Government wireless networks in San Francisco need a security upgrade, according to AirDefense, an Atlanta-based network security company. The firm released its San Francisco Wireless Security Vulnerability Survey in April, revealing a grim snapshot of the City by the Bay's wireless climate.
The survey analyzed wireless security in five categories - finance, government, retail, transportation and major corporations - and found 4,606 total access points (APs) in use for connecting wirelessly to these networks.
Government finished dead last with a D grade, according to the company. Transportation scored highest, earning a B-. Retail earned a C+, major corporations earned a C and finance earned a C-.
San Francisco government officials defended the security of their municipal networks, however, and questioned the accuracy of the company's grades.
"There's no indication of how an access point was identified as government as opposed to any of the other industry groups, or whether it was even associated with an industry rather than just a consumer's access point," said Brian Roberts, senior policy analyst for the Department of Telecommunications and Information Services in San Francisco consolidated government.
AirDefense graded each industry on five criteria:
- The number of APs without encryption or using the relatively weak Wireless Equivalent Privacy (WEP) encryption standard.
- The presence of probing laptops, which look for unencrypted wireless networks to assess how vulnerable they are to infiltration.
- The discovery of "rogue" APs, which often are set up by workers without authorization from their employers. They also can be deployed by hackers to gain entry into enterprise networks.
- The detection of data leakage, which can occur when organizations add wireless functionality onto existing wired networks.
- The number of APs set in the manufacturer's default mode instead of proper security configurations.
Of 1,209 total government access points discovered, 871 of them were unencrypted or used WEP, and had 47 percent traffic leakage over the network. By comparison, of 480 transportation APs discovered, 149 of them were unencrypted or encrypted with WEP, and had 52 percent data leakage.
AirDefense Chief Security Officer Richard Rushing conducted the survey in March by taking two trips to San Francisco that lasted seven days total. Rushing went up and down streets with equipment -- including a laptop, small antenna, portable hard drive and some storage media -- to test wireless networks. He never entered any buildings or questioned anyone about networks, and no one was the wiser, which was his point.
"You could sit on a park bench and open up a laptop in San Francisco and no one would look at you funny," said Rushing.
However, the report discloses data only on unencrypted/WEP APs in use in the industries and data leakage. It does not clearly specify how many rogue APs were found for each industry or which were in default mode. It also does not indicate how industries were catagorized. For example, public transportation would be a government agency, but AirDefense puts government and transportation in separate categories without specifying if a category overlap exists.
The report also offers no distinction between different government levels, so readers can't tell how security in the consolidated city and county of San Francisco compares with that of state or federal facilities operating in the San Francisco Bay Area. Roberts said wireless security in the city/county government is healthy because the jurisdiction has taken a cautious approach.
Rushing called government "kind of a latecomer to the wireless party." He said agencies need more distinct policies in place with enforcement capabilities in order to raise the level of protection. More oversight would mean more motivation to improve. Additionally, nongovernment industries have usually had wireless in place longer, so they've had longer to strengthen their networks.
AirDefense released the survey two days before the 2008 RSA Conference, scheduled for April 7-11 at San Francisco's Moscone Center. The event is an international security conference and expo.