Drive-By Hacking in London

delibes writes "The BBC News website carries this story about hacking wireless networks in London's financial centre. " There isn't really much in the way of details, just saying that many businesses don't encrypt their networks. They talk about finding 12 networks while driving 1km... 8 of which had no encryption.

More info

[Da+J+Rob]

For those who want to read more on this subject, check out this past slashdot article

Or just go here.

Encryption not as important as VPN

[Chairboy]

At my company, we use WEP, but complete the connection you must log in using a VPN. We'll probably just switch to VPN only, but this makes me wonder how many of those networks simply did not have WEP enabled but DID require some other authorization to access network resources?

Just because it does not have WEP does not mean it is secure.

Re:Well,

[friscolr]

If that was the case then it wouldn't be possible to so fully exploit these networks.

walk around town with laptop in backpack then go somewhere to see what's been found - like an internet cafe, which is also useful for probing the network in question (like probing their network from the outside to find what router to spoof - determine this based off the ips in the tcpdumps from the walk) - here's what i've found

most of the unencrypted networks found will have nice tcpdumps chock full of arp requests, novell and nt broadcast messages. can tell you a lot about the network in question.

if you can find a discrete location close to the building in question then you have your entry point. of course cops dont really know what you're doing anyways (though they give some real wierd stares at 3am) so you might be safe. spoofing the router is generally wasy, gaining external access should be fine, sometimes they're real kind and leave a dhcp server accessible for you. but either all these places have taken the time to setup some real nice honeypost or they're real.

i'm giving a talk about this at rubi-con, plus my webstie has more info, not that i've done anything like this, of course.

Re:Is this ethical/legal or not? Is WLAN worth it?

[Nonesuch]

In general, 'wardriving' aka Netstumbling, refers to the basic act of wandering around and logging the GPS coordinates and response of 802.11b wireless networks to broadcast 'beacon' requests.

IANAL. I have been consulting with laywers, and this is a paraphrase of what they say (in the state of Illinois):

The basic act of identifying a wireless network while on the 'public way' is ethical, and usually legal. The moment you connect to a network and begin to access their machines or use their resources, you are on very shaky ground ethically, and, while unlikely to be prosecuted, are committing a criminal act.

Wireless networks are not only much less secure than wired, they are also considerably slower and less reliable. I have difficulty getting a reliable wireless connection more than fifty feet away from the AP. I have ethernet cables longer than that!

Re:2600

[xanadu-xtroot.com]

You can always watch them doing it too. :-)

Re:interesting...

[swillden]

now, as we all know, encryption isn't the one-stop shop in terms of securing data. in a wireless environment where intruders can get at you with relative ease, what other forms of protection are there against having data stolen?

In a wireless network encryption is your only defense. Remember, though, that the encryption built into 802.11b cards and access points is lousy and trivially easy to break, even with the larger key size.

If security matters to you, you need to:

• Put a VPN-equipped firewall between your wireless access point and the rest of your network. Configure the firewall so that it only allows VPN connections, rejecting everything else.
• Run VPN client software and firewalls on all of the machines you connect to the wireless network. Make sure the firewalls are configured to reject all incoming connections and permit only VPN outgoing connections.
• It's probably also a good idea to install intrusion detection systems on the wirelessly connected hosts. Whether you take that step or not, it's important to maintain those hosts carefully, keeping up to date on all security patches (particularly the patches for the firewall and VPN software). Other actions may be a good idea as well, just remeber that every one of those wirelessly connected machines has to be able to withstand hacking on its own; there are no firewalls or barriers between those machines and the world, they are truly "bastion" hosts.
• Put a "honeypot" wireless host or two out. Run a DHCP server on and put some other interesting stuff up (SMB is juicy). If it sees DHCP requests or other traffic, inform security and have them watch anyone who might be hanging around in publicly accessible halls or outside. If possible track down and silence the offending machine. A laptop equipped with a directional antenna and some 802.11b sniffing software that can be configured to look for a particular MAC address might be helpful.
• Run your honeypots on the "default" 802.11b channel (6?), and run the real stuff on other channels. This isn't a barrier at all, but it does make naive attackers more likely to get caught by the honeypot.

If all of that is too much effort, and security is important to you, then don't do wireless. When the built-in encryption is fixed you can look at wireless again; it still won't be quite the same as wired but the effort required to secure it will be lower and more related to how you manage your keys.