By Wendy Brown
The New Mexican
December 26, 2006

A Santa Fe man with minimal computer training says some local business
owners could be making their customers' financial information easy
pickings for hackers.

Craig Ripley said by using his laptop computer, he has observed that
some Santa Fe business owners provide free wireless Internet access over
their business computer networks, a practice that leaves their business
networks vulnerable to hackers.

If businesses have customer information on their networks, hackers could
use that information to steal a credit card number or someone's
identity, he said.

"I'm not into hurting people," said Ripley, who works in the shipping
department of Sears. "I just want to let them know."

Ripley said he once worked as an over-the-phone computer technician and
received three months of formal computer training, but otherwise, he has
learned about computer security just by tinkering around.

"I'm just a common Joe who works at Sears," Ripley said, adding if he
can see these vulnerabilities, anyone can.

Eric Padilla, owner of AirNet Security in Santa Fe, a company that
specializes in wireless security for businesses, agreed many wireless
business computer networks in Santa Fe are vulnerable.

"It's crazy in downtown Santa Fe," Padilla said.

Padilla has spent much of his career protecting the federal Department
of Energy, the National Nuclear Security Administration and Los Alamos
National Laboratory from computer-related threats, according to
Padilla's biography on his company's Web site.

Ripley said he started "wardriving," or trying to see how many open
Wi-Fi networks he could find in Santa Fe, in October. His intent was to
write an article about how many open networks he could find and disclose
how easy it would be to obtain information on them. He hopes that
business owners will tighten their security.

"I'm all for free Internet," Ripley said, "but you have to make it

Ripley said he found he could easily access the computer networks of
several businesses, including two local restaurants.

The general manager at one of the restaurants, who would not provide his
name, said he did not want to comment for this story. The other
restaurant did not have an owner or manager available for comment

One of the restaurants now requires a password to access the
restaurant's business network, Ripley said, but that wasn't always the

Ripley said security measures such as passwords aren't enough because
they're often easy to break.

There is a program called John the Ripper that helps hackers crack
passwords, and it is available for free on the Internet, Ripley said.

Also, some businesses still use passwords that can be easily guessed
based on what the business does or uses for a name, Ripley said.

People should always use lengthy passwords that combine letters, numbers
and symbols, according to Microsoft literature on how to create a strong
password. People should use words they'll remember, but ones that other
people wouldn't guess.

Padilla said separating Wi-Fi access from a business network is one way
to solve the problem. Increasing security measures is another, he said.

It is possible to run Wi-Fi access over a business network and keep it
secure, Padilla said, but business owners should be leery of
consumer-grade security measures. The quality of business-grade security
measures has increased greatly in the past two years, he said.

Nothing is 100 percent secure, Padilla said, but companies like AirNet
Security offer monitoring services that can tell business owners if
people are trying to hack into their network. "If you're really
concerned about your information, you have to monitor the system," he

It is definitely a bad business practice to run public Wi-Fi access over
a business network without tight security, Padilla said. Under state
law, accessing a computer network without authorization is legal. The
statute requires that a person who accesses a computer without
authorization cause damages for a crime to occur.

But Assistant U.S. Attorney Laura Fashing said in general, it is a crime
under federal law to access a computer network without authorization.

Eric Struck, owner of the Santa Fe Baking Co. & Cafe, said for security
reasons, he made sure to keep his business network separate from the
restaurant's free Wi-Fi access. "I keep the business off the Internet,
just for that reason," he said.