requires that businesses offering Internet access --
coffeehouses and hotels, for example -- post signs warning that users should
have firewalls or other security measures.

As he signed the bill, County Executive Andrew Spano said the county had
been unable to find any law like it in the country and had received
inquiries about the legislation from other states and from Great Britain,
South Korea and the Czech Republic.

"There are many unsecured wireless networks out there, and any malicious
individual with even minimal technical competence would have no trouble
accessing information that should be kept confidential," Spano said.

"It would be nice if these businesses took the necessary steps on their own
to ensure their networks were kept secure, but the sad fact is that many
don't."

All computers connected to the Internet and other networks are potentially
vulnerable, but wireless networks are especially troublesome because a
hacker can easily grab data traveling through the air.

Experts warned that the law would not fully protect anyone from dedicated
hackers but acknowledged it could raise awareness of the vulnerabilities
inherent in wireless technology.

Bruce Schneier, chief technical officer of Counterpane Internet Security
Inc., said laws like Westchester's are probably helpful "because the
information companies have on their networks is more valuable to you than it
is to them and the law gives them an incentive" to protect it.
No 'silver bullet'

"But it's not going to stop identity theft," he added.

Andrew Neuman, a senior assistant to Spano, said, "We know this is not a
silver bullet. But deterring amateur hackers from the easiest targets is a
step in the right direction."

A primary component is public awareness, he said.

"We believe companies and businesses will welcome these requirements once
they realize what's at stake," he said.

Spano said businesses will also find that "this is an easy way to avoid that
public relations disaster that comes when companies find out their
customers' information has been stolen."

The law requires each business to install a firewall or change the default
SSID, the name that identifies a wireless network, if the personal
information stored has not already been encrypted. Penalties would range
from a warning on first offense to a $500 fine on third offense.

Norman Jacknis, the county's chief information officer, said that when the
law was being considered officials detected 248 wireless networks during a
20-minute drive through downtown White Plains. Nearly half had no visible
security.

Some of the unprotected networks were at cafes, hotels or other
establishments that offer wireless hot spots to patrons. Other networks,
like those at Starbucks, were protected.

The signs that are to go up at such places will say, "For your own
protection and privacy, you are advised to install a firewall or other
computer security measure when accessing the Internet."

Jacknis said easily available firewalls would protect credit card
transactions, for example, from being detected by a hacker posted outside a
dry cleaner that uses a wireless network.

At most, he said, installing firewall protection -- or just turning on the
encryption and other security measures available with the hardware -- would
take an hour of a consultant's time.

Frank Hanzlik, managing director of the Wi-Fi Alliance, which certifies
wireless products, said, "We're very much in favor of strong security.
Security is just something that people expect, whether it's a phone call
they're making on a wired network, a call they're making over a cellular
network or an e-mail that they're transmitting via a Wi-Fi network. It's a
basic capability that everybody expects."

The law takes effect in October 2006.