In Andy Gluck’s session of the TD Ameritrade Institutional National Conference in San Diego, the tech guru told his audience to use WPA2 encryption if they have a Wi-Fi network for their businesses.
One of the audience members affirmed his advice by commenting that the firm had set up a Wi-Fi network a while back, and subsequently asked a college student to try and test the security of the firm’s systems. See: A war of words flares up between Andy Gluck and Joel Bruckenstein.
In less than two hours, the student had full access to the firm’s files. (No word on whether he skipped to Brazil.)
The Wi-Fi network at the firm that had its security tested by a 20-year-old used only WEP encryption, which can be cracked with free tools downloaded from the Internet.
In other words, it was a fairly predictable result of a security test on a knowably porous system.
But it gained value for having come up at a conference — and then getting advisors at their desks across the United States involved in a discussion because of its timely delivery via Twitter. Bill Winterberg, principal of FPPad.com and a known techie, appears to have broken the story, so to speak. People were following the hashtag #tdai2013. See: Why RIAs would rather go to Twitter than talk to a wholesaler.
Only two hours?
One of the chimers-in on Twitter was Michael Kitces who wrote this in a follow-up e-mail from his East Coast office:
“Certainly hits home one of the points I make regularly in my sessions and wrote about last year — if you think your servers are more secure because they’re in your office and not the cloud, you’re kidding yourself. Your equipment is radically less secure, both physically and virtually. Ironically, I suspect the primary reason RIAs think their servers are so safe is because their intrusion detection and defense capabilities are SO weak, they wouldn’t even KNOW if their client data had been stolen. After all, good data thieves don’t exactly leave a calling card; they want the theft to be a secret, so people don’t know they should be watching their credit cards/credit report/etc.” See: At FPA’s Norcal event, wary advisors are told how to stop worrying and love the cloud.
As is the case with Twitter, people who aren’t attending the TD Ameritrade conference got into the conversation on the popular social media site.
Daniel O’Leary, who describes himself as a person who tweets on bleeding edge technology, said he was surprised it took the college student as long as two hours to break into the system.
“With social engineering you could do it in 15 minutes,” he tweeted. See: Dreamforce review: Social media enters the business cloud and why RIAs should care.
CFP Nathan Gehring asked Winterberg how the security lapse happened. “Just a good ol’ brute force hack on a weak password, I presume?”
Winterberg then explained what happened. “It was a WEP encryption crack in the RIA’s Wi-Fi network.”
That led Kitces to chime in: “Another reminder that the cloud is probably a much more secure place for most firms’ data!”
It’s no surprise that several conversations on Twitter delved into the topic of passwords and ways to improve security. Winterberg tweeted this: “So how good is ‘Wa1kd0g4495’ as a password? Just asking.”
Another fellow techie, Blaine Warrene, who goes by the user name Blano on Twitter and is the co-founder of Arkovi, then offered his insight. “I am hoping we can move passwords to phrases/sentences and away from jumbles – which still can be cracked,” he tweeted.
Winterberg then followed it up with: “It’s going to take a combo of biometric and multi-factor authentication, but most of us have the tech to do this today.”
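As an added example (not code from the article or from anyone quoted in it), the Python below puts rough numbers on the exchange above: the naive character-class estimate for a jumble like ‘Wa1kd0g4495’, the far smaller space a dictionary-plus-mangling attack actually searches when the jumble is a disguised word, and a diceware-style passphrase for comparison. The toy word list, leet map, dictionary size and guess rate are constructed assumptions, chosen only to show the shape of the gap.

```python
# Added example, not from the article. Word list, leet map, dictionary
# size and guess rate below are constructed assumptions for illustration.
import math
import re
import string
from typing import Optional

WORDLIST = {"walk", "dog", "walkdog", "advisor", "client"}  # toy stand-in
DICT_SIZE = 10_000             # assumed size of an attacker's real word list
LEET = str.maketrans("0134578@$", "oleastbas")  # symbol -> letter it stands for
LEET_LETTERS = set("oleastb")  # letters a mangling rule would try substituting
GUESSES_PER_SEC = 1e10         # assumed offline rate against a fast unsalted hash

def charset_bits(pw: str) -> float:
    """Naive strength: log2(charset ** length). An upper bound that assumes
    the attacker knows nothing about how the password was built."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw): size += 26
    if any(c in string.ascii_uppercase for c in pw): size += 26
    if any(c in string.digits for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0

def mangled_word_bits(pw: str) -> Optional[float]:
    """Search space a dictionary-plus-mangling attack really faces when pw is
    a word with leet substitutions, optional capital and a digit suffix:
    dictionary * 2^(substitutable letters) * 2 * 10^digits. None if no match."""
    m = re.fullmatch(r"([A-Za-z0-9@$]+?)(\d*)", pw)
    if not m:
        return None
    core, suffix = m.groups()
    word = core.translate(LEET).lower()   # undo the leet: Wa1kd0g -> walkdog
    if word not in WORDLIST:
        return None
    substitutable = sum(1 for c in word if c in LEET_LETTERS)
    return math.log2(DICT_SIZE) + substitutable + 1 + len(suffix) * math.log2(10)

def passphrase_bits(n_words: int, wordlist_size: int = 7776) -> float:
    """Diceware-style phrase; the attacker is assumed to know the word list."""
    return n_words * math.log2(wordlist_size)

def seconds_to_exhaust(bits: float) -> float:
    return 2 ** bits / GUESSES_PER_SEC

if __name__ == "__main__":
    pw = "Wa1kd0g4495"
    print(f"{pw}: naive {charset_bits(pw):.1f} bits; as a mangled word "
          f"{mangled_word_bits(pw):.1f} bits, {seconds_to_exhaust(mangled_word_bits(pw)):.2f} s")
    print(f"5-word passphrase: {passphrase_bits(5):.1f} bits, "
          f"{seconds_to_exhaust(passphrase_bits(5)) / 31_557_600:.0f} years")
```

The naive figure for the jumble looks comparable to the passphrase, but once the attacker models it as a leet-mangled word plus digits the search collapses by about 35 bits, which is the point Warrene’s tweet makes.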