Slashdot Mirror


Avast Suckers GOP Delegates Into Connecting To Insecure Wi-Fi Hotspots (theregister.co.uk)

Avast conned more than 1,200 people into connecting to fake wi-fi hotspots set up near the Republican convention and the Cleveland airport, using common network names like "Google Starbucks" and "Xfinitywifi" as well as "I vote Trump! free Internet". An anonymous reader quotes this report from The Register: With mobile devices often set to connect to known SSIDs automatically, users can overlook the networks to which they are connecting... Some 68.3 percent of users' identities were exposed when they connected, and 44.5 per cent of Wi-Fi users checked their emails or chatted via messenger apps... In its day-long experiment Avast saw more than 1.6Gbps transferred from more than 1,200 users.
Avast didn't store the data they collected, but they did report statistics on which sites were accessed most frequently. "5.1 percent played Pokemon Go, while 0.7 percent used dating apps like Tinder, Grindr, OKCupid, Match and Meetup, and 0.24 percent visited pornography sites like Pornhub."

12 of 109 comments

  1. Will you do the same at the Democrat convention? by Anonymous Coward · · Score: 5, Interesting

    Results will be skewed, because the Dem convention delegates will know that somebody is (probably) waiting to entrap them. The Pubs won't have had the same emphasis placed on cyber security before their convention.

    And if the results are bad for the Dems, will you all publish?

  2. Re:BREAKING NEWS by phantomfive · · Score: 5, Insightful

    That is not being a moron. There is no way to be sure that a particular SSID belongs to who it claims (unless you do some kind of certificate exchange).

    --
    "First they came for the slanderers and i said nothing."
  3. Re:Impeach! by Pedohammad · · Score: 2, Informative

    Let's ask Hillary. She is kind of an expert on that subject.

  4. Re: Impeach! by Anonymous Coward · · Score: 3, Interesting

    It's only a felony for the little people.

    Clintons don't have to follow the same laws.

    Dumbass OP shouldn't have touched this one if he's a Clinton supporter.

    The sane people in this country who aren't drowning in koolaid or ever worked anywhere in security know she should absolutely be in prison right now. No buts, what ifs.

    She is a criminal who put this nation's security at risk in a direct and premeditated effort to skirt the freedom of information act, committing two crimes at one go.

    Only a Clinton could be so blatantly corrupt, get away with it and still have millions of mindless supporters like the OP, because she has a vagina.

  5. I look forward to DNC results by SuperKendall · · Score: 4, Insightful

    Surely they plan to do the same thing at the Democratic convention - does anyone doubt the results would be similar? People in general, no matter political affiliation, are prone to connect to insecure WiFi. How is that even news?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  6. Re:BREAKING NEWS by phantomfive · · Score: 2

    Incidentally, a lot of "security" consultants use this trick... they set up a fake wireless access point in an office, and when a lot of people accidentally connect to it, they sniff some passwords. After that, they show it to the boss and say, "look how insecure you are!" The boss is shocked and they send a bill, even though they've done nearly nothing.

    If they're a level up, they might have an automated Metasploit script to throw at servers.

    --
    "First they came for the slanderers and i said nothing."
  7. Re: Impeach! by Anonymous Coward · · Score: 2, Interesting

    Benghazi is not something that defines her, it's merely a drop in the ocean of what she has done so far and what she is capable of doing.

    Vote whoever, just not her.

  8. Re:and the point here? by lister king of smeg · · Score: 2

    So devices automatically connected to spoofed names.. how is that 'news' or relevant to the convention? How would anyone really know if you hit a spoofed wifi like xfinity?

    The only thing of note here is that everyone should be using vpn if they are using public wifi.

    So what if it's fake? Check sites that you log in to have a valid https cert. If the cert is bad, most major browsers will give you repeated warnings not to trust the site. If you are just browsing reddit or slashdot or watching youtube, who cares.

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  9. Re:Will you do the same at the Democrat convention by Mashiki · · Score: 2

    Considering the stuff coming out of the 20k emails leaked by wikileaks? There's going to be a lot of very nervous people at the DNC this week, so yep I expect that they figure someone will want to fish for information and they'll likely have signs up saying only xyz are approved hotspots or some such.

    --
    Om, nomnomnom...
  10. Re:BREAKING NEWS by Sarten-X · · Score: 3, Insightful

    So in other words, they did their job and got paid.

    They were contracted to find vulnerabilities, and they accurately determined that user credentials were easily compromised with a basic attack. If they were not pentesters, but rather actual attackers, they would have everything they need to access the company servers and start wreaking havoc. Even if they only sniffed users' personal credentials, they still have enough access to start social engineering or coercion attacks against the employees.

    Depending on the terms of the contract, the consultants may not be allowed to test passwords they find. They may only be allowed to report that they found something that looks like it should be a password.

    Of course, it may also highlight some other key details, like company devices automatically connecting to known SSIDs, or a lack of encryption on the legitimate wireless network. If their attack went undetected by the company's security team, a suitably-paranoid company may want to install systems to detect rogue access points.

    A colleague of mine once was hired to do a week of pentesting. The first morning, he tailgated through a locked door by carrying some boxes, found an unlocked network closet, and connected to the client's network and started sniffing unencrypted traffic, including plaintext passwords for the admins. Those let him access every server he tried, and he ended up cutting the test short by lunch. He delivered a brief report in the afternoon, essentially saying that the general approach to security was so bad that further testing wouldn't be productive. His recommendation was to cancel the security testing contract and move the budget to basic security training.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  11. Kids these days by Areyoukiddingme · · Score: 5, Interesting

    People use free WiFi without encryption. Not only is this unremarkable, it should not be in any way remarkable. The Internet Protocol and its children, UDP and TCP, were designed from the very beginning with one overriding goal: the intelligence is at the edges. Only the nodes matter. Everything else is just transit. Whether or not Layer 2 is encrypted is irrelevant. Only Layer 6/7 encryption can be trusted.[1] It is equally as safe to use any random wifi hotspot as it is to use your cable modem at home.

    Knowing what we know about NSA spying, let me repeat that: it is equally as safe to use any random wifi hotspot as it is to use your cable modem. Historically, the various protocols that were designed to run over TCP/IP and UDP[2] largely assumed that transit would be benign. That's because IMAP and POP and HTTP were designed by engineers who were unaccustomed to designing a world that's proof against flaming assholes. Those days are over.

    Now that the whole world uses the Internet, engineers have to design protocols and systems that are proof against flaming assholes. It's no longer optional. Avast saw identity leakage because not all software has come to grips with the new reality. Eventually, when all the software is updated, there will be nothing to report. The grand strength of the design of the Internet will once again make itself felt: upgrade the nodes to use encryption (math is your friend) and transit is just transit, as was and ever shall be. You and I already have the ability to upgrade the nodes under our control to be proof against flaming assholes. Eventually the nodes that Jane and John Q. Public buy will come configured that way out of the box.

    We just want our packets routed. The SSID will be totally irrelevant. People who already treat it as if it is aren't wrong. They just need to use a slightly smarter node. Apparently 30% of users already have one.

    ---
    [1] Or possibly you can squeeze it all the way down to Layer 4, if you use Authentication Header and Encapsulating Security Payload. (IPSEC)
    [2] Why does no one ever write UDP/IP?

  12. Pineapple by Whatchamacallit · · Score: 2

    A Pineapple is a homemade device using a small router connected to a cellular hotspot. Every computer actually broadcasts the networks it has saved in order to locate one of the networks. The Pineapple sees these probes and instantly becomes that wifi network, allowing them to connect without a password. Then all traffic is passed on to the hotspot, but at this point the attacker is a man in the middle and can intercept all traffic. Unless the user is using encryption such as SSL, VPN, there is quite a bit of information that can be obtained. Also any zero days could be attempted to hack their device.

    Walk through any airport with a Pineapple and you will hit 1,200 people easily. The Pineapple is cooler than setting up multiple phony hotspots because it can fit in your pocket or laptop bag and you can just walk around scooping up connections to investigate.
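
Comments 10 and 12 above mention systems to detect rogue access points and a device that answers for whatever network names clients probe for. The sketch below is an added example, not part of the thread or any poster's code: it checks wireless scan results against an inventory of legitimate APs and flags a radio that advertises many names at once. The inventory, the scan records, the field names and the threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory of the organisation's legitimate APs (hypothetical values).
KNOWN_APS = {
    "CorpNet": {
        "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
        "security": "WPA2-Enterprise",
    },
}

# Constructed scan results, in the shape a wireless sensor might report them.
SAMPLE_SCAN = [
    {"ssid": "CorpNet", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2-Enterprise"},
    {"ssid": "CorpNet", "bssid": "de:ad:be:ef:00:01", "security": "Open"},
    {"ssid": "xfinitywifi", "bssid": "de:ad:be:ef:00:01", "security": "Open"},
    {"ssid": "Google Starbucks", "bssid": "de:ad:be:ef:00:01", "security": "Open"},
    {"ssid": "CoffeeShop", "bssid": "12:34:56:78:9a:bc", "security": "WPA2-PSK"},
]


def find_rogue_aps(scan, known_aps, max_ssids_per_bssid=2):
    """Return a sorted list of (bssid, ssid, reason) findings."""
    findings = set()
    ssids_by_bssid = defaultdict(set)
    for ap in scan:
        ssid, bssid = ap["ssid"], ap["bssid"].lower()
        ssids_by_bssid[bssid].add(ssid)
        known = known_aps.get(ssid)
        if known is None:
            continue  # not a managed network; only the multi-SSID check applies
        if bssid not in known["bssids"]:
            findings.add((bssid, ssid, "unknown BSSID for managed SSID"))
        if ap["security"] != known["security"]:
            findings.add((bssid, ssid, "security downgrade"))
    # One radio answering under many names matches the probe-answering
    # behaviour described in comment 12.
    for bssid, ssids in ssids_by_bssid.items():
        if len(ssids) > max_ssids_per_bssid:
            findings.add((bssid, "*", f"{len(ssids)} SSIDs from one BSSID"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_rogue_aps(SAMPLE_SCAN, KNOWN_APS):
        print(finding)
```

BSSIDs can be spoofed, so a clean result from the inventory check does not prove the absence of a rogue AP; the security-downgrade and multi-SSID checks catch cases the allowlist alone would miss.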