'Evil Twin' Threat to Wireless Security
BarryNorton writes "The BBC are currently reporting on research from Cranfield University on the ability of unscrupulous third parties to spoof wireless networking clients into believing they are connected to a 'valid base station' and compromising their passwords for Internet banking etc. Of course the rest of the connection through the Internet, even from a trusted router, is insecure in any case and such sites should be using end-to-end security like SSL. Is there, therefore, anything (other than the cute name 'evil twin') to this story?"
Is there, therefore, anything (other than the cute name 'evil twin') to this story?
Yes. If they control the gateway they now have the capability to perform a man-in-the-middle attack.
So, in other words, be careful when you connect to an unfamiliar access point? Shouldn't people already be doing this? This is about the same parallel as "Don't take candy from strangers."
http://sourceforge.net/projects/airjack/
All you need
Everyone that disagrees with me is a paid shill
I imagine an SSL man-in-the-middle attack could also be quite effective (assuming their browser hasn't already seen the 'bank.com' certificate to know it's changed).
How many banks don't use encryption? Frankly, if you entrust your valuable information to any site on the internet that doesn't provide end-to-end encryption, you're an idiot.
That was my first thought. To properly spoof all the sites so a user is fooled.
:-)
But I suppose key sites you want to capture are all that are required and the rest can be passed through.
So who wants to get one of these going
You can never trust what you're connecting to... It's the age old problem, you're asking for anything you get without performing proper encryption between both links.
Seriously, the only time this problem is going to be fixed is when it's EASY to perform encryption. Where's the easy support for GPG in email clients? SSL in web browsers was certainly a step in the right direction, but what about IM services, email, ftp? Most hosting companies (afaik) don't provide for secure ftp...
This is a problem. While it would be nice to think that everyone used SSL or a VPN to encrypt all of their traffic, it doesn't always happen. Many people, for example, only use encryption when away from work. What's to stop someone setting up this sort of facility within what people suppose to be a secure environment?
Of course, only time will tell how much of a problem it turns out to be. It's always hard to tell which security threats are going to turn into really big security problems.
Phil
I think that Email Interception is the real hole here, rather than depending on insecure websites. If you can see at which sites a person does secure transactions, you can use the 'email password' functionality to send that user an unencrypted email containing the password or reset link. That email would be easily read by a packet sniffer. Of course the victim would have to have their email client get the email, but email is the first thing that most people check. Sure the victim would get the password reset email, but most would believe that it is just a glitch.
The force that blew the Big Bang continues to accelerate.
TFA has no info on how this is being done. Are the "Cybercriminals" using a regular computer with a wireless card and wired network bridged, forwarding packets and saving a copy for themselves, or are they using a WRT54G with rewritten firmware (OpenWRT?) to capture packets? Why go through all the trouble when you can park your butt down in the coffee shop with your laptop and latte and sniff everyone directly?
Also it would seem to me that the "evil twin" method would only work with unsecured access points, unless you know the WEP key for the secured access point you are trying to dupe. Anyone trying to connect to their favorite secured AP with their default WEP key would fail to connect to an "evil twin" unless it had the matching WEP key...
Urge to post... fading... fading... RISING!... fading... fading... gone.
I wonder if the research was sponsored by a paid-for hotspot provider in order to scare people away from free competition?
and I'll say it again, the average person (not average slashdot person) wants things fast and easy. So anything requiring the least effort is the best route for them. And for some people, that is doing banking on a wireless connection without proper encryption. Of course, this is just one of the many problems that exist with doing online banking without taking precautions or cleaning your cookies afterwards. As long as these settings are not done by default for such interactions, there will always be some people to steal from. Quite easily too might I add.
The security lapse isn't with bad software, it's with bad policy and hapless users. If you connect to a fraudulent base station, then you can intercept banking passwords even with connections that use end-to-end encryption. Why, and why isn't this protected? Simple. If you connect to a website, even the most secure site in the world using SSL, and there is something wrong with the SSL certificate, you will be presented with a dialog asking you if you want to accept the certificate. 99% of people blindly click yes, because clicking no means that it "won't work" and clicking yes means it "will work". So to the average user there is no downside to clicking yes and a large downside to clicking no. Enough with the psychology though. Once you have clicked yes on this dialog the entire chain of communication is now suspect. You cannot be sure that there is not someone sniffing your connection. Even if you check the certificate and everything looks OK (sane information in text fields) you still can't be sure that it's valid unless you compare the signature of the SSL certificate with a known-good one. So, the real danger here lies in unsigned SSL certificates and hapless users. This type of attack is just as easy to orchestrate (if not easier) by associating with any wireless access point and spoofing DNS, or even on a wired network.
to connect back to a trusted network (i.e., one under your own control) so that you do all your email, browsing, etc. from there, and you'll be fine.
I do this with commercial hotspots, free hotspots, wireless at hotels, conferences, etc. - not to mention wired connections at any network which isn't my own.
This is exactly the reason why VPN was created, for situations like this. Just create a secure tunnel across the internet, and they can't sniff your data.
This is just the BBC jumping onto the IT security bandwagon again. Whenever a theoretical threat which any sensible user will not be vulnerable to anyway is reported by a researcher, the BBC immediately trumps it up on their news programs as the end of the internet.
We've already had 'end of the internet' panics from them in the last year about spam, virii, child porn, spyware, and lack of bandwidth.
This style of reporting just indicates the increasingly dumbed down approach of the BBC to news.
The interviewee seemed to be doing his best to simplify the concepts involved, but it sounded as if he were focused on the problem of the initial authentication. For example, the User goes to a public place like a cafe that has a pay-as-you-go model, e.g. he pays a certain amount per minute; such places often require a credit card to initiate the session. (Some business centers in hotels work this way for Internet access.)
If the user sits down at WiFi-R-Us to check his mail, he will have to enter a credit card number. However, there might be a 'rogue' WAP in the area configured to look legitimate, e.g. Wi-Fi-Are-Us, complete with ripped HTML, etc. to make the authentication page look legitimate. (See 'Phishing 101'). The user then enters his information on what he thinks is the proper authentication server.
It's an interesting issue, and I was glad to see it getting some broad[er] exposure.
I want to drag this out as long as possible. Bring me my protractor.
For those that don't know, Wikipedia has a nice article explaining man-in-the-middle attacks.
Is it really that surprising? Hardly. We had it coming. The lesson is: don't ignore security professionals when they say that your products are inherently flawed, but we knew that already, right? Right?
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
As pointed out by James Ogley they had this on BBC Breakfast TV with a Gnome box :)
Of course the Gnome box was the one doing spoofing at the expense of the poor innocent Windows box user.
This is about the same parallel as "Don't take candy from strangers."
What do you mean by, "Don't"?
If you look up www.bank.com, receive a wrong IP address from the DNS server (e.g. dnsspoof), and connect to it, your browser will warn you that the certificate does not match the name. (Note that if the attacker is using dnsspoof, using a local DNS server will not necessarily protect you from this)
If you ignore this warning, you deserve everything you get.
It is not so easy to get around this problem, other than:
a) brute forcing the server's SSL cert to get the private key (a HARD problem)
b) stealing a copy of the cert by hacking the bank's webserver. (Hopefully also a HARD problem), or
c) getting your own CA cert installed into the victim's browser (maybe not *that* difficult, but still not trivial)
Anyone who thinks that SSL is *INSECURE* needs to understand the protocol better.
http://www.defcon.org/html/links/dc_press/archives/12/slashdot_darksideofwireless.htm
- Never underestimate the power of human stupidity.
Still, your point is well made.
You see that brine there? That's my brine.
Ladies (ostensibly) and gentlemen, meet Slashdot's first self negating story. God it's getting worse around here by the day. ;P
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
The man in the middle type of attacks have been around for a couple years by now. This is old news turned into new FUD. There is no reason to fear that. Leave your access point open and keep in mind that it is the individual user's responsibility to use end-to-end encryption.
To college students working on their teaching certs. The funny thing is the department specifically asked me to teach a 2-hour lesson security "for the common person". Boy, has it opened my eyes to how trusting people are.
Most people have come to trust brand names. Research shows, as does personal experience with my 3-year-old, that children in the US develop brand recognition at an early age, and associate Nike or, [shudder] Microsoft, with quality. It is of little wonder that when they see a hotspot with the T-Mobile logo on the login page, they immediately trust it.
Don't get me started on phishing.
The class I teach meets in a lab where the students check out wireless laptops, and are supposed to use them as we work together in class, but, of course, most of them are just checking their email, etc. This week, I'm going to run Kismet on my Zaurus during the class and then show them the results at the end.
I'd rather have someone respond than be modded up.
The technique used in the article talks about jamming the legitimate AP to hijack the client connections. The real trick would be to figure out a way to forward the hijacked connections back to the real AP.
Army of One!
How would I go about that? Connection refused - there is a router encryption problem - click here
This will install the certificate authority, "Wireless Router". No, it's not a sure bet, but there's a good chance it would work.
Social engineering so often plays an important role in computer attacks.
Kinetic stupidity has a new brand leader: Allen Zadr.
One attack of non-SSL communication would be to target software downloads. When you see an exe, msi, zip come through in the clear, simply add your virus to it. Unless the user double-checks the md5 hash, the user will probably never know what hit him.
http://www.sysadminmag.com
June 2004 Volume 13 Number 6
Peace.
...isn't a quick one-time man in the middle attack, where a proxy server issues a one-time bogus certificate that the surfer has to accept in order to become a victim. The real threat is that the one bogus certificate can be built with the rights of a root certificate authority, capable of issuing other certificates.
So the really scary attack goes like this:
1) Set the evil proxy to transparently pass all traffic until an innocuous, non-SSL site (like maybe slashdot.org) is surfed.
2) When such a site (which wouldn't arouse one's security suspicions) is surfed, spoof it with a page announcing a "new, secure version" of the site is available as a feature, explaining that all the surfer has to do to get the "enhanced security" is to accept a one-time special certificate.
3) Send the bogus cert with the CA certification flag as securing, for example, https://slashdot.org.
4) Proxy all of the slashdot traffic using ssl, and wait (perhaps a long time) for the victim to eventually surf an actual SSL-secured site.
5) Generate a bogus cert for the SSL-secured site, proxy it, and record anything of interest. Once the victim has installed your bogus cert with the CA flag, you have the ability to generate certs for any domain, and spoof any secure URL he ever surfs without any certificate acceptance dialogs popping up.
Anybody see any holes in this compromise?
About the word "if": If bullfrogs had wings, they wouldn't bounce around on their little green butts.
Instead, what you want to avoid this attack (unscrupulous network device in the middle) is SSL-enabled mail checking protocols.
Such as, say, secure POP and secure IMAP which the major mail clients have all supported for years, and which most mail servers now support out of the box, but which, for some reason, most ISPs don't make the default (or occasionally, don't even make possible)
GPG defends against J. unethical sysadmin at your mailhost reading the content of your email; while it would provide a protection against reading email here, it wouldn't prevent the sniffer from getting your username and password, which is probably what people are more worried about. (Besides, can you _guarantee_ that all of the people likely to send you sensitive email will use GPG? Even if you can, do you want to give some sniffer owner the ability to do whatever else he can with your email account, which may include filling webspace provided by your ISP with the latest warez, deleting all your email, setting up a "This dud got 0wn3d" auto-responder...)
Discussed on Slashdot previously
Is there anything special about traversing a wireless network vs. traversing a wired network? Don't all the same possibilities of sniffing, snooping, redirection, man-in-the-middle etc. apply to both? Isn't it just a matter of degrees - maybe easier to gain access to the wireless network vs. the wired network?
Why someone doesn't just slap an open-standard VPN server onto the base station is beyond me. Solves a bazillion problems all at once.
SoupIsGood Food
I watched the piece on BBC TV news this morning.
:-(
Guy sits down, opens his laptop, starts a Microsoft OS, opens IE and calls up his bank's homepage.
Other guy comes in, sits down, opens his laptop. He's running Linux!
Really, Linux on a BBC news piece, wow!
But then he starts evil twinning the Microsoft guy's wifi link. He's the Linux bad guy.
Nice one BBC.
Isn't this really a new variant of 'man in the middle' (quite literally)?
Here are a few ideas:
1. An easy way to prevent this is to have your Access Point assign you a strange IP address. That way if you normally get 192.168.1.251... and you end up with 192.168.1.1... you have an idea something is wrong.
A simple way to get a clue.
2. Another way to do this is a bit more complex. If you have another computer or file server at home, set up a webserver. Make sure this system is wired. Set your computer's homepage to that system (using your internal 192.168.x.x ip).
Now when you open your web browser... if you're using your own access point, you can view that site. If you're being tricked onto another Access Point... you won't be able to view it.
3. Setup your computer to ONLY use WEP enabled Access points. Then the only way you're connected is if your computer successfully connects to an access point using your WEP key.... that requires the hacker to know your WEP key. Not available on all wireless software packages, etc. etc.... but for those who have the option, another decent trick.
Just a few pretty simple tricks.
Isn't there a possibility that a well organized crime ring would go to Verisign for their signed authority? If the CA is included in the browser, the DNS cache poisoned, and the URL spoofed, how would the end-user know any difference?
Last year I noticed my wireless reception was bouncing between excellent and poor. After some experimentation, I changed the channel on my wireless router...bingo...I then see that someone in my vicinity had set up shop on the same channel as my router, and was using the same SSID...an attempt to get my pc to connect to his base station. Once connected he/she would have been able to sniff all my traffic, launch all manner of windows exploits, etc. I promptly renamed my SSID to F**KOFF to send a message. Exchanging a WEP key would have taken care of this, but I wanted to keep my net open.
-h3dge
Actually, that in and of itself isn't too hard - all an attacker would have to do is broadcast a very strong signal on a channel different than the one the access point is using, but with the same SSID, and then have a second wireless card locked to the correct channel communicating with the "real" access point. I don't know about Linux wireless, but my windows laptop has no problem reconnecting if I change the channel my access point is using. (and this is after I've locked it down so that it won't autoconnect to other networks, or even to my own if I disable WEP - the key has to match, but the channel can jump all over the place) Certainly if someone is going to connect to a network and sees two TMobile networks, one with a strong signal and one with a relatively weak signal, they'll choose the strong one. Also, who hasn't sat out in the Borders parking lot trying to use wireless that's normally only available inside Borders? And who would find it suspicious that the wireless signal now covered a much larger area?
If the access point is set up as, for example, T-Mobile access points are, all access is initially blocked except web access, which is immediately redirected to a T-Mobile sign-on screen. Now I don't know whether the real sign-on screens use https or not, but certainly some phisher's fake login screen wouldn't use https, and after a bit of niggly stuff left as an exercise for the reader, the victim has given the fake access point all of the information necessary to log onto the network: either a TMobile userid and password, or their credit card details, etc.
And all of this because the victim never noticed that the login page he was automatically redirected to was served over http, and not https. Remember, the initial login redirect isn't an address anyone types in; they want to go where they want to go, and the login page is a familiar and accepted hurdle to jump over. Assuming that the attacker's setup does sufficiently complicated redirecting and rewriting of html on the fly, the page could in fact be an exact replica of the TMobile signon page, just served over plain http.
All this of course assumes that the initial login redirect is served over https to begin with. If the initial login page is served over plain http, then everything is much easier for the attacker, who just needs to forward packets back and forth and sniff like crazy. (there's still the minor problem of DHCP packets, which may need to be forwarded with the original MAC address intact, and so could make it difficult to phish many people at once, but...)
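The tell-tales the thread keeps coming back to (a second BSSID copying a trusted SSID, a louder signal, a different channel, open instead of WEP/WPA, and the "pin what you expect" idea from the numbered list of tricks earlier) can be turned into a small client-side check. The following is an added example, not code from the thread or from any tool mentioned in it; the scan record format and the sample data are constructed, and the SSIDs and BSSIDs are placeholders.

```python
"""Evil-twin indicators from a Wi-Fi scan.

Added example (not code from the thread). The scan format below is a
constructed, simplified one-record-per-line format, not the exact output
of any real scanner; feed it from whatever tool you use. SSIDs containing
spaces are not handled in this constructed format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Bss:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int
    security: str  # "open", "wep" or "wpa2" (simplified)


def parse_scan(text):
    """Parse constructed lines of the form
    BSS <bssid> ssid=<name> channel=<n> signal=<dBm> security=<open|wep|wpa2>
    """
    records = []
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) < 6 or parts[0] != "BSS":
            continue
        kv = dict(p.split("=", 1) for p in parts[2:])
        records.append(Bss(
            bssid=parts[1].lower(),
            ssid=kv["ssid"],
            channel=int(kv["channel"]),
            signal_dbm=int(kv["signal"]),
            security=kv["security"].lower(),
        ))
    return records


def find_twins(records, trusted):
    """Flag unknown BSSIDs advertising a trusted SSID.

    trusted maps SSID -> set of BSSIDs you have pinned as your own.
    Returns a list of (ssid, bssid, reasons); the reasons are the
    indicators discussed in the thread: unknown BSSID, different channel,
    different security (e.g. open where you expect WPA2), stronger signal.
    """
    by_ssid = defaultdict(list)
    for r in records:
        by_ssid[r.ssid].append(r)

    findings = []
    for ssid, known_bssids in trusted.items():
        seen = by_ssid.get(ssid, [])
        known = [r for r in seen if r.bssid in known_bssids]
        for r in seen:
            if r.bssid in known_bssids:
                continue
            reasons = ["unknown BSSID advertising a trusted SSID"]
            for k in known:
                if r.security != k.security:
                    reasons.append(f"security {r.security} differs from known {k.security}")
                if r.channel != k.channel:
                    reasons.append(f"channel {r.channel} differs from known {k.channel}")
                if r.signal_dbm > k.signal_dbm:
                    reasons.append("stronger signal than the known AP")
            findings.append((ssid, r.bssid, reasons))
    return findings


def is_trusted_association(ssid, bssid, trusted):
    """Check the BSSID you actually associated with, not just the SSID:
    the SSID is exactly what a twin copies."""
    return bssid.lower() in trusted.get(ssid, set())


# Constructed sample: one pinned home AP on WPA2/channel 6, a louder open AP
# on channel 1 copying the same SSID, and an unrelated network.
SAMPLE_SCAN = """
BSS 00:11:22:33:44:55 ssid=HomeNet channel=6 signal=-60 security=wpa2
BSS 66:77:88:99:aa:bb ssid=HomeNet channel=1 signal=-35 security=open
BSS 0c:0d:0e:0f:10:11 ssid=CoffeeShop channel=11 signal=-70 security=open
"""
TRUSTED = {"HomeNet": {"00:11:22:33:44:55"}}

if __name__ == "__main__":
    for ssid, bssid, reasons in find_twins(parse_scan(SAMPLE_SCAN), TRUSTED):
        print(f"{ssid} via {bssid}: " + "; ".join(reasons))
```

The pinned-BSSID check is the part that survives even when the twin gets everything else right (same channel, same security setting, comparable signal), which is why it is kept separate from the heuristics.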
Tried it against my own AP. Nice, nifty little program called airsnort: within 4 hours or less you can have the million or so packets needed to crack pretty much any sized key for WEP.
WPA's potentially better in that it changes the WEP key every so often with the handshaked parties to make it dramatically more difficult to obtain the WEP key- but there's still a risk that the WPA key can be broken or sniffed out of the whole mix.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
This has been a known exploit for three years now. How is this news?
It's pretty simple: most operating systems' wireless stacks will connect to the SSID with the strongest signal. Just set up and clone the SSID, put out more power and then send a disconnect packet. The clients will disconnect and then attempt to reconnect and will select your base station. The user will have no idea...
Very old news, this is just scratching the surface on some of the issues surrounding wireless security.
If you're doing a MitM attack, you're routing certs from wherever you say. Your fake DNS jives with the real DNS, meaning you route victims to x.x.x.x and they pass thru z.z.z.z. You're not just fooling the user and his/her computer, you're fooling the cert.
Nothing prevents you from asking the original target for its cert and replaying that answer to the victim. They start the conversation and you finish it as you wish. Just intercept their logoff and you can do what you wish and they think they logged out. Worse yet, the transaction is mixed with real and faked info and hard to tell apart.
So you paid your electric bill and gave $200,000 to Scammo the 419? All in the same transaction. Do you expect us to believe that it's wrong?
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
Any "Network-security" minded person would always consider a WiFi network as untrusted (like the Internet).
Just run a VPN on top of it...and/or when accessing HTTPS web sites, carefully check the certificates.
Also, WiFi and some APs have terrible security flaws. I own an old D-Link DI-514 802.11b Wireless Router. Because WEP is so bad, they added support for WPA-PSK. The problem is that anybody could try to brute-force the password of the configuration web utility (password limited to only 8 chars!) and then, in the menus, the WPA-PSK key is displayed in clear text (no '*'!). Wow! What were they thinking?
Security is only as strong as the weakest link...
This is old news.
Set up a regular access point.
Install a web server like NoCat.
Substitute the NoCat splash page with a copy of the T-Mobile (or whatever) login page. You can use wget to grab this.
From there you use a plain old cgi script to pipe the userID, password, credit card number, etc. into a text file.
A columnist connected the last earnings report with the last US election which both took place on 2nd November 2004. Major transaction also announced on the same day as inauguration today. There is a more than suspicious connection between the two. I have always wondered if the two have the same fate, this time it is confirmed. This explains why news concubine has been hiding the shit. Hoho, there will be some serious fun in the next 1 to 2 years.
At the university I go to, there's widespread wireless, on a closed network with pptp required to connect to anything. It'd be relatively straightforward for someone to set up fake dhcp, routing (and sniffing) to the real world, catching pop passwords automatically sent every 5 minutes, from computers which are yet to connect to the pptp server but have 'seen' the wlan network.
So it is a real threat...
Now I can see how this might apply to a corporate network with a government network, but maybe you should realize that the fact that the AP doesn't have any protection and the network doesn't look the same should ring some warning bells.
I do security
Back in my day we didn't have fancy terms like "Evil Twin"... we only had man-in-the-middle.
:(
These kids have it all
I prefer the term "Imposter Gateway." (Cough)
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
What is the best way that I can ensure that the WAP I am connecting through is the WAP I believe it is?
:)
I know XP users seem to have it worse--from reading the comments to this story, XP seems to associate with *any* available access point automatically... eep!
If my machine can't contact its AP, the interface is not brought up and I am safe. If the real signal from my AP is jammed, and an attacker spoofs it, then I am still reasonably safe because my machine will try to use a WEP key which the attacker will not have, unless they spent some time doing whatever analysis one needs to do to captured 802.11 traffic to obtain the WEP key.
I have been meaning to switch to WPA, but couldn't get wpa_supplicant to work at all a few months back, and so apathy triumphed over security.
1) Get broadband and set up cheap AP at home
2) Run dsniff
3) ???
4) Profit!!!
455fe10422ca29c4933f95052b792ab2
This almost happened to me, but right before I connected I looked at the router and it had a little goatee so I steered clear.
don't use wireless for data-sensitive networks.
and put good security on the computers you use.
WIFI is overrated.
Most of the bandwidth is wasted on just authenticating packets (so 11 mbps is more like 4 mbps)
It's a waste of time, and it may end up being a health risk too. (microwave radiation being used so wildly)
Can the "evil" wireless router just have a local system attached that has fake versions of a whole bunch of common banking websites, etc, and a fake DNS server, which redirects these DNS lookups to the fake versions of the sites? In IE, most users turn off the notification that the site is not secure(no certificate, no SSL), (or just click through it), and treat it as the real site, thereby giving up their login info.
The DNS server could even be set up to pass through to the correct site any that weren't spoofed on the local fake webserver, and gradually make up login pages for each of them in order to fool more people.
It seems to me that most people are so security unconscious that all the little telltale signs that would set off alarm bells for a security expert (http vs https in the address, etc).
"If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
Evil twin access points must be uplit, and wear a goatee.
So you have somebody connecting to your network, right? Here's a partial example from memory
In /etc/hosts, add 127.0.0.1 slashdot.org
To your firewall rules, add:
iptables -A prerouting -s 192.168.0.0/24 -d 66.35.250.150 -j REDIRECT
Setup a local DNS, using internet DNS for all names except those already in hosts
Add an apache entry like
<VirtualHost slashdot.org>
</VirtualHost>
Whammo, all connections going to slashdot get redirected to the local machine. The local machine serves out pages for anyone going to slashdot.org, which happen to clone slashdot. You could do the same for a self-signed cert on https, except the user would get a warning (which most click-through anyhow).
And yes, it's easy and it works. I've done this for a staff member who was working on his personal site on work time (cloned it, copied it locally, redirected and "modified" some of the products so they were a little more amusing).
There's a small SF Bay Area startup that makes specialized wireless access points. You set up a network of the access points. The access points know about all other access points that *should* be there. When it detects another access point that is acting like an "evil twin," the network of access points can not only locate the evil AP to within a few meters, but also DOS it with a bunch of bad packets to knock it off the network. The CS department in Berkeley uses it. It can also be configured to knock out any non-evil AP if you want to restrict wireless APs in your organization. I don't know the name of the startup as the presentation by the CS IT department chose not to disclose the company.
http://airsnarf.shmoo.com/
Yes, SSL is effective at this. However, many banks don't practice complete SSL security.
Take a look at the homepage of Chase:
http://www.chase.com/
They put a "secure" login on the page. Just look at the little lock there. Just like people are taught to look for.
The problem with this page is that it's not secure... A man-in-the-middle attacker could easily replace this page and where the login form goes to.
I've already complained to Chase about this many times, yet they don't believe that this is a security problem.
-- these are only opinions and they might not be mine.
You have to produce a good bit of documentation stating who you are and where you are before you will get a key. If you managed to pull it off, I would imagine it would be fairly hard not to get caught if you were to be found out.
how about a fake certificate authority?
if you have a fake bankofslashdot setup could you not have a corresponding certificate and a fake verisign certificate authority to say it is ok.
We use the "wireless" all the time here -- that Jack Benny is a hoot!
I took a fish head out to see a movie, didn't have to pay to get it in.
This is _wireless_ stuff.
People who live in glasshouses shouldn't throw stones (or "bad packets"). With wireless networking, it's really a glasshouse in more ways than one.
If you depend on wireless networking that much, you definitely shouldn't be throwing bad packets around. The person you are DoSing may not need wireless networking as much as you do. An eye for an eye and the whole world goes blind and all that.
Good luck finding proof that it's an Evil AP.
Plus I'm not sure how clear the laws in various countries are over running tcpdump on traffic that runs through your _own_ networks. And whether if it's such a good idea for people to go to jail for running ethereal on their own machines...
It's not exactly wiretapping... if it's wireless...
*most* users when confronted with a dialog box saying the certificate signature is unknown or does not match will just click it to go away as fast as possible because its getting in the way of their bank login.
I had a long conversation about this topic with a friend of mine at Microsoft.
It's great that you could get caught. (And it's debatable in such a case, because how do you track down which of the Starbucks you connected to a "T-Mobile" WAP at was the spoofed one?) But the person's already had access to your bank account, and possibly your computer (if you download any executables), so you've already lost.
Best thing to do is to not sign up for any wireless service in public at all (registering for T-mobile at home is the correct thing to do from a security standpoint), though this process defeats the idea of the oncoming era of wireless being available on every street corner... what's the use in having ubiquitous wireless when anyone with any sense is too paranoid to use it? (Unless it's free, of course.)
-Bill
Slashdot is surely on a roll for front page old news..
I have little faith in Verisign, so I assume that you could easily get the securebank.com cert. If they won't sell it, someone even more useless will. Maybe not for citibank, but certainly for an Your scheme has a minor hole in that you can't use DNS to do the redirect; it'll point to the securebank.com but the browser will still think it's bank.com, and so will expect a bank.com cert. The redirect you're expecting happens at the HTTP level, but the SSL handshake will happen first so they'll still see the warning. However, I'm sure a cleverer mind can fix that hole...
In soviet russia stale jokes recycle you!
There are a few problems though.
:).
Internet Explorer (one of the most popular browsers) treats the option to "warn when going to a secure site" as the same as "warn when leaving a secure site".
How many people have disabled the warnings?
Worse: could a hijacker/phisher create a non-secure page and use javascript to overlay the "secure lock" logo on the relevant parts of the browser window? And erm, draw the necessary "windows/dialogs" to help the user check the certs?
Most people start with http://.../ instead of https://.../ so they won't notice.
Could the javascript stuff also pop up a dialog saying "You are about to view pages over a secure connection."? in response to the click? Many pop up blockers don't block popups directly triggered by the user.
I don't see why you can't do all that with javascript - after all I've seen javascript draw birds flying around the screen etc etc.
The trouble is many of these banks/organizations are stupid (or evil) and _require_ javascript for their online applications to work. How convenient for the attacker. I have complained to some of these organizations but they don't care.
I used to be an IT Security Consultant - but I think not enough people care about IT security...
Have a nice day...
Could've sworn I publicly demo'd how to steal T-mobile, PayPal, E-Trade, you name it passwords from users with rogue APs ummm... almost 2 YEARS AGO.
http://airsnarf.shmoo.com
Maybe we just don't pay news organizations enough to pimp our shit and get some Slashdottin'? Shame on us.
We're obviously slacking, but the world better wake the fuck up. Slashdot, too. And maybe university professors with eureka-look-what-hackers-have-been-doing-forEVER moments.
FYI, we're hosting a hacker conference in D.C. in a couple weeks--just in case you want to get a head start on the news items that Slashdot will pick up on 2 years from now.
Sincerely,
Beetle
The Shmoo Group
http://www.remote-exploit.org/?page=hotspotter
You're silly if you do banking on-line anyway, using credit cards is one thing, and they can be made much more secure by doing verifications for all on-line transactions. Sure it may be a little inconvenient, but come ON, you must drive past the bank on your way to SOMEwhere?!?! Unless you don't leave your house, which means you probably weigh 300 lbs. at 5'10", and you have many more problems than who's stealing your money. Like, how you're contributing to the sedentary problems of the populations of the developed Western nations. See? So in effect, this internet banking thing is a non-issue, it shouldn't even exist in the first place.
And I need to thank you guys for that wonderful application. I made some modifications to it and used it to circumvent the VPN and steal some admin passwords to prove the lack of security on my campus for my master's thesis on (the lack of) 802.11 security. It made them rethink their network security setup.
All I needed was a WiFi DoS utility and I whitelisted the rogue AP, the victims never had a chance.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
http://shit.slashdot.org/article.pl?sid=05/01/20/1 310254
I am a professor at a university, and we have already done all this stuff years ago like you said. I am going to be kind and say that I am hoping that this being reported as "current research" is due to the fact that the media have just picked up on it, rather than this institution doing that currently. You may also find that they were told to dumb it down by the reporter. I did a story for the media recently myself about wi-fi use and had to keep it really simple.
However, while that explains it for the vast masses out there, it certainly does NOT explain why it is on slashdot. What the?
why doesn't your bank just assign you a Network card and verify by the mac address?