Beware the Airport Wireless
schwit1 writes to tell us that a recent study by a Silicon Valley-based security company shows that black-hats have been ramping up their use of tempting free or unsecured wireless access points in high travel areas like airports and hotels. "According to their study, even the 'secure' networks weren't all too safe. Eighty percent of the private Wi-Fi networks at airports surveyed by Airtight were secured by the aging Wired Equivalent Privacy (WEP) protocol, which was cracked back in 2001. Almost as many — 77 percent — of the networks they surveyed were actually private, peer-to-peer networks, meaning they weren't official hotspots. Instead, they were running off someone else's computer."
Isn't this quite an old story? Already years ago I read that people have been setting up their own hotspots near crowded places, and it works well because if you get a better signal than the official hotspot the computers usually pick your hotspot first. This was even covered in The Real Hustle many seasons ago.
And for that matter, you're in an insecure place connecting via some random network. It's just stupid.
I cracked my own network in minutes using this method. Can someone point me to a less complicated method?
In truth, the current state of affairs is about what anyone who has been following security news and publications for a while would expect. There's been a rise in the level of networks that aren't "open", but instead encrypted in some fashion. That's because of the endless parade of articles about pedophiles using laptops and the FBI busting down innocent people's doors to find (da-dum!) the wifi router. So while people are very good at being afraid and then doing something vaguely rational about it, "smart" is one word I wouldn't use to describe the public's response. Most of them still use passwords. Many of them don't know the difference between WEP, WPA, and WPA2 and just set it to whatever option gives them the least amount of grief (Windows likes to spit out key-length errors when using WPA -- usually because of an extra space at the end of the copied string)... Which is usually a simple password. So they use 0.008% of the available keyspace, breathe a sigh of relief, and then go to the store to buy duct tape and gas masks because CNN says it'll help keep the terrorists out.
#fuckbeta #iamslashdot #dicemustdie
What's the big deal? Why worry about the insecurity of the local wireless network when you're connecting to the Internet... hello, it's insecure!! If your computer isn't secure it doesn't matter whether the local network is or isn't, your computer is still insecure. If you are doing things across the network that you want to keep private and you aren't doing them over SSL/SSH/VPN you are an idiot regardless of whether the local wifi uses WEP, WPA2, or no encryption at all.
In every wifi GUI tool I've used, ad-hoc networks show up with a special icon. I don't know about the public in general, but any decent Slashdot reader should know better than to connect to one!
How can this affect a normal user? Aren't HTTPS sites and other safe regardless of this?
Ever see a black hat naked before Jimmy?
I'm sorry I don't have anything good to say. I'm late for my flight anyway!
Can you get arrested as a terrorist if you hack airport networks?
(-1, Raw and Uncut is the only way to read)
Ever notice an SSID for "Free Public WiFi" just pop up while you're at your place of work?
When I first saw these, I assumed "someone got infected with some trojan which sets them up to pretend to be an open WiFi either to do a man-in-the-middle attack, or to infect my system with some kind of worm."
After a bit of digging, I discovered that this was actually not malicious, but was a viral-like spread due to some strange way that one of the MS Operating systems was handling ad-hoc wireless connections.
Here's a 2006 advisory on the issue
http://www.nmrc.org/pub/advise/20060114.txt
Here's a less technical explanation (in case you have to convert it to "boss speak")
http://erratasec.blogspot.com/2007/01/ad-hoc-wifi-virus.html
So, pretty much everyone says it's harmless.
However, my initial suspicions (about MitM or worm infections) could easily be made to come true, and anyone who google'd it would say "oh, I guess it's that 2006 thing, no worries"
Of course, being an ad-hoc node, it'll be kinda obvious to most geeks... and of course, most geeks would probably make sure they were tunneling or otherwise using the network safely anyhow.
John Q. Public on the other hand? hoo boy. ... AND it doesn't help that so many products, in the name of making things easier on John Q. Public, will just auto-associate when they see an available connection.
I don't really know where I'm going with all this except to say "Never trust any network outside your own, never EVER trust the Interwebs, and only trust your own network as far as you have to in order to make things work... especially if you're not the only one using it.", but you knew that already.
The Digital Sorceress
I was in an airport a couple of weeks ago (Denver?) The WiFi was "free", but they proxied all of your traffic through their servers and used that to encapsulate all web sites into a frame with advertisements above. They did allow SSH, so I just bypassed them by proxying my traffic through an SSH tunnel to my home machine.
While I was at University, there was often someone broadcasting the SSID "UNH-Wireless" in their Memorial Building. The official SSID was just unhwireless. UNH required you to register your MAC before they would forward your packets to the Internet, but the rogue SSID was open. Since the Memorial Building was where all the visitors ended up for lunch after tours, I wonder how many delicious things were intercepted.
(New Hampshire is the one that touches the ocean. The other one is Vermont, which is the one that touches Canadia.)
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
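Added example, not part of any comment in this thread: a small Python check that applies the warning signs commenters describe (ad-hoc mode, WEP, and a look-alike of the official SSID such as "UNH-Wireless" versus "unhwireless") to a scan list before a client auto-joins. It goes one step beyond the thread by also flagging one SSID advertised with different security settings; the scan records, BSSIDs, the "AirportStaff" and "HotelGuest" names and the `OFFICIAL` set are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed scan results for illustration: the first three SSIDs come from
# the thread; the BSSIDs and the other names are made up.
SCAN = [
    {"ssid": "unhwireless", "bssid": "02:00:00:00:00:01", "mode": "infrastructure", "security": "open"},
    {"ssid": "UNH-Wireless", "bssid": "02:00:00:00:00:02", "mode": "infrastructure", "security": "open"},
    {"ssid": "Free Public WiFi", "bssid": "02:00:00:00:00:03", "mode": "ad-hoc", "security": "open"},
    {"ssid": "AirportStaff", "bssid": "02:00:00:00:00:04", "mode": "infrastructure", "security": "wep"},
    {"ssid": "HotelGuest", "bssid": "02:00:00:00:00:05", "mode": "infrastructure", "security": "wpa2"},
    {"ssid": "HotelGuest", "bssid": "02:00:00:00:00:06", "mode": "infrastructure", "security": "open"},
]
OFFICIAL = {"unhwireless"}  # assumption: SSIDs the venue has actually published


def normalize(ssid):
    """Fold case and drop punctuation/spaces so look-alike names collide."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def assess(scan, official):
    """Return {bssid: [reason, ...]} for networks a client should not auto-join."""
    official_norm = {normalize(s): s for s in official}
    security_by_ssid = defaultdict(set)
    for net in scan:
        security_by_ssid[net["ssid"]].add(net["security"])

    findings = {}
    for net in scan:
        reasons = []
        if net["mode"] == "ad-hoc":          # served by another client, not an AP
            reasons.append("ad-hoc")
        if net["security"] == "wep":         # cracked back in 2001, per the summary
            reasons.append("wep")
        match = official_norm.get(normalize(net["ssid"]))
        if match is not None and net["ssid"] != match:
            reasons.append("look-alike:" + match)
        if len(security_by_ssid[net["ssid"]]) > 1:
            reasons.append("mixed-security")  # same name, different protection
        if reasons:
            findings[net["bssid"]] = reasons
    return findings


if __name__ == "__main__":
    for bssid, reasons in assess(SCAN, OFFICIAL).items():
        print(bssid, ", ".join(reasons))
```

A relay that rebroadcasts the exact official SSID in infrastructure mode passes every check here, so a clean result does not replace TLS certificate checking or a VPN.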
So what? I'm in an airport using https over wpa, or I'm just surfing news etc. I don't care how it's getting on the net.
This article contains a lot of FUD. If you're banking or anything important money-wise you're probably using SSL with a signed certificate, even if you're a Joe Sixpack. If I'm doing anything work related I'm on a VPN. You should never, ever, trust that your connection through the "internets" is secure anyway. Wireless access doesn't change anything about that. This article is just trying to gain attention by using fear.
Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
Last time I was traveling, I was flying out to Portland, and I had connectivity issues with the free wi-fi offered by the airports. At one of them, I'd detect their SSID and successfully connect with a reasonably strong signal, but after going through their initial "terms of service" type page and using it for a couple minutes, I'd lose communications. The wi-fi said it was still connected but pings were just timing out and nothing would come up. I could disconnect, search for available wireless networks, and try to reconnect, which worked about half the time (but again, only for a few minutes).
All things considered, I'd rather find and use a rogue offering, set up a VPN tunnel, and use THAT!
No one should ever rely on the network layer for security, because networks are by nature insecure. Run traceroute sometime if you're curious to see how many nodes are located between your computer and your bank/stock broker/webmail. Every one of those nodes can see every one of your packets. The only solution is to use application layer encryption, and once you've done that, it doesn't matter who is spying on your traffic.
You'll notice that this study was done by "AirTight Networks, a wireless security company." In other words, they are fear-mongering in order to try to sell more of their products. No matter how secure you make your wireless network, it still won't stop anyone even 1 hop away from seeing all of your traffic. As security professionals, the researchers from AirTight Networks know this, which makes their study all the more stupid and despicable.
I was kind of shocked that hak5 episodes (downloadable to my tivo) educate and actually encourage this type of fake wifi. Google Jasager.
Sure if the network is truly adhoc, but these aren't, the hacker needs to get the wifi from somewhere, and more often than not it is the official airport/coffeeshop wifi.
This is someone connecting to a wireless access point with their laptop, running the sniffing suite on the laptop, and running a portable access point out another ethernet jack or through USB. I have a great USB based access point that is able to repeat and share any signal I can get; I use it to route wifi over great distance over a cantenna and repeat it to all my devices, and it will not show up as an ad hoc network. Mine is old; they make them even better, smaller and cheaper now. Nobody is going to bat an eye at the hacker with a usb cable running into his laptop bag.
PS: Firefox with a proxy including DNS + Putty running a dynamic proxy + A linux box at home (such as a low power tomato router) with SSH access + Priv/Pub ssh keys + DynDNS static IPs = 3 second complete encryption of everything no matter how sketchy the access point.
PSS: People saying this isn't a problem, so much webmail is unsecured by default, so many passwords are emailed to users. Please just trust the security geeks, you are really really vulnerable to deep packet inspection and transparent proxies. Secondly you are trusting the blackhat's DNS, are you really going to notice when you go to paypal/etc and the HTTPS is missing just one time?
Web Developers: Celebrate to our roots! Animated Gifs and Tiled Backgrounds, don't let our history die!
I noticed someone set up a wireless access point next to the McDonalds in Rome complete with the golden arches asking you to type in a valid passport ID, date of birth, etc to get online. It was even secure https with some bogus VeriSign.
I asked the McDonalds employees and they all said that there was no wireless. Sketch.
This is one reason why I typically just use my 3G data card nowadays.
If you're checking the weather or airline schedules or Slashdot, it doesn't matter if you get eavesdropped on. If you're checking your work email, you want to be using an IPSEC VPN, so all your traffic is going to be protected inside that (unless you're doing split-tunnel...) and SSH is fine too.
The tricky case is using SSL-protected websites, when you can't trust the DNS and network not to be redirecting you to some bogus cracker site. If you pay attention to the certificate details, you can be safe, but if you're not paying attention and hit the "Yeah, Sure, Whatever" button, then you're hosed. An SSL VPN connection to work may or may not be, if your company is using an SSL VPN appliance - are you using passwords or one-time-access tokens? Does the cracker know how to break in to that given your authentication, as opposed to just stealing credit card or bank passwords?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Always use a rubber duck.
If I can get outside and not pay anything, why should I care that it's not 'official'? Really, I'm not joking.
---- Booth was a patriot ----
What about if the hotspot doesn't actually give the user the real page, but instead a phishing page? I doubt many normal users notice that HTTPS isn't on.
Even ignoring that, there's two other things that would make people think twice:
1) Fake cert, people would see an alert (though as you say perhaps they are not even trying)
2) The bigger issue is that when they go to the site, they would not be logged in automatically or the form to login would not auto-fill. A lot of people use this so much now they'd be hard pressed to actually enter the real password themselves if autofill fails!
You have the same problem anyway even if using an "official" WAP outside home, since you cannot trust that the thing has not been compromised.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The thing that gets me is that this only covers half of the story. They ignore the white hats. :)
When I'm at a hotel for example, I'll usually bring a pair of Airport Express units. Take one, join it to the hotel's "paid" wifi, then nat over to the other in bridged mode via cross-cable, and create a new network with the ESSID "Hey look, free Wifi!". :)
Then again, my hat might always start changing colors on you, so watch out.
*weeeooooohhhh* ;)
Karma: Chameleon (mostly due to the fact that you come and go).
...because it NEEDS TO BE. If you are using public wireless without a VPN, YOU ARE A FOOL. If you can't set up your own, use a cheap, public provider such as Witopia (I've had outstanding experience with them in the past).
I didn't know that was wrong. I'll stop. maybe.
Seriously, I always VPN myself back to base every time I use a network I don't trust completely. If someone can break my crypto, he or she deserves my data.
Setting up a VPN is easy, quick and painless. Why not do it?
http://www.dieblinkenlights.com
He mentioned getting email passwords, and with access to someone's email you can reset their passwords to more important sites. Not to mention that I've seen a place handling sensitive information that answered lost password requests by _mailing out the password_.
A good tunnel will keep you safe and allow you to capitalize on the rogue's motives.
Your suggestion also highlights the god awful ignorance being spouted by Fox and Symantec in the article. Slashdot should be ashamed at posting such a crappy article that doesn't even mention SSL or VPNs as a safety measure!
When I'm in a crowded airport and have a long layover - the first thing I do is broadcast a free ad-hoc network with an SID "Free till flight x departs" in airports that charge for WiFi before my flight departs. Just trying to be nice.
I shouldn't have to remind people that the Internet is not secure. Not taking proper precautions (Using a VPN, SSL..etc) or being a gullible sucker and downloading botnetzombie.exe from your favorite porn site has the potential of being just as stupid in an airport as it is at home or while attending defcon later this month.
Back a couple of years ago, I was waiting for a flight out of the airport in Hartford and turned on my laptop. I forgot that I had my wireless turned on and up came the list of available connections. One was called "Friends of Engtech" - Engtech was a project that I was working on at the time. I don't have a clue how they picked up that phrase unless I had a shared folder called that - but I'm pretty sure that I didn't. I immediately switched off my antenna and disabled the wireless connection.
But I run OpenVPN. The first thing I do upon connecting is create an OpenVPN tunnel to our corporate server. I then route all traffic over the VPN connection (except for the actual encrypted OpenVPN packets themselves, of course: those need a special host route.)
I use an IP address to connect to the OpenVPN server so spoofed DNS won't affect me, and once connected, I of course use our corporate DNS servers.
Problem solved.