'Evil Twin' Threat to Wireless Security
BarryNorton writes "The BBC are currently reporting on research from Cranfield University on the ability of unscrupulous third parties to spoof wireless networking clients into believing they are connected to a 'valid base station' and compromising their passwords for Internet banking etc. Of course the rest of the connection through the Internet, even from a trusted router, is insecure in any case and such sites should be using end-to-end security like SSL. Is there, therefore, anything (other than the cute name 'evil twin') to this story?"
Yes (Score:3, Insightful)
Yes. If they control the gateway they now have the capability to perform a man-in-the-middle attack.
Re:Yes (Score:3, Informative)
Re:Yes (Score:2)
Re:Yes (Score:2)
Re:Yes (Score:3)
Re:Yes (Score:2)
Setup a fake DNS, and I'm in.
Re:Yes (Score:2)
Re:Yes (Score:2)
Re:Yes (Score:3, Insightful)
Comment removed (Score:5, Informative)
Assuming only validated certificate authorities... (Score:2)
How would I go about that? Connection refused - there is a router encryption problem - click here
This will install the certificate authority, "Wireless Router". No, it's not a sure bet, but there's a good chance it would work.
Social engineering so often plays an important role in computer at
Oh yes it is (Score:2)
Nothing prevents you from asking the original target for its cert and replaying that answer to the victim. They start the conversation and you finish it as you wish. Just intercept their logoff and you can do what you wish and they think they logged out. W
Re: (Score:3, Informative)
Javascript. (Score:2)
Internet Explorer (one of the most popular browsers) treats the option to "warn when going to a secure site" as the same as "warn when leaving a secure site".
How many people have disabled the warnings?
Worse: could a hijacker/phisher create a non-secure page and use javascript to overlay the "secure lock" logo on the relevant parts of the browser window? And erm, draw the necessary "windows/dialogs" to help the user check the certs?
Most people start with http://.../ inst
Re: (Score:2)
Re:Oh yes it is (Score:2)
Your computer asks the Evil Access Point (EAP) to validate the cert, the attacker transmits that request directly to the bankofslashdot.com. A certified session is created. But not just with your computer. It's done thru the EAP, to the outside world that EAP is you. Your password, your data is all going into a file encry
Re: (Score:2)
Re:Oh yes it is (Score:2)
Much harder than simply using malware to install a key logger and getting data that way. But now you are talking about exploiting the local OS through user carelessness and have bypassed the subject of a rogue wireless access point and the related subject of end-to-end SSL security. You are now saying can I hack the person's box and install malware to get data, which is way off topic since it no longer has any bearing whether they are usi
Comment removed (Score:5, Informative)
Re:Yes (Score:2, Informative)
Re:Yes (Score:4, Informative)
Well, the idea is the following:
The product of two primes has exactly the same information as the two primes themselves (there's exactly one way to factorize a number into primes). However while going from the two primes to the product is trivial (just multiply them), doing the reverse is actually hard.
Now RSA relies on a reversible transformation, where for encryption, you just can use the product directly, but for decryption you need the two primes separately. So if you send someone the product, he can easily encrypt a message with that key, but he cannot decrypt even the message he just encrypted, because to do so he would need to factorize the product, which is hard.
So essentially the public key in principle contains all the information to decrypt (otherwise it could not be used for encryption), but in a form where it is practically useless for decryption (because you just can't get at the necessary information in reasonable time).
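A worked version of the two posts above (the "Re:Yes (Score:4, Informative)" explanation of why the product of two primes is useless for decryption, and the "Re:Oh yes it is" claim that an evil access point can read a session by relaying the bank's certificate request). This is an added example, not code from any poster or from the BBC/Cranfield research. It is textbook RSA with tiny, made-up primes and no padding, purely to show the mechanics; the `relay_or_substitute` function, its key values and the message are constructed for illustration.

```python
"""Toy RSA: the public modulus n = p*q carries the primes, but not in a usable form,
and a man-in-the-middle must SUBSTITUTE a public key, not merely relay it, to read traffic.
Constructed example with tiny primes and no padding; never use this for real data."""
from math import gcd, isqrt


def keygen(p, q, e=17):
    """Build (public, private) from two primes. The private exponent d needs
    phi = (p-1)(q-1), which you only know if you hold p and q separately."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)


def decrypt(c, priv):
    n, d = priv
    return pow(c, d, n)


def factor_trial(n):
    """The 'hard direction': trial division is instant for a toy modulus and
    hopeless for a real one, which is the whole security argument."""
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    return None


def relay_or_substitute(m, server_pub, server_priv, middle_pub=None, middle_priv=None):
    """Simulate the evil access point in the path.
    Returns (what the middle learns, what the real server decrypts).
    Relaying the genuine key: the middle sees ciphertext only.
    Substituting its own key (and the client accepting it): the middle decrypts,
    re-encrypts to the real server, and both ends see a normal session."""
    if middle_pub is None:
        c = encrypt(m, server_pub)               # client encrypts to the genuine key
        return None, decrypt(c, server_priv)     # middle forwarded c, learned nothing
    c_to_middle = encrypt(m, middle_pub)         # client was handed the middle's key
    plaintext = decrypt(c_to_middle, middle_priv)
    c_to_server = encrypt(plaintext, server_pub)  # middle re-encrypts to the real server
    return plaintext, decrypt(c_to_server, server_priv)


if __name__ == "__main__":
    bank_pub, bank_priv = keygen(61, 53, 17)     # constructed 'bank' key, n = 3233
    evil_pub, evil_priv = keygen(101, 113, 3)    # constructed evil-AP key
    print("relay only:", relay_or_substitute(65, bank_pub, bank_priv))
    print("substitute:", relay_or_substitute(65, bank_pub, bank_priv, evil_pub, evil_priv))
    print("factoring 3233 by hand:", factor_trial(3233))
```

Relaying the genuine public key leaves the middle with nothing but ciphertext; it only reads plaintext when it hands the client its own key, which is exactly the substitution a certificate check against a trusted CA is meant to catch, and why the thread keeps coming back to whether the user will click through a bogus certificate or install a bogus CA.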
Re:Yes, BUT (Score:2)
crime ring would go to Verisign for their signed authority? If the CA is included in the browser, the DNS cache poisoned, and the URL spoofed, how would the end-user know any difference?
Re:Yes, BUT (Score:2)
It's great that you could get caught. (And it's debatable in such a case, because how do you track down which of the Starbucks you connected to a "T-Mobile" WAP at was the spoofed one?) But the person's already had access to your bank account, and possibly your computer (if you download any executables), so you've already lost.
Best thing to do is to not sign up for any wireless service in public at all (registering for T-mobile
Re:Yes (Score:2)
A couple of things here. 1) it would be trivial to buy one of those 10,000 extra stupid TLDs out there and really buy a cert for that domain. So for the bankofslashdot.org example, one could buy bankofslashdot.com or bankofshalsdot.info or
Comment removed (Score:4, Informative)
Re:Yes (Score:2)
Re:Yes (Score:5, Funny)
Re:Yes (Score:2)
Re:Yes (Score:2, Flamebait)
Anyone who thinks SSL is secure needs to get their learn-on.
Re:Yes (Score:2)
Once your box is rooted the CA trust could be messed with, but rooted is rooted. Game over. Same for if
Re:Yes (Score:2)
It makes my job so much easier.
Re:Yes (Score:5, Insightful)
Open web browser (usually defaults to google or MSN).
418 Connection Refused; Your <link...>router is having an encryption problem. Click <link...>router for more information.
User clicks on link, which installs Certificate Authority (with the requisite warnings). Seems simple to most users. There's an error about Wireless Encryption - and it wants to install a certificate. Since the user wasn't trying to hit a secure site at the time, it doesn't seem as immediately suspicious.
No, the "one percent"ers around here know the diff between a Cert and a C.A. But the other 99% don't. Hopefully, by the time they hit their online banking - they will have forgotten about the previous "router issue".
As usual, a small shaking of social engineering into a technical issue can turn a seemingly trivial security issue into a very real security issue.
Re:Yes (Score:2)
Re:Yes (Score:2)
Which is... (Score:2)
Be careful (Score:5, Insightful)
Re:Be careful (Score:3, Interesting)
Seriously, anytime there is a man-in-the-middle, you have the potential of a man-in-the-middle attack. Imagine if you will a surveillance of an individual suspected of being involved in some nefarious political scheme. The individual is known to frequent his local Starbucks in the morning to have a cup of coffee and check his email, stocks, personal chat room
Re:Be careful (Score:2)
Actually, this isn't necessarily true, either.
One of the methods I've read for breaking into someone's network is to spoof the AP and boost the signal strength so the wireless device lands on your "evil" AP instead of the owner's AP. Then, it can route traffic *back* to the user's AP, thus ensuring they have no idea that there's a "man in the middle."
Once in the middle, you get all sorts of opportunities to sniff data.
And sure... while it
Re:Be careful (Score:3, Informative)
Yes, but I think that Windows XP, when looking for a WAP, is pretty indiscriminate. I seem to remember setting up a Linksys wireless router for a friend, changing all the defaults, using the encryption keys. Then one day when his laptop couldn't find the network, it just went to the next available network, an insecure WAP that was his neighbour's.
Re:Be careful (Score:3, Interesting)
It turns out one of our neighbours is running a totally unsecured wireless system, we can access their wireless router setup page and because they haven't bothered changing the password can muck about with it as much as we like.
Re: (Score:2)
Re:Be careful (Score:2)
If it's a secure network, I imagine that it'd be a little harder. My system not only matches the network name but also the key to connect to my router. The name would be easy to spoof, but the key would be a little harder. If the key doesn't match, then I can't connect anyways.
On the other hand, I can't t
Re: (Score:2)
Re:Be careful (Score:2)
Most people just click on the scan, pick a network and start working - especially when using a laptop. Of course the spoofer would not be using WEP. This is a combination of phishing with man in the middle.
The man in the middle is defeated by simple SSL authentication. However the phishing part of it, can replace the original website with something else (like forwarding to goatse
Airjack (Score:5, Interesting)
All you need
SSL? (Score:2)
Re:SSL? (Score:2)
Re:SSL? (Score:2)
I've been wondering how hard it would be to get a cert (from Verisign) for something like "securebank.com" (where bank is the name of the bank you want to hijack) and use that certificate instead....
I know you would then have actually given Verisign a name and address to go with the Cert... but by the time anyone figured it out you would be out of the country (or maybe you could even spoof these somehow).
I don't know anyone that would take a close enough look at t
Easy (Score:2)
Re:Easy (Score:2)
Friedmud
Re:SSL? (Score:2)
The only danger here is if someone has a for pay account with a wi-fi service, and he/she surrenders their password to a phony logon screen.
All other encryption doesn't trust the data path, or any steps in between, farther than they can throw them. This is no different than a hostile party controlling a router or having a promiscuous connection to a switch.
Chase.com insecurity.. (Score:2)
Take a look at the homepage of Chase:
http://www.chase.com/
They put a "secure" login on the page. Just look at the little lock there. Just like people are taught to look for.
The problem with this page is that it's not secure... A man-in-the-middle attacker could easily replace this page and where the login form goes to.
I've already complained to Chase about this many times, yet they don't believe that this is a securit
Seems improbable in practice (Score:2, Interesting)
But I suppose key sites you want to capture are all that are required and the rest can be passed through.
So who wants to get one of these going
Expected? (Score:3, Interesting)
Seriously, the only time this problem is going to be fixed is when it's EASY to perform encryption. Where's the easy support for GPG in email clients? SSL in web browsers was certainly a step in the right direction, but what about IM services, email, ftp? Most hosting companies (afaik) don't provide for secure ftp...
For this, you don't want GPG support ... (Score:2)
Such as, say, secure POP and secure IMAP which the major mail clients have all supported for years, and which most mail servers now support out of the box, but which, for some reason, most ISPs don't make the default (or occasionally, don't even make possible)
GPG defends against J. unethical sysadmin at your mailhost reading the content of your email; while it would provide a prot
Re:Expected? (Score:2)
The point is, there's always the point where you just have to say "I trust this" or "I trust those". It's relatively easy if you meet someone in person to give the key (but even then only if you already know them, or again have an independent means of identifyin
Re:Expected? (Score:2)
If you're just worried about having your conversation sniffed over a local wireless network, most Jabber servers support SSL between client and server. Since all communications, including those which go via transports to MSN etc. users, go over this link, it's a good way of securing all your IM.
End to End Security (Score:2)
Of course, only time will tell how much of a problem it turns out to be. It's always hard to tell which security threats are going to turn into really big security problems.
Phil
Re:End to End Security (Score:2)
Everything else you touched on is a problem regardless of how you connect to the net. A hostile party could easily obtain this information, and more, with a copy of tcpdump and a promiscuous wifi card.
Re:End to End Security (Score:2)
Email interception (Score:5, Interesting)
Re:Email interception (Score:2)
Re:Email interception (Score:3, Informative)
If your ISP does not provide it, get a better ISP.
Mind you, explaining this to my parents would be a long and fruitless exercise.
Details??? (Score:3, Interesting)
Also it would seem to me that the "evil twin" method would only work with unsecured access points, unless you know the WEP key for the secured access point you are trying to dupe. Anyone trying to connect to their favorite secured AP with their default WEP key would fail to connect to an "evil twin" unless it had the matching WEP key...
Re:Details??? (Score:3, Informative)
Re: (Score:2)
WEP's easily breakable... (Score:2)
WPA's potentially better in that it changes the WEP key every so often with the handshaked parties to make it dramatically more difficult to obtain the WEP key- but there's still a risk that the WPA key can be broken or sniffed out of the whole mix.
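The three posts on keys ("Re:Be careful" on the key having to match, "Details???" on the evil twin failing without the WEP key, and "WEP's easily breakable..." on WPA rotating keys but still being attackable) are worth seeing in working code. This is an added example, not code from any poster: it implements the WPA2-PSK key derivation and the EAPOL-Key MIC from 802.11i (PBKDF2-HMAC-SHA1 for the PMK, PRF-384 for the PTK, HMAC-SHA1 truncated to 16 bytes for the MIC, key descriptor version 2). The SSID, MAC addresses, nonces, frame bytes, passphrase and wordlist are all constructed; capturing and parsing a real handshake is not shown.

```python
"""Added example: WPA2-PSK key derivation and the 4-way-handshake MIC check.
Shows why an evil twin that lacks the passphrase cannot finish the handshake for a
protected SSID, and why a sniffed handshake still permits an offline dictionary attack.
Every value below (SSID, MACs, nonces, frame bytes, passphrase, wordlist) is constructed."""
import hashlib
import hmac
from typing import Iterable, Optional

SSID = "CoffeeShop"                    # constructed network name
AA = bytes.fromhex("001122334455")     # authenticator (AP) MAC, constructed
SPA = bytes.fromhex("66778899aabb")    # supplicant (client) MAC, constructed
ANONCE = bytes(range(32))              # AP nonce from message 1, constructed
SNONCE = bytes(range(32, 64))          # client nonce from message 2, constructed
# Placeholder for EAPOL-Key message 3 with its 16-byte MIC field zeroed (constructed bytes).
MSG3 = b"\x02\x03\x00\x5f\x02\x13\xca\x00\x10" + bytes(86)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces)).
    Bytes 0..15 are the KCK, the key that authenticates the handshake messages."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame_with_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = first 16 bytes of HMAC-SHA1(KCK, frame)."""
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


def mic_for(passphrase: str) -> bytes:
    """The MIC a station holding this passphrase would put in MSG3 of the constructed handshake."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, MSG3)


def client_accepts(client_passphrase: str, received_mic: bytes) -> bool:
    """Supplicant side: message 3 is honoured only if its MIC verifies under the client's own KCK.
    An AP that does not know the passphrase cannot produce it."""
    return hmac.compare_digest(mic_for(client_passphrase), received_mic)


def crack_handshake(received_mic: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline attack: whoever sniffed AA, SPA, both nonces and one MIC can test guesses
    without touching the network again; one PBKDF2 per guess is the only cost."""
    for guess in wordlist:
        if hmac.compare_digest(mic_for(guess), received_mic):
            return guess
    return None


if __name__ == "__main__":
    genuine = mic_for("correct horse")
    print("client accepts real AP:  ", client_accepts("correct horse", genuine))
    print("client accepts evil twin:", client_accepts("correct horse", mic_for("i-dont-know-it")))
    print("offline guess:", crack_handshake(genuine, ["password", "letmein", "correct horse"]))
```

A client that holds the PSK rejects message 3 from an AP that does not, so an evil twin cannot pose as a WPA2-PSK network whose passphrase it lacks. It can still advertise an open network with the same name and wait for a client configured to join whatever is available, and, as the WPA post says, the same four values plus one MIC let anyone who sniffed the handshake test guesses offline, so a weak or widely shared hotspot passphrase buys little.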
It's been said before (Score:3, Interesting)
This article misses the point.... (Score:4, Insightful)
Re:This article misses the point.... (Score:2)
Even if their browser denied them access to a site if the certificate didn't check out, they would complain that THE INTARAWEB IS BROKED!!
Maybe once enough of them have their life savings stolen, the stupid gene will die out?
Just use ssh or a VPN (Score:2)
I do this with commercial hotspots, free hotspots, wireless at hotels, conferences, etc. - not to mention wired connections at any network which isn't my own.
Virtual Private Network (Score:2, Interesting)
Re:Virtual Private Network (Score:2)
Heard this on BBC World Update this morning (Score:5, Informative)
The interviewee seemed to be doing his best to simplify the concepts involved, but it sounded as if he were focused on the problem of the initial authentication. For example, the User goes to a public place like a cafe that has a pay-as-you-go model, e.g. he pays a certain amount per minute; such places often require a credit card to initiate the session. (Some business centers in hotels work this way for Internet access.)
If the user sits down at WiFi-R-Us to check his mail, he will have to enter a credit card number. However, there might be a 'rogue' WAP in the area configured to look legitimate, e.g. Wi-Fi-Are-Us, complete with ripped HTML, etc. to make the authentication page look legitimate. (See 'Phishing 101'). The user then enters his information on what he thinks is the proper authentication server.
It's an interesting issue, and I was glad to see it getting some broad[er] exposure.
Re:Heard this on BBC World Update this morning (Score:3, Interesting)
So the phisher has an account to the wireless network and internet access, and you're paying for it. The phisher then has lots of bandwidth and information to do various other illegal things, with your money and your liability carrying the can for them.
Re:Heard this on BBC World Update this morning (Score:2)
I'm teaching a computer class this year... (Score:2)
Most people have come to trust brand names. Research shows, as does personal experience with my 3-year-old, that children in the US develop brand recognition at an early age, and associate Nike or, [shudder] Microsoft, with quality. It is of little wonder that when they see a hotspot wit
Re:I'm teaching a computer class this year... (Score:3, Interesting)
It is not unreasonable to base trust on a brand name. That is indeed the purpose of the brand: otherwise we would have to sort through bins of goods and analyze them carefully with each and every purchase. Which we do sometimes (with fruit), but not with everything. We just don't have time for that and in purchases over the internet, it is impossible. Collective opinion (including websites) is often the basis for this trust. The only thing you can ask of people is that they ask around sufficiently before fo
Re:I'm teaching a computer class this year... (Score:2)
Routers (Score:2, Informative)
The technique used in the art
Jamming and re-forwarding (Score:2)
Happy root kit downloading (Score:2)
Re:Happy root kit downloading (Score:2)
If you see him requesting the MD5 hash, just send the one of your modified file instead.
Re:Happy root kit downloading (Score:2)
Vee Pee Endpoint. (Score:2)
SoupIsGood Food
Linux bad guys (Score:2, Funny)
Guy sits down, opens his laptop, starts a Microsoft OS, opens IE and calls up his bank's homepage.
Other guy comes in, sits down, opens his laptop. He's running Linux!
Really, Linux on a BBC news piece, wow!
But then he starts evil twinning the Microsoft guy's wifi link. He's the Linux bad guy.
Nice one BBC.
Here are a few workarounds (Score:2)
Here are a few ideas:
1. An easy way to prevent this is to have your Access Point assign you a strange IP address. That way if you normally get 192.168.1.251... and you end up with 192.168.1.1... you have an idea something is wrong.
A simple way to get a clue.
2. Another way to do this is a bit more complex. If you have another computer or file server at home, set up a webserver. Make sure this system is wired. Set your computer's h
Re:Here are a few workarounds (Score:2)
Here's how it's done (Score:2)
Set up a regular access point [hrp.com].
Install a web server like NoCat [nocat.net].
Substitute the NoCat splash page with a copy of the T-Mobile (or whatever) login page. You can use wget [gnu.org] to grab this.
From there you use a plain old cgi script to pipe the userID, password, credit card number, etc. into a text file.
What a load of fud (Score:2)
Now I can see how this might apply to a corporate network with a gov
Re:What a load of fud (Score:2)
Perfect security is perfect paranoia. Perfect paranoia is perfect security. If it's not worth being paranoid about, it's not worth securing.
And no, you don't want to secure everything. Part of what allowed the British to crack the Enigma machine was the fact that the Germans used it for everything, including weather reports and repetitive status updates.
If someone is really interested in my google searches, bully for them. If I whip out the credit card, you bet I use one with no other transaction
Now hold the phone... (Score:3, Funny)
I prefer the term "Imposter Gateway." (Cough)
Practical tips for a linux user? (Score:2)
I know XP users seem to have it worse--from reading the comments to this story, XP seems to associate with *any* available access point automatically... eep!
If my machine can't contact its AP, the interface is not brought up and I am safe. If the real signal from my AP is jammed, and an attacker spoofs it, then I am still reasonably safe because my machine will try to use a WEP key which the attacker wil
cat intercepted-passwords.txt (Score:3, Funny)
Easy to fool the unsuspecting. (Score:2)
In
To your firewall rules, add:
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -d 66.35.250.150 -j REDIRECT
Setup a local DNS, using internet DNS for all names except those already in hosts
Add an apache entry like
<VirtualHost *:80>
    ServerName slashdot.org
</VirtualHost>
Whammo, all connections going to slashdot get redirected to the local machine. The local machine serves out
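The "Here are a few workarounds" post earlier suggests noticing an unexpected address assignment, and the post above shows how a rogue gateway redirects a site to a local box with one NAT rule and a DNS entry. This is an added example, not code from either poster: a client-side sanity check that compares the current network against a baseline the user recorded on the trusted network (gateway address and MAC, own address range, and what a canary hostname resolves to), so both the odd-address clue and the local redirect show up. The baseline values and the `ip route` / `ip neigh` style output and resolver answers are all constructed.

```python
"""Added example: a cheap client-side check against a rogue gateway or local DNS/NAT redirect.
Compares the current network with a baseline recorded on the trusted network.
All baseline values, command output and resolver answers below are constructed."""
import ipaddress
import re

# Recorded once on the known-good network (constructed values).
BASELINE = {
    "gateway_ip": "192.168.1.254",
    "gateway_mac": "00:11:22:33:44:55",
    "client_subnet": "192.168.1.0/24",
    "canary": ("slashdot.org", "66.35.250.150"),  # hostname and the address it normally resolves to
}

# Output in the style of `ip route` / `ip neigh` captured on a suspect hotspot (constructed).
SUSPECT_ROUTE = ("default via 192.168.0.1 dev wlan0 proto dhcp\n"
                 "192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.23")
SUSPECT_NEIGH = "192.168.0.1 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE"
SUSPECT_DNS = {"slashdot.org": "192.168.0.1"}    # the resolver now answers with the gateway itself

# The same data as it looks on the trusted network (constructed).
GOOD_ROUTE = ("default via 192.168.1.254 dev wlan0 proto dhcp\n"
              "192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.251")
GOOD_NEIGH = "192.168.1.254 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE"
GOOD_DNS = {"slashdot.org": "66.35.250.150"}


def parse_route(text):
    """Return (default gateway, own source address) from `ip route` style output."""
    gateway = source = None
    for line in text.splitlines():
        m = re.match(r"default via (\S+)", line)
        if m:
            gateway = m.group(1)
        m = re.search(r"\bsrc (\S+)", line)
        if m:
            source = m.group(1)
    return gateway, source


def parse_neigh(text, ip):
    """Return the MAC the neighbour table holds for `ip`, lower-cased, or None."""
    for line in text.splitlines():
        m = re.match(rf"{re.escape(ip)} dev \S+ lladdr (\S+)", line)
        if m:
            return m.group(1).lower()
    return None


def check(baseline, route_text, neigh_text, resolved):
    """Compare the live network with the baseline; return a list of human-readable findings.
    An empty list means nothing looked off (which is not the same as 'safe')."""
    findings = []
    gateway, source = parse_route(route_text)
    if gateway != baseline["gateway_ip"]:
        findings.append(f"gateway is {gateway}, expected {baseline['gateway_ip']}")
    if source is None or ipaddress.ip_address(source) not in ipaddress.ip_network(baseline["client_subnet"]):
        findings.append(f"own address {source} is outside {baseline['client_subnet']}")
    mac = parse_neigh(neigh_text, gateway) if gateway else None
    if mac != baseline["gateway_mac"]:
        findings.append(f"gateway MAC is {mac}, expected {baseline['gateway_mac']}")
    host, expected = baseline["canary"]
    got = resolved.get(host)
    if got != expected:
        findings.append(f"{host} resolves to {got}, expected {expected}")
    if got and (ipaddress.ip_address(got).is_private or got == gateway):
        findings.append(f"{host} resolves to a local address ({got}): likely DNS or NAT redirect")
    return findings


if __name__ == "__main__":
    print("trusted network:", check(BASELINE, GOOD_ROUTE, GOOD_NEIGH, GOOD_DNS))
    for f in check(BASELINE, SUSPECT_ROUTE, SUSPECT_NEIGH, SUSPECT_DNS):
        print("suspect network:", f)
```

This is a tripwire, not authentication: a twin that clones the real gateway's address and MAC and forwards traffic onward (as described in the "Be careful" reply) passes every check here, and the canary only catches a redirect of that one name. It does catch the lazy setups the thread describes, and it costs nothing to run before typing a password.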
Re:Easy to fool the unsuspecting. (Score:2)
Pointed it to a local server, which just served up the corporate logo.
It seems maybe only one or two people noticed... Maybe it shows how much people surf at my office or actually notice ads.
Maybe I should have served up "Meeting at 2PM" and other announcements...
I wonder what the legal implications are if a company voluntarily hijacks ads on its network. Or an individual does the same on his/
Access Points with teeth (Score:2, Interesting)
Not a good idea. (Score:2)
People who live in glasshouses shouldn't throw stones (or "bad packets"). With wireless networking, it's really a glasshouse in more ways than one.
If you depend on wireless networking that much, you definitely shouldn't be throwing bad packets around. The person you are DoSing may not need wireless networking as much as you do. An eye for an eye and the whole world goes blind and all that.
Good luck finding proof that it's an Evil AP.
Plus I'm not sure how clear the laws in variou
Re:Bandwagon (Score:2)
Although there may be some truth to this. After all, smart people are working to combat virii, spyware, etc. But I have never heard of a smart person making a law
Re:The real threat... (Score:2, Insightful)