Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Home WiFi Network Security Failings Exposed

CmdrTaco posted more than 3 years ago | from the passwords-are-for-suckers dept.

Security 161

An anonymous reader writes "The shocking state of home wireless (Wi-Fi) network security in the UK has been revealed by a life assistance company study. CPP used an 'ethical hacker,' Jason Hart, to test thousands of Wi-Fi networks across six UK cities, including London. He found that many didn't even have a password and roughly half of home UK Wi-Fi networks could be hacked in less than 5 seconds."

cancel ×

161 comments

Default password security (1, Funny)

BadAnalogyGuy (945258) | more than 3 years ago | (#33895762)

My wifi router required me to change the root name and password. Don't they have that technology over in the UK?

Re:Default password security (2, Informative)

indros (211103) | more than 3 years ago | (#33895982)

Unfortunately that only changes the login for your router admin page. That has nothing to do with WEP/WPA/WPA2.

Re:Default password security (2, Informative)

master0ne (655374) | more than 3 years ago | (#33898582)

This points out a major issue, many non technical users often do not know the difference between security of the router and security of the wifi signal itself. Many people just change the router's password and think they are "safe".

Re:Default password security (1)

coolsnowmen (695297) | more than 3 years ago | (#33896982)

I have verizon DSL, and when I called for help/to complain (my connection was dropping), the tech on the phone couldn't fathom why I'd changed my administrative password. He slowly guided me through typing in a default name/pw (which I'd changed a year ago) and wouldn't deviate from the script when I told him mine was different and to hold on a second.

Though, as a linux user, I'm used to lying to technical support: "Yes, sir, I can click start->run->'cmd' "

"Life assistance" = identity theft protection (3, Informative)

Sockatume (732728) | more than 3 years ago | (#33895782)

If you were in any doubt as to why they were sponsoring a study which discovered something scary about the intertrons.

Re:"Life assistance" = identity theft protection (0, Flamebait)

Frosty Piss (770223) | more than 3 years ago | (#33896004)

So? Your point? Are you saying that the findings are bunk? Or are you just pissing about enterprising people who make more money than you?

No password WiFi != unsecured (5, Informative)

Omnifarious (11933) | more than 3 years ago | (#33895808)

My Wi-Fi has no password, and that's a purposeful choice. While evaluating the passwords on WiFi that does have a password is a reasonable analysis, it's not reasonable to call any WiFi without a password as unsecured.

Re:No password WiFi != unsecured (1)

Sockatume (732728) | more than 3 years ago | (#33895886)

MAC filtering, right? A surprising number of generic routers from telecom companies do some MAC-based authentication, I've found. I was surprised to discover that my aunt's Orange router made you switch it into a pairing mode by holding a button on the side before it'd let an unfamiliar device actually use the network. So even though this amazing hacker could get through the WEP password in 5 seconds, he wasn't going anywhere.

Re:No password WiFi != unsecured (0)

Anonymous Coward | more than 3 years ago | (#33895952)

I've got some bad news for you... MAC spoofing is incredibly easy to do for anyone that wants to do it.

Re:No password WiFi != unsecured (1)

BrokenHalo (565198) | more than 3 years ago | (#33896210)

MAC spoofing is incredibly easy to do for anyone that wants to do it.

It is, but guessing the MAC address of a device that will be accepted by the router might be just a little bit harder.

Re:No password WiFi != unsecured (5, Informative)

JayJay.br (206867) | more than 3 years ago | (#33896312)

Not if the communication is not encrypted and there is any traffic at the time.

Re:No password WiFi != unsecured (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33897802)

Even if it is encrypted, you'll see the MAC in the clear.

Re:No password WiFi != unsecured (1)

TheRaven64 (641858) | more than 3 years ago | (#33896332)

Unless, of course, one such device is already connected, in which case it will be broadcasting its MAC address with every packet. If you use different port numbers, its TCP/IP stack will simply ignore any packets sent to it on connections that you are using.

Re:No password WiFi != unsecured (0)

Anonymous Coward | more than 3 years ago | (#33895962)

...because there's no such thing as mac spoofing, right guys?

Security Through Obscurity at it's best

Re:No password WiFi != unsecured (3, Informative)

rotide (1015173) | more than 3 years ago | (#33895990)

Frankly, spoofing wireless MAC addresses are easier than cracking WEP. Hell, one of the first steps in using backtrack, etc, is to spoof your mac before associating with the AP.

Re:No password WiFi != unsecured (0)

Anonymous Coward | more than 3 years ago | (#33896226)

yes, except you have to know a MAC address that the AP is going to allow on the network.

Re:No password WiFi != unsecured (1)

kikito (971480) | more than 3 years ago | (#33896296)

bum! headshot

Re:No password WiFi != unsecured (1)

natehoy (1608657) | more than 3 years ago | (#33897288)

Sure, and once you crack the encryption (assuming there is any) you wait for the first machine to send the first packet of data to the WiFi access point, which (conveniently) has a recognized MAC address!

MAC address filtering isn't a bad idea, it's just not an effective one. It's a great extra layer of protection, but it's only the slightest bit effective if you also encrypt the control stream so a would-be hacker can't simply look for a known-good one.

Plus, and just as importantly, once the hacker can decrypt the data going over the wire, he or she may not give a shit about actually connecting to your access point. They can just record everything you send and receive, and even if you use SSL for all passwords on the Web and such they can still usually get URLs and often (because very few ISPs support encrypted email checking) your email address, password, and the contents of any email. Not to mention instant messages, the contents of any non-encrypted web pages, etc.

Re:No password WiFi != unsecured (2, Funny)

sjames (1099) | more than 3 years ago | (#33896324)

On the other hand, simple MAC based filtering is a perfectly effective way of making it clear that the Wifi is not intended for public use. It's not a half bad option if you don't really care much but want to let normal polite people know your intentions.

It will also keep MOST people looking for free Wifi out.

The ideal MAC filtering sends all un-approved devices to the MITM box to log their facebook credentials and post really awkward messages on their page.

Re:No password WiFi != unsecured (0)

Anonymous Coward | more than 3 years ago | (#33896700)

MAC filtering is not an effective way of making it clear that the Wifi is not intended for public use, simply because it does not give any feedback to the user. "It just doesn't work" is the least polite way of letting people know your intentions, especially "normal people".

Interception of transmissions which are not intended for you is clearly illegal, btw., as is manipulating data without authorization. Even if you're in a place where accessing open wireless LANs is not per se legal: If you have the know-how to do what you describe, but still make your access point look like a public hot spot, this will certainly be held against you.

The right thing to do is to encrypt wireless LANs that are not meant to be public. No ifs and buts about it.

Re:No password WiFi != unsecured (1)

sjames (1099) | more than 3 years ago | (#33896996)

That was a joke son...

As for the MAC filtering, if it refuses to allow association, it makes it quite clear the network is closed and that there's no offer available to get it open (unlike a customers only hotspot where a password might be available if you buy something).

Re:No password WiFi != unsecured (0)

Anonymous Coward | more than 3 years ago | (#33897258)

MAC filtering results in an indescript error condition. It literally "just doesn't work". There's also no indication that there is no way to use the network. Just like you could get a password for a password protected network, you could have your MAC added to the whitelist. Most importantly, an unencrypted network transmits beacon frames which indicate an open network, indistinguishable from a public network. Captive portals are in the same bin as MAC filtering networks: They both send out misleading information. Captive portals should use WPA(2) encryption and indicate the shared key in the SSID. Closed networks should be encrypted. If you operate an unencrypted network and it's not meant to be accessed by the general public, then you're doing it wrong.

Re:No password WiFi != unsecured (1, Interesting)

Albanach (527650) | more than 3 years ago | (#33897470)

Spoofing is misdescribing things a bit. It's not like spoofing an IP address where you present an address diffferent to that you're actually using and which can cause issues with a lack of return traffic (data being sent to the spoofed IP).

Usually your MAC address can be user set using ifconfig - something like

ifconfig eth0 hw ether 00:01:02:03:04:05

That then becomes your MAC address. It's not being spoofed, it's the address your card has and will present when connected to a network.

Re:No password WiFi == unsecured (4, Insightful)

Anonymous Coward | more than 3 years ago | (#33895938)

You seem to be confusing "unsecured" with "insecure". They do not mean the same thing.

Unsecured WIFI means you have no password..

Just because it's intentionally unsecured doesn't mean it's not unsecured.

Re:No password WiFi == unsecured (1)

Klync (152475) | more than 3 years ago | (#33897712)

Yes, but if we're going to parse the words that closely, I'll jump in on the side of the OP. Perhaps it's true to say, strictly speaking, that the WAP itself is "unsecured". But if the WAP is unsecured by design (i.e. the design of the *network*), than I'd say it's inaccurate to say that "the network is unsecured".

I leave my AP open to the public on purpose. I have no less fear of an attack on one of the machines hosted on that network through the wireless interface on the router than I do through the WAN interface. The only part of the network that would be "unsecured" due to the AP being open would be a box (ahem, windows) that was connected to it without my knowledge and is listening for connections.

Oh, what? MitM attacks? Puh-lease. Again, the network is no less secure through the open WAP than it is through the WAN interface.

Re:No password WiFi != unsecured (1)

MoonBuggy (611105) | more than 3 years ago | (#33896012)

Exactly. Some of us are quite happy to provide a little bit of free access to those who need it. All the machines on my network are secured, the network itself is deliberately open.

Re:No password WiFi != unsecured (2, Interesting)

gmack (197796) | more than 3 years ago | (#33896300)

Do you filter outgoing mail and do you take any measures to prevent forum spamming?

Re:No password WiFi != unsecured (0)

Anonymous Coward | more than 3 years ago | (#33896756)

Not his job.

Re:No password WiFi != unsecured (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33896384)

Some of us are quite happy to provide a little bit of free access to those who need it.

also, it helps to have a little bit of plausible deniability when ACS:Law come calling...

Re:No password WiFi != unsecured (1)

MikeURL (890801) | more than 3 years ago | (#33896832)

I'm sorry but that is just foolish. For starters anything that is done on your network is going to be tracked right back to you. If someone leeches your internet to grab child porn or to communicate with terrorists then you are on the hook.

But beyond just that there are always 0-day hacks out there and letting someone freely roam your LAN is like begging to be compromised. This is particularly true if you leave the network unsecured long-term and it becomes a "known" open AP.

Re:No password WiFi != unsecured (1)

ElectricTurtle (1171201) | more than 3 years ago | (#33897684)

So are hotels and libraries and coffee shops "on the hook" for terrorism and child pr0n too?

Re:No password WiFi != unsecured (1)

tepples (727027) | more than 3 years ago | (#33898072)

Ideally, hotels, libraries, and coffee shops should offer Wi-Fi credentials (the WPA key and a one-time-use activation code on the captive portal) only to customers who have paid or otherwise identified themselves.

Re:No password WiFi != unsecured (0)

Anonymous Coward | more than 3 years ago | (#33898600)

If someone leeches your internet to grab child porn or to communicate with terrorists then you are on the hook.

Maybe he's a part time pedophile terrorist and he wants to be able to blame his unsecured wifi in case he gets caught.

Re:No password WiFi != unsecured (0)

Anonymous Coward | more than 3 years ago | (#33898682)

Me too, I have an open wireless network with a +9db omni antenna in my attic. It reaches a couple of houses in any direction around my house. I also run a TOR exit node.

A couple of reasons for this.
1. Comcast charges me $80/month, by god I'm going to USE that !@)!$*#))@*&&# bandwidth.
2. It gives me interesting traffic to packet trace.

My personal internal network uses an ipsec policy to encrypt all traffic to the private gateway where it is decrypted for the interwebs.

It's good enough, for now.

Umm, no. (4, Insightful)

schon (31600) | more than 3 years ago | (#33896048)

My Wi-Fi has no password, and that's a purposeful choice.

Which doesn't mean it's not unsecured. It just means that it's unsecured on purpose.

Supposed you have a bicycle. You chain it to a lamppost. It is now secured.
Supposed you take the same bicycle and decide purposely to not chain it to anything. Just because you decided not to chain it doesn't make it magically secured. It's still unsecured, you just made the decision not to secure it.

Re:Umm, no. (2, Insightful)

sjames (1099) | more than 3 years ago | (#33896390)

However, in the latter case, you can no longer be said to have failed somehow.

Re:Umm, no. (1)

Reilaos (1544173) | more than 3 years ago | (#33896412)

But suppose he didn't use a chain, but instead some other form of protection? It's still secured, just not with a chain.

If he secures his network with something other than a traditional password, it's still secured. Just not password protected, which is what I think the parent did.

Re:Umm, no. (1)

MozeeToby (1163751) | more than 3 years ago | (#33896418)

But there are other ways to secure a bicycle like... ok, the metaphor is breaking down so I'm going back to reality. MAC filtering, guest SSIDs, or firewalls are all valid ways to secure your network while not encrypting the signal.

Re:Umm, no. (1)

tdyer (1399659) | more than 3 years ago | (#33896672)

ummm, no. seperate unencrypted vlan's are == to seperate network. allowing a seperate network for others to use has nothing to do with your security and is irrelevant to this discussion. MAC filtering is just plain stupid, and not worth the time it will take to setup. Firewall's are great as long as you aren't transmitting anything sensitive.

Umm, no... again (1)

Charliemopps (1157495) | more than 3 years ago | (#33896482)

You don't need to password protect your wifi to secure your network. If you have it properly firewalled after the AP there's no need to secure the connection at all. Since Wifi security is pretty much worthless anyway, why bother? If someone connects to my AP they will get a big fat nothing. No internet connection, no access to the internal lan, nothing.

Re:Umm, no. (2, Insightful)

Abcd1234 (188840) | more than 3 years ago | (#33897018)

Which doesn't mean it's not unsecured. It just means that it's unsecured on purpose.

Not quite. I have two WAPs, one with WPA2-PSK connected to my internal LAN with a ridiculously long key, another open and isolated in a DMZ with very limited access to my LAN. As such, while the WAP isn't locked down, I'd argue it is secured.

Re:Umm, no. (1)

natehoy (1608657) | more than 3 years ago | (#33897370)

Not to be pedantic, but... oh, hell, I'll be pedantic.

Your open-and-isolated WAP is not secured. It's isolated.

Your LAN is secured from your WAP. Your WAP is not secured.

Re:Umm, no. (1)

discojohnson (930368) | more than 3 years ago | (#33898622)

Sorry, but use a car analogy so the rest of us can understand.

Re:No password WiFi != unsecured (1)

MoriT (1747802) | more than 3 years ago | (#33897564)

Right. By "hacking" they didn't mean, "got full access to the router", they meant, "could use the WiFi." I run an open router because I think blanketing as much of the country in open WiFi is important. I keep appropriate security for it, and I don't use that network, but there is no reason to equate the two unless you're a FUD company profiting off people thinking that just because someone can use their WiFi they are going to commit identity theft. By that point, wouldn't it be easier to find some of those credit card checks in the trash? How many of these people use shredders? Probably fewer than secure their wireless network.

um seconds... no... (1)

daveb1 (1678608) | more than 3 years ago | (#33895820)

um seconds... no... it takes a few minutes max to crack wep ... If you were trying a dictionary attack against a network that may work faster :)

No password may be a feature not a bug (4, Interesting)

kherr (602366) | more than 3 years ago | (#33895856)

There is no way to know if the open wifi networks are open intentionally or not. Just ask Bruce Schneier [schneier.com] . Saying they're "open to criminals" is biased, maybe "open to visitors" would be more appropriate. How come coffee shops and other businesses with open wifi aren't called out for letting criminals access the network?

Re:No password may be a feature not a bug (1)

houghi (78078) | more than 3 years ago | (#33896414)

In the real life, the people will have no idea that the wireless from they got from their ISP is insecure. That is why they payed money for it in the first place, because they have no idea how to do it themselves.

And sure, the coffee place might have the modem to standard login and password, so I would take another coffee while I played with their system, but in reality I know better and you know as well.

Re:No password may be a feature not a bug (0)

Anonymous Coward | more than 3 years ago | (#33896610)

crumpet bribery is at epic levels in UK i'm sad to report.

Re:No password may be a feature not a bug (1)

hedwards (940851) | more than 3 years ago | (#33896790)

If you want it to be open for visitors and whoever else wants in, there's solutions for that. Open mesh [open-mesh.com] includes the possibility, although at this point, they don't seem to allow a proper way of securing it other than just putting in a long passphrase of gibberish and not telling people what it is.

Re:No password may be a feature not a bug (1)

tepples (727027) | more than 3 years ago | (#33898118)

How come coffee shops and other businesses with open wifi aren't called out for letting criminals access the network?

As I understand it, solely because there hasn't yet been a widely publicized child porn conviction involving coffee shop Wi-Fi.

I'm Shocked! (0)

AtomicDevice (926814) | more than 3 years ago | (#33895926)

The men in their scary black vans will totally park outside my house and steal my wifi!

Oh wait, that's not scary at all because people don't do that. And in real life, I type all my passwords only into sites secured with ssl, which is way better than crappy wifi encryption anyways. So I guess that the neighbor kids might get some free wifi (don't care, not a big deal to block them, mac whitelist, upside-down-ternet etc). If there are people parked outside my house gathering my non-secret data (since my secret data is encrypted regardless of wifi), I either
a) Don't care (google, engineering students, etc
b) Have bigger things to worry about (the FBI, and since I don't have brown skin or read a Koran, I probably won't ever fall into their highly sophisticated detection network)

See also: http://xkcd.com/341/ [xkcd.com]
and furthermore: http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110 [wired.com]

Re:I'm Shocked! (1)

hedwards (940851) | more than 3 years ago | (#33896826)

I disagree, the point is that they could do it, not that they are doing it. If you leave your connection open, then they could do it and you'd ultimately be the one that's getting investigated by the FBI.

Sure it's not common practice, but that's not to say that it doesn't or couldn't happen, it's still a risk and really a stupid one to take.

Re:I'm Shocked! (0, Troll)

Lumpy (12016) | more than 3 years ago | (#33897048)

Dude, only rank amateurs would do they from in front of your house. I have a $29.95 antenna I bought that I can use your WiFi from 5 blocks away. You wont see them, you will not be able to detect them. Heck this thing was able to pull Wifi through trees and houses from a block away.

If you think they need to be near your house, then you know absolutely nothing about networking.

Re:I'm Shocked! (1)

natehoy (1608657) | more than 3 years ago | (#33897530)

Do you check your email over WiFi? Have you configured your email to check over a secured connection (hint: very, very few ISPs actually support this!)?

http://customer.comcast.com/Pages/FAQViewer.aspx?Guid=b454828c-37a6-459a-9191-2a1b0f2bb20e [comcast.com] http://www22.verizon.com/ResidentialHelp/FiOSInternet/Email/Setup%20And%20Use/QuestionsOne/85515
http://www.dslreports.com/forum/r19960885-northeast-Verizon-FIOS-and-Outlook-2003-Setup [dslreports.com] -- note the quote "Server Requires Authentication should not be checked."

There are a surprising number of services that do not use SSL (POP/SMTP for email, Instant Messenger, plain old FTP, etc), and even those that do sometimes only protect the actual login process.

I don't mean to sound paranoid, but you may be revealing more of your "secret" data than you think. Security is not accomplished using a single layer of protection. Particularly not when the single layer is woefully incomplete.

Slow take up of WPA (1)

pellik (193063) | more than 3 years ago | (#33895940)

Why is it so hard for industry (default configurations) to move from open or WEP to WPA? Sure, WPA isn't perfect, but it does represent a significant increase in difficulty for hackers.

Re:Slow take up of WPA (1)

hedwards (940851) | more than 3 years ago | (#33896906)

Indeed, while WPA1 was cracked, it's not completely cracked and the utility is pretty minimal for those that want to abuse it. I think that getting things like WPS to work right and be supported across platforms would likely go along ways.

WPS in my experience tends to be hit or miss, I don't think that any of my hardware actually supports it, apart from one of the access points I had. Unfortunately, things like my Wii and PS3 don't seem to support it, which is a shame given that when done properly it's both more convenient and more secure that counting on the ability to type in a pass phrase with a controller.

Re:Slow take up of WPA (2, Interesting)

VJ42 (860241) | more than 3 years ago | (#33897118)

Why is it so hard for industry (default configurations) to move from open or WEP to WPA? Sure, WPA isn't perfect, but it does represent a significant increase in difficulty for hackers.

I use WEP+MAC filtering because I have a really old WiFi card that doesn't handle WPA and no reason to replace it.And to be blunt, that's just fine; it deters the neighbors enough to stop them using my 'net connection. It won't stop a determined hacker, but exactly when is that going to be a problem?

OT Question (2, Interesting)

rotide (1015173) | more than 3 years ago | (#33895958)

Honest question here. Say I wanted to setup and open a WiFi AP for neighbors to check email, etc, when their connection is down. How can I do that and not get screwed if they download kiddie porn or send a threatening letter to the white house? Yes, I'm in the US. I know I can use the TOR network, but frankly, I'd rather not. Is there any legal way I can share my network connection to those that need it without setting myself up for a world of hurt?

Again, I realize this is OT, but it's an honest question.

Re:OT Question (5, Interesting)

mellon (7048) | more than 3 years ago | (#33896130)

Yes. Vote in the November election. Lobby your congresscritters to keep the common carrier defense applicable to the Internet.

Re:OT Question (2, Interesting)

bsDaemon (87307) | more than 3 years ago | (#33896702)

Leaving your wireless AP open doesn't make you a common carrier. From Title II of the Communications Act of 1934:

(h) "Common carrier" or "carrier" means any person engaged as a common carrier for hire, in interstate or foreign communication by wire or radio or in interstate or foreign radio transmission of energy, except where reference is made to common carriers not subject to this Act; but a person engaged in radio broadcasting shall not, insofar as such person is so engaged, be deemed a common carrier.

Running an AP basically makes you a person engaged in radio broadcasting, and as we see, that is explicitly not covered. Likewise, if you're not carrying traffic for hire and aren't under an FCC license, then you are also not covered.

But then again, this is Slashdot, where people keep repeating things they heard whether they actually know what they're talking about or not.

Re:OT Question (1)

IndustrialComplex (975015) | more than 3 years ago | (#33897818)

But then again, this is Slashdot, where people keep repeating things they heard whether they actually know what they're talking about or not.

Your right, you don't know what you are talking about. An AP is NOT radio broadcasting in the scope of the regulation you posted.

Re:OT Question (3, Interesting)

bsDaemon (87307) | more than 3 years ago | (#33897916)

Not in the sense of a W or a K station, but its still broadcasting radio traffic. It still doesn't make you a common carrier due to other restrictions. Most things people think are common carriers aren't and never were. Likewise, "safe harbor" means that if the carrier meets the requirements for compliance with CALEA, that they can't be held liable for not being able to do anymore.

Either way, the end case is the same. Neither of these constructs have anything AT ALL to do with whether or not you're going to get boned if someone jumps on your AP and starts committing crimes.

Re:OT Question (2, Insightful)

IndustrialComplex (975015) | more than 3 years ago | (#33898166)

Thanks for responding in a civil manner even though I was a bit snarky.

When you get down to it, any 'radio' is broadcasting if you define the area of measurement narrowly enough.

Republicrats (1)

tepples (727027) | more than 3 years ago | (#33898190)

Vote in the November election.

For one Republicrat or the other Republicrat? As I understand it, child pornography and terrorism are not issues whose policies vary between the respective platforms of the two major U.S. parties.

Lobby your congresscritters

How do you propose to outlobby the "for the children" crowd and the Motion Picture Association of America?

Re:OT Question (1)

characterZer0 (138196) | more than 3 years ago | (#33896142)

Get a VPS in another country. Establish a VPN connection from your router to your VPS. Route all traffic from the open AP through the VPN.

Re:OT Question (0)

Anonymous Coward | more than 3 years ago | (#33896166)

Sounds like somebody wants plausible deniability. Kidding! :)

Re:OT Question (1)

garyok (218493) | more than 3 years ago | (#33896326)

Say I wanted to setup and open a WiFi AP for neighbors to check email, etc, when their connection is down. How can I do that and not get screwed if they download kiddie porn or send a threatening letter to the white house?

If you're really worried that they're going to download CP or troll the POTUS, then you probably just shouldn't do it at all. Yeah, the internet is epoch defining communication tool and a great source of entertainment but I seriously doubt your neighbours' lives are going to grind to a halt if they can't browse Craiglist for the next single woman to keep in their chest freezer.

Re:OT Question (2, Informative)

Lumpy (12016) | more than 3 years ago | (#33897074)

ipcop firewall with a red green and blue interface. run them on the blue interface and run dans guardian on it as well as limit the bandwidth and ports allowed.

20 minutes work. and less than $60.00 if you find a Nokia IP130 firewall used.

In other words... (1)

rakuen (1230808) | more than 3 years ago | (#33896024)

...a large quantity of general users don't know how to properly configure a wireless network. Shock and awe!

Not sure I like the fearmongering (0)

Anonymous Coward | more than 3 years ago | (#33896070)

...but on the other hand I'm all for securing access points which aren't meant to be publicly accessible. It is good that these people do what's necessary to gain actual security. The alternative is that some of them get burnt and complain, which will lead to the criminalization of accessing public wireless networks. That in turn will lead to a false sense of security as people still broadcast their data in the clear. So, yes, please encrypt your wireless network if it's not meant to be provide public internet access.

Lets face it... (4, Interesting)

Darkness404 (1287218) | more than 3 years ago | (#33896140)

Lets face it, yeah, wi-fi routers can be hacked, yeah, a lot of people don't have secure wi-fi, but in all honesty does it matter to most people? Credit card information already should be encrypted with HTTPS so that wouldn't be sniffed, most sites let you use security to log in, etc.

Re:Lets face it... (1)

ledow (319597) | more than 3 years ago | (#33896732)

Because on MOST home setups, access to the network is raw access to the machines. Access to the router setup (compromise and redirect EVERYTHING, bypass IE security zones, etc.), access to the local printers, access to the filesharing ports on the computers, etc. It's a bit more serious than just "could theoretically read all incoming/outgoing unencrypted data".

There is rarely a firewall for a wirelessly connected user (because it's seen as a trusted network once you're on it), thus a simple "net use \\ip address\share" will join you to their hard drive if they've ever enabled file sharing (local user passwords aside - if they didn't bother to set a WPA key, chances are they don't use passwords more complicated than "dad"). That's complete, utter, 100% compromise of the machine because it's trivially easy to then just replace critical system files and thus instant key-logger compromises even secure websites.

Beside that, the amount of stuff that flows over an unencrypted HTTP connection is actually quite scary - most UK ISP's use the same login for ADSL and thus do for email, and use plaintext SMTP or POP3 authentication. Even PPTP is inherently insecure if you can record a single conversation over it. If you ever see someone log into their POP3 account, then you have access to their ISP billing, all their email accounts, their home router and again you've hit total compromise.

I never understand the apathy towards this, or towards malware in general. Yes, these people are idiots and get what they deserve but why just say "Oh, it's only a virus, don't worry" or "Oh, someone just got into your wireless". If someone said those things about your body or your home, you'd be extremely nervous and scared about what could have been. If you NEVER use your devices for anything that you wouldn't do on national television, then sure, it's fine. Most people however would be shit-scared to even have their photographs deleted, let alone posted online for all to see, not counting that "passwords.doc" file, or the letters they wrote to their boss complaining about their inept co-workers, etc.etc.etc. If you can happily say that you would just upload the contents of your computers to a public FTP site, then sure, don't worry. Most people, if not all, can't afford such luxuries.

Yes, in practice, most of these compromised users will never know and never have anything bad done to them. However, even a small percentage of such a large number of people is an awful lot of people to be taken to the cleaners, have their bank accounts compromised, have rogue people installing things on their computer etc. Hell, even a teenager deleting your hard drive for a laugh has brought grown people to tears before now because they've lost something they needed for work / some family photos / etc. Yes, backup, backup, backup but that doesn't help after the event.

I work in schools as an IT manager. My first job when I joined my current workplace was to educate people. If you bring me a laptop that "might have a virus or something" and I see a SHRED of evidence of malware, it gets disconnected (even in the middle of a class) and wiped back to factory settings. There is no compromise, or negotiation, because just a few network hops away is the program that pays the entire staff wages from the school's bank account automatically each month. If I see a single piece of software that doesn't belong on any computer, it gets wiped (and all your "unofficial" programs with it, and your music if it's iTunes). When a computer is under my domain, it WILL be clean and that means absolutely STERILE. Every time you take it home and bring it back in, if I spot something, I will just keep wiping it until you learn. So far, 2+ years and nothing more than a fake antivirus banner ad in Firefox across 150 machines because of that policy - but an awful lot of people have learned that they should always back up everything twice (well, I *DID* backup their stuff before I wiped any potentially infected laptop but I only told the senior staff that, who were shocked at the lack of backups these people were performing of supposedly "critical" files to their jobs - amazing how much I was able to "recover" later when they admitted they hadn't backed up that stuff EVER even though it was critical data). Before I arrived, it was apparently commonplace to have infections every week or so on average.

At home, yeah, you do what you like. If you expect me to provide you with VPN or with a laptop, that's my domain and you will be killed if you present a risk to my networks. And if you ask me to clean your computer, I used to link my rates not to the amount of time to clean things up, but to the amount of effort you put into stopping them in the first place (people who knew nothing about computers but had done everything "right" often got it done for free). Don't come to me and ask "My laptop has a virus that I think I caught from my wireless because it has no password", because that kind of stupidity gets VERY expensive even for a small job.

Apathy is fine. Until you expect sympathy. Most people expect sympathy and almost all have things on their computer that they do NOT want to lose / have made public knowledge.

This just in! (0, Troll)

Drakkenmensch (1255800) | more than 3 years ago | (#33896158)

Hello, Day Old News? Slashdot would like to cancel their subscription. They're taking all their business to Behind the Times.

5 seconds? (5, Funny)

cfc-12 (1195347) | more than 3 years ago | (#33896236)

He found that many didn't even have a password and roughly half of home UK Wi-Fi networks could be hacked in less than 5 seconds."

I'm impressed. I can't connect to my own wireless network in less than 5 seconds.

Re:5 seconds? (0)

Anonymous Coward | more than 3 years ago | (#33896620)

I'm impressed. I can't connect to my own wireless network in less than 5 seconds.

Just compare it to movies. If I try to play my legally obtained blu-ray or DVD, it takes forever to start. If I obtain a rip from Pirate Bay, it plays instantly.

Re:5 seconds? (1)

stephanruby (542433) | more than 3 years ago | (#33897726)

I'm not. I don't think his set up requires him to click three buttons and wait for internet explorer to load. He's most likely just establishing the connection through some kind of scripted command-line utility, and then just issuing a ping to a well-known fast-loading web site.

Not Shocking (5, Insightful)

timeOday (582209) | more than 3 years ago | (#33896340)

I hate the alarming tone of these passe "war driving" articles. A car or home can be broken into in 5 seconds by breaking a window. Most mailboxes where I live (including mine) are just boxes with a little non-locking door on the front that anybody can open.

And yet, the world keeps on turning.

Hopping onto somebody's wifi doesn't mean anything. It doesn't mean you can get their personal documents, or banking info, or anything else.

Re:Not Shocking (1)

rakuen (1230808) | more than 3 years ago | (#33896662)

Well, you might be able to if it was on a network share, but that brings up an entirely different set of security issues. The foremost of which is probably, "Why on earth are you keeping important information on a public network share?"

Bet it happens too.

Re:Not Shocking (3, Insightful)

Nidi62 (1525137) | more than 3 years ago | (#33896716)

Hopping onto somebody's wifi doesn't mean anything. It doesn't mean you can get their personal documents, or banking info, or anything else.

But you CAN download music on their network and ruin them for life if the RIAA/MPAA finds out.

Re:Not Shocking (1)

betterunixthanunix (980855) | more than 3 years ago | (#33896854)

Now if only judges and juries could be convinced that is a likely scenario, maybe we could finally move past all the nonsense.

Re:Not Shocking (1)

Lumpy (12016) | more than 3 years ago | (#33897114)

But we need more people AFRAID.. the world is better with rampant fear....

LOOK OUT! ther's terrorists hiding in the bushes behind you!

Re:Not Shocking (1)

tophermeyer (1573841) | more than 3 years ago | (#33897144)

The scary part though is that a determined thief could be monitoring your traffic and you would never know. If someone smashes a window and breaks into your house you will know about it. If someone is monitoring my traffic while I'm trying to file my tax returns, for example, they might have all sorts of valuable information about me and I would never know. Especially if I am the sort of under-experienced user that leaves my wi-fi open.

scale difference (1)

DrYak (748999) | more than 3 years ago | (#33897560)

there's a subbtle diference :

- a burglar can only be physically in one home at a time
So your possesions are at risk only if he broke specifically in *your* house. If the burglar is in neigbours' - your possessions are safe (for now)

- whereas, a war-driver can usually see a smal city block while sitting comfortably in his/her car (even farther using special antenas)
So your local network (if WiFi isnt'correctly segregated) is at risk,as soon as an evil-hackerdrives in the neighbourhood. Both your local network and anyone else's on the same small block is at risk.

- a script kiddie can see the whole internet at the same time. The whole internet is just "one big village".
So if you don't have a correctly configured firewall an up-to-date antivirus and/or patched OS, your computer is pretty much toasted. It's only a matter of minute before it gets hosed, once a range scaning comes up with your IP. Luckily, most modern modem come with a firewall preconfigured. The bad thing is, some people are going to (badly) open it for applications which need incoming ports. Worst thing, people are going to connect laptops on networks that are somewhat big (work,university) and there's bound to be an infected machine on the local network.

and that's not counting that burglars will have to carry a physical loot and are thus weight limited, whereas evil hackers are more interested in data and are mostly band-width limited (and not even CPU limited. Thanks to CPU technology advancements, now there are enough cores to run all the crapware and still have free processing power for work).

Re:Not Shocking (0)

Anonymous Coward | more than 3 years ago | (#33898280)

Most mailboxes where I live (including mine) are just boxes with a little non-locking door on the front that anybody can open.

That would never work in the UK. Post is generally delivered through a letterbox in the front door. Just not always to the front door of the correct house.

Re:Not Shocking (0)

Anonymous Coward | more than 3 years ago | (#33898768)

Where you live do you have robots going from mailbox to mailbox? I suspect not.

Ethical Hacker? (1)

jermo (1898720) | more than 3 years ago | (#33896438)

Does that qualify every 12yr old- capable of cracking a WEP key, to then do security assessments in the name of CPP? If so, they should promptly upgrade their lolcats and share those with us, so at least their contribution to the information security community will have some usefulness and originality.

Rubbish. (3, Informative)

Curmudgeonlyoldbloke (850482) | more than 3 years ago | (#33896450)

"* We found that nearly a quarter of private wireless networks has no password whatsoever attached, making them immediately accessible to criminals."

So that's not just home networks then, that includes businesses deliberatly running open wifi as a service to visitors, and all sorts of commercial access points that are "open" in that they get you to a login provider for the service, which you then have to log in to? How many these "private wireless networks" are adhoc wireless on one PC connected to nothing in particular?

The first link is just an advert selling snake-oil, the second contains no information to speak of. No link to any "report" at all.

Here comes WarPrinting (1)

rokkaku (127052) | more than 3 years ago | (#33896456)

I can just imagine the birth of WarPrinting -- folks driving around the neighborhood, looking for an open printer to spew out Tubgirl or Goatse. Somehow, WiFi-equipped printers don't seem like the perfect idea, after all.

Re:Here comes WarPrinting (1)

Lumpy (12016) | more than 3 years ago | (#33897160)

my favorite is war faxing...

dial a fax number and have two pieces of black paper ready, tape them together and start it feeding, then tape it into a loop.

When the offending company comes to the office they will be out of fax paper and toner.

for bonus points, program their head office's main fax number into your fax machine as the reporting number...

Here's what I think of all those unsecured WAPs (1)

hdon (1104251) | more than 3 years ago | (#33896506)

Good.

Re:Here's what I think of all those unsecured WAPs (0)

Anonymous Coward | more than 3 years ago | (#33896742)

There needs to be more of them. It is the only way I connect to the Internet. I have never paid a monthly Internet bill (or cable) for the past 9 years. ($40/month * 12 months * 9 years = $4,320 after tax dollars saved)

So cute... (2, Insightful)

twebb72 (903169) | more than 3 years ago | (#33896622)

Its so cute how kids today think 'hacking' is obtaining access to an unprotected WAP.

Re:So cute... (1)

jank1887 (815982) | more than 3 years ago | (#33896886)

unprotected WAP? sure, I hacked my old cell phone to get WAP without paying verizon. but I think the good folks up above were talking about WiFi.

Re:So cute... (0)

Anonymous Coward | more than 3 years ago | (#33897810)

http://en.wikipedia.org/wiki/WAP [wikipedia.org]

In this context, WAP would mean "Wireless Access Point".

Most three-letter acronyms mean more than one thing, you know.

If it only takes 5 seconds to 'break in' (2, Insightful)

jenningsthecat (1525947) | more than 3 years ago | (#33896952)

... then it's not called 'hacking', it's called 'connecting to an open access point'. Next thing you know, sticking a DVD in your computer's drive and installing software will be called 'hacking'. Have we fallen so far?

Re:If it only takes 5 seconds to 'break in' (1)

rnelsonee (98732) | more than 3 years ago | (#33897414)

RTFA, it's even in bold:

According to CPP a typical password can be breached by hackers in a matter of seconds

So this isn't open access points - it's networks that are locked down (with WEP)

Shocking? (0)

Anonymous Coward | more than 3 years ago | (#33897112)

How is this shocking to anyone that uses the technology? Every person that uses WiFi knows that there's open AP's all over the place.

Where's the break-in kit? (1)

BenEnglishAtHome (449670) | more than 3 years ago | (#33897128)

Where's the software suite that lets me set up P2P software, a giant list of usenet down- or uploads, or any task for later execution, then constantly searches for open wi-fi, connects, and does the task(s)? Surely someone has written something simple to set up that works automatically.

It sure would be nice if EvilMe (tm) had a VM on my laptop that was constantly doing all my EvilDeeds (tm) in the background.

Mine doesn't (1)

fishbowl (7759) | more than 3 years ago | (#33897268)

I have an open wi-fi access point. The SSID is named "FBI Surveillance". I've waited a long, long time for someone else to actually connect to it. If they did, it's not as if they'd be able to access any of my hosts - my security doesn't rely on a closed network segment at all.

They're not thinking ahead (1)

hyades1 (1149581) | more than 3 years ago | (#33897272)

I wish that "ethical hacker" clown had kept his head down and his mouth shut. Given how far down the road the UK has already gone toward a society like Big Brother's wet dream, relatively easy access to Wi-Fi without some government snoop leaning over your shoulder might be one of the few remaining freedoms.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...