[ISN] Renderman to the rescue

From: InfoSec News (isn@private)
Date: Tue Dec 20 2005 - 22:35:59 PST


December 20, 2005

Wireless computing has exploded in popularity over the last two years.  
But as a local former hacker and security consultant explains,
convenience comes at a price. The Sun's four-day computer security
series looks at wardriving.

Renderman throws the van's wheel left and pulls onto Jasper Avenue,
where the clear night is punctuated by neon. A laptop illuminates the
van's darkened cab, spitting out a stream of coloured letters, numbers
and names.

To Renderman, they're so telling they might as well be the video
screen at New York's fabled Times Square.

"If I wanted to create havoc, I could just drive down the street
knocking down network after network," he says with a tinge of despair.  
"Can you imagine the kind of problems that would cause on Jasper
Avenue, with all these offices?"


A Las Vegas magazine once described Renderman as "infamous,'' which he
admits was flattering. He's only famous to other hackers. Infamous
implies that Renderman is a household name, something he spent years
scrupulously avoiding. Now he's made it a mission to put the other
side of the story out there: hackers aren't bad guys. Some are just

"Oh yeah, I could do some serious damage. That's the thing - I'm of
enough moral fibre that I don't," he says.

These days, he's working hard on turning his talents into a career as
a security consultant. He has converted the van so that two antennas
on the roof will pick up signals from computer network wireless access
points at a distance, while another on the machine itself searches for
the same on a vertical plane. The software is doing a heck of a job -
more than 5,000 logged in under three hours.

Of those, fully 45% have no protection on them at all. The people who
bought them, Renderman notes, were probably duped by the misconception
that a wireless router is a good way to protect your computer system.  
In fact, it's just a convenient entry and interception point for a
"wardriver," a hacker gone mobile, unless it's encrypted. And even
then ...

But we'll get to that in a minute. For now, Renderman is taking time
out at a stop light to gaze around at the neon.

"What scares the crap out of me is the possibility of going downtown,
sitting in a parkade for eight hours and having a server in the trunk,
grabbing whatever connection it can, firing off a million addresses,
and when it's done that, seeing what else is out there and firing off
another million. The whole drive-by spamming thing is a very real

There are points when the exercise becomes downright scary. The
machine logs unprotected or poorly protected access points at a major
car dealership, the debit and credit card line at a major grocery
store chain, a law office, numerous government offices and just about
every hotel room downtown. There are even a couple that register as
being 20 metres away, when the only building 20 metres from the Impark
pay lot in which we're situated is a police station.

The easiest and most common thefts associated with wardriving are from
intercepting e-mail transmissions, although a sophisticated hacker
could also use them to run a "shell'' program allowing control of the
remote terminal.

Occasionally, he points to one of the names scrolling by, each
attached by its owner to a particular wireless router. "Lousy security
- wake up," says one. "Someone's got in there already and had a little
fun," he notes.


He's having fun too, but Renderman is also exasperated. "The trick
with all of this is that people don't think about it. They get the
wireless set up, they think 'oh yeah, we're high tech now,' and they
don't think to themselves 'why are we doing this? Do we have a need
for a wireless network?' "

Five years ago, there were fewer than 100 wireless access points in
the city. The advent of cheap wireless routers and the explosion of
laptop use has changed that dramatically. There are now upwards of
20,000 and few of them take protection very seriously, despite
Edmonton being a city full of corporate and government offices.

One of Render's favourite cruising spots is at the University of
Alberta, where students and some of the faculties routinely have
routers that haven't even been renamed. Each shows up either as
"default" or as brand names like "Linksys."

He points out that the university's internal network is
well-protected. But there's nothing protecting wireless users in the
point between their laptop and the connection hub.

"The university has this whole captive portal set up so that you have
to have a valid account to log in before it will let you out to the
rest of the Internet," he says. "That's fine. I was playing between
the space between the client and the access point. I didn't record any
of the passwords or anything.

"I just piped them all to the Linux (operating system) recycle bin.

"I was sitting there sipping on a cup of Tim Hortons coffee, looking
at my laptop and all those students are sitting there just wide open,
and all it takes is one computer science student who gets an idea in
his head to make a whole bunch of people's lives difficult."

In the years that he's honed his craft, Renderman has spent as much or
more time warning people about poor security as trying to compromise
it. We pass one connection for someone named "The Black Pearl.'' It's
not only ghosted so that few can see it, it's also encrypted with
WPA2, a much tougher new standard, and with other security Kismet
doesn't recognize.

He figures an encrypted wireless hub is kind of like having a car
alarm: it doesn't really make you safe, but it might make the thief
pick an easier target.

- - -

Of course, toughness is relative. Some people think actor Russell
Crowe is a tough guy. But he'd be dogmeat to a mixed martial arts
expert. Thus it is with encryption: from the day it's issued, there
are tough guys out there trying to break it down. A year ago, WEP - or
Wired Equivalency Privacy, the frequently unused encryption that comes
with some routers - was still aptly named. Then some hacker figured
out that all you had to do was intercept enough data to see a
repeating number sequence, which in all likelihood is the encryption
key to the wireless router.


A few miles away from Jasper, Leonard Rogers teaches a class of NAIT
students to intercept "packets" - the small, separate pieces of data
transferred between networked computers. Wireless computers are a
hacker's dream, because the packets are transmitted through thin air,
which means anyone can grab them legally, as long as they don't open

"I did a WEP test yesterday and it basically took me no time at all to
get through it. I managed it seven times in a row and I think the best
time was four minutes and 27 seconds," he says. "And most home users
don't even bother to set it up, that's the scary part."

The fact that Rogers is an expert isn't really the point. Freely
available software on the Internet known by the nickname "warez'' does
most of the work. One such program not only captures packets, it opens
them, separates content into categories for easy reading and generally
inserts encryption lines into the "header" - the form at the top of
the window.

Another disguises itself as an open wireless hub, then connects itself
with the real one it's imitating. When a computer user connects, he's
really connecting to the hacker's laptop, which can then grab anything
the hacker wants before allowing the packets of data to continue on to
the hub.

The only difference, in the end, is that Rogers can crack WEP a little
faster than most; hackers interviewed by the Sun required more than
100,000 packets on average and took between six and eight minutes to
do what Rogers did in four.

"The truth is, the tools are out there and readily available to
perform any kind of attack," he says. "The truth is we've developed an
entire generation of computer users who understand what they can do
but not how they work. We didn't develop a moral code behind it.

"We've taught our kids that computers are a tool that can be used, but
we haven't necessarily taught them what they should and shouldn't be
used for, so it's often open to interpretation."

And they don't really have to be good at hacking, because time is on
their side: anyone using WEP alone is unlikely to be paying enough
attention to catch them anyway.

- - -

Nervous yet? You probably shouldn't be. Being vulnerable still doesn't
make being hacked likely. And even if an average home user's hub is
accessed, most of the time it will just be by someone using it for
their own Internet connection.

Wireless networks at companies are another matter. When he's not
working as Renderman, Brad Haines offers his services up as a security
consultant to local firms who risk losing sensitive personal data. As
we drive by a car dealership, his laptop goes into overdrive, spitting
out a series of red and yellow lines of text indicating an unencrypted

"If I'm a customer there, I don't even want to know that," he says.  
"Can you imagine the information they're transmitting? Credit reports,
card numbers, bank transactions."

Hackers and wardrivers generally have two motivating factors: money
and challenge. The former is the domain of professionals and, as
Rogers puts it, "they're so good, you'd never even know they were
there. These are people who spend weeks researching a target and
knowing everything they can about it before the attack. They get in,
they get out, and no one's the wiser."

The rest is usually the domain of disgruntled teenagers. Renderman,
however, is a different cup of tea, and is quick to note that many
older hackers graduate from kiddie pranks to trying to teach others.

He gained some prominence a few years ago when the Canadian Security
and Intelligence Service put out a press release warning the public of
Renderman's "wardriving.'' But to understand the guy, you need to know
just a few things: one, he can pick a regular lock with regular
tumblers in about 12 seconds. Two, he's recognizable by his trademark
black fedora and, on more formal occasions, his zoot suits.

He explains the former: "You know the kid who's always taking things
apart? Well, I was always generally able to take them apart and put
them back together in working order. And sometimes I could make them
better. It's the challenge that makes you curious. A lock is a barrier
to get past."

He just smiles at the suggestion that perhaps the getup is his
superhero suit: just as Superman is recognizable by his red cape and
that stylized "S,'' Renderman can be picked out in a crowd by his
fedora, usually fighting for his own quirky perspectives on truth,
justice and the Internet way.

That doesn't mean he's become mainstream, far from it. He has found
security consulting tougher than expected, because moral convictions
get in the way of his ability to work with some large companies.


He's also the first to defend some hackers' actions that companies and
authorities deem offensive. A police car rolls by as we sit and
monitor the laptop, and the driver peers into our car to see what
we're up to.

"That's always a bit nervewracking because you're never sure if you're
going to get some overzealous guy who doesn't know it isn't illegal as
long as you don't try to read the signals you intercept," he notes.

I tell him of a conversation with a police Internet fraud specialist
who described hackers and wardrivers as "sociopaths," people with
remorse or empathy.

"Is it sociopathic to be curious? No. That's what this is all about.  
People think they've designed something that is secure for the public,
and some people enjoy the challenge of testing it. Anything beyond
that is up to the maturity of the individual."

TOMORROW: A futurist and an industry leader look at where computer
security is heading in the next year and the decades to come.

Earn your Master's degree in Information Security ONLINE
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.

This archive was generated by hypermail 2.1.3 : Tue Dec 20 2005 - 22:42:34 PST