Best practices for the worst WLAN security

Security-conscious attendees at Computerworld's Mobile & Wireless World conference Monday heard a new twist on an old theme: the 10 things not to do when implementing a wireless LAN.

The hard-learned lessons came at the expense of an unnamed national retail chain with more than 1,000 stores whose sorry story was detailed by John Stehman, a consultant at Robert Frances Group Inc. "We're going to talk about ineptness," Stehman said. And then he delivered.

The retailer, from one seemingly innocuous misstep to another, ended up victimized by security breaches that included fake store Web sites set up by hackers to capture customer account information. "The goals were good," Stehman said, noting that the company wanted to offer wireless access for customers looking to shop from the parking lot and within the store, access to inventory control for employees and access to the corporate intranet.

At first, the WLAN seemed okay. "It came up and it worked," he said. But then, "somebody threw a monkey-wrench into the works. From the get-go, it was doomed."

A year after the project was implemented, frustrated users who didn't know how to configure security options couldn't access the network, denial-of-service attacks had crippled communications, and "untold sums of money were lost," Stehman said. "We're talking big bucks."

Also, he noted, the company's director of IT was looking for a new job after being fired.