A reader who will remain anonymous (he can out himself if he wishes) sent me an interesting observation. He was in his doctor’s office last week, and out of curiosity, he ran a wifi scanner on his phone just to see what networks were available and how they were secured.
What he saw wasn’t pretty. Especially considering he was in a building full of doctors, lawyers, and financial advisors.
He saw 11 networks, total. Of those, 4 networks were straight-up WEP. One was WPA2, but had WPS enabled. One was straight WPA, and two were dual WPA/WPA2.
Only 3 of the 11 were WPA2 without WPS, which is the textbook way to configure a network securely. Five of the 11 networks were configured in such a way that someone could break them easily, using known vulnerabilities.
I don’t think I’d fire my doctor over that. An attorney? It depends, but I’d certainly want my estate attorney to have a secure network. And I wouldn’t hesitate to change financial advisors over such a thing. After all, these professionals have a lot of your information, and if someone were to steal that information via their networks, you’d have a big mess to clean up, and you may very well never know where the perpetrators stole the information. The only way to fix it is to raise awareness. And asking the question is the first step toward raising awareness.
Securing a wi-fi network took 30 minutes the last time I did it.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
I did some computer work for a doctor friend of mine a few years work. When I told him that he had a completely open and unprotected wireless network, he insisted that he did not, even after showing him. After a bit of investigative work we tracked it down to his network closet. Apparently he had upgraded his old wireless router to a newer one, but no one had turned the old one off.
I also found that he was renting three servers, one of which wasn’t even powered on and the other two using about 5% of their resources. My friend was definitely getting some bad advice from a “friend of a friend” who had turned him on to a fairly crooked IT group. We got things straightened out eventually.