Slashdot Mirror


Any Half-Decent Hacker Could Break Into Mar-a-Lago (alternet.org)

MrCreosote writes: Properties owned and run by the Trump Organization, including places where Trump spends much of his time and has hosted foreign leaders, are a network security nightmare. From a report via ProPublica (co-published with Gizmodo): "We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained. A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, New Jersey, with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation. We have also visited two of President Donald Trump's other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Virginia. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information. The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises."

11 of 327 comments

  1. Re: Heaven forbid by Anonymous Coward · Score: 3, Informative

    He's talking about Mrs. Clinton.

  2. Re:Incoming law enforcement by DontBeAMoran · Score: 4, Informative

    They did not connect to the unprotected networks (i.e. networks that are open, by design). They also did not connect to the weakly protected networks (which would have been illegal, but their point was that hackers and foreign governments could easily access them).

    --
    #DeleteFacebook
  3. Re:Heaven forbid by Dunbal · Score: 1, Informative

    When the police come into your house with a warrant I'm pretty sure you're not allowed to lock certain rooms and bar them from going in there. THEY decide what is "personal" and what is "evidence" - not you. In fact if you DO tell them "please don't look in that drawer" that is the FIRST place they're going to look.

    The deleted personal emails were personal only because we have Hillary's word for it... and the toilet at the crackhouse is running not because someone flushed some drugs down there but someone just had to pee right when the door got broken open. The crackhead said so.

    --
    Seven puppies were harmed during the making of this post.
  4. All they had to do was walk in by laughingskeptic · Score: 3, Informative

    and read the sign that says "This month's WiFi Password is GOLF". It's a country club. They assume you belong there, unless you don't look like you belong there. What is the point of securing a network that has a publicly available password?

  5. Re:Wow. You da man. Accessing a public network! by __aaclcg7560 · Score: 1, Informative

    Mar-a-Lago is a resort.

    So is Camp David. Which one is more secure for national security?

  6. Re:Wow. You da man. Accessing a public network! by GLMDesigns · Score: 5, Informative

    Sorry, this is a public resort. It's a golf club, public events are held there. And yes, Trump has a private residence there. I'm pretty sure there is more than one network there.

    This is analogous to Trump owning the Waldorf Hotel and having a suite there and someone hacking the hotel's public network. Big deal. Again, that's the equivalent of hacking a Starbucks.

    --
    If you're scared of your govt then you need to further restrict its powers
    Vote 3rd Party in 2016 and beyond
  7. Re:Crappy pentest is crappy by Lordpidey · Score: 4, Informative

    1. Was this done with written permission from the network owner? If not, you opened yourself up to legal action by the network owner if they choose to pursue it.

    Listening to SSID broadcast is hardly illegal.

    --
    Some people encrypt by using rot-13 twice. I prefer the more secure method of using rot-1 a total of twenty six times.
  8. Re:Is secure hotel wifi possible? by AmiMoJo · Score: 2, Informative

    Yes. WPA2 provides isolation between users, for example, so you can't simply wireshark everyone else's traffic. WEP is broken and doesn't provide adequate isolation any more.

    If their APs/routers are using WEP, chances are they are out of date and vulnerable to other attacks. If someone can get into the router, they can change things like the default gateway, DNS settings or maybe tunnel traffic through their own VPN.

    I'm surprised that the security services have not helped them to secure their systems, considering how much time Trump spends there. Even if his phone is secure, he has staff and family with him, and other guests and staff members might have their electronics turned into unwitting bugs. Remember that the adversary is foreign intelligence, using state level exploits and malware.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  9. Re:Incoming law enforcement by Kierthos · Score: 5, Informative

    Because he's an arrogant prick who thinks that he can do whatever he wants without consequences.

    --
    Mr. Hu is not a ninja.
  10. Re:Incoming law enforcement by Anonymous Coward · Score: 0, Informative

    They say they didn't connect, but then claim it gives access to unencrypted login pages and databases with sensitive information. I'm not sure how you can deduce any of that without connecting and snooping around a bit.

    I think they broke the law, claimed they didn't, and aren't smart enough to realize that they gave themselves away.

  11. Re: Heaven forbid by Attila+Dimedici · Score: 1, Informative

    Not really, when his opposition IS telling people to riot and be violent at his rallies. It is not the Trump supporters who are starting the violence, it is the people being paid by the various Soros front groups who are starting the violence in almost all of the cases.

    --
    The truth is that all men having power ought to be mistrusted. James Madison