So my question is pretty simple. You have all these major companies such as Google/EarthLink/Sprint/etc. building wifi networks. Let's say I want to collect people's information, so I set up an AP with the same SSID as Google's AP so people connect to it and I log all of their traffic. Most people won't check beyond the SSID to look at the MAC address, but even that could be spoofed. Is there any way to verify a certain AP beyond MAC/SSID? Will there be in the future? How do these companies plan to mitigate this threat, or are they just going to hope consumers are smart enough to figure it out?

Ross Hosman
Network/Systems Administrator
E: rhosman@corp.hometel.com
P: 618-644-2111 x 238
C: 314-898-3381
Y!: rosshosman
On Nov 21, 2005, at 9:42 AM, Ross Hosman wrote:
So my question is pretty simple. You have all these major companies such as Google/EarthLink/Sprint/etc. building wifi networks. Let's say I want to collect people's information, so I set up an AP with the same SSID as Google's AP so people connect to it and I log all of their traffic. Most people won't check beyond the SSID to look at the MAC address, but even that could be spoofed. Is there any way to verify a certain AP beyond MAC/SSID? Will there be in the future? How do these companies plan to mitigate this threat, or are they just going to hope consumers are smart enough to figure it out?
Why would you even need to set up an AP? Why not just sit and sniff traffic? Gets you the _exact_ same information.

And why worry about Google, etc., when Starbucks and airports have been doing this for _years_?

Lastly, most consumers are smart enough to know to use encryption (the little padlock in their browser). Some aren't. Changing the WiFi architecture is not going to save those who aren't.

-- TTFN, patrick
--- "Patrick W. Gilmore" <patrick@ianai.net> wrote:
Why would you even need to set up an AP? Why not just sit and sniff traffic? Gets you the _exact_ same information.
And why worry about Google, etc., when Starbucks and airports have been doing this for _years_?
Lastly, most consumers are smart enough to know to use encryption (the little padlock in their browser). Some aren't. Changing the WiFi architecture is not going to save those who aren't.
-- TTFN, patrick
I have to disagree that most consumers are smart enough to use encryption. Most consumers are dumb as a brick when it comes to the internet and especially security. Take a look at the average AOL user and you'll see what I'm saying. Starbucks and T-Mobile are a little bit different as these networks aren't concentrated. As companies start covering entire cities I believe you could start seeing this become a regular problem.
On Mon, 21 Nov 2005, Patrick W. Gilmore wrote:
Why would you even need to set up an AP? Why not just sit and sniff traffic? Gets you the _exact_ same information.
Man in the middle is easier if you are the gateway; no need to steal ARP.
And why worry about Google, etc., when Starbucks and airports have been doing this for _years_?
yup
Lastly, most consumers are smart enough to know to use encryption (the little padlock in their browser). Some aren't. Changing the WiFi architecture is not going to save those who aren't.
'most consumers' .. c'mon, less than one percent.. seriously.. YMMV though, e.g. at airports you stand a higher chance of sniffing a VPN connection, but as has been demonstrated many times, even us techies haven't got our heads around encryption yet.

Here's some fun: next time you're at NANOG or your favourite geek conference, just run 'tcpdump -w - -s1500 -nn|strings|grep -i password' and be prepared to hit scroll lock ;)

Steve
* steve@telecomplete.co.uk (Stephen J. Wilcox) [Mon 21 Nov 2005, 16:07 CET]:
On Mon, 21 Nov 2005, Patrick W. Gilmore wrote:
Why would you even need to set up an AP? Why not just sit and sniff traffic? Gets you the _exact_ same information.
Man in the middle is easier if you are the gateway; no need to steal ARP.
It's *wireless*! You can just sit and sniff traffic, no need to play ARP games to redirect traffic to you.
Here's some fun: next time you're at NANOG or your favourite geek conference, just run 'tcpdump -w - -s1500 -nn|strings|grep -i password' and be prepared to hit scroll lock ;)
I've visited conferences where the wireless LAN was deemed "secure" by the organisation because they had outlawed sniffers. -- Niels.
On Nov 21, 2005, at 10:36 AM, Niels Bakker wrote:
Here's some fun: next time you're at NANOG or your favourite geek conference, just run 'tcpdump -w - -s1500 -nn|strings|grep -i password' and be prepared to hit scroll lock ;)
I've visited conferences where the wireless LAN was deemed "secure" by the organisation because they had outlawed sniffers.
That line of thinking is unfortunately not unique to outlawing sniffers ;-)..
On Mon, 21 Nov 2005, Niels Bakker wrote:
* steve@telecomplete.co.uk (Stephen J. Wilcox) [Mon 21 Nov 2005, 16:07 CET]:
Here's some fun: next time you're at NANOG or your favourite geek conference, just run 'tcpdump -w - -s1500 -nn|strings|grep -i password' and be prepared to hit scroll lock ;)
I've visited conferences where the wireless LAN was deemed "secure" by the organisation because they had outlawed sniffers.
Yes, there are stupid people everywhere... Perhaps asking the question in another way is in order:

"Given a large and widely available wireless network solution for 'consumers', how would you propose to raise the 'security' for users of that network?"

Would you force WEP? Would you force WPA/WPA2? Would you force IPsec? Would you skip transport-level encryption in favor of application-level security? Would you do widespread and wide-scale education efforts for the users?

-chris
--- "Christopher L. Morrow" <christopher.morrow@mci.com> wrote:
yes, there are stupid people everywhere... Perhaps asking the question in another way is in order:
"Given a large and widely available wireless network solution for 'consumers', how would you propose to raise the 'security' for users of that network?"
Would you force WEP? Would you force WPA/WPA-2? Would you force ipsec? Would you skip transport level encryption in favor of application level security? Would you do widespread and widescale education efforts for the users?
-chris
Google has come out with their Secure Access product, which helps, but reminding someone's grandma to use that product when she is using a wifi network is going to be near impossible. For one, she doesn't know what wifi is; she just knows how to connect her computer to the internet and click that email icon on her desktop. Education will also be nearly impossible as many can hardly grasp simple concepts. With wireless encryption you could set up your "fake" AP to use it between the user and the AP, then just sniff the traffic on the end.
On Mon, 21 Nov 2005, Niels Bakker wrote:
* steve@telecomplete.co.uk (Stephen J. Wilcox) [Mon 21 Nov 2005, 16:07 CET]:
On Mon, 21 Nov 2005, Patrick W. Gilmore wrote:
Why would you even need to set up an AP? Why not just sit and sniff traffic? Gets you the _exact_ same information.
Man in the middle is easier if you are the gateway; no need to steal ARP.
It's *wireless*! You can just sit and sniff traffic, no need to play ARP games to redirect traffic to you.
i was more thinking in terms of breaking into encrypted sessions by spoofing the server and client
Here's some fun: next time you're at NANOG or your favourite geek conference, just run 'tcpdump -w - -s1500 -nn|strings|grep -i password' and be prepared to hit scroll lock ;)
I've visited conferences where the wireless LAN was deemed "secure" by the organisation because they had outlawed sniffers.
hehe :) Steve
On Mon, 21 Nov 2005, Stephen J. Wilcox wrote:
On Mon, 21 Nov 2005, Patrick W. Gilmore wrote:
Why would you even need to set up an AP? Why not just sit and sniff traffic? Gets you the _exact_ same information.
Man in the middle is easier if you are the gateway; no need to steal ARP.
you don't have to steal arp on a wireless network, you just sniff the frames as they go by.
And why worry about Google, etc., when Starbucks and airports have been doing this for _years_?
yup
Lastly, most consumers are smart enough to know to use encryption (the little padlock in their browser). Some aren't. Changing the WiFi architecture is not going to save those who aren't.
'most consumers' .. c'mon, less than one percent.. seriously.. YMMV though, e.g. at airports you stand a higher chance of sniffing a VPN connection, but as has been demonstrated many times, even us techies haven't got our heads around encryption yet.
Here's some fun: next time you're at NANOG or your favourite geek conference, just run 'tcpdump -w - -s1500 -nn|strings|grep -i password' and be prepared to hit scroll lock ;)
Steve
-- -------------------------------------------------------------------------- Joel Jaeggli Unix Consulting joelja@darkwing.uoregon.edu GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
* joelja@darkwing.uoregon.edu (Joel Jaeggli) [Mon 21 Nov 2005, 18:52 CET]:
On Mon, 21 Nov 2005, Stephen J. Wilcox wrote:
On Mon, 21 Nov 2005, Patrick W. Gilmore wrote:
Why would you even need to set up an AP? Why not just sit and sniff traffic? Gets you the _exact_ same information.
Man in the middle is easier if you are the gateway; no need to steal ARP.
you don't have to steal arp on a wireless network, you just sniff the frames as they go by.
As others pointed out (to me as well), for a _man in the middle_ attack (e.g. impersonating www.paypal.com) it is necessary to play ARP games or otherwise insert yourself in the flow of traffic. -- Niels.
As others pointed out (to me as well), for a _man in the middle_ attack (e.g. impersonating www.paypal.com) it is necessary to play ARP games or otherwise insert yourself in the flow of traffic.
not really. you just need to be there first with a bogus, redirecting, dns response. randy
Randy Bush wrote:
As others pointed out (to me as well), for a _man in the middle_ attack (e.g. impersonating www.paypal.com) it is necessary to play ARP games or otherwise insert yourself in the flow of traffic.
not really. you just need to be there first with a bogus, redirecting, dns response.
I wish I had a nickel (ok, a dollar) for every bogus laptop I've seen in hotels and airports that was set up for "co_presidents_club", "starbucks", "t-mobile" AND "tmobile", "corporate", etc. I've often wondered if those users were really being malicious, plain stupid, or were carrying around a laptop "owned" by someone else.

Either way, there are PLENTY of systems out there pretending to be something they aren't. I often try to connect to them and get some data, but most either won't give an IP, or if they do, they don't forward packets or respond with anything worthwhile. I run a pretty tight system, so perhaps those faux APs are trying to detect other configs (Client for MS/Netware, F/P Sharing, SNMP, WINS, IPX, etc).

-Jim P.
On Mon, 21 Nov 2005, Jim Popovitch wrote:
Randy Bush wrote:
As others pointed out (to me as well), for a _man in the middle_ attack (e.g. impersonating www.paypal.com) it is necessary to play ARP games or otherwise insert yourself in the flow of traffic.
not really. you just need to be there first with a bogus, redirecting, dns response.
I wish I had a nickel (ok, a dollar) for every bogus laptop I've seen in hotels and airports that was set up for "co_presidents_club", "starbucks", "t-mobile" AND "tmobile", "corporate", etc. I've often wondered if those users were really being malicious, plain stupid, or were carrying around a laptop "owned" by someone else.
They were configured with a specific SSID at one point and are now beaconing in ad-hoc mode because they can't find that SSID. Crappy driver implementation is the root cause of that.
Either way, there are PLENTY of systems out there pretending to be something they aren't. I often try to connect to them and get some data, but most either won't give an IP, or if they do, they don't forward packets or respond with anything worthwhile.
Dumb users in adhoc mode.
I run a pretty tight system, so perhaps those faux APs are trying to detect other configs (Client for MS/Netware, F/P Sharing, SNMP, WINS, IPX, etc).
No they're just poor clueless users with bad software.
-Jim P.
On Mon, 21 Nov 2005, Randy Bush wrote:
As others pointed out (to me as well), for a _man in the middle_ attack (e.g. impersonating www.paypal.com) it is necessary to play ARP games or otherwise insert yourself in the flow of traffic.
not really. you just need to be there first with a bogus, redirecting, dns response.
That's right. Remember, all they need to do is sniff wireless traffic for a DNS request for "paypal.com" and then send a UDP packet back as an answer (from a closer location; it might even be on the wireless network) that has faked its origin as if it came from the DNS server the user asked, and has some other address for paypal.

The good news is that if SSL is used (the DNS request is due to the user going to https://www.paypal...) then it will not properly work, because they cannot fake an SSL cert for paypal from Verisign, so some kind of warning about the cert being self-signed and not issued by a known provider would probably be displayed; but many users will ignore such warnings.

But let's now imagine a different situation, and instead of paypal, let's imagine a user doing ssh to shell.mywork.com. Now let's imagine that the DNS request has been sniffed and instead of getting the real address for shell.mywork.com, you get the wireless IP address of someone else nearby that has a redirecting ssh server. That special ssh server would provide its own cert pretending to be shell.mywork.com and would internally proxy to another ssh session that is actually going to the real shell.mywork.com. How do you like this scenario?

So just in case, do remember that when you ssh from an insecure wireless network node (even at the NANOG conference) that you do it to a server that you already previously did ssh to (and so have the public key in .ssh/known_hosts), and don't just assume that because it's ssh you're safe.

-- William Leibzon
Elan Networks
william@elan.net
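A defender-side check for the raced DNS answer described in this message, written as an added illustration rather than code from the thread: it assumes a passive capture of DNS responses on the wireless segment (the constructed records below), a 10.0.0.0/24 local subnet, and documentation-range addresses for the real servers.

```python
"""Passive detection of raced DNS answers on a shared wireless segment.

Added illustration, not code from the thread. The forged reply has to
reach the client before the real resolver's; on a segment you can sniff,
the tell-tale is two responses to one query that disagree, and an
answer for a public name that points into the local wireless subnet.
All records below are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsResponse:
    ts: float          # capture timestamp, seconds
    client: str        # IP of the host that sent the query
    txid: int          # 16-bit transaction id echoed from the query
    qname: str         # question name
    a_records: tuple   # IPv4 answers as strings


# Constructed capture, in arrival order: the paypal query gets a forged
# answer pointing at a nearby wireless host 18 ms before the real one;
# the shell.mywork.com reply is merely repeated (a benign retransmit).
SAMPLE_CAPTURE = [
    DnsResponse(1.000, "10.0.0.23", 0x1A2B, "www.paypal.com.", ("10.0.0.77",)),
    DnsResponse(1.018, "10.0.0.23", 0x1A2B, "www.paypal.com.", ("203.0.113.10",)),
    DnsResponse(1.500, "10.0.0.23", 0x9C01, "www.nanog.org.", ("192.0.2.10",)),
    DnsResponse(2.000, "10.0.0.41", 0x4444, "shell.mywork.com.", ("198.51.100.5",)),
    DnsResponse(2.020, "10.0.0.41", 0x4444, "shell.mywork.com.", ("198.51.100.5",)),
]

WIRELESS_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed local segment


def find_conflicting_answers(responses):
    """Return alerts as (client, qname, accepted_ips, later_ips).

    A stub resolver keeps the first reply whose txid and question match
    and drops the rest, so the earliest response in each group is what
    the client believed. Any later response with different records means
    two parties answered the same query. Identical repeats are ignored.
    """
    groups = defaultdict(list)
    for r in responses:
        groups[(r.client, r.txid, r.qname)].append(r)
    alerts = []
    for (client, _txid, qname), rs in groups.items():
        rs.sort(key=lambda r: r.ts)
        accepted = tuple(sorted(rs[0].a_records))
        for later in rs[1:]:
            later_ips = tuple(sorted(later.a_records))
            if later_ips != accepted:
                alerts.append((client, qname, accepted, later_ips))
                break
    return alerts


def answers_on_local_segment(responses, local_net=WIRELESS_NET):
    """Flag responses that resolve a name to an address on the local
    wireless subnet: the 'someone else nearby running a redirecting
    server' case. A real deployment would allow-list names that are
    legitimately local (printers, captive portal, and so on)."""
    hits = []
    for r in responses:
        local = tuple(ip for ip in r.a_records if ipaddress.ip_address(ip) in local_net)
        if local:
            hits.append((r.client, r.qname, local))
    return hits


if __name__ == "__main__":
    for alert in find_conflicting_answers(SAMPLE_CAPTURE):
        print("conflicting answers:", alert)
    for hit in answers_on_local_segment(SAMPLE_CAPTURE):
        print("answer on local segment:", hit)
```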
On Mon, 21 Nov 2005, Joel Jaeggli wrote:
On Mon, 21 Nov 2005, Stephen J. Wilcox wrote:
On Mon, 21 Nov 2005, Patrick W. Gilmore wrote:
Why would you even need to set up an AP? Why not just sit and sniff traffic? Gets you the _exact_ same information.
Man in the middle is easier if you are the gateway; no need to steal ARP.
you don't have to steal arp on a wireless network, you just sniff the frames as they go by.
What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh tunneled traffic?
No, we're not trying to do that. You don't really think that because it's encrypted it can't be decrypted, do you?

For example, we want to intercept the encrypted data, which we do by putting ourselves in between the client and the server and pretending to be the server to the client and the client to the server. We relay security information and hope the user clicks 'yes' when they are told the host key has changed.

You don't have to break the code if the endpoints trust sessions with you and share their encryption keys.

Steve
In message <Pine.LNX.4.44.0511212148070.25860-100000@server2.tcw.telecomplete.net>, "Stephen J. Wilcox" writes:
we relay security information and hope the user clicks 'yes' when they are told the host key has changed
You don't have to break the code if the endpoints trust sessions with you and share their encryption keys.
Put another way, security is as much a matter of proper usage as proper algorithms and proper code. See http://www.fas.org/irp/eprint/heath.pdf for a story of how the NSA and the US Navy got that wrong. For that matter, read Leo Marks' wonderful memoir "Between Silk and Cyanide". He's telling a story, not trying to teach, but the message is there nonetheless.

As technologists, of course, it's incumbent on us to design security systems that help the user understand consequences of actions, and to help avoid dangerous situations.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
On Mon, 21 Nov 2005, Stephen J. Wilcox wrote: <snip>
What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh tunneled traffic?
No, we're not trying to do that. You don't really think that because it's encrypted it can't be decrypted, do you?
I do believe (reasonably so, I think) that if I'm going to have a conversation with a second party whom I already trust, a third party will have trouble inserting themselves into the path of that conversation without revealing their presence.. <snip>
You don't have to break the code if the endpoints trust sessions with you and share their encryption keys.
Successfully inserting yourself in the middle requires some social engineering or really bad protocol design. The former can be mitigated through vigilance; the latter falls into the realm of peer review and security research.

If I may paraphrase the original poster's question (Ross Hosman), it was: Do large wireless buildouts present a new security threat due to the potential to spoof APs?

The answer to that is no; this is a threat we live with currently. We have tools to mitigate the risks associated with it. You can say that consumers are stupid, and won't figure this out, and that may be true; however, when it starts to cost them lots of money, they will sit up, take notice and buy tools to solve this problem for them, just like they do with any other security threat that goes beyond being an annoyance. Probably said product will be blue, say Linksys on it, and have the word VPN (among others) buried on the packaging someplace.
Steve
On Mon, 21 Nov 2005, Joel Jaeggli wrote:
On Mon, 21 Nov 2005, Stephen J. Wilcox wrote:
<snip>
What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh tunneled traffic?
No, we're not trying to do that. You don't really think that because it's encrypted it can't be decrypted, do you?
I do believe (reasonably so, I think) that if I'm going to have a conversation with a second party whom I already trust, a third party will have trouble inserting themselves into the path of that conversation without revealing their presence..
This is assuming that you are talking to the second party and not in fact me sitting in the middle grabbing credentials, possibly by this stage already pretending to be that second party. It's also assuming you understand your certificates, keys and trust. I'd bet most users will click yes when presented with a 'do you trust this new key' message.
You don't have to break the code if the endpoints trust sessions with you and share their encryption keys.
Successfully inserting yourself in the middle requires some social engineering or really bad protocol design. The former can be mitigated through vigilance; the latter falls into the realm of peer review and security research.
You forgot to include 'or user error'.. the protocol may be fantastic, but if the user fails to notice a security alert or does something stupid it can be compromised. Depending on how good you are you may be able to thwart all but the determined hacker, although to be fair most people are not going to be a target once they employ basic security such as weak encryption. But if you are a target then it's vital to be using strong trusted security and know your onions!
If I may paraphrase the original poster's question (Ross Hosman), it was:
Do large wireless buildouts present a new security threat due to the potential to spoof APs?
The answer to that is no; this is a threat we live with currently. We have tools to mitigate the risks associated with it.
mmmmmm.. I'd say yes. Wifi is still pretty niche; it's in the offices, it's in airports and Starbucks. Once Billy Bob and his grandpa start using it though, you're bringing it to the masses who aren't IT trained, who haven't had a security brief, who are running Windows that's not been patched for 2 years and who think 'billy' is reasonable for their password. So the technology is the same, but the users are new.
You can say that consumers are stupid, and won't figure this out,
okay "consumers are stupid, and won't figure this out" :-)
and that may be true; however, when it starts to cost them lots of money, they will sit up, take notice and buy tools to solve this problem for them, just like they do with any other security threat that goes beyond being an annoyance. Probably said product will be blue, say Linksys on it, and have the word VPN (among others) buried on the packaging someplace.
I'm thinking beyond your corporate staff who are currently using these systems (and quite badly, if my casual network sniffing in environments with supposedly clued individuals is anything to go by!)

My 2 cents :0)

Steve
On Mon, 21 Nov 2005, Stephen J. Wilcox wrote:
This is assuming that you are talking to the second party and not in fact me sitting in the middle grabbing credentials, possibly by this stage already pretending to be that second party.
Sorry, if you don't have the second party's private key, you don't get to be them. And if you do have it, then there's no reason for you to be in the middle.
It's also assuming you understand your certificates, keys and trust. I'd bet most users will click yes when presented with a 'do you trust this new key' message.
[joelja@twin ~]$ ssh -l joelja twin
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
c3:b4:d9:ba:f9:ab:58:0e:98:d4:12:6c:cf:d2:3c:55.
Please contact your system administrator.
Add correct host key in /home/joelja/.ssh/known_hosts2 to get rid of this message.
Offending key in /home/joelja/.ssh/known_hosts2:24
RSA host key for twin has changed and you have requested strict checking.
The authenticity of host 'twin (128.223.214.27)' can't be established.

is fairly unequivocal...
You don't have to break the code if the endpoints trust sessions with you and share their encryption keys.
Successfully inserting yourself in the middle requires some social engineering or really bad protocol design. The former can be mitigated through vigilance; the latter falls into the realm of peer review and security research.
You forgot to include 'or user error'.. the protocol may be fantastic, but if the user fails to notice a security alert or does something stupid it can be compromised.
Depending on how good you are you may be able to thwart all but the determined hacker, although to be fair most people are not going to be a target once they employ basic security such as weak encryption. But if you are a target then it's vital to be using strong trusted security and know your onions!
If I may paraphrase the original poster's question (Ross Hosman), it was:
Do large wireless buildouts present a new security threat due to the potential to spoof APs?
The answer to that is no; this is a threat we live with currently. We have tools to mitigate the risks associated with it.
mmmmmm.. I'd say yes. Wifi is still pretty niche; it's in the offices, it's in airports and Starbucks.
Once Billy Bob and his grandpa start using it though, you're bringing it to the masses who aren't IT trained, who haven't had a security brief, who are running Windows that's not been patched for 2 years and who think 'billy' is reasonable for their password.
So the technology is the same, but the users are new.
You can say that consumers are stupid, and won't figure this out,
okay "consumers are stupid, and won't figure this out" :-)
and that may be true; however, when it starts to cost them lots of money, they will sit up, take notice and buy tools to solve this problem for them, just like they do with any other security threat that goes beyond being an annoyance. Probably said product will be blue, say Linksys on it, and have the word VPN (among others) buried on the packaging someplace.
I'm thinking beyond your corporate staff who are currently using these systems (and quite badly, if my casual network sniffing in environments with supposedly clued individuals is anything to go by!)
my 2-cents :0)
Steve
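The check behind the ssh warning Joel quotes, and behind William's advice earlier in the thread to only ssh to hosts already in .ssh/known_hosts, written out as an added illustration (not OpenSSH's code): a presented host key is compared with the entry recorded on a previous connection, with both plain and OpenSSH-style hashed host fields handled. The known_hosts file, the salt and the base64 "keys" below are constructed placeholders, not real public keys; the hostname and address are the ones in Joel's transcript.

```python
"""Strict host-key checking against a known_hosts file.

Added illustration, not OpenSSH code. An entry is 'host-field keytype
base64-key'; with HashKnownHosts the host field is '|1|salt|hmac' where
hmac = HMAC-SHA1(salt, hostname). '@cert-authority', '@revoked' markers
and '[host]:port' forms are not handled here.
"""
import base64
import fnmatch
import hashlib
import hmac


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed placeholder key blobs; real entries carry wire-format public keys.
KEY_TWIN = _b64(b"placeholder-rsa-key-for-twin")
KEY_WORK = _b64(b"placeholder-rsa-key-for-shell.mywork.com")
KEY_ROGUE = _b64(b"placeholder-key-presented-by-a-man-in-the-middle")


def hashed_host_field(hostname: str, salt: bytes) -> str:
    """Build the '|1|salt|digest' host field OpenSSH writes for hashed entries."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return f"|1|{_b64(salt)}|{_b64(digest)}"


def build_sample_known_hosts() -> str:
    """A constructed known_hosts: one plain entry (name and address), one hashed."""
    salt = hashlib.sha1(b"constructed-salt").digest()  # any 20 bytes will do
    return "\n".join([
        "# constructed sample, not a real known_hosts",
        f"twin,128.223.214.27 ssh-rsa {KEY_TWIN}",
        f"{hashed_host_field('shell.mywork.com', salt)} ssh-rsa {KEY_WORK}",
    ]) + "\n"


def host_field_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field covers hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|", 3)
        want = base64.b64decode(digest_b64)
        got = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, got)
    # Plain form: comma-separated names/addresses; '*' and '?' wildcards allowed.
    return any(fnmatch.fnmatchcase(hostname, pat) for pat in field.split(","))


def check_host_key(known_hosts: str, hostname: str, keytype: str, key_b64: str) -> str:
    """Return 'known', 'changed' or 'unknown' for the presented key.

    'changed' is the case the warning shouts about: the host is on file
    with this key type but the key differs, so either the server was
    rebuilt or someone is sitting in the middle. Entries of other key
    types are ignored, so a host known only by another type reports
    'unknown' (a simplification of what OpenSSH does there).
    """
    seen_host = False
    for line in known_hosts.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        field, etype, ekey = parts[0], parts[1], parts[2]
        if etype != keytype or not host_field_matches(field, hostname):
            continue
        seen_host = True
        if hmac.compare_digest(ekey.encode(), key_b64.encode()):
            return "known"
    return "changed" if seen_host else "unknown"


def fingerprint_md5(key_b64: str) -> str:
    """Colon-separated MD5 fingerprint, the format shown in the warning."""
    raw = base64.b64decode(key_b64)
    return ":".join(f"{b:02x}" for b in hashlib.md5(raw).digest())


if __name__ == "__main__":
    kh = build_sample_known_hosts()
    for name, key in [("twin", KEY_TWIN), ("twin", KEY_ROGUE), ("shell.mywork.com", KEY_WORK)]:
        print(name, fingerprint_md5(key), check_host_key(kh, name, "ssh-rsa", key))
```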
In message <Pine.LNX.4.64.0511211400000.12605@twin.uoregon.edu>, Joel Jaeggli writes:
On Mon, 21 Nov 2005, Stephen J. Wilcox wrote:
<snip>
What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh tunneled traffic?
No, we're not trying to do that. You don't really think that because it's encrypted it can't be decrypted, do you?
I do believe (reasonably so, I think) that if I'm going to have a conversation with a second party whom I already trust, a third party will have trouble inserting themselves into the path of that conversation without revealing their presence..
<snip>
You don't have to break the code if the endpoints trust sessions with you and share their encryption keys.
Successfully inserting yourself in the middle requires some social engineering or really bad protocol design. The former can be mitigated through vigilance; the latter falls into the realm of peer review and security research.
The problem is "vigilance", especially as applied to non-security-aware users. Here's a quick test: pick a bunch of smart, non-geek computer users and ask them what a certificate is and what a certificate authority is. Then inquire what they'd do when the web page they were looking at had some text similar to what I posted yesterday.

You're absolutely right that sufficient vigilance -- coupled with good user interfaces -- should be adequate. Note my qualifiers: "sufficient", "good", "should be". Demonstrably, they're not. (A few years ago, a company I know of deployed a browser+Java-based expense voucher application. The login screen said "when you're asked if this applet should have extra permissions, just click yes, even though the pop-up warns that that could be dangerous". A security-clueful person I know complained about the bad habits this was instilling. The answer he got back was "we've checked it out; this application really is ok". Talk about unclear on the concept...)

That said, ssh (which you cited in another post) does a better job. It gives a very big warning that stresses the danger. By contrast, Firefox (and I think IE, though I'd have to find a Windows machine to test that) tells you that various forms of certificate problems are unlikely. The big thing ssh does is that it keeps a history -- it binds the warning to your previous history. That's a much better strategy than relying on ~80 CAs you've never heard of.
If I may paraphrase the original poster's question (Ross Hosman), it was:
Do large wireless buildouts present a new security threat due to the potential to spoof APs?
The answer to that is no; this is a threat we live with currently. We have tools to mitigate the risks associated with it.
You can say that consumers are stupid, and won't figure this out, and that may be true; however, when it starts to cost them lots of money, they will sit up, take notice and buy tools to solve this problem for them, just like they do with any other security threat that goes beyond being an annoyance. Probably said product will be blue, say Linksys on it, and have the word VPN (among others) buried on the packaging someplace.
Given reports I've seen about public terminal usage, I'm much more skeptical. See, for example, http://www.theregister.co.uk/2005/09/21/airport_pc_security_lax/

I frequently take the train to Washington; I've occasionally noticed other PCs that appear to be looking for an access point. I've been tempted to put my machine into host AP mode (or use my travel access point -- these trains generally have AC power), run a dhcp server, and see what passwords I get. But I've never been able to convince myself that it would be legal, let alone ethical.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Steven M. Bellovin wrote:
I frequently take the train to Washington; I've occasionally noticed other PCs that appear to be looking for an access point. I've been tempted to put my machine into host AP mode (or use my travel access point -- these trains generally have AC power), run a dhcp server, and see what passwords I get. But I've never been able to convince myself that it would be legal, let alone ethical.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
I have in fact done this (well, something similar). On a train from Boston to New York I turned on my wireless card in ad-hoc mode, set up a DHCP server and set up my phone for GPRS. Bingo, I had four other people get addresses from me and presumably "do stuff". I didn't sniff their traffic though. Good ol' Windows (which they were presumably running, I wasn't) was happy to go from infrastructure mode to ad-hoc mode and associate with me.

There is a fundamental security dilemma here. Years ago the original designers of Privacy Enhanced Mail (PEM) had the notion that users couldn't be trusted, so the idea was that there would be one root CA and it would only issue certificates to people who proved who they were. Software would only trust this one CA. In this fashion, if the software said "This came from Jeff Schiller, of MIT" by golly that is where it came from. No end-user preferences to get wrong, no dialog boxes to click away unread. I even remember arguments along the lines of if a signature verification failed, the message would be discarded and the user not permitted to read the "damaged" message.

The dilemma is that when you build such a system, the guy who is the root always turns out to be a reptile (or is eaten by a reptile who takes her place).

-Jeff

--
Jeffrey I. Schiller
MIT Network Manager
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis@mit.edu
There is a fundamental security dilemma here. Years ago the original designers of Privacy Enhanced Mail (PEM) had the notion that users couldn't be trusted, so the idea was that there would be one root CA and it would only issue certificates to people who proved who they were. Software would only trust this one CA. In this fashion, if the software said "This came from Jeff Schiller, of MIT" by golly that is where it came from. No end-user preferences to get wrong, no dialog boxes to click away unread. I even remember arguments along the lines of if a signature verification failed, the message would be discarded and the user not permitted to read the "damaged" message.
The dilemma is that when you build such a system, the guy who is the root always turns out to be a reptile (or is eaten by a reptile who takes her place).
-Jeff
Jeff, you hit a hot button <grin>... You would love the BGP RP-Sec stuff going on at IETF etc...

I "think" root authority for live routing protocols is out of the picture. However, you may want to stay tuned and speak up if you feel a root authority for routing protocols is bad.

Regards,

Blaine
Oh, I am quite aware of the BGP RP-Sec work and many people have heard my opinion on this topic, including some on this mailing list. But I'll re-iterate.

Hierarchical relationships breed "reptiles" because of the inherent asymmetric business relationship that results. The "leaves" *must* do business with the root, but the root does *not* have to do business with the "leaves." This results in the root calling the shots, for its own benefit and profit.

Frankly, I am quite impressed with the address registries. For the most part they are the exception. I believe this is because they are still run by or heavily influenced by the "wide eyed academics" (as I have been accused of being) who believe in the Internet Dream... (you know who you are!). However there is also a "check and balance" in that if the registries become unreasonable, people will think about ignoring them, and they have to know this, if not explicitly, implicitly.

However, I fear creating yet another hierarchy which must work for the Internet to work. One based on a PKI would not have to be reasonable, as the "leaves" would have a harder time ignoring it. Piss off the hierarchy, and forget about being routed.

I would much prefer an arrangement where the PKI for BGP was controlled by the providers. So an institution would have its "certificate" signed by its upstream (or one of its upstream) providers. In such a transaction the balance of power is much more symmetric and therefore likely to be reasonable. The providers could cross-certify to build a "root free" (as in "default free" zone) mesh (aka "Web of Trust").

-Jeff

Blaine Christian wrote:
Jeff you hit a hot button <grin>... You would love the BGP RP-Sec stuff going on at IETF etc...
I "think" root authority for live routing protocols is out of the picture. However, you may want to stay tuned and speak up if you feel a root authority for routing protocols is bad.
Regards,
Blaine
--
=============================================================================
Jeffrey I. Schiller
MIT Network Manager
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis@mit.edu
============================================================================
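The hierarchy-versus-mesh argument in Jeff's reply above can be made concrete with a small trust-path search. This is an added illustration, not code from the thread or from any BGP security project: certificates are modelled as abstract "issuer vouches for subject" edges with no real signatures (an assumption made so it runs offline), and the names RootCA, ProviderA, ProviderB, ProviderC and MIT are constructed.

```python
"""Trust-path validation under two PKI shapes (added illustration).

Certificates are modelled as abstract (issuer, subject) edges; there are no
real signatures here, which is an assumption made so the example runs offline.
All names are constructed.
"""
from collections import deque

# Single-root hierarchy: one CA sits above every provider.
HIERARCHY = [
    ("RootCA", "ProviderA"),
    ("RootCA", "ProviderB"),
    ("ProviderA", "MIT"),
]

# "Root free" mesh: providers cross-certify each other and sign their customers.
MESH = [
    ("ProviderA", "ProviderB"), ("ProviderB", "ProviderA"),
    ("ProviderB", "ProviderC"), ("ProviderC", "ProviderB"),
    ("ProviderA", "MIT"),
    ("ProviderC", "MIT"),  # MIT is multihomed: two upstreams vouch for it
]


def find_chain(certs, trusted, subject, max_len=5):
    """Breadth-first search from `subject` back towards an issuer the
    verifier trusts.  Returns the chain anchor-first (a list of at most
    `max_len` names), or None if no such chain exists."""
    issued_by = {}
    for issuer, subj in certs:
        issued_by.setdefault(subj, []).append(issuer)

    queue = deque([(subject, [subject])])
    seen = {subject}
    while queue:
        name, path = queue.popleft()
        if name in trusted:
            return list(reversed(path))
        if len(path) >= max_len:
            continue  # bound the path length, as real chain builders do
        for issuer in issued_by.get(name, []):
            if issuer not in seen:
                seen.add(issuer)
                queue.append((issuer, path + [issuer]))
    return None


def without(certs, cert):
    """Return the certificate set with one certificate withdrawn."""
    return [c for c in certs if c != cert]


def hierarchy_demo():
    """Verifier trusts only the root.  When the root drops ProviderA,
    every leaf under ProviderA is stranded; MIT cannot route around it."""
    trusted = {"RootCA"}
    before = find_chain(HIERARCHY, trusted, "MIT")
    after = find_chain(without(HIERARCHY, ("RootCA", "ProviderA")), trusted, "MIT")
    return before, after


def mesh_demo():
    """Verifier anchors trust at its own provider (ProviderB).  When
    ProviderA stops vouching for MIT, the chain through ProviderC still holds."""
    trusted = {"ProviderB"}
    before = find_chain(MESH, trusted, "MIT")
    after = find_chain(without(MESH, ("ProviderA", "MIT")), trusted, "MIT")
    return before, after


if __name__ == "__main__":
    print("hierarchy:", hierarchy_demo())
    print("mesh:     ", mesh_demo())
```

With a single root, the root withdrawing (or refusing) ProviderA's certificate strands every leaf beneath it, and nothing the leaf does can route around that. In the cross-certified mesh the verifier anchors trust at its own provider, and a multihomed leaf keeps a valid chain when one upstream stops vouching for it; that is the symmetric bargaining position Jeff is after.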
In message <73345C98-EB2D-4DB5-A8BD-D23D77A51E49@ianai.net>, "Patrick W. Gilmore" writes:
On Nov 21, 2005, at 9:42 AM, Ross Hosman wrote:
So my question is pretty simple. You have all these major companies such as google/earthlink/sprint/etc. building wifi networks. Lets say I want to collect peoples information so I setup an AP with the same ssid as google's ap so people connect to it and I log all of their traffic. Most people won't check beyond the ssid to look at the mac address but even that could be spoofed. Is there anyway to verify a certain ap beyond mac/ssid, will there be in the future? How do these companies plan to mitigate this threat or are they just going to hope consumers are smart enough to figure it out?
Why would you even need to set up an AP? Why not just sit and sniff traffic? Gets you the _exact_ same information.
And why worry about Google, etc., when Starbucks and airports have been doing this for _years_?
Lastly, most consumers are smart enough to know to use encryption (the little pad-lock in their browser). Some aren't. Changing the WiFi architecture is not going to save those who aren't.
By setting up a fake AP, you can launch active attacks. Sure, people won't get the right certificate -- and they're not going to notice, especially if the (unencrypted) initial web splash page says something like "For added security, all SSL connections from this hotspot will use Starbucks-brand certificates. Please configure your browser to accept them -- it will protect you from fraud."

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
By setting up a fake AP, you can launch active attacks. Sure, people won't get the right certificate -- and they're not going to notice, especially if the (unencrypted) initial web splash page says something like "For added security, all SSL connections from this hotspot will use Starbucks-brand certificates. Please configure your browser to accept them -- it will protect you from fraud."
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
I am very happy to agree with Steve. But I'd also like to add something.

Security does not have to be end-user based... risking the wrath of Randy, let us hail Vietnam for a moment..

One of the technologies first employed in Vietnam (I may be wrong, my history isn't that good) was that of tracking radiation, and specifically, EM radiation by creating the first "smart bombs".

You could see this type of "physical" electronic warfare also employed in Iraq with the US Gov't bombing the center of GSM-blocking signal generators.

Locating where a transmission comes from, supposing it comes from a centralized source, is rather easy.

Missiles for your local ISP to use? I find this rather amusing and a clear path to take.

Locating these fake AP's will be easy, at least for the foreseeable future until the Bad Guys start employing ANCIENT tricks to start evading....

There are other risks and the future will show them as bad or imperfect implementations and designs will show up... for now I don't see anyone bothering beyond the goals of interest or fun. That will change to profit very soon, though, as the technology takes off.

Gadi.
You could see this type of "physical" electronic warfare also employed in Iraq with the US Gov't bombing the center of GSM-blocking signal generators.
GPS. Not GSM.. but I suppose it would work the same way.

--
My blog: http://blogs.securiteam.com/?author=6
"The third principle of sentient life is the capacity for self-sacrifice --- the conscious ability to override evolution and self-preservation for a cause, a friend, a loved one." -- Draal, "A Voice in the Wilderness", Babylon 5.
In message <4381ECC3.1090206@linuxbox.org>, Gadi Evron writes:
By setting up a fake AP, you can launch active attacks. Sure, people won't get the right certificate -- and they're not going to notice, especially if the (unencrypted) initial web splash page says something like "For added security, all SSL connections from this hotspot will use Starbucks-brand certificates. Please configure your browser to accept them -- it will protect you from fraud."
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
I am very happy to agree with Steve. But I'd also like to add something.
Security does not have to be end-user based... risking the wrath of Randy, let us hail Vietnam for a moment..
One of the technologies first employed in Vietnam (I may be wrong, my history isn't that good) was that of tracking radiation, and specifically, EM radiation by creating the first "smart bombs".
You could see this type of "physical" electronic warfare also employed in Iraq with the US Gov't bombing the center of GSM-blocking signal generators.
Locating where a transmission comes from, supposing it comes from a centralized source, is rather easy.
Missiles for your local ISP to use? I find this rather amusing and a clear path to take.
Leaving the politics aside, it's a lot harder than it seems. After an active attack at a security conference a few years ago, a prof had some of his grad students investigate it. Multipath, variable signal attenuation, and the like make it very, very hard. (If it worked, the idea was to embed the localizer in a WiFi-equipped Sony Aibo -- a robot dog to hunt down miscreants...)

Btw -- a lot of hot spots already do ARP-filtering to block ARP-level attacks on the default router's MAC address. This problem is already out there.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
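Steve's remark that hot spots already ARP-filter to protect the default router's MAC address is a check an operator can also run over a capture after the fact. The following is an added example, not code from the thread or from any hot spot vendor: it parses constructed lines shaped like `tcpdump -n -e arp` output (the exact line format is an assumption) and flags replies that would repoint clients' gateway binding; the gateway IP and MAC are constructed values.

```python
"""Flag ARP replies that would repoint a hot spot's default router (added example).

The capture lines below are constructed and follow the general shape of
`tcpdump -n -e arp` output; the exact format is an assumption, as are the
gateway address and MAC.
"""
import re

GATEWAY_IP = "10.0.0.1"             # constructed
GATEWAY_MAC = "00:11:22:33:44:01"   # constructed

# Constructed capture: an honest reply, a request, an impostor MAC claiming the
# gateway IP, an unrelated host, and a frame whose Ethernet source disagrees
# with the MAC it advertises for the gateway.
SAMPLE_LINES = """\
12:00:01.000 00:11:22:33:44:01 > 00:11:22:33:44:ab, ethertype ARP (0x0806), length 42: Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:02.000 00:11:22:33:44:ab > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.42, length 28
12:00:03.000 de:ad:be:ef:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
12:00:04.000 00:11:22:33:44:cd > 00:11:22:33:44:ab, ethertype ARP (0x0806), length 42: Reply 10.0.0.7 is-at 00:11:22:33:44:cd, length 28
12:00:05.000 de:ad:be:ef:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
REPLY_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{MAC}) > (?P<dst>{MAC}), .*?Reply (?P<ip>[\d.]+) is-at (?P<mac>{MAC})"
)


def parse_replies(text):
    """Yield (timestamp, frame src MAC, frame dst MAC, IP, advertised MAC)
    for every ARP reply line; requests and non-matching lines are skipped."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src"), m.group("dst"), m.group("ip"), m.group("mac")


def check_gateway_replies(text, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return one alert per reply that would corrupt clients' gateway binding.

    Two cases are flagged, which is what an AP-side ARP filter pinning the
    default router's MAC would drop:
      * the reply advertises a MAC other than the known gateway MAC;
      * the advertised MAC is correct but the Ethernet source is someone else.
    """
    alerts = []
    for ts, src, dst, ip, advertised in parse_replies(text):
        if ip != gateway_ip:
            continue  # only the default router's binding is pinned here
        if advertised != gateway_mac:
            alerts.append({"ts": ts, "src": src,
                           "reason": f"{ip} advertised as {advertised}, expected {gateway_mac}"})
        elif src != advertised:
            alerts.append({"ts": ts, "src": src,
                           "reason": f"reply for {ip} sent from {src}, not from {advertised}"})
    return alerts


if __name__ == "__main__":
    for alert in check_gateway_replies(SAMPLE_LINES):
        print(alert["ts"], alert["src"], alert["reason"])
```

On the constructed capture the honest reply and the unrelated host pass, while the two frames that try to rebind the gateway (one with a foreign MAC, one spoofing the gateway's MAC from a different Ethernet source) are reported. The second case is why the Ethernet header and the ARP payload should be compared, not just the payload.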
Leaving the politics aside, it's a lot harder than it seems. After an active attack at a security conference a few years ago, a prof had some of his grad students investigate it. Multipath, variable signal attenuation, and the like make it very, very hard. (If it worked, the idea was to embed the localizer in a WiFi-equipped Sony Aibo -- a robot dog to hunt down miscreants...)
Btw -- a lot of hot spots already do ARP-filtering to block ARP-level attacks on the default router's MAC address. This problem is already out there.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
I am always careful when I write "ALL", "EVERY*" or "VERY", however, it is very simple. Point is that like with everything else, the Bad Guys learn and have a fountain of knowledge called recent Internet history to learn from.

Employing different evasion techniques can indeed be a problem and this will turn into a very disturbing war of cop and thief, never ending and always advancing.. yet, it does allow for an active hand in combating these individuals if operational teams will be ready and equipped to answer the call when the time comes, instead of after it's already an epidemic.

Further, just one solution is never enough... strong security, security policy and intrusion detection systems for the real systems and AP's are going to be essential. Once again I fear these things will not be invested upon until they are useless and a money-drain.

But aside to all that I must once again bow before your wisdom and humble my opinion to "yeah, it's not that simple". :)

"Google wifi security operations". Yummy! Now my mind is just floating with ideas.. I hope theirs are as well.

Gadi.
On Nov 21, 2005, at 9:42 AM, Ross Hosman wrote:
So my question is pretty simple. You have all these major companies such as google/earthlink/sprint/etc. building wifi networks. Lets say I want to collect peoples information so I setup an AP with the same ssid as google’s ap so people connect to it and I log all of their traffic. Most people won’t check beyond the ssid to look at the mac address but even that could be spoofed. Is there anyway to verify a certain ap beyond mac/ssid, will there be in the future? How do these companies plan to mitigate this threat or are they just going to hope consumers are smart enough to figure it out?
You're making an assumption that all these services will work like any old AP or traditional WISP, perhaps one with open SSID, which may or may not be true. As far as open SSID is concerned, as you probably already know, there's nothing much other than a VPN client from a machine you trust to some place you trust that is going to help you. Such is the nature of the beast.

As far as other abuse prevention voodoo and other operation and implementation specifics, I somehow doubt anyone will spill their guts here. One path to find a few of the answers is to discuss this very subject with the equipment vendors in this space, which shouldn't infringe on any proprietary information of the operators. This is still a very much evolving technology as well, so, expect fairly rapid developments to address needs as they emerge.

Best regards,
Christian
On Mon, 21 Nov 2005, Ross Hosman wrote:
So my question is pretty simple. You have all these major companies such as google/earthlink/sprint/etc. building wifi networks. Lets say I want to collect peoples information so I setup an AP with the same ssid as google's ap so people connect to it and I log all of their traffic. Most people won't check beyond the ssid to look at the mac address but even that could be spoofed. Is there anyway to verify a certain ap beyond mac/ssid, will there be in the future? How do these companies plan to mitigate this threat or are they just going to hope consumers are smart enough to figure it out?
What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh tunneled traffic? Clear-text data-streams have the same liability almost everywhere (in the public sphere), so if you want to move data that has any importance at all you protect the data end-to-end.
Ross Hosman Network/Systems Administrator E: rhosman@corp.hometel.com P: 618-644-2111 x 238 C: 314-898-3381 Y!: rosshosman
--
--------------------------------------------------------------------------
Joel Jaeggli  Unix Consulting  joelja@darkwing.uoregon.edu
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
participants (16)
- Blaine Christian
- Christian Kuhtz
- Christian Kuhtz
- Christopher L. Morrow
- Gadi Evron
- Jeffrey I. Schiller
- Jim Popovitch
- Joel Jaeggli
- Niels Bakker
- Patrick W. Gilmore
- Randy Bush
- Ross Hosman
- Ross Hosman
- Stephen J. Wilcox
- Steven M. Bellovin
- william(at)elan.net