I recently wrote an article in WV Inc magazine talking about insecurity in wireless networks. It recounted an exercise whereby I drove through our metro area and located a staggering percentage of wide-open wireless networks. I'd like to expand a bit on the potential security ramifications of a situation like this.
Open WIFI networks are the only way to be truly anonymous on the internet.
Think about that for a second. Hackers commonly bunny-hop through a series of compromised (hacked) computers, often in multiple countries, to help hide their tracks. You may receive an internet attack that comes from some server in Romania. But that server may have been compromised by a server in China. And that server may have been compromised by a hacker sitting in New Jersey. So to make it very difficult to catch him (language barriers, national boundaries, jurisdictional legal issues, etc.) he connects to China, connects from China to Romania, and uses the Romanian server to attack you.
Yes, this method makes it very difficult, but not impossible to track him down. A good forensic investigation following the chain of compromised machines backwards would in theory lead you from your site, to Romania, China, and eventually to New Jersey if you're a good enough forensic investigator and you have some luck and good international people skills on your side.
Before we get to the "wifi commando raid" I'd like to talk a little bit about the law of averages. Every day, I see a dozen or so vulnerabilities in various pieces of hardware and software announced on various security lists and notification services. Seriously. Every day. The law of averages dictates that out there somewhere, there are a significant number of people who are discovering these vulnerabilities. It also states that some of them are not Good Guys. And likewise, some percentage of those, are Smart Bad Guys. A Smart Bad Guy will sit on a vulnerability he's discovered and not announce it to the community. He'll also wait for the right opportunity to capitalize on this vulnerability.
Imagine the following scenario. Some of the most effective and damaging system compromises I'm aware of are of the "fire and forget" nature. A Smart Bad Guy discovers a vulnerability in some enormously popular piece of software and tells no one about it. He does his homework, he builds a nice, effective, automatic piece of software that mines some target for data. He then heads off war-driving and finds a couple of open wifi networks. Let's call them "Open WIFI A" and "Open WIFI B." Given that open wifi networks are generally not run by people who are security-savvy, silently compromising some machine, and completely gaining control of someone's home wireless network and router, wouldn't be all that hard. (It isn't hard. I promise.) He then sets up a data recipient machine on "Open WIFI B." This machine will receive his stolen data.
Now it's time for the commando raid. There are only three points where he's in any real risk of being caught. One we've already discussed. That's where he compromises "Open WIFI B." Now we get to the second (and least risky) point of exposure for the hacker. It's time to conduct the raid. He returns to "Open WIFI A" (or finds a completely new open wifi) and fires off his automagic exploit/attack. He drove or walked up to within range of "Open WIFI A," fired off his exploit (this would take all of about two minutes), packed up, and left. Now he waits on the exploit to do its thing.
If he's good, there's a pretty good chance that no one will notice the compromised data leaving the target's network headed for the data repository on "Open WIFI B." He waits his pre-determined period of time for the data to be gathered and transmitted to his data repository. Now comes the most risky part of his maneuver. He returns to "Open WIFI B," connects, retrieves the data, packs up and leaves.
I've talked about risk for our theoretical hacker. But in reality, there just isn't much. In most environments, someone would have to catch him on their wireless network at some point in this, and be able to triangulate via radio frequency to pinpoint him. And there's no reason 99% of this couldn't be done on the move. In the back of a van. From a car. From a bus. There is no ISP installation address for his car. There's no cable company address on file for it. There's no telephone company address on file. Imagine doing this from under-funded and under-clued municipalities who have set up open WIFI city wide.
This is a real threat. I'd love to hear discussion on how to counter it.
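One of the few points in this chain where a defender can notice anything is the moment a stranger's device joins the home network. As an added example (not part of the original post), here is a small Python script that parses dnsmasq-style DHCP log lines and flags any client MAC address that is not on a household allowlist; the log lines and the allowlist are constructed, and the log format is an assumption you would adapt to your own router.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of router DHCP log lines (dnsmasq-style format is an
# assumption; adjust LEASE_RE to match your own access point's logging).
SAMPLE_LOG = """\
Mar 14 21:02:11 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.20 a4:5e:60:11:22:33 family-laptop
Mar 14 21:05:48 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.31 f0:9f:c2:aa:bb:cc phone
Mar 14 23:41:07 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.77 00:1b:63:de:ad:01
Mar 15 00:03:19 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.78 3c:22:fb:00:00:99 android-9f2e
"""

# Hypothetical allowlist: MAC addresses of the devices the household owns.
KNOWN_DEVICES = {"a4:5e:60:11:22:33", "f0:9f:c2:aa:bb:cc"}

# Timestamp, then the DHCPACK with IP, MAC and an optional client hostname.
LEASE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s.*DHCPACK\(\S+\)\s"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s(?P<host>\S+))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ts: str
    ip: str
    mac: str
    host: Optional[str]


def parse_leases(log_text: str) -> List[Lease]:
    """Extract one Lease per DHCPACK line; lines that do not match are skipped."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            leases.append(Lease(m["ts"], m["ip"], m["mac"].lower(), m["host"]))
    return leases


def unknown_clients(leases: List[Lease], known: Set[str]) -> List[Lease]:
    """Return the first lease seen for each MAC that is not on the allowlist."""
    seen, out = set(), []
    for lease in leases:
        if lease.mac not in known and lease.mac not in seen:
            seen.add(lease.mac)
            out.append(lease)
    return out


if __name__ == "__main__":
    for lease in unknown_clients(parse_leases(SAMPLE_LOG), KNOWN_DEVICES):
        print(f"{lease.ts} unknown client {lease.mac} got {lease.ip} "
              f"({lease.host or 'no hostname'})")
```

Run against a real router's syslog feed, an alert on the first unknown lease is a cheap way to learn that someone within radio range is using your network, which is exactly the exposure the post says nobody usually notices.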
2 comments:
How funny. I mentioned your article to one of our IS people just the other day. I am admittedly ignorant, but intrigued, where it comes to WiFi technology. Anyway you provided some interesting fodder for conversation. Save for the Blankenship interview, it was the most memorable article in the publication.
The interesting (maddening?) part is that they chopped a lot of that article (particularly how to counter threats) in the editorial process. I guess they needed to trim it down for space.
I had a lot more information in there about how to counter threats than actually made it to print.