Opinion: are scare stories really good for the WLAN business?

by Guy Kewney | posted on 06 June 2003


Stop me if you've heard this before: "Despite recent media attention, European businesses are continuing to invite cyber attacks from hackers and crackers by failing to secure their wireless computer networks."

It's from a press release by Orthus: "A survey conducted at the WLAN Event, Europe's only dedicated wireless LAN exhibition found that 50% of companies surveyed don't even require their WLANs to be password protected."

The survey is here on NewsWireless.net.

You can't fault Orthus for effort - or for spotting a publicity opportunity.

Indeed, the report is not without interest - or we wouldn't have printed it here. They report that they "personally interviewed over 300 CEOs, MDs and IT, Finance and Security Directors representing hundreds of European businesses attending the event," which sounds like pretty dedicated hard work. "And the results of the survey were surprising considering the amount of media attention recently given to the issue of wireless security," continues the announcement.

Well, actually ... was it surprising?

I'll confess, I felt a sense of déjà vu, and at first I wondered whether the typical reaction to this sort of survey really is what Orthus hopes for. I know my own reaction is usually quite negative. I found myself thinking: "Trying to whip up business by running scare stories - again!"

This negative reaction isn't because I think Orthus is in any way falling short of its own standards - which I know are rigorous. I believe the firm to be a competent group, with genuine expertise. And yet, when the report arrived for publication, I had qualms.

The fact that the release contained silly typos isn't important, probably. It really isn't a big deal that the introduction starts off by saying "37% of companies surveyed wouldn't even know if their Wireless networks were comprimised." The odd "grocer's apostrophe" is forgivable in a rapidly prepared summary of a big survey, and "Orthus wireless security engineers personally interviewed over 300 CEO's, MD's" is the sort of thing that can easily slip through. It's not the end of the world if it refers to people who don't want to "loose" information which is exposed by lax security - we all have occasions where the finger slips on the keyboard.

But isn't there a credibility problem, here? Not the spelling, but the approach to security?

If someone comes up to you and says: "You're going to Hell; but I'm party to a religious secret which can save you!" do you believe them? If someone sends you unsolicited email saying that you can earn $5,000 a week from home using your computer - if you buy some software from them - are you convinced? Or do you feel cynical?

Increasingly, my own reaction is cynical.

The first thing to do when considering security is to conduct a risk assessment. Most of us do this instinctively - and often, our instinct is badly wrong. Human beings - you and me - are really poor judges of statistics - otherwise, would betting shops rake in as much money as they do? Hardly! And yet, when it comes to security, sometimes, our instinct is that the risk is pretty small, and often, we're dead right.

Consultant Martin Cook put it well, in a presentation for Cisco, recently: "There are people who genuinely have liabilities, and for whom any possible security breach has to be sealed off. But in reality, the vast bulk of people who use networks are pretty safe with minimal security."

Cisco certainly does care about security - a lot! It is betting its future on becoming the central supplier of wireless security, taking a leading role in that market. But Cisco staff know that in reality, nobody is going to be interested in snooping the wireless packets of most corporations.

The sort of "recent media attention" which Orthus highlights in its report is, largely, pure hype. It talks about privateer security people doing a war-driving journey through San Francisco or Boston or Berlin or London, and how many "open" networks they find; it talks about parking in a car lot and "cracking the WEP key" of some access point. And finding ... what, exactly? Oddly, this never seems to be mentioned.

Some of what they find is a commercial opportunity, of course. "I broke into your web site, Mr Businessman; I can stop someone else from doing this for $2,000 a week."

But I suspect this is because the bulk of what they find is dross. It's tedious detail of no interest or concern to anybody outside. Annual holiday schedules for the staff of a soft drinks company. Delivery routes for warehouse distribution drivers. Stock levels, re-order information, phone numbers of customers, and (mostly) PowerPoint presentations of interminable length, which death alone can end. Oh, and emails. "I can't make next Tuesday's meeting, for the following feeble excuse reasons." Or: "You are an insubordinate weasel and will be promoted."

The fact is, if I want to find out the secrets of a big corporation, there are far easier and deadlier ways of getting them than trying to access their servers. Frankly, the Web is a far more potent weapon in reaching them than hacking a wireless LAN; and even more effective, usually, is ringing them up and asking.

As a journalist, I'm occasionally required to compromise the security of large corporations. It's really not hard, if it matters enough: you ring their partners in firms that do business with them, and chat. Actually, my own experience is that their rivals are usually the first to know what the Board of a company is planning - long before the company's own middle management finds out.

For someone keeping medical records, security isn't just important, it's the law. For the typical wireless network operator, it's probably worth turning WEP on, and preventing the network from broadcasting its SSID. It certainly can't hurt.

But in most cases, my personal judgement would be that the risks taken are too small to be detected. The network may be open, but there are no jewels to be stolen there. My guess is that if you gave the whole Internet access to all your corporate data, you'd find the number of Web hits you'd get would hardly rival a web-cam showing a sleeping cat.

Pretty soon, I suspect reports like this will simply stop being effective as a way of drumming up business for security consultants. It's not yet quite the same as "crying wolf" - but it's getting there.
