Democratic Convention Computer Security Threat?

Hiawatha writes "Excuse me for tooting my own horn, but check out my story in today's Boston Globe about a possible security problem at the Democratic convention next week. If visitors plug insecure laptops with wireless connections into the convention's wired network, there could be trouble..."

anybody setting up an AP?

[UnderAttack]

Hm. Taking over the Jumbotron is probably the ultimate "Capture the Flag" contest.

Re:anybody setting up an AP?

[jred]

I think the Rep. ppl here aren't as noticeable because they aren't as offensive.

I mean, KERRY EATS BABIES!!!

Yeah, that's what I meant to say.

Um... "Hiawatha Bray"?

[boomgopher]

ummmmmmm... is that your real name?

Re:Um... "Hiawatha Bray"?

[goober]

ummmmmmm... is that your real name?

yes, that's his real name. He's been regurgitating FUD pieces in the Globe for years now...

What?

[EvilTwinSkippy]

My network just assumes that everybody is a stranger, and anything of value refuses to talk to anyone without a known MAC address.

Well at least it would, but I wound up disabling all that so the CEO could get on E-Bay.

But, but, but...

[fizban]

Who in their right mind would want to hack into the democratic convention? The only ones I can think of are Republicans, and we all know they never do anything illegal like that...

so what's new?

[stonebeat.org]

the article doesn't contain any new info. Everyone know how unsecure network connections can be at conventions. everyone know they can cause havoc.

Even the SANS conference, with all the security gurus, had issues with providing network connectivity. That is why they longer provide network connectivity, WiFi or otherwise, in classrooms.

Democrats have techies on their side...

[A_GREER]

How can they get hacked when it was AL Gore who invented the internet...

Re:Not a realy problem

[afidel]

Uh, so they are going to ban laptop's? As the article points out over half of laptops sold in the last year have WiFi built in. Thanks to XP's auto-connect for WiFi if a person was able to setup an AP outside they could surely find an XP laptop which could be compromised which was plugged into the wired network. THAT is what the article is talking about.

really secret stuff

[pocomoonshiine]

Maybe somebody at the DNC has compromising pictures of George Bush getting wads of money stuffed up... oh wait, that wouldn't be news. (Same applies to Mr. Kerry) Just what sort of top secret information does anybody expect to snag? This is a planned media circus, not a cigar smoke-filled warroom meeting.

I don't see how the security vulnerabilities at the DNC are any different than any business, convention, or hotel on any day in any city.

Hmmm not really democratic specific...

[merlin_jim]

Don't bash on the democrats. This has been a problem ever since wireless networking has become ubiquitous in every convention, company, and private network. The democrats are no more or less susceptible than anyone else...

Hey...

[Otter]

...at least the Globe has found a story besides "Why can't you whiny Bostonians take the convention in stride, like New Yorkers?"

As long as Globe writers are reading Slashdot, perhaps someone could clarify this mystery:

• Yesterday's paper claimed that "11% of Boston businesses" believe they'll make more money as a result of the DNC, with 78% expecting the same or less>
• Today's paper featured the Causeway Street pizzeria owner who put up a pro-Bush banner and is closing his store for the week and going to Canada, expecting more trouble than business if he stays open.

Excuse me? If a guy who owns a freaking pizzeria across the freaking street from the Fleet Center doesn't think the convention is worth any money, who the hell are those 11% of business owners who think they'll benefit?

Basic precaution

[Albanach]

If the Democrats have any sense, any non trusted computers are going to live on a different subnet to their trusted systems, with no routing between the two networks. The trusted systems should be using a VPN to make sure any network traffic they're emitting is encrypted.

That way, sure someone can hijack a laptop, but all they get to do is piggy back on the Democrat's internet connection or target other machines on the untrusted network.

Sure it's possible they haven't thought of this, but it's such a basic precaution I find it hard to believe. If they're letting any untrusted computers on to their network they have to treat the physical network like the internet - untrusted jsut like the guest PCs.

zerg

[Lord+Omlette]

Granite Island Group has already one-upped this story. Fuck wireless security, we're talking about actual bona fide security problems here.

ObCounterMeme

[Bearpaw]

How can they get hacked when it was AL Gore who invented the internet...

Har. Har.

It was Republicans who invented that claim. What Gore actually said was "I took the initiative in creating the Internet". Robert Kahn and Vinton Cerf -- two of the people who did "invent the internet" have publicly stated that "Al Gore was the first political leader to recognize the importance of the Internet and to promote and support its development." Repub spinmasters pushed the reworded version hard as part of their successful effort to exaggerate Gore's supposed exaggerations.

(The Repub spin this time around is that Kerry always "flip-flops". That's the script, and they're pushing it hard. I guess this is to distinguish him from Bush, who sometimes flip-flops and sometimes sticks to his opinions ... regardless of the facts.)

Re:ObCounterMeme

[Theaetetus]

It is impossble to invent, or even just "take the intiative in creating" a thing that PREDATES the time you are referring to. What makes Gore's statement stupid (his actual statement, not just the republican falsified version of it) is that the internet was already in existence before the act in question. He can't have taken the initiative in creating the internet for the same exact reason I can't have taken the initiative in creating the automobile. I wasn't there at the time.

Nope, not exactly. ARPAnet was in place, but that and the modern internet (even that and the 1980's Gopher/WAIS type internet) are very different beasts.
To use your analogy, it's more like people saying that Gottlieb Daimler didn't really invent the modern automobile because internal combustion engines already existed. They existsed in a different form, limited in use and ability, and he turned it into something usable in a car, but he didn't invent the engine.

Likewise, Gore didn't invent ARPAnet, but he was one of the primary people pushing open, non-military use of it.

-T

Practical security

[syrinje]

The democratic convention is only providing wired security so that people who bring their own notebooks to the party can plug in and share their dirty pictures with each other.

So WiFi security is not something the Convention IT staff can control, with or without WEP

Nearly a 100% of all notebook computers brought to the convention will have WiFi built-in to them. A few sensible folks will have their notebooks configured to only latch onto "known" access points using wep. The rest will have their WiFi settings set to allow both ad-hoc and infrastructure mode and to connect automatically. These people, while probably smart and successful in other ways, are likely to be morons who are network-retarded.

As a result they are unlikely to realise that while they are busy and connected to the wired network, their computers have also connected automatically to the blackHatAP that has been setup in the closed-for-the weekend in the Pizzeria across the street. A convenient and cheap SEP field will prevent them from seeing small message dialogs that inform them of these events.

Some of these notebooks, as a result of belonging to irresponible morons, will already be 0wn3d. They are twice as likely to not be updated using windos update..

In short these computers will behave pretty much the same as the drunk chick flahing her tits at Dayton Beach on spring break (altho why we only see photos of them on the internet and never meet any of these tipsy goddesses IRL is beyond me. Oh wait, that probably cuz I'm here instead of there.!)

I would lay a wager of 10 bucks at odds of 5-1 that at least 5% of the notebooks on-site will automatically latch onto the first available AP AND be unpatched enough to allow arbitrary code execution using a buffer overflow vulnerability on some port OR have a trojan installed which can be leveraged to execute said code

What is the hapless IT support guy to do? Here are a few ideas -

1. Ban all notebooks since you cant physically inspect the WiFi settings for the visitors. This idea will probably get you fired though. The morons are rich and powerful and will get their way in penetrating your network with their toys. Being a BOFH is only going to get you shafted.

2. Set up your own AP with repeaters all over the place and hope the ho-ing notebooks latch on to your WiFi network first. I am sure this is not foolproof, but will probably bring down your risk by 70%. The boundary cases here are truly that - the notebooks on the wifi edge might see a better signal from blackHatAP and kiss up to it.

3. This may not be legal in your Locale/state/country. Adherence to local laws is your responsibility. Disclaimer made, heres the option - Install a jammer for WiFi frequencies. Better yet, if you have the Secret servce on hand, get them to do it. Simple and efficient. Unintended Interference is a bizatch though.

I thought about the option of setting up a WiFi farm that would create its own /. effect on the BlackHatAP but that wouldn't scale well if the BlackHat set up more than one AP....