Security News > 2005 > June > Wireless Web puts personal data at risk
Forwarded from: Mark Bernard Dear Associates, If you don't believe that this article speaks about something that could actually happen then why not attempt it in a controlled situation? If you don't succeed then you're likely not skilled enough to be successful and if you do well what else can I say. Many times while conducting penetration testing for my international clients against off shore targets I was told by both management and technical staff that a particular system and its information was safe, secure only to prove them wrong. The stakes were high, because you see in that particular organization if a system was penetrated the entire departments annual salary increase was withheld. That's company policy! Could there be other organizations who are so sure about the effectiveness of their own security systems? You bet, lots !! But not many who'll stake their annual salary increase on it...... Please note the reference to a new vulnerability known as Evil Twins. This vulnerability is created when somebody comes along and sets up a duplicate hotspot and uses it to capture private information. How easy would that be, very easy just ask your local Radio Shack retailer. What if someone did this just outside a legitimate business? Of course that might be illegal, but do you really think that somebody who's not planning on being caught or identified would be concerned if its right or wrong? Especially if there's a potential for financial gain. Please don't kid yourself.... Businesses need to follow through on the concept of due-diligence or standard-of-due-care, because many are managing security with true obscurity and obscurity is going they same way that the dinosaurs went. Enjoy the read ! Best regards, Mark. ========= beginning of excerpt ======== http://www.cnn.com/2005/TECH/internet/06/21/hotspot.hacking/index.html Wireless Web puts personal data at risk By Daniel Sieberg CNN June 21, 2005; ATLANTA, Georgia (CNN) -- What comes to mind when you think of wireless Web surfing? It may not be security, or lack of it. There are nearly 30,000 public wireless "hot spots" in the United States at places such as parks and cafes, but there's more to consider than just where to log on. The convenience comes with a caveat. "Understand that the information you're sending is very similar to standing up here in the park and shouting out all the information -- would I normally do that?" said Richard Rushing, a wireless expert with security firm Air Defense who visited an Atlanta park to show security vulnerabilities. Rushing is considered an "ethical hacker" and works with companies to strengthen their wireless networks. He said many people don't realize they could have all their personal data stolen while checking out their checking account. "It's great to be able to sit somewhere and work without having any wires attached, no nothing attached, but you have that risk that it comes back to," Rushing said. At the park, Rushing was able to log onto an unsecured hotel wireless signal in a matter of seconds. To illustrate how vulnerable such networks can be, Rushing then sent an e-mail and intercepted the entire contents of the message. He could've done the same thing to any of the dozens of people sitting nearby in the park. "At any point in time, I can reach out and touch everyone's laptop at the hot spot, and there's usually not any way of preventing that -- from me touching and looking at other people's stuff at the hot spot itself," Rushing said. He also demonstrated a growing concern called "evil twins" -- fake wireless hot spots that look like the real thing. For example, he said, a hacker could be sitting around the corner sending out a wireless signal. It may look like a legitimate one, even offering people a chance to sign up for service. But if you log on, the hacker then would have complete access to your machine. He said anybody with some tech know-how and the right tools can break into the basic level of wireless security that's commonly used. There are even how-to video instructions online. Rushing said people need to imagine that nothing is truly private at a wireless hot spot. "A lot of the time you really want to stay away from doing certain things at the hot spot that you would normally not do if you knew somebody would be watching," he said. Nevertheless, Rushing doesn't discourage using wireless. He tells people to be aware of what they're sending and the potential for theft. In other words, it's a good chance to read the baseball scores, but even if you're sitting by yourself, it doesn't mean you are all alone. There may be no wires attached, but the convenience still comes with strings. ========= end of excerpt =========== Best regards, Mark. Mark E. S. Bernard, CISM, CISSP, PM, Principal, Risk Management Services, e-mail: Mark.Bernard () TechSecure ca Web: http://www.TechSecure.ca Phone: (506) 325-0444 Leadership Quotes by Kenneth Blanchard: "The key to successful leadership today is influence, not authority." _________________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 23-28 - 2,000+ international security experts, 10 tracks, no vendor pitches. www.blackhat.com
News URL
http://www.cnn.com/2005/TECH/internet/06/21/hotspot.hacking/index.html