Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Fighting Rogue Access Points At linux.conf.au

timothy posted more than 2 years ago | from the your-boy-zoolander's-on-the-move dept.

Australia 80

An anonymous reader writes "Last week's linux.conf.au saw the return of the rogue access points. These are Wi-Fi access points which bear the same SSID as official conference hotspots. Often it might be a simple mistake, but sometimes it's more nefarious. To combat the attacks this year, conference organisers installed a Linux-based Wi-Fi 'intrusion prevention and detection system' supplied by sponsor Xirrius." At most conferences I've been to, I'd be grateful just to be able to get on any access point.

Sorry! There are no comments related to the filter you selected.

Cisco (2, Informative)

Bios_Hakr (68586) | more than 2 years ago | (#38807439)

At a recent event, we utilized Cisco's Wireless Access Controller. We are an all-Cisco house, so it was an easy choice.

http://www.cisco.com/en/US/products/ps6302/Products_Sub_Category_Home.html [cisco.com]

Re:Cisco (5, Informative)

mindcandy (1252124) | more than 2 years ago | (#38807507)

Cisco's WLSE has APs dedicated to TDOA and cleanair .. you can upload a CAD drawing of the building and pinpoint where exactly your TDOA aps are at and it will show you exactly where (on a virtual drawing) the rouge AP or client is.

Re:Cisco (1)

Anonymous Coward | more than 2 years ago | (#38807945)

Cisco's WLSE has APs dedicated to TDOA and cleanair .. you can upload a CAD drawing of the building and pinpoint where exactly your TDOA aps are at and it will show you exactly where (on a virtual drawing) the rouge AP or client is.

Cisco WLSE and WLC are completely different products that do different things. WLC is a wireless LAN controller that does all the radio management in hardware with lightweight APs. WLSE is an old software platform that tells IOS APs to change channels. WCS is the spiritual successor to WLSE.

Re:Cisco (2)

Lumpy (12016) | more than 2 years ago | (#38808017)

And can be thrown off with a directional antenna.

They are not accurate but highly approximate and if I put the "center" of my signal 4 rooms away it will not show my location.

Re:Cisco (1)

X0563511 (793323) | more than 2 years ago | (#38808183)

Not to mention a simple CAD drawing is not going to include all the furniture, equipment, people etc - all things that affect the signal.

At best it can give you a good idea where to start looking.

Re:Cisco (2)

mindcandy (1252124) | more than 2 years ago | (#38808427)

Here's a tip (and I work on a campus with thousands of these, btw)

When we go looking for miscreants, the guy with the Yagi (or pringles can, or patch antenna, or anything that isn't a regular laptop without external cabling) sticks out pretty clearly.

Re:Cisco (1)

Bios_Hakr (68586) | more than 2 years ago | (#38808841)

Agreed. We see a ton of these in the most unusual places.

Re:Cisco (0)

Anonymous Coward | more than 2 years ago | (#38810669)

If they have it visible? yes.

But typical of Uni people , they assume everyone is dumb. Me sitting there with a laptop and a backpack that has a router running OpenWRT+ a yagi hidden inside it will not stick out at all.

Only the N00b will "stick out"

Re:Cisco (1)

mindcandy (1252124) | more than 2 years ago | (#38811545)

The difference is I only have to get lucky once.

Re:Cisco (0)

Anonymous Coward | more than 2 years ago | (#38815837)

virtual drawing?

Re:Cisco (1)

flosofl (626809) | more than 2 years ago | (#38817723)

That's not really a differentiating feature, there are a quite a few companies that have the similar capabilities and are more accurate that Cisco. I find Cisco's wireless security offerings to be pretty damn weak. They target a very small slice of WLAN issues and exploits (granted, they are typically the most severe), than other vendors who focus solely on security.

For WLAN Cisco is adequate (I have issues with some of their config and engineering choices), but for WIPS/WIDS I can think of perhaps two (maybe three) companies I would recommend over Cisco. Cisco would be a "heavily invested in Cisco gear and can't get a real budget for wireless security" choice.

Re:Cisco *cha-ching* (1)

Anonymous Coward | more than 2 years ago | (#38807669)

At a recent event, we utilized Cisco's *cha-ching* Wireless Access Controller. We are an all-Cisco *cha-ching* house, so it was an easy choice.

http://www.cisco.com/en/US/products/ps6302/Products_Sub_Category_Home.html [cisco.com] *cha-ching*

Cisco. *cha-ching*

Re:Cisco *cha-ching* (2)

mindcandy (1252124) | more than 2 years ago | (#38809597)

Clearly A/C has never had to do an enterprise deployment.

The reason for going "all $vendor" (be it Cisco or Microsoft) is because our business is not about finding the absolute lowest line-item cost for every piece of IT gear.

Our business is doing something ELSE, and IT is just in support of that.

Could Cisco's technology be replicated with a bunch of WRT54GLs and a room full of grad students? .. probably, but who's going to support that long term?.

Trust me, the "fun" of making two random things work together wanes real fast when you've got a job to do.

Re:Cisco *cha-ching* (2)

asdf7890 (1518587) | more than 2 years ago | (#38811721)

Clearly A/C has never had to do an enterprise deployment.

Clearly you have misread A/C's point.

He wasn't (unless my understanding is wrong, of course) commenting on the expense of the equipment, he was commenting on the fact that the parent post looked like a very amateur paid shill. A worthwhile informative post would not have simply stated "we use this stuff, here go look at this link", it would explain how that equipment was pertinent to the article at hand. Perhaps it makes solving the problem easier in some way, if so he could have stated that rather than just getting the link in as fast as possible to try get it as close to the top of the post list as possible - just slapping "cisco cisco csico link cisco" in a post is essentially spam.

Re:Cisco (2, Informative)

Christopher B. Linn (2560089) | more than 2 years ago | (#38807961)

Full Disclaimer: I work as a software engineer at Cisco in our San Jose headquarters, and I must also say that this product does exactly what the submitter needs.

Re:Cisco (1)

Bios_Hakr (68586) | more than 2 years ago | (#38808869)

Nice. I've probably installed IOSs compiled by you. It's always nice when the IOS tells you who compiled it at boot time.

Re:Cisco (0)

Anonymous Coward | more than 2 years ago | (#38817009)

except that in other threads and under other nics, you've indicated that you neither live nor work in the US.

so, which is it?

Shill post (-1)

Anonymous Coward | more than 2 years ago | (#38807973)

Off topic shill post. We got a shill-troll-fag here, guys! Doesn't have anything to do with the article and is just a link to a Cisco product.

Can you tell us what that Cisco product does to prevent the scenario described in the summary?

Will it automatically break into my rogue access point and shut it down?

Remind me to stay away from your "all-Cisco house" you fucking moron.

Re:Shill post (0)

Anonymous Coward | more than 2 years ago | (#38825223)

No, but it will transmit deassociation frames spoofed to come from your rogue AP's mac address, effectively making it pretty much impossible to connect to it.

I've always got an access point on me (4, Informative)

Skarecrow77 (1714214) | more than 2 years ago | (#38807577)

android phone + cyanogenmod + grandfathered verizon unlimited data plan = "it may not be perfect, but it gets the job done and it is still way better than the dialup connection I used back in the day."

unless I'm in some building shielded with sandwiched lead sheets or something. in which case, hell, screw it, time to read an ebook.

it's easier to block than you think (1)

dutchwhizzman (817898) | more than 2 years ago | (#38808451)

Just window foil and energy efficient windows in a concrete/steel building will do it. I work for a mobile telco and we can't get any 3G at all inside the building, getting GSM900 reception is a struggle. It's so bad, we can't even use our cell phones in 90% of the rooms.

Re:it's easier to block than you think (1)

Skarecrow77 (1714214) | more than 2 years ago | (#38809317)

My company has a branch in another city that I occasionally have to visit. Office is on the 34th floor of a rather new building. reception there is atrocious. I wonder if it's got the same problems you're talking about.

When scouting out a new location for my company's business in this city, one of the first things I test is 3g signal strength for that reason.

Re:it's easier to block than you think (0)

Anonymous Coward | more than 2 years ago | (#38812921)

Just get cell repeaters (or internal antennas - place a few patches in the ceiling and route them outside the Faraday cage).

Re:I've always got an access point on me (1)

Inda (580031) | more than 2 years ago | (#38809419)

Vanilla Android does that.

It does in my country.

Really.

Re:I've always got an access point on me (2)

Skarecrow77 (1714214) | more than 2 years ago | (#38809579)

your country is more awesome than the usa.

here, our telcos sell us devices that we're locked out of by default, with features that are built into the operating system disabled, so that we can pay the telco stupid amounts of money to turn back on.

or we just say "screw the warantee, I own this device, I'm going to do with it what I damn well please" and flash a cleaned-up rooted version of the OS on it.

Re:I've always got an access point on me (-1)

Anonymous Coward | more than 2 years ago | (#38810305)

your country is more awesome than the usa.

That's not hard

Re:I've always got an access point on me (3, Insightful)

Skarecrow77 (1714214) | more than 2 years ago | (#38810399)

depends on what criteria you're talking about.

If it's internet access, yeah most of europe and a good portion of asia kicks our ass.

if it's access to junk food, guns, or street drugs... hard to beat the USA.

Re:I've always got an access point on me (1)

hitmark (640295) | more than 2 years ago | (#38816841)

Maybe i am nerd, but i think i will take net access over those others.

Re:I've always got an access point on me (1)

hitmark (640295) | more than 2 years ago | (#38816839)

And still the online tech press reports on US telecom products as if they are the latest and greatest...

Re:I've always got an access point on me (1)

Cimexus (1355033) | more than 2 years ago | (#38817107)

Hell, my ~iPhone~ does this out of the box. It's nothing to do with Android or the phone itself, and everything to do with the telcos/carriers.

Public key signed SSID names? (3, Insightful)

vlm (69642) | more than 2 years ago | (#38807623)

Note for next revision of the protocol... public key signed SSID names. Or SSL certed SSIDs

Re:Public key signed SSID names? (2)

Anonymous Coward | more than 2 years ago | (#38807727)

It's happening (kinda).

Take a look at 802.11u.

Re:Public key signed SSID names? (2)

Anonymous Coward | more than 2 years ago | (#38807765)

Where do you get the public key? Why is that source more trusted than the source of the SSID?

Re:Public key signed SSID names? (2)

vlm (69642) | more than 2 years ago | (#38807907)

Where do you get the public key? Why is that source more trusted than the source of the SSID?

There was a fad a couple years back of handing out little circuit boards with "stuff" on them at cons. I could see the next HOPE conference handing out ID necklaces with a little cheap USB flash drive as the "I paid my entrance fee" physical token.

At work its simpler, you preload your standard system image with the key.

Re:Public key signed SSID names? (1)

hitmark (640295) | more than 2 years ago | (#38816845)

Or some QR code that translate into a encryption key.

Re:Public key signed SSID names? (1)

Anonymous Coward | more than 2 years ago | (#38807985)

You do something smart.

Attach it to emails of the Convention newsletter, maybe with links on the convention web page. Or request it from the infodesk along with the wifi password.

Heck, depending on the swag bag you get, include a small USB drive with the keys.

Re:Public key signed SSID names? (1)

icebraining (1313345) | more than 2 years ago | (#38808655)

1. Print big poster with the key fingerprint
2. Prevent people from putting up their own posters

Physical security ftw.

Re:Public key signed SSID names? (2)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#38808291)

Already done; but not really designed for the 'open' deployment scenario:

WPA2 (if you flip the switch to "enterprise", this is exactly the sort of hassle that gets left out in order for things to Just Work and not get returned to the store by frustrated Joe User) adds 802.1X authentication, which includes validation of the authentication server's certificate.

Trouble is, all that stuff is basically aimed at a big serious corporate deployment, where everybody has a username and password and things are configured by IT, and so on. There isn't, to the best of my knowledge, any terribly elegant way of setting up your basic "bunch of more or less open APs that also have verifiable SSIDs". VPN to trusted offsite host and trust no one!

Re:Public key signed SSID names? (1)

Vancorps (746090) | more than 2 years ago | (#38811061)

I have a unique perspective on this problem as I do shows as well. The idea is, you have one set of access points that provide service, one set that monitor, and one set for active interference with rogue APs. When a rogue AP starts broadcasting you blanket the exact frequency and change neighboring service access points to channels that are on the other side of the spectrum. This works great in practice against regular people popping a linksys when they only pay for one Internet connection.

It won't work for a malicious attacker of course as you'll need to eventually locate the rogue AP and shut it off otherwise the offender will just keep changing channels forcing neighbors to change channels and thus causing disruption.

This is a growing problem everywhere .... (3, Insightful)

King_TJ (85913) | more than 2 years ago | (#38807631)

As wi-fi becomes a mainstream Internet on-ramp when you're out and about, I think the rogue AP issue needs to be addressed FAR better than it is today. As the story's submitter said, tech. conferences might be the least of the problem since most of the time, you've got a massive flood of wi-fi usage attempts concentrated under one roof at such things. The tech-savvy will already plan on other forms of connectivity (such as 3G or 4G cellular). Plus, the vast majority of conference-goers are trying to send photos, video or blog entries of the happenings ... not taking out time to do their online banking, shopping or what-not. So rogue sites trying to scape for data are less likely to capture anything really useful.

My co-workers have started asking me, "How do I know if it's safe to connect to a wi-fi hotspot when I'm traveling?" ... and I'm realizing the answer isn't very clear-cut. I can advise them that certain companies contract to provide thousands of APs for chain restaurants, and typically have an AP identifying themselves as such. (You'll often see an SSID of "wayport" at a McDonalds for example.) But beyond that, the average laptop or smartphone user really doesn't even think about someone spoofing a legitimate-looking SSID. I've even run across such things as multiple SSIDs showing up with no password at our airport, where I knew at least 1 or 2 of them were fakes. (One had an SSID of "airport wifi", as I recall, when I know our airport only provides wifi in the terminal waiting area via AT&T - who would NOT name it anything like that.)

Re:This is a growing problem everywhere .... (1)

Electricity Likes Me (1098643) | more than 2 years ago | (#38807739)

Isn't the basic answer "use encryption"?

You have no way of knowing if your internet connection is trustworthy - there was that incident where 30% of net traffic was routed through China for a time.

Re:This is a growing problem everywhere .... (1)

timeOday (582209) | more than 2 years ago | (#38809551)

Yes, I scanned the article for any good reason to think a "rogue" access point would any worse than any other, and only got:

Those Man-in-the-Middle attacks are serious, potentially leading to data or identity theft. Secure websites and services will display an error when this happens, but many users ignore the warnings.

OK. The only takehome I get from this is, don't ignore SSL errors. I think we all know that we have no idea where our traffic is going and ultimately who is looking at it, regardless of the first hop.

Or... (3, Informative)

betterunixthanunix (980855) | more than 2 years ago | (#38807789)

Have an SSH server somewhere, and tunnel everything through that; this is the equivalent of using a VPN. If you see host key warnings, then abort -- better than the headache of dealing with someone pwning your bank account.

Re:Or... (1)

CanHasDIY (1672858) | more than 2 years ago | (#38807899)

Have an SSH server somewhere, and tunnel everything through that; this is the equivalent of using a VPN. If you see host key warnings, then abort -- better than the headache of dealing with someone pwning your bank account.

Good methodology for those of us who actually (at least half-assed) understand how this internet stuff works.

However, that won't cover the vast majority of 'casual' users, i.e. regular folks... at least, not until "there's an app for that."

Re:Or... (0)

Anonymous Coward | more than 2 years ago | (#38808007)

However, that won't cover the vast majority of 'casual' users, i.e. regular folks... at least, not until "there's an app for that."

There is an app for that. http://www.appbrain.com/app/ssh-tunnel/org.sshtunnel [appbrain.com]

Re:Or... (1)

CanHasDIY (1672858) | more than 2 years ago | (#38811049)

However, that won't cover the vast majority of 'casual' users, i.e. regular folks... at least, not until "there's an app for that."

There is an app for that. http://www.appbrain.com/app/ssh-tunnel/org.sshtunnel [appbrain.com]

The problems with that app are

A) requires a rooted device, and

B) is not a 'one-click' solution, requiring (what a typical user would consider) extensive setup on both ends of the connection.

These factors combined ensure that, while useful for techies, this app in particular will never see mass adoption, which was the point I was getting at.

Re:Or... (1)

Vrtigo1 (1303147) | more than 2 years ago | (#38825237)

By your factors combined, I am captain planet!

Re:Or... (1)

yuhong (1378501) | more than 2 years ago | (#38810045)

Well there is already SSL built into browsers, and it is standard for banks already.

Re:Or... (1)

CanHasDIY (1672858) | more than 2 years ago | (#38810649)

SSL [wikipedia.org] =/= SSH. [wikipedia.org]

Re:Or... (0)

Anonymous Coward | more than 2 years ago | (#38814847)

But if the SSL cert is valid, it achieves the same thing, which was his point; or at least, HTTPS provides the same guarantees that SSH would, so wrapping one in another doesn't gain you anything. If someone could snoop your HTTPS internet banking transaction, they could just as easily snoop your SSH tunnel.

Re:Or... (1)

hitmark (640295) | more than 2 years ago | (#38816851)

Indeed, we have not even been able to get most people to use encrypted email by default...

Re:This is a growing problem everywhere .... (4, Insightful)

Hatta (162192) | more than 2 years ago | (#38807849)

My co-workers have started asking me, "How do I know if it's safe to connect to a wi-fi hotspot when I'm traveling?" ... and I'm realizing the answer isn't very clear-cut.

The answer is very clear cut. All networks are hostile until proven otherwise. The solution is an encrypted tunnel back to a secure network. VPN or SSH tunneling are both easy to set up and use.

Re:This is a growing problem everywhere .... (0)

Anonymous Coward | more than 2 years ago | (#38808329)

Mod parent +1 "that's all there is to say about borrowing wifi"

Re:This is a growing problem everywhere .... (1)

HockeyPuck (141947) | more than 2 years ago | (#38809261)

All networks are hostile until proven otherwise. The solution is an encrypted tunnel back to a secure network. VPN or SSH tunneling are both easy to set up and use.

So what do you recommend to the average traveler that doesn't have corporate VPN/ssh tunneling? Is there a solution for mom/dad/grandma/grandpa who are traveling with their iPad/laptop. Or even going to Starbucks etc..?

Re:This is a growing problem everywhere .... (2)

Hatta (162192) | more than 2 years ago | (#38809423)

If you can't run your own VPN, buy one. I can't recommend a provider, because I run my own.

Re:This is a growing problem everywhere .... (0)

Anonymous Coward | more than 2 years ago | (#38813159)

I'm not sure I'd trust mom to do it right, but you can always stick to surfing stuff you don't care if people are watching (when your plane leaves) or SSL (gmail, etc). That's my tactic.

Re:This is a growing problem everywhere .... (0)

Anonymous Coward | more than 2 years ago | (#38813737)

So what do you recommend to the average traveler that doesn't have corporate VPN/ssh tunneling? Is there a solution for mom/dad/grandma/grandpa who are traveling with their iPad/laptop. Or even going to Starbucks etc..?

An aircard. CDMA or WCDMA in particular are practically impossible to tap, EDGE is technically a bit easier but still less likely to be tapped into than wifi. Of course here in the good ol' US of A, the data plans are a bad joke on these now.

          More realistically, you HAVE to use https for any site where you care in the least about security. If you use plain http, well, wifi is a broadcast medium, and without some key (WPA or WEP), not only is your data broadcasted in the clear, you are also connecting to some random access point by name without any proof it's run by the venue you are at. If you want to be paranoid, even a wired ethernet *could* have a sniffer in line.

Re:This is a growing problem everywhere .... (2)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#38808611)

Arguably, trying to solve this problem at the AP level is something of a fool's errand. There are easily thousands upon thousands of entities running non-malicious access points, many of which the user would have not the slightest reason to be able to judge the legitimacy of(Hotel Chain A might entirely plausibly hire ObscurePoint Access LLC to run their wifi, so name recognition won't help you much, and SSL wont' be too useful because, even when it works, that only helps prevent spoofing of a name, it doesn't attest to behavior).

It seems like you'd be much better off assuming that APs simply cannot be trusted to any significant degree and working on the problem of how best to make establishing a secure channel over an untrusted AP as easy as possible(for less paranoid users, common services moving to encryption by default will at least protect the content of the communication, though not the origin and destination, more serious users will need a full tunnel to somewhere more trusted).

One perhaps useful point of attack might actually be at the users' own home AP... Your contemporary router/access point is a fairly punchy little machine, by historical standards. Easily enough to function as a VPN endpoint for a few remote systems not moving too much traffic. It would be nice to see some sort of dead-simple VPN configuration mechanism built into a consumer router out of the box. Something like the following: router has a USB port on the front. User inserts a USB drive, presses the "Create VPN key" button. Router dumps a text file onto the USB drive containing a private key, and information about its dynamic DNS hostname, supported VPN protocols, etc. User pulls the drive, plugs it into their computer, computer's network connection wizard widget ingests the file, configures itself to establish a VPN connection to the router. Should a key be compromised or system stolen, the matching public key could be purged from the authentication list.

The question of whether you are at risk out and about(yes, yes you probably are) would be much less salient if making yourself 'eh, about as safe as at home' were very much easier...

Re:This is a growing problem everywhere .... (1)

Anonymous Coward | more than 2 years ago | (#38809187)

And now you need either a static IP for the home router or to sign up for a dynamic IP tracking service. And even that little bit of terminology and requirement will stump most home users -- unless that gets rolled in with the auto setup USB magic.

Re:This is a growing problem everywhere .... (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#38813453)

True. My thinking, rough draft, is that the router would go and sign itself up for a dynamic DNS service(presumably bundled into the cost of the device by the manufacturer and, since the configuration would be handled automatically by the config file, the hostname needn't be memorable in the slightest SHA1-of-something.vendor.com style addresses wouldn't exactly be scarce...) when the first VPN key is requested.

It is certainly a rough-cut approximation of a plan, it just seems a pity that all the ingredients, except for being dead simple, are already in place with even fairly cheap and awful home routers, for the problem of security in untrusted locations to be largely solved.

Re:This is a growing problem everywhere .... (2)

MagicM (85041) | more than 2 years ago | (#38808701)

How do I know if it's safe to connect to a wi-fi hotspot when I'm traveling?

It's always safe to connect. It's what you do once connected that matters.

Unfortunately devices now do so many things automatically that you can easily get in trouble without knowing it. Auto-poll for new Email/Twitter/Facebook/AppStore content? You'd better hope that polling uses a complete and robust SSL implementation.

Depending on your definition of "safe", even just looking at cat pictures can be unsafe if the hotspot decides to replace all images with goatse.

Re:This is a growing problem everywhere .... (1)

ArsenneLupin (766289) | more than 2 years ago | (#38813211)

even just looking at cat pictures can be unsafe if the hotspot decides to replace all images with goatse.

You mean, like this? [chan4chan.com]

Re:This is a growing problem everywhere .... (1)

karnal (22275) | more than 2 years ago | (#38818023)

Why in the hell did I click on that lol

Re:This is a growing problem everywhere .... (0)

Anonymous Coward | more than 2 years ago | (#38815285)

It's always safe to connect. It's what you do once connected that matters.

Here connect that machine with an open share to my worm infested LAN. Nice n safe. Yup.

Re:This is a growing problem everywhere .... (1)

gl4ss (559668) | more than 2 years ago | (#38808713)

why would the legimate ap be any better than the "illegimate ap".
if doing banking, you should use encryption and one time codes anyways.

anyhow - a conference holder could for example make an application for android, win and ios that would detect the legit ap's and do a handshake with them. but then the problem becomes how do you distribute that app - and it's not like you can trust anyone connecting to that network anyhow.

Re:This is a growing problem everywhere .... (1)

Lehk228 (705449) | more than 2 years ago | (#38809315)

This is a huge advantage of blackberry over android and iOS, regardless of any hostile access point everything goes through a secure tunnel to the BIS servers, the downside is on rare occasions. the service has trouble despite being able to connect to the internet


this is not just for wifi connections, there are not technical measures in place to allow a phone to validate a cell tower it is connected to and hostile/sniffer towers already exist.

VPN (0)

Anonymous Coward | more than 2 years ago | (#38807663)

couldn't you just VPN to your home or work?

Wouldn't basic security practices protect you? (1)

ron_ivi (607351) | more than 2 years ago | (#38807835)

I would have hoped all the normal standard practices would protect you almost totally from this.... Don't use an important password except over https where your browser doesn't raise red flags. Use a VPN or ssh to connect to servers that are important to you. Seems the same practices that protect you from your normal ISP would protect you from rogue access points too, no?

Any access point? (2)

DarkOx (621550) | more than 2 years ago | (#38807921)

At most conferences I've been to, I'd be grateful just to be able to get on any access point.

I hope you have a ssh thumbprint to verify of any hosts you plant to connect directly to, and tunnel everything else!

Re:Any access point? (1)

icebraining (1313345) | more than 2 years ago | (#38808589)

I just use sshuttle [github.com] .

Airespace had this, Cisco nerfed it. (2)

sethstorm (512897) | more than 2 years ago | (#38807983)

Airespace had something where you could actively "discourage" or otherwise overwhelm the rogue AP within a defined area. Now that Cisco took over, it's just a "spot the rogue, hope you're right" type of deal.

Re:Airespace had this, Cisco nerfed it. (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#38808773)

One wonders if Cisco's legal chaps got a trifle nervous about shipping a system that involved quite-possibly-subject-to-CFR 47 15.5 [gpo.gov] device or devices intentionally causing interference to other such devices...

In particular, I'd be a trifle leery of the possibility that I was contravening the letter, as well as the spirit, of part B:

"(b) Operation of an intentional, unintentional, or incidental radiator is subject to the conditions that no harmful interference is caused and that interference must be accepted that may be caused by the operation of an authorized radio station, by another intentional or unintentional radiator, by industrial, scientific and medical (ISM) equipment, or by an incidental radiator."

Free speech (0, Troll)

Score Whore (32328) | more than 2 years ago | (#38808209)

Some people's "rogue access points" are other people's free speech. Maybe they should stop trying to squelch free speech?

Re:Free speech (1)

Anonymous Coward | more than 2 years ago | (#38808653)

This is not free speech. A "Rogue access point" is an attempt at idenitity theft.

Free speech is go setup your own show in a different place, and see who is willing to show up and listen.

Solution (1)

linuxwebadmin (694411) | more than 2 years ago | (#38808485)

android phone + wireless ap detection software of choice + conference management + exit door = problem solved. (find them and kick them out)

Even so, coverage was poor. (1)

complete loony (663508) | more than 2 years ago | (#38812155)

And yet, wifi coverage was fairly spotty for the conference. Some of those access points definitely weren't working, you'd have to manually choose which MAC address to use, or point your antenna in a different direction before you could connect properly.

If you wanted to setup a rouge AP, you could probably get away with it in the corridors. Though you wouldn't be able to hack everyone, there were plenty of people hanging around outside the main halls checking emails etc.

But overall, it was a pretty cool conference.

Locating Rogue APs (1)

asdf7890 (1518587) | more than 2 years ago | (#38812361)

From the point of view of the infrastructure/security go-to man for a small company, what options are there for locating unauthorised APs? We scan for unauthorised MAC addresses turning up on the network so an alert goes out if something unwanted is plugged into the LAN, but that wouldn't detect a soft-AP running on an otherwise expected machine (nor would it spot a device with a faked MAC, but that is another matter). Are there any reliable methods of picking up on new APs turning up (even those that are not broadcasting their ID) and then finding their approximate physical location (we are in a manged office block, so a new AP turning up is most likely to be on one of their LANs so not something we need to worry about).

Some of our clients trust us with data that they are (understandable) sensitive regarding the safety of, so if there is anything I can do to decrease the chance we'll ever be the source of any leak is useful to reduce my paranoia levels!

rogue dhcp (0)

Anonymous Coward | more than 2 years ago | (#38812859)

There was also a rogue DHCP server on the (wired) networks at the accommodation at linux.conf.au - it shut down as soon as I started nmapping it.

Re:rogue dhcp (1)

ras (84108) | more than 2 years ago | (#38813577)

Yes, there were a lot of "rogue" DHCP servers at LCA, although a better term might be miss-configured because I am almost certain it wasn't deliberate. But the story neglects to mention the reason. Attendees were invited to set up wireless access points because the accommodation didn't provide wireless. There were I guess 20 or 30 units, and I be surprised if every one of those units didn't have at least 1 AP set up by a community minded resident. It is inevitable that some of those will have forgotten to turn DHCP off, or perhaps plugged the internet connection into the switch rather than the upstream port on the router.

This is avoidable. LCA owns some 50 or so access points, which have been deployed in the past to supply wireless to the accommodation. Doing so means the attendees don't bother unpacking their access points, and the rogue DHCP problem goes away. However, deploying those access points takes a substantial amount of time and organisation. LCA is run by volunteers. So they have a tradeoff - they can put in a substantial amount of work and the problem largely goes away, or deal with the problem during the conference as it arises. As LCA attendees are a pretty sophisticated bunch networking wise, either way works well enough.

The one thing that doesn't make any sense is blaming the attendees, which is the way this story tries to slant it. That is like leaving the nappy off the baby and then blaming it for the piss on the carpet. The consequences of not supplying wireless are entirely predictable. Reasonable adults either supply wireless, or accept the consequences and don't whinge about it.

A more interesting topic of discussion is the collapse of the network in the accommodation on Friday night. In hindsight the cause is obvious. For the second LCA in a row they got all most of the conference video's up before the conference closed. Come Friday night many attendees decided to download huge quantities of them, the usual reason given being "so I have something to watch on the way home". It was a really good idea actually - LCA this year had 4 streams, and inevitably people ended up missing what in hindsight were "must see" talks. The problem was the link between the residences and LCA simply could not cope with the traffic.

Again, that could have been solved. Indeed it was solved at LCA 2011 using DNS tricks. In that year a copy of the videos was put on a server in the residences, and FQDN for the video server resolved to that server for the residences only. Or perhaps enabling torrents for the videos would have worked well enough. As it was, internet connectivity was almost non-existent Friday night, and that caused howls of anguish - far more anguish than the rogue DHCP servers.

Using public wireless without a VPN is pure folly (1)

dskoll (99328) | more than 2 years ago | (#38817219)

When I use a public wireless access point, my networking scripts immediately set up an OpenVPN tunnel and make that the default route. If you don't route all your traffic over a VPN when you use public wireless of any kind, you're asking for trouble.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?