
How to Take Over a Train Station

ThinkComp writes "Everyone knows that home wireless networks are insecure, but who would expect a major transportation hub to be vulnerable to the same problems? Well, waiting for my friend's train at South Station in Boston, MA, I happened to notice that it was possible to take control of the entire station's wireless network, including its home page and authorization method (free wireless, anyone?)--and those of thirty other businesses throughout Massachusetts, thanks to a few coding errors on the part of the wireless company with which South Station contracted."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Sunday February 06, 2005 @07:54PM (#11593146)
    News at 11.
    • by krisp ( 59093 ) * on Sunday February 06, 2005 @07:58PM (#11593177) Homepage
      Nah, this shouldn't be news anyway. When you can get control of the arrival/departure boards and track switch control from your laptop on the wireless, then it will be news. Until then, the title is misleading!
      • by Colven ( 515018 ) on Sunday February 06, 2005 @08:31PM (#11593333)
        I don't know, I think it's news. I create very similar sites, so hearing about things like this is extremely helpful to my practices. And it could serve as a wake-up call to others who might be slacking.

        And, if their web site is that insecure, what makes you think their other systems (electronic and other) aren't similarly flawed?

        Regardless, what I would really like to hear is the behind the scenes stories from all companies involved.
        • by Talinom ( 243100 ) on Sunday February 06, 2005 @09:29PM (#11593599) Homepage Journal
          And it could serve as a wake-up call to others who might be slacking.

          I wish I could believe that.

          What will probably happen is they get hacked and any problems that arise will be considered a terrorist act. The company will get all sorts of sympathy from the unknowing public while the perp goes to federal "pound him in the ass" prison and owes $4 Billion in damages. The CEOs of the company will denounce the act, get fat bonuses, jump ship, and might even throw a quarter at the problem on their way out the door.

          But I feel that last part is overly optimistic.
      • by sharkey ( 16670 ) on Sunday February 06, 2005 @10:40PM (#11593886)
        Man, we have GOT to do this! I can't wait to see how many tickets are sold to Pussyhump, RI or Shithouse Falls, SD.
    • by Anonymous Coward
      Oh damn it's 12 where I am... Did I miss anything?!
    • by cgenman ( 325138 ) on Monday February 07, 2005 @01:39AM (#11594498) Homepage
      I happened to notice that it was possible to take control of the entire station's wireless network,

      That's great. Can you wait until after I get to work on Monday before you do this? Thanks.

    • Not wireless (Score:5, Informative)

      by cgenman ( 325138 ) on Monday February 07, 2005 @01:56AM (#11594547) Homepage
      Actually this is some very basic HTML hacking. He went to their service, which re-directs all new people to their home page. He directory surfed around the web server, and found a few dozen other sites, as well as the company's home page. He tried some very basic password combinations, (like test:test), and got control over some active sites. These sites included customer information and credit card databases.

      So really, the site that served images from an unobfuscated directory allowed the person to know what to look for, the directory was fully listed in a way that directories shouldn't. The passwords were very, very insecure. This had nothing to do with wireless security, but rather web services security, and basic things for security that people don't do.

      The passwords in the article, BTW, no longer function. At least, not from my remote machine. Anyone reading this from South Station wish to see if the passwords still work on-network?

  • by LiquidCoooled ( 634315 ) on Sunday February 06, 2005 @07:55PM (#11593152) Homepage Journal
    Here [google.co.uk] :)
  • by Rosco P. Coltrane ( 209368 ) on Sunday February 06, 2005 @07:55PM (#11593158)
    Everyone knows that home wireless networks are insecure, but who would expect a major transportation hub to be vulnerable to the same problems?

    Well, would you expect railroad company employees to be any smarter about computer things than your average Joe Blow surfing the innurnet down the street?

    I'd be more surprised to find open hubs around, say, Linksys buildings. But then again, only slightly more surprised, mind you.
    • by Kris_J ( 10111 ) * on Sunday February 06, 2005 @08:43PM (#11593384) Homepage Journal
      WTF? I would expect the IT Department of any given company to be smarter about computer things than your average Joe Blow. Who do you think installs this stuff, the CEO, a secretary perhaps, maybe the cleaners?
      • by imogthe ( 742394 ) on Sunday February 06, 2005 @10:08PM (#11593786)
        So would I. And I would expect a policeman to know the law to the letter and a doctor to know everything there is to know about the human body. I would expect the meter maids to never get a parking ticket and a chef to always make fantastic food.
        But guess what? All these people are like you and me. Yes, better educated within their particular field but still as fallible(?) as any other person. A cop on the beat will not know about IP law. A doctor will have specialised in a particular field of medicine. Anyone could misjudge the meter and the guy with the hot dog stand could serve you food that will kill you.
        Until recently I (kind of) had all these expectations. That changed when I started my education as a network engineer and looked into doing practice work with the university IT department. Know what? They are just regular guys. They go for a pint after work on a Friday. They do normal stuff all the time and they are not ubermensch as we like to think. Not all companies can afford to employ the cream of the crop in all departments. After all, a company's main purpose is to MAKE MONEY. Everything else comes second. This includes the computers and IT infrastructure. If 10Mb ethernet can do, it will have to do and if an unsecure wi-fi access point can do, I suppose it will have to do too.

        I suppose my point is that you may not be too far off saying the cleaners were involved in the IT rollout. In the real world we all wear many hats, some better fitting than others.
        • by Kris_J ( 10111 ) * on Monday February 07, 2005 @02:40AM (#11594673) Homepage Journal
          Great logic there. "Expert X isn't perfect, therefore they're no better than the average idiot." This is just bizarre.
          • Great logic there. "Expert X isn't perfect, therefore they're no better than the average idiot."

            The average idiot couldn't set this thing up in the first place. These idiots were special.

            Laypeople aren't that dangerous because they aren't that trusted. It takes an expert or professional making a small mistake on something very important to really cause a problem.

            He was just saying the proverbial "no one's perfect"
        • Sorry, but this is incredible piffle.

          I don't expect my doctor to know everything about the human body, but I'd expect him to have a certain degree of basic competence. If he asks me to remind him which is the leg and which is the arm, I'm out of there.

          Connecting a wifi network in a public place to the machine you do your credit card authentication to is incredibly stupid, even without leaving default passwords in place.

          BTW, do we know that it is the IT department that put this in, and not someone pluggin
        • I would expect the policeman to attempt to stop someone running down the street with an automatic rifle.

          I would expect the doctor to wear gloves and mask for his and my protection.

          I would expect the meter maid to see that the needle is in the red.

          I would expect the chef to ensure that the vegetables are clean? (That one's a stretch, but so was yours =)

          Securing a publicly-accessible portal (wireless or otherwise) should be basic knowledge. Perhaps not the method itself, but knowing that a method needs
      • Not a huge fortune 500 computer company. Why WOULD you need an IT department for a train station? Sure if you're talking about Grand Central Station or some huge hub similar, but for most who cares? Most train stations have to skimp on seating, lighting, cleaning (trains in the U.S. are a pathetic sight compared to European or Japanese counterparts) and other much more important aspects over than hiring an IT professional to run a computer network that's probably smaller than one most /. readers have.
        • by Kris_J ( 10111 ) * on Monday February 07, 2005 @02:50AM (#11594714) Homepage Journal
          Gee, let's see, I would expect a train station to have an IT department because I've worked in one. I did a three month project with "Westrail", the government department that manages the trains in Western Australia. There's a big central organisation with a big IT department and staff go out to the various stations (easy to get to, just hop on the train) to do IT stuff. Do you really think an individual station is an isolated company?
      • "Who do you think installs this stuff, the CEO, a secretary perhaps, maybe the cleaners?"

        Unfortunately, yes. At the downtown offices of one of the clients I support, one of the corner office managers set up an out-of-the-box secured Linksys so he would not have to plug in his ethernet to his laptop. It wasn't until two weeks later that I discovered the device while troubleshooting connectivity issues. Since he plugged it directly to the ethernet port in his office and the switches in this location (it is only

    • I would expect them to treat their systems contractors like anybody else, as if the lives of people depended on the quality of their work. Apologizing for the train operator for not hiring qualified systems people doesn't change the fact that a system was implemented that could be taken over relatively easy. They wouldn't let just anybody in the control room at Paddington station in London, would they? Apparently there's been a breakdown in standards if "make sure random people can't control the system" isn
      • by timeOday ( 582209 ) on Sunday February 06, 2005 @11:28PM (#11594016)
        They wouldn't let just anybody in the control room at Paddington station in London, would they?
        This is irrelevant. Nobody took over a train station; the story title is a lie. All they did was circumvent the payment system for wifi internet access and avoid paying an hourly fee for internet access. The fact that this was at a train station has nothing to do with the story, except making it read better.
  • by Anonymous Coward on Sunday February 06, 2005 @07:55PM (#11593159)
    Should you not tell anyone and get free wireless for life, or just goatse everyone?
  • by Jonathan the Nerd ( 98459 ) on Sunday February 06, 2005 @07:57PM (#11593170) Homepage
    Please remain where you are. The Department of Homeland Security has already pinpointed your location, and agents will be arriving shortly. Resistance is futile.
    • Re:They're coming (Score:2, Insightful)

      by mincognito ( 839071 )
      The password cracking might be illegal but I don't see any illegality in accessing "hidden" directories. If you fail to secure your network the line between legal and illegal access evaporates.
      • Common sense would agree with you, but the law doesn't necessarily. Under the DMCA, looking at something you're not supposed to is a crime. The guy appears to be a good citizen - he tried to report the problem, but no one would listen. Now that he's gone public, don't be surprised if the legal beagles hunt him down and prosecute without mercy. Let no good deed go unpunished. Don't you feel so much safer knowing that we can fill the jails with "dangerous" criminals like white hat hackers? We'll only be rea
    • by JumperCable ( 673155 ) on Sunday February 06, 2005 @10:52PM (#11593911)
      Dear Department of Homeland Security,
      It has recently come to our attention that you are using methods of pinpointing locations of individuals that may infringe on our "Latitude/Longitude" [slashdot.org] techniques (Patent Pending).

      You are hereby ordered to cease & desist all location activity until you have properly licensed our intellectual property rights.

      Yours Truly, -Microsoft Legal Team
  • by bloo9298 ( 258454 ) on Sunday February 06, 2005 @07:59PM (#11593178)

    Summary: here's documentation of my illegal access to a system, please prosecute me, thanks.

    • No, as long as he gives up fellow hackers [slashdot.org], he'll go free. :)
    • Re:Illegal access (Score:3, Insightful)

      by jdreed1024 ( 443938 )
      Summary: here's documentation of my illegal access to a system, please prosecute me, thanks.

      Well, I was totally on his side until the "I changed the access mode from 'credit card' to 'free'". That's bullshit. I know he immediately changed it back, but that's wrong. Nothing gives him the right to do that. Surely bringing up the admin page was enough to be able to contact the admins and tell them they fucked up. Before he did that, he might have had a chance of claiming complete innocence.

      It's like th

      • Re:Illegal access (Score:3, Insightful)

        by dustmite ( 667870 )

        Awfully alarmist, but I don't see how you can equate changing the access mode from 'credit card' to 'free' and immediately changing it back again with continually making withdrawals at an ATM. That's insane. That doesn't mean what he did is correct, but it is certainly NOTHING like "the people who abused the ATMs".

  • by silid ( 733394 ) on Sunday February 06, 2005 @07:59PM (#11593184)
    no more running for trains - use your ipaq as a remote control for your very own train set.
    and close the doors when you are all the way through

    next stop: home
  • ...icle: "Unless something is done to force accountability for wireless devices, perhaps by recording ethernet MAC addresses (which are unique and hard-coded to a physical piece of hardware)" ... uh, no they aren't. Most devices allow you to change your MAC with impunity. Others can be hacked to do so, by tweaking their firmware. MAC addresses meant something back in the day when they were hard to change (it's never been impossible) but those days are long gone.
    • by molo ( 94384 ) on Sunday February 06, 2005 @08:18PM (#11593274) Journal
      BTW, for windows, there is a great tool called MacShift [washington.edu] that will allow you to randomize your MAC address. Just make a shortcut and run it before you connect to any wireless network, and you'll have a different one each time. No tracing there.

      -molo
    • by bluGill ( 862 ) on Sunday February 06, 2005 @10:12PM (#11593796)

      The old DecNet required that all ethernet cards have the ability to change their mac address. Part of the protocol, and you couldn't connect to DecNet unless you had the right mac address. (which was changed as part of the network protocol, you normally didn't change this manually)

      Just in case a customer ever tries to use their chipset with DecNet nearly all cards allow software to change the mac address. Since all current chips have the ability, when designing a modification to the old chip it is easier to leave that ability in than take it out.

      I don't know if anyone in the world still runs DecNet, but it isn't a chance network vendors are willing to take.

  • by Anonymous Coward on Sunday February 06, 2005 @08:02PM (#11593200)
    All your trains are belong to us!
  • by Anonymous Coward on Sunday February 06, 2005 @08:03PM (#11593201)
    This person merely tried common tricks to expose the network settings. Here's a summary:

    1.) Try the default login/password combination and make some educated guesses.

    2.) Look at the source code of web pages.

    3.) Don't be an idiot admin and leave your system wider than your momma.
  • Not just wireless (Score:5, Insightful)

    by fred911 ( 83970 ) on Sunday February 06, 2005 @08:05PM (#11593212) Journal
    Sure wifi allowed access to the start page, but the same weakness (lam0r administration) would show up on let's say a wired public terminal. Wifi just makes criminal actions so much harder to catch.
    • Re:Not just wireless (Score:5, Interesting)

      by utlemming ( 654269 ) on Sunday February 06, 2005 @08:47PM (#11593414) Homepage
      With a Laptop, and Knoppix and a tad bit of skill (or some really good scripts) you can really have some illicit fun. Knoppix makes it a whole lot harder to find forensic evidence in case you're caught. All you have to do is drop out the battery and then all the evidence is wiped away (save some circumstantial evidence in the form of a Knoppix cd, and a rebooting computer). If you have the scripts stored in a remote location, i.e. ftp, then you're in for business. Since you don't have any of the stuff stored on disk, and the MAC is so easily changed, it can be pretty tough to prove -- they would have to essentially follow you and collect evidence on the signal you're sending out. As a previous post said, a good administrator will allow open access that is routed through a proxy server to authenticate. But then you still have problems with keeping the authentication. All I can say is that I hope that I never have to maintain a wireless network and make sure that it is secure. The headache of maintaining a 5 person WPA "protected" WiFi is enough of a headache to make my life difficult enough.

      I just got a Wireless router the other day. What my roommates couldn't understand is why I locked down the router so hard. They were amazed that I had to put the WPA key on all the computers, and why I also did MAC and IP filtering. They just couldn't understand. Although it is not totally secure, hopefully it is enough to keep the dorks out and at the same time allow for wireless inconvenience. The last thing that I want to worry about is some dork running around with a laptop and deciding that my internet is his internet and then doing something stupid.

  • by vudufixit ( 581911 ) on Sunday February 06, 2005 @08:05PM (#11593218)
    When you can play with the real thing?
  • accountability? (Score:4, Informative)

    by l2718 ( 514756 ) on Sunday February 06, 2005 @08:07PM (#11593229)

    Very good article. However, one of the author's ideas for improving security doesn't actually hold water. The problem is to verify the identity of people being assigned dynamic IP addresses on a wireless network. He proposes

    "... to force accountability, ... by recording MAC addresses (which are unique and hard-coded to a physical piece of hardware)"

    Actually, most network cards allow you to set the MAC address by software if the factory one isn't good for you. For example, this is needed for drop-in-replacement functionality.
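The point made in the comments above about MAC addresses, as an added example (not code from the article or from any commenter): a lease-log audit that shows how little a recorded MAC proves. The log format, hostnames and addresses are constructed for illustration; the only protocol fact used is that bit 0x02 of the first octet marks a locally administered (software-assigned) address.

```python
from collections import defaultdict
import string

# Constructed DHCP-style lease records (time, client MAC, client-supplied
# hostname). Sample values for this example only, not data from the article.
SAMPLE_LEASES = [
    ("2005-02-06T19:40", "00:0c:41:aa:10:01", "laptop-anna"),
    ("2005-02-06T19:52", "02:1f:3c:5d:7e:9a", "laptop-bob"),
    ("2005-02-06T20:05", "06-B3-22-90-4C-11", "laptop-bob"),
    ("2005-02-06T20:17", "00:0c:41:aa:10:01", "pda-carl"),
]


def parse_mac(text):
    """Return the six address bytes, accepting ':' or '-' separators."""
    parts = text.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or not all(
        len(p) == 2 and all(c in string.hexdigits for c in p) for p in parts
    ):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def is_locally_administered(mac):
    """True when the U/L bit is set, i.e. the address was assigned in software.

    A clear bit proves nothing: software can just as easily set an address
    that looks factory-assigned.
    """
    return bool(mac[0] & 0x02)


def audit_leases(leases):
    """Summarise the ways the log contradicts 'one MAC = one device = one person'."""
    hosts_by_mac = defaultdict(set)
    macs_by_host = defaultdict(set)
    software_set = set()
    for _when, mac_text, host in leases:
        mac = parse_mac(mac_text)
        canon = ":".join(f"{b:02x}" for b in mac)
        hosts_by_mac[canon].add(host)
        macs_by_host[host].add(canon)
        if is_locally_administered(mac):
            software_set.add(canon)
    return {
        # Addresses that openly declare themselves software-assigned.
        "locally_administered": sorted(software_set),
        # One address presented by several clients: cloned or reused.
        "mac_shared_by_hosts": {
            m: sorted(h) for m, h in hosts_by_mac.items() if len(h) > 1
        },
        # One client presenting several addresses: changed between leases.
        "host_with_many_macs": {
            h: sorted(m) for h, m in macs_by_host.items() if len(m) > 1
        },
    }


if __name__ == "__main__":
    for finding, detail in audit_leases(SAMPLE_LEASES).items():
        print(finding, detail)
```

The hostname is also client-supplied, so these findings are hints for correlation with authenticated sessions, not an identity record in themselves.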

  • Well? (Score:5, Funny)

    by NoseBag ( 243097 ) on Sunday February 06, 2005 @08:10PM (#11593244)
    Did you refund your friend's tickets?
  • by Anonymous Coward
    unless you are a journalist. With the Patriot Act, you are not allowed to expose weaknesses like this in such an irresponsible fashion.
  • by Anonymous Coward on Sunday February 06, 2005 @08:14PM (#11593263)
    This fella just cracked the "wireless" router put in place for patrons; he didn't break into the train station's systems. The title should be changed. Also, his writeup is well, boring (and obvious), like I found a wireless router in a similar state about a year ago in a coffee house. Unlike him, I didn't poke around, I reported the issue directly, called the programmers involved and got them a bit admonished.
  • by QuantumG ( 50515 ) <qg@biodome.org> on Sunday February 06, 2005 @08:14PM (#11593264) Homepage Journal
    I've always found the mentality of computer security experts quite strange. It must be the effect of unix. For those who never had the experience of using a "user" account on a unix box as their sole source of computation, let me explain. Basically you're required to log into the machine. After that you can do anything you want. The unix kernel will ensure that no user can affect any other user unless that user permits it. It's this attitude of "anything that is not denied by the kernel is permitted" that I really don't get.

    At first this wasn't entirely the case. Consider, for example, copying all the files from /usr/bin to your home directory 1000 times. Back in the old days that would be enough to fill up the harddrive which would quickly stop other people from using the system. You could affect other people, the kernel didn't stop you, so it must be allowed right! Well no. You're wasting resources and being an asshole. But rather than put a sign on the wall that said "please don't waste disk space" someone decided this was a "security" issue and implemented disk quotas into the kernel. Now you can't affect other users by using up all the disk space.

    Consider the "fork bomb" issue. For those who don't know, this is just like using up all the harddrive space, except instead of disk you're wasting memory. A fork bomb will quickly bring an older unix machine to its knees, and back in the days when I had the joy of sharing a unix lab with other students, a fork bomb would go off at least twice a day. Why? Cause if the kernel permitted it, it must be ok right? Now there's protections in most kernels just to detect a fork bomb and stop it.

    Such a strange way of thinking. Thankfully most unix users do not try to apply this attitude to the real world. If they were to see the police or the government as some kind of kernel they might be surprised to find that they could kick over granny in the street or go ballistic with an automatic weapon. The police didn't stop me, it must be ok, right?

    Just to bring this long post back on topic: just because you can take over the wireless internet of a train station, doesn't mean you should do it. It doesn't mean that it is permitted. There doesn't need to be a failsafe kernel monitoring and stopping every undesirable action that you can possibly perform. We can live with people being able to break the rules. It's called freedom.

    • great comment! this is how i view the world
    • by gehrehmee ( 16338 ) on Sunday February 06, 2005 @08:31PM (#11593332) Homepage
      You're missing the point.

      It's not about pranks. It's not a question of what the reviewer should and shouldn't do.

      It's a question of what he could do, and therefore what someone with malicious intent could do. Expecting people's actions to just naturally blend into the common good is great and all, but it's simply not going to happen. There's a reason for police, there's a reason for locks on doors, there's a reason for computer security, and there's a reason I don't leave my lunch out when my cat is in the room. Somebody's going to take advantage, and I'm going to get screwed.

      • It's a question of what he could do...

        There's a reason for police, there's a reason for locks on doors, there's a reason for computer security, and there's a reason I don't leave my lunch out when my cat is in the room. Somebody's going to take advantage, and I'm going to get screwed.


        If this isn't the largest piece of FUD I've seen this month, I don't know what is. Good god man, it's just wireless internet access. Get a grip. There's no magic train derailing webapp on the website. The ticketing isn'
        • If this isn't the largest piece of FUD I've seen this month, I don't know what is. Good god man, it's just wireless internet access. Get a grip. There's no magic train derailing webapp on the website. The ticketing isn't tied into the system. It's about as harmless as some idiot flooding the bathroom at the train station. A pain in the ass? Absolutely. A reason to start wondering in deeply fearful tones "what could he do?" Umm.. no.

          Considering that he was able to obtain a list of usernames and passwords a

          • Considering that he was able to obtain a list of usernames and passwords as well as change the prices charged for WiFi access -- anything from "Free" to perhaps hundreds of dollars per hour -- he could have either caused the station to lose revenue or, at worst, jacked up the price, use others' login accounts, and maybe their credit cards would have been automatically billed without them knowing.


            Holy smokes! Call the fire department!! Why does everyone get all hopped up whenever CCs are involved, as if
      • by StikyPad ( 445176 ) on Sunday February 06, 2005 @10:15PM (#11593805) Homepage
        It's not about pranks. It's not a question of what the reviewer should and shouldn't do... There's a reason for police, there's a reason for locks on doors, there's a reason for computer security, and there's a reason I don't leave my lunch out when my cat is in the room.

        It's all about what you should and shouldn't do.

        Understand something: Police aren't around (at least in the US) to PREVENT crime, they're there to respond after the fact. Locks don't prevent theft; they merely deter the casual person from entering a space, or making off with a bike, or a laptop, etc. Anyone who's determined to do something can usually find a way to do it.

        You might be surprised to learn that most physical security isn't really about preventing unauthorized access, it's about deterring people from trying. Security guards aren't some super-vigilant breed of human that can focus their attention on every detail of a situation for extended periods of time. They might be looking around with a suspicious expression (if they're really gung-ho, and not reading a magazine), but they're almost definitely thinking about something unrelated.

        So why do we expect better from software that's been written by people? If someone wants to gain access to a system, they will. It's all about posturing and setting up an interface with a "secure feel," just like the security gate at a building. Sure, you don't just leave the gate open and let the guard leave the station unattended, but there comes a point where you're expending more resources by keeping a facility secure than you stand to lose by having the facility compromised.

        I'm not trying to make excuses for wanton disregard of basic practices.. there's no point in having a gate if you have no fence after all. But to expect any security to be bullet-proof is being unrealistic.
    • by OG ( 15008 )
      I find it strange that you find it strange. In the reality I inhabit, there are people all over the place who are ready to take advantage of a situation because they see fit. Not everyone has the same set of ethics you do, and it's only smart to try to protect yourself and your property. Some scientists even theorize that nature keeps a certain number of those people around to help maintain a balance. You may be ready for a utopian world, but most other people on our planet aren't.
    • by putaro ( 235078 ) on Sunday February 06, 2005 @08:59PM (#11593460) Journal
      The author raised good points - not only is the system insecurity a problem for the owners but also, in all likelihood, it is a problem for all of the users because if you use the system the way you're supposed to and pay with your credit card the database for the credit card is probably accessible.

      Every type of security involves a series of compromises between risk and effort. Most businesses keep their cash in a cash register with someone watching it, not in an open box next to the door.

      The result of people being able to "break the rules" in computer security is not freedom but chaos. Viruses, malware and spyware are all the result of other people being able to break YOUR rules in YOUR computer (well, I assume you have a rule against people doing naughty things on your machine).

      Being able to break "laws" is what freedom and responsibility are about. Having mechanical enforcement of all of our laws would be called a police state. Having locks on your doors is not.
    • The problem is, leaving a high speed internet connection that is accessible via wireless open and unsecure is like keeping a note on your front door saying 'door unlocked, Loaded .45 gun in upstairs bedroom, right side nightstand drawer' It's not 'freedom' to Solicit passersby that you've left your doors unlocked, and a loaded firearm where anyone can grab it. And that Is a PERFECT analogy of an open wireless access system(unlocked home) that is connected to a broadband internet connection(loaded gun) With
    • What systems detect fork bombs? Last time I tried it, it was very easy to bring a Linux or FreeBSD system to its knees. It wasn't even a memory consumption issue, it simply starved other processes of CPU time and lengthened the time needed for the scheduler to decide on which process to run. It can be hard to recover from, and it grows geometrically.

      In case you don't know what we're talking about here, this is how simple fork bombs can be:

      void main() {
          while(1) {
              fork();
          }
      }

    • by AJWM ( 19027 ) on Sunday February 06, 2005 @09:27PM (#11593588) Homepage
      Do you lock your front door? Leave your keys in the ignition? If you really don't understand the attitude, and are not merely saying that for the sake of a post, then you don't lock your front door and you do leave your car keys in the ignition (without locking the car doors).

      It is certainly not permitted for random strangers to enter your house or drive your car, so why worry about locks? Leaving doors unlocked and car keys in the ignition is much more convenient.

      I suspect you understand this attitude far more than you pretend. And no, the attitude of most users is not that you can do these things if it isn't physically prevented -- just as most people are basically honest and won't trespass or steal your car. It's the few assholes you have to be on guard against. Recall the price of freedom.
  • guestBox (Score:5, Interesting)

    by Fudge.Org ( 7036 ) on Sunday February 06, 2005 @08:16PM (#11593268) Homepage Journal
    Ok.

    Well, this is the product:

    guestBOX [guestboxuser.com]

    And... this is the company:

    Atlantis Technology Corporation [atlantistech.com]

    So, all that research... and it never occurred to you to contact the vendor? Granted, maybe these are so plentiful some re-seller or VAR put it in there... but you didn't make mention of that line of thinking (or was this not the whole PDF?) so.... sorry, that's just sounding a little on the lame side.

    Now, if they scoffed or blew you off at that point, okay maybe... but still. You knew the company from just looking at it. Did you try to contact them? I think that would be more telling than surfing through open Indexing on a web server like a kid curl'ing porn images.

  • Using this, set their access to $-100 (Negative 100) per hour, so that you get money every hour instead of having to pay it. This will surely attract business to the station.
  • He didn't "take control of a train station" he found a way into the administrative access to the wireless network. The fact that he did this at a train station is totally irrelevant and only serves to be inflammatory "what could terrorists do with this?" nonsense. I'd say this is about the equivalent of someone finding a breach of security of pay toilets. Just because it's technical and happened at a train station doesn't make it news.

    Did he find a way of stealing credit card information? I didn't see
    • The fact that he did this at a train station is totally irrelevant

      Well, it does make it easier for someone to leave the scene of the crime. :)

      I'm not violating a Patriot Act provision regarding giving assistance in committing crimes by suggesting people could use a TRAIN to leave the TRAIN STATION to avoid getting caught, right? ;)

  • It's a mass transportation system so IIRC any 'attack' on it, whether cyber or otherwise, would count as terrorism under the U SAP AT RIOT act

    Watch out...
  • I knew you could. [evilscheme.org]

    (Warning: here there be goatses!)

    Mal-2
  • Tread carefully! (Score:5, Insightful)

    by bogaboga ( 793279 ) on Sunday February 06, 2005 @08:45PM (#11593396)
    Tread carefully my friend! You are in the US, where frivolous lawsuits can be filed anytime, against anyone.

    You will be caught and be fined heavily! Just ask the other teenager how fun sitting in court was. This is not to mention damage to your entire professional life (I assume it exists).

    Slashdotters here might encourage you, but remember that you will be sitting in the dock alone. In other words, you will answer for YOU. Now before I get modded down, I beg to remind whoever might read this that what I am saying is FACT.

  • Woah There... (Score:3, Insightful)

    by zachlipton ( 448206 ) on Sunday February 06, 2005 @08:56PM (#11593449)
    While the use of default router passwords is of course stupid, it's important to think about what exactly this situation really is.

    What the author of this white paper really accessed is the admin interface of a wireless internet service provider. With this access, he/she could steal internet service or allow others to do so, or even obtain personal customer data, including credit card information, and use it for his/her own gain. While these are of course Bad Things, they really come nowhere close to constituting a national security risk. An inconvenience and a violation of state and federal law, yes, but a national security risk, no.

    What would change things is if it were actually possible to access _train station_ systems through the wireless network. However, these systems are not configured this way. The wireless access is provided by a 3rd party provider that handles only pay-for-service internet access. Anything related to station services or railway control would be handled by its own separate network. The author of this white paper says nothing to indicate that it is possible to do anything that would touch train station operations or that would be of any use to terrorists in an attack on the "very important" nearby buildings.

    Sounds like a whole lot of nothingness to me...
  • by SuperBanana ( 662181 ) on Sunday February 06, 2005 @09:00PM (#11593468)

    Ignoring the grandstanding title and the fact that the author astroturfed his own "article" and site, here's a quote:

    A more farfetched, but very real possibility, is that computers or workers at airports and train stations also use these same networks to make everything tick. If that is the case, it might be possible for an intelligent high school student to start changing train timetables or rerouting baggage.

    And his evidence for this is, what? His own personal opinion? He's been watching Hackers too much if he thinks the schedule board at South Station is networked; it's a -flip- chart (seriously, stick around for 5-10 minutes, and watch it update itself). I'd be amazed if it had anything better than a dedicated thinnet connection to an ancient PC. It's not like some kid with mad h@x0r skills is going to go bippity-boop and put up "TRAIN TO FUCKVILLE 4:20". No. That happens in Hollywood, where people "launch the genetic algorithmic viral defenses!". It does not happen in the real world.

    There are a lot of cheap shots and snide remarks aimed at "The Guvmint", "The Man", etc. This guy sounds like he's about 19, not to mention he's just admitted to logging into places he knew he didn't belong AND changing settings (he changed them back, but still...) Sounds like a great federal indictment to me.

    Some googling shows he's in his very early 20's (graduated from Harvard in 2004 in "3 years", which means he's maybe 21 now), runs some consulting company. Sounds like he's just out to promote his business like every other story submitter these days...

    • On the internet, nobody knows you're a dog...

      A quick Google turns up an interesting story from his undergraduate days [thecrimson.com] at Harvard, when he ran a web site that required that users use the same password on his web site as on their university accounts. Tsk, tsk.

    • by Otto ( 17870 ) on Monday February 07, 2005 @01:23AM (#11594445) Homepage Journal
      And his evidence for this is, what? His own personal opinion?

      While I agree with you on the fact that he's just speculating at that point, nevertheless a possibility exists for this sort of thing to happen.

      Simple example: I went wardriving through town once. I found a lot of connections of course, but basically I just set the sniffer up on the laptop and drove around slowly. Later, when I got home, I checked out what I had found, and using timestamps I figured out where the different access points I had found were (I lacked a GPS then).

      One of the ones I found was a drugstore. I looked at the raw trace and saw some really odd plaintext there. So I went back and left the laptop in the car while I went in and bought some stuff and took a look around.

      What I found:
      - Their cash registers were all wirelessly linked to some system in the back. When you scanned an item, the barcode was read, transmitted to the machine in the back, which looked up the price and spat it back to the register. Credit card authorization was handled the same way. All this was plaintext, as I looked at the data and found my credit card number as well as barcodes from the items I purchased in there. Didn't understand the formatting, but it wasn't too difficult to see my name and credit card number stand out like a shining beacon.
      - Some kind of prescription transactions were wireless as well. While I didn't get a lot of data of this sort, there were packets containing various drug names, in plaintext, being sent over the air. I'd bet money that insurance information as well as whoever bought the prescription would have eventually gone out in the clear too.

      The point being that security was basically non-existent for something you have a reasonable expectation of being private. I mean, when you design a wireless network to handle credit transactions, you'd think some form of encryption would be pretty frickin' obvious, right? Let alone tossing somebody's prescription info out onto the airwaves.

      So while he didn't state you could change the lights and has no idea if you can actually fuck with the trains, the point I think he was trying to make is that clearly security is not at the forefront of the minds of a lot of people for this sort of thing. Admittedly, my drugstore example happened a couple years back, and may have been fixed by now, but this sort of thing happens because people don't think about it being an issue. It's that part that needs to be fixed. Whether any given example can actually be compromised in a serious way is not the point.
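A check a store's own network team could run over payloads captured on their point-of-sale segment to confirm the cleartext-card condition described in the comment above. This is an added example, not part of the original thread; the frame layout, field names and the card number (a widely used test PAN) are constructed.

```python
import re

# Candidate PANs: 13-19 digits, optionally grouped by single spaces or dashes.
PAN_RE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first 6 / last 4 so the finding can be reported without the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_cleartext_pans(payload: bytes):
    """Return (offset, masked PAN) for every Luhn-valid number in a payload."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits

# Constructed sample frames (not from any real capture).
SAMPLE_FRAMES = [
    b"REG03|SCAN|UPC=036000291452|QTY=1",                      # barcode only
    b"REG03|AUTH|NAME=J DOE|CARD=4111 1111 1111 1111|EXP=0107|AMT=12.34",
    b"REG02|AUTH|ORDER=1234567890123456|AMT=3.00",             # fails Luhn
    b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0)),        # encrypted record
]

def audit(frames):
    """Map frame index -> findings, listing only frames that leak a PAN."""
    report = {}
    for i, frame in enumerate(frames):
        hits = find_cleartext_pans(frame)
        if hits:
            report[i] = hits
    return report

if __name__ == "__main__":
    for idx, hits in audit(SAMPLE_FRAMES).items():
        print(f"frame {idx}: cleartext PAN(s) {hits}")
```

Any hit on a wireless segment means card data is crossing the air unencrypted; the fix is transport encryption between register and back-office host, not obscuring the frame format.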
  • mmmkay... (Score:3, Insightful)

    by Infinityis ( 807294 ) on Sunday February 06, 2005 @10:12PM (#11593800) Homepage
    You know what I find creepy...not so much what this guy did, but if you look at all the posts proclaiming "This guy is a felon, lock him up" it's almost ALL done by Anonymous Cowards. Makes me wonder who all is doing it. Might just be one guy posting over and over and over, or it could be some hired hands trying to make a statement.

    Either way, I'd like to see a followup to this at some point stating what happens with the guy next:

    "Does he really get arrested, or is he hired on by wireless network providers? Stay tuned to find out!"
  • Hmm (Score:5, Interesting)

    by patryn20 ( 812091 ) on Sunday February 06, 2005 @10:19PM (#11593815)

    Well, it is nice that this guy actually bothered to write this up, but he seems to simply be using a lot of common mistakes and guesswork. On top of that, his knowledge of some basic concepts in hardware administration and business processes is somewhat lacking.

    First, MAC addresses are not unique. There is no universal table of MAC's that hardware manufacturers report to. I have installed ethernet cards from the SAME manufacturer that have had the SAME MAC address while setting up machines for a client.

    Second, many of these errors are not necessarily the programmers' fault. They are more than likely the responsibility of management being cheap and forcing programmers to do the jobs of multiple people. IT is separate from software development. The fact that the network and server are insecure is the IT department/person's fault. In small companies this may be the same person, but in most large corporations that is not the case. Directory listing and permissions are generally the responsibility of the server administrator.

    Now, the username issues are definitely scary. Leaving test accounts open with simple passwords is just plain stupid. The company I develop software for has over fifty million dollars worth of data on their servers. We also store credit card info for clients, etc. If we used common passwords like that, we would be fired. The admin would go through the database, see the passwords, and report them to our supervisor. Say goodbye! Not to mention, test accounts on production servers are bad practice anyway. If you are making any money, you are extremely stupid not to have a separate development environment.

    In my opinion, these problems seem to be more management and implementation problems, and not so much development problems as the author seems to suggest. They are still real problems though. That customer listing one for the phone company really scares me. ::shiver:: I hope SBC in Texas doesn't have problems like that.

  • When I was a kid, I was able to figure out the locks at North Station in Boston. For those of you who don't know, North Station is the other major train station in Boston.

    Back in the 60's, when the world was a little bit more innocent, I was able to fit a master key to all of the locks in North Station, which was also Boston Garden (the arena for the Boston Celtics and the Boston Bruins).

    I never used the key; in fact I threw it away once I made it. It was only a proof of concept.

    The only things I make are my wearable art (http://www.allyn.com/ [allyn.com] and http://www.clearplastic.com/ [clearplastic.com])

    Locksmithing is no longer fun with all of the security paranoia. I buy my own locks to play with. The only fun thing I do in North Station anymore is to prance around in a leather jock strap and a clear plastic raincoat.

  • by Jack Greenbaum ( 7020 ) on Monday February 07, 2005 @12:22AM (#11594248) Homepage Journal
    The end of the article suggests that recording MAC addresses is a way to track users on the internet; the author implies they cannot be forged. Hah! Ethernet and wifi devices have to store their MAC address somewhere, and that somewhere when power is on is in a register that is almost always writable by a device driver. Furthermore, since MAC addresses only stay on the physical subnet, there is no way to identify the MAC address from the other side of a router.

    The only way to really track people is by using a transport protocol with authentication. Somehow I don't think the world is ever going to agree on one.

    -- Jack

  • by sjf ( 3790 ) on Monday February 07, 2005 @10:16AM (#11596450)
    Excellent piece. Anyone who bothered to RTF(boring,pedantic,condescending)A would quickly see that the headline is a complete fiction. All the author did was exploit a hole in a for-pay Public Access WiFi network. No opportunity to route trains onto otherwise occupied platforms. No threat to a "major transportation hub."

    Just some guy doing trivial guesswork to get free wireless access...that happens to be at Boston's South Station.

    Was writing the article his post-priori justification for the service theft?
