Slashdot Mirror
Avast Suckers GOP Delegates Into Connecting To Insecure Wi-Fi Hotspots (theregister.co.uk)
Avast conned more than 1,200 people into connecting to fake wi-fi hotspots set up near the Republican convention and the Cleveland airport, using common network names like "Google Starbucks" and "Xfinitywifi" as well as "I vote Trump! free Internet". An anonymous reader quotes this report from The Register:
With mobile devices often set to connect to known SSIDs automatically, users can overlook the networks to which they are connecting... Some 68.3 percent of users' identities were exposed when they connected, and 44.5 per cent of Wi-Fi users checked their emails or chatted via messenger apps... In its day-long experiment Avast saw more than 1.6Gbps transferred from more than 1,200 users.
Avast didn't store the data they collected, but they did report statistics on which sites were accessed most frequently. "5.1 percent played Pokemon Go, while 0.7 percent used dating apps like Tinder, Grindr, OKCupid, Match and Meetup, and 0.24 percent visited pornography sites like Pornhub."
Avast didn't store the data they collected, but they did report statistics on which sites were accessed most frequently. "5.1 percent played Pokemon Go, while 0.7 percent used dating apps like Tinder, Grindr, OKCupid, Match and Meetup, and 0.24 percent visited pornography sites like Pornhub."
Results will be skewed, because the Dem convention delegates will know that somebody is (probably) waiting to entrap them. The Pubs won't have had the same emphasis placed on cyber security before their convention.
And if the results are bad for the Dems, will you all publish?
I didn't know. Am I supposed to be using it to find 'chicks'?
All web browsers should have pornhub be the default landing page, make it easy on everyone.
That is not being a moron. There is no way to be sure that a particular SSID belongs to who it claims (unless you do some kind of certificate exchange).
"First they came for the slanderers and i said nothing."
Let's ask Hillary. She is kind of an export on that subject.
It's only a felony for the little people.
Clintons don't have to follow the same laws.
Dumbass OP shouldn't have touched this one if he's a Clinton supporter.
The sane people in this country who aren't drowning in koolaid or ever worked anywhere in security know she should absolutely be in prison right now. No buts what's ifs.
She is a criminal who put this nations security at risk in a direct and premeditated effort to skirt the freedom of information act, committing two crimes at one go.
Only a Clinton could be so blatantly corrupt, get away with it and still have millions of mindless supporters like the OP, because she has a vagina.
Surely they plan to do the same thing at the Democratic convention - does anyone doubt the results would be similar? People in general, no matter political affiliation, are prone to connect to insecure WiFi. How is that even news?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Incidentally, a lot of "security" consultants use this trick.....they set up a fake wireless access point in an office, and when a lot of people accidentally connect to it, thy sniff some passwords. After that, they show it to the boss and say, "look how insecure you are!" The boss is shocked and they send a bill, even though they've done nearly nothing.
If they're a level up, they might have an automated Metasploit script to throw at servers.
"First they came for the slanderers and i said nothing."
Benghazi is not something that defines her, it's merely a drop in the ocean of what she has done so far and what she is capable of doing.
Vote whoever, just not her.
Right, because only a moron has their wireless device set to automatically re-connect to SSIDs they have previously connected to - if you read the excerpt above you'll see they used SSIDs identical to popular hotels, coffee shops, etc.
And of course, by moron I mean everyone that accepts the defaults on their iPhone, Android, other device.
Ken
I'm impressed, I would have put those numbers much higher.
Ken
Avast conned more than 1,200 people into connecting to fake wi-fi hotspots set up near the Republican convention and the Cleveland airport
...meaning they caught a lot of non-Republicans in their little "sting operation". All in all, a non-news story. I'm sure they were really hoping that they'd find 10% of the people looking at porn, or something more salacious. Why call out porn and dating apps in the first place?
All this proves is that we really need encryption everywhere, and that we need to make sure it's turned on by default, so that ordinary users don't have to think about it too much (because let's face it - that will never happen). Eventually, anything that's NOT encrypted should signal a warning to the user, although the transition will need to be gradual. Services like Let's Encrypt are slowly eroding any excuses not to make everything secure by default.
Irony: Agile development has too much intertia to be abandoned now.
So devices automatically connected to spoofed names.. how is that 'news' or relevant to the convention? How would anyone really know if you hit a spoofed wifi like xfinity?
The only thing of note here is that everyone should be using vpn if they are using public wifi.
So what if it s fake? check sites that you login to have a valid https cert. if the cert is bad most major browsers will give you repeated warnings not to trust the site. if you are just browsing reddit or slashdot or watching youtube who cares.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
Considering the stuff coming out of the 20k emails leaked by wikileaks? There's going to be a lot of very nervous people at the DNC this week, so yep I expect that they figure someone will want to fish for information and they'll likely have signs up saying only xyz are approved hotspots or some such.
Om, nomnomnom...
So in other words, they did their job and got paid.
They were contracted to find vulnerabilities, and they accurately determined that user credentials were easily compromised with a basic attack. If they were not pentesters, but rather actual attackers, they would have everything they need to access the company servers and start wreaking havoc. Even if they only sniffed users' personal credentials, they still have enough access to start social engineering or coercion attacks against the employees.
Depending on the terms of the contract, the consultants may not be allowed to test passwords they find. They may only be allowed to report that they found something that looks like it should be a password.
Of course, it may also highlight some other key details, like company devices automatically connecting to known SSIDs, or a lack of encryption on the legitimate wireless network. If their attack went undetected by the company's security team, a suitably-paranoid company may want to install systems to detect rogue access points.
A colleague of mine once was hired to do a week of pentesting. The first morning, he tailgated through a locked door by carrying some boxes, found an unlocked network closet, and connected to the client's network and started sniffing unencrypted traffic, including plaintext passwords for the admins. Those let him access every server he tried, and he ended up cutting the test short by lunch. He delivered a brief report in the afternoon, essentially saying that the general approach to security was so bad that further testing wouldn't be productive. His recommendation was to cancel the security testing contract and move the budget to basic security training.
You do not have a moral or legal right to do absolutely anything you want.
I'm not sure the R's have those things either, but exactly how few people would have to connect to porn before it didn't get the headline? The number they report is POINT TWO FOUR. That's a quarter of one percent. That means that out of every four hundred that connected, one of them needed to spank one out. Those are shockingly low numbers for people. I bet you won't hear what the Democrats do- even if they only access porn at the same rate as the general public, they'll still blow these Republican numbers out of the water.
So in other words, they did their job and got paid.
Problem is the company probably is no more practically secure after the consultants came than before.
The first morning, he tailgated through a locked door by carrying some boxes, found an unlocked network closet, and connected to the client's network and started sniffing unencrypted traffic, including plaintext passwords for the admins.....He delivered a brief report in the afternoon, essentially saying that the general approach to security was so bad that further testing wouldn't be productive.
Yeah, that's a pretty common sort of scenario.
"First they came for the slanderers and i said nothing."
Apart from "I vote Trump! free Internet" there is also a "I vote Hillary ! free Internet".
Expectedly...
"Of the people connecting to the fake candidate name Wi-Fi in Cleveland, 70 per cent connected to the Trump-related Wi-Fi, 30 per cent to the Clinton-related Wi-Fi."
What law prohibits setting up a wireless network?
What law prohibits inspecting the traffic traversing your own network?
"If there was a gay Afro-Puertorican Linux distribution, I'd give it a try" ~lucm
People use free WiFi without encryption. Not only is this unremarkable, it should not be in any way remarkable. The Internet Protocol and its children, UDP and TCP, were designed from the very beginning with one overriding goal: the intelligence is at the edges. Only the nodes matter. Everything else is just transit. Whether or not Layer 2 is encrypted is irrelevant. Only Layer 6/7 encryption can be trusted.[1] It is equally as safe to use any random wifi hotspot as it is to use your cable modem at home.
Knowing what we know about NSA spying, let me repeat that: it is equally as safe to use any random wifi hotspot as it is to use your cable modem. Historically, the various protocols that were designed to run over TCP/IP and UDP[2] largely assumed that transit would be benign. That's because IMAP and POP and HTTP were designed by engineers who were unaccustomed to designing a world that's proof against flaming assholes. Those days are over.
Now that the whole world uses the Internet, engineers have to design protocols and systems that are proof against flaming assholes. It's no longer optional. Avast saw identity leakage because not all software has come to grips with the new reality. Eventually, when all the software is updated, there will be nothing to report. The grand strength of the design of the Internet will once again make itself felt: upgrade the nodes to use encryption (math is your friend) and transit is just transit, as was and ever shall be. You and I already have the ability to upgrade the nodes under our control to be proof against flaming assholes. Eventually the nodes that Jane and John Q. Public buy will come configured that way out of the box.
We just want our packets routed. The SSID will be totally irrelevant. People who already treat it as if it is aren't wrong. They just need to use a slightly smarter node. Apparently 30% of users already have one.
---
[1] Or possibly you can squeeze it all the way down to Layer 4, if you use Authentication Header and Encapsulating Security Payload. (IPSEC)
[2] Why does no one ever write UDP/IP?
Maybe you should read the Republican Platform before you claim what's in it. A lot of double speak as in anti-environment talk, anti-EPA put under Environment Protection. & the "Renewing American Values" section... eye opener for sure. I could go on but what's the point? They had a gay person speak! There were some black people there too!
SLOWER TRAFFIC KEEP RIGHT
0.24 percent visited pornography
I suppose that sounds more impressive the saying 3 out of over 1200 random people.
And how many of the "GOP delegates" connected to “I vote Hillary! free Internet”?
I have been running an open wifi for 4 years now with multiple access points covering my neighborhood corner which gets a good amount of pedestrian traffic. A typical month I'll get 225 unique visitors and about 35 unique visitors per day. Four years ago it was common for people to pop email and send passwords in the clear. Nowadays with all the new devices almost everything is end to end encrypted. I doubt Avast got anything more than device ids and dhcp names and of course all the destinations a device hit. Windows boxes however can be extremely chatty and for some reason not know they're connected to a foreign network.
It would be funny to learn the percentage of devices accessing porn. I heard Republicans consume more porn than Democrats.
The weren't "practically" secure before the test, and given the extreme lack of protection, probably weren't even aware of it. Now they are aware of it, and can start pursuing better options for protection. The servers and networks haven't changed, but the improvement in awareness puts them in a much better position. Now they can improve.
Again, a consultant's job really boils down to the terms of the contract. If the contract says to evaluate the company security, that's what you do. If the result of that evaluation is to simply say "your company is horrifyingly insecure", then sometimes that's the job. To that end, it's rather silly to spend a week deeply probing Apache vulnerabilities or zero-day injection attacks when executives are broadcasting their passwords in plaintext. Attackers don't care if their exploits are inelegant or obvious. Low-hanging fruit is still fruit.
Security is not a checklist, despite what managers might think. You can't just hire a security consultant to run a test, then stick on his list of band-aid fixes and be done with it. Rather, every employee, vendor, contractor, and visitor must have the appropriate training and controls to ensure that the company is secure, and that diligence must continue even when the contractor's gone. From the manager's perspective, a consultant who's done a thorough investigation and turns in a textbook for a report has done impressive work... but a consultant who brings clear attention to an endemic problem of security negligence has done better work.
If I'm a manager, that kind of concise finding is something I can elevate and focus on fixing, rather than having it buried inside a report of a thousand low-exposure vulnerabilities.
You do not have a moral or legal right to do absolutely anything you want.
Even for the hotspots near the convention, the researchers don't appear to have distinguished between Republican delegates connecting, and all others connecting such as venue workers, media personnel, protesters, or simply random citizens walking nearby. As for the airport hotspot, I somehow doubt that convention delegates spent the majority of their time hanging out at the airport, several miles from the venue. This experiment undoubtedly captured a lot of non-delegates.
Dating is only tiny sliver of what meetup.com. Take for example the hundreds of these politics-related meetups.
And if the results are bad for the Dems, will you all publish?
Of course, they will. Avast is a scamware company. They thrive on misinformation, fear, and publicity.
http://avastscam.com/a-track-record-of-fraud/
Avast's CEO has even blamed its affiliates for their scams, which he claims they deactivated and are no longer forwarding phone calls from their 800 numbers to, but once the bad press died down, nothing changed, and their current affiliates are still scaring grandpas and grandmas everywhere into shelling out hundreds of dollars for worthless Avast products that claim to fix problems that those people didn't even have in the first place.
The only story that everyone seems to be missing right now is the fact that a well-known scamware company was able to place wireless hotspots within the Republican National Convention, and is actually bragging about it after the fact. I ask you. How many convention goers used their credit cards from the convention floor during that time? How many people logged into their banks to wire donations? How many used those hotspots to check email from their own private insecure servers sitting in their homes? Don't tell me that Democrats are the only ones doing it. Colin Powell, for instance, admitted as such for when he was Secretary of State.
By letting Avast scam artists get into their convention, the republicans really made a huge mistake.
A Pineapple is a home made device using a small router connected to a cellular hotspot. Every computer actually broadcasts the networks it has saved in order to locate one of the networks. The Pineapple sees these probes and instantly becomes that wifi network allowing them to connect without a password. Then all traffic is passed onto the hotspot but at this point the attacker is a man in the middle and can intercept all traffic. Unless the user is using encryption such as SSL, VPN, there is quick a bit of information that can be obtained. Also any zero days could be attempted to hack their device.
Walk through any airport with a Pineapple and you will hit 1,200 people easily. The Pineapple is cooler than setting up multiple phony hotspots because it can fit in your pocket or laptop bag and you can just walk around scooping up connections to investigate.
I forget where I read it but I think I remember reading an article some years ago where someone stood up a free Wifi network named something along the lines of "get hacked" and it still had many, many users...
If it's free WiFi people will use it regardless of potential danger, the name is literally nothing.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Trump doesn't follow the platform, so why should it matter what it says?
I think you are confused and ignorant of what is really going on now.
I'll bet in fact YOU have not read the platform and just believe someone else's lies as to what is really in it.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Security is not a checklist, despite what managers might think.
Yeah, you're right.
You can't just hire a security consultant to run a test, then stick on his list of band-aid fixes and be done with it.
And yet that's what many snake-oil consultants offer.
"First they came for the slanderers and i said nothing."
A) Twenty blind lesbians at a fish market...
You think... well, you would be wrong about your thoughts. I've certainly have not read all of the platform, only some of it, the parts I was referring to. Whoever wins the election, it won't matter much what they personally think or plan to do, the president does not pass laws. So Trump can shoot off his big fat goofy ass mouth all he likes but he won't be able to do much without the backing of Congress.
You really need to read the platform because you should not be confused & ignorant as to what you are actually voting for. The party, not the person, whether you like it (or believe it) or not.
SLOWER TRAFFIC KEEP RIGHT
Incidentally, a lot of "security" consultants use this trick.....they set up a fake wireless access point in an office, and when a lot of people accidentally connect to it, thy sniff some passwords.
Indeed they do expose a serious security risk: browsers (or other software) sending login credentials in plain text over an untrusted connection (which is ANY connection on the Internet, except maybe a patch cable between your laptop and the server you try to connect to).
and even Slashdot has switched to https recently (just yesterday noticed it, not so long ago I was still connecting on http)
You can't just hire a security consultant to run a test, then stick on his list of band-aid fixes and be done with it.
And yet that's what many snake-oil consultants offer.
...but a comprehensive practical test is what you complained about in the first place!
they set up a fake wireless access point in an office, and when a lot of people accidentally connect to it, th[e]y sniff some passwords. After that, they show it to the boss and say, "look how insecure you are!" The boss is shocked and they send a bill, even though they've done nearly nothing.
If they're a level up, they might have an automated Metasploit script to throw at servers.
So let me get this straight... a consultant who walks in and says "look how insecure you are!" and raises general awareness of security is a bad thing, per your earlier post. A consultant who offers a list of exploits is only "a level up" from that. Per your last post, you agree that a consultant delivering just a list of patches is bad.
What do you think a good security consultant would deliver, exactly?
You do not have a moral or legal right to do absolutely anything you want.
What do you think a good security consultant would deliver, exactly?
A) actual skills, not just a script-kiddy with corporate backing.
B) when they were done, they would leave a place relatively more secure. For example, I can go to a place and say, "look, your windows are insecure, and if you put bars on the windows, it will be more secure." That will be 100% accurate, but not particularly useful, and in practice doesn't address most threats companies face.
C) the primary focus generally should be on securing against remote attacks, because that's where your highest exposure is. Anyone can plop down a wifi pineapple, but most people who do so are security consultants. In practice, black-hats favor remote exploits.
"First they came for the slanderers and i said nothing."
A) actual skills, not just a script-kiddy with corporate backing.
Elitism. Got it.
B) when they were done, they would leave a place relatively more secure. For example, I can go to a place and say, "look, your windows are insecure, and if you put bars on the windows, it will be more secure." That will be 100% accurate, but not particularly useful, and in practice doesn't address most threats companies face.
That depends entirely on the client. Bars on the windows are important for a convenience store in a bad neighborhood. Similarly, a reinforced perimeter is important for any facility whose risk is more physical than electronic. One example that comes to mind is a store's cash supply. I've seen a restaurant whose cash was stored in the manager's office, which had a single-pane window into the dining area.
C) the primary focus generally should be on securing against remote attacks, because that's where your highest exposure is. Anyone can plop down a wifi pineapple, but most people who do so are security consultants. In practice, black-hats favor remote exploits.
Black-hats favor whatever gets to their target. Remote exploits are easy and safe, but also easily foiled by a suitable firewall. Rogue wi-fi is also already very common in business-oriented hotels, sometimes even going so far as to spoof the hotel's captive portal. Their goal is to capture corporate logins, providing easy access for corporate espionage. The only effective defense is user education.
Here again, it depends on the client's needs. If the attack is worth more than the price of a plane ticket, any suitably-motivated attacker could come to the office for a visit. If the company regularly sends travelers to hotels, those travelers should be aware of the risks they face. In a very obvious example, I once heard of a political convention with some rogue APs set up monitoring users' traffic. They could have easily injected drive-by downloads to try to get malware behind corporate firewalls, or even directly onto target devices.
The reality of information security is that the least-impressive attacks are often the most effective. The single most effective step to make a company safer is to ensure that they are thinking about all aspects of security, not just focusing on one particular class of attack.
You do not have a moral or legal right to do absolutely anything you want.
The ISP is not publishing their results at this time. Neither are Starbucks or McDonalds. So I disagree with your suggestion that connecting to "real" hotspots vs these "faked" ones is an identical situation.
But I do agree that we would be better off if we all assumed that all Internet traffic should be considered to be "untrusted" and that end to end encryption, including anonymity would make us all a lot safer from profiling and reduce the potential for invasion of privacy (like these guys did).
Q) What's the very definition of confusion?
A) Twenty blind lesbians at a fish market...
How many people on Slashdot will even get that joke?
Hilarious though.
They don't need to worry about that anymore. They simply won't prosecute them, just like Hillary. So they can feel free to talk about their illegal donations and so on.