Hacking the world's largest mall


  • Hacking the world's largest mall

    Blog entry: https://forum.defcon.org/blog.php?b=8

    So I was a bad boy over the holidays. I did a wireless audit of one of the world's largest malls to see if anyone learned from the TJX data loss. In a word: No, they didn't.

    Since I was there, I also scanned the crowds for Bluetooth which yielded more than I thought.

    Article: http://www.renderlab.net/advisories/wested/
    Never drink anything larger than your head!

  • #2
    Re: Hacking the world's largest mall

    Originally posted by renderman
    Blog entry: https://forum.defcon.org/blog.php?b=8

    So I was a bad boy over the holidays. I did a wireless audit of one of the world's largest malls to see if anyone learned from the TJX data loss. In a word: No, they didn't.

    Since I was there, I also scanned the crowds for Bluetooth which yielded more than I thought.

    Article: http://www.renderlab.net/advisories/wested/
    I get one of those "you do not have permission to access this page" errors when I try to view your blog entries.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";



    • #3
      Re: Hacking the world's largest mall

      Originally posted by renderman
      Confirmed:

      Greyhatter, you do not have permission to access this page. This could be due to one of several reasons:

      1. Your user account may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
      2. If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.

      Geezus! Still running open or with WEP! How dangerous and foolish. The mall is a village!! Hack the mall!!! oh yeah!!!!
      Last edited by Greyhatter; January 17, 2008, 17:54.



      • #4
        Re: Hacking the world's largest mall

        That blog entry is a private area, so no one can see it except Render and Mods/Admins. Render has been sent a PM.
        Thorn
        "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird



        • #5
          Re: Hacking the world's largest mall

          Fixed, everyone has view/comment access now
          Never drink anything larger than your head!


          • #6
            Re: Hacking the world's largest mall

            Originally posted by Greyhatter
            Geezus! Still running open or with WEP! How dangerous and foolish
            i wouldn't be surprised if a lot of the time this is a result of firmware limitations. some devices just simply do not have the ability to upgrade to the point that they support WPA or WPA2. certain operations may have set up their networks some time ago when enabling WEP was a sign that you had some "appreciation of security" and then possibly never asked their tech consultant to return to the premises since it's "been working ever since".

            i know i've encountered that once or twice... with networks that i've built. clients who were one-off jobs call me out of the blue and ask me to stop by since a disk array died or something, i walk back into an office i haven't set foot in since bill clinton was president, and realize that they're running WiFi on Linksys equipment so ancient that the spiders who made webs in the wires have died of old age. seeing WEP enabled there isn't as odd as one might think.

            all in all... an amazing bit of field work and reporting there, render. great job!
            "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
            - Trent Reznor



            • #7
              Re: Hacking the world's largest mall

              Originally posted by Deviant Ollam
              then possibly never asked their tech consultant to return to the premises since it's "been working ever since"
              I suspect that this is the most likely reason for security flaws in smaller organizations. Unless the customer purchases a "managed service" (which is being pushed harder than in the past), they have to go out of their way and pay extra (which can be quite extreme if the original consultant isn't available) to have someone inspect a setup that works well enough. As silly as it sounds here, most people don't think of security as an arms war which requires constant vigilance.



              • #8
                Re: Hacking the world's largest mall

                Originally posted by Voltage Spike
                I suspect that this is the most likely reason for security flaws in smaller organizations. Unless the customer purchases a "managed service" (which is being pushed harder than in the past), they have to go out of their way and pay extra (which can be quite extreme if the original consultant isn't available) to have someone inspect a setup that works well enough. As silly as it sounds here, most people don't think of security as an arms war which requires constant vigilance.
                I think that's most of what I was seeing. A lot of times it's set up at the opening of the store and not re-visited by corporate unless there is a problem. I allude to this in the article.

                Having done some contracting to be the eyes, ears and hands of the head office to make changes at store level, I can tell you that a lot of places have no freaking idea what is going on at the store level, at least as long as the money and receipts keep coming in.

                Part of the reasoning for doing this was boredom, which is always dangerous with me. The other was having something public to hopefully get some attention and light a fire under some asses since this sort of thing affects everyone who spends money anywhere.
                Never drink anything larger than your head!


                • #9
                  Re: Hacking the world's largest mall

                  http://www.renderlab.net/advisories/wested/


                  What I really want to know after reading this is:

                  1. What was the total vendor pool?

                  2. Of that pool, what percentages were wide open, WEP encrypted, and WPA/2?
                  Last edited by Greyhatter; January 19, 2008, 13:05.



                  • #10
                    Re: Hacking the world's largest mall

                    Kick ass report Render. Question:

                    As private networks, couldn't it be possible that access was controlled by MAC address, and if so, wouldn't it make a difference in intrusion / security?
                    "640k ought to be enough for anybody" - Bill Gates 1981



                    • #11
                      Re: Hacking the world's largest mall

                      Originally posted by SlackJaw
                      Kick ass report Render. Question:

                      As private networks, couldn't it be possible that access was controlled by MAC address, and if so, wouldn't it make a difference in intrusion / security?
                      Spoofing a MAC can be done in under 10 seconds on a wireless (or wired) card, and affords no real security. I'd actually say it gives you a false sense of security.
                      Thorn
                      "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird



                      • #12
                        Re: Hacking the world's largest mall

                        Originally posted by Thorn
                        Spoofing a MAC can be done in under 10 seconds on a wireless (or wired) card, and affords no real security. I'd actually say it gives you a false sense of security.
                        I'll agree, with a quick caveat:

                        It's like running a firewall. It keeps out the amateurs. If you think it's absolute protection, you're in for a sad surprise. It surely cuts down on the noise, however.
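Thorn's and shrdlu's exchange about MAC filtering points the same way for a defender: a filter that a spoofed address walks through is not a signal, but the access point's log is. What follows is an added example, not code from anyone in this thread, of the kind of "watch for new MACs" check a store could run over its AP's syslog output. The log lines and the allowlist are constructed for the example and imitate hostapd's association messages; a real AP's log format will differ and the regex has to be adjusted to it.

```python
"""Watch access-point syslog for client MACs that are not on an allowlist.

Added example for this thread, not code from any poster. Rather than trusting a
MAC filter, keep the AP's logs and alert when an unexpected station associates.
The log lines below are constructed for the example and loosely follow hostapd's
"STA <mac> IEEE 802.11: associated" wording; adapt LOG_RE to your own gear.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample syslog output (not a real capture). The fifth line is an
# unknown station; the last line is a known station associating a second time
# without ever having disassociated. The DHCP line shows unrelated chatter.
SAMPLE_LOG = """\
Jan 17 17:54:01 store-ap hostapd: wlan0: STA 00:1a:2b:3c:4d:5e IEEE 802.11: associated
Jan 17 17:54:09 store-ap hostapd: wlan0: STA 00:1a:2b:3c:4d:5f IEEE 802.11: associated
Jan 17 17:55:30 store-ap dhcpd: DHCPACK on 192.168.1.20 to 00:1a:2b:3c:4d:5e via br0
Jan 17 18:02:44 store-ap hostapd: wlan0: STA 00:1a:2b:3c:4d:5e IEEE 802.11: disassociated
Jan 17 18:03:10 store-ap hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.11: associated
Jan 17 18:03:12 store-ap hostapd: wlan0: STA 00:1a:2b:3c:4d:5e IEEE 802.11: associated
Jan 17 18:05:00 store-ap hostapd: wlan0: STA 00:1A:2B:3C:4D:5F IEEE 802.11: associated
"""

# Constructed allowlist: the two stations the store is supposed to have.
KNOWN_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}

LOG_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+\S+\s+hostapd:\s+"
    r"(?P<iface>\S+):\s+STA\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"IEEE 802\.11:\s+(?P<event>associated|disassociated)\b"
)


@dataclass
class Alert:
    ts: str
    mac: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return {ts, iface, mac, event} for an association event, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None                      # DHCP, kernel and other chatter is skipped
    rec = m.groupdict()
    rec["mac"] = rec["mac"].lower()      # normalise case so the allowlist matches
    return rec


def watch(lines: Iterable[str], known_macs: Iterable[str]) -> List[Alert]:
    """Replay log lines and return one Alert per suspicious association."""
    known = {m.lower() for m in known_macs}
    associated = set()                   # stations currently believed connected
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        mac, ts = rec["mac"], rec["ts"]
        if rec["event"] == "disassociated":
            associated.discard(mac)
            continue
        if mac not in known:
            alerts.append(Alert(ts, mac, "association from MAC not on allowlist"))
        elif mac in associated:
            # Weak signal only: a client that dropped off silently also does this,
            # but two radios sharing one address (a cloned MAC) look the same.
            alerts.append(Alert(ts, mac, "known MAC associated again without disassociating"))
        associated.add(mac)
    return alerts


if __name__ == "__main__":
    for a in watch(SAMPLE_LOG.splitlines(), KNOWN_MACS):
        print(f"{a.ts}  {a.mac}  {a.reason}")
```

Run against the sample, it reports the unknown de:ad:be:ef:00:01 station and the repeated association of 00:1a:2b:3c:4d:5f; the allowlist is the same list a MAC filter would hold, but here it is used to raise an alarm rather than to pretend to block.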



                        • #13
                          Re: Hacking the world's largest mall

                          Originally posted by Greyhatter
                          http://www.renderlab.net/advisories/wested/


                          What I really want to know after reading this is:

                          1. What was the total vendor pool?

                          2. Of that pool, what percentages were wide open, WEP encrypted, and WPA/2?
                          I'm slowly sifting through the data, but there were over 300 networks detected. A fair chunk were the mall's 'public' nets, a lot were random SSIDs I couldn't pin to a specific location (without DF gear and the obvious questions that raises).

                          Very few were wide open. Those that were, I wager were rogues or demo gear not hooked to anything interesting.

                          I didn't walk through every store to get a complete picture, so things are skewed.

                          Let me know what specific info you're interested in and I can add those stats. I like feedback like this.

                          I hope to put out an addendum with more data, but
                          Never drink anything larger than your head!


                          • #14
                            Re: Hacking the world's largest mall

                            Originally posted by shrdlu
                            I'll agree, with a quick caveat:

                            It's like running a firewall. It keeps out the amateurs. If you think it's absolute protection, you're in for a sad surprise. It surely cuts down on the noise, however.
                            Of course you're right, but as recently as 2 years ago, I felt comfortable with WEP, MAC based access, and not broadcasting SSID. Was I foolish even then?

                            Also, if some of these stores had older, WEP only APs, do they not have alternatives short of buying WPA capable routers?

                            And one last question: Would there be benefits to putting the wireless device on a different subnet - firewalled from the segment where sensitive data resides?

                            Tommy
                            "640k ought to be enough for anybody" - Bill Gates 1981



                            • #15
                              Re: Hacking the world's largest mall

                              Originally posted by shrdlu
                              I'll agree, with a quick caveat:

                              It's like running a firewall. It keeps out the amateurs. If you think it's absolute protection, you're in for a sad surprise. It surely cuts down on the noise, however.
                              True, it does keep out the amateurs, but tells you nothing when someone more knowledgeable starts an attack on you. In my opinion, it's preferable to check logs (even low-end APs will maintain logs, and most support syslog) or run a cheap IDS that looks for new MACs. Both of those things will let you know what's going on, without a false sense that you're actually blocking out people based on something that's known to be easily defeated.

                              Originally posted by SlackJaw
                              Of course you're right, but as recently as 2 years ago, I felt comfortable with WEP, MAC based access, and not broadcasting SSID. Was I foolish even then?
                              Sorry, Tommy, but the answer is "Yes, you were foolish even then." By mid-2005, the WEP weaknesses were well known and documented, and WPA gear was widely available. MAC-based access control is a band-aid that, in my opinion, gives nothing but a false sense of security, as I point out above.

                              "Non-Broadcast" of the SSID is misleading. First of all, the AP never stops broadcasting the SSID, it merely stops sending out the SSID in response to a "Beacon Probe Request". Similar in nature to the ICMP ping, the Beacon Probes are packets sent out to see what APs are on a given channel. They are part of the 802.11 standard, and are used as part of the Roaming function.

                              Secondly, APs broadcast the SSID every 1/10th second (the default setting which can be changed, but not turned off.)

                              Both of those things mean that APs with the AP "Non-Broadcast" setting are merely not responding to devices that are actively looking for APs. This will defeat active scanners such as NetStumbler, but not passive scanners such as Kismet. A lot of people think that's OK, since it again will defeat the amateurs, but it also breaks the Roaming function. So if you have two or more APs and are roaming between them, the automatic switching to the strongest AP will no longer take place. All-in-all, the "Non-Broadcasting" option merely gives another false sense of security.

                              Originally posted by SlackJaw
                              Also, if some of these stores had older, WEP only APs, do they not have alternatives short of buying WPA capable routers?
                              Aside from subnetting, which you touched on below, not really, but that's hardly a defense, in that the WPA-enabled equipment was priced so low in comparison to the earlier WEP-equipped APs. It would have been a "Penny wise, Pound foolish" type of thing, when the heightened security is viewed as part of the ROI.

                              Originally posted by SlackJaw
                              And one last question: Would there be benefits to putting the wireless device on a different subnet - firewalled from the segment where sensitive data resides?
                              The benefits of subnetting are very good. Some equipment (e.g. some Symbol wireless bar-code scanners) can't even do WEP. So isolating that information to a subnet that only carries UPC codes, pricing, stock codes, etc., makes a lot of sense. However, most places don't think about that, and will have wireless cash registers on the same open wireless network, doing things like broadcasting Credit Card info in the clear. It's stupid, but I've seen it with my own two eyes.
                              Thorn
                              "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird
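To put numbers on Greyhatter's open/WEP/WPA split and on Thorn's point about "non-broadcast" SSIDs, here is an added example (not code from any poster, nor from the renderlab write-up) that decodes 802.11 beacon frames the way a passive scanner does. The frames are constructed inside the block: the BSSIDs are locally administered 02:... addresses and the SSIDs and channels are made up. It shows that a hidden-SSID beacon still carries the BSSID, channel, beacon interval and privacy bit, and classifies each network as open, WEP, WPA or WPA2 from the capability field and the RSN/WPA elements, which is the tally Greyhatter asked for.

```python
"""Decode 802.11 beacons: what a 'hidden' SSID still reveals, plus an
open/WEP/WPA/WPA2 tally. Added example for this thread (not code from any
poster or from the renderlab write-up); frames are constructed by
build_beacon(), not captured."""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

HDR_LEN, FIXED_LEN = 24, 12      # mgmt header; timestamp(8)+interval(2)+capability(2)
BEACON_FC0 = 0x80                # frame control byte 0: management type, beacon subtype
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010
TU_SECONDS = 1024e-6             # one 802.11 time unit
IE_SSID, IE_RATES, IE_DS, IE_RSN, IE_VENDOR = 0, 1, 3, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI, type 1 = WPA (pre-RSN)


@dataclass
class BeaconInfo:
    bssid: str
    ssid: Optional[str]          # None when the SSID element is empty or all NULs
    channel: Optional[int]
    interval_s: float
    security: str                # "open", "WEP", "WPA" or "WPA2"


def parse_ies(body):
    """Walk tag/length/value elements; stop at a truncated one instead of guessing."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        ies.append((tag, value))
        i += 2 + length
    return ies


def classify_security(cap, ies):
    if any(tag == IE_RSN for tag, _ in ies):
        return "WPA2"
    if any(tag == IE_VENDOR and v.startswith(WPA_OUI_TYPE) for tag, v in ies):
        return "WPA"
    return "WEP" if cap & CAP_PRIVACY else "open"


def parse_beacon(frame):
    if len(frame) < HDR_LEN + FIXED_LEN or frame[0] != BEACON_FC0:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # address 3 of a beacon
    interval, cap = struct.unpack_from("<HH", frame, HDR_LEN + 8)
    ies = parse_ies(frame[HDR_LEN + FIXED_LEN:])
    ssid, channel = None, None
    for tag, value in ies:
        if tag == IE_SSID:
            # "Non-broadcast" APs send a zero-length SSID or one padded with NULs;
            # BSSID, channel, rates and capability bits are still in the frame.
            ssid = value.decode("utf-8", "replace") if any(value) else None
        elif tag == IE_DS and len(value) == 1:
            channel = value[0]
    return BeaconInfo(bssid, ssid, channel, interval * TU_SECONDS,
                      classify_security(cap, ies))


def tally(frames):
    """Networks per security class: the split Greyhatter asked for."""
    return dict(Counter(parse_beacon(f).security for f in frames))


def _ie(tag, payload):
    return bytes([tag, len(payload)]) + payload


def build_beacon(bssid, ssid, channel, privacy=False, rsn=False, wpa=False):
    """Constructed beacon with the usual 100 TU (102.4 ms) interval; not a capture."""
    header = bytes([BEACON_FC0, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, CAP_ESS | (CAP_PRIVACY if privacy else 0))
    ies = _ie(IE_SSID, ssid) + _ie(IE_RATES, b"\x82\x84\x8b\x96\x0c\x12\x18\x24")
    ies += _ie(IE_DS, bytes([channel]))
    if rsn:   # minimal RSN element: version 1, CCMP group and pairwise, PSK AKM
        ies += _ie(IE_RSN, b"\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x02\x00\x00")
    if wpa:   # minimal WPA vendor element: version 1, TKIP group and pairwise, PSK AKM
        ies += _ie(IE_VENDOR, WPA_OUI_TYPE + b"\x01\x00\x00\x50\xf2\x02\x01\x00\x00\x50\xf2\x02\x01\x00\x00\x50\xf2\x02")
    return header + fixed + ies


# Constructed sample networks (locally administered 02:... BSSIDs): open and visible,
# WEP with hidden SSID, WPA2 with visible SSID, WPA with NUL-padded hidden SSID.
SAMPLE_BEACONS = [
    build_beacon(b"\x02\x11\x22\x33\x44\x01", b"MALL-GUEST", 6),
    build_beacon(b"\x02\x11\x22\x33\x44\x02", b"", 11, privacy=True),
    build_beacon(b"\x02\x11\x22\x33\x44\x03", b"POS-Store12", 1, privacy=True, rsn=True),
    build_beacon(b"\x02\x11\x22\x33\x44\x04", b"\x00" * 8, 1, privacy=True, wpa=True),
]

if __name__ == "__main__":
    for f in SAMPLE_BEACONS:
        print(parse_beacon(f))
    print(tally(SAMPLE_BEACONS))
```

The second sample is the "non-broadcast" case Thorn describes: its SSID comes back as None, yet the parser still has its BSSID, channel 11, a 102.4 ms beacon interval and the privacy bit that marks it as WEP. The same classifier run over a real capture is what turns 300 detected networks into the percentages asked for in the thread.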
