Slashdot Mirror

← Back to Stories (view on slashdot.org)

Simple Rogue WiFi Hotspot Captures High Profile Data

Posted by samzenpus on from the protect-ya-neck dept.

jones_supa writes Gustav Nipe, president of Sweden's Pirate Party's youth wing, was successful with somewhat trivial social engineering experiment in the area of the Sälen security conference. He set up a WiFi hotspot named "Öppen Gäst" ("Open Guest") without any kind of encryption. What do you know, a large amount of unsuspecting high profile guests associate with the network. Nipe says he was able to track which sites people visited as well as the emails and text messages of around 100 delegates, including politicians and journalists as well as security experts. He says that he won't be revealing which sites were visited by specific experts, as the point was just to draw attention to the issue of rogue network monitoring. The stunt has already sparked criticism in Swedish newspapers and on social media, with some angry comments saying that Nipe breached Sweden's Personal Data Act.

17 of 67 comments (clear)

  1. You want to protect your data? by ArcadeMan · · Score: 5, Insightful

    If you want to protect your data, don't connect to an open WiFi hotspot.

    Also, shame on the so-called "security experts" who used it.

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:You want to protect your data? by Cramer · · Score: 5, Insightful

      Are you 100% certain the cnn.com you think you asked for a page is actually cnn.com and not some i'm-gonna-fill-your-browser-full-of-malware spoof?

    2. Re:You want to protect your data? by davester666 · · Score: 5, Funny

      can't be any worse than the reall cnn.com

      --
      Sleep your way to a whiter smile...date a dentist!
    3. Re:You want to protect your data? by hcs_$reboot · · Score: 2

      TFA says the guy tracked sites and mails etc... Who nowadays doesn't use encryption when it comes to mail? Maybe "he won't be revealing which sites were visited" because that would demonstrate how useless the data he tracked is, "https://google.com", "https://mail.google.com", ....

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    4. Re:You want to protect your data? by TheRaven64 · · Score: 3, Insightful

      I wonder how many people would actually notice if they got SSL errors for Google addresses and how many would just click 'accept' and move on.

      --
      I am TheRaven on Soylent News
    5. Re:You want to protect your data? by retroworks · · Score: 4, Insightful

      Agree with this AC.

      What I'm more concerned about and don't know the answer to are the Smart Phone apps which may check for their own "updates" while I'm on a sinister wifi hotspot. Will a "Bank of App" program open an auto update query in the background, and disclose any details I don't intend it to? I never "save passwords" and rarely enter them in unknown wireless environments.

      The Swedish guy probably did a public service, but the alarms seem aimed at people who don't know the risks. "Never use wifi, and never read CNN online" hyperbole just fatigues people and causes people to treat it as an acceptable risk rather than something they can cope with through caution. The "what if its a fake CNN site" question is a totally separate problem which could occur on a verified hotspot, or wired account... And so what if it's a fake CNN site? They get my lowest concern throwaway password, as I have no money at CNN. I too always am careful which sites I go to on public wifi hotspots.

      --
      Gently reply
    6. Re:You want to protect your data? by fuzzyfuzzyfungus · · Score: 3, Informative

      What's wrong with that? Whenever I use an open hotspot, I *assume* the worst... if I can ssh to https into whatever, so what?

      If I don't care about stuff, (e.g. reading cnn.com, for example), then who cares if it's encrypted or not?

      Stunts like this scare people into not using/providing open internet access... I'd rather we have *more* open wifis (monitor whatever you want out of them), just have them be all over whenever I need them.

      I largely agree with you, open hotspots are excessively demonized(both 'if you touch one you'll get cyber-syphilis!' and 'if you operate one pedophiles will smell it from miles away and you'll go to jail forever!'); but they can be dangerous, and people frequently don't take enough precautions.

      Awareness of VPNs is actually pretty high, all things considered; but mostly for the purposes of getting Netflix in foreignistan, or getting to facebook at school/work. This tends to mean that even people who know about, and use, them typically don't ensure that all chatter from their computer(unless you are very careful, that's often a lot, from all sorts of updaters, autodiscovery agents, and annoying background processes) goes over the VPN, since their use of VPNs is all about ensuring that a specific, normally blocked, bit of traffic makes it out alive, rather than ensuring that no traffic leaks locally.

      The area I would argue with you about is 'unimportant' HTTP: Do I care that somebody knows I visited CNN? No. However, if I make an HTTP connection, do I have the slightest assurance that I'm actually visiting CNN, rather than 'CNN, plus some rewrites that add a suite of common browser exploits'? Not so much. That can, and does, happen even on a trusted connection, through sites being hacked or ad network fuckery; but adding another party who can trivially rewrite the site with god-knows-what isn't really something you want.

      If you have a proper VPN, with all traffic either heading over it or blocked before it leaves your system, though, all good.

  2. Hackers Obey the Law!! by muphin · · Score: 5, Insightful
    i like the quote:

    with some angry comments saying that Nipe breached Sweden's Personal Data Act

    like hackers really care about obeying laws?

    --
    It's not a typo if you understood the meaning!
    1. Re:Hackers Obey the Law!! by bunratty · · Score: 2, Insightful

      Most people who go to prison don't particularly care about obeying laws. That attitude doesn't seem to result in much leniency from the courts.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:Hackers Obey the Law!! by yacc143 · · Score: 3, Funny

      Worse, did not the delegate commit Theft of Service by using a WLAN they were not authorized to?

  3. dupe by Kunedog · · Score: 4, Informative

    still on the first page
    http://mobile.slashdot.org/sto...

  4. some things for any judge to consider by ihtoit · · Score: 5, Informative

    An open network connection at a security conference. That's either a honeypot or a freebie. Were it me, I'd assume the latter, but I wouldn't be doing my online banking through it. If I were an attendee, I'd know better.
    If he's guilty of providing free internet service then people the world over who open their wifi connections are also guilty. I say, and cue the flaming for this, that data security starts and ends with the owner of the data. Take some fucking responsibility for yourself instead of relying on a Government that doesn't give a fuck about you, to do it for you. If anybody should be prosecuted for leaking data in clear text through an unencrypted radio stream (he was literally the guy on the next bench listening in on a shouted conversation, here!), then it should be the administrators of the websites that were visited for not using properly secured data channels such as SSL, endpoint encryption, tunnelling or whatever.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    1. Re:some things for any judge to consider by Minupla · · Score: 3, Interesting

      An open network connection at a security conference. That's either a honeypot or a freebie.

      This. At the security conference I attend (defcon), assuming you got drunk enough to be dumb enough to connect an open hotspot, you'd be thanking your lucky stars if the worst that happened to you was getting on the wall of sheep (which is essentially the same stunt this guy pulled, with the information projected on a wall for everyone to see). I personally VPN *everything* during that week, and if I have to absolutely connect to a work system, I drive to a random McDs outside of the conference and do my VPNing from there (it's usually faster and more reliable then any network at the conference too, since it's not the prize in a big game of Spy vs Spy).

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  5. The danger of open networks by ruir · · Score: 3, Interesting

    I remember seeing a open network in lots of odd places, like trains, when you had no wifi in trains. It was usually in hadhoc mode. Some time later on I learnt it was a virus in Windows that opened it up to try to propagate to other hosts.

  6. At some point ... by cascadingstylesheet · · Score: 2

    ... you have to take responsibility for what you are doing.

    Yes, I could call up the post office and ask if that new blue mailbox on the street corner that says "post office" is legit. That would be so efficient, societal-ly speaking, huh?

    Or we could just throw people in jail who set up fake post boxes.

  7. VPN? by plaukas+pyragely · · Score: 2

    I'd say use VPN and enjoy even dodgiest open WiFi hotspots.

  8. I weep for humanity by BVis · · Score: 2

    I keep seeing stuff like this. Someone who is not stupid makes enough rope available, someone who IS stupid hangs themselves with it, and the first guy takes all the blame. We protect the stupid at all costs. The appropriate response to this is "Don't connect to hotspots you're not sure about, and if you do, take appropriate measures (VPN, https, etc)". No, this is too hard for the shitheads out there who keep getting protected from their own stupidity.

    What I think the non-stupid people need to do is to stop helping these people. Next time, this guy should just keep quiet about what he did at the conference, and quietly sell the incriminating information he collects. Eventually the stupid people will either get tired of having their identities/all their money stolen, and wise the fuck up, or they won't and will be removed from the useful ranks of society. Either way the situation improves.

    I'm not saying I'm smarter than anyone else. I'm saying that if I do something stupid, it's my own damn fault. We don't blame the truck driver when someone plays in traffic. The internet has been part of society in one way or another for over twenty years. It's long enough.

    --
    Never underestimate the power of stupid people in large groups.