3.5.08

Wifi - Wardriving and the fleecing of the traveler or randonneur

disclaimer: This article is for informational and educational purposes only. Hacking into a private security-enabled wireless network is illegal and is not the intent of this article.

Like sheep we are drawn to them. They are everywhere, in pockets and often located right at another addiction's distribution point, the coffee house. The WiFi hotspot is not a hotspot at all for connectivity, but for someone else's money.

When I fly into Vegas, I can feel the extra $$$ already leaving me as I know it will cost $15 per day at the hotel, and $40 at the convention center for three hours, and without adequate credit card transaction security.

In fact, the last trip to Vegas found my CC taken on one of those networks (I had a company firewall in place), and the rogue user began to selectively siphon $500 at a time from my account.

I drive or bike a good deal to my local destinations, so I'm not shy about getting on someone's unsecured network, doing what I have to and leaving. That is, if I haven't found a T-Mobile hotspot that I already pay for.
When in New York City, or a major city, there are times I am restricted to where the car, or a comfortable spot and PC can be, so sometimes I have to resort to looking at the person's router if its response is very slow.

Most people leave not only the default IP address and transmission unsecured, but also the router's password. A simple lookup and I find not less than 30 BlackBerrys consuming this network, and three PCs. I'm only going to be about 5 minutes, so I log on to the router, knock off the BlackBerrys, keeping the user's PC online, change the password on the router (I'll be changing that back before I leave), and limit the number of DHCP clients to 5.

I log off. I send my email and upload some large files and I'm almost out of there. I re-enter the router's admin app and restore their settings, leaving the DHCP limit at 40, just in case they get another 30 visitors to crash their network.

Ethical or unethical? However you feel about the above, I can assure you that right now there could be "klingons" on your Wifi network at home, especially if you have not:
1. stopped broadcasting your SSID
2. changed your default router password and applied WEP or, better, WPA2
3. limited the number of DHCP users
4. upgraded your firmware
5. filtered your MACs
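As an added example (not from the original post or the reference it quotes), here is a small Python audit of a router's DHCP lease table, the same information the post reads off the router by hand: it assumes the leases are exported in the dnsmasq lease-file layout and that you keep a MAC allowlist of your own devices, flags clients you do not recognize, and reports whether the DHCP limit from step 3 is exhausted. The lease lines below are constructed sample data.

```python
# Added example: audit a home router's DHCP leases for "klingons" (clients
# not on your MAC allowlist) and check the client count against the DHCP
# limit. Lease lines follow the dnsmasq lease-file layout, assumed here:
#   "<expiry-epoch> <MAC> <IP> <hostname> <client-id>"  ("*" = none)
from dataclasses import dataclass

# Constructed sample lease table: two of your devices and three strangers.
SAMPLE_LEASES = """\
1204800000 aa:bb:cc:00:00:01 192.168.1.10 my-laptop 01:aa:bb:cc:00:00:01
1204800300 aa:bb:cc:00:00:02 192.168.1.11 my-phone *
1204800600 00:1c:cc:12:34:56 192.168.1.12 BlackBerry8830 *
1204800900 00:1c:cc:65:43:21 192.168.1.13 BlackBerry8830 *
1204801200 00:24:d2:ab:cd:ef 192.168.1.14 * *
"""

# Your own devices, i.e. what you would enter in the router's MAC filter.
MY_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}


@dataclass
class Lease:
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> list[Lease]:
    """Parse dnsmasq-style lease lines; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append(Lease(mac=parts[1].lower(), ip=parts[2], hostname=parts[3]))
    return leases


def audit(text: str, allowlist: set[str], dhcp_limit: int) -> dict:
    """Return the unknown clients and whether the lease count has hit the limit."""
    leases = parse_leases(text)
    known = {m.lower() for m in allowlist}
    unknown = [lease for lease in leases if lease.mac not in known]
    return {"total": len(leases), "unknown": unknown, "at_limit": len(leases) >= dhcp_limit}


if __name__ == "__main__":
    report = audit(SAMPLE_LEASES, MY_DEVICES, dhcp_limit=5)
    print(f"{report['total']} leases, {len(report['unknown'])} not on your allowlist")
    for lease in report["unknown"]:
        print(f"  unknown client {lease.mac} ({lease.hostname}) at {lease.ip}")
    if report["at_limit"]:
        print("DHCP pool exhausted: your own devices may be unable to join")
```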

Hey, we take some and we give; please feel free to pass along this advice and the very good reference below to your neighbor.

That is, after you've downloaded Madonna's latest CD...

From The Ethical Hacker:

Just as it's important to know how to utilize the aforementioned tools, it is important to know best practices on how to secure your Wireless Network against these tools.

NetStumbler – Do not broadcast your SSID. Ensure your WLAN is protected by using advanced Authentication and Encryption.

Kismet – There's really nothing you can do to stop Kismet from finding your WLAN, so ensure your WLAN is protected by using advanced Authentication and Encryption.

Airsnort – Use a 128-bit, not a 40-bit WEP encryption key. This would take longer to crack. If your equipment supports it, use WPA or WPA2 instead of WEP (may require firmware or software update).

Cowpatty – Use a long and complex WPA Pre-Shared Key. This type of key would have less of a chance of residing in a dictionary file that would be used to try and guess your key and/or would take longer. If in a corporate scenario, don’t use WPA with Pre-Shared Key, use a good EAP type to protect the authentication and limit the amount of incorrect guesses that would take place before the account is locked-out. If using certificate-like functionality, it could also validate the remote system trying to gain access to the WLAN and not allow a rogue system access.

ASLeap – Use long and complex credentials, or better yet, switch to EAP-FAST or a different EAP type.

Ethereal – Use encryption, so that anything sniffed would be difficult or nearly impossible to break. WPA2, which uses AES, is essentially unrealistic to break by a normal hacker. Even WEP will encrypt the data. When in a Public Wireless Hotspot (which generally do not offer encryption), use application layer encryption, like Simplite to encrypt your IM sessions, or use SSL. For corporate users, use IPSec VPN with split-tunneling disabled. This will force all traffic leaving the machine through an encrypted tunnel that would be encrypted with DES, 3DES or AES.
Courtesy of Daniel V. Hoffman, CISSP, CWNA

http://www.ethicalhacker.net/content/view/16/24/
BTW, there's one gentleman who is an ASIS Vice President who does a great job giving a "wardriving" and prevention class. Should anyone be interested in him presenting at a conference or consulting on this subject, feel free to ask me for his contact information.
