Announcement

Collapse
No announcement yet.

Hacking the worlds largest mall

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Hacking the worlds largest mall

    Blog entry: https://forum.defcon.org/blog.php?b=8

    So I was a bad boy over the holidays. I did a wireless audit of one of the worlds largest malls to see if anyone learned from the TJX data loss. In a word: No, they did'nt

    Since I was there, I also scanned the crowds for Bluetooth which yielded more than I thought.

    Article:http://www.renderlab.net/advisories/wested/
    Never drink anything larger than your head!






  • #2
    Re: Hacking the worlds largest mall

    Originally posted by renderman View Post
    Blog entry: https://forum.defcon.org/blog.php?b=8

    So I was a bad boy over the holidays. I did a wireless audit of one of the worlds largest malls to see if anyone learned from the TJX data loss. In a word: No, they did'nt

    Since I was there, I also scanned the crowds for Bluetooth which yielded more than I thought.

    Article:http://www.renderlab.net/advisories/wested/
    I get one of those "you do not have permission to access this page" errors when I try to view your blog entries.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

    Comment


    • #3
      Re: Hacking the worlds largest mall

      Originally posted by renderman View Post
      Confirmed:

      Greyhatter, you do not have permission to access this page. This could be due to one of several reasons:

      1. Your user account may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
      2. If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.

      Geezus! Still running open or with WEP! How dangerous and foolish. The mall is a village!! Hack the mall!!! oh yeah!!!!
      Last edited by Greyhatter; January 17, 2008, 18:54.

      Comment


      • #4
        Re: Hacking the worlds largest mall

        That blog entry is a private area, so no one can see it except Render and Mods/Admins. Render has been sent a PM.
        Thorn
        "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

        Comment


        • #5
          Re: Hacking the worlds largest mall

          Fixed, everyone has view/comment access now
          Never drink anything larger than your head!





          Comment


          • #6
            Re: Hacking the worlds largest mall

            Originally posted by Greyhatter View Post
            Geezus! Still running open or with WEP! How dangerous and foolish
            i wouldn't be surprised if a lot of the time this is a result of firmware limitations. some devices just simply do not have the ability to upgrade to the point that the support WPA or WPA2. certain operations may have setup their networks some time ago when enabling WEP was a sign that you had some "appreciation of security" and then possibly never asked their tech consultant to return to the premises since it's "been working ever since"

            i know i've encountered that once or twice... with networks that i've built. clients who were one-off jobs call me out of the blue and ask me to stop by since a disk array died or something, i walk back into an office i haven't set foot in since bill clinton was president, and realize that they're running WiFi on Linksys equipment so ancient that the spiders who made webs in the wires have died of old age. seeing WEP enabled there isn't as odd as one might think.

            all in all... an amazing bit of field work and reporting there, render. great job!
            "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
            - Trent Reznor

            Comment


            • #7
              Re: Hacking the worlds largest mall

              Originally posted by Deviant Ollam View Post
              then possibly never asked their tech consultant to return to the premises since it's "been working ever since"
              I suspect that this is the most likely reason for security flaws in smaller organizations. Unless the customer purchases a "managed service" (which is being pushed harder than in the past), they have to go out of their way and pay extra (which can be quite extreme if the original consultant isn't available) to have someone inspect a setup that works well enough. As silly as it sounds here, most people don't think of security as an arms war which requires constant vigilance.

              Comment


              • #8
                Re: Hacking the worlds largest mall

                Originally posted by Voltage Spike View Post
                I suspect that this is the most likely reason for security flaws in smaller organizations. Unless the customer purchases a "managed service" (which is being pushed harder than in the past), they have to go out of their way and pay extra (which can be quite extreme if the original consultant isn't available) to have someone inspect a setup that works well enough. As silly as it sounds here, most people don't think of security as an arms war which requires constant vigilance.
                I think that's most of what I was seeing. Alot of times it's setup at the opening of the store and not re-visted by corporate unless there is a problem. I allude to this in the article.

                Having done some contracting to be the eyes, ears and hands of the head office to make changes at store level, I can tell you that alot of places have no freaking idea what is going on at the store level, at least as long as the money and reciepts keep coming in.

                Part of the reasoning for doing this was boredom, which is always dangerous with me. The other was having something public to hopefully get some attention and light a fire under some asses since this sort of thing affects everyone who spends money anywhere.
                Never drink anything larger than your head!





                Comment


                • #9
                  Re: Hacking the worlds largest mall

                  http://www.renderlab.net/advisories/wested/


                  What I really what to know after reading this is:

                  1. What was the total vendor pool?

                  2. Of that pool, what percentages were wide open, WEP encrypted, and WPA/2?
                  Last edited by Greyhatter; January 19, 2008, 14:05.

                  Comment


                  • #10
                    Re: Hacking the worlds largest mall

                    Kick ass report Render. Question:

                    As private networks, couldn't it be possible that access was controlled by MAC address, and if so, wouldn't make a difference in intrusion / security?
                    "640k ought to be enough for anybody" - Bill Gates 1981

                    Comment


                    • #11
                      Re: Hacking the worlds largest mall

                      Originally posted by SlackJaw View Post
                      Kick ass report Render. Question:

                      As private networks, couldn't it be possible that access was controlled by MAC address, and if so, wouldn't make a difference in intrusion / security?
                      Spoofing a MAC can be done in under 10 seconds on a wireless (or wired) card, and affords no real security. I'd actually say it gives you a false sense of security.
                      Thorn
                      "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

                      Comment


                      • #12
                        Re: Hacking the worlds largest mall

                        Originally posted by Thorn View Post
                        Spoofing a MAC can be done in under 10 seconds on a wireless (or wired) card, and affords no real security. I'd actually say it gives you a false sense of security.
                        I'll agree, with a quick caveat:

                        It's like running a firewall. It keeps out the amateurs. If you think it's absolute protection, you're in for a sad surprise. It surely cuts down on the noise, however.

                        Comment


                        • #13
                          Re: Hacking the worlds largest mall

                          Originally posted by Greyhatter View Post
                          http://www.renderlab.net/advisories/wested/


                          What I really what to know after reading this is:

                          1. What was the total vendor pool?

                          2. Of that pool, what percentages were wide open, WEP encrypted, and WPA/2?
                          I'm slowly sifting through the data, but there were over 300 networks detected. A fair chunk were the malls 'public' nets, alot were random SSID's I couldn't pin to a specific location (without DF gear and the obvious questions that raises).

                          Very few were wide open. Those that were, I wager were rogues or demo gear not hooked to anything interesting.

                          I did'nt walk through every store to get a complete picture, so things are skewed.

                          Let me know what specific info your interested in and I can add those stats. I like feedback like this.

                          I hope to put out an adendum with more data, but
                          Never drink anything larger than your head!





                          Comment


                          • #14
                            Re: Hacking the worlds largest mall

                            Originally posted by shrdlu View Post
                            I'll agree, with a quick caveat:

                            It's like running a firewall. It keeps out the amateurs. If you think it's absolute protection, you're in for a sad surprise. It surely cuts down on the noise, however.
                            Of course you're right, but as recent a 2 years ago, I felt comfortable with WEP, MAC based access, and not broadcasting SSID. Was I foolish even then?

                            Also, if some of these stores had older, WEP only AP's, do they not have alternatives short of buying WPA capable routers?

                            And one last question: Would there be benefits to putting the wireless device on a different subnet - firewalled from the segment where sensitive data resides?

                            Tommy
                            "640k ought to be enough for anybody" - Bill Gates 1981

                            Comment


                            • #15
                              Re: Hacking the worlds largest mall

                              Originally posted by shrdlu View Post
                              I'll agree, with a quick caveat:

                              It's like running a firewall. It keeps out the amateurs. If you think it's absolute protection, you're in for a sad surprise. It surely cuts down on the noise, however.
                              True, it does keep out the amateurs, but tells you nothing when someone more knowledgeable starts an attack on you. In my opinion, it's preferable to check logs (even low-end APs will maintain logs, and most support syslog) or run a cheap IDS that looks for new MACs. Both of those things will let you know what's going on, without a false sense that you're actually blocking out people based on something that's known to be easily defeated.

                              Originally posted by SlackJaw View Post
                              Of course you're right, but as recent a 2 years ago, I felt comfortable with WEP, MAC based access, and not broadcasting SSID. Was I foolish even then?
                              Sorry, Tommy, but the answer is "Yes, you were foolish even then." By mid-2005, the WEP weaknesses were well known and documented, and WPA gear was widely available. MAC-based access control is band-aid that, in my opinion, gives nothing but a false sense of security, as I point out above.

                              "Non-Broadcast" of the SSID is misleading. First of all, the AP never stops broadcasting the SSID, it merely stops sending out the SSID in response to a "Beacon Probe Request". Similar in nature to the the ICMP ping, the Beacon Probes are packet sent out to see what APs are on a given channel. They are part of the 802.11 standard, and are used as part of the Roaming function.

                              Secondly, APs broadcast the SSID every 1/10th second (the default setting which can be changed, but not turned off.)

                              Both of those things mean that APs with the AP "Non-Broadcast" setting are merely not responding to devices that are actively looking for APs. This will defeat active scanners such as NetStumbler, but not passive scanners such as Kismet. A lot of people think that's OK, since it again will defeat the amateurs, but it also breaks the Roaming function. So if you have two or more APs and are roaming between them, the automatic switching to the strongest AP will no longer take place. All-in-all, the "Non-Broadcasting" option merely gives another false sense of security.

                              Originally posted by SlackJaw View Post
                              Also, if some of these stores had older, WEP only AP's, do they not have alternatives short of buying WPA capable routers?
                              Aside from a subneting which you touched on below, not really, but that's hardly a defense, in that the WPA-enable equipment was priced so low in comparison to the earlier WEP-equiped APs. It would have been a "Penny wise, Pound foolish" type of thing, when the heightened security is viewed as part of the ROI.

                              Originally posted by SlackJaw View Post
                              And one last question: Would there be benefits to putting the wireless device on a different subnet - firewalled from the segment where sensitive data resides?
                              The benefits to subnetting are exactly very good. Some equipment (e.g. some Symbol wireless bar-code scanners) can't even do WEP. So isolating that information to a subnet the only carries UPC codes, pricing, stock codes, etc., makes a lot of sense. However, most places don't think about that, and will have wireless cash registers on the same open wireless network, doing things like broadcasting Credit Card info in the clear. It's stupid, but I've seen it with my own two eyes.
                              Thorn
                              "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

                              Comment

                              Working...
                              X