Business Idea - Wireless Security

An idea came to mind yesterday as I was...ahem...looking at my neighbor's unencrypted wireless connection. I could wardrive, finding open access points, then stop at the people's houses offering to secure their wireless devices. I think $50 or so would be a reasonable charge.



Well, what do you guys think? I'm particularly interested in what the guys (warez, I think) that own, or owned your own business have to say.



Alpo- I got dibs on Austin. :)

Depends on what you mean by "secure". Do you plan on providing
network and application layer security when the user accidentally clicks
on a website that exploits his IE buffer overflow as well? You have to
spell it out or you will be accountable for EVERY security related issue
that includes the user's own stupidity in opening every .exe email
attachment for example. I would recommend offering end-to-end
security and best use practice training, and deploying the necessary
products defined by the users' security policy - and explain clearly
what it can and cannot do. Some users think you have a firewall and it
prevents viruses from entering the network (which is not the case since
they are at different layers).

Most importantly, spell out in an MOU/SLA/Service contract what you
are and what you are not responsible for, otherwise, $50 will come
back to haunt you when they start calling you for something that's not
related to the service you offered.

Ahhh...that's exactly the kind of input I was looking for warez. Thanks.


Should I hire someone to write the contract? An attorney to look over it? My target market is people who don't have encryption turned on for their access point/wireless router. I don't know if people would be willing to spend the kind of money it would take to give them a "total security" package. (And a quick $50 router config might generate more profit in the long run.) Maybe I could offer additional services on top of encryption configuration. I'd suppose I could set up a more robust solution for businesses. I think you're dead-on with me needing to provide a definition of service.

Oh yeah, as far as the business side goes, when should I consider becoming a legal business? Right away, after I see if this is going anywhere, or after a certain profit threshold?

I think $50 is sort of a high price to be charging someone to turn on a
feature of their own device. And if you are going to target that low of a
price point for your market, you have to do volume, otherwise this is a
hobby, not a business. I don't think it's a good growth business doing
only wireless for home users (also, where's the sustainable competitive
advantage?) Assuming people were willing to pay for this information
which they can find on the Internet, the next Joe Shmoe will be offering
"Wireless Security for only $35"

I would suggest targeting SOHOs/SMEs and charging for a complete
security implementation. You make bank a lot faster, but the customer
is expecting every penny of what they pay for, so you better be able to
walk the walk when you talk the talk (which is bound by a service
contract).

As a security professional, I take my job pretty seriously, because my
customers certainly take their security pretty seriously. What I'm
saying is, don't offer "security" unless you can stand behind the
definition.

I would propose selling hardened Linux boxes bundled on IBM xSeries
for the SME's to be used for public servers as a better long term
business solution. Slap on a perimeter firewall, and use a VPN to
provide remote log storage services, SNMP monitoring, log file analysis
and you can have a recurring income. You can easily charge a few
thousand $ because information is a lot more expensive to a business
than a home user.

I lack the experience to call myself a security professional. A security hobbyist would be more accurate. My job is a M-F, 8-5 gig anyway, so I probably wouldn't be able to offer recurring services very easily. This is more of a, "Hey, I bet I can make some money doing this!" idea. If I only made 3-4 $50 sales every weekend, I'd be happy. This is definitely not a full-swing business venture. The bills have been getting to the point that I'm looking for a part-time job, and this would pay much better. (I'd also enjoy it)

I have thought of that a lot of times. There are a ton of them around here. However, one term comes to mind....

EXTORTION! lol

I really can't advise on the potential. Perhaps there are people willing
to pay the $50 in your area for that knowledge. It would be something
I would offer people for free in my profession, as I believe in educating
people about security. I sell the expertise and now the security
product and services, and building multi-tier partner channels, to do
the security support for dealers and customers. I am partnered with
some of the best security trainers in the market who make money on
their knowledge by teaching others; that's not my business model. I
teach people EVERYTHING and I point out flaws in their networks free
of charge (I used to do IT Security consulting), and now I just push the
product that enforces the company policy (and the company defines
their policy on the education I provide them).

I believe my approach is a new paradigm in the security market, and I
can tell you now, that all the SI's and vendor distributors who rely on
pushing the marketing instead of the technical knowledge, will lose
market share to me, because I win the confidence of the customers by
educating them and they can spot the bullshit for themselves and see
through the 'security sales pitch'.

I just want to comment that security is a pretty specialized field, and
the "Jack of all trades, master of none" is not really a long term
marketable option. If you sell 'security' you better be able to walk the
walk. Just like chiropractors shouldn't market themselves as doctors.
Could you explain the encryption process, and how it works, if the
customer asked you 'what is the difference in key strength between
40-bit WEP and 128-bit WEP?' Or, if VPN over 802.11b/g is an option
because the home user needs an encrypted tunnel back to his office?
Or the difference in key strength comparing asymmetrical and
symmetrical algorithms (128bit vs 1024bit), and how they are used in
IPSec VPN?

Perhaps a 'niche security' for people who are just happy not getting
caught in the wardriving cross-fire, but to me, it sounds like cutting
your neighbor's lawn for pocket change.


hunting- I'd bet extortion would be if I showed them their financial data and kiddie porn THEN asked if I could secure their wireless router. :)



Points well taken, warez. "Niche security" sounds about right for what I had in mind. If I could cut my neighbor's lawn in 30 minutes and make $50, I'd do it. :)



I'm going to make a few test-runs tomorrow. Is anyone interested in a report?



Wardriving itself is not a crime. How could it be? Right now I can see 2 of my neighbor's access points without doing a thing. Accessing their network, however, is definitely illegal. I wouldn't attempt a hack unless the customer specifically requested it.

rfquinn is right, it's not illegal access until you try to use their network assets.

checking for broadcast SSIDs or to see if WEP is enabled, etc.... is totally legal.

if you're gonna be doing real pen testing, you better have a good contract drawn up by a real lawyer that the client can sign.

DO NOT access their assets without a contract.

I would be very careful about how you go about doing this.... people can get really pissed if they think you are extorting them.

make sure to emphasize that they are in no way obligated to buy your service, you are simply informing them that their wireless is open and that you can fix it.

I would write a script to use for the initial contact with the clients and practice it first.

I also think $50 is a bit much... you can buy routers on sale for that price.

"Identifying the presence of a wireless network may not be a
criminal violation, however, there may be criminal violations if the
network is actually accessed including theft of services, interception
of communications, misuse of computing resources, up to and including
violations of the Federal Computer Fraud and Abuse Statute, Theft of
Trade Secrets, and other federal violations."

the key phrases are "Identifying" and "Accessing".

"make sure to emphasize that they are in no way obligated to buy your service, you are simply informing them that their wireless is open and that you can fix it."


That's a good philosophy to approach them with. I think you're right on track about pen testing possibly being perceived as extortion.


warez- Do you have a cookie-cutter pen test contract I could modify and use? rfquinn(at)hotmail.com


"I also think $50 is a bit much"

I've asked around to non-techie friends, and they think it's about right. Some even think it's a bit on the low side. I know it's just changing some settings, but there are quite a few people out there that can't even set the time on their VCR.

I would be very careful about doing any kind of pen testing.

one mistake that happens occasionally is someone testing penetrates the wrong network...

if there is more than one wireless network around, it could easily happen.

I am not an IT professional. Why would a consumer have network capability and not know it?

because of the poor instructions and setup for home wireless routers.

many default to having an open wireless access point allowing all and sundry to connect with their product.



So wireless is a good option for homeowners? I haven't heard of it around here at all.

you hook up your cable or DSL modem to a router.

the router is then used to send a signal to the rest of your house so your computers with wireless network cards on them can work.

it's a decent option, if you do some configuration and buy routers and cards with WPA (Wi-Fi Protected Access) on them.

My work laptop has some sort of wireless capability. I am not sure what. How do I access and use it? We have T1 at work and some wireless stuff as well.

thanks

Hey, don't hijack my thread! :)


If your laptop already has a wireless NIC, you only need an access point or wireless router to surf wirelessly. Create a new thread if you need more detail.