What retail wireless security?
TJX has plenty of company in the blithe-indifference pool
Computerworld - TJX may be in a class all by itself in terms of the number of records compromised in a data breach. But the retailer apparently has plenty of company when it comes to wireless security issues of the sort that led to the compromise it disclosed earlier this year.
A survey of over 3,000 retail stores in several major U.S. cities by wireless security vendor AirDefense Inc. reveals that a large number of retailers are failing to take even the most rudimentary steps for protecting customer data from wireless compromises.
Among the biggest issues: weakly protected client devices, wrongly configured wireless access points inside stores, data leakage, poorly named network identifiers, and outdated access-point firmware.
According to AirDefense, about 85% of the 2,500 wireless devices that it discovered in retail stores, such as laptops and barcode scanners, were vulnerable to wireless hacks. Out of the 4,748 access points that were monitored for the survey, about 550 had poorly named SSIDs that could give away the store's identity.
"One thing we did not expect was the large number of point-of-sale devices that looked as if they had been turned on" and left in essentially the configuration in which they arrived at the store, said Richard Rushing, chief security officer at AirDefense . Many of the access IDs that were being used by retailers had names that were dead giveaways, such as 'retail wireless', 'POS WiFi' or 'store number 1234'," Rushing said. "I can guarantee that all of these stores were also using default configurations" on their access points, he said. "You really are knocking at the doors of hackers," with such weak security practices, he said.
About 25% of the access points that were monitored used no encryption at all. In total, of the 3,000 stores monitored, about a quarter of them were still using the Wired Equivalent Privacy (WEP) protocol for encrypting traffic. WEP is considered to be among the weakest of the encryption options available today and was the standard in use by TJX when it was first breached.
In at least a few cases, Rushing said, stores were using legacy protocols that many companies have stopped using for some time now. Among such legacy protocols were Novell's IPX, Banyan Vines and IBM's SNA , he said, "This is stuff we simply did not expect," he said. "Some of this has been banished from corporations for years," he added.
The findings in the AirDefense survey are not at all surprising, even if they're from a vendor that sells wireless security products, said Avivah Litan, an analyst with Gartner Inc. in Stamford, Conn.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- Pragmatic Endpoint Management: Empowering an SMB Workforce in the Age of Mobility Lacking the time for proper training and education, SMB administrators often resort to taking shortcuts to keep their environment running.This paper discusses the...
- Infographic: Converged Infrastructure Benefits This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Endpoint Security White Papers | Webcasts