Slashdot Mirror

← Back to Stories (view on slashdot.org)

Defcon "Warballoon" Finds 1/3 of Wireless Networks Unsecured

Posted by Soulskill on from the floating-point-operation dept.

avatar4d writes "Networkworld is reporting about a warballooning operation (similar to wardriving) that was disallowed by the management at the Riviera Hotel in Las Vegas, but was covertly launched anyway. The team found approximately 370 networks, and about a third of those were unsecured. In addition to that, the project managed to show how trusting the local law enforcement agencies really were: 'Near the end of the operation, a Las Vegas Metropolitan Police cruiser drove by the parking lot to see what was going on. Hill and his team waved. The police officers waved back and drove off.'"

25 of 209 comments (clear)

  1. i hate you all by blhack · · Score: 5, Funny

    Will everybody please STFU about securing your wifi..

    Cracking their wep when I'm on the road and without my gear is a pain in the ass!

    --
    NewslilySocial News. No lolcats allowed.
    1. Re:i hate you all by Anonymous Coward · · Score: 5, Interesting

      Yes, ours is "unsecured". It gets you to a DNS which answers only one query and an "internet" where the only thing that you can send to is an IPSEC VPN server. Much good may it do you. DefCon should concentrate on real security (is IPSEC as good as OpenVPN or does it's over-compexity make it more vulnerable) and not messing around with pretending to secure your wireless with WEP/WPA and all the other hop by hop garbage.

    2. Re:i hate you all by MrNaz · · Score: 5, Insightful

      More to the point about finding unsuspecting piggybackers, I don't see how it should be expected that the law should get involved to quickly unless a serious crime has been committed. I find this particularly alarming:

      In addition to that, the project managed to show how trusting the local law enforcement agencies really were: 'Near the end of the operation, a Las Vegas Metropolitan Police cruiser drove by the parking lot to see what was going on. Hill and his team waved. The police officers waved back and drove off.'

      So they'd prefer if the police stopped and strip search everyone doing something they considered suspicious? What kind of hackers are they if they think authority needs to always get up close and personal with anyone doing anything remotely out of the ordinary.

      It's a good thing that the police had a look, could see that a crime wasn't being committed, and decided to continue looking for something worthy of their time, not a bad thing as the absurd summary seems to suggest.

      --
      I hate printers.
  2. Networks on The Strip by superj711 · · Score: 5, Informative

    I don't believe this a good test of "security" since the majority of the hotels on the Strip have multiple unsecure Wifi networks for their guests. You have to go to a launch page first before you're even allowed access, sometimes entering a code.

    1. Re:Networks on The Strip by ghoti · · Score: 4, Insightful

      Exactly. 1/3 is actually a pretty good number, and shows that the casinos are taking security seriously. Plus, I wonder how many networks they didn't even see because they weren't broadcasting their SSIDs. This whole thing seems to be much more about doing something cool and making a lot of noise than any kind of serious analysis.

      --
      EagerEyes.org: Visualization and Visual Communication
  3. So let's get this straight by yourpusher · · Score: 5, Insightful

    If the police flip out over something we do, they're overreacting idiots that don't understand technology.

    But if the police don't flip out over something we do, they're underreacting idiots who aren't keeping us safe.

    Mmkay.

    1. Re:So let's get this straight by lukas84 · · Score: 4, Funny

      Police should only employ top specialists in every topic there is, so they can make a judgment on of any situation on site.

      That way, when somebody lies on the street and needs a heart transplant, the police can help him on-site. No special equipment needed, a chewing gum and a swiss army knife will do th etrick.

    2. Re:So let's get this straight by jd · · Score: 4, Insightful

      You make a good point, however I guess I would ask why any rational society would expect just those two modes of operation. Neither seems that useful. Wouldn't it be more logical to expect either the police to come over and say hi, or to take a note of the registration and car details (not necessarily visibly)? A standard social engineering technique used time immemorial has been to look as though you should be somewhere. Only an idiot looks suspicious, and it's not the idiots who should concern the police the most.

      In the first case, it's basic community policing 101. You don't prevent crime by looking intimidating, you prevent crime by being aware of what's happening and understanding why. The second option also works on the premise of being aware, but looks for standard social engineering practices and patterns, rather than cause-and-effect.

      In neither case is flipping out a productive or useful method. It doesn't help you recognize where or when problems are likely to occur, and only helps you catch the more dysfunctional criminals who are likely causing the least of the social headaches. However, it is by far the most common method used, because it's easy. Catching competent criminals is much harder, much more expensive, and gives a police department a worse score on offenses dealt with.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:So let's get this straight by Drakonik · · Score: 5, Interesting

      A standard social engineering technique used time immemorial has been to look as though you should be somewhere.

      Quoted for truth. Several of my teachers told my class that if we wanted to, we could just wander around the school instead of going to classes, as long as we looked like we were on an errand. I'm not sure whether I should think that it's cool that I could get past authority figures by simply acting like I know that I belong, or whether I should be scared that someone who knows how to act like they belong somewhere can generally get access to that place.

    4. Re:So let's get this straight by NFN_NLN · · Score: 4, Funny

      "'Near the end of the operation, a Las Vegas Metropolitan Police cruiser drove by the parking lot to see what was going on. Hill and his team waved. The police officers waved back and drove off.'"

      The police probably one-up'd these nerds.

      Popo 1: What the fudge, those guys are launching some sort of balloon, let's check it out.
      Nerds: I smell bacon, let's wave to them in unison at... .5 Hz, synchronize now.
      Popo 2: Wait, wtf. Is that an albino convention... no wait they're all wearing 'Defcon' T's and khaki's. Let's get out of here before they start asking us about the number of joules my tazer outputs. Speaking of which, it just finished charging and I thought I saw a crack head down that last alley. Just wave back and let's get the hell out of here.
      Popo 1: I'm with you number two, switching to yellow alert, engines full reverse, Hahahaha.

    5. Re:So let's get this straight by MacJedi · · Score: 4, Funny

      Wow, 6 digit UIDs are considered (s)low now?

      --
      2^5
    6. Re:So let's get this straight by fm6 · · Score: 4, Funny

      Well, if 3-digit users like you aren't gonna participate (6 posts a year!), somebody has to play Village Elder.

  4. The Police just waved? by Meshach · · Score: 4, Insightful

    What else would the Police do with that situation? Is what the people were doing illegal?

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley
    1. Re:The Police just waved? by hoofinasia · · Score: 5, Funny

      I don't care how big the parking lot, crowd, or equipment...
      Geeks with balloons are not scary.

    2. Re:The Police just waved? by JustinOpinion · · Score: 4, Insightful

      Agreed. The statement in the summary "...the project managed to show how trusting the local law enforcement agencies really were..." infuriates me. Police are not supposed to be harassing people left and right, trying to uncover illegal or just unsanctioned activities. The police were friendly, waved, and didn't bother to investigate something that by all rights did not look overtly illegal. They acted appropriately.

      I would much prefer that law enforcement err on the side of trust and friendliness. This probably means that some fraction of illegal actions will go undetected and unpunished (note that only a small fraction of those illegal actions are truly dangerous and unethical)... but that is the 'price' of freedom.

      Again, I applaud the police for not flipping out when they see people engaging in activities that they don't exactly understand (but for which there is no evidence of illegal action).

  5. Re:Only 1/3? by chunk08 · · Score: 4, Insightful

    I live in a very small farming town. I can pick up 3 networks from my house, there are 5 in town. Mine is the only secure one (WPA2). Try to explain it to anyone else and they'll say "Why shouldn't my neighbors get on my network?"

    --
    Do away with our corrupt tax code. Support the Fair Tax
  6. Open by choice? by ishmalius · · Score: 5, Interesting

    Don't assume people's motives for having an open AP. Rather than security ignorance, altruism is a perfectly good reason to turn off WEP and WPA.

    1. Re:Open by choice? by dwater · · Score: 4, Interesting

      I do.

      There's even an organisation around where I live/work that promotes it. It's called wippies :

      http://www.wippies.com/www.phtml

      For a free year long commitment, they will send you a free wifi router that will run a second wifi network 'on the side' for other subscribers to use when they're away from home. There's a google map of coverage somewhere on their site, but I can't find it right away...

      --
      Max.
  7. And what did you want the police to do? by the_skywise · · Score: 4, Insightful

    In addition to that, the project managed to show how trusting the local law enforcement agencies really were: 'Near the end of the operation, a Las Vegas Metropolitan Police cruiser drove by the parking lot to see what was going on. Hill and his team waved. The police officers waved back and drove off.'"

    Oh now they're too trusting?!

    What do you want?!

    Should they have played hardball and interrogated them, maybe arrested them and confiscated their equipment until they could ascertain they were safe so you could have a post about "out of control" law enforcement again?

    Perhaps they should've called out the bomb squads ala the Mooninites bomb scare?

    I, for one, vastly prefer this response.

  8. Not 'Unsecured'. It's 'Open System' by TechyImmigrant · · Score: 4, Insightful

    802.11 APs that people refer to as being 'unsecured' are in fact broadcasting a beacon declaring them to be 'Open System'. It is right there in the spec, section 8.2.2.2 .

    'Open System' means exactly that. Come on it. We're open.

    This is a good thing. I don't secure my wireless LAN. I secure my computers. If people want to borrow a bit of my bandwidth, go right ahead. My neighbor does it all the time when he can't get his crappy cable internet to work.

    This should be encouraged. Call them 'Open' and call it a good thing.

    --
    Evil people are out to get you.
  9. geeks are bringing us the police state by speedtux · · Score: 5, Interesting

    Are there really people stupid enough to think that awareness of security holes is something new? Every major piece of infrastructure over the last century has had major security holes. But rather than gleefully exploiting and exposing them for personal fame and fortune, the people who figured it out just shut up about them. Why? Because they understood that fixing those holes would be costly and intrusive, and it would ultimately still not make the system really safe.

    So, if you enjoy body cavity searches, universal surveillance cameras, automated defense systems, and dealing with proprietary and intrusive access controls everywhere you go electronically or physically, then go ahead and keep wardriving and warballooning and defconnning.

    Just be aware that it is your actions that are bringing us the police state, because once a bunch of geeks stands up and says "hey, your infrastructure isn't secure and we are at risk", then politicians and lawmakers have to act.

  10. Re:cops just waved by couchslug · · Score: 4, Funny

    "That's the most pathetic complaint I've heard in a very long time. Go to North Korea, assholes, you can get your police state fix there."

    That would be no fun without good connectivity. What good is a police state if I can't rant about it online?

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  11. Tempest in a Teapot by mschuyler · · Score: 4, Insightful

    You say that like it's a bad thing. Most WiFi networks are of such low power to render them effectively useless beyond a few feet of the origin of the signal. In my neighborhood with houses on half-acre to acre lots I can detect half a dozen networks. A couple are 'insecure,' but the signal is one bar in strength. Besides, I'm detecting them with my own network, so why do I want to 'steal' their bandwidth? Mine is faster. There aren't many people who want to cruise the neighborhood looking for unsecured signals so they can use their laptop in the privacy of their own automobile to surf the net. How uncomfortable is that? I surf with my feet propped up, a beer on the table, and the dog curled up at my feet.

    Then there are those networks that are intentionally unsecured. The local library has a router intentionally pointed at the parking lot (Gasp!) In the downtown area every hotel is within range of an unsecured network. They even have a placard that tells you how to connect--free!

    Sure, there are probably guys into taking advantage of you if your network is unsecured. Perhaps the issue is more prevalent in an apartment house or a dorm than single family residences, but I think this is more of a theoretical issue than a practical one. You can hypothesize your way to wild conclusions, but in the end, is this REALLY a serious problem?

    --
    How about a moderation of -1 pedantic.
  12. And the only question remaining... by ladybugfi · · Score: 5, Funny

    ...was Cory Doctorow in the balloon blogging? http://xkcd.com/239/

  13. Re:Only 1/3? by anagama · · Score: 4, Informative

    I'm not sure if you are making a joke, so just in case you aren't, I'll point out that MAC address filtering is no security at all. Your laptop is transmitting it's MAC as part of the regular wifi transmissions so sniffing it out of the air is trivial with Kismet or Kismac. Spoofing a MAC address is trivial on Linux and Windows machines, a bit more involved to make your OS X Leaopard system able to spoof but not rocket science, and apparently trivial with "spoofmac" on Tiger.

    Here's an overview:

    http://www.irongeek.com/i.php?page=security/changemac

    For Linux, if you just want a random MAC to make yourself even more anonymous:
    http://www.alobbs.com/macchanger

    Similar software exists for windows (google "windows macchanger")

    --
    What changed under Obama? Nothing Good