Hacking the world's largest mall

  • DaKahuna
    replied
    Re: Hacking the world's largest mall

    Laptops and laptop bags are not uncommon at malls here in the DC area.

    We went to the mall yesterday and the large food court as well as Barnes & Noble both have prominent signs offering free wireless Internet.

    You can also get Internet access by connecting to the wireless at the Apple Store - although I have found it more difficult since the introduction of the iPhone - seems it eats up their bandwidth to have dozens of laptops, iPhones and iTouches all connected for customers to play with.


  • Greyhatter
    replied
    Re: Hacking the world's largest mall

    Originally posted by renderman:

    For the impatient:

    Total found Networks: 489
    Access-Points: 427 / 87%
    Ad-Hoc: 5 / 1%
    Other: 57 / 12%

    WEP encrypted: 105 / 21%
    WPA encrypted: 136 / 28%
    Not encrypted: 248 / 51%

    Hidden ESSID: 79 / 19%

    Channel:
    1: 117 / 24%
    2: 2 / 0%
    3: 5 / 1%
    4: 10 / 2%
    5: 2 / 0%
    6: 165 / 34%
    7: 3 / 1%
    8: 8 / 2%
    9: 6 / 1%
    10: 1 / 0%
    11: 113 / 23%
    12: 0 / 0%
    13: 0 / 0%
    14: 0 / 0%

    Thanks for that renderman. If I remember, you did inform the mall owners, who in turn were supposed to inform the vendors of your findings? That being the case, next Christmas shopping season should show an improvement of the wide opens and WEP. I still wonder what % of wide open or WEP were sensitive data, i.e. medical, financial (i.e. bank) vs simple credit transactions. I'd say you'll have established a baseline for serious publication if you repeat this year using the same conditions. I'd still go for the friend and wheelchair approach over the backpack and long trench coat (easier on you, the friend, and the laptop).


  • barry99705
    replied
    Re: Hacking the world's largest mall

    Originally posted by Greyhatter:
    No rush here. I was just curious about the percentages as they could be generalized to other malls in North America and perhaps worldwide?

    The next time you do this test why not borrow or rent a wheelchair and take a buddy as eyewitness and impartial secondary observer. No one would question a disabled person in a wheelchair with a laptop while his buddy overlooked and pushed from behind. This would keep the overheating laptop and trench coat issues at bay. Here in the U.S. a guy walking through a mall sporting a backpack and a long trench coat could eventually draw live fire if not a search for reasonable suspicion. Yes it's becoming that bad here.

    Oops.. I thought you might have been referring to Planned Parenthood in Canada.

    I'll let you know how that goes next winter. I usually wear a black duster. If it's not that it's the shorter version of it. Both are pretty bulky, though I know for a fact I can conceal a shorty AR-15 under the duster. I'm missing Alaska already.


  • renderman
    replied
    Re: Hacking the world's largest mall

    Quick update.

    Greyhatter and others were curious about the number of WEP/WPA/OPEN nets discovered. I ran some quick tools to get stats. These include the public nets for the mall and hotel, but still give you an idea of what's there:

    http://www.renderlab.net/advisories/...lessstats.html

    For the impatient:

    Total found Networks: 489
    Access-Points: 427 / 87%
    Ad-Hoc: 5 / 1%
    Other: 57 / 12%

    WEP encrypted: 105 / 21%
    WPA encrypted: 136 / 28%
    Not encrypted: 248 / 51%

    Hidden ESSID: 79 / 19%

    Channel:
    1: 117 / 24%
    2: 2 / 0%
    3: 5 / 1%
    4: 10 / 2%
    5: 2 / 0%
    6: 165 / 34%
    7: 3 / 1%
    8: 8 / 2%
    9: 6 / 1%
    10: 1 / 0%
    11: 113 / 23%
    12: 0 / 0%
    13: 0 / 0%
    14: 0 / 0%

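
The breakdown in the post above is the kind of thing renderman mentions having to parse out of the scan logs while removing the public nets. The following is an added example, not renderman's own tooling or anything from the thread: it assumes the survey was exported to a CSV with bssid, ssid, type, encryption and channel columns (Kismet and similar tools can produce such a table), drops the mall's and hotel's public SSIDs, and prints the same "count / percent" layout. The records and the PUBLIC_SSIDS list are constructed for the demo.

```python
"""Summarize a wireless survey export into the breakdown the stats post shows.

Added example, not code from the thread. Assumes a CSV export with the
columns below; every BSSID, SSID and value here is constructed.
"""
import csv
import io
from collections import Counter

# Constructed sample export; invented BSSIDs, SSIDs and values.
SAMPLE_CSV = """\
bssid,ssid,type,encryption,channel
00:11:22:33:44:01,MallFreeWiFi,infrastructure,none,1
00:11:22:33:44:02,MallFreeWiFi,infrastructure,none,6
00:11:22:33:44:03,HotelGuest,infrastructure,none,11
00:11:22:33:44:04,ShoeStorePOS,infrastructure,WEP,6
00:11:22:33:44:05,,infrastructure,WPA,11
00:11:22:33:44:06,KioskDemo,infrastructure,none,1
00:11:22:33:44:07,linksys,infrastructure,WEP,6
00:11:22:33:44:08,ScannerNet,adhoc,none,11
"""

# Assumed: the mall's and hotel's public networks, dropped before counting.
PUBLIC_SSIDS = {"MallFreeWiFi", "HotelGuest"}


def parse_records(text):
    """Read the CSV export into one dict per detected network."""
    return list(csv.DictReader(io.StringIO(text)))


def _breakdown(counter, total):
    """Map each key to (count, percent rounded to a whole number)."""
    return {k: (n, round(100 * n / total)) for k, n in sorted(counter.items())}


def summarize(records, exclude_ssids=()):
    """Count networks by type, encryption, hidden SSID and channel.

    Records whose SSID is in exclude_ssids are dropped first, so the
    percentages describe only the remaining (presumably vendor) networks.
    An empty SSID field is treated as a hidden ESSID.
    """
    kept = [r for r in records if r["ssid"] not in exclude_ssids]
    total = len(kept)
    if total == 0:
        return {"total": 0, "type": {}, "encryption": {}, "hidden": (0, 0), "channel": {}}
    hidden = sum(1 for r in kept if r["ssid"] == "")
    return {
        "total": total,
        "type": _breakdown(Counter(r["type"] for r in kept), total),
        "encryption": _breakdown(Counter(r["encryption"] for r in kept), total),
        "hidden": (hidden, round(100 * hidden / total)),
        "channel": _breakdown(Counter(int(r["channel"]) for r in kept), total),
    }


def format_report(summary):
    """Render the summary in the same 'count / percent' layout as the post."""
    lines = [f"Total found Networks: {summary['total']}"]
    for key, (n, pct) in summary["type"].items():
        lines.append(f"{key}: {n} / {pct}%")
    lines.append("")
    for key, (n, pct) in summary["encryption"].items():
        label = "Not encrypted" if key == "none" else f"{key} encrypted"
        lines.append(f"{label}: {n} / {pct}%")
    n, pct = summary["hidden"]
    lines += ["", f"Hidden ESSID: {n} / {pct}%", "", "Channel:"]
    for ch in range(1, 15):  # channels 1-14, zeros included as in the post
        n, pct = summary["channel"].get(ch, (0, 0))
        lines.append(f"{ch}: {n} / {pct}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(parse_records(SAMPLE_CSV), PUBLIC_SSIDS)))
```

Run without an exclusion set to get the "everything seen" numbers the post reports; run with the public SSIDs excluded to get the vendor-only view Greyhatter was asking about. Note that the sample above leaves two of five vendor networks with no encryption at all.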

  • renderman
    replied
    Re: Hacking the world's largest mall

    Originally posted by Greyhatter:
    No rush here. I was just curious about the percentages as they could be generalized to other malls in North America and perhaps worldwide?

    The next time you do this test why not borrow or rent a wheelchair and take a buddy as eyewitness and impartial secondary observer. No one would question a disabled person in a wheelchair with a laptop while his buddy overlooked and pushed from behind. This would keep the overheating laptop and trench coat issues at bay. Here in the U.S. a guy walking through a mall sporting a backpack and a long trench coat could eventually draw live fire if not a search for reasonable suspicion. Yes it's becoming that bad here.

    Oops.. I thought you might have been referring to Planned Parenthood in Canada.

    I leave for Norway in a week so I'm a bit busy with that. Stats might have to wait, but you're not the only person to ask.

    As for the wheelchair, I don't think I'd need one. Just need to do this in summer where I can ditch the coat.

    You know, I never thought for a second about wearing the coat, etc. I've never been hassled or had anyone question anything. Damn I love this country sometimes.


  • Greyhatter
    replied
    Re: Hacking the world's largest mall

    Originally posted by renderman:
    I'll pull something together tonight. I'll have to see if I can find something to quickly parse these logs since I don't want to do it by hand, and I need to remove the public nets.

    I have no idea who PPH International is, but you are right.

    No rush here. I was just curious about the percentages as they could be generalized to other malls in North America and perhaps worldwide?

    The next time you do this test why not borrow or rent a wheelchair and take a buddy as eyewitness and impartial secondary observer. No one would question a disabled person in a wheelchair with a laptop while his buddy overlooked and pushed from behind. This would keep the overheating laptop and trench coat issues at bay. Here in the U.S. a guy walking through a mall sporting a backpack and a long trench coat could eventually draw live fire if not a search for reasonable suspicion. Yes it's becoming that bad here.

    Oops.. I thought you might have been referring to Planned Parenthood in Canada.


  • renderman
    replied
    Re: Hacking the world's largest mall

    Originally posted by Greyhatter:
    Was not looking for names of vendors but rather just the total sample. From what you're saying a larger percentage of vendors still use WEP and believe they are secure. Of the 300 hits would the vendors using WEP constitute 50%, and the WPA/2 constitute 48%, while wide open was 2%? That's what I'm curious about.

    I'll pull something together tonight. I'll have to see if I can find something to quickly parse these logs since I don't want to do it by hand, and I need to remove the public nets.

    You are quite right that depending on the breakdown, it does change the perception of the level of security overall. Though I will point out that to have any with just WEP is probably a bad thing.

    Originally posted by Greyhatter:
    While you did not name PPH International, or the doctor's office, I concede there are some vendors at a much higher risk for more than just credit card theft. Credit cards have liability limits especially when stolen, however, a young lady could lose much more regardless if she does not have the ability to pay PPH or even a private doctor's office. If this is PPH's view of privacy then perhaps The United Way and other funders should be aware of it? Your study should raise many private, public, and legislative concerns.

    I have no idea who PPH International is, but you are right. I tried to frame things around what happened at TJX. Most of that was CC#s but there was a huge amount of personal info that would have been even more valuable.


  • Greyhatter
    replied
    Re: Hacking the world's largest mall

    Originally posted by renderman:
    I'm slowly sifting through the data, but there were over 300 networks detected. A fair chunk were the mall's 'public' nets, a lot were random SSIDs I couldn't pin to a specific location (without DF gear and the obvious questions that raises).

    Very few were wide open. Those that were, I wager were rogues or demo gear not hooked to anything interesting.

    I didn't walk through every store to get a complete picture, so things are skewed.

    Let me know what specific info you're interested in and I can add those stats. I like feedback like this.

    I hope to put out an addendum with more data, but

    Was not looking for names of vendors but rather just the total sample. From what you're saying a larger percentage of vendors still use WEP and believe they are secure. Of the 300 hits would the vendors using WEP constitute 50%, and the WPA/2 constitute 48%, while wide open was 2%? That's what I'm curious about.

    While you did not name PPH International, or the doctor's office, I concede there are some vendors at a much higher risk for more than just credit card theft. Credit cards have liability limits especially when stolen, however, a young lady could lose much more regardless if she does not have the ability to pay PPH or even a private doctor's office. If this is PPH's view of privacy then perhaps The United Way and other funders should be aware of it? Your study should raise many private, public, and legislative concerns.
    Last edited by Greyhatter; January 21, 2008, 12:31.


  • Thorn
    replied
    Re: Hacking the world's largest mall

    Originally posted by TheCotMan:
    And related to this:
    Any security measure that is said to be, "ok because it keeps out the amateurs," has the obvious problem in suggesting that it does not keep out the experienced.

    Exactly, although some people do feel that the greater number of amateurs pose an overall greater risk than the professionals, simply from a numerical viewpoint. There are also those whose viewpoint is that "you can't really stop a professional, only slow them down." While it is true to some extent, it's also somewhat defeatist in my opinion.

    Originally posted by TheCotMan:
    There is something that works to the benefit of people looking to keep, "the bad guys out." When a person learns more about how to defeat systems, and violate system security, they become more educated and more experienced. At some point, many will consider their own personal risk, in losing their freedom and continued opportunity to explore the same systems with which they share intimacy in their day-to-day lives. At this point, many will choose to not risk their own personal freedoms for, "shits and giggles."

    In police work, we used to see this phenomenon pretty clearly with burglars. Most are young men*, age 15 to 30. When they would hit a certain age (~25-30 y.o.), the risks of losing freedom, family, job, etc., started to outweigh the ill-gotten gains, and they would quit, or at least go to a more lucrative and less risky illegal activity.

    *Although, there was one burglary gang of all young women in the 1990s. It was rather unique at the time.


  • TheCotMan
    replied
    Re: Hacking the world's largest mall

    Originally posted by Thorn:
    A lot of people think that's OK, since it again will defeat the amateurs...

    And related to this:
    Any security measure that is said to be, "ok because it keeps out the amateurs," has the obvious problem in suggesting that it does not keep out the experienced.

    Beyond the above, there is an even more serious risk in the assumption that something is, "ok because it keeps out amateurs." We live in a world where technological innovations appear every day, and the number of people working on such innovations is increasing.
    Today's techniques to, "protect," a system from today's amateur are just one automation innovation away from being a tool in the toolbox of tomorrow's amateur.

    (If it is not obvious, I am agreeing with Thorn, but trying to emphasize often overlooked risks with the assumption that security by obscurity is often good. Though there is different packaging, the, "protection," of systems using the above is yet another example of, "security by obscurity," which is often not security at all.)

    There is something that works to the benefit of people looking to keep, "the bad guys out." When a person learns more about how to defeat systems, and violate system security, they become more educated and more experienced. At some point, many will consider their own personal risk, in losing their freedom and continued opportunity to explore the same systems with which they share intimacy in their day-to-day lives. At this point, many will choose to not risk their own personal freedoms for, "shits and giggles." Those lacking such wisdom are cursed with hubris as their ego persuades them to take risks which will ultimately cause them to forfeit future opportunities in exploration.

    There is a great deal of wisdom in understanding the economist's opportunity cost. :-)


  • Thorn
    replied
    Re: Hacking the world's largest mall

    Originally posted by shrdlu:
    I'll agree, with a quick caveat:

    It's like running a firewall. It keeps out the amateurs. If you think it's absolute protection, you're in for a sad surprise. It surely cuts down on the noise, however.

    True, it does keep out the amateurs, but tells you nothing when someone more knowledgeable starts an attack on you. In my opinion, it's preferable to check logs (even low-end APs will maintain logs, and most support syslog) or run a cheap IDS that looks for new MACs. Both of those things will let you know what's going on, without a false sense that you're actually blocking out people based on something that's known to be easily defeated.

    Originally posted by SlackJaw:
    Of course you're right, but as recently as 2 years ago, I felt comfortable with WEP, MAC based access, and not broadcasting SSID. Was I foolish even then?

    Sorry, Tommy, but the answer is "Yes, you were foolish even then." By mid-2005, the WEP weaknesses were well known and documented, and WPA gear was widely available. MAC-based access control is a band-aid that, in my opinion, gives nothing but a false sense of security, as I point out above.

    "Non-Broadcast" of the SSID is misleading. First of all, the AP never stops broadcasting the SSID, it merely stops sending out the SSID in response to a "Beacon Probe Request". Similar in nature to the ICMP ping, the Beacon Probes are packets sent out to see what APs are on a given channel. They are part of the 802.11 standard, and are used as part of the Roaming function.

    Secondly, APs broadcast the SSID every 1/10th second (the default setting which can be changed, but not turned off.)

    Both of those things mean that APs with the AP "Non-Broadcast" setting are merely not responding to devices that are actively looking for APs. This will defeat active scanners such as NetStumbler, but not passive scanners such as Kismet. A lot of people think that's OK, since it again will defeat the amateurs, but it also breaks the Roaming function. So if you have two or more APs and are roaming between them, the automatic switching to the strongest AP will no longer take place. All-in-all, the "Non-Broadcasting" option merely gives another false sense of security.

    Originally posted by SlackJaw:
    Also, if some of these stores had older, WEP only APs, do they not have alternatives short of buying WPA capable routers?

    Aside from subnetting, which you touched on below, not really, but that's hardly a defense, in that the WPA-enabled equipment was priced so low in comparison to the earlier WEP-equipped APs. It would have been a "Penny wise, Pound foolish" type of thing, when the heightened security is viewed as part of the ROI.

    Originally posted by SlackJaw:
    And one last question: Would there be benefits to putting the wireless device on a different subnet - firewalled from the segment where sensitive data resides?

    The benefits to subnetting are very good. Some equipment (e.g. some Symbol wireless bar-code scanners) can't even do WEP. So isolating that information to a subnet that only carries UPC codes, pricing, stock codes, etc., makes a lot of sense. However, most places don't think about that, and will have wireless cash registers on the same open wireless network, doing things like broadcasting Credit Card info in the clear. It's stupid, but I've seen it with my own two eyes.
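
Thorn's advice above is to read the AP logs (most support syslog) or run a cheap IDS that looks for new MACs rather than trust MAC filtering. The following is an added example of that check, not Thorn's code or anything from the thread: it assumes hostapd-style association messages forwarded over syslog, and a KNOWN_MACS inventory of the store's own registers and scanners. The log lines, hostnames and MACs are constructed for the demo.

```python
"""First-seen MAC detector over access-point syslog lines.

Added example, not code from the thread. Assumes hostapd-style
"STA <mac> IEEE 802.11: associated" messages forwarded over syslog;
the hosts, MACs and the inventory below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (hostapd-style; invented hosts and MACs).
SAMPLE_SYSLOG = """\
Jan 21 12:30:01 ap-register1 hostapd: wlan0: STA 00:1a:2b:3c:4d:01 IEEE 802.11: associated (aid 1)
Jan 21 12:30:05 ap-register1 hostapd: wlan0: STA 00:1a:2b:3c:4d:02 IEEE 802.11: associated (aid 2)
Jan 21 12:31:40 ap-register1 hostapd: wlan0: STA 00:1a:2b:3c:4d:02 IEEE 802.11: disassociated
Jan 21 12:32:10 ap-stockroom hostapd: wlan0: STA 00:1A:2B:3C:4D:99 IEEE 802.11: associated (aid 1)
Jan 21 12:33:00 ap-register1 hostapd: wlan0: STA 00:1a:2b:3c:4d:99 IEEE 802.11: associated (aid 3)
Jan 21 12:35:22 ap-stockroom hostapd: wlan0: STA 00:1a:2b:3c:4d:03 IEEE 802.11: associated (aid 2)
this line is not an 802.11 event and is skipped
"""

# Assumed inventory of the store's own wireless devices (registers, scanners).
KNOWN_MACS = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02", "00:1a:2b:3c:4d:03"}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ap>\S+) hostapd: \S+: STA (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"IEEE 802\.11: (?P<event>\w+)"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    ap: str
    mac: str


def parse_events(text):
    """Yield (ts, ap, mac, event) for each line that parses; MACs are lower-cased."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["ap"], m["mac"].lower(), m["event"]


def detect_new_macs(text, known):
    """Return (alerts, seen): one Alert per MAC that associates but is not known.

    A MAC is reported the first time it is seen; later associations of the
    same unknown MAC (even on another AP) are not repeated, so a busy
    stockroom does not flood the operator. The seen-set is returned so a
    long-running process can carry state across log batches.
    """
    seen = {m.lower() for m in known}
    alerts = []
    for ts, ap, mac, event in parse_events(text):
        if event != "associated":
            continue
        if mac not in seen:
            seen.add(mac)
            alerts.append(Alert(ts, ap, mac))
    return alerts, seen


if __name__ == "__main__":
    for a in detect_new_macs(SAMPLE_SYSLOG, KNOWN_MACS)[0]:
        print(f"{a.ts} NEW STA {a.mac} associated with {a.ap}")
```

This is a noise filter in the sense shrdlu describes, not a gate: a station that presents a MAC already in the inventory is indistinguishable from the real device in these logs, which is exactly why Thorn treats MAC-based access control as a false sense of security. Its value is that the log is read at all, so an unexpected device on the stockroom AP is noticed rather than silently accepted.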


  • SlackJaw
    replied
    Re: Hacking the world's largest mall

    Originally posted by shrdlu:
    I'll agree, with a quick caveat:

    It's like running a firewall. It keeps out the amateurs. If you think it's absolute protection, you're in for a sad surprise. It surely cuts down on the noise, however.

    Of course you're right, but as recently as 2 years ago, I felt comfortable with WEP, MAC based access, and not broadcasting SSID. Was I foolish even then?

    Also, if some of these stores had older, WEP only APs, do they not have alternatives short of buying WPA capable routers?

    And one last question: Would there be benefits to putting the wireless device on a different subnet - firewalled from the segment where sensitive data resides?

    Tommy


  • renderman
    replied
    Re: Hacking the world's largest mall

    Originally posted by Greyhatter:
    http://www.renderlab.net/advisories/wested/

    What I really want to know after reading this is:

    1. What was the total vendor pool?

    2. Of that pool, what percentages were wide open, WEP encrypted, and WPA/2?

    I'm slowly sifting through the data, but there were over 300 networks detected. A fair chunk were the mall's 'public' nets, a lot were random SSIDs I couldn't pin to a specific location (without DF gear and the obvious questions that raises).

    Very few were wide open. Those that were, I wager were rogues or demo gear not hooked to anything interesting.

    I didn't walk through every store to get a complete picture, so things are skewed.

    Let me know what specific info you're interested in and I can add those stats. I like feedback like this.

    I hope to put out an addendum with more data, but


  • shrdlu
    replied
    Re: Hacking the world's largest mall

    Originally posted by Thorn:
    Spoofing a MAC can be done in under 10 seconds on a wireless (or wired) card, and affords no real security. I'd actually say it gives you a false sense of security.

    I'll agree, with a quick caveat:

    It's like running a firewall. It keeps out the amateurs. If you think it's absolute protection, you're in for a sad surprise. It surely cuts down on the noise, however.


  • Thorn
    replied
    Re: Hacking the world's largest mall

    Originally posted by SlackJaw:
    Kick ass report Render. Question:

    As private networks, couldn't it be possible that access was controlled by MAC address, and if so, wouldn't it make a difference in intrusion / security?

    Spoofing a MAC can be done in under 10 seconds on a wireless (or wired) card, and affords no real security. I'd actually say it gives you a false sense of security.