'Evil Twin' Threat to Wireless Security

BarryNorton writes "The BBC are currently reporting on research from Cranfield University on the ability of unscrupulous third parties to spoof wireless networking clients into believing they are connected to a 'valid base station' and compromising their passwords for Internet banking etc. Of course the rest of the connection through the Internet, even from a trusted router, is insecure in any case and such sites should be using end-to-end security like SSL. Is there, therefore, anything (other than the cute name 'evil twin') to this story?"

Yes

[lachlan76]

Is there, therefore, anything (other than the cute name 'evil twin') to this story?

Yes. If they control the gateway they now have the capability to perform a man-in-the-middle attack.

Re:Yes

[keesh]

...which you can do if you own any popular router anyway, which is why SSL includes various things that make man in the middle ineffective.

Re:Yes

[lachlan76]

Could you elaborate? Why is it not feasible to negotiate a session at the router, and one to the site, and re-encrypt the data at the gateway?

Re:Yes

[quigonn]

It is feasible, but that's exactly what server certificates are for, as they are pretty hard to spoof.

Re:Yes

[lachlan76]

Because no-one has ever managed to get legit certificates in the name of a major company? Right?!

Re:Yes

[lachlan76]

No, the social engineering attack only makes the man-in-the-middle attack more feasible. It means I (the attacker) now has a valid cert in the name of the bank.

Setup a fake DNS, and I'm in.

Re:Yes

[irc.goatse.cx troll]

Maybe if its the first time logging into the bank, otherwise your new cert won't match against the old bank cert, and I won't login. Some might, but they'd probably login if you just removed the SSL entirely.

Re:Yes

[lachlan76]

Quite a few would log in because they have a certificate signed by Verisign/Thawte/whoever saying that it is their bank.

Re:Yes

[Delirium Tremens]

It is actually easy once you also spoof the DNS servers -- which is a piece of cake when you already own the gateway and the DHCP server.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Assuming only validated certificate authorities...

[Allen Zadr]

Right, so you would have to take the additional step of getting the user to install the router's own certificate authority key. If the user does this, then the router can sign it's own keys in the name of anybody.

How would I go about that? Connection refused - there is a router encryption problem - click here
This will install the certificate authority, "Wireless Router". No, it's not a sure bet, but there's a good chance it would work.

Social engineering so often plays an important role in computer at

Oh yes it is

[infonography]

If your doing a MitM attack, your routing certs from the whereever you say. Your fake DNS jives with the real DNS, meaning you route victums to x.x.x.x and they pass thru z.z.z.z Your not just fooling the user and his/her computer your fooling the cert.

Nothing prevents you from asking the original target for it's cert and replaying that answer to the victim. They start the conversation and you finish it as you wish. Just intercept their logoff and your can do what you wish and they think they logged out. W

Re:

[account_deleted]

Comment removed based on user account deletion

Javascript.

[TheLink]

There's are a few problems though.

Internet Explorer (one of the most popular browsers) treats the option to "warn when going to a secure site" as the same as "warn when leaving a secure site".

How many people have disabled the warnings?

Worse: could a hijacker/phisher create a non-secure page and use javascript to overlay the "secure lock" logo on the relevant parts of the browser window? And erm, draw the necessary "windows/dialogs" to help the user check the certs?

Most people start with http://.../ inst

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Oh yes it is

[infonography]

Perhaps your missing the point here as well. Your context is wrong. The attacker has all your traffic from start to finish. To both sides the attack is coming from inside the transmission.

Your computer asks the Evil Access Point (EAP) to validate the cert, the attacker transmits that request directly to the bankofslashdot.com. A certified session is created. But not just with your computer. It's done thru the EAP, to the outside world that EAP is you. Your password, your data is all going into a file encry

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Oh yes it is

[HrothgarReborn]

Heck, how hard would it be for malware to add a certificate authority?

Much harder than simply using malware to install a key logger and getting data that way. But now you are talking about exploiting the local OS through user carelessness and have bypassed the subject of a rouge wireless access point and the related subject of end to end SSL security. You are now saying can I hack the persons box and install malware to get data, which is way off topic since it no longer has any bearing wether they are usi

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Yes

[mjs]

I don't think SSL uses RSA for encryption exactly: it uses RSA "encryption" to securely send a key from the server to the client; a symmetric key cipher (like Blowfish or AES) is then used to send the actual data back and forth. (Symmetric key ciphers are much faster than asymmetric ciphers.) i.e. public key cryptography is only used in the "negotiation" stage.

Re:Yes

[maxwell demon]

How does it work? Products of two very big prime numbers, don't ask me more than that 'cos I seriously don't know.

Well, the idea is the following:

The product of two primes has exactly the same information as the two primes themselves (there's exactly one way to factorize a number into primes). However while going from the two primes to the product is trivial (just multiply them), doing the reverse is actually hard.

Now RSA relies on a reversible transformation, where for encryption, you just can use the product directly, but for decryption you need the two primes separately. So if you send someone the product, he can easily encrypt a message with that key, but he cannot decrypt even the message he just encrypted, because to do so he would need to factorize the product, which is hard.

So essentially the public key in principle contains all the information to decrypt (otherwise it could not be used for encryption), but in a form where it is practically useless for decryption (because you just can't get at the necessary information in reasonable time).

Re:Yes, BUT

[quarkscat]

Isn't there a possibility that a well organized
crime ring would go to Verisign for their signed
authority? If the CA is included in the browser,
the DNS cache poisoned, and the URL spoofed, how
would the end-user know any difference?

Re:Yes, BUT

[ShakaUVM]

I had a long conversation about this topic with a friend of mine at Microsoft.

It's great that you could get caught. (And it's debatable in such a case, because how do you track town which of the Starbucks you connected to a "T-Mobile" WAP at was the spoofed one?) But the person's already had access to your bank account, and possibly your computer (if you download any executables), so you've already lost.

Best thing to do is to not sign up for any wireless service in public at all (registering for T-mobile

Re:Yes

[hackstraw]

A "man in the middle" would have a little bit of difficulty, as there's no way they could sign the session key they send to the client because that session key can only be signed if you have access to the private key, which they don't have.

A couple of things here. 1) it would be trivial to buy one of those 10,000 extra stupid TLDs out there and really buy a cert for that domain. So for the bankofslashdot.org example, one could buy bankofslashdot.com or bankofshalsdot.info or .biz, or any of the ones tha

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Yes

[jqh1]

The man in the middle can set up an http proxy, route all IP addresses to it, and present their own certificate. Sure, it won't be from the bank, and it may be difficult to come up with one that's signed by a trusted CA, but the little lock in the browser status bar will look the same... Then, they can happily decrypt all transmissions both ways and see what's going back and forth.

Re:Yes

[lachlan76]

If you check carefully, you'll find out that your password has been sniffed, your box 0wn3d, and you have actually been connecting to 127.0.0.1 ;)

Re:Yes

[wasabii]

Because your web browser will say "Alert the certificate is not valid!" That's hte point of SSL. Not just to encrypt, but to ensure the integrity of the entire connection between both end points. Private/public key... only the web server and web client have one. The guys in the middle don't.

Re:Yes

[scovetta]

How often do you look at the name in the SSL certificate for each page that you're on? Do you regularly review your CA trust configuration? SSL is *very* susceptible to MITM attacks. Are you also using a local DNS server or are you asking the router for the IP of "www.capital1.com"? Are you at least resolving the IP independently and verifying?

Anyone who thinks SSL is secure needs to get their learn-on.

Re:Yes

[hobo2k]

You a right about me needing to get my learn on, but what you say is contrary to what I thought I knew. The SSL cert is based on the domain name, right? The IP shouldn't matter because without physical possession of the CA issued certificate you can't pretend to be that domain. And the user doesn't need to always check that the server's cert matches the domain name because the browser will do that.

Once your box is rooted the CA trust could be messed with, but rooted is rooted. Game over. Same for if

Re:Yes

[Christopher Bibbs]

From my experience, you feed the user a dynamically generated certificate with your fake CA and the warning is that stupid "This certificate was issued by a an authority you do not trust" message. *EVERYONE* clicks 'ok'. No really, I haven't had a problem with it yet. Most of them report never even seeing the message. Some go so far as to install my fake CA so they never get the warning again.

It makes my job so much easier.

Re:Yes

[Allen Zadr]

Not even necessary...

Open web browser (usually defaults to google or MSN).
418 Connection Refused; Your <link...>router is having an encryption problem. Click <link...>router for more information.
User clicks on link, which installs Certificate Authority (with the requisite warnings). Seems simple to most users. There's an error about Wireless Encryption - and it wants to install a certificate. Since the user wasn't trying to hit a secure site at the time, it doesn't seem as immediately suspicious.

No, the "one percent"ers around here know the diff between a Cert and a C.A. But the other 99% don't. Hopefully, by the time they hit their online banking - they will have forgotten about the previous "router issue".

As usual, a small shaking of social engineering in a technical issue can turn a seemingly trivial security issue a very real security issue.

Re:Yes

[Delirium Tremens]

... until the DNS server or DHCP sever is compromised.

Re:Yes

[jellomizer]

Sure but this isn't nessarly like a man in the middle. Lets say you modify your Fake Accesspoint so it asks for WEP key like normal WiFi But when one is entered automaticlly start sending data on that key. So Now they have the WEP Key for the real access point on file, next you just route and record the traffic. You will not be seen as causing a Man in the Middle Attack just a router who seems to make a copy of every packet it routes and stores them. But if they want to get really fancy they could make

Which is...

[the_mighty_$]

For those that don't know, Wikipedia has a nice article explaining [wikipedia.org] man-in-the-middle attacks.

Be careful

[drivinghighway61]

So, in other words, be careful when you connect to an unfamiliar access point? Shouldn't people already be doing this? This is about the same parallel as "Don't take candy from strangers."

Re:Be careful

[It doesn't come easy]

Actually, ANY access point is risky unless you run it yourself (after all, it's a well known fact that all sys admins are voyeurs of the worse sort)

Seriously, anytime there is a man-in-the-middle, you have the potential of a man-in-the-middle attack. Imagine if you will a surveillance of an individual suspected of being involved in some nefarious political scheme. The individual is known to frequent his local Starbucks in the morning to have a cup of coffee and check his email, stocks, personal chat room

Re:Be careful

[Not_Wiggins]

Actually, ANY access point is risky unless you run it yourself

Actually, this isn't necessarily true, either.

One of the methods I've read for breaking into someone's network is to spoof the AP and boost the signal strength so the wireless device lands on your "evil" AP instead of the owners AP. Then, it can route traffic *back* to the user's AP, thus ensuring they have no idea that there's a "man in the middle."

Once in the middle, you get all sorts of opportunities to sniff data.

And sure... while it

Re:Be careful

[peter_gzowski]

Shouldn't people already be doing this?

Yes, but I think that Windows XP, when looking for a WAP, is pretty indiscriminant. I seem to remember setting up a linksys wireless router for a friend, changing all the defaults, using the encryption keys. Then one day when his laptop couldn't find the network, it just went to the next available network, an insecure WAP that was his neighbour's.

Re:Be careful

[CmdrGravy]

My Dad just bought a wireless kit for his Windows PC and laptop and a few days ago he noticed that even though he had turned off the base station a laptop he was repairing for someone was still somehow accessing the Internet.

It turns out one of our neighbours is running a totally unsecured wireless system, we can access their wireless router setup page and because they haven't bothered changing the password can muck about with it as much as we like.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Be careful

[borkus]

No, that's not the point at all. The point is that it's very easy to set up a WAP that looks like someone else's WAP, so they log into it without realizing they're logging into someone else's network.

If it's a secure network, I imagine that it'd be a little harder. My system not only matches the network name but also the key to connect to my router. The name would be easy to spoof, but the key would be a little harder. If the key doesn't match, then I can't connect anyways.

On the other hand, I can't t

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Be careful

[Gopal.V]

> So, in other words, be careful when you connect to an unfamiliar access point? Shouldn't people already be doing this?

Most people just click on the scan, pick a network and start working - especially when using a laptop. Of course the spoofer would not be using WEP. This is a combination of phishing with man in the middle.

The man in the middle is defeated by simple SSL authentication. However the phishing part of it, can replace the original website with something else (like forwarding to goatse

Airjack

[Megor1]

http://sourceforge.net/projects/airjack/

Alls you need

SSL?

[bendelo]

I imagine an SSL man-in-the-middle attack [sans.org] could also be quite effective (assuming their browser hasn't already seen the 'bank.com' certificate to know its changed.

Re:SSL?

[ColourlessGreenIdeas]

Assunming the bank isn't using a broken proprietary app, it doesn't matter whether the client has seen bank.com's cert before. If the returned cert isn't from bank.com or isn't signed by a trusted root (i.e. verisign etc) then a reasonably scary but quite incomprehensible warning dialog should appear. Some people will ignore it of course; it'd be interesting to know how many.

Re:SSL?

[friedmud]

"If the returned cert isn't from bank.com"

I've been wonering how hard it would be to get a cert (from verisign) for something like "securebank.com" (where bank is the name of the bank you want to hijack) and use that certificate instead....

I know you would then have actually given Verisign a name and address to go with the Cert... but by the time anyone figured it out you would be out of the country (or maybe you could even spoof these somehow).

I don't know anyone that would take a close enough look at t

Easy

[ColourlessGreenIdeas]

I have little faith in Verisign, so I assume that you could easily get the securebank.com cert. If they won't sell it, someone even more useless will. Maybe not for citibank, but certainly for an Your scheme has a minor hole in that you can't use DNS to do the redirect; it'll point to the securebank.com but the browser will still think it's bank.com, and so will expect a bank.com cert. The redirect you're expecting happens at the HTTP level, but the SSL handshake will happen first so they'll still see the w

Re:Easy

[friedmud]

That's why I said redirect you to a... page that redirects you (via javascript)... to the securebank.com. But you're right that a browser still might give a warning that you're being auto-redirected to an SSL site... but I think that would be browser dependent.

Friedmud

Re:SSL?

[EvilTwinSkippy]

You realize the SSL is specifically designed to twart man-in-the-middle attacks, don't you?

The only danger here is if someone has a for pay account with a wi-fi service, and he/she surrenders their password to a phony logon screen.

All other encryption doesn't trust the data path, or any steps in between, farther than they can throw them. This is no different than a hostile party controlling a router or having a promiscous connection to a switch.

Chase.com insecurity..

[slashkitty]

Yes, SSL is effect at this. However, many banks don't practice complete SSL security.

Take a look at the homepage of Chase:
http://www.chase.com/

The put a "secure" login on the page. Just look at the little lock there. Just like people are taught to look for.

The problem with this page is that it's not secure... A man-in-the-middle attacker could easily replace this page and where the login form goes to.

I've already complained to Chase about this many times, yet they don't believe that this is a securit

Seems improbable in practice

[wildBoar]

That was my first thought. To properly spoof all the sites so a user is fooled.

But I suppose key sites you want to capture are all that are required and the rest can be passed through.

So who wants to get one of these going :-)

Expected?

[Aurix]

You can never trust what you're connecting to... It's the age old problem, you're asking for anything you get without performing proper encryption between both links.

Seriously, the only time this problem is going to be fixed is when it's EASY to perform encryption. Where's the easy support for GPG in email clients? SSL in web browsers was certainly a step in the right direction, but what about IM services, email, ftp? Most hosting companies (afaik) don't provide for secure ftp...

For this, you don't want GPG support ...

[fizbin]

Instead, what you want to avoid this attack (unscrupulous network device in the middle) is SSL-enabled mail checking protocols.

Such as, say, secure POP and secure IMAP which the major mail clients have all supported for years, and which most mail servers now support out of the box, but which, for some reason, most ISPs don't make the default (or occasionally, don't even make possible)

GPG defends against J. unethical sysadmin at your mailhost reading the content of your email; while it would provide a prot

Re:Expected?

[maxwell demon]

Well, while encryption makes things a lot more secure, it actually doesn't completely solve the problem. It just reduces it to the problem of "how do I make sure that the certificate really belongs to the person/organization I believe it belongs to?"
The point is, there's always the point where you just have to say "I trust this" or "I trust those". It's relatively easy if you meet someone in person to give the key (but even then only if you already know them, or again have an independend means of identifyin

Re:Expected?

[alexpage]

Or use Jabber - Jabber supports OpenPGP which means you can use it with your existing GPG setup to securely communicate with other users, if you're talking to another Jabber user.

If you're just worried about having your conversation sniffed over a local wireless network, most Jabber servers support SSL between client and server. Since all communications, including those which go via transports to MSN etc. users, go over this link, it's a good way of securing all your IM.

End to End Security

[Phillip2]

This is a problem. While it would be nice to think that everyone used SSL or a VPN to encrypt all of their traffic it doesn't always happen. Many people for example, only use encryption when away from work. What's to stop someone setting up this sort of facilities within what people suppose to be a secure environment.

Of course, only time will tell how much of a problem it turns out to. It's always hard to tell which security threats are going to turn into really big security problems.

Phil

Re:End to End Security

[EvilTwinSkippy]

This doesn't cover SSL or VPN or any kind of uber wulu sophisticated attack. This is someone setting up a piece of equipment to steal poeple's logon to a wireless network.

Everything else you touched on is a problem regardless of how you connect to the net. A hostile party could easily obtain this information, and more, with a copy of tcpdump and a promiscuous wifi card.

Re:End to End Security

[spooky_nerd]

Exactly. This is why I run my own VPN server at home. If I want to get email when I'm using a public hot spot, I just VPN to my home server on comcast cable. Then I check mail using SSL. So I have an encrypted SSL connection tunneled inside an encrypted VPN connection. Now if only everyone else was as paranoid as I am.

Email interception

[rednip]

I think that Email Interception [wildid.com] is the real hole here, rather than depending on unsecure websites. If you can see at which sites a person does secure transactions, you can use the 'email password' functionality to send that user an unencrypted email containing the password or reset link. That email would be easily read by a packet sniffer. Of course the victim would have to have their email client get the email, but email is the first thing that most people check. Sure the victim would get the password reset email, but most would believe that it is just a glitch.

Re:Email interception

[lachlan76]

Another possibility is to spoof the email's from address, set a local DNS record to redirect the password-reset locally, and just get the user to give a probable password.

Re:Email interception

[EasyTarget]

SSL POP
If youur ISP does not provide it, get a better ISP.

Mind you, explaining this to my parents would be a long and fruitless excercise.

Details???

[CommanderData]

TFA has no info on how this is being done. Are the "Cybercriminals" using a regular computer with a wireless card and wired network bridged- forwarding packets and saving a copy for themselves, or are they using a WRT54G with rewritten firmware (OpenWRT? [openwrt.org]) and to capture packets? Why go through all the trouble when you can park your butt down in the coffee shop with your laptop and latte and sniff everyone directly.

Also it would seem to me that the "evil twin" method would only work with unsecured access points, unless you know the WEP key for the secured access point you are trying to dupe. Anyone trying to connect to their favorite secured AP with their default WEP key would fail to connect to an "evil twin" unless it had the matching WEP key...

Re:Details???

[armypuke]

Perhaps you should read WEP: Dead Again, Part 1 [securityfocus.com]. It compares various WEP cracking tools to see how fast they can crack WEP keys with varying amounts of packets. While the popular AirSnort [shmoo.com] usually needs over 10 million encrypted packets to crack a WEP key, aircrack [cr0.net] usually needs around 500,000. That's the difference between being able to gather enough packets in a day versus a week or more.

Re:

[account_deleted]

Comment removed based on user account deletion

WEP's easily breakable...

[Svartalf]

Tried it against my own AP. Nice, nifty little program called airsnort- within 4 hours or less you can have the million or so packets needed to crack pretty much any sized key for WEP.

WPA's potentially better in that it changes the WEP key every so often with the handshaked parties to make it dramatically more difficult to obtain the WEP key- but there's still a risk that the WPA key can be broken or sniffed out of the whole mix.

It's been said before

[Baorc]

and I'll say it again, the average person (not average slashdot person) wants things fast and easy. So anything requiring the least effort is the best route for them. And for some people, that is doing banking on a wireless connection without proper encryption. Of course, this is just one of the many problems that exist with doing online banking without taking precautions or cleaning your cookies afterwards. As long as these settings are not done by default for such interactions, there will always be some people to steal from. Quite easily too might I add.

Thist article misses the point....

[Ajmuller]

The security lapse isn't with bad software, it's with bad policy and hapless users. If you connect to a fraudlent base station, then you can intercept banking passwords even on with connections that use end-to-end encryption. Why, and why isn't this protected. Simple. If you connect to a website, even the most-secure site in the world using SSL. If there is something wrong with the SSL certificate you will be presented with a dialog asking you if you want to accept the certificate. 99% of people blindly click yes, because clicking no means that it "wont work" and clicking yes means it "will work". So to the average user there is no downside to clicking yes and a large downside to clicking no. Enough with the psychology though. Once you have clicked yes on this dialog the entire chain of communication is now suspect. You cannot be sure that there is not someone sniffing your connection. Even if you check the certificate and everything looks OK (Sane information in text fields) you still can't be sure that it's valid unless you compare the signature of the SSL certificate with a known-good one. So, the real danger here lies in unsigned SSL certificates and hapless users. This type of attack is just as easy to orchestrate (if not easier) by associating with any wireless access point and spoofing dns or even on a wired network.

Re:Thist article misses the point....

[cortana]

You can't fix stupidity with technology.

Even if their browser denied them access to a site if the certificate didn't check out, they would complain that THE INTARAWEB IS BROKED!!

Maybe once enough of them have their life savings stolen, the stupid gene will die out? :)

Just use ssh or a VPN

[Mordant]

to connect back to a trusted network (i.e., one under your own control) so that you do all your email, browsing, etc. from there, and you'll be fine.

I do this with commercial hotspots, free hotspots, wireless at hotels, conferences, etc. - not to mention wired connections at any network which isn't my own.

Virtual Private Network

[CypherXero]

This is exactly the reason why VPN was created, for situtations like this. Just create a secure tunnel across the internet, and they can't sniff your data.

Re:Virtual Private Network

[maxwell demon]

Which of course only works if there's a running, trusted computer to connect to on the net.

Heard this on BBC World Update this morning

[sczimme]

The interviewee seemed to be doing his best to simplify the concepts involved, but it sounded as if he were focused on the problem of the initial authentication. For example, the User goes to a public place like a cafe that has a pay-as-you-go model, e.g. he pays a certain amount per minute; such places often require a credit card to initiate the session. (Some business centers in hotels work this way for Internet access.)

If the user sits down at WiFi-R-Us to check his mail, he will have to enter a credit card number. However, there might be a 'rogue' WAP in the area configured to look legitimate, e.g. Wi-Fi-Are-Us, complete with ripped HTML, etc. to make the authentication page look legitimate. (See 'Phishing 101'). The user then enters his information on what he thinks is the proper authentication server.

It's an interesting issue, and I was glad to see it getting some broad[er] exposure.

Re:Heard this on BBC World Update this morning

[akadruid]

Not only that, but many places work on a large scale subscription model, so you deposit you CC details with BT or T-Mobile, and then log on at any one of dozens of places.

So the phisher has a an account to wireless network and internet access, and you're paying for it. The phisher then has lots of bandwidth and information to do various other illegal things, with your money and your liability carrying the can for them.

Re:Heard this on BBC World Update this morning

[dustinbarbour]

I part of a research team studying wireless security for a large metropolitan police department and we've actually performed studies and real-world test of this same thing. As with most things wireless, perfectly easy to dupe most anyone. Just another reason I'm still wired at home.

I'm teaching a computer class this year...

[cvd6262]

To college students working on their teaching certs. The funny thing is the department specifically asked me to teach a 2-hour lesson security "for the common person". Boy, has it opened my eyes to how trusting people are.

Most people have come to trust brand names. Research shows, as does personal experience with my 3-year-old, that children in the US develop brand recognition at an early age, and associate Nike or, [shudder] Microsoft, with quality. It is of little wonder that when they see a hotspot wit

Re:I'm teaching a computer class this year...

[michaelggreer]

It is not unreasonable to base trust on a brand name. That is indeed the purpose of the brand: otherwise we would have to sort through bins of goods and analyze them carefully with each and every purchase. Which we do sometimes (with fruit), but not with everything. We just don't have time for that and in purchases over the internet, it is impossible. Collective opinion (including websites) is often the basis for this trust. The only thing you can ask of people is that they ask around sufficiently before fo

Re:I'm teaching a computer class this year...

[dr_dank]

Kismet-qt on the Zaurus has a string capture function that can pluck plaintext out of the air.

Routers

[armypuke]

Adding your own hardware to a network to hijack network connections is not new. BlackHat Briefings has a good presentation on fun things you can do with routers. Some of the more interesting techniques require that you have physical access so that you can add your own router to the network. Your router can then be used to hijack HSRP and other things. I almost came to the conclusion that a wireless AP is easier to hide, but it still needs to plug in to a network somewhere.

The technique used in the art

Jamming and re-forwarding

[fizbin]

Actually, that in and of itself isn't too hard - all an attacker would have to do is broadcast a very strong signal on a channel different than the one the accesspoint is using, but with the same SSID, and then have a second wireless card locked to the correct channel communicating with the "real" accesspoint. I don't know about Linux wireless, but my windows laptop has no problem reconnecting if I change the channel my access point is using. (and this is after I've locked it down so that it won't autocon

Happy root kit downloading

[hobo2k]

One attack of non-SSL communication would be to target software downloads. When you see an exe, msi, zip come through in the clear, simply add your virus to it. Unless the user double-checks the md5 hash, the user will probably never know what hit him.

Re:Happy root kit downloading

[maxwell demon]

Unless the user double-checks the md5 hash, the user will probably never know what hit him.

If you see him requesing the MD5 hash, just send the one of your modified file instead.

Re:Happy root kit downloading

[TheLink]

Don't forget the various gpg/pgp public keys ;).

Vee Pee Endpoint.

[SoupIsGood Food]

Why someone [apple.com] doesn't just slap an open-standard VPN server onto the base station is byond me. Solves a bazillion problems all at once.

SoupIsGood Food

Linux bad guys

[streepje]

I watched the piece on BBC TV news this morning.

Guy sits down, opens his laptop, starts a Microsoft OS, opens IE and calls up his bank's homepage.

Other guy comes in, sits down, opens his laptop. He's running Linux!
Really, Linux on a BBC news piece, wow!

But then he starts evin twinning the Microsoft guy's wifi link. He's the Linux bad guy. :-(

Nice one BBC.

Here a few workarounds

[digitalgimpus]

Isn't this really a new varient of 'man in the middle' (quite literally)?

Here a few ideas:

1. An easy way to prevent this is to have your Access Point assign you a strange IP address. That way if you normally get 192.168.1.251... and you end up with 192.168.1.1... you have an idea something is wrong.

A simple way to get a clue.

2. Another way to do this is a bit more complex. If you have another computer or file server at home, set up a webserver. Make sure this system is wired. Set your computer's h

Re:Here a few workarounds

[Chanc_Gorkon]

Except it's EASY to sniff the WEP key. WEP keys are also pre-shared, so it would be damn easy to get the WEP key. No, we should be using WPA with a Radius server serving up the keys.

Here's how it's done

[max born]

This is old news.

Set up a regular access point [hrp.com].

Install a web server like NoCat [nocat.net].

Subsitute the NoCat splash page with a copy of the T-Mobile (or whatever) login page. You can use wget [gnu.org] to grab this.

From there you use a plain old cgi script to pipe the userID, password, credit card number, etc. into a text file.

What a load of fud

[Gyorg_Lavode]

Give me a break. My connection passes over 30 hops on the internet, none of which I know. It is detectable from 55 miles in any direction w/ LoS. And I'm supposed to worry about the fact that I might not be able to trust the guy runnin the AP? give me a break. The internet has always had insecure routers. Anyone who works in IT or security has known to assume that the routers are hostile. Must have been a slow news day at the beeb.

Now I can see how this might apply to a corporate network with a gov

Re:What a load of fud

[EvilTwinSkippy]

Amen.

Perfect security is perfect paranoia. Perfect paranoia is perfect security. If it's not worth being paranoid about, it's not worth securing.

And no, you don't want to secure everything. Part of what allowed the British to crack the Enigma machine was the fact that the Germans used it for everything, including weather reports and repetitive status updates.

If someone is really interested in my google searches, bully for them. If I whip out the credit card, you bet I use one with no other transaction

Now hold the phone...

[EvilTwinSkippy]

I object to this being called an "Evil Twin" attack.

I prefer the term "Imposter Gateway." (Cough)

Practical tips for a linux user?

[cortana]

What is the best way that I can ensure that the WAP I am connecting through is the WAP I believe it is?

I know XP users seem to have it worse--from reading the comments to this story, XP seems to associate with *any* available access point automatically... eep!

If my machine can't contact its AP, the interface is not brought up and I am safe. If the real signal from my AP is jammed, and an attacker spoofs it, then I am still reasonably safe because my machine will try to use a WEP key which the attacker wil

cat intercepted-passwords.txt

[daveewart]

When they showed this story, the 'attacker' was a BBC-stereotypical geek running some Linux-like OS. There was a close-up of him typing

cat intercepted-passwords.txt

in an xterm. "Ooh, *command-line*. That's evil!"

Easy to fool the unsuspecting.

[phorm]

So you have somebody connecting to your network, right? Here's a partial example from memory

In /etc/hosts, add 127.0.0.1 slashdot.org

To your firewall rules, add:
iptables -A prerouting -s 192.168.0.0/24 -d 66.35.250.150 -j REDIRECT

Setup a local DNS, using internet DNS for all names except those already in hosts

Add an apache entry like
<Virtualhost slashdot.org$gt;
</VirtualHost>>

Whammo, all connections going to slashdot get redirected to the local machine. The local machine serves out

Re:Easy to fool the unsuspecting.

[TheLink]

April 1st 2004, I added *.doubleclick.net and wildcarded a few other ad domains to the DNS server in my office.

Pointed it to a local server, which just served up the corporate logo.

It seems maybe only one or two people noticed... Maybe it shows how much people surf at my office or actually notice ads.

Maybe I should have served up "Meeting at 2PM" and other announcements...

I wonder what the legal implications are if a company voluntarily hijacks ads on it's network. Or an individual does the same on his/

Access Points with teeth

[dongkiru]

There's a small SF Bay Area startup that makes specialized wireless access points. You setup a network of the access points. The access points know about all other access points that *should* be there. When it detects another access point that is acting like an "evil twin," the network of access points can not only locate the evil AP to within few meters, but also DOS it with bunch of bad packets to knock it off the network. The CS department in Berkeley uses it. It can also be configured to knock out

Not a good idea.

[TheLink]

This is _wireless_ stuff.

People who live in glasshouses shouldn't throw stones (or "bad packets"). With wireless networking, it's really a glasshouse in more ways than one.

If you depend on wireless networking that much, you definitely shouldn't be throwing bad packets around. The person you are DoSing may not need wireless networking as much as you do. An eye for an eye and the whole world goes blind and all that.

Good luck finding proof that it's an Evil AP.

Plus I'm not sure how clear the laws in variou

Re:Bandwagon

[harrkev]

We've already had 'end of the internet' panics from them in the last year about spam, virii, child porn, spyware, and lack of bandwidth.

And don't forget "badly written laws will criminalize browsers, telnet, and FTP."

Although there may be some truth to this. After all, smart people are working to combat virii, spyware, etc. But I have never heard of a smart person making a law ;)

Re:The real threat...

[BrakesForElves]

Well of course you're dead on about slashdot readers. But what about the kid who makes one extra click to surf the new, secure https://disney.com in the morning, whose dad surfs his bank that evening? Hell, with 80% of the wireless routers in residences running default SSID's and no WEP or WAP, one could even launch this attack on a stationary target, where the likelihood of eventual compromise over a period of hours or days would approach certainty. Good luck associating that cause and effect!