Re: Hacking the worlds largest mall

And related to this:
Any security measure that is said to be, "ok because it keeps out the amateurs," has the obvious problem in suggesting that it does not keep out the experienced.

Beyond the above, there is an even more serious risk in the assumption that something is, "ok because it keeps out amateurs." We live in a world where technological innovations appear every day, and the number of people working on such innovations is increasing.
Todays techniques to, "protect," a system from today's amateur is just one automation innovation away from being a tool in the toolbox of tomorrow's amateur.

(If it is not obvious, I am agreeing with Thorn, but trying to emphasize often overlooked risks with the assumption that, security by obscurity is often good. Though there is different packaging, the, "protection," of systems using the above is yet another example of, "security by obscurity," which is often not security at all.)

There is something that works to the benefit of people looking to keep, "the bad guys out." When a person learns more about how to defeat systems, and violate system security, they become more educated and more experienced. At some point, many will consider their own personal risk, in losing their freedom and continued opportunity to explore the same systems with which they share intimacy in their day-to-day lives. At this point, many will choose to not risk their own personal freedoms for, "shits and giggles." Those lacking such wisdom are cursed with hubris as their ego persuades them to take risks which will ultimately cause them to forfeit future opportunities in exploration.

There is a great deal of wisdom in understanding of the economist's opportunity cost. :-)

Re: Hacking the worlds largest mall

Exactly, although some people do feel that the greater number of amateurs pose an overall greater risk than the professionals, simply from a numerical viewpoint. There are also those whose viewpoint is that "you can't really stop a professional, only slow them down." While it is true to some extent, it's also somewhat defeatist in my opinion.

In police work, we used to see this phenomenon pretty clearly with burglars. Most are young men*, age 15 to 30. When they would hit a certain age, (~25-30 y.o.) when the risks of losing freedom. family, job, etc., started to outweighed the ill-gotten gains, and they would quit, or at least go to a more lucrative and less risky illegal activity.

*Although, there was one burglary gang of all young women in the 1990s. It was rather unique at the time.

Re: Hacking the worlds largest mall

Was not looking for names of vendors but rather just the total sample. From what your saying a larger percentage of vendors still use WEP and believe they are secure. Of the 300 hits would the vendors using WEP constitute 50%, and the WAP\2 constitute 48%, while wide open was 2%? That's what I'm curious about.

While you did not name PPH International, or the doctors office, I concede there are some vendors at a much higher risk for more than just credit card theft. Credit cards have liability limits especially when stolen, however, a young lady could lose much more regardless if she does not have the ability to pay PPH or even a private doctors office. If this is PPH's view of privacy then perhaps The United Way and other funders should be aware of it? Your study should raise many private, public, and legislative concerns.

Re: Hacking the worlds largest mall

I'll pull something together tonight. I'll have to see if I can find something to quickly parse these logs since I don't want to do it by hand, and I need to remove the public nets.

You are quite right that depending on the breakdown, it does change the perception of the level of security overall. Though I will point out that to have any with just WEP is probobly a bad thing.

I have not idea who PPH International is, but You are right. I tried to frame things around what happened at TJX. Most of that was CC#'s but there was a huge amount of personal info that would have been even more valuable.

Re: Hacking the worlds largest mall


No rush here. I was just curious about the percentages as they could be generalized to other malls in North America and perhaps worldwide?

The next time you do this test why not borrow or rent a wheelchair and take a buddy as eyewitness and impartial secondary observer. No one would question a disabled person in an wheelchair with a laptop while his buddy overlooked and pushed from behind. This would keep the overheating laptop and trench coat issues at bay. Here in the U.S. a guy walking through a mall sporting a backpack and a long trench coat could eventually draw live fire if not a search for reasonable suspicion. Yes it's becoming that bad here.

Oops.. I thought you might have been referring to Planned Parenthood in Canada.

Re: Hacking the worlds largest mall

I leave for Norway in a week so I'm a bit busy with that. Stats might have to wait, but your not the only person to ask.

As for the wheelchair, I don't think I'd need one. Just need to do this in summer where I can ditch the coat.

You know, I never thought for a second about wearing the coat, etc. I've never been hassled or had anyone question anything. Damn I love this country sometimes.

Re: Hacking the worlds largest mall

Quick update.

Greyhatter and others were curious about the number of WEP/WPA/OPEN nets discovered. I ran some quick tools to get stats. These include the public nets for the mall and hotel, but still give you an idea of what's there:

http://www.renderlab.net/advisories/...lessstats.html

For the impatient:

Total found Networks: 489
Access-Points: 427 / 87%
Ad-Hoc: 5 / 1%
Other: 57 / 12%

WEP encrypted: 105 / 21%
WPA encrypted: 136 / 28%
Not encrypted: 248 / 51%

Hidden ESSID: 79 / 19%

Channel:
1: 117 / 24%
2: 2 / 0%
3: 5 / 1%
4: 10 / 2%
5: 2 / 0%
6: 165 / 34%
7: 3 / 1%
8: 8 / 2%
9: 6 / 1%
10: 1 / 0%
11: 113 / 23%
12: 0 / 0%
13: 0 / 0%
14: 0 / 0%

Re: Hacking the worlds largest mall

I''l let you know how that goes next winter. I usually wear a black duster. If it's not that it's the shorter version of it. Both are pretty bulky, though I know for a fact I can conceal a shorty AR-15 under the duster. I'm missing Alaska already.

Re: Hacking the worlds largest mall

Thanks for that renderman. If I remember you did inform the mall owners who in turn were supposed to inform the vendors of your findings? That being the case next Christmas shopping season should show an improvement of the wide opens and WEP. I still wonder what % of wide open or WEP were sensitive data ie medical, financial (ie bank) vs simple credit transactions. I'd say you'll have established a baseline for serious publication if you repeat this year using the same conditions. I'd still go for the friend and wheelchair approach over the backpack and long trench coat (easier on you, the friend, and the laptop).

Re: Hacking the worlds largest mall

Laptops and laptopn bags are not uncommon at malls here in the DC area.

We went to the mall yesterday and the large food court as well as Barnes & Nobels both have prominent signs offering free wireless Internet.

You can also get Internet access by connecting to the wireless at the Apple Store - although I have found it more difficlut since the introduction of the iPhone - seems it eats up their bandwidth to have dozens of laptops, iPhones and iTouches all connected for customers to play with.