Slashdot Mirror
Wartrapping?
netphilter writes "This article on ZDNet writes: "A "honeypot" trap consisting of a Wi-Fi-equipped laptop is the latest weapon against drive-by hackers." Although I'm sure that I've heard of this somewhere before, it appears that the latest twist is that this company is looking to sell them to corporations. Hmm...I wonder what the warchalking symbol for a honeypot really would look like?"
I'm guessing the submitter wasn't thinking of Winnie the Pooh...
Liam
I don't get it, why not just configure your network not to hand out IP addresses to anyone who asks? Does this wireless thing have no security at all?
-- Ed Avis ed@membled.com
)( :-(
or
)NO!(
Or failing that a picture of a fat bear with handcuffs being lead away by the brain police. Damn you Pooh bear...
is this really gonna make a difference? Ok, they know you're connected, they know your IP address. So what? How are they going to actually track you down? Then what? Call 911? Interesting article but the ramifications are still unclear.
There is nothing inherently safe about liberty. That's why so many people died protecting it.
What they use to put all the crap in...
I'm not really a web designer, I just play one on the Internet.
Imagine a distributed network of Wi-Fi honeypots taking in unique ID's, and distributing a "do not provide access" list to it's corporate subscribers.
Things could get sticky.
This exact same story was on net-security.org yesterday. If you would like more information about this topic go to this story @ net-security.org.
Fighting for Peace, is like Fucking for Virginity.
think that there's a warchalking symbol for a honeypot. I think that writing SANDERS in really poor backwards handwriting is good enough. /me hopes people aren't lame, and they get the joke
The GeekNights podcast is going strong. Listen!
I wound't call em hackers, just opportunists.
Trying is the first step towards failure.
Well, I for one am glad that we are going to see a crackdown on today's tech-obsessed miscreant.
Than exposing your network and then trying to catch people who break in.
Since even a secured wireless network can be broken into in about 30 minutes,
it makes more sense to treat the wireless network as an external network.
All accesses to the 'real' internal network then go through the firewall as if they came from the Internet.
Doing anything less than this seems to be courting danger.
Sig for sale or rent. One previous user. Inquire within.
Can we dispense with the prefixing of "War" to anything 802.11 related, PLEASE?! This is just stupid now.
Historically, "wardialing" was phr33k-slang for the rapid dialling of phone numbers. Exactly what does this have to do with 802.11? Driving around and listening to packets is not the equivalent of "wardialling", nor is it in any way similar.
And don't even get me started on the idiotic term "Wi-Fi"...
It is quite possible to do wireless without opening up your entire company network. Just like it's possible to NT networking securely.
The problem is for the most part there are idiots in control of the corporate IT that have impressive MS certifications after their names but don't know diddly squat. This quote:
proves it and let's us know who they plan on selling to.And just what is it they plan to do when they get people logged into their honey pot? Call the police? Oh man please.
You know you're a geek if you've ever replied to a tagline.
I've always believed that flat out good security was a much better solution than trying to eliminate all who would probe your security. Take for instance firewalls that claim to "track down attackers"--I don't care about that. Anyone with half a brain can get an IP address from their firewall logs. All I want is a firewall that locks down all unused ports, and offers program-specific access settings. This stops most portscans and worms. The idea of a honeypot may be important in certain cases, i.e. when very clever hackers have been found invading networks, even after they were secured well. But an ounce of prevention (locking down your wireless network in the first place) is worth a pound of cure (honeypots).
OT, does anyone know of a Netstumbler-like tool that works with the Toshiba e740's built in Prism wireless card?
"I may be quite wrong." - Socrates
There is no way to "catch" someone with a modified satellite dish and hitting the AP from 2 miles away. At the most they have is my MAC address, hah, or what they think is my MAC address.
Not all people accessing wireless networks drive up to the front door.
If you want wireless security, take your WAP and plug it into a spare interface on your firewall, or whatever hardware you're using to do your VPN. Now send out a memo saying 'We now have wireless access. In order to use the wireless access you'll need to use that VPN software that we gave you so you could work from home'.
Only accepting authenticated IPSec connections is going to do a hell of a lot more good than getting useless statistics on how many people wanted to hit google while sitting in that park half a block down the street from your office.
I recently worked at a large government organization (in Canada if it matters). The particular organization held a lot of information classified secret. It was all stored on a password protected mainframe that users accessed through telnet.
Well, someone had liked the idea of setting up wireless networking for a group of users in the building. The admin who installed the system simply used MAC address authentication as the only security on the WLAN. They only had so many wireless nics, so they simply added those addresses.
The problem here is that the admin did not realize the security hole he had just opened, as we all know that mac addresses offer no security at all. Though the wireless network I was able to capture plaintext telnet sessions, which included logins and passwords, and I could gain mainframe access from my car in the parking lot. (BTW, don't attempt these types of activitys without your employers permission).
If the admin had done his homework he would have at a minimum turned on WEP (although it is not secure either, but before the crack was out it was thought to be). Finnaly I convinced them to start using the built-in LEAP authentication and a RADIUS server, as well as limiting the access that users could have with their wireless nics (ie, no telnet access though the wireless). With simply a little deeper look into the security aspects of 802.11, the admin wouldn't have opened the huge security hole in the first place.
The reason Santa is so jolly is that he knows where all the bad girls live.
Maybe it was here....
I would never use one of those airport systems because ANYONE could be spoofing it. There could be someone sitting next to me with a laptop in his suitcase.
Historically, "wardialing" was phr33k-slang for the rapid dialling of phone numbers. Exactly what does this have to do with 802.11? Driving around and listening to packets is not the equivalent of "wardialling", nor is it in any way similar.
Actually, wardialing referred to having your computer rapidly dial phone numbers and look for modems that would allow anyone to connect. The idea was that Joe Scriptkiddie would start a wardialing program when he got up in the morning and it would dial a randomized list (because the phone company is looking for lots of numbers being dialed sequentially) of phone numbers all day. In the afternoon when he got home from Junior High, he would check to see if the program had found any "interesting" information (modems on numbers that he didn't know about before) and if so he would add them to his "to-investigate" list.
If we define warX to mean aimlessly using method X to find hosts that will talk to anyone, that fits with the definition of wardialing - aimlessly dialing numbers in the hope of finding a modem. Even though driving isn't the most important component of wardriving (one could walk, I suppose), the term wardriving seems to fit. It means aimlessly driving around with a laptop scanning for hosts that will talk to anyone.
Can we dispense with the prefixing of "War" to anything 802.11 related, PLEASE?! This is just stupid now.
As far as I know, wardriving is the only war* term related to 802.11 technologies.
For those of us looking for wireless acess, we just want to check email and check a few web pages. There's no way of telling whether a unsecured wireless network was deliberately unsecured to allow people to access the Internet, (like many people and some businesses - notably, Starbucks - do) or whether it was left unguarded due to ignorance, laziness, or boneheadedness.
If you find people accessing your network and you don't want to share, lock it down. What's the point of a honeypot? To find all those roving bloggers on park benches, obsessively updating their fans on the minutiae of their lives? What are you gonna do when you find them? Slap them on the wrist?
Doesn't everyone realize that this is the future? Unfettered access to information, whether you're in line at the DMV, at the park with the kids, Saturday morning soccer, whatever. What other technology is going to bridge that last mile? Nobody's putting fiber down in my neighborhood. Wireless seems like the best option for fast, ubiquitous acesss to me.
1. Buy the honeypot from this Van Strien fellow, packaged as "a security tool for corporate Wi-Fi users" with "a beautiful user interface". Estimated cost: _____
2. Maintain it. Estimated cost: ______ per month.
3. Keep someone on the payroll to watch for suspicious activity. Estimated cost: _____ per month.
4. When suspicious activity is found.... um... what exactly do you do then?
You forgot:
5. Profit!
Mentioned one month ago here on slashdot this fakeAP software sends out lots of 802.11b beacon message with different SSIDs. Hide in the noise for the good it will do you.
If these companies are willing to spend the money and effort to set up a honeypot, why aren't they willing to spend the money and effort to secure their wireless networks in the first place?!
unless the honeypot has rooftop rf direction finding and megawatt laser blaster.
BOFH: Hey, tripwire shows we got a fly in the honeypot!
PFY: (looking out window with binos) Really? It could be that guy at the sidewalk cafe with the notebook out.
BOFH: Heheh, Mr. warwhiz left port 139 open and admin share on! Now where did you put smbclient?
PFY: In daisy/pub. Go for it and I'll let you know of any change in facial expression.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
)///( /// means 'unsafe area'
Three slashes over the warchalk symbol.
Maybe I'm a dumbass, but dosen't MAC address filtering address most of the security issues related to Wi-Fi?
:-)
Well, I wouldn't say you're a dumbass, but no, it does not address most of the security issues
It is trivial to sniff a valid MAC address, and then set your card to be that address.
-- I speak only for myself.
This also relates to discussions about cooperative wireless mesh networks. If you want people to volunteer to share their wireless node with neighbors, you have to provide a box that enables it to be done safely. If the design isn't rock solid and foolproof, all it takes is a little FUD to damage the necessary trust that makes people feel ok volunteering.
The idea of placing an access point outside the wired network is probably the correct solution given the claimed weaknesses in WEP, and it might save you from replacing all those cards immediately. If I was proposing adding wireless access to a corporate or educational campus, I would propose this exclusively. No access points inside the gateways, and access the internal network resources as if you were coming in from outside. If you use a VPN solution for telecommuters, the same would work for wireless access. Now you have end2end security on your external people, and whatever your policy is about sharing out some bandwidth for free, it's more like giving a free drop to a nonprofit down the hall. You'd just hook them up to your external router with no internal access.
There was also a small comment in the interview with Vint where he says that he wishes they had designed in access controls for each node from the start. This would probably be a big help here as well as with problems related to IP spoofing and such. Perhaps IPv6 would be an opportunity to get this in, but if it isn't in the spec yet (anyone know?), it's probably too late.
Probably because the system is a sandbox, what it broadcasts is data about a network which isn't really there, probably setting up a series of spoofed mac addresses and some traffic which it is sending to itself.
The actual system is not designed to accept the data as a useful transmision, it's designed just to log what comes in on it's interfaces (probably set in promiscuous mode) and provide an appropriate response, give the hacker what he'd expect to see.
Sure, some brightspock hacker could find a bug in the software, exploit it and gain access, then browse to and remove any log files that might have been kept. But, by the time the hacker figures out it is a honeypot, the computer has already logged and recorded everything he/she has done to probe the network, and how long do you think it is going to take to find an exploit, that would let him / her remove evidence of his / her presence.
I dont hack, but I have to imagine that it's not quite that easy hacking a black box that you have never seen, when it probably runs some custom OS / software that you most likely will never gain access to. The Honeypot has it's own security through obscurity.
Probably, he or she wont bother and will instead walk away, but the data captured by the device will be invaluable in securing networks which are vulnerable to attack.
You will of course, soon find an elite group of hackers that go around specifically searching for honeypots, so that they can find ways of identifying them, and once one of them finds a way it will be passed on as knowledge, then this test will be done by any attacker as a probe first, so that his / her tactics are not exposed to any honeypots.
Admiral Ackbar.
'nuff said.
Where does the school board find them and why do they keep sending them to ME?
Using weak metaphors to argue about computer security gets really old. A closed door, locked or not, is an indication that you're not supposed to go in unless the owner wants you there. Likewise, a WEP-protected network may be easy to get into, but the use of WEP is a sign that you're not wanted there. And just like a house with an Open House sign on the front, my wireless network has no such "go away" signal because I want people to use it. (Of course, just like an Open House sign does not mean "please burn my house down", my 802.11b base station is not an invitation to abuse my network, just an opportunity.)
well duh, it matters! Canada only has, like, three secrets. And two of them have to do with maple syrup. I wouldn't lose much sleep over it.
Mind the legal language folks. I seem to recollect that US law is based in part on British law, but it's likely that it has diverged.
AFAIK (IANAL): in England and Wales, trespass is not a *crime*. There is a big distinction between crimes which are tried in criminal courts and other actions (torts) for which there is only a civil remedy. If someone comes onto your land you don't in general have much comeback against them unless they do some harm or damage - they haven't committed a crime. If they do damage, then you may be able to claim recompense in civil courts, but it's still probably not a crime.
However, if they are armed, then it's armed trespass, which IS a crime and you can call the cops straight away. In cases of ordinary trespass the police will be very disinterested because their responsibility is basically criminal not civil law.