How to Take Over a Train Station
ThinkComp writes "Everyone knows that home wireless networks are insecure, but who would expect a major transportation hub to be vulnerable to the same problems? Well, waiting for my friend's train at South Station in Boston, MA, I happened to notice that it was possible to take control of the entire station's wireless network, including its home page and authorization method (free wireless, anyone?)--and those of thirty other businesses throughout Massachusetts, thanks to a few coding errors on the part of the wireless company with which South Station contracted."
News at 11.
Here :)
liqbase
Everyone knows that home wireless networks are insecure, but who would expect a major transportation hub to be vulnerable to the same problems?
Well, would you expect railroad company employees to be any smarter about computer things than your average Joe Blow surfing the innurnet down the street?
I'd be more surprised to find open hubs around, say, Linksys buildings. But then again, only slightly more surprised, mind you.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Should you not tell anyone and get free wireless for life, or just goatse everyone?
Am I part of the core demographic for Swedish Fish?
Please remain where you are. The Department of Homeland Security has already pinpointed your location, and agents will be arriving shortly. Resistance is futile.
Disclaimer: The opinions expressed are not necessarily my own, as I've not yet had my medication today.
Summary: here's documentation of my illegal access to a system, please prosecute me, thanks.
no more running for trains - use your ipaq as a remote control for your very own train set.
and close the doors when you are all the way through
next stop: home
...icle: "Unless something is done to force accountability for wireless devices, perhaps by recording ethernet MAC addresses (which are unique and hard-coded to a physical piece of hardware)" ... uh, no they aren't. Most devices allow you to change your MAC with impunity. Others can be hacked to do so, by tweaking their firmware. MAC addresses meant something back in the day when they were hard to change (it's never been impossible) but those days are long gone.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
All your trains are belong to us!
This person merely tried common tricks to expose the network settings. Here's a summary:
1.) Try the default login/password combination and make some educated guesses.
2.) Look at the source code of web pages.
3.) Don't be an idiot admin and leave your system wider than your momma.
White Paper: South Station
Aaron Greenspan
Date: January 31, 2005
Topic Area: Security
http://www.thinkcomputer.com

Wireless internet access has become a pervasive phenomenon in America's cities today, and there are many reasons why that is a good thing. Almost anywhere you go, whether it is a small coffee shop, or a car dealership, or an airport, or even the middle of a sidewalk, there's a good chance you'll be able to find a wireless signal, obtain an IP address, and start using the internet. As I'm writing this paper from my chair near the corner of my office in Boston's Financial District, there are six wireless networks available for my laptop computer to sign onto, two of which require no encryption whatsoever. None of them belong to my company or myself personally. One of them does belong to a company I know to be nearby, and should I choose to sign onto its network, I have full access to files on their Windows NT and Macintosh servers. Sometimes, I take this action without my even knowing it; for some reason, even though I've asked it not to, Microsoft Windows XP occasionally opts for the best wireless connection instead of my wired ethernet cable, which is faster. When this occurs, I am able to browse the internet using the nearby company's DSL line (for which they are presumably footing the bill), but I usually cannot tell the difference.

It has already been well-documented that wireless routers intended for home use are often insecure due to the fact that hapless customers tend to leave their default settings as they are. This usually means that you can sign into any home router with relatively obvious authentication information, such as the username "admin" and the password "admin." This is not always the case, of course. Depending on the manufacturer and model, the password might throw you off (some use "1234"), but it is never very hard to figure out. If for some reason you cannot guess it, a simple search on the internet for "default router passwords" will reveal a default password for every router you ever might want to know about. These pages sometimes follow the basic syntax for authentication information, which involves the username, followed by a colon, and then the password. Decoding the information is not difficult. All that's left to do for the visitor of such a page is match up the model number on the router with the one on his or her screen.

The damage that can be done in this fashion is usually underestimated, for hacking often assumes the form of a chain reaction, as you will see in this paper. In other words, each time a hacker finds a password, it only makes it easier to find the next one. Once a hacker knows the password for a router, firewalls can be shut down. When those are down, ports are open, and viruses can infiltrate networks easily. Viruses often bring with them "malware:" spyware, keystroke loggers, data loss, and a plethora of other technical problems. Based on observations at Think, almost all Windows-based desktop computers in use today are afflicted by at least one of the aforementioned problems. An incredible amount of the spam we receive in our inboxes comes from our next-door neighbors, who do not even know that they are sending it. Misconfigured routers are somewhere along the beginning of the chain.

It is worrisome to think what might happen if these kinds of security issues really began to affect our businesses, financial institutions and our physical infrastructure: the basic framework of our society. It is worrisome only because it is already happening.

South Station is a major transportation hub in downtown Boston, Massachusetts. It serves thousands of passengers and commuters each day, who travel by rail on A
Yeah, I have a MAC address of 00:00:00:00:00:00. Fun!
Hello dear Internet Friend,
I am curious about your negrosemitic roping technique for securing wireless access points in railway stations. Could you please elaborate?
Regards,
Joe Slimy
Marketing department, Linksys Inc.
Sure, wifi allowed access to the start page, but the same weakness (lam0r administration) would show up on, let's say, a wired public terminal. Wifi just makes criminal actions so much harder to catch.
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
When you can play with the real thing?
Very good article. However, one of the author's ideas for improving security doesn't actually hold water. The problem is to verify the identity of people being assigned dynamic IP addresses on a wireless network. He proposes
"... to force accountability,"
Actually, most network cards allow you to set the MAC address by software if the factory one isn't good for you. For example, this is needed for drop-in-replacement functionality.
He's doomed. If he or his wife can't figure out that she should bring him the nickel instead of a sandwich as the train goes by, he deserves to be stuck down there.
Besides, the election's over anyway. I don't think Riley won.
Java: the bastard demon spawn of C++ and Ada
Did you refund your friend's tickets?
Cloned foods give the statement "We had that last week!" a whole new meaning.
Why would you want to set up WEP or WPA in an environment like this? The point is for clients to connect without the need of a key and then register through a custom proxy server. If encryption was enabled nobody would be able to connect.
Unless you are a journalist. With the Patriot Act, you are not allowed to expose weaknesses like this in such an irresponsible fashion.
.... really make me feel like going to some place in Richmond and doing a bit of wardriving ....
This fella just cracked the "wireless" router put in place for patrons; he didn't break into the train station's systems. The title should be changed. Also, his writeup is well, boring (and obvious), like I found a wireless router in a similar state about a year ago in a coffee house. Unlike him, I didn't poke around, I reported the issue directly, called the programmers involved and got them a bit admonished.
At first this wasn't entirely the case. Consider, for example, copying all the files from /usr/bin to your home directory 1000 times. Back in the old days that would be enough to fill up the hard drive, which would quickly stop other people from using the system. You could affect other people, the kernel didn't stop you, so it must be allowed, right? Well, no. You're wasting resources and being an asshole. But rather than put a sign on the wall that said "please don't waste disk space," someone decided this was a "security" issue and implemented disk quotas in the kernel. Now you can't affect other users by using up all the disk space.
Consider the "fork bomb" issue. For those who don't know, this is just like using up all the hard drive space, except instead of disk you're wasting memory. A fork bomb will quickly bring an older unix machine to its knees, and back in the days when I had the joy of sharing a unix lab with other students, a fork bomb would go off at least twice a day. Why? Because if the kernel permitted it, it must be ok, right? Now there are protections in most kernels just to detect a fork bomb and stop it.
Such a strange way of thinking. Thankfully most unix users do not try to apply this attitude to the real world. If they were to see the police or the government as some kind of kernel, they might be surprised to find that they could kick over granny in the street or go ballistic with an automatic weapon. The police didn't stop me, it must be ok, right?
Just to bring this long post back on topic: just because you can take over the wireless internet of a train station, doesn't mean you should do it. It doesn't mean that it is permitted. There doesn't need to be a failsafe kernel monitoring and stopping every undesirable action that you can possibly perform. We can live with people being able to break the rules. It's called freedom.
How we know is more important than what we know.
One combo box on even the shittiest consumer routers. :-)
Karma: It's all a bunch of tree-huggin' hippy crap!
Well, this is the product:
guestBOX
And... this is the company:
Atlantis Technology Corporation
So, all that research... and it never occurred to you to contact the vendor? Granted, maybe these are so plentiful some re-seller or VAR put it in there... but you didn't make mention of that line of thinking (or was this not the whole PDF?) so.... sorry, that's just sounding a little on the lame side.
Now, if they scoffed or blew you off at that point, okay maybe... but still. You knew the company from just looking at it. Did you try to contact them? I think that would be more telling than surfing through open Indexing on a web server like a kid curl'ing porn images.
http://fudge.org
BTW, for windows, there is a great tool called MacShift that will allow you to randomize your MAC address. Just make a shortcut and run it before you connect to any wireless network, and you'll have a different one each time. No tracing there.
-molo
Using your sig line to advertise for friends is lame.
It's about a third-party "convenience" service that he cracked into; whoopee.
Psst. Read the article. It has zero to do with WPA or encryption. It has to do with bad programming, bad passwords, and general bad administration.
My experience is that on Windows platforms with mixed-manufacturer hardware, it is a royal pain in the ass to set up WPA.
From TFA:
"...for some reason, even though I've asked it not to, Microsoft Windows XP occasionally opts for the best wireless connection instead of my wired ethernet cable, which is faster. When this occurs, I am able to browse the internet using the nearby company's DSL line (for which they are presumably footing the bill), but I usually cannot tell the difference."
Turn off your wireless card, dumbass.
Using this, set their access to $-100 (Negative 100) per hour, so that you get money every hour instead of having to pay it. This will surely attract business to the station.
-Palal
Giving us a PDF link without a proper warning is really bad form, /.
Did this article really need to be put into a PDF?
Does anyone save any kind of bandwidth or anything by doing this? At least is it worth pissing off the people who are linked to it?
Artist will always make art.
Pathetic.
He didn't "take control of a train station" he found a way into the administrative access to the wireless network. The fact that he did this at a train station is totally irrelevant and only serves to be inflammatory "what could terrorists do with this?" nonsense. I'd say this is about the equivalent of someone finding a breach of security of pay toilets. Just because it's technical and happened at a train station doesn't make it news.
Did he find a way of stealing credit card information? I didn't see that in the summary anywhere or through skimming the article. That may be a more serious security breach, but simply being able to turn on free or password access? Big deal.
AccountKiller
Take an old computer that you can sacrifice, load it up with audio &amp; video files, slap in a p2p app and a wireless NIC, go wardriving for such a place, set it up and abandon it where it won't be easily found. lol
It would be interesting to see how many (if any) of these turnkey systems even think of implementing encryption in their db backends. How all those poor unprotected credit card numbers...
It's a mass transportation system, so IIRC any 'attack' on it, whether cyber or otherwise, would count as terrorism under the U SAP AT RIOT act.
Watch out...
In the free world the media isn't government run; the government is media run.
redmond:washington
And that's all I need to say.
That's the craziest thing I've ever heard; it's a good thing someone nice stumbled across it.
i have a roll of electrical tape.
I knew you could.
(Warning: here there be goatses!)
Mal-2
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
You will be caught and be fined heavily! Just ask the other teenager how fun sitting in court was. This is not to mention damage to your entire professional life (I assume it exists).
Slashdotters here might encourage you, but remember that you will be sitting in the dock alone. In other words, you will answer for YOU. Now before I get modded down, I beg to remind whoever might read this that what I am saying is FACT.
What he wrote isn't an academic paper on security, it's bragging about cracking a system. His self-incriminating "whitepaper" fits the classic definition of 'unauthorized access of computing resources' as defined by so many laws (in Mass as well). This guy is an arrogant (for writing such a shitty whitepaper) idiot (for posting it!). He just committed a felony and he should be prosecuted to the fullest extent of the law.
RTFA! He did _not_ try to contact the administrators. He contacted the customer, and given the whitepaper he wrote, probably in a bragging sort of way. What the customer did was absolutely correct: they asked him to send his complaint to the abuse email at the vendor's website. Did he do that? No. This fella is just a common script-kiddie criminal, and should be locked up now before he does anything more "clever".
You've swallowed the Patriot Act and OHS' line all the way, haven't you? There are such laws ... but that doesn't make them right, just or reasonable, nor does it make the story's poster a terrorist or a vandal or anything else. He's really more akin to a passerby that noticed that you had left your premises wide open, and tried to tell you about it. He apparently tried to report the security failure to the responsible parties but was brushed off. So now they are doubly responsible for having the failure in the first place, and then failing to do anything about it when informed.
By your rather low standard of evidence, it seems, if I accidentally accessed my neighbor's unsecured wireless LAN I should be cuffed and sent to jail? Please. Let's leave the totalitarian laws for the totalitarian nations of the world, and put responsibility where it is due. And apparently he didn't pick the lock ... there was no lock. There may be some expectation of privacy on the part of the wireless LAN's owners ... or there may not. So let's everybody lock our own doors, secure our own LANs, and keep the handcuffs for actual crooks.
The higher the technology, the sharper that two-edged sword.
no, even if you are a journalist -- they have no exceptions for stupid crimes like this. The fella is guilty, by his own writing, of a felony punishable by up to 5 years in prison in Mass.
Last year or so I booted my laptop in an airport (which will not be specified)... suddenly I'm connected with a signal of about 60% to the airport's wireless network.
I enjoyed about ten minutes of free internet access. At least it wasn't as bad as it could have been for them. There were no shared files or printers, nor could I see any other computer on their workgroup.
"Unlike him, I didn't poke around, I reported the issue directly, called the programmers involved and got them a bit admonished."
It's good someone followed the hackers credo instead of the "because I can, I should" credo.
Wouldn't WPA undermine the entire purpose of a public Wi-Fi network?
While the use of default router passwords is of course stupid, it's important to think about what exactly this situation really is.
What the author of this white paper really accessed is the admin interface of a wireless internet service provider. With this access, he/she could steal internet service or allow others to do so, or even obtain personal customer data, including credit card information, and use it for his/her own gain. While these are of course Bad Things, they really come nowhere close to constituting a national security risk. An inconvenience and a violation of state and federal law, yes, but a national security risk, no.
What would change things is if it were actually possible to access _train station_ systems through the wireless network. However, these systems are not configured this way. The wireless access is provided by a 3rd party provider that handles only pay-for-service internet access. Anything related to station services or railway control would be handled by its own separate network. The author of this white paper says nothing to indicate that it is possible to do anything that would touch train station operations or that would be of any use to terrorists in an attack on the "very important" nearby buildings.
Sounds like a whole lot of nothingness to me...
The whole article reeked of script kiddy. He blamed the "programmers" for setting up weak passwords. The programmers could be responsible for their software allowing weak passwords, but he accuses them of being the ones who set the password. This makes him feel "more special" to think that he is getting around the programmers, not guessing lame passwords. His traveling through the directory listings sounded exciting, but he would never have gotten anywhere important if he didn't do the password game.
For someone who wants to report his findings his reluctance to use the abuse email is dumbfounding.
Ignoring the grandstanding title and the fact that the author astroturfed his own "article" and site, here's a quote:
A more farfetched, but very real possibility, is that computers or workers at airports and train stations also use these same networks to make everything tick. If that is the case, it might be possible for an intelligent high school student to start changing train timetables or rerouting baggage.
And his evidence for this is, what? His own personal opinion? He's been watching Hackers too much if he thinks the schedule board at South Station is networked; it's a -flip- chart (seriously, stick around for 5-10 minutes, and watch it update itself). I'd be amazed if it had anything better than a dedicated thinnet connection to an ancient PC. It's not like some kid with mad h@x0r skills is going to go bippity-boop and put up "TRAIN TO FUCKVILLE 4:20". No. That happens in Hollywood, where people "launch the genetic algorithmic viral defenses!". It does not happen in the real world.
There are a lot of cheap shots and snide remarks aimed at "The Guvmint", "The Man", etc. This guy sounds like he's about 19, not to mention he's just admitted to logging into places he knew he didn't belong AND changing settings (he changed them back, but still...). Sounds like a great federal indictment to me.
Some googling shows he's in his very early 20's(graduated from Harvard in 2004 in "3 years", which means he's maybe 21 now), runs some consulting company. Sounds like he's just out to promote his business like every other story submitter these days...
Please help metamoderate.
Did you even read the article?
- He guessed passwords, this is the _classic_ case of unauthorized access; a felony in most states. It's like walking up and jimmying a perfectly good lock.
- He did _not_ inform the company who was providing the service; instead he badmouthed the company to one of their customers (who really could care less, the free-wireless is just like a coke machine for patrons from their perspective)
- He seriously _thinks_ that he did nothing wrong, when he is not only a felon, but one that didn't report his findings to a reasonable source.
IMHO, he's an arrogant child who needs 15 days in the clink to think hard about what he has done and to promise not to do it again. This whole conversation, ignoring that he _did_ commit a felony, and then acting like it isn't a big deal, sends the _wrong_ message to script kiddies. This fella is a criminal. He broke/entered and he vandalized property (changed settings). He did so without any intention of informing the _owner_ of the box he broke into.
He deserves to be prosecuted to the fullest extent of the law.
"Tread carefully my friend! You are in the US, where frivolous law suits can be filed anytime, against anyone."
Well I don't like the color of your typeface. I'M GOING TO SUE YOU!
Did anyone ever read 'Marvels'?
It's a comic book that looks into the destruction of cities that superheroes cause as they fight each other, and the effects on the families of the victims.
Good cracker VS Bad cracker is the same.
They both fight their wars, about things the bystanders don't understand. Virus VS AntiVirus, Spyware VS AntiSpyware etc.
All of us bystanders just watch, patch, update and hope for the best.
I used to work in Downtown Boston for a major retailer, and lets just say, from my 2nd floor office, I could see so many OPEN wifi networks, that netstumbler used to go nuts !
The reception I got from the companies when I pointed out their wifi was "insecure" was rather nasty... one admin actually started swearing, telling me that he would call the feds as I was "hacking", he had my MAC address ! (oh yea I'm so scared!)
Now, I call the company if I can find details, and leave a message in their general delivery vm. A few networks have since I started this practice fixed their networks, more just keep popping up!
At last count, sitting outside South Station waiting to get on a train, I found over 45 networks, 4 were WEP/WPA protected; heck, one network I did a quick test on (downloading the QuickTime exe via wget as a quick-and-dirty speed test) nearly maxed out my G wifi...
" .... really make me feel like going to some place in Richmond and doing a bit of wardriving ...."
Actually people should be thinking what this will mean for Grid WiFi. Kind of like an entire neighbourhood unlocked.
Yeah your probably right, what the hell kind of name is Donovan anyway?
In case you don't know what we're talking about here, this is how simple fork bombs can be:
In OS X, you set the priority for network connections. If there's ethernet available, it'll go for that, then wireless, then modem.
Linux and Windows probably have similar things.... maybe the author just had his head up his ass. But it's not reasonable to have to flick wireless off if you've physically inserted a cable. That should be a sufficient input to tell the machine how to connect.
Psst. Not everyone can read .PDFs.
Whenever I set up a wireless network for a client I always turn off SSID broadcast, turn on WEP, and enable MAC denials. Granted, you can always spoof a MAC address. Hell, almost every NIC I've run across has offered the capability to change the MAC address. But the author makes a good point about security and logging. In the corporate arena I've set up dial-up servers with TACACS or RADIUS behind them to keep things nice and tight. But wireless doesn't really offer that. One of the local universities uses Blue Socket - that seems to be efficient enough. My bet is that guestBox will be out of business within a year.
That was a handy post.
Could this explain why Pretty Girls Don't Take The Subway?
Test passwords and test code are also a problem; I just ran into it in one of the systems that I had subcontracted from another company. A little bit of code that just happened to list all passwords and usernames when certain parameters from the URL were missing. It was a heart attack moment. I think I'll post AC for a change.
good thing this white-hat security expert showed me how insecure their systems are.
If encryption was enabled nobody would be able to connect.
Not so. It's pretty well known that the encryption implementation in a/b (I think just them, not g) is flawed in such a way that you can pick up the encryption key just by monitoring the air waves.
It says in the biography he started the company at the age of 15 from his bedroom, and the DNS registry was done in 1998. This makes it about 6 1/2 years ago, so he's late 21 or early 22. Arrogant little shit, ain't he?
OK, so next time I'm at a public hotspot at a coffee shop I'll break out snort and sniff their WEP key... no wait the point of a hotspot is for people to pay and authenticate their MAC address, not turn on encryption
Not exactly. WEP is flawed in such a way that given enough encrypted data packets and packets with 'weak' IV's (a field to facilitate the encryption) you can determine the WEP key. WPA, which is the new standard, is vulnerable to a brute force attack when it is set up in 'personal mode', i.e. shared secret and not auth against a RADIUS server.
802.11[a,b,g] does not have an encryption implementation. The encryption is implemented through WEP, WPA, LEAP, etc. It's an addon.
...You need a group of 12 terrorists to defeat a team of 12 CTs with CT-47s and a bomb! Wallhack, speedhack and autoaim help.
I'm just curious, but what OS are you using that doesn't have a free PDF viewer? Even if you're in text mode it's a very simple step to view it as text.
I dunno, but his Brain was in a movie once.
it's called 802.11i. Read about it here.
If you are really curious go find the IEEE standard documentation.
Your MAC address is (well SHOULD be) "unique and hard-coded to a physical piece of hardware". It is physically tied to your NIC, and you can not change it. What you can do however is change how it is represented in software, so that the other party never sees your actual physical MAC address, but the idea that you can actually change your MAC address is just plain wrong. Feel free to try, change the MAC, then switch the NIC to another machine and see if it retains the original or altered address.
This guy claims that he tried to report the problem, but was fearful of the company's legal department "coming down on him". Why was he fearful? Does he believe he did something illegal? Did he do more than what he said? Did he misuse this configuration error?
Did he have no fear of the legal consequences when he published his paper without notifying the company?
This is not journalism, nor is it a childish prank. Is this guy doing some real damage just so he can have his 15 minutes of Slashdot fame?
It's one thing to find a problem and report it to both authorities and soon after publish his findings. It's another to sit on the issue and publish it without properly notifying authorities.
It's another thing to find a problem and sit on it for a day or two.
It's another thing to misuse it for a while until you're busted.
Did someone get scared, and then report it to try to cover ass with a claim of "journalism"???
Public service, wireless... and without encryption. Nelson, your line.
The old DECnet required that all ethernet cards have the ability to change their MAC address. Part of the protocol, and you couldn't connect to DECnet unless you had the right MAC address (which was changed as part of the network protocol; you normally didn't change this manually).
Just in case a customer ever tries to use their chipset with DECnet, nearly all cards allow software to change the MAC address. Since all current chips have the ability, when designing a modification to the old chip it is easier to leave that ability in than take it out.
I don't know if anyone in the world still runs DECnet, but it isn't a chance network vendors are willing to take.
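As an added example (not code from any of the posts above or from the white paper) tying the DECnet comment to the earlier MacShift/MAC-spoofing comments: the IEEE 802 address format already reserves a bit in the first octet to say "this address was set by software, not burned in by the vendor", and DECnet's AA-00-04-00-xx-yy station addresses have that bit set. The code below derives a DECnet Phase IV station address from an area.node pair, generates a MacShift-style random locally-administered unicast address, and classifies any address by its I/G and U/L bits. The SSIDs, OUIs and sample addresses are constructed for the demo; the DECnet mapping (AA-00-04-00 followed by the 16-bit address, area &lt;&lt; 10 | node, in little-endian order) is the documented Phase IV scheme.

```python
"""Added example: software-chosen MAC addresses and how to recognise them.

IEEE 802 encodes two flags in the first octet of a 48-bit MAC address:
  bit 0 (0x01) I/G  0 = individual (unicast), 1 = group (multicast)
  bit 1 (0x02) U/L  0 = universally administered (vendor OUI),
                    1 = locally administered (chosen by software/admin)
DECnet Phase IV rewrites the NIC's station address to AA-00-04-00-hh-hh,
where hh-hh is the 16-bit DECnet address (area << 10 | node), little-endian.
"""
import os
import re

# aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF, with one consistent separator
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def parse_mac(text: str) -> bytes:
    """Return the six raw octets of a textual MAC address."""
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", text))


def format_mac(raw: bytes, sep: str = ":") -> str:
    if len(raw) != 6:
        raise ValueError("a MAC address is exactly 6 octets")
    return sep.join(f"{b:02x}" for b in raw)


def is_multicast(raw: bytes) -> bool:
    return bool(raw[0] & 0x01)


def is_locally_administered(raw: bytes) -> bool:
    return bool(raw[0] & 0x02)


def random_unicast_mac() -> bytes:
    """What a MacShift-style randomiser should produce: random octets with the
    locally-administered bit set and the multicast bit cleared, so the
    address never collides with a vendor OUI and is valid as a source."""
    first = (os.urandom(1)[0] | 0x02) & 0xFE
    return bytes([first]) + os.urandom(5)


def decnet_mac(area: int, node: int) -> bytes:
    """DECnet Phase IV address area.node -> AA-00-04-00-xx-yy station address."""
    if not (1 <= area <= 63 and 1 <= node <= 1023):
        raise ValueError("DECnet Phase IV: area 1..63, node 1..1023")
    addr = (area << 10) | node
    return bytes([0xAA, 0x00, 0x04, 0x00]) + addr.to_bytes(2, "little")


def classify(text: str) -> str:
    """Label an address as multicast, locally administered, or vendor-assigned."""
    raw = parse_mac(text)
    if is_multicast(raw):
        return "multicast"
    if is_locally_administered(raw):
        return "locally administered"
    return "universally administered (vendor OUI)"


if __name__ == "__main__":
    # Constructed sample addresses; none were captured from a real network.
    samples = [
        "00:0c:29:3e:1f:aa",                 # looks like a burned-in vendor address
        format_mac(decnet_mac(1, 1)),        # DECnet node 1.1 -> aa:00:04:00:01:04
        format_mac(random_unicast_mac()),    # MacShift-style random address
        "01:00:5e:00:00:fb",                 # IPv4 multicast (mDNS) group address
    ]
    for sample in samples:
        print(f"{sample}  ->  {classify(sample)}")
```

The point for the thread: a captive portal that "records MAC addresses" is logging a value the client chose, and the U/L bit at least tells an operator which of the logged addresses were admittedly software-assigned (every DECnet-derived address, and every MacShift-style random one, has it set); an attacker who copies a real vendor OUI clears that bit too, so the check is a hint, not an identity.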
You know what I find creepy...not so much what this guy did, but if you look at all the posts proclaiming "This guy is a felon, lock him up" it's almost ALL done by Anonymous Cowards. Makes me wonder who all is doing it. Might just be one guy posting over and over and over, or it could be some hired hands trying to make a statement.
Either way, I'd like to see a followup to this at some point stating what happens with the guy next:
"Does he really get arrested, or is he hired on by wireless network providers? Stay tuned to find out!"
I'm surprised that nobody took the time to browse around the website where the pdf is. If you go to the front page of Think Computer Corp., you find a link to a press release telling that the flaws have been fixed.
Obviously the guy didn't publish the pdf before ensuring that all was well.
Well, it is nice that this guy actually bothered to write this up, but he seems to simply be using a lot of common mistakes and guesswork. On top of that, his knowledge of some basic concepts in hardware administration and business processes is somewhat lacking.
First, MAC address are not unique. There is no universal table of MAC's that hardware manufacturers report to. I have installed ethernet cards from the SAME manufacturer that have had the SAME MAC address while setting up machines for a client.
Second, many of these errors are not necessarily the programmers' fault. They are more than likely the responsibility of management being cheap and forcing programmers to do the jobs of multiple people. IT is separate from software development. The fact that the network and server are insecure is the IT department/person's fault. In small companies this may be the same person, but in most large corporations that is not the case. Directory listing and permissions are generally the responsibility of the server administrator.
Now, the username issues are definitely scary. Leaving test accounts open with simple passwords is just plain stupid. The company I develop software for has over fifty million dollars worth of data on their servers. We also store credit card info for clients, etc. If we used common passwords like that, we would be fired. The admin would go through the database, see the passwords, and report them to our supervisor. Say goodbye! Not to mention, test accounts on production servers are bad practice anyway. If you are making any money, you are extremely stupid not to have a separate development environment.
In my opinion, these problems seem to be more management and implementation problems, and not so much development problems as the author seems to suggest. They are still real problems though. That customer listing one for the phone company really scares me. ::shiver:: I hope SBC in Texas doesn't have problems like that.
Tired of free ipod spam sigs? Opt ou
"...happened to notice that it was possible to take control of the entire station's wireless network..."
Why didn't you? I highly doubt you could do a worse job than the T is doing right now.
This would be a nice article, if it were accurate.
Its at least a partial fabrication. The Wrap does not run guestBOX.
I mean, just WOW. That's like going into the Mall of America, and leaving your windows rolled down and the keys in the ignition. You probably could have gotten away with doing that back in the 1940's, but sure as hell not nowadays.
Awesome.
Dear Department of Homeland Security,
It has recently come to our attention that you are using methods of pinpointing locations of individuals that may infringe on our "Latitude/Longitude" techniques (Patent Pending).
You are hereby ordered to cease & desist all location activity until you have properly licensed our intellectual property rights.
Yours Truly, -Microsoft Legal Team
WPA, which is the new standard, is vulnerable to a brute force attack when it is set up in 'personal mode', i.e. shared secret and not auth against a RADIUS server.
This is totally off the topic, but WPA is only vulnerable if you use short passwords. If you use passwords of 20 or greater characters, you're not vulnerable to a brute force attack. Really any symmetric encryption algorithm with a poorly chosen or short password is vulnerable to an offline brute-force attack. Simply get a block of known text, a block of that text encrypted, and set up your brute force attack encrypting the known text with different passwords until you get the sample encrypted text. WPA is no different from AES in that way.
AccountKiller
The 'L' should have been uppercase, as all the other letters are uppercase. On the other hand, what do you expect from a region that cannot correctly pronounce any word with the letter 'R' in it?
You fail it wicked sick, losah.
I was hoping the Eagles could pull an upset, but they just weren't strong enough. They turned it over far too much and wasted a lot of time. I knew the Patriots would win, but the Eagles did better than I expected. I had them at 10 point underdogs.
LOL @ Freddie Mitchell failing it hard.
That's an acronym.
Then why the hell post a 'solution' when you don't know what the problem is?
Not only that, but it is trivial to buy a wireless card at a computer show or swap meet for cash. Totally anonymous, so some law enforcement agency knowing the MAC address, even if you couldn't change it in software, would be meaningless.
Save it, and go straight to 2600...This is worthy of them.
No. Freedom is when reasonable actions are not against the rules.
There are some rules ("no mass murder") that are good rules, and that you should not be able to break (with impunity, at least). These are the rules that actually make people's lives better.
If something is not a good rule, it should not be a rule. That you can get away with breaking it doesn't make it "okay". What you describe is nothing more than a fascist state with incompetent police.
When I was a kid, I was able to figure out the locks at North Station in Boston. For those of who who don't know, North Station is the other major train station in Boston.
Back in the 60's, when the world was a little bit more innocent, I was able to fit a master key to all of the locks in North Station, which was also Boston Garden (the arena for the Boston Celtics and the Boston Bruins).
I never used the key; in fact I threw it away once I made it. It was only a proof in concept.
The only things I make are my wearable art (http://www.allyn.com/ and http://www.clearplastic.com/)
Locksmithing is no longer fun with all of the security paranoia. I buy my own locks to play with. The only fun thing I do in North Station anymore is to prance around in a leather jock strap and a clear plastic raincoat.
Cleara
I realize that you're being deliberately obtuse, but the use of quotes around the term "terrorist" was clearly meant to give the term a certain uncertainty. Who and what constitutes a terrorist very much depends on your politics, and frankly, many people in the US these days seem to use that term a little bit too freely.
Your picking the extreme "suicide bomber" example says nothing about the OP's point; suicide bombers may be considered terrorists, but not all the people that are considered terrorists are suicide bombers, or even necessarily guilty of a crime anyone can prove in a court of law (what a hassle habeas corpus is -- let's just get rid of it), or even accused of a crime.
The fact that this is not just says nothing about what ought to be done with real criminals. It simply points out that just because the scare term "terrorist" is applied to a person does not mean that they should immediately have all their rights stripped and be sent off to an offshore prison facility where the pesky rights our great nation affords to people in its territory are null and void.
I don't speak for the OP, of course, but I believe that was his point. What's more, I think you understood that full well.
The only way to really track people is by using a transport protocol with authentication. Somehow I don't think the world is ever going to agree on one.
-- Jack
Not a huge fortune 500 computer company. Why WOULD you need an IT department for a train station? Sure if you're talking about Grand Central Station or some huge hub similar, but for most who cares? Most train stations have to skimp on seating, lighting, cleaning (trains in the U.S. are a pathetic sight compared to European or Japanese counterparts) and other much more important aspects rather than hiring an IT professional to run a computer network that's probably smaller than one most /. readers have.
Three Microsoft engineers and three Apple employees are traveling by train to a computer conference. At the station, the three Microsoft engineers each buy tickets and watch as the three Apple employees buy only a single ticket.
"How are three people going to travel on only one ticket?" asks a Microsoft engineer.
"Watch and you'll see," answers the Apple employee. They all board the train. The Microsoft engineers take their respective seats, but all three Apple employees cram into a restroom and close the door behind them. Shortly after the train has departed, the conductor comes around collecting tickets. He knocks on the restroom door and says, "Ticket, please."
The door opens just a crack and a single arm emerges with a ticket in hand. The conductor takes the ticket and moves on.
The Microsoft engineers saw this and agreed it was quite a clever idea. So after the conference, the Microsoft engineers decide to do the same on the return trip and save some money.
When they get to the station, they buy a single ticket for the return trip. To their astonishment, the Apple employees don't buy any ticket, at all.
"How are you going to travel without a ticket?" asks one perplexed Microsoft engineer.
"Watch and you'll see," answers an Apple employee.
When they board the train the three Microsoft engineers cram into a restroom and the three Apple employees cram into another one nearby. The train departs.
Shortly afterward, one of the Apple employees leaves his restroom and walks over to the restroom where the Microsoft engineers are hiding. He knocks on the door and says, "Ticket, please..."
From atlantis's web site:
All contents of this Site are Copyright © 20001, Atlantis Technology Corporation. All rights reserved.
I guess that they are so far advanced that they don't need secure passwords anymore.
They also seem to believe in the DCMA act. GFG article author.
PHP info disclosures and sloppy password policies are so five years ago. Sure, they still happen - but it's hardly news-worthy. Releasing papers that contain this level of material no longer causes people to say "wow, you just discovered something interesting, we'll give you +1 Insightful" they will say "wow, you just broke the law and you're going to jail". There is a time for whistle blowing and a time for discretion - I think discretion was needed in this case.
... Ashcroft will be over shortly. And not to sing a cheesy song.
It's like walking up and jimmying a perfectly good lock.
huh? since when is L:P admin:admin or South:Station or wifi:wifi considered a perfectly good lock? If you believe that, I have an origami based home-security system I would like to sell you.
This is a relatively formal security report - and I certainly feel that I have a right to know that a major wifi network that I might pay to use (with my CC# mind you) is compromised severely in security. Kudos for the publicity - he also mentions that he attempted private contact before writing this paper. Publishing this makes the perpetrator (South Station for acting under the pretense of providing a secure network) and potential victims (customers) very aware of the need to reconfigure the network.
75 out of 100 people that might have discovered this trick would have left it as "hey cool, free wifi access for me and my buds," another 20 or so out of 100 would have done much worse (we're talkin' goatse on the homepage).
At worst this was a subtle brag of "L33tness", at best a noble public security gesture.
and hey, if you lose your job at guestBox over this - I hear Diebold is looking for a few good men...
Why is this on the frontpage, this seems more like I would see it in 2600 or Blacklisted 411. This is not worthy of the frontpage of slashdot. It's not news that someone figured a way around a train station's wifi spot. I'm sorry but it really looks more like poseur bragging.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
http://shit.slashdot.org/article.pl?sid=05/02/07/0 047208
And his evidence for this is, what? His own personal opinion?
While I agree with you on the fact that he's just speculating at that point, nevertheless a possibility exists for this sort of thing to happen.
Simple example: I went wardriving through town once. I found a lot of connections of course, but basically I just set the sniffer up on the laptop and drove around slowly. Later, when I got home, I checked out what I had found, and using timestamps I figured out where the different access points I had found were (I lacked a GPS then).
One of the ones I found was a drugstore. I looked at the raw trace and saw some really odd plaintext there. So I went back and left the laptop in the car while I went in and bought some stuff and took a look around.
What I found:
- Their cash registers were all wirelessly linked to some system in the back. When you scanned an item, the barcode was read, transmitted to the machine in the back, which looked up the price and spat it back to the register. Credit card authorization was handled the same way. All this was plaintext, as I looked at the data and found my credit card number as well as barcodes from the items I purchased in there. Didn't understand the formatting, but it wasn't too difficult to see my name and credit card number stand out like a shining beacon.
- Some kind of prescription transactions were wireless as well. While I didn't get a lot of data of this sort, there were packets containing various drug names, in plaintext, being sent over the air. I'd bet money that insurance information as well as whoever bought the prescription would have eventually gone out in the clear too.
The point being that security was basically non-existent for something you have a reasonable expectation of being private. I mean, when you design a wireless network to handle credit transactions, you'd think some form of encryption would be pretty frickin' obvious, right? Let alone tossing somebody's prescription info out onto the airwaves.
So while he didn't state you could change the lights and has no idea if you can actually fuck with the trains, the point I think he was trying to make is that clearly security is not at the forefront of the minds of a lot of people for this sort of thing. Admittedly, my drugstore example happened a couple years back, and may have been fixed by now, but this sort of thing happens because people don't think about it being an issue. It's that part that needs to be fixed. Whether any given example can actually be compromised in a serious way is not the point.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
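The drugstore story above is the kind of finding a practitioner would want to confirm mechanically rather than by eyeballing a raw trace. As an added example (not code from the thread or from any poster), here is a small scanner that walks captured payloads, pulls out digit runs of card-number length, keeps only those that pass the Luhn check, and reports a masked form so the finding itself does not become another plaintext copy of the card number. The frames are constructed inline to stand in for sniffed traffic; the card number 4111111111111111 is a well-known test PAN, and the field names in the sample payloads are made up.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes
# (the separators are stripped before the Luhn check).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum digits,
    valid when the total is a multiple of 10. Filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep BIN (first 6) and last 4, the usual PCI-style display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans_in_payload(payload: bytes) -> list[str]:
    """Return masked, Luhn-valid card numbers found in one plaintext payload."""
    text = payload.decode("latin-1")  # never raises; keeps byte positions
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def scan_frames(frames) -> list[tuple[str, str]]:
    """frames: iterable of (source_label, payload_bytes).
    Returns (source, masked_pan) for every hit, one per occurrence."""
    hits = []
    for src, payload in frames:
        for masked in find_pans_in_payload(payload):
            hits.append((src, masked))
    return hits


# Constructed sample traffic, standing in for a wireless capture.
SAMPLE_FRAMES = [
    ("register-3 -> backoffice", b"SKU=012345678905;QTY=1;PRICE=4.99"),
    ("register-3 -> backoffice", b"AUTH;NAME=J DOE;PAN=4111 1111 1111 1111;EXP=0807"),
    ("register-1 -> backoffice", b"AUTH;NAME=A SMITH;PAN=1234567890123456;EXP=1206"),
    ("pharmacy -> backoffice",   b"RX;DRUG=amoxicillin;ID=8675309"),
]

if __name__ == "__main__":
    for src, masked in scan_frames(SAMPLE_FRAMES):
        print(f"plaintext card number on {src}: {masked}")
```

The Luhn filter is what keeps this usable: the 16-digit value in the third frame is rejected because its checksum is wrong, while the spaced-out number in the second frame is recognised once the separators are removed. On a real capture you would feed this the reassembled TCP payloads rather than individual frames, since a number can straddle a segment boundary.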
If reporting security problems does not get easier for so-called white hat hackers, then there is a very good chance that problems will not be reported until it is far too late.
Well actually you're a Grey Hat hacker. White Hats are actually authorized to try and crack networks and usually get paid for it.
[Please type your sig here.]
Except that the system was running on php. What MCSE worth his certificate would be running php?
And the directory structure was not standard for Windows.
No Penguinoflight, you need to claim this as one of your people.
No reason to lie.
Actually this is some very basic HTML hacking. He went to their service, which re-directs all new people to their home page. He directory surfed around the web server, and found a few dozen other sites, as well as the company's home page. He tried some very basic password combinations, (like test:test), and got control over some active sites. These sites included customer information and credit card databases.
So really, the site that served images from an unobfuscated directory allowed the person to know what to look for, the directory was fully listed in a way that directories shouldn't. The passwords were very, very insecure. This had nothing to do with wireless security, but rather web services security, and basic things for security that people don't do.
The passwords in the article, BTW, no longer function. At least, not from my remote machine. Anyone reading this from South Station wish to see if the passwords still work on-network?
The ______ Agenda
When we live in a nation feeding off of the teat of insecurity and fear; this is the outcome. Exposing failure in Bureaucracy is tantamount to criminal behavior. Survival of the fittest my ass. "...something about casting the first stone...it's in there I assure you...I think is says something about forgiveness." - Atheists on the Bible
"If you have the scripts stored in a remote location, ie ftp, then your in for business."
You mean you're - that's the conjunction for "you are". The intelligence of most slashdot posters is (correct me if I'm wrong) way above average, yet I have seen a countless number of posts that make the same mistake - they use your for everything.
Yes, that really is the solution - silence the messenger. I think the real stupid crime lies with the wireless company with which South Station contracted.
Hah, if that is their definition for "taking over a train station", I must confess to a much bigger terrorist feat: In September 2004, I took over Copenhagen Airport!
(Hey, it was just a matter of running tcpdump, and then stealing the first packet's IP and Mac. Easy.) What was more surprising though is that the same trick worked in a hotel network with a wired network. Didn't they hear about switches in Denmark?
While hanging around Mexico City airport with a few spare minutes, I decided to poke around their Prodigy pay-for-access service. I didn't get to the billing and actual access management bits, because it was pretty easy to find out passwords and architecture of their backend SAN components.
Actually getting info on how their systems were set up was, similar to what's described in this article, just a matter of looking at webserver directory contents and checking out "hidden" links in their php scripts.
Cole's Law: Thinly sliced cabbage
You are wrong. There is a number that is used to initialize the MAC address. A MAC address is obviously in no way dependent on that number set in the NICs ROM, if it were we wouldn't be able to change it. Conceivably you could make a NIC with no MAC address preset. It would just randomly pick one each time it was initialized. I guess when we install software and alter a setting, that isn't changing the setting, since if I install the software on another machine the new install goes back to the default setting.
It wasn't the IT department of the railroad that screwed up. This was *outsourced*.
In other words, it was the fault of the people the station contracted to install wireless.
I have a sneaking suspicion had they used the IT department, this wouldn't have happened, but what do I know?
At that point I was on a crippled version of Windows XP at a school. I couldn't add programs (say, Adobe Acrobat Reader) to read it. I don't know how you read it without a specialized reader on XP. Popping it into Notepad and Wordpad certainly doesn't work.
And even if it did, that'd be a rather lot of work for the average /. reader.
If you read my previous comment, I was on a computer without a PDF reader. The blurb made it appear as if it was an unsecured wireless network. (Which even if I had been able to read the article, I probably wouldn't have because unsecured wireless networks aren't news.)
I'm sorry, your mightyness.
But, when the song was written, it *was* called the "MTA". Only after it expanded to the north and south shore suburbs, (in the sixties?), was it renamed the Massachusetts Bay Transportation Authority. A bit later, they decided to save some paint (or maybe nobody wanted to be bothered to paint the extra letters) and called it the "T".
Legendary for no-show jobs, loads of "assistant" supervisors with T-issued SUVs, their own police department and being a black hole for money. Not to mention the fact that, as the fares continue to go up, the quality of service continues to go down. They have *just* discovered farecards (unfortunate for those who increased their take-home pay with quarters), so maybe there will finally be some accountability, but I wouldn't bet on it.
In the late 80's in Connecticut the DOT highway signs (the giant lightbulb-based info screens on the overpasses) were run by a PC at the DOT headquarters, which had a modem line for remote control. A couple of kids did in fact find the modem's number, dial in, and found out there was no password protection on running the things. They used the signs to say some very unflattering things about then-governor Lowell Weicker. IIRC a motorist called the DOT and clued them in. No mad h@x0r skills needed, just a not-obscure-enough phone number.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
They still haven't patched an injection hole in their registration system, even after I was nice and told them about it. Free wireless for the kid while waiting on Delta to lose my bags. Another NYC pay-service is in the hotels run by Affinia. Supposedly you have to register, etc. All you have to do is statically configure and they never bill you.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
Many parts of this article are simply lies and show that the author does not even understand the principles of wireless networking and the fact that everyone is responsible for his own network but he thinks he can write about it. This is ridiculous and another example of an idiot who has no clue spreading FUD and scaring people in order to make a few bucks. This is very irresponsible and counterproductive to the work of thousands of volunteers who are donating their time and equipment to build urgently needed open community wireless networks.
You don't even need to go that far. The orinoco drivers on my windoze laptop lets me change the MAC through the GUI on the fly. Finding an allowed one is a simple matter of running kismet for a couple of seconds.
Attention All Slashdot Readers:
/.
Maybe it would be a better idea not to name the specific places one cracks--esp. if you're doing the "journalism" to provide some sort of unrequested pro bono security audit to publish on the internet. If anywhere, your findings should first and primarily be reported to the parties responsible for a given system's upkeep and security. Publishing weaknesses is like putting an ad in the paper or signs in your neighborhood that indicate the addresses where all the broken door locks are. What about your first amendment rights? Well, my axiom is: just because you can doesn't mean you should. And I think this is on the same level of irresponsibility as yelling fire in a theater.
I think to do otherwise is simply exploiting a chance to grand-stand one's technical savvy at the expense of someone else. I think we see quite enough of that here at
IMHO
I might know what I'm talkin' about, but then again, this is Slashdot...
There exists NICs which allow you to use any MAC you want to (I own one).
I just read a couple weeks ago that South Station installed a new security system, all computerised. If you can get into that, then I'm impressed. If life were like Deus Ex...
Excellent piece. Anyone who bothered to RTF(boring,pedantic,condescending)A would quickly see that the headline is a complete fiction. All the author did was exploit a hole in a for-pay Public Access WiFi network. No opportunity to route trains onto otherwise occupied platforms. No threat to a "major transportation hub."
Just some guy doing trivial guesswork to get free wireless access...that happens to be at Boston's South Station
Was writing the article his post-priori justification for the service theft ?
From the author's "/shared" directory:
"Sorry! You've tried to access a page that you don't have permission to see. If you think you should be able to see it for some reason, please contact us to let us know about the problem."
"Please take note that this server is monitored regularly. If we notice you repeatedly trying to access pages you shouldn't, we may report you to the proper authorities."
Hm, would the author believe in tit-for-tat?
Next time the bastards are on strike this [.swf] [bad language] [etc] is getting blasted out at every station.
I realize that you're being deliberately obtuse, but the use of quotes around the term "terrorist" was clearly meant to give the term a certain uncertainty. Who and what constitutes a terrorist very much depends on your politics, and frankly, many people in the US these days seem to use that term a little bit too freely.
Perhaps, but we're hardly executing terrorists. The quote wasn't, "What about terrorists' right to habeas corpus," it was about their right to life. The only injuries that appear to be killing suspected terrorists are self inflicted, thus my comment. I think you knew that, but instead chose to call me obtuse.
Now if you want to say, "What about suspected terrorists right to due process," I'll support you 100%, and I agree that the term terrorist is overly used, and has been for about 3 and a half years now.. but the guv'mint is hardly lining up suspects in the streets and summarily executing them. They might be crossing the line with civil liberties, which again is still wrong, and it's a slippery slope, but let's keep it in perspective.
https://www.eff.org/https-everywhere
It's also 100% irrelevant whether you change it on the NIC or in the driver, because the end result is the same.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
A spokesman for MS claimed it "will be the most realistic train simulator ever!".
-- Argel
You don't consider locking someone up (possibly indefinitely), without accusing them and without trial, to be infringing on their right to life? Sure, it's not execution -- but who knows how long they'll be held? Who knows whether they're guilty or not, and if they are, of what?
I'll admit that I may have jumped on you prematurely -- I find the whole "us vs. the terrorists" mentality frustrating, and perhaps I wrongly assumed it of you -- but I think that stripping due process very much interferes with a person's right to live their lives as free individuals. From my perspective, locking me up forever isn't much different from killing me. In all likelihood, the "terrorists" we're holding in Cuba aren't going to be there forever, but they certainly have been there a long time.
At any rate, at this point it's a semantic argument. It sounds as though we basically agree.
Why don't we recognize this bit of "news" for what it really is: shameless self-promotion by a marginal good guy. We'd damned well better give him the pat on the back (and consulting contract) he wants, lest he swing fully to the Dark Side and blame us all for his fall from grace.