Wartrapping?

netphilter writes "This article on ZDNet writes: "A "honeypot" trap consisting of a Wi-Fi-equipped laptop is the latest weapon against drive-by hackers." Although I'm sure that I've heard of this somewhere before, it appears that the latest twist is that this company is looking to sell them to corporations. Hmm...I wonder what the warchalking symbol for a honeypot really would look like?"

Huh?

[Ed+Avis]

I don't get it, why not just configure your network not to hand out IP addresses to anyone who asks? Does this wireless thing have no security at all?

Re:Huh?

[paranoos]

If all Wi-Fi cards had a mandatory GPS system reporting their location, then an office with a large access area could cordon off their building by walking around with a device that will trace a GPS line around the network, and not allow access to anybody outside.

The one thing this doesn't solve is if a company residing in a suite doesn't want to share their network with ABC Corp upstairs. In that case, they may be able to string copper wire in the ceiling as a "shield".

Re:Huh?

[Anonynnous+Coward]

The one thing this doesn't solve is if a company residing in a suite doesn't want to share their network with ABC Corp upstairs. In that case, they may be able to string copper wire in the ceiling as a "shield".

Actually, GPS provides altitude, as well as position. So you're all set--no floor and ceiling shielding necessary.

Re:Huh?

[Zeinfeld]

I don't get it, why not just configure your network not to hand out IP addresses to anyone who asks? Does this wireless thing have no security at all?

The problem is that they called the security scheme Wired Equivalent Privacy, thus botching the job from the start. They failled to understand that the big difference between a wired and a wireless network is access control, you can bypass the guard at the gate.

This proposal appears to be macho bullshit rather than serious security. First off most people who are warchalking just want to download their email. So while it is great press to demonize them don't make a big issue.

Secondly it is very easy to apply a layered security solution. You can use IPSEC or 802.1x with a bunch of other stuff.

The bugs in WEP have been known for some time and the people doing the next generation crypto security know what they are doing. Incidentally the 802.11 working group knew about and was fixing the bugs before Stanford put out the report. A small company up in Redmond Washington had decided to make 802 available throughout their campus (sounds like a directive from his Bill-ship). Before deploying their crypto people had a look at the security of WEP and went AGGGHH!

I found out about this because I tried to contact Big-Softie after hearing about the WEP problems at a cipherpunks meeting. Working out how to fix a problem like that without having to replace every card is really hard.

Point is that nobody should be using honeypots until they have actually deployed decent crypto security. And you should protect the honeypot as closely or almost as closely as the real network.

Rather than messing with this stuff why not just put up a courtesy 802.11b network with a net ID of 'OPEN123' or something, plug it into your network so that it is outside the firewall and set throttles so that nobody can use too much bandwidth. Then people who just want to downlod their mail can get it.

I keep trying to persuade folk that we should do this sort of this in the base infrastructure, Access points should offer a guest mode as standard with appropriate limits, say no more than 20Mb of guest use per hour.

Re:Huh?

[Egoine]

"If all Wi-Fi cards had a mandatory GPS system reporting their location"

Yeah right. Like someone who would want to use your network wouldn't lie about his position (by hacking the card, driver,etc..). Maybe non-trivial, but once one guy does it, he gives the recipe.

When modems began to be deployed, corporations wouldn't even ask a password to be connected. Just dial the line. This is equivalent of the now unsecured wireless networks. Your solution would then have been to only allow some phone numbers to dial in. Not that bad, but asking for a password is probably simpler and better.

Re:Huh?

[EatHam]

Actually, GPS provides altitude, as well as position...

Unless you can't see enough satellites. Which has been my experience in many office buildings. Maybe my GPS is a POS, but unless it's right next to the window, or outside, all the concrete and whatnot block the signal. So I wouldn't want to trust my network access to that kind of spotty coverage.

Re:Huh?

[bobKali]

Yea, that'd be about as effective as using MAC addresses for authentication. It's not like anyone would be able to spoof their GPS location.

Would be interseting . . .

[seangw]

Imagine a distributed network of Wi-Fi honeypots taking in unique ID's, and distributing a "do not provide access" list to it's corporate subscribers.

Things could get sticky.

WarSTUPID

Can we dispense with the prefixing of "War" to anything 802.11 related, PLEASE?! This is just stupid now.

Historically, "wardialing" was phr33k-slang for the rapid dialling of phone numbers. Exactly what does this have to do with 802.11? Driving around and listening to packets is not the equivalent of "wardialling", nor is it in any way similar.

And don't even get me started on the idiotic term "Wi-Fi"...

802.11 can be secure, if the admins know how to!

[Diver777]

I recently worked at a large government organization (in Canada if it matters). The particular organization held a lot of information classified secret. It was all stored on a password protected mainframe that users accessed through telnet.

Well, someone had liked the idea of setting up wireless networking for a group of users in the building. The admin who installed the system simply used MAC address authentication as the only security on the WLAN. They only had so many wireless nics, so they simply added those addresses.

The problem here is that the admin did not realize the security hole he had just opened, as we all know that mac addresses offer no security at all. Though the wireless network I was able to capture plaintext telnet sessions, which included logins and passwords, and I could gain mainframe access from my car in the parking lot. (BTW, don't attempt these types of activitys without your employers permission).

If the admin had done his homework he would have at a minimum turned on WEP (although it is not secure either, but before the crack was out it was thought to be). Finnaly I convinced them to start using the built-in LEAP authentication and a RADIUS server, as well as limiting the access that users could have with their wireless nics (ie, no telnet access though the wireless). With simply a little deeper look into the security aspects of 802.11, the admin wouldn't have opened the huge security hole in the first place.

It should be EASY

[newestbob]

to sit in an airport or a starbucks with a hidden laptop + 802.11 card that presents a welcome screen that LOOKS LIKE some pay-per-use internet access point.

I would never use one of those airport systems because ANYONE could be spoofing it. There could be someone sitting next to me with a laptop in his suitcase.

Re:How the heck

The point is to see just how many people do try and connect to it, and what level of access those who do connect try to get.
It's basically just an intelligence gathering device then. If in a month all of 4 people try to connect, and all they do is surf the web or something, then there isn't any point on that office spending thousands protecting the network, but, on the other hand, if half of London is loging on, trying to gain as much access as they can, then it might be worth actually trying to do something about it.
It's not designed to catch people at it, just determine how much a problem it actually is before taking further action.

Re-using hobo signs

[Stavr0]

)///(
Three slashes over the warchalk symbol. /// means 'unsafe area'

Secure network topology

[Gerry+Gleason]

Good points. I'm not up on the details of WEP, but I think I understand what you are getting at. For wired corporate (and other) networks, the basic paradigm is to physically secure the facility and make the gateway points secure with firewalls and such. With wireless, you don't have physical security anymore becuase you don't know exactly where the node is.

This also relates to discussions about cooperative wireless mesh networks. If you want people to volunteer to share their wireless node with neighbors, you have to provide a box that enables it to be done safely. If the design isn't rock solid and foolproof, all it takes is a little FUD to damage the necessary trust that makes people feel ok volunteering.

The idea of placing an access point outside the wired network is probably the correct solution given the claimed weaknesses in WEP, and it might save you from replacing all those cards immediately. If I was proposing adding wireless access to a corporate or educational campus, I would propose this exclusively. No access points inside the gateways, and access the internal network resources as if you were coming in from outside. If you use a VPN solution for telecommuters, the same would work for wireless access. Now you have end2end security on your external people, and whatever your policy is about sharing out some bandwidth for free, it's more like giving a free drop to a nonprofit down the hall. You'd just hook them up to your external router with no internal access.

There was also a small comment in the interview with Vint where he says that he wishes they had designed in access controls for each node from the start. This would probably be a big help here as well as with problems related to IP spoofing and such. Perhaps IPv6 would be an opportunity to get this in, but if it isn't in the spec yet (anyone know?), it's probably too late.

honeypot abuse

[ohpo]

If there WAS a honeypot symbol, wouldn't it have potential to be abused? As in, draw on your own sidewalk to scare away hackers. How do you know if it's real or not? Of course if this was done a lot, it would lose believability.