Before joining Red-M as CEO in 2002, Karl W. Feilder founded and sold two lucrative companies; ran an independent consultancy; and for four years wrote a syndicated column in which he bucked industry convention by revealing he had a personality.
Led by Feilder, Red-M recently spent six months conducting “friendly attacks” on the wireless networks of 100 international companies and proved that, using a $40 portable detector, 80 percent of the companies’ corporate networks were accessible from their parking lots. Banks, government agencies, educational institutions, IT companies—in each case, only a minority proved truly secure. Red-M’s findings sent IT managers scrambling and caused countless others to wonder: How could this happen?
Mobile Enterprise: What kinds of reactions did you get, telling people you’d just hacked into their networks?
Karl Feilder: I think, initially, most of them were incredulous. They simply didn’t believe it was possible. And then most of them went through a bout of anger. I personally had to get on the phone with a few of these people to talk to them sensibly and calmly, and they realized that we are not the bad guys here at all. We’re trying to help them understand an area of risk … I think, ultimately, they were quite grateful that somebody had alerted them to a problem about which they weren’t aware.
ME: I imagine you expected many of your targets would be vulnerable, but were even you surprised that it was such a hearty majority?
KF: We had really, really inside access to those organizations. We could see their printers—we could print documents on their own printers in their office. We could intercept their e-mail, we could see their total communication traffic. We could, if we wanted to, have taken huge gigabytes of data out of their network, and they’d never have noticed. And that’s what surprised me—just the level of access that we attained.
ME: Your study proved that a VPN is only part of a complete solution. Obviously, you believe Red-M’s Red-Alert PRO is the other part. What makes it so distinct?
KF: Ultimately, it’s a question of policy. It has to be understood that if you have a policy of no wires, then it’s useless unless you police that policy. In fact, many of the organizations we spoke to said that they have one man or woman who goes around their building once a month to see if there are any wireless devices. And we said to them, that’s like asking the fire department to come and check your building once a month, to see if you’re on fire. It’s crazy! You’ve got to have a system that detects 24/7, because you could have a hole in your security network any time of the day or night. ...
Why Red Alert is so special is that it does a lot of the threat-analysis inside our little box, and that means that we can lift the wireless trapping and only send alarms about bad things back to the central unit for processing. First of all that means it’s a more secure implementation of the wireless security product than some of the other things that are out there. And secondly, it has relatively little overhead on the network. We’re not actually loading the network with lots and lots of traffic.
ME: Are there any plans to go back and try again—see who’s improved their security since you alerted them?
KF: We’re already doing that. Everybody that’s on our list we’ve been to see. And we are helping a number of people there. Actually, the ones that have been quickest to respond are the government departments. That astounded us. You know, governments … never have any budgets for things, and they take forever to make a decision. But compared to the commercial enterprises we spoke to, we found that government departments were actually far more aware of the threat level and far more keen to do something about this.
ME: That’s the British government, you mean?
KF: No, I’m talking about a number of governments around the world. I will not be more specific, because then I’d have to shoot you. •