Avast Suckers GOP Delegates Into Connecting To Insecure Wi-Fi Hotspots

Avast conned more than 1,200 people into connecting to fake wi-fi hotspots set up near the Republican convention and the Cleveland airport, using common network names like "Google Starbucks" and "Xfinitywifi" as well as "I vote Trump! free Internet". An anonymous reader quotes this report from The Register: With mobile devices often set to connect to known SSIDs automatically, users can overlook the networks to which they are connecting... Some 68.3 percent of users' identities were exposed when they connected, and 44.5 per cent of Wi-Fi users checked their emails or chatted via messenger apps... In its day-long experiment Avast saw more than 1.6Gbps transferred from more than 1,200 users.
Avast didn't store the data they collected, but they did report statistics on which sites were accessed most frequently. "5.1 percent played Pokemon Go, while 0.7 percent used dating apps like Tinder, Grindr, OKCupid, Match and Meetup, and 0.24 percent visited pornography sites like Pornhub."

Re:BREAKING NEWS

[phantomfive]

That is not being a moron. There is no way to be sure that a particular SSID belongs to who it claims (unless you do some kind of certificate exchange).

I look forward to DNC results

[SuperKendall]

Surely they plan to do the same thing at the Democratic convention - does anyone doubt the results would be similar? People in general, no matter political affiliation, are prone to connect to insecure WiFi. How is that even news?

Re:BREAKING NEWS

[Sarten-X]

So in other words, they did their job and got paid.

They were contracted to find vulnerabilities, and they accurately determined that user credentials were easily compromised with a basic attack. If they were not pentesters, but rather actual attackers, they would have everything they need to access the company servers and start wreaking havoc. Even if they only sniffed users' personal credentials, they still have enough access to start social engineering or coercion attacks against the employees.

Depending on the terms of the contract, the consultants may not be allowed to test passwords they find. They may only be allowed to report that they found something that looks like it should be a password.

Of course, it may also highlight some other key details, like company devices automatically connecting to known SSIDs, or a lack of encryption on the legitimate wireless network. If their attack went undetected by the company's security team, a suitably-paranoid company may want to install systems to detect rogue access points.

A colleague of mine once was hired to do a week of pentesting. The first morning, he tailgated through a locked door by carrying some boxes, found an unlocked network closet, and connected to the client's network and started sniffing unencrypted traffic, including plaintext passwords for the admins. Those let him access every server he tried, and he ended up cutting the test short by lunch. He delivered a brief report in the afternoon, essentially saying that the general approach to security was so bad that further testing wouldn't be productive. His recommendation was to cancel the security testing contract and move the budget to basic security training.