Four chains, four Wi-Fi pay policies: CIO magazine looks at Borders, McDonald's, Panera, and Starbucks, and how they're offering Wi-Fi. I'd like to suggest you read this article, but the author writes, "Right now, according to Hotspot Locations, there are more than 33,000 WLAN hotspots worldwide, and more than 10,000 in the United States alone." I don't know who "Hotspot Locations" is, and I need to disclose that I have a financial interest in what must be their competitor, JiWire, but any hotspot finder that calls them "WLAN Hotspots" and reports 11,712 in the U.S. and 33,106 worldwide just isn't working very hard. JiWire lists over 230,000 hotspots worldwide, and notes over 60,000 in the U.S., while Boingo and iPass each resell access to over 100,000 hotspots worldwide.

Up, up, and away in my beautiful, my beautiful warballoon: Defcon hackers deployed a balloon with Wi-Fi receivers on it 150 feet in the air to scan for network vulnerabilities in Las Vegas last week. They found 1/3rd of networks had no encryption--although I always wonder if they're using passive scanning where 802.1X allows a limited connection for authentication and appears "open" in some ways, or if they were actively scanning, in which case 802.1X networks would be unavailable.

Cincinnati Metro service has Wi-Fi on 20 buses: The free service supplied by AT&T in an ads-for-access deal with the authority was placed after a couple years of testing on a relatively long commuter run. The authority spends $15,000 per bus to setup a connection, which seems rather pricey. Other authorities are paying in the low thousands, from what I've seen, so I'm not sure what their particular case is.

This new remote WiFi attack is particularly timely as a new indictment of 11 for ID theft of over 100 Million credit cards (watch video to see Veracode’s CEO) was handed down this week.  Guess how they got in?  They used War Driving to get on insecure internal WiFi networks and then used the internal access to install sniffing software.  The attackers were mostly from foriegn countries and the companies attacked in the US.  So at some point someone must have been in the country to physically scan the networks. 

David Maynor’s WarShipping trick solves this “need to be there” problem  to do wireless attacks.  Why travel and risk being physically apprehended when you can just mail a package with a WiFi and WAN enabled device and just hack remotely? 

We will have to see how insecure these businesses that need to be PCI compliant are now that this massive WiFi attack has been made public.  I find it takes a widely publicized attack of your organization or a close peer to actually get many security problems fixed.  I bet some retailer’s IT departments started scambling after this was made public.

Attackers like to keep updating their methods just ahead of compliance requirements.  Sometimes I think that becoming compliant is protecting yourself from last year’s attack due to the lag time between attacks becoming prevelant, compliance standards changing, and then organizations making security updates to meet complaince.

With application security we may already be a little behind.  PCI requirement 6.6 kicked in June 2008 and requires organizations handling credit card data to audit their applications for the vulnerability classes outlined in OWASP Top Ten 2004 (yes, note the lag time).  I fear a 100 Million ID theft scale compromise is still looming using application security attacks.

This new remote WiFi attack is particularly timely as a new indictment of 11 for ID theft of over 100 Million credit cards (watch video to see Veracode’s CEO) was handed down this week. Guess how they got in? They used War Driving to get on insecure internal WiFi networks and then used the internal access to install sniffing software. The attackers were mostly from foriegn countries and the companies attacked in the US. So at some point someone must have been in the country to physically scan the networks.

David Maynor’s WarShipping trick solves this “need to be there” problem to do wireless attacks. Why travel and risk being physically apprehended when you can just mail a package with a WiFi and WAN enabled device and just hack remotely?

We will have to see how insecure these businesses that need to be PCI compliant are now that this massive WiFi attack has been made public. I find it takes a widely publicized attack of your organization or a close peer to actually get many security problems fixed. I bet some retailer’s IT departments started scambling after this was made public.

Attackers like to keep updating their methods just ahead of compliance requirements. Sometimes I think that becoming compliant is protecting yourself from last year’s attack due to the lag time between attacks becoming prevelant, compliance standards changing, and then organizations making security updates to meet complaince.

With application security we may already be a little behind. PCI requirement 6.6 kicked in June 2008 and requires organizations handling credit card data to audit their applications for the vulnerability classes outlined in OWASP Top Ten 2004 (yes, note the lag time). I fear a 100 Million ID theft scale compromise is still looming using application security attacks.

ScienceLogic: Mike, what’s your background working with network and management system tools?

Mike Lawson: Before joining Apptis, I worked for the Air Force, mainly in satellite communications for almost nine years. I’m probably most familiar with HP OpenView and BMC Remedy. I managed a team that used them but wasn’t involved in tool selection; like many other federal IT workers, we didn’t have a choice of tools because there were existing enterprise licenses and maintenance contracts.

I also saw a large systems integrator do a full Remedy/Crystal Systems/OpenView installation. It took 6 weeks to stand up and customize to meet just the basic monitoring requirements, and it cost something like half a million dollars. At the time, I thought that wasn’t bad and was a pretty typical experience.

ScienceLogic: Coming from where you did, what’s your take on EM7?

Mike Lawson: Honestly, I didn’t believe that EM7 could really do all that it claimed. In many ways, it was the complete opposite of what I had seen first-hand with other monitoring solutions. Could it really cover that much functionality? At relatively much lower cost to the customer and without the licensing nightmare?

That quickly changed when I needed to understand the system enough to run it at a customer’s site. I went back over the training docs I received during my initial training class and jumped in; now, 6 months later, I’m the EM7 expert and can tell you that it delivers on all those promises. (But I still need to show people to get them to believe it too)

I preach the “EM7 gospel” and when anyone wants to talk monitoring, I ask about the universal pain points: cost, maintenance contracts and licensing, and then I explain EM7. The cost difference is real; the solution is based on capacity, so there’s no licensing and it’s easy to use. They are shocked to learn that they can buy multiple EM7 appliances and years of maintenance for what they paid for most other tools.

ScienceLogic: Apptis won the contract for monitoring aboard the USNS Mercy. We love that you’re using EM7 for one of the Navy’s hospital ships. Can you tell us more?

Mike Lawson: The USNS Mercy is a Military Sealift Command hospital ship. Some stats:

• 849 feet long (nearly the size of a football field)
• 12 fully-equipped operating rooms, a 1,000 bed hospital facility, digital radiological services, a diagnostic and clinical laboratory, a pharmacy, an optometry lab, a CAT scan and two oxygen producing plants
• Crew: 61 civilian mariners, 956 Naval medical staff, and 259 Naval support staff

The USNS recently departed on a five-month humanitarian mission in the Western Pacific and Southeast Asia in support of Pacific Partnership 2008. The partnership provides international medical, dental and engineering teams this summer to provide humanitarian support and conduct joint, combined, and cooperative Civil-Military Operations in order to improve regional stability and build partner capacity to respond to natural disasters and pandemic.

For the most part, the ship’s network is self-contained, but can also use a landline when docked. The network covers 400 devices, including Windows/Exchange servers and VMware for server virtualization. Prior to using EM7, none of the monitoring was integrated; each system was independently monitored through individual vendor-specific consoles.

Out of the box, EM7 provided integrated systems, application and network management for all network gear, applications and virtual machines in one solution. We didn’t have to do a lot of customization – EM7 includes best-practice based thresholds, event and monitoring templates and this covered what USNS Mercy needed to monitor.

ScienceLogic: You’re a systems integrator with a very useful “customer point of view” when it comes to looking at tools. From that perspective, can you share what you think are the biggest benefits that EM7 provides?

Mike Lawson: First of all, EM7 stands up right away. We’re talking days, not weeks. In contrast to the lengthy installation of OpenView and Remedy I witnessed during my military career, I was able to configure, customize, and implement the EM7 solution for the USNS Mercy in three days.

Second, it’s easy to train people on and the support is outstanding. This judgment is from first-hand experience. Right before the USNS Mercy departed on its latest voyage, the system administrator I had trained on EM7 left, so I had all of a day to train some new EM7 admins. I prepared a seven-page “cheat sheet” and over a 3-hour conference call, we walked through the entire EM7 solution; I haven’t gotten a support call since.

And when a problem did crop up with a device being discovered incorrectly, ScienceLogic was very responsive. We contacted ScienceLogic support on a Saturday and they created and emailed us a video to help troubleshoot the same day. Within 30 seconds of watching the video, the problem was resolved.

Finally, EM7 helps us be good stewards of the government’s money. This is very important to me personally and to Apptis as a company. Because EM7 is cheaper and deploys so quickly and easily, you might think that it’s just the opposite of what a system integrator would want to use. But that’s short-term thinking. We believe in deliver the most value for customers every time. It’s what creates trust and long-term relationships with our customers. Instead of that half million spent on standing up the solution and basic setup, I’d much rather (and I know the customer would rather) spend that on fine-tuning or extending the solution to do much, much more.

As a former government employee, I know what it’s like to use a tool that doesn’t fit my needs. EM7 proves that the best solution can totally break the old model of costly, lengthy installations. EM7 has the right model: the right solution and the right price delivered as an appliance that is easy to deploy, train on and use.

ShareThis