From: Norm Jacknis <norm@jacknis.com>
Date: Thu Apr 20 2006 - 23:07:40 EDT


-----Original Message-----
From: Josef Sachs [mailto:sachs@cyb.org]
Sent: Thursday, April 20, 2006 7:57 PM

For the WATPA mailing list, in case you haven't already seen it.
<URL: http://www.westchestergov.com/currentnews/2006pr/Wifinew.htm>

April 20, 2006

 <http://www.westchestergov.com/idtheft> FIND OUT MORE ABOUT WI-FI ON THE

Law signed by Spano is first of its kind in the U.S.

A groundbreaking proposal requiring local businesses to secure their
wireless networks to protect their customers against identity theft and
other computer fraud has just become law.

County Executive Andy Spano signed a bill into law today that mandates
commercial businesses that offer public Internet access and/or maintain
personal information on a wireless network to take "minimum security
measures." The Board of Legislators passed the bill unanimously on April 10.

The law, which appears to be the first of its kind in the U.S. (and perhaps
the world), applies to all commercial businesses that collect personal
customer information such as social security numbers, credit card or bank
account information, and also have a wireless network. In addition,
businesses that offer public Internet access must also "conspicuously post a
sign" advising customers to "install a firewall or other computer security
measure when accessing the Internet."

"We know there are many unsecured wireless networks out there, and any
malicious individual with even minimal technical competence would have no
trouble accessing information that should be kept confidential," Spano said.
"It would be nice if these businesses took the necessary steps on their own
to ensure their networks were kept secure, but the sad fact is that many
don't. That's why we're taking it one step further and making it a law."

As part of the new law, the County has also published a new brochure and
website (www.westchestergov.com/idtheft) to educate consumers about how to
prevent identity theft. The brochure, which is also posted on the website
and will be distributed to local business organizations, outlines five basic
steps that even non-technical users can take to make a wireless network more

"Internet cafes are a part of an increasingly mobile marketplace and this
will help create a safer environment for people conducting their personal
business on the go," said Legislator Clinton I. Young, Jr., whose Committee
on Legislation reviewed the new law. "Businesses will also begin to realize
how vulnerable their networks can be if not secured and go one step further
in protecting their customers."

When the law was being proposed last fall, a team from the Department of
Information Technology showed how easy it was to find vulnerable networks by
taking a drive through downtown White Plains. Using a laptop computer
equipped with easily available software, they came across 248 wireless hot
spots in less than half an hour. Out of those, 120, or almost half, lacked
any visible security at all. Many users failed to even provide a name for
their network, instead using the standard name used as a default in the
product. This clearly marked them as a potential target to hackers.

"While we stopped short of hacking into anyone's private network, others
might not be as considerate," Spano said. "Someone sitting in a car across
the street or in a nearby building could invade any of these networks and
steal unprotected confidential information."

As the law reads, it requires "any commercial business that stores, utilizes
or otherwise maintains personal information electronically" to take minimum
security measures to "secure and prevent unauthorized (wireless) access to
all such information." Security measures can be as simple as installing a
network firewall, changing the system's default SSID (network name) or
disabling SSID broadcasting - all of which can be achieved with minimal
effort and little or no additional cost to the system operator.

For example, a retail establishment that uses a wireless network to process
credit card transactions could install a firewall, one of the easiest and
least expensive ways to guard a network from attack.

The law will be enforced by the Department of Consumer Protection's Division
of Weights and Measures. A first violation will result in a warning giving
the offender 30 days to remedy the situation. A second violation will result
in a $250 fine and any further violations will mean a $500 fine.

The law, which will go into effect 180 days after the signing, doesn't apply
to individual home users.

In a related effort, but taking another tack in combating computer crime,
the Department of Public Safety recently created the state's first
accredited Digital Crime and Investigation Unit. Two investigators are now
dedicated to searching the Internet for "techy criminals" involved in
identity theft, fraud (phishing), pedophilia and cyberbullying. The unit
will also recover digital evidence that can be used by prosecutors in
seeking convictions.

Received on Thu Apr 20 23:16:10 2006
