Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Beware the Airport Wireless

ScuttleMonkey posted more than 5 years ago | from the far-too-trusting dept.

120

schwit1 writes to tell us that a recent study by a Silicon Valley-based security company shows that black-hats have been ramping up their use of tempting free or unsecured wireless access points in high travel areas like airports and hotels. "According to their study, even the 'secure' networks weren't all too safe. Eighty percent of the private Wi-Fi networks at airports surveyed by Airtight were secured by the aging Wired Equivalent Privacy (WEP) protocol, which was cracked back in 2001. Almost as many — 77 percent — of the networks they surveyed were actually private, peer-to-peer networks, meaning they weren't official hotspots. Instead, they were running off someone else's computer."

Sorry! There are no comments related to the filter you selected.

Old (4, Informative)

sopssa (1498795) | more than 5 years ago | (#28654915)

Isn't this quite old story? Already years ago I read that people have been setting their own hotspots near crowded places, and it works good because if you get better signal than the official hotspot the computers usually pick your hotspot first. This was even covered in The Real Hustle [youtube.com] many seasons ago.

And for that matter, you're in a insecure place connecting via some random network. Its just stupid.

Re:Old (5, Funny)

Anonymous Coward | more than 5 years ago | (#28655009)

I cracked my own network in minutes using this method [lifehacker.com] . Can someone point me to a less complicated method?

When I need to get into just about any secure network, this hacking multitool is what I use: CB G.Freeman [ndswebservices.com] .

It can crack arbitrarily high amounts of encryption when applied to the proper segment of the network. It works very well, often only taking seconds to provide you with the authentication you require. It also can do wonders on conventional locking systems.

Enjoy!

Re:Old (5, Insightful)

girlintraining (1395911) | more than 5 years ago | (#28655029)

And for that matter, you're in a insecure place connecting via some random network. Its just stupid.

But very convenient. You'd be surprised how much Stupid you can get for Convenience.

Re:Old (2, Insightful)

interkin3tic (1469267) | more than 5 years ago | (#28655241)

I think it's more ignorance. Of a fairly technical issue, at least for most people. A little bit of self-defensiveness there, I'm far less computer literate than most /. users and had no idea that WEP had been broken for 8 years.

Granted, I wasn't assuming it was safe, doing online banking while on an unknown network in a crowded airport. I've only used my nintendo DS on them. Now I guess I can't even do that, assholes always trying to steal me level 40 Charizard...

Re:Old (-1, Flamebait)

girlintraining (1395911) | more than 5 years ago | (#28655597)

I think it's more ignorance. Of a fairly technical issue, at least for most people. A little bit of self-defensiveness there, I'm far less computer literate than most /. users and had no idea that WEP had been broken for 8 years.

Your education is your responsibility. It's assumed that if you're installing a wifi router, you will do your homework on how to set it up and read all the included documentation. Failing that, simply googling for "wifi router security FAQ" would provide this same information in short order. You're the owner and operator of that piece of equipment -- if you don't feel you can manage its installation and maintenance, hire someone who can. It's the same with anything else -- like your car. If your brakes go out because you didn't maintain them and you crash into another vehicle, you have only yourself to blame. It's not any different just because something's electronic.

Re:Old (1)

X0563511 (793323) | more than 5 years ago | (#28655951)

He doesn't own and operate that router... which is a key point here.

Re:Old (2, Insightful)

girlintraining (1395911) | more than 5 years ago | (#28656317)

He doesn't own and operate that router... which is a key point here.

In that case, why is he trusting any device that is outside his administrative control, and has no contractual agreement or working relationship of any kind, with the owner of said device? O.o

Re:Old (1)

interkin3tic (1469267) | more than 5 years ago | (#28658267)

In that case, why is he trusting any device that is outside his administrative control, and has no contractual agreement or working relationship of any kind, with the owner of said device? O.o

Because, as I said in the post you responded to, I only use the Nintendo DS on airport wifi. To play Tetris or Mariokart. Worst case scenario I can see is that there could be a vulnerability in the DS that would allow someone to brick it. More likely someone would be using it to cheat. All of which would be annoying, but I think the likelyhood of that is pretty low, and I should really be reading papers on molecular biology when I'm on the plane, especially if I'm so concerned about educating myself.

Re:Old (1)

Fulcrum of Evil (560260) | more than 5 years ago | (#28656187)

wait, how is it the responsible of every user to know that WEP has been dead for 8 years? Regardless, this won't help you if someone sets up a rogue AP and collects passwords and credit cards.

Re:Old (2, Informative)

cbiltcliffe (186293) | more than 5 years ago | (#28659409)

Your education is your responsibility. It's assumed that if you're installing a wifi router, you will do your homework on how to set it up and read all the included documentation.

The local major DSL provider to me used to provide DSL modem/routers to their customers with built in wireless. The wireless was disabled by default.
When you went through the initial setup, though (had to do it before the router would let you online) it encouraged you - strongly...it would have been hard for a non-techie user to figure out how to avoid it - to enable wireless.
When setting up the encryption, it had four radio button options that looked like this:

O No encryption.
O 64 bit WEP
O 128 bit WEP (recommended)
O WPA-PSK

So the recommended option was something that could be broken into in 15 minutes or so.

About a year ago, they stopped distributing those routers, and started sending out a different type, that come by default with 128 bit WEP enabled, and with the customer's username/password pre-programmed, so the documentation just says "Your router is preconfigured. Just plug it in, and it will connect and work properly."

Microsoft's web site says if you must use WEP, change your key once a month, so if somebody gets the key, they'll be locked out again. So out of the 43200 minutes in an average month, you'll only be vulnerable for 43185 of them if you follow Microsoft's advice.

Most of the computer stores in my city are still using WEP on their networks. If the customer hires them to set up their network properly, they'll still end up hackable.

Then, on top of that, very few techs even know of the vulnerabilities in WPA. If you use a passphrase that's in a dictionary/wordlist/phraselist somewhere, you can still be broken into, even using WPA. It's a little harder, as it requires a legitimately connected client, which WEP doesn't, but it also doesn't require anywhere near the amount of wireless traffic collection that WEP does.
30 seconds will typically be long enough to collect the data you need, then you can go crack remotely, whereas WEP requires 5-15 minutes worth of data collection.

The bottom line is, you can't trust the documentation, you can't trust the advice from the "experts," and you can't trust articles you read on the Internet. The only real way to be secure is to ask somebody who knows how to break into these things if they can break into yours. If they can't, you're probably safe.

Re:Old (4, Interesting)

Weedhopper (168515) | more than 5 years ago | (#28656365)

If your system hasn't been compromised, it doesn't matter.

You could do your banking on an open, unsecured network, no WEP, no WPA, etc because your traffic between you and your banking institution has been encrypted from point to point.

That said, if I were you, I wouldn't do it.

Re:Old (2, Interesting)

BrokenHalo (565198) | more than 5 years ago | (#28657477)

If your system hasn't been compromised, it doesn't matter.

It would if the network points to a poisoned DNS cache.

Re:Old (1)

lewko (195646) | more than 5 years ago | (#28657893)

Not necessarily. Your browser would be able to demonstrate the incorrect digital certificate (if any) of the rogue site.

However, a few pretty padlock icons on the page, and users' habit to ignore security warnings, might still mean trouble. So the attack would often work.

Re:Old (1)

Meumeu (848638) | more than 5 years ago | (#28657975)

If your system hasn't been compromised, it doesn't matter. It would if the network points to a poisoned DNS cache.

SSL would detect that the server doesn't have a valid certificate.

Re:Old (1)

interkin3tic (1469267) | more than 5 years ago | (#28658227)

I don't think the people we were talking about would do anything besides hit OK and go ahead and do whatever they were going to.

Re:Old (1)

DamnStupidElf (649844) | more than 5 years ago | (#28656519)

Online banking is safe over HTTPS, as long as your PC can't be immediately compromised by some root hole and you don't click through the SSL warnings from the fake certificates the attacker tries to get you to accept.

Re:Old (1)

michaelhood (667393) | more than 5 years ago | (#28657929)

There are theoretical and non-theoretical (read: spotted in the wild) ways to get the target's browser into thinking a MITM'd HTTPS connection has valid SSL certs. But even if there weren't, I'd anecdotally offer a good 7/10 noobs will click right past those silly warnings anyway. This is largely the fault of the popular browsers (yes, both IE and Mozilla-based) for not giving a more useful UI when a cert isn't valid. Expired, self-signed, doesn't match the hostname, etc. should all look wildly different to the end user.

Re:Old (2, Insightful)

mcrbids (148650) | more than 5 years ago | (#28656137)

You forgot to mention that it's also not relevant.

The Internet itself is "insecure". It is so by design, so if the purpose of the Wifi is to get to teh iNternetz then there is logically no substantial value to encrypting your hotspot.

Practically, I can only think of two benefits:

1) Prevent neighbors from leeching bandwidth and making your YT videos "skippy".

2) Prevent neighbors from sharing MP3s on your connection so that the RIAA sues you. Of course, if you don't secure your connection, you have plausible deniability when they sue....

Now, if you are actually running a local NETWORK, (EG: printer sharing, etc) then things change a bit. But even then, it's sensible to secure your services so that security issues don't plague you. Since all my company's resources need to be "roadable", we don't bother with VPNs and instead just used all encrypted protocols. (EG: rather than SMB, we use DAV over HTTPS, SMTPS/IMAPS for email, etc)

Re:Old (1)

GigaplexNZ (1233886) | more than 5 years ago | (#28658583)

I can think of a 3rd. Prevent neighbours from leeching bandwidth and costing you money. That's right, many people live in areas where bandwidth isn't free.

Re:Old (0)

Anonymous Coward | more than 5 years ago | (#28658801)

Now, if you are actually running a local NETWORK, (EG: printer sharing, etc) then things change a bit. But even then, it's sensible to secure your services so that security issues don't plague you.

You're absolutely correct. I don't know what you're using for your local network, but business networks these days are encrypted end-to-end via IPSec by default, if the IT staff is competent.

Since all my company's resources need to be "roadable", we don't bother with VPNs and instead just used all encrypted protocols.

Neat! You must have some *really* long cables for your servers and printers: How do you keep them from getting tangled?

Re:Old (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28656931)

And for that matter, you're in a insecure place connecting via some random network. Its just stupid.

But very convenient. You'd be surprised how much Stupid you can get for Convenience.

From an MIS/IT perspective, one solution to that is to provide something more convenient. Our laptops are issued with cellular broadband NICs and unlimited data plans for those with a demonstrated business need, and coverage is widespread enough now (especially in airports) that it's easier for them to access our corporate VPN that way than it is to connect to some arbitrary open WAP, especially after automating it so that they double-click one icon on their desktop, enter their password, and the rest "just works".

Re:Old (1)

calmofthestorm (1344385) | more than 5 years ago | (#28655719)

If they can crack 256 bit AES and/or fake SSH hostkeys, well, then I guess they've probably got my data either way. If not, there's nothing stupid about it.

Not so old. (1)

numbski (515011) | more than 5 years ago | (#28656241)

The thing that gets me is that this only covers half of the story. They ignore the white hats. :)

When I'm at a hotel for example, I'll usually bring a pair of Airport Express units. Take one, join it to the hotel's "paid" wifi, then nat over to the other in bridged mode via cross-cable, and create a new network with the ESSID "Hey look, free Wifi!". :)

Then again, my hat might always start changing colors on you, so watch out.

*weeeooooohhhh* ;)

Re:Old (1)

gad_zuki! (70830) | more than 5 years ago | (#28656805)

Heck I'm typing this on an iPhone on a plane via airtrans wifi service somewhere between Chicago and orlando and I don't care about privacy. I'm not bankingand if the worst that happens is my slashdot pw sniffed then that's an Acceptable risk".

Re:Old (1)

lxs (131946) | more than 5 years ago | (#28659171)

"if the worst that happens is my slashdot pw sniffed then that's an Acceptable risk".

Says the poster with the five digit UID.

Re:Old (1)

Phoghat (1288088) | more than 5 years ago | (#28659007)

I've got an older Netgear WiFi router that runs only in WEP and I'm also running Avira Free security.

Haven't been accessed (that I can tell). Sometimes Avira will pop up and tell me someone is trying to access my network and I just click DENY ACCESS .

"Beware the Jabberwock, my son! The jaws that bite, the claws that catch! Beware the Jubjub bird, and shun The frumious Bandersnatch!"

Get to work! Here's how to crack WEP networks (1, Offtopic)

bogaboga (793279) | more than 5 years ago | (#28654943)

I cracked my own network in minutes using this method [lifehacker.com] . Can someone point me to a less complicated method?

Re:Get to work! Here's how to crack WEP networks (4, Funny)

davester666 (731373) | more than 5 years ago | (#28655435)

Connect to your wireless router via Ethernet and click the 'Show Password' checkbox?

Re:Get to work! Here's how to crack WEP networks (2, Funny)

tomhudson (43916) | more than 5 years ago | (#28656205)

"I cracked my own network in minutes using this method [lifehacker.com]. Can someone point me to a less complicated method?"

Look for the PostIt on the bottom of the router. Or try the password on the PostIt on the underside of the keyboard - but only if the password on the PostIt on the monitor doesn't work.

current state of affairs (1)

girlintraining (1395911) | more than 5 years ago | (#28654987)

In truth, the current state of affairs is about what anyone who has been following security news and publications for awhile would expect. There's been a rise in the level of networks that aren't "open", but instead encrypted in some fashion. That's because of the endless parade of articles about pedophiles using laptops and the FBI busting down innocent people's doors to find (da-dum!) the wifi router. So while people are very good at being afraid and then doing something vaguely rational about it, "smart" is one word I wouldn't use to describe the public's response. Most of them still use passwords. Many of them don't know the difference between WEP, WPA, and WPA2 and just set it to whatever option gives them the least amount of grief (Windows likes spit out key-length errors when using WPA -- usually because of an extra space at the end of the copied string)... Which is usually a simple password. So they use 0.008% of the available keyspace, breathe a sigh of relief, and then go to the store to buy duct tape and gas masks because CNN says it'll help keep the terrorists out.

Re:current state of affairs (1)

CAIMLAS (41445) | more than 5 years ago | (#28655077)

Yeah, and people used to think wolf's bane would keep werewolves at bay, garlic would keep vampires away, a good bleeding would cure what ails, and putting blood from one's gums on the north side of a mossed tree would cure a toothache.

People are a superstitious lot as a whole; for most people, it's because they can't be bothered to verify a statement's factuality. For everyone else, it's due to there simply not being enough time to verify the factuality of everything.

Re:current state of affairs (1)

Sponge Bath (413667) | more than 5 years ago | (#28655277)

People are a superstitious lot...

Daily animal sacrifices keep my Windows server running smoothly...
unless the Great Blue God becomes angry.

Re:current state of affairs (0, Offtopic)

Gerzel (240421) | more than 5 years ago | (#28655559)

The Great Blue God is always angry. Watchout for chairs.

Re:current state of affairs (1)

Hatta (162192) | more than 5 years ago | (#28655545)

That's because of the endless parade of articles about pedophiles using laptops and the FBI busting down innocent people's doors to find (da-dum!) the wifi router.

How often does that ever happen? I brought that up as a reason once not to leave one's wifi network open (even though I'd like to share), and was told I was being paranoid. Do you have any links to these articles, I couldn't find any.

Re:current state of affairs (0)

Anonymous Coward | more than 5 years ago | (#28657673)

Ignore the pedophile excuses, they take a lot more precautions than the asshole who decides to try out torrenting for the first time using your broadband. That's the guy you need to be worried about.

Re:current state of affairs (0)

Anonymous Coward | more than 5 years ago | (#28655815)

I have helped some people with a decent way of doing secure wireless:

On OS X, you can generate random 63 character passphrases using the KeyChain app. On Windows, KeePass is something I use, because it not just uses random characters, but can take random mouse movements as part of the character generation. I show the user how to use either utility, then copy and paste the passphrase to a file on a USB flash drive (which then gets stored somewhere safe such as a TrueCrypt volume or an encrypted disk image file.) Then, it is a matter of copying and pasting into the router (while on a machine that is on a hardwire connection), and pasting the key into all the computers that are authorized to connect. MAC checking is also nice, but I leave that up to the user as icing on the cake.

From what I've read, a 20 character passphrase is good against most attempts, 32 against almost all, and 63 (the longest the WPA2 spec allows) is going to make a black hat use another technique to find a weaker link (compromise a machine on that segment, physical compromise, rubber hose, look for a weaker wireless AP to attack, etc.)

What's the big deal? (5, Insightful)

Anonymous Coward | more than 5 years ago | (#28655015)

What's the big deal? Why worry about the insecurity of the local wireless network when you're connecting to the Internet... hello, it's insecure!! If your computer isn't secure it doesn't matter whether the local network is or isn't, your computer is still insecure. If you are doing things across the network that you want to keep private and you aren't doing them over SSL/SSH/VPN you are an idiot regardless of whether the local wifi uses WEP, WPA2, or no encryption at all.

VPN, SSH, or Unsecured- SSL isn't safe enough (2, Interesting)

billstewart (78916) | more than 5 years ago | (#28655803)

If you're checking the weather or airline schedules or Slashdot, it doesn't matter if you get eavesdropped on. If you're checking your work email, you want to be using an IPSEC VPN, so all your traffic is going to be protected inside that (unless you're doing split-tunnel...) and SSH is fine too.

The tricky case is using SSL-protected websites, when you can't trust the DNS and network not to be redirecting you to some bogus cracker site. If you pay attention to the certificate details, you can be safe, but if you're not paying attention and hit the "Yeah, Sure, Whatever" button, then you're hosed. An SSL VPN connection to work may or may not be, if your company is using an SSL VPN appliance - are you using passwords or one-time-access tokens? Does the cracker know how to break in to that given your authentication, as opposed to just stealing credit card or bank passwords?

Re:What's the big deal? (1)

shentino (1139071) | more than 5 years ago | (#28655861)

Wireless security is more about preventing unauthorized usage of a network. i.e., the deeds that can land you in trouble with the feds or the RIAA. You still need a firewall on your local machine, since apart from the internet you also have peers on the local lan.

Re:What's the big deal? (1)

ratboy666 (104074) | more than 5 years ago | (#28656043)

"You still *need* a firewall on your local machine" (emphasis mine).

Why? My laptop responds to ICMP packets, but has no open ports. None. Whatever would I be firewalling?

If I actually open a port, it would actually be a reverse SSH tunnel. So, what would I be firewalling?

You are welcome to TRY hacking my laptop. Unless you can sneak through the web browser, or attack me with a specifically formatted email, I doubt you will have any success. Good luck with that -- I use NoScript and disable even image loading on email.

Indeed, take it as an pwn2own challenge.

Can you explain why a firewall would improve things for me?

And, on to the original topic -- I don't care if my network connection is "snooped". In fact, I EXPECT that it is being monitored and tracked. That's why I have a little "Tor" button in my browser.

Re:What's the big deal? (2, Interesting)

DamnStupidElf (649844) | more than 5 years ago | (#28656555)

Because someday you're going to run some program locally that for whatever reason wants to bind the 0.0.0.0 address and listen on some port. Web server, database server, chat client, p2p client, whatever. Unless you run netstat -a all the time, you don't *know* that there isn't something listening.

Ad-Hoc not a danger (3, Interesting)

royallthefourth (1564389) | more than 5 years ago | (#28655017)

In every wifi GUI tool I've used, ad-hoc networks show up with a special icon. I don't know about the public in general, but any decent Slashdot reader should know better than to connect to one!

Re:Ad-Hoc not a danger (3, Interesting)

PPH (736903) | more than 5 years ago | (#28655437)

Its not that difficult to run a managed network off a laptop. So filtering out the ad-hoc ones will only eliminate the stupid black hats.

Wrong (4, Interesting)

aywwts4 (610966) | more than 5 years ago | (#28655441)

Sure if the network is truly adhoc, but these aren't, the hacker needs to get the wifi from somewhere, and more often than not it is the official airport/coffeeshop wifi.

This is someone connecting to a wireless access point with their laptop, running the sniffing suite on the laptop, and running a portable access point out another ethernet jack or through USB. I have a great USB based access point that is able to repeat and share any signal I can get, I use it to route wifi over great distance over a cantenna and repeat it to all my devices, it will not show up as an ad hoc network. Mine is old they make them even better, smaller and cheaper now. Nobody is going to bat an eye at the hacker with a usb cable running into his laptop bag.

PS: Firefox with a proxy including DNS + Putty running a dynamic proxy + A linux box at home (such as a low power tomato router) with SSH access + Priv/Pub ssh keys + DynDNS static IPs = 3 second complete encryption of everything no matter how sketchy the access point.

PSS: People saying this isn't a problem, so much webmail is unsecured by default, so many passwords are emailed to users. Please just trust the security geeks, you are really really vulnerable to deep packet inspection and transparent proxies. Secondly you are trusting the blackhat's DNS, are you really going to notice when you go to paypal/etc and the HTTPS is missing just one time?

Re:Wrong (2, Insightful)

_avs_007 (459738) | more than 5 years ago | (#28655629)

are you really going to notice when you go to paypal/etc and the HTTPS is missing just one time?

I must really be a paranoid geek. I trained my wife to always look at the certificate, and inspect the trust chain, EVERY time she logs into the bank, etc...

Re:Wrong (1)

zippthorne (748122) | more than 5 years ago | (#28659439)

What exactly are you looking for?

How is this dangerous to a normal user? (3, Insightful)

Anonymous Coward | more than 5 years ago | (#28655045)

How can this affect a normal user? Aren't HTTPS sites and other safe regardless of this?

Re:How is this dangerous to a normal user? (5, Insightful)

sopssa (1498795) | more than 5 years ago | (#28655103)

What about if the hotspot doesn't actually give the user the real page, but instead phishing page? I doubt many normal users notice that HTTPS isn't on. Or like in the above The Real Hustle video, "for $1 you can get one hour of surfing time, just enter your credit card details" and you probably can guess what happens from there.

Re:How is this dangerous to a normal user? (2, Interesting)

causality (777677) | more than 5 years ago | (#28655237)

What about if the hotspot doesn't actually give the user the real page, but instead phishing page? I doubt many normal users notice that HTTPS isn't on. Or like in the above The Real Hustle video, "for $1 you can get one hour of surfing time, just enter your credit card details" and you probably can guess what happens from there.

I don't doubt that the people who run such scams are doing something evil but this irrational insistence people have of using what they do not understand and then acting shocked if something goes wrong is in need of some serious "Darwinism" or "artificial selection" or whatever you like to call it. The basics of how to protect yourself are not that difficult to understand, the information is out there, and any literate adult can educate himself as easily as searching via Google. If putting a price on that kind of rampant ignorance is the only way to give it an incentive to be remedied, then so be it.

It shouldn't be that way. People should care enough to guard the things that are important to them, like the kinds of personal information phishing pages could harvest. The reasons why they don't seem to be rooted in apathy combined with a strong feeling that basic competency (which is a far cry from expertise) is some kind of horrible undue burden that is completely unreasonable to expect of them. There is a great deal of arrogance in the belief that safeguarding things that matter to you should always the responsibility of someone else, be it Microsoft or the airport or whomever. When that kind of hubris leads to problems, what legitimate complaint do they have? Why are they so often portrayed as helpless victims instead of held up as examples of negligence, of what not to do?

Re:How is this dangerous to a normal user? (1)

darthwader (130012) | more than 5 years ago | (#28655801)

But this "for $1 you can get..." has nothing to do with network security, that is all about user stupidity. If I put up my "wireless internet" sign up in one of those disused airline rewards plan program booths that litter most of the airports I go through, and ask for people's credit cards, I'm also going to get money. Heck, I could probably find an unused visa application booth, and stand next to it with my customized application form and get all sorts of personal banking information from idiots. If you're dumb enough to type in a credit card number on a web site you haven't confirmed, then you're an idiot. And the only network security process that will help you is for someone to take your computer away from you.

Always assume public networks (wifi or cheap motel wired) are being recorded by someone who wants to steal your money. Always use SSL enabled sites, and always verify the contents of the certificate. Make sure your webmail is on an SSL enabled site, and if you are using other apps that use the network (thick-client mail), ensure it is configured to use SSL.

Would be apparent for many.... (1)

SuperKendall (25149) | more than 5 years ago | (#28656183)

What about if the hotspot doesn't actually give the user the real page, but instead phishing page? I doubt many normal users notice that HTTPS isn't on.

Even ignoring that, there's two other things that would make people think twice:

1) Fake cert, people would see an alert (though as you say perhaps they are not even trying)

2) The bigger issue is that when they go to the site, they would not be logged in automatically or the form to login would not auto-fill. A lot of people use this so much now they'd be hard pressed to actually enter the real password themselves if autofill fails!

You have the same problem anyway even if using an "official" WAP outside home, since you cannot trust that the thing has not been compromised.

Re:How is this dangerous to a normal user? (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28656469)

I was once staying at a hotel for a convention and brought my laptop downstairs -- only to be presented with three different wireless network options, all of which looked like they *could* have been the hotel's access point, but slightly different. It would have been trivial to set up a network with a similar name and a dummy phishing page that looked identical to the hotel's.

Re:How is this dangerous to a normal user? (0)

Anonymous Coward | more than 5 years ago | (#28657379)

lawl

http://www.thoughtcrime.org/software/sslstrip/

"Hi, Jack!" your PC (0, Offtopic)

ifeelswine (1546221) | more than 5 years ago | (#28655047)

Ever see a black hat naked before Jimmy?

Friday trolling...again (1)

Gizzmonic (412910) | more than 5 years ago | (#28655053)

I'm sorry I don't have anything good to say. I'm late for my flight anyway!

Can you get arrested as a terrorist if you hack airport networks?

Ahh, the old "Free Public WiFi" issue (4, Interesting)

DigitalSorceress (156609) | more than 5 years ago | (#28655069)

Ever notice an SSID for "Free Public WiFi" just pop up while you're at your place of work?

When I first saw these, I assumed "someone got infected with some trojan which sets them up to pretend to be an open WiFi either to do a man-in-the-middle attack, or to infect my system with some kind of worm."

After a bit of digging, I discovered that this was actually not malicious, but was a viral-like spread due to some strange way that one of the MS Operating systems was handling ad-hoc wireless connections.

Here's a 2006 advisory on the issue
http://www.nmrc.org/pub/advise/20060114.txt [nmrc.org]

Here's a less technical explanation (in case you have to convert it to "boss speak")
http://erratasec.blogspot.com/2007/01/ad-hoc-wifi-virus.html [blogspot.com]

So, pretty much everyone says it's harmless.

However, my initial suspicians (about MitM or worm infections) could easily be made to come true, and anyone who google'd it would say "oh, I guess it's that 2006 thing, no worries"

Of course, being an ad-hoc node, it'll be kinda obvious to most geeks... and of course, most geeks would probably make sure they were tunneling or otherwise using the network safely anyhow.

John Q. Public on the other hand? hoo boy. ... AND it doesn't help that so many products, in the name of making things easier on John Q. Public, will just auto-associate when they see an available connection.

I don't really know where I'm going with all this except to say "Never trust any network outside your own, never EVER trust the Interwebs, and only trust your own network as far as you have to in order to make things work... especially if you're not the only one using it.", but you knew that already.

Re:Ahh, the old "Free Public WiFi" issue (5, Informative)

Anonymous Coward | more than 5 years ago | (#28655185)

A few years ago, I was at a SANS security course being hosted at the University of Minnesota. One of the tools we were using was Cain & Abel. The people at the university who had set up Wi-Fi for the class of 125 students had done a horrible job, a bunch of Apple Airports, all sharing the same SSID and the same channel, and each performing their own NATing. You'd bounce between APs and get IP collisions as you'd hit someone who already had that IP on the other AP. It was a total joke, and if you were lucky, you'd maybe get 10-20 minutes of working internet before it'd die again. So, I bought a day pass from the Starbucks access point in the lobby downstairs, which was very reliable by comparison. I then remembered I had my little Apple Airport Express in my bag that I carried with me for when I traveled to hotels that didn't have wireless, so I could set up my own network and sit in the bed, rather than at a desk chair. I used that to create an infrastructure wireless access point called "Free Better Internet" and routed all the traffic through my laptop back to the Starbucks AP downstairs. People would get so frustrated using the shoddy supplied internet that they'd try the other SSIDs they'd see in the list. I then turned on Cain & Abel, and within a couple of hours, I had over 700 username & password combinations, and this was in a class where they handed me the tool to do it on the class CD, and we were talking about it! The looks on my classmates faces when I showed them their usernames and passwords were priceless. I was amazed that large research schools weren't even using SSL on their IMAP connections, and I had a ton of AIM and ICQ passwords, not to mention dozens of web site passwords, even my co-worker's password to her World of Warcraft Guild web site! :) The moral of the story, is that even "smart" people, who know exactly what the risks are, and who know how to use a VPN, will give up a LOT of security in exchange for free internet access!

Re:Ahh, the old "Free Public WiFi" issue (2, Interesting)

PhxBlue (562201) | more than 5 years ago | (#28655511)

The moral of the story, is that even "smart" people, who know exactly what the risks are, and who know how to use a VPN, will give up a LOT of security in exchange for free internet access!

But how much security are we really talking about? I'd be pissed if someone got my AIM or ICQ login credentials, but that wouldn't be the end of the world for me. And I don't play World of Warcraft, though I guess you could attach a pretty high dollar value to some WOW accounts.

The real question is, did you get passwords for secure sites such as bank sites or other financial Web pages? If not, then it's very likely that these "smart" people understood the risk and chose to accept it.

Yes, those were sensitive passwords (2, Interesting)

Beryllium Sphere(tm) (193358) | more than 5 years ago | (#28657017)

He mentioned getting email passwords, and with access to someone's email you can reset their passwords to more important sites. Not to mention that I've seen a place handling sensitive information that answered lost password requests by _mailing out the password_.

Re:Ahh, the old "Free Public WiFi" issue (0)

Anonymous Coward | more than 5 years ago | (#28658327)

Considering how many people use the same username and password for everything they do, I'd say we are talking about some serious information being gathered.

One could easily take those 700 usernames and passwords and try them on other systems. Or even more easily fetchmail copies of their inboxes and grep for account information and other sensitive bits at their leisure.

Re:Ahh, the old "Free Public WiFi" issue (1)

Ohrion (814105) | more than 5 years ago | (#28656239)

So basically, you were very smug about breaking the law. They specifically tell you NOT to do things like this in SANS classes unless first getting permission in writing. In this case you would have needed permission from Starbucks and most likely from the University. Possibly even from the individual students in the class. Breaking these rules is generally a quick way to be removed from the class and having any prior certifications by SANS revoked.

Re:Ahh, the old "Free Public WiFi" issue (1)

dkf (304284) | more than 5 years ago | (#28658133)

So basically, you were very smug about breaking the law. They specifically tell you NOT to do things like this in SANS classes unless first getting permission in writing. In this case you would have needed permission from Starbucks and most likely from the University. Possibly even from the individual students in the class. Breaking these rules is generally a quick way to be removed from the class and having any prior certifications by SANS revoked.

On the other hand, if he clearly and obviously deleted those passwords after showing them to the victims and absolutely avoids repeating this trick, it's not worth reporting him. In addition, hopefully all those other idiots will have learned a small lesson in security (i.e., credentials should never go over the net in the clear, and never ever trust the network).

There's nothing like being in the same area as a cracker (even a white-hat one) for teaching you practical security measures.

Re:Ahh, the old "Free Public WiFi" issue (1)

WNight (23683) | more than 5 years ago | (#28658333)

you would have needed permission from Starbucks and

Oh get real. Your reasons are silly.

For starters, what company would ever say yes to anything? They'd assume you were trying to get them to take responsibility for it. You're essentially arguing that nobody should do anything because there's no way you could get written permission to leave your own condo (try it...) let alone anything else.

But what obligation does he really have with Starbucks? I've bought coffee-shop net access and it's always a straight purchase, just like software. There's often a bunch of mumbo-jumbo after I've paid, similar to a EULA, but as it too purports to be a post-sale contractual modification it's similarly worthless. And even if the contract was binding, what are the damages?

Then the university. Does he have any obligation to the university? He didn't appear to be a student, just attending a seminar hosted there in a room rented by SANS (and thus officially welcome to use the attending facilities). And again, would they ever say yes even if it was vitally important?

And if SANS purports to retroactively deny certs, I guess that's about the limit of their credibility. A certificate of accomplishment states you have done something. To revoke someone's certs is to claim they didn't do the work. To use that claim for anything else is tantamount to fraud.

Besides, not only would a revoked cert (ie, cert) be just as good anywhere I've been, but you'd just say "Scored 4.7/5 on SANS xyz" instead of "have cert xyz" and it avoids the whole issue.

The law, in general (unauthorized access, etc) is his only reason not to. (Assuming it's a demo it's not unethical.)

Not great to begin with (3, Interesting)

TClevenger (252206) | more than 5 years ago | (#28655083)

I was in an airport a couple of weeks ago (Denver?) The WiFi was "free", but they proxied all of your traffic through their servers and used that to encapsulate all web sites into a frame with advertisements above. They did allow SSH, so I just bypassed them by proxying my traffic through an SSH tunnel to my home machine.

relay (5, Interesting)

digitalsushi (137809) | more than 5 years ago | (#28655113)

While I was at University, there was often someone broadcasting the SSID "UNH-Wireless" in their Memorial Building. The official SSID was just unhwireless. UNH required you to register your MAC before they would forward your packets to the Internet, but the rogue SSID was open. Since the Memorial Building was where all the visitors ended up for lunch after tours, I wonder how many delicious things were intercepted.

(New Hampshire is the one that touches the ocean. The other one is Vermont, which is the one that touches Canadia.)

Re:relay (1, Informative)

Anonymous Coward | more than 5 years ago | (#28655217)

(New Hampshire is the one that touches the ocean. The other one is Vermont, which is the one that touches Canadia.)

Canadia? [urbandictionary.com]

Re:relay (1)

winkydink (650484) | more than 5 years ago | (#28655449)

Doesn't New Hampster also touch Canadia?

Re:relay (1)

Dragonslicer (991472) | more than 5 years ago | (#28655459)

Yeah, well, it's UNH. What do you expect? (says the UMaine alumnus)

I kid, I kid

Re:relay (1)

omi5cron (1455851) | more than 5 years ago | (#28655855)

when was this? i am a few miles down the road, WTF why not i go do some experimenting...i am also an alumnus, but back then there wasn't even the internet. my, how time flies, and things change!!

Re:relay (0, Offtopic)

rickb928 (945187) | more than 5 years ago | (#28655879)

New Hampster touches Canadia, just in a not very interesting spot.

Vermont, on the other hand, touches Canadia upclose to Montreal. Much more fun than just trees.

Maine, of course, touches a lot more of Canadia, but it's all lower rent and not so much fun. Beautiful in its own way, but not Montreal.

And thankfully, Maine doesn't touch Vermont at all. Wierd shit in Vermont.

Blackhat Interception : +1, Extra Jalapeno Hot (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28655147)

Cheney: Yeah, zap 'em. He's watches too much Olbermann. While your at it, potato Al Gore's Prius.

Agent X: You're sure.

Cheney: As sure as I'm a burner of the U.S. constitution.
We'll make billions, I assure you.

Agent X: Does "we" include me.

Cheney: You're a poet and don't know it.
See ya in Paraguay or Turkmenistan.

they were running off someone else's computer (1)

Threni (635302) | more than 5 years ago | (#28655183)

So what? I'm in an airport using https over wpa, or I'm just surfing news etc. I don't care how it's getting on the net.

Re:they were running off someone else's computer (4, Insightful)

Absolut187 (816431) | more than 5 years ago | (#28655357)

Except that you are directly connected to someone elses network, meaning that there is nothing stopping them from getting into your Windows machine via one of the many security holes.

Re:they were running off someone else's computer (2, Interesting)

markringen (1501853) | more than 5 years ago | (#28655765)

only problem is, that u have to be an uber-dork to exploit them... meaning extensive programming knowledge which i doubt any aviation worker has.. so it's a false warning really, as nobody is truly going to attack a single laptop on an airport (your not gonna do online-banking on a public connection, unless your an idiot...)

Re:they were running off someone else's computer (1, Informative)

Anonymous Coward | more than 5 years ago | (#28657309)

only problem is, that u have to be an uber-dork to exploit them... meaning extensive programming knowledge which i doubt any aviation worker has.. so it's a false warning really, as nobody is truly going to attack a single laptop on an airport (your not gonna do online-banking on a public connection, unless your an idiot...)

A black hat is, however, going to be perfectly happy with leaving the trojan on your PC so that, when you get back home and log into your bank from your "secure" connection, you're pwn3d.

All it would take is a few hours running a properly-configured (2 network interfaces, one to the airport's wireless, one acting as the WAP) laptop doing DNS redirects on common banner-ad hosting sites to run the malicious Javashit, Flash, or even just replace the ads with a .gif/.jpg/ that contains suitably-malformed headers/metadata.

Re:they were running off someone else's computer (1)

markringen (1501853) | more than 5 years ago | (#28659363)

moving to my point: the chances are 1 in a billion.. meaning, not a risks.

Re:they were running off someone else's computer (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28658033)

Which Windows machine ?

SSL? (2, Interesting)

captaindomon (870655) | more than 5 years ago | (#28655227)

This article contains a lot of FUD. If you're banking or anything important money-wise you're probably using SSL with a signed certificate, even if you're a Joe Sixpack. If I'm doing anything work related I'm on a VPN. You should never, ever, trust that your connection through the "internets" is secure anyway. Wireless access doesn't change anything about that. This article is just trying to gain attention by using fear.

Re:SSL? (2, Insightful)

causality (777677) | more than 5 years ago | (#28655443)

This article contains a lot of FUD. If you're banking or anything important money-wise you're probably using SSL with a signed certificate, even if you're a Joe Sixpack. If I'm doing anything work related I'm on a VPN. You should never, ever, trust that your connection through the "internets" is secure anyway. Wireless access doesn't change anything about that. This article is just trying to gain attention by using fear.

There really is a tremendous amount of ignorance concerning the most basic knowledge of computers and networks. Of course, you can decide that if you are going to use a complex tool for important tasks, that it is wise to learn what you can about that tool so that you use it effectively. That you bear some responsibility is welcome news, for it means you have some control over whether you have a good experience. In fact you can be curious about how it works and enjoy discovering and learning new things. The mark of such people is that over time, they gradually get better and better as they gain experience and their knowledge expands.

You can also insist that you have a God-given right to perform complex tasks with little or no understanding. You can then resent anyone who tells you that you bear at least some responsibility for this decision and for any undesirable events that result from it. You can decide that while lesser men may have to read up on a thing or learn about it, you are too special for that and will magically do everything that they do while investing no such effort. You can memorize a monotonous and robotic list of steps instead of developing any real understanding of what you are doing and why, causing interface changes to lead to "retraining costs." The mark of such people is that they are "permanent noobs" who can somehow manage to use a device for years and know nothing more about it than when they first started.

The folks in that second category seem proud of it. They seem to view understanding the tools they use the same way the aristocracy of old felt about "fraternizing with the help." I am not glad when they encounter misfortune, but I don't consider them to be victims either.

Re:SSL? (1)

Burz (138833) | more than 5 years ago | (#28657269)

The only issue I have with that view is the fact that most IT types aren't trying to educate people about link security, or even telling them what a browser is. That vast ocean of ignorance reflects poorly upon US not them!

Re:SSL? (1)

causality (777677) | more than 5 years ago | (#28657471)

The only issue I have with that view is the fact that most IT types aren't trying to educate people about link security, or even telling them what a browser is. That vast ocean of ignorance reflects poorly upon US not them!

I will tell you why I reject that viewpoint.

I did not wait around, passively, until someone decided that they were going to educate me. I educated myself, actively, knowing that I am better able to accommodate how I learn and how I understand things better than some stranger. The information was out there, it was freely available, there was no secrecy and no hidden nature to it, so I looked things up, I read a lot, I used trial and error, and otherwise I did what I had to do. This was not some single one-time event, but more of a gradual process that has helped to strenghten my skills over time. This is not just computing. I feel that way about anything I do on any sort of regular basis. Each time, I want to be just a little more proficient with it than the last time I did it. If I don't meet that standard, that's no big deal, I see what mistake(s) I made and I learn from them, but that's the goal and it is that towards which I strive.

So, logically there are two possible answers to what you are saying. Only one of them can be true. Either I am something special and have made some supreme accomplishment that is completely inaccessible to most of the rest of the population, or, I haven't done anything that any other literate adult could not also do. Lest there be any doubt, I will say up-front that I don't believe I am something special. I really believe that if half the effort that is spent towards making excuses and justifications for ignorance were instead put towards remedying that ignorance, that the general level of competency would absolutely skyrocket. Every last thing I see only confirms that this is true.

So, to me it's apparent that saying "well WE should have educated THEM" is nothing more than a quaint way of agreeing with those "average" users. In what fashion does it agree with them? It shares their denial, their belief that they are just helpless victims who have no hope of taking things into their own hands and deciding for themselves what their experience is going to be. It's the leaf-in-the-wind again, and that leaf-in-the-wind status is always voluntary. There's a huge, staggering difference between "blaming the victim" and realizing that the victim is not really a victim but has actively chosen the experience that he or she is having.

Re:SSL? (2, Informative)

Runaway1956 (1322357) | more than 5 years ago | (#28656147)

You should read more. There's a book out, "Beautiful Security". There is a chapter devoted to airport wireless. Joe Sixpack doesn't look at the SSL certificate, doesn't even notice the little lock emblem. Even a lot of "sophisticated" people continue doing their banking, rationalizing the absence of the secure symbol. The author of the section has collected TONS of personal details by spoofing a WIFI service at an airport.

Re:SSL? (1)

itsthebin (725864) | more than 5 years ago | (#28658009)

to use this access point you require our activeX plugin

please accept the plugin to continue

Re:SSL? (1)

rdebath (884132) | more than 5 years ago | (#28658185)

Tell me where you get caught ...

  1. You enter your bank's name into the browser bar, get the html page
  2. You hit the logon button, get to an ssl page
  3. You enter your logon details
  4. You check your balance
  5. You logoff.

You have just been hacked, your user id and password are now property of the blackhats.

Airport wireless is shoddy anyway, half the time (2, Interesting)

King_TJ (85913) | more than 5 years ago | (#28655261)

Last time I was traveling, I was flying out to Portland, and I had connectivity issues with the free wi-fi offered by the airports. At one of them, I'd detect their SSID and successfully connect with a reasonably strong signal, but after going through their initial "terms of service" type page and using it for a couple minutes, I'd lose communications. The wi-fi said it was still connected but pings were just timing out and nothing would come up. I could disconnect, search for available wireless networks, and try to reconnect, which worked about half the time (but again, only for a few minutes).

All things considered, I'd rather find and use a rogue offering, set up a VPN tunnel, and use THAT!

I agree entirely, MOD PARENT UP (1)

Burz (138833) | more than 5 years ago | (#28657235)

A good tunnel will keep you safe and allow you to capitalize on the rogue's motives.

Your suggestion also highlights the god awful ignorance being spouted by Fox and Symantec in the article. Slashdot should be ashamed at posting such a crappy article that doesn't even mention SSL or VPNs as a safety measure!

appallingly stupid study (2, Insightful)

kali (32955) | more than 5 years ago | (#28655399)

No one should ever rely on the network layer for security, because networks are by nature insecure. Run traceroute sometime if you're curious to see how many nodes are located between your computer and your bank/stock broker/webmail. Every one of those nodes can see every one of your packets. The only solution is to use application layer encryption, and once you've done that, it doesn't matter who is spying on your traffic.

You'll notice that this study was done by "AirTight Networks, a wireless security company." In other words, they are fear-mongering in order to try to sell more of their products. No matter how secure you make your wireless network, it still won't stop anyone even 1 hop away from seeing all of your traffic. As security professionals, the researchers from AirTight Networks know this, which makes their study all the more stupid and despicable.

hak5 (0)

Anonymous Coward | more than 5 years ago | (#28655409)

I was kind of shocked that hak5 episodes (downloadable to my tivo) educates and actually encourages. this type of fake wifi. Google Jasager.

Roman McDonalds (2, Interesting)

Anonymous Coward | more than 5 years ago | (#28655585)

I noticed someone setup a wireless access point next to the McDonalds in Rome complete with the golden arches asking you to type in a valid pasport ID, date of birth, etc to get online. It was even secure https with some bogus versign.
I asked the mcdonalds employees and they all said that there was no wireless. Sketch.

3G Data Card (1)

Mistah Blue (519779) | more than 5 years ago | (#28655607)

This is one reason why I typically just use my 3G data card nowadays.

Be Safe (0, Offtopic)

Punk CPA (1075871) | more than 5 years ago | (#28656045)

Always use a rubber duck.

So what? (3, Insightful)

nurb432 (527695) | more than 5 years ago | (#28656109)

If i can get outside and not pay anything, why should i care that its not 'official'? Really, i'm not joking.

Okay...I'll repeat what others have said... (1)

rindeee (530084) | more than 5 years ago | (#28656453)

...because it NEEDS TO BE. If you are using public wireless without a VPN, YOUR ARE A FOOL. If you can't setup your own, use a cheap, public provider such as Witopia (I've had outstanding experience with them in the past).

I'm sorry (1)

JeanBaptiste (537955) | more than 5 years ago | (#28656751)

I didn't know that was wrong. I'll stop. maybe.

VPNs are your friends (1)

rbanffy (584143) | more than 5 years ago | (#28656783)

Seriously, I always VPN myself back to base every time I use a network I don't trust completely. If someone can break my crypto, he or she deserves my data.

Setting up a VPN is easy, quick and painless. Why not do it?

Re:VPNs are your friends (2, Interesting)

jroysdon (201893) | more than 5 years ago | (#28656989)

Ditto. I take it a step further. For one, I SSH to my own box for which I've got the public key for already and if it is changed the SSH will fail and throw nasty "someone changed the key" errors. For two, I go into "silent" mode where I firewall and block all inbound connections and silently drop them (even ping) and even more I firewall and block all outbound connections except my one ssh connection. My ssh script connects to my IP, so no need to use DNS either. All traffic is proxied through my ssh connection and out my server, and anything that would somehow evade my proxy (java and javascript sometimes somehow have a hack around method to bypass a proxy setting on a host) - it doesn't matter because iptable is going to drop that outbound traffic and never allow it to leave my box.

The only thing I usually have to do is first give a thumbs-up. For that, I have my usual locked-down inbound mode, all a "guest" Firefox profile that is set to no proxy and connect to hit the authentication/agreement terms page (for Starbucks, hotel wireless, etc.), and then once I get past that I flip my ssh script on which locks down my firewall and sshs to my system as described above.

I'm not sure about how easy that'd be to do on a Windows box. Can you firewall a Windows box from not making any outbound connections? It's been a while since I ran Windows as a Host (when I must, I run them as VM guests). But that would be my recommendation to anyone.

Stop scaring people into paying for the Internet!! (0)

Anonymous Coward | more than 5 years ago | (#28657639)

When I'm in a crowded airport and have a long layover - the first thing I do is broadcast a free ad-hoc network with an SID "Free till flight x departs" in airports that charge for WiFi before my flight departs. Just trying to be nice.

I shouldn't have to remind people that the Internet is not secure. Not taking proper precautions (Using a VPN, SSL..etc) or being a gullable sucker and downloading botnetzombie.exe from your favorite porn site has the potential of being just as stupid in an airport as it is at home or while attending defcon later this month.

Scary connection in Hartford airport (1)

blanchae (965013) | more than 5 years ago | (#28657915)

Back a couple of years ago, I was waiting for a flight out of the airport in Hartford and turned on my laptop. I forgot that I had my wireless turned on and up came the list of available connections. One was called "Friends of Engtech" - Engtech was a project that I was working on at the time. I don't have a clue how they picked up that phrase unless I had a shared folder called that - but I'm pretty sure that I didn't. I immediately switched off my antenna and disabled the wireless connection.

I use free WiFi all the time... (1)

dskoll (99328) | more than 5 years ago | (#28658509)

But I run OpenVPN. The first thing I do upon connecting is create an OpenVPN tunnel to our corporate server. I then route all traffic over the VPN connection (except for the actual encrypted OpenVPN packets themselves, of course: those need a special host route.)

I use an IP address to connect to the OpenVPN server so spoofed DNS won't affect me, and once connected, I of course use our corporate DNS servers.

Problem solved.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?