Drive-by spam hits wireless LANs
And you think the terrestrial sources are hard to shut down....
Drive-by spam hits wireless LANs
By Graeme Wearden Special to CNET News.com September 6, 2002, 10:14 AM PT http://news.com.com/2100-1033-956911.html
LONDON--The proliferation of insecure corporate wireless networks is fueling the growth of drive-by spamming, a security expert warned on Thursday.
It always figures, that when you create a commons, virtual or actual that someone will come along and mess it up. joelja On Tue, 10 Sep 2002, blitz wrote:
And you think the terrestrial sources are hard to shut down....
Drive-by spam hits wireless LANs
By Graeme Wearden Special to CNET News.com September 6, 2002, 10:14 AM PT http://news.com.com/2100-1033-956911.html
LONDON--The proliferation of insecure corporate wireless networks is fueling the growth of drive-by spamming, a security expert warned on Thursday.
-- -------------------------------------------------------------------------- Joel Jaeggli Academic User Services joelja@darkwing.uoregon.edu -- PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E -- In Dr. Johnson's famous dictionary patriotism is defined as the last resort of the scoundrel. With all due respect to an enlightened but inferior lexicographer I beg to submit that it is the first. -- Ambrose Bierce, "The Devil's Dictionary"
blitz wrote:
And you think the terrestrial sources are hard to shut down....
Drive-by spam hits wireless LANs
By Graeme Wearden Special to CNET News.com September 6, 2002, 10:14 AM PT http://news.com.com/2100-1033-956911.html
LONDON--The proliferation of insecure corporate wireless networks is fueling the growth of drive-by spamming, a security expert warned on Thursday.
I must be honest, I haven't heard of any reports here in Sweden (or anywhere else) that this is a real problem, are there any true incidents that this has happened? /J
I must be honest, I haven't heard of any reports here in Sweden (or anywhere else) that this is a real problem, are there any true incidents that this has happened?
Yes. If you sit with your laptop in the park across from our office you can see 3 unprotected wireless domains. There was an article [although I can't remember what publication] featuring a few people driving through the City of London [London's financial community area] they found several unprotected LANs. Regards, Neil. -- Neil J. McRae - Alive and Kicking neil@DOMINO.ORG
Neil J. McRae wrote:
I must be honest, I haven't heard of any reports here in Sweden (or anywhere else) that this is a real problem, are there any true incidents that this has happened?
Yes. If you sit with your laptop in the park across from our office you can see 3 unprotected wireless domains. There was an article [although I can't remember what publication] featuring a few people driving through the City of London [London's financial community area] they found several unprotected LANs.
Regards, Neil.
Just cause there are unprotected WLANs doesn't imply that spammers use them (perhaps it's too hard for the spammers ;)). Corporations should protect their WLANs but saying that spamming is a great threat is to overdo it. Regards John
Just cause there are unprotected WLANs doesn't imply that spammers use them (perhaps it's too hard for the spammers ;)). Corporations should protect their WLANs but saying that spamming is a great threat is to overdo it.
I agree, but people said that the spammers wouldn't be able to deal with BGP route advertisement but there were cases of spammers injecting routes sending out spam then removing those routes. Wlan is easy. Neil. -- Neil J. McRae - Alive and Kicking neil@DOMINO.ORG
Neil J. McRae wrote:
Just cause there are unprotected WLANs doesn't imply that spammers use them (perhaps it's too hard for the spammers ;)). Corporations should protect their WLANs but saying that spamming is a great threat is to overdo it.
I agree, but people said that the spammers wouldn't be able to deal with BGP route advertisement but there were cases of spammers injecting routes sending out spam then removing those routes. Wlan is easy.
Neil.
Yes you are right, but I think that the article on news.com doesn't contain any valuable information but is just there to scare ppl. It isn't so hard to make admins secure the open hotspots, the problem is how to handle ppl who buy hour access at a café. (IMHO) /John
On Wed, Sep 11, 2002 at 12:45:23PM +0200, John Angelmo wrote:
Just cause there are unprotected WLANs doesn't imply that spammers use them (perhaps it's too hard for the spammers ;)). Corporations should protect their WLANs but saying that spamming is a great threat is to overdo it.
To some extent. Imagine a few of the following scenarios: 1) You work for an ISP and have access through them. One large enough that they apply their AUP to their own people. You have ISDN/DSL or some other connection w/ reverse-dns for your personal domain @ home. Someone drives by your place, finds your unprotected lan, sends spam, hacks, etc.. complaints come in, you lose job because you were a spammer and your employer needs to stop, etc. 2) You are a small company, someone does this, and you get blacklisted as a spamhaus. you are unable to get internet access. 3) you have a cable modem as your only high-speed connectivity. you have one of the linksys/whatever nat+802.11a/b boxen. you get used, you get blacklisted and can not get high-speed pr0n again. While these seem like minor annoyances in some cases, they can be quite dramatic to the person on the receiving end. I wish the wireless vendors would use a somewhat more intelligent approach and turn WEP on by default when shipping their units and at the cost of a few cents more they can print a sticker on the box that can be removed later that has the unique WEP key for that unit. Similar to the way when you go to the hardware store you can play match-up to get the same key for multiple locks. - Jared -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Jared Mauch wrote:
Imagine a few of the following scenarios:
1) You work for an ISP and have access through them. One large enough that they apply their AUP to their own people. You have ISDN/DSL or some other connection w/ reverse-dns for your personal domain @ home. Someone drives by your place, finds your unprotected lan, sends spam, hacks, etc.. complaints come in, you lose job because you were a spammer and your employer needs to stop, etc. 2) You are a small company, someone does this, and you get blacklisted as a spamhaus. you are unable to get internet access. 3) you have a cable modem as your only high-speed connectivity. you have one of the linksys/whatever nat+802.11a/b boxen. you get used, you get blacklisted and can not get high-speed pr0n again.
While these seem like minor annoyances in some cases, they can be quite dramatic to the person on the receiving end. I wish the wireless vendors would use a somewhat more intelligent approach and turn WEP on by default when shipping their units and at the cost of a few cents more they can print a sticker on the box that can be removed later that has the unique WEP key for that unit. Similar to the way when you go to the hardware store you can play match-up to get the same key for multiple locks.
Hi In some way you are right, but still I think it's even worse to use WEP cause then the admins might think it's safe, it takes about 15 minutes to crack a wepkey, so instead of drive-by spamming you could call it drive-by, have a bagel, start spamming. The most hardware/software independent solution I have seen so far is the use of VPN, simply place the WLAN outside your own LAN. /John
On Wed, Sep 11, 2002 at 07:08:53PM +0200, John Angelmo wrote:
Jared Mauch wrote: In some way you are right, but still I think it's even worse to use WEP cause then the admins might think it's safe, it takes about 15 minutes to crack a wepkey, so instead of drive-by spamming you could call it drive-by, have a bagel, start spamming.
I'm not trying to fix the underlying wireless encryption option just provide a simple way that the manufacturers can ship a 'more secure' out-of-the-box-product.
The most hardware/software independent solution I have seen so far is the use of VPN, simply place the WLAN outside your own LAN.
Absolutely. There are a lot of things one can do: 1) enable wep 2) rotate wep keys 3) authenticate by mac-address 4) restrict dhcp to known mac-addresses 5) force utilization of vpn/ipsec client Obviously not all of these solutions are available in all cases, but in a home or small lan-environment a subset of these will increase security (even if it's reinforcing the screen door with 1/16" of balsa wood) - jared -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
On Wed, 11 Sep 2002, Jared Mauch wrote:
There are a lot of things one can do:
1) enable wep 2) rotate wep keys 3) authenticate by mac-address 4) restrict dhcp to known mac-addresses 5) force utilization of vpn/ipsec client
Suddenly laying down UTP doesn't seem so bad anymore...
Obviously not all of these solutions are available in all cases, but in a home or small lan-environment a subset of these will increase security (even if it's reinforcing the screen door with 1/16" of balsa wood)
You can forget rotating WEP keys on anything that isn't four times as expensive as what most people have at home. Authentication by MAC address doesn't buy you anything since someone else can "borrow" the MAC address. Does anyone have experience with using asymmetric WEP keys? (= key 1 for AP -> client and key 2 for client -> AP.) I'm thinking about doing this so I can at least obscure my upstream traffic even if the downstream WEP key is public knowledge. Obviously this isn't anything near safe, but this way I'd risk the inconvenience of someone stealing my HTTP cookies or passwords and messing up my settings for some non-essential web services. (Anything even remotely sensitive will run over SSH or SSL of course.)
{WEP != encryption... thread} As it happens, I'm looking at a consumer 802.11 product that will have real encryption. It should be released Real Soon Now & I'll be happy to say more when that happens.. -- A host is a host from coast to coast.................wb8foz@nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433
* wb8foz@nrk.com (David Lesher) [Wed 11 Sep 2002, 20:38 CEST]:
As it happens, I'm looking at a consumer 802.11 product that will have real encryption. It should be released Real Soon Now & I'll be happy to say more when that happens..
No Wires Needed is among the companies working on bringing some real crypto to wireless networking (no idea if you meant them specifically), but I have no idea whether their work will be open-standards based. Regards, -- Niels. -- "Patient" is Latin for "sufferer".
In some way you are right, but still I think it's even worse to use WEP cause then the admins might think it's safe, it takes about 15 minutes to crack a wepkey, so instead of drive-by spamming you could call it drive-by, have a bagel, start spamming.
WEP != security, true.
The most hardware/software independent solution I have seen so far is the use of VPN, simply place the WLAN outside your own LAN.
This would prevent drive-by spamming if combined with a filtering policy that makes the wireless LAN useful only for (authenticated) VPN access and the minimal amount of glue (DHCP, DNS to a specific resolver) required to make the VPN work. If the wireless LAN has access to any host you don't control directly, the risk of there being a conduit to access the wireless LAN in ways that you don't intend goes up. Stephen
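The filtering policy Stephen describes above, sketched as an nftables ruleset for a Linux gateway sitting between the wireless segment and everything else. This is an added example, not part of the original thread; the interface name and the VPN gateway and resolver addresses are placeholder assumptions (RFC 5737 documentation addresses).

```nft
#!/usr/sbin/nft -f
# Constructed example. Placeholders (assumptions, not from the thread):
define WLAN_IF  = "wlan0"        # interface facing the wireless LAN
define VPN_GW   = 192.0.2.10     # the only VPN/IPsec endpoint clients may reach
define RESOLVER = 192.0.2.53     # the one DNS resolver clients may query

table inet wlan_quarantine {
    # Everything arriving from the wireless side is evaluated here.
    chain from_wlan {
        # Glue 1: DHCP requests from clients (answered by this gateway).
        udp sport 68 udp dport 67 accept

        # Glue 2: DNS, but only to the designated resolver.
        ip daddr $RESOLVER udp dport 53 accept
        ip daddr $RESOLVER tcp dport 53 accept

        # The VPN itself: IKE, NAT-T and ESP to the gateway only.
        ip daddr $VPN_GW udp dport { 500, 4500 } accept
        ip daddr $VPN_GW ip protocol esp accept

        # Direct SMTP from the wireless side is what drive-by spam needs;
        # log it separately so attempts are visible, then drop.
        tcp dport 25 log prefix "wlan-smtp-drop: " counter drop

        # Anything else (including all IPv6, which matches no rule above)
        # never leaves the wireless segment.
        counter drop
    }

    # Traffic addressed to the gateway itself.
    chain input {
        type filter hook input priority 0; policy accept;
        iifname $WLAN_IF jump from_wlan
    }

    # Traffic the gateway would route onward.
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname $WLAN_IF jump from_wlan
    }
}
```

Authenticated traffic arrives on the VPN's own interface after decryption, so it is not subject to `from_wlan`; the counters on the two drop rules show how often the wireless side is being probed.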
The cost of enabling/labeling may be only a 'few cents more' but the cost of support when Joe Sixpack forgets his key/loses the label is another story altogether. There's a reason most equipment, not just wireless, is delivered in 'chimp simple' configuration... Best regards, _________________________ Alan Rowland -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jared Mauch Sent: Wednesday, September 11, 2002 5:01 AM To: John Angelmo Cc: Neil J. McRae; blitz; nanog@merit.edu Subject: Re: Drive-by spam hits wireless LANs On Wed, Sep 11, 2002 at 12:45:23PM +0200, John Angelmo wrote:
Just cause there are unprotected WLANs doesn't imply that spammers use them (perhaps it's too hard for the spammers ;)). Corporations should protect their WLANs but saying that spamming is a great threat is to overdo it.
To some extent. Imagine a few of the following scenarios: 1) You work for an ISP and have access through them. One large enough that they apply their AUP to their own people. You have ISDN/DSL or some other connection w/ reverse-dns for your personal domain @ home. Someone drives by your place, finds your unprotected lan, sends spam, hacks, etc.. complaints come in, you lose job because you were a spammer and your employer needs to stop, etc. 2) You are a small company, someone does this, and you get blacklisted as a spamhaus. you are unable to get internet access. 3) you have a cable modem as your only high-speed connectivity. you have one of the linksys/whatever nat+802.11a/b boxen. you get used, you get blacklisted and can not get high-speed pr0n again. While these seem like minor annoyances in some cases, they can be quite dramatic to the person on the receiving end. I wish the wireless vendors would use a somewhat more intelligent approach and turn WEP on by default when shipping their units and at the cost of a few cents more they can print a sticker on the box that can be removed later that has the unique WEP key for that unit. Similar to the way when you go to the hardware store you can play match-up to get the same key for multiple locks. - Jared -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
This is what console ports / direct cable connects to a mgmt port (usb or whatnot) are useful for. As well as an overall 'clear config' button on the unit. Now if someone can help me figure out the unlock code for the microwave in the house i bought so i can stop unplugging it, let me know :) - jared On Wed, Sep 11, 2002 at 10:11:12AM -0700, Al Rowland wrote:
The cost of enabling/labeling may be only a 'few cents more' but the cost of support when Joe Sixpack forgets his key/loses the label is another story altogether. There's a reason most equipment, not just wireless, is delivered in 'chimp simple' configuration...
Wanna bet if Joe Sixpack bothers to re-enable anything he doesn't have to after his first use of the clear config button/power cycle? This also breaks physical security. Find the power panel on the house (accessible by fire code) cycle the power, hack into the now open system... Hey, that's just as plausible as most of the other scenarios in this thread. :O That's why my Linksys maintains its state through a power cycle. One of the reasons I specifically selected it. As far as the microwave, RTFM. Oh, wait, if it's not a new house the original Joe Sixpack typical "I don't need no stupid manual" 'Merican likely threw them away. Might try the manufacturer's web site. Many include PDF manual files and maybe even a Customer Support page. Apologies if you've already been there. Best regards, _________________________ Alan Rowland -----Original Message----- From: Jared Mauch [mailto:jared@puck.Nether.net] Sent: Wednesday, September 11, 2002 10:16 AM To: Al Rowland Cc: nanog@merit.edu Subject: Re: Drive-by spam hits wireless LANs This is what console ports / direct cable connects to a mgmt port (usb or whatnot) are useful for. As well as an overall 'clear config' button on the unit. Now if someone can help me figure out the unlock code for the microwave in the house i bought so i can stop unplugging it, let me know :) - jared On Wed, Sep 11, 2002 at 10:11:12AM -0700, Al Rowland wrote:
The cost of enabling/labeling may be only a 'few cents more' but the cost of support when Joe Sixpack forgets his key/loses the label is another story altogether. There's a reason most equipment, not just wireless, is delivered in 'chimp simple' configuration...
* alan_r1@corp.earthlink.net (Al Rowland) [Wed 11 Sep 2002, 19:13 CEST]:
The cost of enabling/labeling may be only a 'few cents more' but the cost of support when Joe Sixpack forgets his key/loses the label is another story altogether. There's a reason most equipment, not just wireless, is delivered in 'chimp simple' configuration...
Lucent access points - at least, the residential gateways - actually come with WEP enabled by default. (Not that it's beyond trivial to guess the key, though) Regards, -- Niels. -- "Patient" is Latin for "sufferer".
Getting your entire corporate LAN dumped into the RBL mess could be devastating, how much productivity lost? How much time wasted getting OFF the RBL? How many contacts missed, correspondences missed? You could be getting into a very rough ride for some days to some weeks, as the block information propagates down the food chain, then as the un-block does likewise. It's just better to take the defensive and encrypt in the first place. Agreed, for cyber-squatter places like coffee shops and airports, this could be a pain. At 08:01 9/11/02 -0400, you wrote:
On Wed, Sep 11, 2002 at 12:45:23PM +0200, John Angelmo wrote:
Just cause there are unprotected WLANs doesn't imply that spammers use them (perhaps it's too hard for the spammers ;)). Corporations should protect their WLANs but saying that spamming is a great threat is to overdo it.
To some extent.
Imagine a few of the following scenarios:
1) You work for an ISP and have access through them. One large enough that they apply their AUP to their own people. You have ISDN/DSL or some other connection w/ reverse-dns for your personal domain @ home. Someone drives by your place, finds your unprotected lan, sends spam, hacks, etc.. complaints come in, you lose job because you were a spammer and your employer needs to stop, etc. 2) You are a small company, someone does this, and you get blacklisted as a spamhaus. you are unable to get internet access. 3) you have a cable modem as your only high-speed connectivity. you have one of the linksys/whatever nat+802.11a/b boxen. you get used, you get blacklisted and can not get high-speed pr0n again.
I believe the question was use of the access to spam, not just that the majority of users leave their equipment (all, not just the wireless part) in the original, out-of-the-box configuration. Remember those comments on the flashing 12:00 on most VCRs? BTW, everyone out there with a random number/character upper/lower case password at least 12 characters long on every piece of equipment they own, different username/password on each piece please, raise your hand. Thought so. ;) Note my hand is not raised. I'd go nuts. Although the appropriate pieces do conform to this. Best regards, _________________________ Alan Rowland -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Neil J. McRae Sent: Wednesday, September 11, 2002 3:37 AM To: John Angelmo Cc: blitz; nanog@merit.edu Subject: Re: Drive-by spam hits wireless LANs
I must be honest, I haven't heard of any reports here in Sweden (or anywhere else) that this is a real problem, are there any true incidents that this has happened?
Yes. If you sit with your laptop in the park across from our office you can see 3 unprotected wireless domains. There was an article [although I can't remember what publication] featuring a few people driving through the City of London [London's financial community area] they found several unprotected LANs. Regards, Neil. -- Neil J. McRae - Alive and Kicking neil@DOMINO.ORG
participants (11)
- Al Rowland
- blitz
- David Lesher
- Iljitsch van Beijnum
- Jared Mauch
- Jared Mauch
- Joel Jaeggli
- John Angelmo
- neil@DOMINO.ORG
- Niels Bakker
- Stephen Stuart