wireless woes in the triangle and beyond!

From: Ron DuFresne (dufresneat_private)
Date: Tue May 28 2002 - 19:39:58 PDT


    		    There Are No More Secrets
    
    			Ron DuFresne <c> 2002
    
    A few weeks ago Best Buy was embarrassed throughout the country with the
    finding that it was using POS <point of sales> cash registers that worked
    with wireless technology to cash various customers out when making
    purchases.  What was so humiliating for them was the discovery that these
    POS systems had been installed and implemented without any sense of
    security.  There was no encryption enabled with these devices so they
    transmitted customer information via the airwaves to anyone that wished to
    capture it with the various techniques many people are now employing to
    "map" wireless networks and security issues.  This customer information
    included credit card information.  Nasty hackers could indeed use this
    information for various fraudulent activities.  This breach of customer
    privacy was deemed serious enough when it became highly visualized via the
    vuln-dev mailing list, maintained by Blue Boar, off securityfocus.com.
    The flurry of correspondence on this list resulted in the media picking up
    the information and running with it also.
    
    http://www.msnbc.com/news/746380.asp
    
    This ended up by prompting Best Buy to make changes to the cashiering
    systems as was noted in their response to one of the list's posters that
    apparently made direct contact with Best Buy management:
    
    
    
    Thank you for contacting Best Buy's corporate headquarters
    with your concerns.  Regarding this issue, Best Buy has
    deactivated our temporary wireless cash registers that
    transmit information via LAN connections.
    These registers are not Best Buy's main register terminals
    and represent a small percentage of the transactions
    processed within our stores.  Please be assured that
    customer privacy is of the utmost importance to Best Buy and
    we will further investigate this matter.
    
    We do appreciate your taking the time to share your concerns
    with us.
    
    Respectfully,
    Alex Reynolds
    Contact Center Escalations
    Best Buy Enterprise Customer Care
    
    
    
    Now, it had been suggested in the vuln-dev mailing list that Best Buy was
    a single example, and just the tip of the iceberg, as anyone looking into
    the issues of wireless implementations and issues via their own sniffing
    and the various wireless mapping projects across the US have laid bare.
    
    
    http://sysinfo.com/wire1.html
    
    
    The above paper cites some wireless mapping work in the NC Research
    Triangle Park area by local resident Alan Clegg, with direct links to his
    mapping efforts.  Recently Mr. Clegg contacted this author via e-mail
    concerning another thread in the firewalls security mailing list hosted by
    gnac.net, on another wireless related topic, to let us know that in the
    RTP area, he had mapped both Petsmart and CVS Pharmacies using wireless
    technologies without any encryption enabled.  Which starts to expose more of
    the proposed iceberg syndrome to light.  Granted, WEP, Wired Equivalent
    Privacy, is not the best, it can be broken, but, it takes far more effort
    than clear text flowing through the airwaves available to anyone with a
    few hundred dollars worth of equipment to pick it up like one might grab
    police calls with a scanner.  If wireless is going to be used, it should
    at least function in the most secure manner available, anything less
    demonstrates not only a lack of understanding, but, in cases like these a
    complete failure of corporate institutions to take even minimal care with
    the private information of their customers.  Petsmart, following along the
    heels of the embarrassment and humiliation of Best Buy in letting credit
    card information flow freely into the airwaves is bad enough, but, CVS
    Pharmacies, soon to be tasked with HIPAA <Health Insurance Portability
    and Accountability Act> compliance early next Spring demonstrates at the
    best careless indifference to those they are serving.  The Standards for
    Privacy of Individually Identifiable Health Information are designed to
    help guarantee privacy and confidentiality of patient medical and
    insurance information.  Those who miss the deadline for compliance face
    steep fines and Federal criminal penalties.  The glaring exposure of
    customer information by companies and health related organizations like
    CVS Pharmacies is a glaring deficiency and total disregard of very
    sensitive customer information.  And yet the iceberg of such negligence
    in wireless rollouts is still but a shadow of the issue of private and
    financial information leakage many are suffering already, without much
    awareness of the fact.
    
    
    http://www.symbol.com/news/pressreleases/pr_foodndrug_cvs.html
    
    
    The various vendors marketing wireless toys are not blameless either.  In
    fact a large burden of the blame for leakage of information and the
    vulnerable systems being pushed into place by companies like Best Buy and
    Petsmart, as well as CVS and others relates to how they distribute their
    wares.  They do so with the most insecure "plug and pray" configurations
    possible, most often with documentation about how to try and secure these
    toys buried deep in their distribution media.  Until vendors take some
    sense of responsibility and force their customers to shoot themselves in
    the foot, rather than pushing out products that are configured in a manner
    whence their customers are shot in the head from the point of
    installation, we will continue to have some very exploitable setups by the
    less clued network folks these vendors are making their money from.
    
    
    
    Additionally see, note the terms 'opt' when they document configuration
    issues at the site, as well as targeted customer categories listed, then
    wonder where *your* private information might be leaking from:
    
    
    http://www.symbol.com/products/wireless/wireless_sp24_11mbps.html
    
    
    ...
    AP 41X1 Access Point Series
    
     It's known as the intelligent access point. Built beyond defined
     standards, the AP 41X1 integrates features only possible from
     the wireless engineering experts at Symbol. Advanced algorithms
     prioritize data, voice and multimedia transmission for uninterrupted,
     quality service. An embedded HTTP server allows administrators to use any
     Web browser to monitor performance, change configuration, and run
     diagnostics on any AP 41X1 from anywhere on the network. Antenna options
     provide maximum range and throughput to support application
     requirements with coverage up to 300 ft./90 m indoors and 1500 ft./460 m
     outdoors and will support up to 256 clients as well as Simple Network
     Management Protocol (SNMP).
    
    ...
     WEP Encryption for High-Speed Security Wired Equivalent Privacy (WEP)
     encryption combined with access control lists and domain identification
     features provide powerful user authentication and data encryption and
     decryption capabilities for data security. Wireless clients may also
     opt to use 128-bit encryption keys and the RC4 algorithm to further
     encrypt the wireless portion of data transmission.
    ...
    
    
    		    Retail
    
    
                        Healthcare
    
    
                        Hospitality
    
    
                        Education and Corporate Training
    
    
                        Manufacturing
    
    
                        Government
    
    
                        More Flexible Office and Public Space Environments
    
    
    
    
    
    	Thanks;
    
    		To Alan Clegg for the mapping info and heads up to these
    		sites, as well as their wireless vendors.
    
    
    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior security consultant:  sysinfo.com
                            http://sysinfo.com
    
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    
    testing, only testing, and damn good at it too!
    


