WIRELESS DEVICES INCREASE HACKER RISK, SAYS SECURITY SPECIALIST
‘Friendly attacks’ show most of corporate South Africa is vulnerable to potentially devastating network invasions. Banks, financial institutions and other large businesses are running a continual risk of confidential data being intercepted because their corporate networks are being compromised by portable devices.
Security experts conducting controlled "friendly attacks" on wireless networks have intercepted sensitive data from 66% of banks, 60% of financial services institutions, 79% of technology companies and 100% of the educational institutions tested. Once the "portable hackers" had hooked onto those networks, they could also read and manipulate all incoming and outgoing e-mail.
The attacks were carried out by wireless security specialist Red-M, which picked on 100 companies in London, Johannesburg and other major cities.
"These banks are sharing confidential customer information with anyone who cares to tune in to their airwaves," Red-M CEO Karl Feilder said last week. On tests that excluded food and beverage companies, every company "hacked" was vulnerable.
Fortunately, Red-M could not name local victims without falling foul of SA’s Interception and Monitoring Prohibition Act of 1992, which prohibits disclosure of such sensitive information. This act will soon be replaced by the Interception of Communications and Provision of Communication Related Information Act. The new act may permit such information to be made public in the interest of national security or crime prevention.
Feilder said that if the new act had been promulgated, he would have named the companies, as it could be argued that shaming them into tightening up their network security was a public duty.
"There is nothing to stop criminals doing the same thing that we have done," he said. "People can access banking records and see all kinds of documents, or at an airport they could access the baggage handling records , and that is a matter of national security."
Feilder said businesses routinely transmitted internal data beyond their physical walls. A hacker working up to 100m away on a laptop with wireless technology and inexpensive software could easily wreak havoc with stolen information.
"The ease and speed with which a determined hacker could intercept and manipulate e-mail is extremely dangerous," Feilder said. "We’ve demonstrated how a wireless intruder would be able to respond to an individual’s e-mail as if he were that person."
Feilder said that once in your e-mail, a hacker could "do anything he wanted, such as hiring and firing staff, requesting confidential files and sharing them with anyone in your address book, exposing sensitive company information, and stealing sales data and sharing it with competitors".
The security flaw was caused by wireless devices because wireless transmissions were not restrained by physical walls, he said. Most companies should presume that wireless devices were operating on their premises if they used notebook computers and cellphones.
Feilder warned that South African companies had a false sense of security, believing they were safe if they had not deliberately installed wireless networks.
"Every wireless notebook represents a danger to the security of a computer network. Corporate SA is running a very high risk, and company directors may become personally liable for this threat," he said.
"Our survey shows that no one is safe unless they’ve implemented specific wireless security measures." So far only 20% of the companies surveyed had implemented even rudimentary security measures.