Wireless accountability

Wireless insecurity has been in the press during the last week – the Sunday Times (March 6, 2005) spoke of a ‘virus epidemic’ threatening to wipe mobiles’ memories, while SC Magazine and Computing both report the astonishing absence of security in one third of the City’s wireless networks.

Why are there these failures?

OK, Cellphone “virus epidemic” is a bit of journalist panic-mongering; while Cellphone viruses have, indeed, been reported from a number of countries, there still aren’t a great many species (three, I think) and they still aren’t spreading terribly quickly – not 100,000 devices affected in 24 hours, but maybe 100 affected in a number of months. Sure, now’s a good time to be looking at Cellphone level anti-malware products, but it’s not yet time to panic.

Wireless, though, is a different matter. Who in the computer world doesn’t know that WiFi kit, out of the box, has no security configured? Who, in the computer world, thinks that security is important on the fixed network but not on (or for) mobile devices? Who is accountable for employing the computer ‘experts’ (the IT staff) who allow wireless laptops to be issued to staff – or, worse, allow wireless Access Points to be set up, without appropriate security?

You can sympathise with those employees who’ve taken with enthusiasm to the wireless world beyond their organization’s fixed perimeter: it’s great to not have the heavy-handed system administrator telling them what they can and can’t do. What is surprising is that sysadmins allow this state of affairs – or that their managers and executives turn a blind eye to it.

Because they are turning a blind eye, aren’t they? The alternative is that they’re just incompetent simply don’t know that wireless security is an issue, or that they’re supposed to do something about it.