RE: wireless woes ... Stats on WEP usage.

From: Matthew F. Caldwell (mattcat_private)
Date: Thu May 30 2002 - 13:33:05 PDT


    NetStumbler, Kismet and a couple of other tools.
     
    Matt
    
    	-----Original Message----- 
    	From: sanjayat_private [mailto:sanjayat_private] 
    	Sent: Thu 5/30/2002 4:18 PM 
    	To: Matthew F. Caldwell 
    	Cc: vuln-devat_private 
    	Subject: RE: wireless woes ... Stats on WEP usage.
    	
    	
    
    	What software did you use to collect the data? 
    
    		Sanjay K. Patel 
    		Rexwire Inc 
    		They Hack We Protect ™ 
    
    
    
    
    	-----Original Message----- 
    	From: Matthew F. Caldwell [mailto:mattcat_private]
    	Sent: Thursday, May 30, 2002 11:54 AM 
    	To: Ron DuFresne; Andy Wood 
    	Cc: vuln-devat_private 
    	Subject: RE: wireless woes ... Stats on WEP usage. 
    
    
    	
    
    	    While conducting an aerial (yes FLY-BY hacking) wireless audit for a client, the following information was gleaned. I thought the statistics were nice to give a good perspective in a metropolitan area. The reason for flying was, well, RF at high frequencies "line of sight" rules. This flight was conducted around 3000ft MSL with a 15db Gain Antenna mounted on the wing, and a Lucent gold card.
    
    	     382 Access Points total Detected 
    
    	     191 Access Points had default SSIDs (linksys, default, etc.)
    
    	       92 Access Points had WEP 
    
    	      To sum up, only 24% had WEP and 50 percent had default SSIDs, which means they more than likely have default passwords etc.
    
    	
    
    	        -----Original Message----- 
    	        From: Ron DuFresne [mailto:dufresneat_private]
    	        Sent: Thu 5/30/2002 2:28 AM 
    	        To: Andy Wood 
    	        Cc: vuln-devat_private; firewallsat_private 
    	        Subject: RE: wireless woes in the triangle and beyond! 
    	        
    	        
    
    
    	        Interesting question.  I did a google browse, got page after page of info
    	        on all the different wireless offerings various Disney sites are using
    	        about the globe, so far have found no info on their 'security' measures.
    	        Though I did see in the mix that FedEx and various other players are
    	        doing this.  But, it is interesting, that since 9/11 so many companies are
    	        playing the wireless game, and so many of those are playing it in the most
    	        insecure manner possible, that those terrorists, the sleepers and others
    	        jumping ship in our harbours, only need a laptop and cheap tools to add on
    	        to get quite a bit of information to do their nasty work.  It's
    	        interesting how many folks soon having to face HIPAA have glaring holes in
    	        their wireless realm.  How did CCR put it, I see a bad moon arisin, I see
    	        trouble on the way...
    	        
    	        I have not done a full investigation, but, I'm betting there are folks
    	        that have mapped the Disney setup east and west coast.  I'd be interested
    	        if others locate URLs on their setup from those mapping projects underway
    	        and completed.
    	        
    	        I'm additionally interested in getting information about documentation of 
    	        various vendor devices relating to how to secure their equipment, folks
    	        can contact me offlist if they are willing to share what they have. 
    	        
    	        
    	        Thanks, 
    	        
    	        Ron DuFresne 
    	        
    	        
    	        On Wed, 29 May 2002, Andy Wood wrote: 
    	        
    	        >       A question that might help is: Has anyone taken a look @ Disney? 
    	        > That can go either way, but Disney uses wireless EXTENSIVELY!  Maybe 
    	        > they have this solved, maybe not….I'm several hundred miles away and not 
    	        > interested in a packet pilgrimage. 
    	        > 
    	        > Andy 
    	        > 
    	        > -----Original Message----- 
    	        > From: Ron DuFresne [mailto:dufresneat_private]
    	        > Sent: Tuesday, May 28, 2002 10:40 PM 
    	        > To: firewallsat_private 
    	        > Cc: vuln-devat_private 
    	        > Subject: wireless woes in the triangle and beyond! 
    	        > 
    	        > 
    	        > 
    	        > 
    	        >                   There Are No More Secrets 
    	        > 
    	        >                       Ron DuFresne <c> 2002 
    	        > 
    	        > A few weeks ago Best Buy was embarrassed throughout the country with the 
    	        > finding that it was using POS <point of sales> cash registers that 
    	        > worked with wireless technology to cash various customers out when 
    	        > making purchases.  What was so humiliating for them was the discovery 
    	        > that these POS systems had been installed and implemented without any
    	        > sense of security.  There was no encryption enabled with these devices 
    	        > so they transmitted customer information via the airwaves to anyone that 
    	        > wished to capture it with the various techniques many people are now 
    	        > employing to "map" wireless networks and security issues.  This customer 
    	        > information included credit card information.  Nasty hackers could 
    	        > indeed use this information for various fraudulent activities.  This
    	        > breach of customer privacy was deemed serious enough when it became 
    	        > highly visualized via the vuln-dev mailing list, maintained by Blue 
    	        > Boar, off securityfocus.com. The flurry of correspondence on this list 
    	        > resulted in the media picking up the information and running with it 
    	        > also. 
    	        > 
    	        > http://www.msnbc.com/news/746380.asp
    	        > 
    	        > This ended up by prompting Best Buy to make changes to the cashiering 
    	        > systems as was noted in their response to one of the list's posters that
    	        > apparently made direct contact with Best Buy management: 
    	        > 
    	        > 
    	        > 
    	        > Thank you for contacting Best Buy's corporate headquarters 
    	        > with your concerns.  Regarding this issue, Best Buy has deactivated our 
    	        > temporary wireless cash registers that transmit information via LAN 
    	        > connections. These registers are not Best Buy's main register terminals 
    	        > and represent a small percentage of the transactions processed within 
    	        > our stores.  Please be assured that customer privacy is of the utmost 
    	        > importance to Best Buy and we will further investigate this matter. 
    	        > 
    	        > We do appreciate your taking the time to share your concerns with us. 
    	        > 
    	        > Respectfully, 
    	        > Alex Reynolds 
    	        > Contact Center Escalations 
    	        > Best Buy Enterprise Customer Care 
    	        > 
    	        > 
    	        > 
    	        > Now, it had been suggested in the vuln-dev mailing list that Best Buy 
    	        > was a single example, and just the tip of the iceberg, as anyone looking 
    	        > into the issues of wireless implementations and issues via their own
    	        > sniffing and the various wireless mapping projects across the US have
    	        > laid bare. 
    	        > 
    	        > 
    	        > http://sysinfo.com/wire1.html
    	        > 
    	        > 
    	        > The above paper cites some wireless mapping work in the NC Research 
    	        > Triangle Park area by local resident Alan Clegg, with direct links to 
    	        > his mapping efforts.  Recently Mr. Clegg contacted this author via 
    	        > e-mail concerning another thread in the firewalls security mailing list 
    	        > hosted by gnac.net, on another wireless related topic, to let us know 
    	        > that in the RTP area, he had mapped both Petsmart and CVS Pharmacies 
    	        > using wireless technologies without any encryption enabled.  Which starts
    	        > to expose more of the proposed iceberg syndrome to light.  Granted, WEP,
    	        > Wired Equivalent Privacy, is not the best, it can be broken, but, it
    	        > takes far more effort than clear text flowing through the airwaves
    	        > available to anyone with a few hundred dollars worth of equipment to
    	        > pick it up like one might grab police calls with a scanner.  If wireless
    	        > is going to be used, it should at least function in the most secure
    	        > manner available, anything less demonstrates not only a lack of
    	        > understanding, but, in cases like these a complete failure of corporate
    	        > institutions to take even minimal care with the private information of
    	        > their customers.  Petsmart, following along the heels of the
    	        > embarrassment and humiliation of Best Buy in letting credit card
    	        > information flow freely into the airwaves is bad enough, but, CVS
    	        > Pharmacies, soon to be tasked with HIPAA <Health Insurance Portability
    	        > and Accountability Act> compliance early next Spring demonstrates at the 
    	        > best careless indifference to those they are serving.  The Standards for 
    	        > Privacy of Individually Identifiable Health Information are designed to 
    	        > help guarantee privacy and confidentiality of patient medical and 
    	        > insurance information.  Those who miss the deadline for compliance face 
    	        > steep fines and Federal criminal penalties.  The glaring exposure of 
    	        > customer information by companies and health related organizations like 
    	        > CVS Pharmacies is a glaring deficiency and total disregard of very 
    	        > sensitive customer information.  And yet the iceberg of such negligence 
    	        > in wireless rollouts is still but a shadow of the issue of private and 
    	        > financial information leakage many are suffering already, without much
    	        > awareness of the fact. 
    	        > 
    	        > 
    	        > http://www.symbol.com/news/pressreleases/pr_foodndrug_cvs.html
    	        > 
    	        > 
    	        > The various vendors marketing wireless toys are not blameless either. 
    	        > In fact a large burden of the blame for leakage of information and the 
    	        > vulnerable systems being pushed into place by companies like Best Buy 
    	        > and Petsmart, as well as CVS and others relates to how they distribute 
    	        > their wares.  They do so with the most insecure "plug and pray" 
    	        > configurations possible, most often with documentation about how to try 
    	        > and secure these toys buried deep in their distribution media.  Until
    	        > vendors take some sense of responsibility and force their customers to
    	        > shoot themselves in the foot, rather than pushing out products that are
    	        > configured in a manner whence their customers are shot in the head from 
    	        > the point of installation, we will continue to have some very 
    	        > exploitable setups by the less clued network folks these vendors are 
    	        > making their money from. 
    	        > 
    	        > 
    	        > 
    	        > Additionally see, note the terms 'opt' when they document configuration 
    	        > issues at the site, as well as targeted customer categories listed, then 
    	        > wonder where *your* private information might be leaking from: 
    	        > 
    	        > 
    	        > http://www.symbol.com/products/wireless/wireless_sp24_11mbps.html
    	        > 
    	        > 
    	        > ... 
    	        > AP 41X1 Access Point Series 
    	        > 
    	        >  It's known as the intelligent access point. Built beyond defined 
    	        > standards, the AP 41X1 integrates features only possible from  the 
    	        > wireless engineering experts at Symbol. Advanced algorithms  prioritize 
    	        > data, voice and multimedia transmission for uninterrupted,  quality 
    	        > service. An embedded HTTP server allows administrators to use any  Web 
    	        > browser to monitor performance, change configuration, and run 
    	        > diagnostics on any AP 41X1 from anywhere on the network. Antenna options 
    	        > provide maximum range and throughput to support application 
    	        > requirements with coverage up to 300 ft./90 m indoors and 1500 ft./460 m 
    	        > outdoors and will support up to 256 clients as well as Simple Network 
    	        > Management Protocol (SNMP). 
    	        > 
    	        > ... 
    	        >  WEP Encryption for High-Speed Security Wired Equivalent Privacy (WEP) 
    	        > encryption combined with access control lists and domain identification 
    	        > features provide powerful user authentication and data encryption and 
    	        > decryption capabilities for data security. Wireless clients may also 
    	        > opt to use 128-bit encryption keys and the RC4 algorithm to further 
    	        > encrypt the wireless portion of data transmission. ... 
    	        > 
    	        > 
    	        >     Retail
    	        >     Healthcare
    	        >     Hospitality
    	        >     Education and Corporate Training
    	        >     Manufacturing
    	        >     Government
    	        >     More Flexible Office and Public Space Environments
    	        > 
    	        > 
    	        > 
    	        > 
    	        > 
    	        >       Thanks; 
    	        > 
    	        >               To Alan Clegg for the mapping info and heads up to these 
    	        >               sites, as well as their wireless vendors. 
    	        > 
    	        > 
    	        > -- 
    	        > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    	        >         admin & senior security consultant:  sysinfo.com 
    	        >                         http://sysinfo.com
    	        > 
    	        > "Cutting the space budget really restores my faith in humanity.  It 
    	        > eliminates dreams, goals, and ideals and lets us get straight to the 
    	        > business of hate, debauchery, and self-annihilation." 
    	        >                 -- Johnny Hart 
    	        > 
    	        > testing, only testing, and damn good at it too! 
    	        
    	        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    	        "Cutting the space budget really restores my faith in humanity.  It 
    	        eliminates dreams, goals, and ideals and lets us get straight to the 
    	        business of hate, debauchery, and self-annihilation." -- Johnny Hart 
    	                ***testing, only testing, and damn good at it too!*** 
    	        
    	        OK, so you're a Ph.D.  Just don't touch anything. 
    	        
    	        
    
    
    



    This archive was generated by hypermail 2b30 : Thu May 30 2002 - 15:17:51 PDT