How to Take Over a Train Station 356
ThinkComp writes "Everyone knows that home wireless networks are insecure, but who would expect a major transportation hub to be vulnerable to the same problems? Well, waiting for my friend's train at South Station in Boston, MA, I happened to notice that it was possible to take control of the entire station's wireless network, including its home page and authorization method (free wireless, anyone?)--and those of thirty other businesses throughout Massachusetts, thanks to a few coding errors on the part of the wireless company with which South Station contracted."
That's a stupid question (Score:3, Insightful)
Well, would you expect railroad company employees to be any smarter about computer things than your average Joe Blow surfing the innurnet down the street?
I'd be more surprised to find open hubs around, say, Linksys buildings. But then again, only slightly more surprised, mind you.
who did you tell? (Score:1, Insightful)
Re:wireless is insecure? (Score:5, Insightful)
What a waste of bandwidth (Score:5, Insightful)
1.) Try the default login/password combination and make some educated guesses.
2.) Look at the source code of web pages.
3.) Don't be an idiot admin and leave your system wider than your momma.
Not just wireless (Score:5, Insightful)
Re:Security Risk (Score:1, Insightful)
You are now guilty of terrorism or treason/spy.... (Score:2, Insightful)
Such strange attitudes (Score:5, Insightful)
At first this wasn't entirely the case. Consider, for example, copying all the files from /usr/bin to your home directory 1000 times. Back in the old days that would be enough to fill up the harddrive which would quickly stop other people from using the system. You could affect other people, the kernel didn't stop you, so it must be allowed right! Well no. You're wasting resources and being an asshole. But rather than put a sign on the wall that said "please don't waste disk space" someone decided this was a "security" issue and implemented disk quotas into the kernel. Now you can't affect other users by using up all the disk space.
Consider the "fork bomb" issue. For those who don't know, this is just like using up all the harddrive space, except instead of disk you're wasting memory. A fork bomb will quickly bring an older unix machine to its knees, and back in the days when I had the joy of sharing a unix lab with other students, a fork bomb would go off at least twice a day. Why? Cause if the kernel permitted it, it must be ok right? Now there's protections in most kernels just to detect a fork bomb and stop it.
Such a strange way of thinking. Thankfully most unix users do not try to apply this attitude to the real world. If there were to see the police or the government as some kind of kernel they might be surprised to find that they could kick over granny in the street or go ballistic with an automatic weapon. The police didn't stop me, it must be ok, right?
Just to bring this long post back on topic: just because you can take over the wireless internet of a train station, doesn't mean you should do it. It doesn't mean that it is permitted. There doesn't need to be a failsafe kernel monitoring and stopping every undesirable action that you can possibly perform. We can live with people being able to break the rules. It's called freedom.
Re:Security Risk (Score:5, Insightful)
Re:They're coming (Score:2, Insightful)
Re:Such strange attitudes (Score:5, Insightful)
It's not about pranks.It's not a question of what the reviewer should and shouldn't do.
It's a question of what he could do, and therefore what someone with malicious intent could do. Expecting people's actions to just natually blend into the common good is great and all, but it's simply not going to happen. There's a reason for police there's a reason for locks on doors, there's a reason for computer security, and there's a reason I don't leave my lunch out when my cat is in the room. Somebody's going to take advantage, and I'm going to get screwed.
Re:wireless is insecure? (Score:5, Insightful)
And, if their web site is that insecure, what makes you think their other systems (electronic and other) aren't similarly flawed?
Regardless, what I would really like to hear is the behind the scenes stories from all companies involved.
Totally misleading article leadin. (Score:2, Insightful)
Did he find a way of stealing credit card information? I didn't see that in the summary anywhere or through skimming the article. That may be a more serious security breach, but simply being able to turn on free or password access? Big deal.
Re:Such strange attitudes (Score:3, Insightful)
Re:That's a stupid question (Score:4, Insightful)
Re:Thanks for the Warning!! (Score:2, Insightful)
Tread carefully! (Score:5, Insightful)
You will be caught and be fined heavily! Just ask the other teenager how fun sitting in court was. This is not to mention damage to your entire professional life (I assume it exists).
Slashdotters here might encourge you, but remember that you will be sitting in the dock alone. In other words, you will be answer for YOU. Now before I get modded down, I be to remind whoever might read this that what I am saying is FACT.
Re:this isn't that funnny -- I just reported him.. (Score:3, Insightful)
By your rather low standard of evidence, it seems, if I accidentally accessed my neighbor's unsecured wireless LAN I should be cuffed and sent to jail? Please. Let's leave the totalitarian laws for the totalitarian nations of the world, and put responsibility where it is due. And apparently he didn't pick the lock
Woah There... (Score:3, Insightful)
What the author of this white paper really accessed is the admin interface of a wireless internet service provider. With this access, he/she could steal internet service or allow others to do so, or even obtain personal customer data, includingcredit card information, and use it for his/her own gain. While these are of course Bad Things, they really come nowhere close to constituting a national security risk. An inconvenience and a violation of state and federal law, yes, but a national security risk, no.
What would change things is if it were actually possible to access _train station_ systems through the wireless network. However, these systems are not configured this way. The wireless access is provided by a 3rd party provider that handles only pay-for-service internet access. Anything related to station services or railway control would be handled by its own seperate network. The author of this white paper says nothing to indicate that it is possible to do anything that would touch train station operations or that would be of any use to terrorists in an attack on the "very important" nearby buildings.
Sounds like a whole lot of nothingness to me...
Re:Such strange attitudes (Score:4, Insightful)
Every type of security involves a series of compromises between risk and effort. Most businesses keep their cash in a cash register with someone watching it, not in an open box next to the door.
The result of people being able to "break the rules" in computer security is not freedom but chaos. Viruses, malware and spyware are all the result of other people being able to break YOUR rules in YOUR computer (well, I assume you have a rule against people doing naughty things on your machine).
Being able to break "laws" is what freedom and responsibility are about. Having mechanical enforcement of all of our laws would be called a police state. Having locks on your doors is not.
Re:guestBox (Score:3, Insightful)
Of Astroturf and Grandstanding (Score:5, Insightful)
Ignoring the grandstanding title and the fact that the author astroturfed his own "article" and site, here's a quote:
A more farfetched, but very real possibility, is that computers or workers at airports and train stations also use these same networks to make everything tick. If that is the case, it might be possible for an intelligent high school student to start changing train timetables or rerouting baggage.
And his evidence for this is, what? His own personal opinion? He's been watching Hackers too much if he thinks the schedule board at South Station is networked; it's a -flip- chart (seriously, stick around for 5-10 minutes, and watch it update itself). I'd be amazed if it had anything better than a dedicated thinnet connection to an ancient PC. It's not like some kid with mad h@x0r skills is going to go bippity-boop and put up "TRAIN TO FUCKVILLE 4:20". No. That happens in Hollywood, where people "launch the genetic algorithmic viral defenses!". It does not happen in the real world.
There are a lot of cheap shots and snide remarks aimed at "The Guvmint", "The Man", etc. This guy sounds like he's about 19, not to mention he's just admitted to logging into places he knew he didn't belong AND changing settings (he changed the back, but still...) Sounds like a great federal inditement to me.
Some googling shows he's in his very early 20's(graduated from Harvard in 2004 in "3 years", which means he's maybe 21 now), runs some consulting company. Sounds like he's just out to promote his business like every other story submitter these days...
RTFA: he is a felon, he didn't report what he did (Score:0, Insightful)
- He guessed passwords, this is the _classic_ case of unauthorized access; a felony in most states. It's like walking up and jimmying a perfectly good lock.
- He did _not_ inform the company who was providing the service; instead he badmouthed the company to one of their customers (who really could care less, the free-wireless is just like a coke machine for patrons from their perspective)
- He seriously _thinks_ that he did nothing wrong, when he is not only a felon, but one that didn't report his findings to a resonable source.
IMHO, he's an arrogant child who needs 15 days in the clink to think hard about what he has done and to promise not to do it again. This whole conversation, ignoring that he _did_ commit a felony, and then acting like it isn't a big deal sends the _wrong_ message to script kiddies. This fella is a criminal. He broke/entered and he vandalized property (changed settings). He did so without any intention of informining the _owner_ of the box he broke into.
He deserves to be prosecuted to the fullest extent of the law.
Re:Thanks for the Warning!! (Score:3, Insightful)
Re:They're coming (Score:2, Insightful)
Re:who did you tell? (Score:5, Insightful)
Imagine you're an admin and somebody reports that you left the entire network wide open, that at least thirty different businesses' private customer data is in a compromisable position, all due to your incompetence. What are you going to do? Admit it? Hardly
The fault lies with the admin of the network, and if you ignore smart users that try to help, you deserve what happens when a real criminal comes along, downloads and sells all your customers' credit card info and then trashes your network.
Fact is, laws against what this man did are useless
Re:moderators: parent post is _not_ informative (Score:3, Insightful)
Re:Such strange attitudes (Score:5, Insightful)
It is certainly not permitted for random strangers to enter your house or drive your car, so why worry about locks? Leaving doors unlocked and car keys in the ignition is much more convenient.
I suspect you understand this attitude far more than you pretend. And no, the attitude of most users is not that you can do these things if it isn't physically prevented -- just as most people are basically honest and won't trespass or steal your car. It's the few assholes you have to be on guard against. Recall the price of freedom.
Re:wireless is insecure? (Score:5, Insightful)
I wish I could believe that.
What will probably happen is they get hacked and any problems that arise will be considered a terrorist act. The company will get all sorts of sympathy from the unknowing public while the perp goes to federal "pound him in the ass" prison and owes $4 Billion in damages. The CEOs of the company will denounce the act, get fat bonuses, jump ship, and might even throw a quarter at the problem on their way out the door.
But I feel that last part is overly optimistic.
Re:Such strange attitudes (Score:3, Insightful)
It's a question of what he could do...
There's a reason for police there's a reason for locks on doors, there's a reason for computer security, and there's a reason I don't leave my lunch out when my cat is in the room. Somebody's going to take advantage, and I'm going to get screwed.
If this isn't the largest piece of FUD I've seen this month, I don't know what is. Good god man, it's just wireless internet access. Get a grip. There's no magic train derailing webapp on the website. The ticketing isn't tied into the system. It's about as harmless as some idiot flooding the bathroom at the train station. A pain in the ass? Absolutely. A reason to start wondering in deeply fearfull tones "what could he do? Umm.. no.
Re:Such strange attitudes (Score:3, Insightful)
Considering that he was able to obtain a list of usernames and passwords as well as change the prices charged for WiFi access -- anything from "Free" to perhaps hundreds of dollars per hour -- he could have either caused the station to lose revenue or, at worst, jacked up the price, use others' login accounts, and maybe their credit cards would have been automatically billed without them knowing.
Did you even RTFA?
Re:That's a stupid question (Score:4, Insightful)
But guess what? All these people are like you and me. Yes, better educated within their particular field but still as fallible(?) as any other person. A cop on the beat will not know about IP law. A doctor will have specialised in a particular field of medicine. Anyone could misjudge the meter and the guy with the hot dog stand could serve you food that will kill you.
Until recently I (kind of) had all these expectations. That changed when I started my education as a network engineer and looked into doing practice work with the university IT department. Know what? They are just regular guys. They go for a pint after work on a friday. They do normal stuff all the time and they are not ubermensch as we like to think. Not all companies can afford to employ the cream of the crop in all departments. After all, a company's main purpose is to MAKE MONEY. Everything else comes second. This includes the computers and IT infrastructure. If 10Mb ethernet can do, it will have to do and if an unsecure wi-fi access point can do, I suppose it will have to do too.
I suppose my point is that you may not be too far off saying the cleaners were involved in the IT rollout. In the real world we all wear many hats, some better fitting than others.
mmmkay... (Score:3, Insightful)
Either way, I'd like to see a followup to this at some point stating what happens with the guy next:
"Does he really get arrested, or is he hired on by wireless network providers? Stay tuned to find out!"
Re:Such strange attitudes (Score:4, Insightful)
It's all about what you should and shouldn't do.
Understand something: Police aren't around (at least in the US) to PREVENT crime, they're there to respond after the fact. Locks don't prevent theft; they merely deter the casual person from entering a space, or making off with a bike, or a laptop, etc. Anyone who's determined to do something can usually find a way to do it.
You might be surprised to learn that most physical security isn't really about preventing unathorized access, it's about deterring people from trying. Security guards aren't some super-vigilant breed of human that can focus their attention on every detail of a situation for extended periods of time. They might be looking around with a suspicious expression (if they're really gung-ho, and not reading a magazine), but they're almost definately thinking about something unrelated.
So why do we expect better from software that's been written by people? If someone wants to gain access to a system, they will. It's all about posturing and setting up an interface with a "secure feel," just like the security gate at a building. Sure, you don't just leave the gate open and let the guard leave the station unattended, but there comes a point where you're expending more resources by keeping a facility secure than you stand to lose by having the facility compromised.
I'm not trying to make excuses for wanton disregard of basic practices.. there's no point in having a gate if you have no fence after all. But to expect any security to be bullet-proof is being unrealistic.
Re:Such strange attitudes (Score:3, Insightful)
Considering that he was able to obtain a list of usernames and passwords as well as change the prices charged for WiFi access -- anything from "Free" to perhaps hundreds of dollars per hour -- he could have either caused the station to lose revenue or, at worst, jacked up the price, use others' login accounts, and maybe their credit cards would have been automatically billed without them knowing.
Holy smokes! Call the fire department!! Why does everyone get all hopped up whenever CCs are involved, as if this is the ultimate security breach and CCs normally have tight security sit in steel vaults until a computer or the internet comes along? On a daily basis you give your CC to all kinds of different businesses and low paid employees. Any one of which could get your CC # and bill it for whatever they want. Compared to normal security breaches that exist every day, this one is pretty minor. Anyway, the point I'm trying to make is that the GP article was just fear mongering. The whole "what could he do" thread is just scaring people with the unknown. What could he do? Not a hell of a lot.
Re:Illegal access (Score:3, Insightful)
Well, I was totally on his side until the "I changed the access mode from 'credit card' to 'free'". That's bullshit. I know he immediately changed it back, but that's wrong. Nothing gives him the right to do that. Surely bringing up the admin page was enough to be able to contact the admins and tell them they fucked up. Before he did that, he might have had a chance of claiming complete innocence.
It's like the the people who abused the ATMs in New York after 9/11. When they made the first withdrawal and saw that their balance didn't decline, they should have called the bank and reported it. Nothing gave them the right to keep making withdrawals. If I leave me door unlocked, it may make me an idiot, but it doesn't give some dude the right to come in to my house, and take something and walk out the door, even if you come right back in and put it back.
Re:That's a stupid question (Score:4, Insightful)
Re:Such strange attitudes (Score:3, Insightful)
Let's consider all the things you can do in the bathroom to be an asshole. For one, you can flood it. You also can clog up the toilets. You also can break the doors off the stalls. You also can break the taps. Hell, you can make everyone's day at the train station a real hell if you go nuts in the toilets. Now for some reason, regardless of the fact that there's no big beefy security guard monitoring everyone's actions in the train station every instant of the day, the amount of mayhem to be witnessed by the average commuter.
To bring it back to the wifi network, I'd much prefer it if we didn't have someone sitting at a workstation monitoring every bit of traffic that goes over the network to ensure that no-one is doing anything underhanded. But in the interests of "computer security" we're all too willing to encourage this kind of monitoring, just in case someone is doing something wrong.
Re:wireless is insecure? (Score:1, Insightful)
Re:That's a stupid question (Score:3, Insightful)
The average idiot couldn't set this thing up in the first place. These idiots were special.
Laypeople aren't that dangerous because they aren't that trusted. It takes an expert or professional making a small mistake on somthing very important to really cause a problem.
He was just saying the proverbial "noone's perfect"
Re:Illegal access (Score:3, Insightful)
Awfully alarmist, but I don't see how you can equate changing the access mode from 'credit card' to 'free' and immediately changing it back again with continually making withdrawals at an ATM. That's insane. That doesn't mean what he did is correct, but it is certainly NOTHING like "the people who abused the ATMs".
Re:Its a TRAIN STATION for crying out loud... (Score:3, Insightful)
Chances are, the Wireless Internet is a service of Amtrak's Acela Lounge. There is a business lounge with net access and coffee and newspapers, and it probably bleeds over. The name is South Station because that's where it is.
The MBTA doesn't provide wireless at any other station , to my knowledge. (which i'd like to think is good, I ride the Red Line into South Station every day.)
Truth is, stations like South Station aren't wholly owned government agencies, like the trains that another poster mentioned in Australia. Its a government and business venture. Amtrak and the MBTA are government-sponsored, but operate independently, as does the management of the major transit points like South Station. The management of South Station or the Acela Lounge / Amtrak group hired a company to set up the wireless, probably just to bring in a few bucks and offer convienence to travelers. This is the same group that collects rent checks from the businesses in the food court, kicks the homeless out of the doorways, and makes sure the escalators never work. Don't expect them to have an IT department. They probably have one or two electricians who fix the arrival/departure electronic systems, but no IT staff.
Re:That's a stupid question (Score:3, Insightful)
I would expect the doctor to wear gloves and mask for his and my protection.
I would expect the meter maid to see that the needle is in the red.
I would expect the chef to ensure that the vegetables are clean? (That one's a stretch, but so was yours =)
Securing a publicly-accessible portal (wireless or otherwise) should be basic knowledge. Perhaps not the method itself, but knowing that a method needs to be found and used.