No Online Headline

Computerworld - White-hat hackers last week discovered vulnerabilities in the wireless networks of two major retailers—holes that they claimed exposed data that appeared to include customer information.

On May 1, an anonymous hacker posted a message on an online security mailing list stating that he had discovered holes in the wireless LANs operated by Best Buy Co. Later that day, Jonas Luster, co-founder of security consultancy D-fensive Networks Inc. in Campbell, Calif., told Computerworld that he had conducted a test of networks operated by a San Jose outlet of The Home Depot Inc. and found similar vulnerabilities.

Best Buy said it shut down its wireless LANs shortly after the initial report surfaced. The San Jose Home Depot network, which Luster said exposed what appeared to be SQL database queries, shut down May 2, he said.

Don Harris, a Home Depot spokesman, declined to say whether the company had turned off its wireless LAN in the San Jose store.

Spokeswoman Jennifer Bohuslavsky said Eden Prairie, Minn.-based Best Buy on May 1 deactivated its "wireless temporary cash registers," which transmit information via a wireless LAN connection. "These registers are not Best Buy's main register terminals and represent a small percentage of our transactions," she said.

Bohuslavsky declined to provide any security or deployment details on the wireless network used by Best Buy throughout its 480 stores.

Dave Ellis, vice president for information systems at Atlanta-based Home Depot, sharply denied a published report that hackers had captured data from wireless point-of-sale terminals or cash registers in any of the company's 1,200-plus stores. "That dog does not hunt," Ellis said. "All our registers are hard-wired."

Ellis declined to discuss Home Depot's wireless LAN security or whether white-hat hackers could have penetrated its wireless network.

John Pescatore, an analyst at Gartner Inc., said the fact that someone was able to sniff data from a Best Buy wireless LAN indicated to him that the company hadn't turned on the simplest form of security available on any 802.11b wireless LAN: encryption based on the Wired Equivalent Privacy (WEP) protocol. Not turning on WEP is "just stupid," Pescatore said.

Dennis Eaton, chairman of the Wireless Ethernet Compatibility Alliance, a wireless LAN industry group in Mountain View, Calif., said that, in fact, most users fail to turn on WEP, despite widespread publicity about the inherent lack of security in wireless LANs.

Rick Doten, a program manager at security consultant NetSec Inc. in Herndon, Va., said that only 30% to 40% of enterprises turn on WEP, though some companies run more powerful forms of encryption.