E-business firms' doors are left open to hackers at show

IT suppliers specialising in e-commerce failed to take basic precautions to secure their own wireless networks at a major Internet technology show in London, Computer Weekly has discovered.

The suppliers, which work on security-sensitive Internet systems for major user organisations, left their own networks wide open to attacks from hackers as they exhibited at the high-profile trade show, Internet World.

Suppliers' wireless networks were openly broadcasting supposedly secure access details, had their encryption turned off, or were operating on the manufacturer's insecure default settings, a Computer Weekly survey shows.

The findings will prove embarrassing for exhibitors, particularly those that gave presentations during three days of seminars on Internet security at the show, described as the UK's definitive Internet business event.

A researcher, posing as one of 18,000 visitors to the exhibition, collected data from the exhibitors' wireless networks using a Compaq personal digital assistant (PDA) fitted with a wireless card, and free software from the Internet. The PDA identified 49 wireless devices, of which 32 were not using encryption, 31 were broadcasting an identifiable access name, and four had been left to operate on default settings.

Security experts who examined Computer Weekly's research said they were shocked by the findings.

Guven Bayram, security engineer at consultants Orthus, said, "When you have companies providing Internet and, in some cases, security services you would expect and hope they would engage in best practice.

"They are having to set up something quickly for an exhibition but that is not an excuse. The argument that it is only a conference does not give me a warm feeling. What happens in the real world when you want to get something quickly for your customer - do you ignore security?" Bayram asked.

Several companies broke one of the first rules of wireless security by using their own company name as the service set identifier (SSID) on their wireless networks.

A hacker with a laptop or a PDA could have used this information to hack into their systems, particularly those lacking encryption, with a minimum of effort, said Orthus.

Other suppliers used wireless networks that were set to the manufacturers' default settings, a good indication that they were also using default passwords, which would provide an easy access route for hackers.

Even those firms using wireless network encryption are not invulnerable - a determined hacker could break the encryption using freely available packages from the Internet, by collecting data packets over the three days of the exhibition.
