[ISN] Wireless Web puts personal data at risk

From: InfoSec News (isn@private)
Date: Tue Jun 21 2005 - 23:43:30 PDT


Forwarded from: Mark Bernard <Mark.Bernard@private>

Dear Associates,

If you don't believe that this article speaks about something that
could actually happen then why not attempt it in a controlled
situation? If you don't succeed then you're likely not skilled enough
to be successful, and if you do, well, what else can I say.

Many times while conducting penetration testing for my international
clients against offshore targets I was told by both management and
technical staff that a particular system and its information was safe,
secure only to prove them wrong. The stakes were high, because you see
in that particular organization if a system was penetrated the entire
department's annual salary increase was withheld. That's company
policy!

Could there be other organizations who are so sure about the
effectiveness of their own security systems? You bet, lots!! But
not many who'll stake their annual salary increase on it...

Please note the reference to a new vulnerability known as Evil Twins.
This vulnerability is created when somebody comes along and sets up a
duplicate hotspot and uses it to capture private information. How easy
would that be? Very easy, just ask your local Radio Shack retailer.
What if someone did this just outside a legitimate business?

Of course that might be illegal, but do you really think that somebody
who's not planning on being caught or identified would be concerned if
it's right or wrong? Especially if there's a potential for financial
gain. Please don't kid yourself....

Businesses need to follow through on the concept of due-diligence or
standard-of-due-care, because many are managing security with true
obscurity and obscurity is going the same way that the dinosaurs
went.

Enjoy the read!

Best regards,
Mark.

========= beginning of excerpt ========

http://www.cnn.com/2005/TECH/internet/06/21/hotspot.hacking/index.html

Wireless Web puts personal data at risk 
By Daniel Sieberg
CNN
June 21, 2005

ATLANTA, Georgia (CNN) -- What comes to mind when you think of
wireless Web surfing? It may not be security, or lack of it. There are
nearly 30,000 public wireless "hot spots" in the United States at
places such as parks and cafes, but there's more to consider than just
where to log on. The convenience comes with a caveat.

"Understand that the information you're sending is very similar to
standing up here in the park and shouting out all the information --
would I normally do that?" said Richard Rushing, a wireless expert
with security firm Air Defense who visited an Atlanta park to show
security vulnerabilities.

Rushing is considered an "ethical hacker" and works with companies to
strengthen their wireless networks. He said many people don't realize
they could have all their personal data stolen while checking out
their checking account.

"It's great to be able to sit somewhere and work without having any
wires attached, no nothing attached, but you have that risk that it
comes back to," Rushing said.

At the park, Rushing was able to log onto an unsecured hotel wireless
signal in a matter of seconds. To illustrate how vulnerable such
networks can be, Rushing then sent an e-mail and intercepted the
entire contents of the message. He could've done the same thing to any
of the dozens of people sitting nearby in the park.

"At any point in time, I can reach out and touch everyone's laptop at
the hot spot, and there's usually not any way of preventing that --
from me touching and looking at other people's stuff at the hot spot
itself," Rushing said.

He also demonstrated a growing concern called "evil twins" -- fake
wireless hot spots that look like the real thing.

For example, he said, a hacker could be sitting around the corner
sending out a wireless signal. It may look like a legitimate one, even
offering people a chance to sign up for service. But if you log on,
the hacker then would have complete access to your machine.

He said anybody with some tech know-how and the right tools can break
into the basic level of wireless security that's commonly used. There
are even how-to video instructions online.

Rushing said people need to imagine that nothing is truly private at a
wireless hot spot.

"A lot of the time you really want to stay away from doing certain
things at the hot spot that you would normally not do if you knew
somebody would be watching," he said.

Nevertheless, Rushing doesn't discourage using wireless. He tells
people to be aware of what they're sending and the potential for
theft. In other words, it's a good chance to read the baseball scores,
but even if you're sitting by yourself, it doesn't mean you are all
alone.

There may be no wires attached, but the convenience still comes with
strings.

========= end of excerpt ===========

Best regards,
Mark.


Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,

e-mail: Mark.Bernard@private
Web: http://www.TechSecure.ca
Phone: (506) 325-0444


Leadership Quotes by Kenneth Blanchard: "The key to successful
leadership today is influence, not authority."






This archive was generated by hypermail 2.1.3 : Tue Jun 21 2005 - 23:50:24 PDT