Beware the Airport Wireless
schwit1 writes to tell us that a recent study by a Silicon Valley-based security company shows that black-hats have been ramping up their use of tempting free or unsecured wireless access points in high travel areas like airports and hotels. "According to their study, even the 'secure' networks weren't all too safe. Eighty percent of the private Wi-Fi networks at airports surveyed by Airtight were secured by the aging Wired Equivalent Privacy (WEP) protocol, which was cracked back in 2001. Almost as many — 77 percent — of the networks they surveyed were actually private, peer-to-peer networks, meaning they weren't official hotspots. Instead, they were running off someone else's computer."
In every wifi GUI tool I've used, ad-hoc networks show up with a special icon. I don't know about the public in general, but any decent Slashdot reader should know better than to connect to one!
Ever notice an SSID for "Free Public WiFi" just pop up while you're at your place of work?
When I first saw these, I assumed "someone got infected with some trojan which sets them up to pretend to be an open WiFi either to do a man-in-the-middle attack, or to infect my system with some kind of worm."
After a bit of digging, I discovered that this was actually not malicious, but was a viral-like spread due to some strange way that one of the MS operating systems was handling ad-hoc wireless connections.
Here's a 2006 advisory on the issue
http://www.nmrc.org/pub/advise/20060114.txt
Here's a less technical explanation (in case you have to convert it to "boss speak")
http://erratasec.blogspot.com/2007/01/ad-hoc-wifi-virus.html
So, pretty much everyone says it's harmless.
However, my initial suspicions (about MitM or worm infections) could easily be made to come true, and anyone who googled it would say "oh, I guess it's that 2006 thing, no worries".
Of course, being an ad-hoc node, it'll be kinda obvious to most geeks... and of course, most geeks would probably make sure they were tunneling or otherwise using the network safely anyhow.
John Q. Public on the other hand? hoo boy. ... AND it doesn't help that so many products, in the name of making things easier on John Q. Public, will just auto-associate when they see an available connection.
I don't really know where I'm going with all this except to say "Never trust any network outside your own, never EVER trust the Interwebs, and only trust your own network as far as you have to in order to make things work... especially if you're not the only one using it.", but you knew that already.
The Digital Sorceress
I was in an airport a couple of weeks ago (Denver?) The WiFi was "free", but they proxied all of your traffic through their servers and used that to encapsulate all web sites into a frame with advertisements above. They did allow SSH, so I just bypassed them by proxying my traffic through an SSH tunnel to my home machine.
While I was at University, there was often someone broadcasting the SSID "UNH-Wireless" in their Memorial Building. The official SSID was just unhwireless. UNH required you to register your MAC before they would forward your packets to the Internet, but the rogue SSID was open. Since the Memorial Building was where all the visitors ended up for lunch after tours, I wonder how many delicious things were intercepted.
(New Hampshire is the one that touches the ocean. The other one is Vermont, which is the one that touches Canadia.)
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
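A small triage script, added here as an example and not from any of the posts above, that does mechanically what the thread says a careful user does by eye: it feeds an `iwlist`-style scan listing through awk and flags the three things warned about so far, ad-hoc cells (someone else's laptop, not an access point), WEP cells, and SSIDs that are a case or punctuation variant of the venue's real SSID (the UNH-Wireless versus unhwireless trick). The list of official SSIDs is an assumption you supply from signage or the front desk; the scan listing below is constructed and its addresses are made up.

```shell
#!/bin/sh
# Added example: triage a Wi-Fi scan before associating.
# Input is the text `iwlist <iface> scan` prints (constructed sample below).

triage_scan() {
    # $1 = comma-separated SSIDs the venue really operates (an assumption you
    #      supply). Reads scan text on stdin and prints one line per cell:
    #      BSSID, SSID, mode, encryption, verdict (tab-separated).
    awk -v official="$1" '
    function norm(s) { s = tolower(s); gsub(/[^a-z0-9]/, "", s); return s }
    function flush() {
        if (bssid == "") return
        # "Encryption key:on" without a WPA/WPA2 IE is WEP.
        enc = (key == "off") ? "OPEN" : (wpa ? "WPA" : "WEP")
        if (mode ~ /Ad-Hoc/)
            verdict = "AVOID: ad-hoc cell (a peer laptop, not an access point)"
        else if (enc == "WEP")
            verdict = "AVOID: WEP, trivially cracked"
        else if ((norm(essid) in onorm) && essid != onorm[norm(essid)])
            verdict = "AVOID: lookalike of official SSID " onorm[norm(essid)]
        else if (enc == "OPEN")
            verdict = "CAUTION: open network, tunnel everything"
        else
            verdict = "ok"
        printf "%s\t%s\t%s\t%s\t%s\n", bssid, essid, mode, enc, verdict
    }
    BEGIN { n = split(official, o, ","); for (i = 1; i <= n; i++) onorm[norm(o[i])] = o[i] }
    /Cell [0-9]+ - Address:/ { flush(); bssid = $NF; essid = ""; mode = ""; key = ""; wpa = 0; next }
    /ESSID:/          { sub(/.*ESSID:"/, ""); sub(/"$/, ""); essid = $0; next }
    /Mode:/           { sub(/.*Mode:/, ""); mode = $0; next }
    /Encryption key:/ { sub(/.*Encryption key:/, ""); key = $0; next }
    /IE: .*WPA/       { wpa = 1; next }
    END { flush() }
    '
}

sample_scan() {
    # Constructed scan listing in iwlist format; the MAC addresses are made up.
    cat <<'EOF'
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"unhwireless"
                    Mode:Master
                    Encryption key:off
          Cell 02 - Address: 00:11:22:33:44:66
                    ESSID:"UNH-Wireless"
                    Mode:Master
                    Encryption key:off
          Cell 03 - Address: 02:AA:BB:CC:DD:EE
                    ESSID:"Free Public WiFi"
                    Mode:Ad-Hoc
                    Encryption key:off
          Cell 04 - Address: 00:11:22:33:44:77
                    ESSID:"AirportPrivate"
                    Mode:Master
                    Encryption key:on
          Cell 05 - Address: 00:11:22:33:44:88
                    ESSID:"AirportStaff"
                    Mode:Master
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
EOF
}

# Stand-alone run against the constructed sample; on a real machine replace
# sample_scan with: iwlist wlan0 scan
sample_scan | triage_scan "unhwireless,AirportStaff"
```

The lookalike test normalises both names to lowercase alphanumerics, so "UNH-Wireless", "unh wireless" and "UNH_WIRELESS" all collide with "unhwireless" while the exact official string passes. It cannot tell you that an SSID spelled exactly right is the venue's own radio; for that you would need the BSSIDs the venue publishes, which most do not.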
This article contains a lot of FUD. If you're banking or anything important money-wise you're probably using SSL with a signed certificate, even if you're a Joe Sixpack. If I'm doing anything work related I'm on a VPN. You should never, ever, trust that your connection through the "internets" is secure anyway. Wireless access doesn't change anything about that. This article is just trying to gain attention by using fear.
Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
What if the hotspot doesn't actually give the user the real page, but a phishing page instead? I doubt many normal users notice that HTTPS isn't on. Or, like in the above The Real Hustle video, "for $1 you can get one hour of surfing time, just enter your credit card details", and you can probably guess what happens from there.
I don't doubt that the people who run such scams are doing something evil but this irrational insistence people have of using what they do not understand and then acting shocked if something goes wrong is in need of some serious "Darwinism" or "artificial selection" or whatever you like to call it. The basics of how to protect yourself are not that difficult to understand, the information is out there, and any literate adult can educate himself as easily as searching via Google. If putting a price on that kind of rampant ignorance is the only way to give it an incentive to be remedied, then so be it.
It shouldn't be that way. People should care enough to guard the things that are important to them, like the kinds of personal information phishing pages could harvest. The reasons why they don't seem to be rooted in apathy combined with a strong feeling that basic competency (which is a far cry from expertise) is some kind of horrible undue burden that is completely unreasonable to expect of them. There is a great deal of arrogance in the belief that safeguarding things that matter to you should always be the responsibility of someone else, be it Microsoft or the airport or whomever. When that kind of hubris leads to problems, what legitimate complaint do they have? Why are they so often portrayed as helpless victims instead of held up as examples of negligence, of what not to do?
It is a miracle that curiosity survives formal education. - Einstein
Last time I was traveling, I was flying out to Portland, and I had connectivity issues with the free wi-fi offered by the airports. At one of them, I'd detect their SSID and successfully connect with a reasonably strong signal, but after going through their initial "terms of service" type page and using it for a couple minutes, I'd lose communications. The wi-fi said it was still connected but pings were just timing out and nothing would come up. I could disconnect, search for available wireless networks, and try to reconnect, which worked about half the time (but again, only for a few minutes).
All things considered, I'd rather find and use a rogue offering, set up a VPN tunnel, and use THAT!
Sure, if the network is truly ad hoc, but these aren't; the hacker needs to get the Wi-Fi from somewhere, and more often than not it is the official airport/coffee-shop Wi-Fi.
This is someone connecting to a wireless access point with their laptop, running the sniffing suite on the laptop, and running a portable access point out another Ethernet jack or through USB. I have a great USB-based access point that is able to repeat and share any signal I can get; I use it to route Wi-Fi over great distances via a cantenna and repeat it to all my devices, and it will not show up as an ad-hoc network. Mine is old; they make them even better, smaller and cheaper now. Nobody is going to bat an eye at the hacker with a USB cable running into his laptop bag.
PS: Firefox with a proxy including DNS + Putty running a dynamic proxy + A linux box at home (such as a low power tomato router) with SSH access + Priv/Pub ssh keys + DynDNS static IPs = 3 second complete encryption of everything no matter how sketchy the access point.
PPS: To the people saying this isn't a problem: so much webmail is unsecured by default, and so many passwords are emailed to users. Please just trust the security geeks; you are really, really vulnerable to deep packet inspection and transparent proxies. Secondly, you are trusting the black hat's DNS; are you really going to notice when you go to PayPal etc. and the HTTPS is missing just one time?
Web Developers: Celebrate our roots! Animated GIFs and Tiled Backgrounds, don't let our history die!
I noticed someone had set up a wireless access point next to the McDonald's in Rome, complete with the golden arches, asking you to type in a valid passport ID, date of birth, etc. to get online. It was even secure HTTPS with some bogus VeriSign certificate.
I asked the McDonald's employees and they all said that there was no wireless. Sketch.
Only problem is, you have to be an uber-dork to exploit them, meaning extensive programming knowledge, which I doubt any aviation worker has. So it's a false warning really, as nobody is truly going to attack a single laptop at an airport (you're not gonna do online banking on a public connection, unless you're an idiot...)
If you're checking the weather or airline schedules or Slashdot, it doesn't matter if you get eavesdropped on. If you're checking your work email, you want to be using an IPsec VPN, so all your traffic is going to be protected inside that (unless you're doing split-tunnel...), and SSH is fine too.
The tricky case is using SSL-protected websites, when you can't trust the DNS and network not to be redirecting you to some bogus cracker site. If you pay attention to the certificate details, you can be safe, but if you're not paying attention and hit the "Yeah, Sure, Whatever" button, then you're hosed. An SSL VPN connection to work may or may not be, if your company is using an SSL VPN appliance - are you using passwords or one-time-access tokens? Does the cracker know how to break in to that given your authentication, as opposed to just stealing credit card or bank passwords?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
If your system hasn't been compromised, it doesn't matter.
You could do your banking on an open, unsecured network, no WEP, no WPA, etc., because your traffic between you and your banking institution has been encrypted from point to point.
That said, if I were you, I wouldn't do it.
I was once staying at a hotel for a convention and brought my laptop downstairs -- only to be presented with three different wireless network options, all of which looked like they *could* have been the hotel's access point, but slightly different. It would have been trivial to set up a network with a similar name and a dummy phishing page that looked identical to the hotel's.
Because someday you're going to run some program locally that for whatever reason wants to bind the 0.0.0.0 address and listen on some port. Web server, database server, chat client, p2p client, whatever. Unless you run netstat -a all the time, you don't *know* that there isn't something listening.
From an MIS/IT perspective, one solution to that is to provide something more convenient. Our laptops are issued with cellular broadband NICs and unlimited data plans for those with a demonstrated business need, and coverage is widespread enough now (especially in airports) that it's easier for them to access our corporate VPN that way than it is to connect to some arbitrary open WAP, especially after automating it so that they double-click one icon on their desktop, enter their password, and the rest "just works".
Ditto. I take it a step further. For one, I SSH to my own box, for which I've already got the public key, and if it is changed the SSH will fail and throw nasty "someone changed the key" errors. For two, I go into "silent" mode, where I firewall and block all inbound connections and silently drop them (even ping), and even more, I firewall and block all outbound connections except my one SSH connection. My SSH script connects to my IP, so no need to use DNS either. All traffic is proxied through my SSH connection and out my server, and anything that would somehow evade my proxy (Java and JavaScript sometimes somehow have a hack-around method to bypass a proxy setting on a host) doesn't matter, because iptables is going to drop that outbound traffic and never allow it to leave my box.
The only thing I usually have to do first is give a thumbs-up. For that, I have my usual locked-down inbound mode and a "guest" Firefox profile that is set to no proxy; I connect to hit the authentication/agreement terms page (for Starbucks, hotel wireless, etc.), and then once I get past that I flip my SSH script on, which locks down my firewall and SSHes to my system as described above.
I'm not sure about how easy that'd be to do on a Windows box. Can you firewall a Windows box from not making any outbound connections? It's been a while since I ran Windows as a Host (when I must, I run them as VM guests). But that would be my recommendation to anyone.
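The recipe the two posts above describe (PS in the earlier one, and the "silent mode" setup just above), written out as a script. This is an added example, not either poster's own script: it generates the iptables rules that drop everything inbound, ping included, and everything outbound except one TCP connection to a fixed IP, builds the ssh command with strict host-key checking and a loopback SOCKS listener, and emits the Firefox prefs that push DNS through that listener. The endpoint 203.0.113.10, port 22, user name alice and SOCKS port 1080 are placeholders; nothing is applied unless you set APPLY=1 as root.

```shell
#!/bin/sh
# Added example: lock the laptop down to one SSH tunnel, then proxy everything
# through it. Placeholder values: home box 203.0.113.10 (an IP, not a name, so
# no DNS lookup is ever needed), sshd on port 22, user "alice".

lockdown_rules() {
    # $1 = IPv4 of the SSH endpoint, $2 = its TCP port. Prints one firewall
    # command per line and applies nothing. With both policies DROP and no
    # ICMP rule, pings are silently dropped; with no UDP rule, DNS cannot
    # leave the box at all, which is the point.
    ip=$1; port=${2:-22}
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d $ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
EOF
}

apply_lockdown() {
    # Dry run by default; APPLY=1 executes the rules (needs root).
    if [ "${APPLY:-0}" = 1 ]; then
        lockdown_rules "$@" | sh -e
    else
        lockdown_rules "$@"
    fi
}

tunnel_cmd() {
    # $1 = endpoint IP, $2 = port, $3 = user, $4 = local SOCKS port.
    # StrictHostKeyChecking=yes aborts on an unknown or changed host key
    # instead of prompting, so a hotspot that impersonates the home box
    # fails closed. -N: no shell; -D on 127.0.0.1 so only this host can use it.
    printf 'ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -N -D 127.0.0.1:%s -p %s %s@%s\n' \
        "${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}" "${4:-1080}" "${2:-22}" "$3" "$1"
}

firefox_prefs() {
    # user.js lines for the tunnelled profile. socks_remote_dns=true makes
    # Firefox hand hostnames to the SOCKS proxy unresolved, so the hotspot's
    # resolver is never consulted.
    cat <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", ${1:-1080});
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Stand-alone run: show what would be applied and the commands to use.
apply_lockdown 203.0.113.10 22
tunnel_cmd 203.0.113.10 22 alice 1080
firefox_prefs 1080
```

Two caveats for anyone running this for real: the OUTPUT policy also blocks DHCP renewal (UDP 68 to 67), so a long session on a short lease will lose its address unless you add that one rule; and the host key for 203.0.113.10 must already be in the known_hosts file you point at, captured on a network you trust, or the first connection from the hotspot will (correctly) refuse to proceed.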
He mentioned getting email passwords, and with access to someone's email you can reset their passwords to more important sites. Not to mention that I've seen a place handling sensitive information that answered lost password requests by _mailing out the password_.
If your system hasn't been compromised, it doesn't matter.
It would if the network points to a poisoned DNS cache.