A couple weeks ago my DSL modem broke. No big deal, right? I contacted my landlord, who put in a request with the local Internet Service Provider to get me a new one. My request is still lost somewhere in the bureaucracy, so I've had to go hunting around my neighborhood to use the Internet. It's been an incredible nuisance, but it's also given me an opportunity to expand my knowledge of the cyber dark arts.
The more I learn about this stuff, the scarier the world is. Most people have no idea how vulnerable they are. I only know a little about networking and hacking, but I am seeing chinks in the armor everywhere I look. It's a good thing I'm one of the good guys.
From my living room I can access three unsecured wireless access points. The owners of these hotspots probably don't know how to set up their routers, and don't realize that almost everything they do online (anything not sent over https) is transmitted in cleartext. Even a mildly talented hacker can "sniff" this out of the air. Even worse, two of these routers are still in their default configuration. By browsing to the router's own address (typically the network's default gateway), anyone logged onto the network can reach the router's configuration pages, logs, etc. This information is supposed to be protected by a username and password, but these neighbors still have the default username/password. I knew one combo, because the router was the same brand as mine (and the brand was boldly advertised in the network's SSID). I was able to look up the other username/password combo on Google in about five seconds. I accessed both router configuration pages just to see if I could.
Because I'm not really a hacker, I just logged back out. But if I wanted to, I could have wreaked all kinds of mischief on these users. I could have set a WEP or WPA password, effectively locking the users out of their own network. I could have enabled remote administration, allowing myself an entrance from anywhere on the net. I could have read the logs. I probably could have tinkered with the DNS settings and steered the clueless user to fake versions of real web pages to harvest personal information like usernames and passwords. And if I wanted to, I could have read the unencrypted e-mails and instant messages passing through these networks. And all of this is just from my living room.
I repeated this experiment at my local Starbucks. The modem there is also in its default configuration. A hacker there could do a lot of damage to a lot of people.
The flip side of this scary knowledge is my own vulnerability. Until recently, I never realized how exposed I was at a coffee shop, airport, or other public wifi access point. Now I know: almost everything I do on the Internet at a public wifi hotspot can be "sniffed." All it takes is a wifi card that supports monitor mode and a free open source sniffer that you can download in about two minutes. I thought I would give this a try, so I downloaded the program and did some snooping--on myself. I let the program run in the background while I did my usual activities on the web, like reading blogs and e-mail. When I was done, I saved the "sniffed" data and began to parse it. It took some time to find my way around the raw data, but I eventually found and reconstructed the HTML for all the websites I visited. I could see all the web addresses and read all the blog posts.
My personal webmail is safe from this (anything exchanged with a page served over https:// is encrypted in transit), but I use Outlook and a special e-mail address to participate in a national security e-mail discussion group. I was alarmed to see that Outlook was downloading all these messages in cleartext. Even worse, Outlook sent my e-mail address AND PASSWORD to the mail server in cleartext. Anyone who captured this would have indefinite access to my e-mail and to sensitive national security discussions. I'm a reasonably computer savvy guy, but it never occurred to me that Outlook would not be connecting securely to my e-mail. Figuring out how to configure it to use an encrypted connection to the mail server is at the top of my to-do list.
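As an added example (not code from the original post), here is a small Python script that does by hand what the sniffer described above does: it parses a libpcap capture file and pulls out HTTP request lines and POP3/IMAP logins, which is exactly how an Outlook POP3 password shows up to someone on the same hotspot. The capture is constructed inside the script, so every address, mailbox name and password in it is made-up test data, and the parser deliberately handles only the simple case (Ethernet/IPv4/TCP, one command per segment, no stream reassembly). Point `find_cleartext_secrets` at the bytes of a real capture saved in classic libpcap format to run it on your own traffic.

```python
"""
Pull cleartext logins and HTTP requests out of a libpcap capture file.

Added example, not from the original post. Handles only the simple case a
hotspot sniffer sees most often: Ethernet / IPv4 / TCP, one protocol command
per segment, no stream reassembly. The capture below is built in code, so
every address, mailbox and password in it is made-up test data.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic libpcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame carrying payload. Checksums are left at zero:
    this is parser test data, not something to put on a wire."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames, t0=1273500000):
    """Wrap frames in a libpcap global header plus one record header each."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_tcp_segments(pcap):
    """Yield (src, dst, sport, dport, payload) for every TCP/IPv4 frame with data."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian libpcap file (pcapng not handled)")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue                                       # not TCP
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]                 # skip TCP header + options
        if payload:
            yield ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), sport, dport, payload


def find_cleartext_secrets(pcap):
    """Return (kind, client, server, detail) tuples for HTTP requests, POP3
    USER/PASS and IMAP LOGIN commands seen in the capture."""
    findings = []
    for src, dst, sport, dport, payload in iter_tcp_segments(pcap):
        lines = [l.rstrip("\r") for l in payload.decode("latin-1").split("\n") if l.strip()]
        if not lines:
            continue
        if dport in (80, 8080):                            # HTTP: "GET /path HTTP/1.1" + Host:
            parts = lines[0].split(" ")
            if len(parts) >= 2 and parts[0] in ("GET", "POST", "HEAD", "PUT"):
                host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                             if l.lower().startswith("host:")), "?")
                findings.append(("http-request", src, dst, f"{parts[0]} http://{host}{parts[1]}"))
        elif dport == 110:                                 # POP3: USER x / PASS y
            for line in lines:
                cmd, _, arg = line.partition(" ")
                if cmd.upper() in ("USER", "PASS"):
                    findings.append(("pop3-" + cmd.lower(), src, dst, arg))
        elif dport == 143:                                 # IMAP: tag LOGIN user pass
            for line in lines:
                parts = line.split(" ", 3)
                if len(parts) == 4 and parts[1].upper() == "LOGIN":
                    findings.append(("imap-login", src, dst, parts[2] + " / " + parts[3]))
    return findings


# Constructed capture: one blog page load and one POP3 login, all in cleartext.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.0.2.23", "203.0.113.10", 51000, 80,
                    b"GET /2010/05/wifi.html HTTP/1.1\r\nHost: blog.example\r\n\r\n"),
    build_tcp_frame("192.0.2.23", "198.51.100.7", 51001, 110, b"USER analyst@example.org\r\n"),
    build_tcp_frame("198.51.100.7", "192.0.2.23", 110, 51001, b"+OK\r\n"),
    build_tcp_frame("192.0.2.23", "198.51.100.7", 51001, 110, b"PASS hunter2\r\n"),
])

if __name__ == "__main__":
    for kind, client, server, detail in find_cleartext_secrets(SAMPLE_PCAP):
        print(f"{kind:13} {client} -> {server}: {detail}")
```

The same capture would show nothing useful if the mail client had been set to connect over SSL/TLS (POP3 on port 995 or STARTTLS on 110): the parser only sees the bytes on the wire, and encrypted ones carry no USER/PASS lines to find.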
It gets worse. I mentioned that two of the three unsecured networks near my living room were still in their default configuration. The third router had a changed admin password, but that made me suspicious. If the owner knew how to change the password, why was the network still unsecured? What was to stop a hacker from setting up an unsecured hotspot to lure in clueless surfers, then capturing their data? After tinkering around on the network for a while, I opened my firewall's log and reviewed it. Sure enough, another computer on the network was running port scans against my computer. In other words, a hacker was walking down a long hallway, trying each doorknob to see if anything was unlocked. He was looking for a way into my computer.
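To make "reviewing the firewall log" concrete, here is an added Python example (not from the original post) that reads iptables/syslog-style drop lines and flags any source that touches many distinct destination ports in a short window, which is the doorknob-rattling pattern described above. The log lines, their field layout and the thresholds (10 ports within 60 seconds) are constructed assumptions; a different firewall only needs a different `parse_line`.

```python
"""
Flag port scans in firewall drop logs.

Added example, not from the original post. The log lines are constructed in
iptables/syslog style ("SRC=... DST=... PROTO=TCP DPT=..."); the thresholds
are assumptions. A different firewall only needs a different parse_line().
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

_SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")


def parse_line(line, year=2010):
    """Return (timestamp, fields) for a kernel firewall line, else None.
    Syslog lines carry no year, so one is assumed (default matches the post)."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    if "SRC" not in fields or "DPT" not in fields:
        return None                                   # kernel line, but not a packet record
    return ts, fields


def detect_scans(lines, window=timedelta(seconds=60), min_ports=10):
    """Return (src, distinct_ports, first_seen) for every source that probes at
    least min_ports different destination ports inside one sliding window."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, f = parsed
            hits[f["SRC"]].append((ts, int(f["DPT"])))
    alerts = []
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # slide the window over each start time
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append((src, len(ports), t0))
                break                                  # one alert per source is enough
    return alerts


# Constructed sample: one host sweeps twelve common ports in eleven seconds,
# the gateway sends a couple of harmless blocked packets, and an unrelated
# sshd line shows that non-firewall entries are ignored.
_SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389]
SAMPLE_LOG = [
    f"May 10 21:14:{3 + i:02d} laptop kernel: [FW-DROP] IN=wlan0 SRC=192.168.1.77 "
    f"DST=192.168.1.23 PROTO=TCP SPT={40200 + i} DPT={p} SYN"
    for i, p in enumerate(_SCAN_PORTS)
] + [
    "May 10 21:14:05 laptop kernel: [FW-DROP] IN=wlan0 SRC=192.168.1.1 DST=192.168.1.23 PROTO=UDP SPT=5353 DPT=5353",
    "May 10 21:14:09 laptop kernel: [FW-DROP] IN=wlan0 SRC=192.168.1.1 DST=192.168.1.23 PROTO=TCP SPT=2049 DPT=80",
    "May 10 21:14:10 laptop sshd[911]: Server listening on 0.0.0.0 port 22.",
]

if __name__ == "__main__":
    for src, n, first in detect_scans(SAMPLE_LOG):
        print(f"possible port scan from {src}: {n} distinct ports starting {first:%H:%M:%S}")
```

The distinct-port count matters more than the raw hit count: a single host retrying one blocked port fifty times is noise, while twelve different ports from one source in a few seconds is somebody enumerating your machine.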
I'll never use an unsecured hotspot the same way. Anyone with a home network should secure it with a WPA (or, failing that, WEP) passphrase. Of course, WEP has its own problems--using another free software tool, any marginally talented hacker can crack a WEP key in about five minutes. That will be my next challenge when I have the time: trying to break into my own network.
Monday, May 10, 2010
7 comments:
First. Great blog.
Second. Are you kidding me? Let's keep moving forward and get you into the 21st century. You're horribly behind (along with most people, and hence, this is still an important post). We're going to need to move you past DSL into some real broadband.
Quite frankly, being on the Internet is just like driving on the highway. It's relatively easy to be safe, but you need to understand and refrain from risky behaviors. You have done a good job of alerting your readers to the basic dangers.
JFS
You're exactly right, fastsurgeon. I'm not writing as some kind of expert. I am writing as an average Joe who decided to learn a little bit about cybersecurity, and it's really alarming to discover how clueless I've been... how clueless most of us are.
This is cybersecurity 101, and the knowledge has been around for years, but most of us still don't know cybersecurity 101.
Have you thought about porting your Outlook email into your Gmail account? I assume it's a POP3 or IMAP account, and either can be managed from a standard Gmail account, which you can (as you note) opt to port through https. That would allay at least one concern if you find yourself needing to use an open-access hotspot again.
Actually, you're understating the risks of wifi somewhat. WEP, WPA, and even to a lesser extent WPA2 using TKIP are blown. Pretty much the only safe encryption technology on wifi is WPA2 with AES. Don't get me wrong, WPA2 w/TKIP is still mostly safe, but unless you're running WPA2 with AES, it's only a matter of time.
And if you ever (EVER!) browse over an untrusted network, wifi or not, you run the risk of having a malicious person on the network slipping you a javascript "implant" (not an ideal word, but it gets the point across) which can compromise you even after you leave the net.
Some great lecturing on the above topic can be found at http://www.shmoocon.org/presentations-all.html - just look for the lecture by Mike Kershaw (writer of kismet and lorcon). The video is at http://www.shmoocon.org/2010/videos/WirelessSecurity-Kershaw.m4v and is strongly recommended.
Oh yeah, by the way, I'd strongly recommend some experimentation with BackTrack (http://www.backtrack-linux.org/). Definitely one of the most powerful penetration testing and cyber-security tools out there. Also would recommend you read "Silence on the Wire" by Michal Zalewski. It's a great tool for teaching you low-level protocol things and getting in the mindset of how you tinker with systems. Feel free to contact me at mark@ my-google-acct-name followed by a .com.
It's a lot more dangerous than even you suspect if you are running Windows. Read up on Operation Aurora and APT. You can go to www.pauldotcom.com to learn the latest tricks, but the best book to learn hacking if you know C is "Hacking: The Art of Exploitation". Didier Stevens' blog (http://blog.didierstevens.com/) can teach you many tricks regarding malicious files. This blog by a former AFCERT officer, http://taosecurity.blogspot.com/, will teach you a great deal about IT security. I would download an Ubuntu Live CD and use it when you surf at an Internet cafe, assuming it has no trouble seeing your wireless NIC. I would also download the F-Secure Rescue CD image (http://www.f-secure.com/linux-weblog/2009/09/22/rescue-cd-311/), burn it to CD, and scan your system occasionally with the CD. It's the safest way to ensure you catch any rootkits or trojans that infect your Windows system.
Unfortunately, the more IT Security you know, the more paranoid you will tend to be. However, crackers and thieves tend to target Windows systems because they are the low hanging fruit of the IT world.
Actually, you can get drive-by downloads and all kinds of stuff these days from legitimate web sites that are compromised. I switched to Linux for two of my personal systems many years ago. My Windows PC is a glorified game console. I run VMware Workstation on it and occasionally surf the web from a small number of trusted sites when I need certain information, but I try not to surf the web from that system or go online at all. While Windows has gotten more secure than in the past, it's still full of security holes. The makers of the BackTrack Live CD have a great course on network penetration. I gave up trying to pass the exam, but I still learned a lot. It's a relatively cheap online course as well, under $600. I wouldn't take it though if you aren't planning on going into IT Security within the USAF (Cyber Command). You've got enough on your plate now as it is. But it doesn't hurt to know the basics, and you obviously know how to use Wireshark, which is a good start.
Thank you for all the recommendations from my readers! I downloaded BackTrack this week and have been playing around a little bit with it. I've looked into the Offensive Security courses... they look pretty sweet, but I should probably do the responsible, disciplined thing and focus on my Arabic for now.
In the meantime, I'll keep playing around. Now that I've started to learn about this stuff, I'm hooked.