"Free Wi-Fi" Scam In the Wild
DeadlyBattleRobot writes in with a story from Computerworld about a rather simple scam that has been observed in the wild in several US airports. Bad guys set up a computer-to-computer (ad hoc) network and name it "Free Wi-Fi." You join it and, if you have file sharing enabled, your computer becomes a zombie. The perp has set up Internet sharing so you actually get the connectivity you expected, and you are none the wiser. Of course no one reading this would fall for such an elementary con. The article gives detailed instructions on how to make sure your computer doesn't connect automatically to any offered network, and how to tell if an access point is really an ad hoc network (it's harder on Vista).
To avoid this, just avoid ad-hoc connections. That will work until the perps start using Infrastructure (Access Point) connections with a bridge to the real one. You can even set up Windows XP so that it won't allow you to make ad-hoc connections.
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
I've seen this in the B terminal of Dulles Airport, every time I fly out. I guess it could be someone who works there or something. But since it was ad-hoc I never connected.
Kilroy was here.
When you connect to a network, a little wizard pops up asking you if it's "Home", "Work", or "Public Location". Choose Public Location and sharing will be disabled automatically.
I saw exactly this at the National Archives in College Park, MD. I told the local IT bubbas, but they just gave me blank stares. It was particularly disturbing because the average researcher at the archives won't have the technical sophistication to realize what's going on, and will then take their zombified system back to a university network.
e.g. if I ssh to my home computer, or access an https site, am I still ok?
As long as you exchange keys with the actual end host, and not the man-in-the-middle, you're fine.
If the Man-in-the-middle tries to give you his own SSL key, your browser will throw up an error message that the key is invalid. If you click "accept key", then you're hosed and the attacker can read all your traffic.
As far as ssh goes, if you've connected to the host before, SSH will (or at least on the clients I've used) throw up a big warning message that someone is trying to hack you. If you haven't connected, no such warning will appear and if you type in your password the attacker will get your password, and everything you type in your ssh session.
AccountKiller
This is one of the funniest threads I have read in a while, partly because I turned to a friend while reading the Slashdot write-up and said "Wow, they still give Internet access? My machine is secure enough, I would use that instead of paying the $7.95/day they want in some airports!"
Then I read this thread.
And pointed out my UserID to the same friend.
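The host-key behaviour described a few comments up (a warning on a changed key, but none on first contact) can be reproduced with a small known_hosts check. This is an added example, not code from the thread; the hostnames and key blobs are constructed, and hashed `|1|` entries are not handled.

```python
import base64
import hashlib

def _b64(text):
    """Base64-encode a string; used only to build constructed key blobs."""
    return base64.b64encode(text.encode()).decode()

# Constructed sample data: a known_hosts file with one entry for the home
# machine, and a second (different) key that a relay might present instead.
KEY_HOME = _b64("constructed key blob for home.example.test")
KEY_RELAY = _b64("constructed key blob presented by a man-in-the-middle")
KNOWN_HOSTS = f"home.example.test,192.0.2.10 ssh-ed25519 {KEY_HOME}\n# comment\n"

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256(raw key)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(known_hosts, host, keytype, key_b64):
    """Mimic the client's decision for a presented host key.

    Returns 'ok' if host and key match a stored entry, 'MISMATCH' if the host
    is known but the key differs (this is the loud warning), or 'unknown' if
    the host has never been seen (no warning; the client simply trusts the
    key on first use, which is exactly the case a relay can exploit).
    """
    seen = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, ktype, kdata = parts[0].split(","), parts[1], parts[2]
        if host not in hosts or ktype != keytype:
            continue
        seen = True
        if kdata == key_b64:
            return "ok"
    return "MISMATCH" if seen else "unknown"

if __name__ == "__main__":
    for host, key in [("home.example.test", KEY_HOME),
                      ("home.example.test", KEY_RELAY),
                      ("other.example.test", KEY_RELAY)]:
        print(host, fingerprint(key), check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

Pinning the fingerprint out of band (e.g. noting it while on a trusted network) is what turns the "unknown" case into a check rather than a guess.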
Too bad - I have actually seen that "Free Wi-Fi" ad-hoc network in a few airports in the last month or so (I think in Midway airport in Chicago). I did not join it, since I knew the SSID of the official wireless service (and knew that it was paid access).
An interesting thing to do is to join the network, fire up a Bonjour Browser (or your other favorite ZeroConf browser) and see available services. If people are sharing their iTunes libraries, if they have a ZeroConf chat program, and so on...
- (c) 2018 Hank Zimmerman
With Linux and the hostap driver I can set up a legitimate access point. Ad hoc isn't a necessary part of this scam, and I don't see how avoiding ad hoc networks will prevent anything.
Besides the possible risk from malware infection if you have enabled file sharing, this really is the same man-in-the-middle attack that was so prominent in the 80's and early 90's. A problem which has been mostly fixed by the adoption of SSH over telnet. And is practically non-existent over HTTP today because of the use of SSL on servers. And with regards to malware, how does this differ from picking up some spyware from the pr0n site you "accidentally" visited?
I see no problem here that cannot be solved by adopting the same principles that you would use for ordinary domestic internet access:
1) Turn on your firewall and close all open ports.
2) Don't send sensitive data over an unsecured network.
Nothing sucks like a Vax, nothing blows like a PowerMac G4
The network isn't the problem here, your computer's configuration is. All of my machines can safely connect to an untrusted network (and they do---my non-firewalled, non-NATted internet feed) without being turned into zombies.
The message here shouldn't be "don't connect to untrusted networks," it should be "secure your machine."
Once you do that, these guys are just being nice and giving you a free connection!
-rsw
http://www.historybuff.com/library/refbarnum.html
Someone's been reading this, haven't they? :)
..... but I could, if I had what fone phreaks once referred to as a "Sky Blue Pink Box with Yellow Spots On". Oh, wait, such a thing already exists!
If / when I ever get any wireless kit, I will change the name of my neighbours' unprotected router (currently set to the make and model name; a quick Google search revealed the default password) to "pWn3d", have my router emulate theirs but with suitably distorted graphics, and see what happens. Just a shame I can't listen in on their call to tech support.
Now, that does sound like serious PHUN!
Je fume. Tu fumes. Nous fûmes!
Wireless network cards can be set up as access points too. So just looking for if it's an ad-hoc network does not protect you. Turn off all sharing when connecting through public access points and use encryption.
There you go - free wi-fi!
Opinions expressed above are mine, and not my employees'.
If you use a CA, stunnel is quite secure. If you search, certificates are available for less than $20/year.
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
Most banks offer a SSL encrypted login page but don't explicitly encourage people to use it. For example, if you go to Washington Mutual's homepage, you can login, although the login page is not encrypted. With a little bit of digging, however, you can find the SSL encrypted login page. I assume they make you work for the encrypted page to avoid the overhead of creating an SSL connection with every person that happens to visit the WaMu homepage. I am not a web developer, but I think that if a form posts to an HTTPS site, then the form data is encrypted before being sent. However, there is no way to know whether a form intends to post to an HTTPS site except by digging through the page source. Perhaps this is why a lot of banking sites are now using the two page login sequence.
Gmail has a secure login page as well but you have to explicitly type in https in order to get to it.
These open WiFi networks are really scary. A criminal could park his car next to Starbucks with a laptop and an AP in the trunk. The AP would broadcast an SSID with the name "Starbucks" and forward almost all packets transparently. However, for banking websites, the laptop would form an SSL connection to the bank and forward an unencrypted page to the user. A lot of people wouldn't notice that the connection wasn't secure, especially if all other websites seemed to be working fine. I don't know if a hacker would really want to read your Gmail, but he would be thrilled to get the login info for your bank!
It is too easy to get screwed (and not even realize it) using an open WiFi network. At least if you physically lose your credit card or know that a hacker has gotten your information, you can cancel or freeze your accounts. But if you don't know your account has been compromised, it could be totally drained by the time you realize it. My advice is don't do anything requiring a login on an open WiFi network unless you use a secure VPN tunnel to a machine that you trust. Also, don't keep very much money in your checking/ATM account; invest it or put it in a savings account where it is not as easy to clean you out in one shot.
I switched away from Bank of America partially because they required me to enter my card number and PIN as part of the login process. They claimed it was secure because you entered the two pieces of data on two consecutive web pages. But I might not notice if that second page was not SSL encrypted but was otherwise identical to the real page. WaMu requires an Internet-only login and password. If a hacker somehow got my online banking login info, he/she would not be able to clean me out through an ATM. But if my BofA info had been stolen online, they would have been able to make a fake ATM card and withdraw everything in the account.
Another scary thing that I just realized is that phishers could use the same trick that I mentioned above. They could set up a similar sounding banking website except forming an HTTP connection rather than an HTTPS connection. However, they would forward the data so that it would seem to the end user that everything is fine. They could even create an unsigned certificate and use SSL between the phishing server and the user. Of course, the user would have to accept the certificate, but most people just blindly click "Accept", don't they? I don't know if phishers are using this technique yet, but I would definitely watch out for it in the future.
try this: https://mail.google.com/mail/ (gmail) It starts a secured connection, and stays secure. I use it at work - since stupid WebSense blocks all webmail accounts that don't start with a secured connection.
My Slashdot Journal! YAY!
I don't understand how a windows computer could become a zombie simply by having filesharing enabled. I suppose an attacker could place an executable on a user's writeable share directory, but the user would still have to run the executable in order for his or her computer to actually become "infected". The only thing I can see this type of ad-hoc sharing being good for is to snoop personal information either by acting as a proxy for the user or sniffing unencrypted traffic.