Slashdot Mirror
Wartrapping?
netphilter writes "This article on ZDNet writes: "A "honeypot" trap consisting of a Wi-Fi-equipped laptop is the latest weapon against drive-by hackers." Although I'm sure that I've heard of this somewhere before, it appears that the latest twist is that this company is looking to sell them to corporations. Hmm...I wonder what the warchalking symbol for a honeypot really would look like?"
I'm guessing the submitter wasn't thinking of Winnie the Pooh...
Liam
I don't get it, why not just configure your network not to hand out IP addresses to anyone who asks? Does this wireless thing have no security at all?
-- Ed Avis ed@membled.com
)( :-(
or
)NO!(
Or failing that a picture of a fat bear with handcuffs being lead away by the brain police. Damn you Pooh bear...
is this really gonna make a difference? Ok, they know you're connected, they know your IP address. So what? How are they going to actually track you down? Then what? Call 911? Interesting article but the ramifications are still unclear.
There is nothing inherently safe about liberty. That's why so many people died protecting it.
What they use to put all the crap in...
I'm not really a web designer, I just play one on the Internet.
Imagine a distributed network of Wi-Fi honeypots taking in unique ID's, and distributing a "do not provide access" list to it's corporate subscribers.
Things could get sticky.
This exact same story was on net-security.org yesterday. If you would like more information about this topic go to this story @ net-security.org.
Fighting for Peace, is like Fucking for Virginity.
Send it into the building to disable the honeypot laptop.... It can use its onboard signal strength meter to search for it and then with some onboard weapons in the Mark II version (remember its a DARPA project....) BOOM!! no more honeypot...
-jon
think that there's a warchalking symbol for a honeypot. I think that writing SANDERS in really poor backwards handwriting is good enough. /me hopes people aren't lame, and they get the joke
The GeekNights podcast is going strong. Listen!
I wound't call em hackers, just opportunists.
Trying is the first step towards failure.
A honey pot is slang for a vagina as well as a computer used to trap misfits. I think and femal genetalia related symbol would do nicely.
Reality is that which refuses to go away when I stop believing in it. --Phillip K. Dick (remove SPAM to email)
Well, I for one am glad that we are going to see a crackdown on today's tech-obsessed miscreant.
Than exposing your network and then trying to catch people who break in.
Since even a secured wireless network can be broken into in about 30 minutes,
it makes more sense to treat the wireless network as an external network.
All accesses to the 'real' internal network then go through the firewall as if they came from the Internet.
Doing anything less than this seems to be courting danger.
Sig for sale or rent. One previous user. Inquire within.
Can we dispense with the prefixing of "War" to anything 802.11 related, PLEASE?! This is just stupid now.
Historically, "wardialing" was phr33k-slang for the rapid dialling of phone numbers. Exactly what does this have to do with 802.11? Driving around and listening to packets is not the equivalent of "wardialling", nor is it in any way similar.
And don't even get me started on the idiotic term "Wi-Fi"...
It is quite possible to do wireless without opening up your entire company network. Just like it's possible to NT networking securely.
The problem is for the most part there are idiots in control of the corporate IT that have impressive MS certifications after their names but don't know diddly squat. This quote:
proves it and let's us know who they plan on selling to.And just what is it they plan to do when they get people logged into their honey pot? Call the police? Oh man please.
You know you're a geek if you've ever replied to a tagline.
I've always believed that flat out good security was a much better solution than trying to eliminate all who would probe your security. Take for instance firewalls that claim to "track down attackers"--I don't care about that. Anyone with half a brain can get an IP address from their firewall logs. All I want is a firewall that locks down all unused ports, and offers program-specific access settings. This stops most portscans and worms. The idea of a honeypot may be important in certain cases, i.e. when very clever hackers have been found invading networks, even after they were secured well. But an ounce of prevention (locking down your wireless network in the first place) is worth a pound of cure (honeypots).
OT, does anyone know of a Netstumbler-like tool that works with the Toshiba e740's built in Prism wireless card?
"I may be quite wrong." - Socrates
maybe instead of a symbol we could put a nest of killer bees near the point and then that would be the form of security too. :-)
-(|||) - is that a honey pot symbol?
There is no way to "catch" someone with a modified satellite dish and hitting the AP from 2 miles away. At the most they have is my MAC address, hah, or what they think is my MAC address.
Not all people accessing wireless networks drive up to the front door.
I think many corporate IT people are instinctively scared of anything "free". This looks like a lame effort to sell a new "service" to these suckers.
If you want wireless security, take your WAP and plug it into a spare interface on your firewall, or whatever hardware you're using to do your VPN. Now send out a memo saying 'We now have wireless access. In order to use the wireless access you'll need to use that VPN software that we gave you so you could work from home'.
Only accepting authenticated IPSec connections is going to do a hell of a lot more good than getting useless statistics on how many people wanted to hit google while sitting in that park half a block down the street from your office.
I recently worked at a large government organization (in Canada if it matters). The particular organization held a lot of information classified secret. It was all stored on a password protected mainframe that users accessed through telnet.
Well, someone had liked the idea of setting up wireless networking for a group of users in the building. The admin who installed the system simply used MAC address authentication as the only security on the WLAN. They only had so many wireless nics, so they simply added those addresses.
The problem here is that the admin did not realize the security hole he had just opened, as we all know that mac addresses offer no security at all. Though the wireless network I was able to capture plaintext telnet sessions, which included logins and passwords, and I could gain mainframe access from my car in the parking lot. (BTW, don't attempt these types of activitys without your employers permission).
If the admin had done his homework he would have at a minimum turned on WEP (although it is not secure either, but before the crack was out it was thought to be). Finnaly I convinced them to start using the built-in LEAP authentication and a RADIUS server, as well as limiting the access that users could have with their wireless nics (ie, no telnet access though the wireless). With simply a little deeper look into the security aspects of 802.11, the admin wouldn't have opened the huge security hole in the first place.
The reason Santa is so jolly is that he knows where all the bad girls live.
Darn those gansta boyz. Is nothing too taboo for their cutting edge lyrics?
I am a Karma Library.
Maybe it was here....
I would never use one of those airport systems because ANYONE could be spoofing it. There could be someone sitting next to me with a laptop in his suitcase.
It is good that someone tries to chart this problem. At least it makes big corporations aware of the problem with wireless systems and the security issues associated with them.
I like the idea of wireless internet access everywhere, but not though stealing bandwidth of some business with bad security. I feel very bad for the companies being hacked and abused because of the bad security of the wireless solutions they use.
It surprises me that no-one thought of this before the technology was launched.
Valuable WinUSER
1069 Penn Ave, Washington DC.
(100) 555-1069
192.168.1.1
Press 1 to recieve list of all songs and movies ever watched on this PC.
Press 2 to recieve social security number
Press 3 to recieve mother's maiden name
Press 4 to be authenticated as vendor with power of attorney for Valuable WinUSER.
Press 5 to spam.
Oh wait, 192.168.1.1 is a local IP. Bill, you need to store medical records so we can cross reference the social security number with the real ISP, thanks.
Friends don't help friends install M$ junk.
would be for a pair of parentheses () with a zigzag line down the middle, like a closed beartrap viewed from above.
-- Proud descendant of semi-nomadic cattle-herders.
Alternative 1:
1. Buy the honeypot from this Van Strien fellow, packaged as "a security tool for corporate Wi-Fi users" with "a beautiful user interface". Estimated cost: _____
2. Maintain it. Estimated cost: ______ per month.
3. Keep someone on the payroll to watch for suspicious activity. Estimated cost: _____ per month.
4. When suspicious activity is found.... um... what exactly do you do then?
Alternative 2:
1. Let laptop users connect through Wi-Fi to the company's VPN server, just like the road warriors. Nothing except this server is accessible through the wireless network. Estimated cost: _____
Would anyone fill in the blanks for me? I want to see which one is more cost-effective.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
Historically, "wardialing" was phr33k-slang for the rapid dialling of phone numbers. Exactly what does this have to do with 802.11? Driving around and listening to packets is not the equivalent of "wardialling", nor is it in any way similar.
Actually, wardialing referred to having your computer rapidly dial phone numbers and look for modems that would allow anyone to connect. The idea was that Joe Scriptkiddie would start a wardialing program when he got up in the morning and it would dial a randomized list (because the phone company is looking for lots of numbers being dialed sequentially) of phone numbers all day. In the afternoon when he got home from Junior High, he would check to see if the program had found any "interesting" information (modems on numbers that he didn't know about before) and if so he would add them to his "to-investigate" list.
If we define warX to mean aimlessly using method X to find hosts that will talk to anyone, that fits with the definition of wardialing - aimlessly dialing numbers in the hope of finding a modem. Even though driving isn't the most important component of wardriving (one could walk, I suppose), the term wardriving seems to fit. It means aimlessly driving around with a laptop scanning for hosts that will talk to anyone.
Can we dispense with the prefixing of "War" to anything 802.11 related, PLEASE?! This is just stupid now.
As far as I know, wardriving is the only war* term related to 802.11 technologies.
For those of us looking for wireless acess, we just want to check email and check a few web pages. There's no way of telling whether a unsecured wireless network was deliberately unsecured to allow people to access the Internet, (like many people and some businesses - notably, Starbucks - do) or whether it was left unguarded due to ignorance, laziness, or boneheadedness.
If you find people accessing your network and you don't want to share, lock it down. What's the point of a honeypot? To find all those roving bloggers on park benches, obsessively updating their fans on the minutiae of their lives? What are you gonna do when you find them? Slap them on the wrist?
Doesn't everyone realize that this is the future? Unfettered access to information, whether you're in line at the DMV, at the park with the kids, Saturday morning soccer, whatever. What other technology is going to bridge that last mile? Nobody's putting fiber down in my neighborhood. Wireless seems like the best option for fast, ubiquitous acesss to me.
Ture.
It's a research tool for security firms that can help provide data that will help sell security services
False. It's a research tool for security firms that can't provide security because their clients insist on using insecure software like Microsoft Windows TM. I imagine the silly thing will disrupt legitimate corporate communications and collect a bunch of usless "Valuable user at 192.168.1.1" information.
As you seem to suggest, the only way to secure your wireless network is to treat it as an external insecure network. The streams must be encryped (WEP no good) and the connections must be authenticated. If you don't do that you just might end up with half your NT admins in the park accross the street.
If you just hand out IP addresses and service to anyone who walks by, you can expect people to take it. They might as well put PCs on the street and then complain when people stop and surf or play solitair. Duh, what will they think of next, trying to secure bags of money in the lobby with nerve gas?
Friends don't help friends install M$ junk.
Airscanning? Scannetting? Scandriving? Probing? WiScanning? AirSniffing? Airdunking? AirPorting? AirProbing? ScannerDriving?
Relive the BBS Past - One Byte at a Time! www.ssabbs.com
Mentioned one month ago here on slashdot this fakeAP software sends out lots of 802.11b beacon message with different SSIDs. Hide in the noise for the good it will do you.
If these companies are willing to spend the money and effort to set up a honeypot, why aren't they willing to spend the money and effort to secure their wireless networks in the first place?!
unless the honeypot has rooftop rf direction finding and megawatt laser blaster.
BOFH: Hey, tripwire shows we got a fly in the honeypot!
PFY: (looking out window with binos) Really? It could be that guy at the sidewalk cafe with the notebook out.
BOFH: Heheh, Mr. warwhiz left port 139 open and admin share on! Now where did you put smbclient?
PFY: In daisy/pub. Go for it and I'll let you know of any change in facial expression.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
)///( /// means 'unsafe area'
Three slashes over the warchalk symbol.
True technology evolves -- and this is how these 'environmental' networks will become secure, finally -- not through laws and threats against "hacking"....
Ya know, I was just thinking the other night how people need to accept wardriving wether they like it or not. Physical proximity on an open 802.11 network is very much so like dialing a point to point link; you should see me in my basement trying to get access to my wireless access point on the third floor- I move a foot to the left, check signal strength, bring the laptop up, check strength, then down, check strength, until I find a spot where I can get good enough reception. lather rinse repeat.
The only other term I could think of would be involve grep, however that implies a more sequential search and regular expressions.
In the future, I would want to not be isolated from my friends in the Space Station.
Linux: FreeSwan
OpenBSD: builtin (read FAQ)
Windows: PgPNet seems to work
Maybe I'm a dumbass, but dosen't MAC address filtering address most of the security issues related to Wi-Fi?
:-)
Well, I wouldn't say you're a dumbass, but no, it does not address most of the security issues
It is trivial to sniff a valid MAC address, and then set your card to be that address.
-- I speak only for myself.
This also relates to discussions about cooperative wireless mesh networks. If you want people to volunteer to share their wireless node with neighbors, you have to provide a box that enables it to be done safely. If the design isn't rock solid and foolproof, all it takes is a little FUD to damage the necessary trust that makes people feel ok volunteering.
The idea of placing an access point outside the wired network is probably the correct solution given the claimed weaknesses in WEP, and it might save you from replacing all those cards immediately. If I was proposing adding wireless access to a corporate or educational campus, I would propose this exclusively. No access points inside the gateways, and access the internal network resources as if you were coming in from outside. If you use a VPN solution for telecommuters, the same would work for wireless access. Now you have end2end security on your external people, and whatever your policy is about sharing out some bandwidth for free, it's more like giving a free drop to a nonprofit down the hall. You'd just hook them up to your external router with no internal access.
There was also a small comment in the interview with Vint where he says that he wishes they had designed in access controls for each node from the start. This would probably be a big help here as well as with problems related to IP spoofing and such. Perhaps IPv6 would be an opportunity to get this in, but if it isn't in the spec yet (anyone know?), it's probably too late.
.
I suspect that the first problems are going to be identification, notification and most of all entrapment.
This is nothing to fear, there is nothing to fear, but caution should be observed.
Record your activity and the instant you are notified that it is a restricted system GET OUT and STAY OUT.
Do not destroy your records, keep 2 copies in different locations, you may need them.
My larger concern is that these are unregulated frequencies and corporate use combined with prosecution could inspre the less altruistic to push to have them regulated (in the US).
Probably because the system is a sandbox, what it broadcasts is data about a network which isn't really there, probably setting up a series of spoofed mac addresses and some traffic which it is sending to itself.
The actual system is not designed to accept the data as a useful transmision, it's designed just to log what comes in on it's interfaces (probably set in promiscuous mode) and provide an appropriate response, give the hacker what he'd expect to see.
Sure, some brightspock hacker could find a bug in the software, exploit it and gain access, then browse to and remove any log files that might have been kept. But, by the time the hacker figures out it is a honeypot, the computer has already logged and recorded everything he/she has done to probe the network, and how long do you think it is going to take to find an exploit, that would let him / her remove evidence of his / her presence.
I dont hack, but I have to imagine that it's not quite that easy hacking a black box that you have never seen, when it probably runs some custom OS / software that you most likely will never gain access to. The Honeypot has it's own security through obscurity.
Probably, he or she wont bother and will instead walk away, but the data captured by the device will be invaluable in securing networks which are vulnerable to attack.
You will of course, soon find an elite group of hackers that go around specifically searching for honeypots, so that they can find ways of identifying them, and once one of them finds a way it will be passed on as knowledge, then this test will be done by any attacker as a probe first, so that his / her tactics are not exposed to any honeypots.
I have trouble finding decent FAQs for SWAN. For example, I want to set up a simple "Road Warrior" connection to my Zaurus via a floating IP (e.g. a Starbucks!) and through my NATing firewall - all I've read is that SWAN (or more correctly, IpSec) has difficulty in understanding NATs due to the contruction of the AH / ESP(sic?) packets. Please tell me I'm wrong - and send a link as to where I can find out how to do this....
Two wrongs may not make a right, but three
I believe the following are already taken: - "Kilroy was here" - "Frodo lives" - "Eternity" "WAREZ HERE" though is still available.
John Maynard Keynes: "When the facts change, I change my mind. What do you do?"
I recently purchased a zaurus + dcf650 and loaded kismet + the qt kismet app. Plugged it in, cycled to my local shop and back and had a look - no signals. None whatsover.
Anyway, tinkered around with the settings, rebooted a coupla times, ifconfiged up and down (you get the idea) and before you knew it, 2 APs detected from within my lounge. Walked outside, another 2. Next day, on the way to the the train station - another 6. From the station to work ( a ten minute walk), another 30. Around 50% of these bothered using encryption and when I put the kismet packet logs into ethereal, I didn't have a lot of stuff, but I did get a few web pages browsed and even a few pop3 account emails and passwords.
Now I'm no hacker - I did this warwalk just as I read so damn much about it (on sites like this), but either these companies / individuals want there bandwidth used or they really have completely clueless admins who have no idea what their unleashing on there networks. I feel like emailing the addys I did get with a "please secure your network", but that'd probably go to the poor users who have no idea what they're doing but have been given a neat tool by their IT dept.
So what to do ?
Two wrongs may not make a right, but three
Admiral Ackbar.
'nuff said.
Where does the school board find them and why do they keep sending them to ME?
I don't understand why people think it is so difficult to secure wireless. All you need to do is have encryption running on the box, and use some kind of authentication firewall between the wireless box and the rest of the network. We're doing this at my company, and so far it works great. We even set up a credit card payment system on the box, so people that don't have passwords (non-employees), can kick us a few bucks and get access to our T-1.
I've been called a "Fucking Dick" by better people than you.
The people doing the wardriving/walking/chalking are not doing anything illegal, AFAIK. The people running the network left a door open on a public street. If they don't want people in, they should lock the door.
The only purpose of this would be to determine whether people were looking for open networks. I can save them some money right here: the answer is "yes" - now spend your money securing your network instead of hiring consultants and "investigating."
I don't fault the company making the honeypot in this case. They're simply taking advantage of the cluelessness of companies.
I can't imagine why you'd want to BUY this though; renting one should be enough. You rent, you find out people are snooping around, you take the thing back and start concentrating on locking down.
Even better; hire someone to come by once every few months and try to break into your network. If they can, then fix the problem. Repeating this occasionally takes care of the departments/individuals that go down to Fry's and buy a WAP and install it without the knowledge of the IT dept.
if you bilk them WITHOUT lying or mis-representing yourself is it a crime ? Unless of course they are legally not capable of making desicions for themselves. I see your point and the analogy is not perfect, but...
:)
"Trespass is the proper remedy for the several acts of breaking through an enclosure, and coming into contact with any corporeal hereditament, of which another is the owner and in possession,and by which a damage has ensued. There is an ideal fence, reaching in extent upwards, a superficie terrae usque ad caelum, which encircles every man's possessions, when he is owner of the surface, and downwards as far as his property descends; the entry, therefore, is breaking through this enclosure, and this generally constitutes, by itself, a right of action. The plaintiff must be the owner, and in possession. There must have been some injury, however, to entitle the plaintiff to recover, for a man in a balloon may legally be said to break the close of the plaintiff, when passing over it, as he is wafted by the wind, yet as the owner's possession is not by that act incommoded, trespass could not probably be maintained; yet, if any part of the machinery were to fall upon the land, the aeronaut could not justify an entry into it to remove it, which proves that the act is not justifiable."
Notice, there is the PRESUMPTION of DAMAGES, while it may in fact meet some of the points for trespassing I don't think that simple use would be upheld unless you lived in Texas
errr....umm...*whooosh* *whoosh* Is this thing on ?
they'd be "Airpots"?
- Tjp
I am in wallow with my inner money grubbing capitalistic pig. ... Oink!
While what you descibed could be called spoofing, its more likely that spoofing is just a small part of your attack. What you've described is a man-in-the-middle attack. Spoofing is really just making something look like something else in order to fool someone. It doesn't have to be making your machine look like the machine of someone you're trying to attack. For example, in your ssh example, you could ARP spoof to pull that off, but say you want to access an SSH server that is restricted to certain IPs, well then you would have to pretend to be an allowed IP, any allowed IP.
Using weak metaphors to argue about computer security gets really old. A closed door, locked or not, is an indication that you're not supposed to go in unless the owner wants you there. Likewise, a WEP-protected network may be easy to get into, but the use of WEP is a sign that you're not wanted there. And just like a house with an Open House sign on the front, my wireless network has no such "go away" signal because I want people to use it. (Of course, just like an Open House sign does not mean "please burn my house down", my 802.11b base station is not an invitation to abuse my network, just an opportunity.)
well duh, it matters! Canada only has, like, three secrets. And two of them have to do with maple syrup. I wouldn't lose much sleep over it.
Oh, those warwalkers are so evil! They're actually accepting our offer to communicate! Let's demonstrate our moral virtue by creating false invitations to use our network backed with bogus MAC addresses so they don't catch on! Bleh.
"Hmm...I wonder what the warchalking symbol for a honeypot really would look like?"
A picture of Pooh with a honeypot on his head, "Oh bother."?
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
If there WAS a honeypot symbol, wouldn't it have potential to be abused? As in, draw on your own sidewalk to scare away hackers. How do you know if it's real or not? Of course if this was done a lot, it would lose believability.
Mind the legal language folks. I seem to recollect that US law is based in part on British law, but it's likely that it has diverged.
AFAIK (IANAL): in England and Wales, trespass is not a *crime*. There is a big distinction between crimes which are tried in criminal courts and other actions (torts) for which there is only a civil remedy. If someone comes onto your land you don't in general have much comeback against them unless they do some harm or damage - they haven't committed a crime. If they do damage, then you may be able to claim recompense in civil courts, but it's still probably not a crime.
However, if they are armed, then it's armed trespass, which IS a crime and you can call the cops straight away. In cases of ordinary trespass the police will be very disinterested because their responsibility is basically criminal not civil law.
No, I think he's talking about trojan horses
Author, Shell Scripting : Expert Re
What they say about GPS not working indoors is right.
Anywas, we're not taking about MAC addresses here... GPS would be an expensive and impracticle means of identification.
There are plenty of ways to secure a network, people just aren't putting forth the effort - if it's important enough just set up a VPN