http://www.edmontonsun.com/News/Special/2005/12/20/1361070-sun.html

By JEREMY LOOME
EDMONTON SUN
December 20, 2005

Wireless computing has exploded in popularity over the last two years. But as a local former hacker and security consultant explains, convenience comes at a price. The Sun's four-day computer security series looks at wardriving.

Renderman throws the van's wheel left and pulls onto Jasper Avenue, where the clear night is punctuated by neon.

A laptop illuminates the van's darkened cab, spitting out a stream of coloured letters, numbers and names. To Renderman, they're so telling they might as well be the video screen at New York's fabled Times Square.

"If I wanted to create havoc, I could just drive down the street knocking down network after network," he says with a tinge of despair. "Can you imagine the kind of problems that would cause on Jasper Avenue, with all these offices?"

HE WAS FLATTERED

A Las Vegas magazine once described Renderman as "infamous," which he admits was flattering. He's only famous to other hackers. Infamous implies that Renderman is a household name, something he spent years scrupulously avoiding.

Now he's made it a mission to put the other side of the story out there: hackers aren't bad guys. Some are just curious.

"Oh yeah, I could do some serious damage. That's the thing - I'm of enough moral fibre that I don't," he says.

These days, he's working hard on turning his talents into a career as a security consultant. He has converted the van so that two antennas on the roof will pick up signals from computer network wireless access points at a distance, while another on the machine itself searches for the same on a vertical plane.

The software is doing a heck of a job - more than 5,000 logged in under three hours. Of those, fully 45% have no protection on them at all.

The people who bought them, Renderman notes, were probably duped by the misconception that a wireless router is a good way to protect your computer system.
In fact, it's just a convenient entry and interception point for a "wardriver," a hacker gone mobile, unless it's encrypted. And even then ...

But we'll get to that in a minute. For now, Renderman is taking time out at a stop light to gaze around at the neon.

"What scares the crap out of me is the possibility of going downtown, sitting in a parkade for eight hours and having a server in the trunk, grabbing whatever connection it can, firing off a million addresses, and when it's done that, seeing what else is out there and firing off another million. The whole drive-by spamming thing is a very real possibility."

There are points when the exercise becomes downright scary. The machine logs unprotected or poorly protected access points at a major car dealership, the debit and credit card line at a major grocery store chain, a law office, numerous government offices and just about every hotel room downtown.

There are even a couple that register as being 20 metres away, when the only building 20 metres from the Impark pay lot in which we're situated is a police station.

The easiest and most common thefts associated with wardriving are from intercepting e-mail transmissions, although a sophisticated hacker could also use them to run a "shell" program allowing control of the remote terminal.

Occasionally, he points to one of the names scrolling by, each attached by its owner to a particular wireless router.

"Lousy security - wake up," says one. "Someone's got in there already and had a little fun," he notes.

EXASPERATED

He's having fun too, but Renderman is also exasperated.

"The trick with all of this is that people don't think about it. They get the wireless set up, they think 'oh yeah, we're high tech now,' and they don't think to themselves 'why are we doing this? Do we have a need for a wireless network?' "

Five years ago, there were fewer than 100 wireless access points in the city.
The advent of cheap wireless routers and the explosion of laptop use has changed that dramatically. There are now upwards of 20,000 and few of them take protection very seriously, despite Edmonton being a city full of corporate and government offices.

One of Render's favourite cruising spots is at the University of Alberta, where students and some of the faculties routinely have routers that haven't even been renamed. Each shows up either as "default" or as brand names like "Linksys."

He points out that the university's internal network is well-protected. But there's nothing protecting wireless users in the point between their laptop and the connection hub.

"The university has this whole captive portal set up so that you have to have a valid account to log in before it will let you out to the rest of the Internet," he says. "That's fine. I was playing between the space between the client and the access point. I didn't record any of the passwords or anything.

"I just piped them all to the Linux (operating system) recycle bin.

"I was sitting there sipping on a cup of Tim Hortons coffee, looking at my laptop and all those students are sitting there just wide open, and all it takes is one computer science student who gets an idea in his head to make a whole bunch of people's lives difficult."

In the years that he's honed his craft, Renderman has spent as much or more time warning people about poor security as trying to compromise it.

We pass one connection for someone named "The Black Pearl." It's not only ghosted so that few can see it, it's also encrypted with WPA2, a much tougher new standard, and with other security Kismet doesn't recognize.

He figures an encrypted wireless hub is kind of like having a car alarm: it doesn't really make you safe, but it might make the thief pick an easier target.

- - -

Of course, toughness is relative. Some people think actor Russell Crowe is a tough guy. But he'd be dogmeat to a mixed martial arts expert.
Thus it is with encryption: from the day it's issued, there are tough guys out there trying to break it down.

A year ago, WEP - or Wired Equivalent Privacy, the frequently unused encryption that comes with some routers - was still aptly named. Then some hacker figured out that all you had to do was intercept enough data to see a repeating number sequence, which in all likelihood is the encryption key to the wireless router.

A HACKER'S DREAM

A few miles away from Jasper, Leonard Rogers teaches a class of NAIT students to intercept "packets" - the small, separate pieces of data transferred between networked computers.

Wireless computers are a hacker's dream, because the packets are transmitted through thin air, which means anyone can grab them legally, as long as they don't open them.

"I did a WEP test yesterday and it basically took me no time at all to get through it. I managed it seven times in a row and I think the best time was four minutes and 27 seconds," he says. "And most home users don't even bother to set it up, that's the scary part."

The fact that Rogers is an expert isn't really the point. Freely available software on the Internet known by the nickname "warez" does most of the work.

One such program not only captures packets, it opens them, separates content into categories for easy reading and generally inserts encryption lines into the "header" - the form at the top of the window.

Another disguises itself as an open wireless hub, then connects itself with the real one it's imitating. When a computer user connects, he's really connecting to the hacker's laptop, which can then grab anything the hacker wants before allowing the packets of data to continue on to the hub.

The only difference, in the end, is that Rogers can crack WEP a little faster than most; hackers interviewed by the Sun required more than 100,000 packets on average and took between six and eight minutes to do what Rogers did in four.

"The truth is, the tools are out there and readily available to perform any kind of attack," he says. "The truth is we've developed an entire generation of computer users who understand what they can do but not how they work. We didn't develop a moral code behind it.

"We've taught our kids that computers are a tool that can be used, but we haven't necessarily taught them what they should and shouldn't be used for, so it's often open to interpretation."

And they don't really have to be good at hacking, because time is on their side: anyone using WEP alone is unlikely to be paying enough attention to catch them anyway.

- - -

Nervous yet? You probably shouldn't be. Being vulnerable still doesn't make being hacked likely. And even if an average home user's hub is accessed, most of the time it will just be by someone using it for their own Internet connection.

Wireless networks at companies are another matter. When he's not working as Renderman, Brad Haines offers his services up as a security consultant to local firms who risk losing sensitive personal data.

As we drive by a car dealership, his laptop goes into overdrive, spitting out a series of red and yellow lines of text indicating an unencrypted network.

"If I'm a customer there, I don't even want to know that," he says. "Can you imagine the information they're transmitting? Credit reports, card numbers, bank transactions."

Hackers and wardrivers generally have two motivating factors: money and challenge. The former is the domain of professionals and, as Rogers puts it, "they're so good, you'd never even know they were there. These are people who spend weeks researching a target and knowing everything they can about it before the attack. They get in, they get out, and no one's the wiser."

The rest is usually the domain of disgruntled teenagers. Renderman, however, is a different cup of tea, and is quick to note that many older hackers graduate from kiddie pranks to trying to teach others.
He gained some prominence a few years ago when the Canadian Security and Intelligence Service put out a press release warning the public of Renderman's "wardriving."

But to understand the guy, you need to know just a few things: one, he can pick a regular lock with regular tumblers in about 12 seconds. Two, he's recognizable by his trademark black fedora and, on more formal occasions, his zoot suits.

He explains the former: "You know the kid who's always taking things apart? Well, I was always generally able to take them apart and put them back together in working order. And sometimes I could make them better. It's the challenge that makes you curious. A lock is a barrier to get past."

He just smiles at the suggestion that perhaps the getup is his superhero suit: just as Superman is recognizable by his red cape and that stylized "S," Renderman can be picked out in a crowd by his fedora, usually fighting for his own quirky perspectives on truth, justice and the Internet way.

That doesn't mean he's become mainstream, far from it. He has found security consulting tougher than expected, because moral convictions get in the way of his ability to work with some large companies.

A POLICE CAR ROLLS BY

He's also the first to defend some hackers' actions that companies and authorities deem offensive.

A police car rolls by as we sit and monitor the laptop, and the driver peers into our car to see what we're up to.

"That's always a bit nerve-wracking because you're never sure if you're going to get some overzealous guy who doesn't know it isn't illegal as long as you don't try to read the signals you intercept," he notes.

I tell him of a conversation with a police Internet fraud specialist who described hackers and wardrivers as "sociopaths," people with remorse or empathy.

"Is it sociopathic to be curious? No. That's what this is all about. People think they've designed something that is secure for the public, and some people enjoy the challenge of testing it.
Anything beyond that is up to the maturity of the individual."

TOMORROW: A futurist and an industry leader look at where computer security is heading in the next year and the decades to come.