
Re: [OM] OT: A Close Call

Subject: Re: [OM] OT: A Close Call
From: Ken Norton <ken@xxxxxxxxxxx>
Date: Fri, 7 Jul 2017 09:17:28 -0500
>      There had been a warning on the morning news about a new form of 
> hacking, where the wifi hub is spoofed and you're connected to the hacker.  
> Cute.


Ain't new. It's been around for a LONG time. But it is getting endemic
to most public WiFi hotspots. On our last trip to Colorado, I found
spoofers at both hotels and at one Starbucks. That was 100% of our
hotel stays, and 50% of the Starbucks in just a four-day trip. I'm
sure I would have found more at the other 9 Starbucks that we visited,
but those weren't visits that used the WiFi.

There is a nifty app available for an Android cellphone that does
spoofing, but most people use either dedicated hardware (a cool little
battery powered box that fits in a belt holster under your shirt) or a
laptop with an extra USB WiFi adapter running a Linux program. The
idea is simple. Your device attaches to the Internet per normal, but
then your device has a second WiFi adapter in it that has the same
SSID as the hotspot. Either through proximity, directional antennas,
or other means, your fake hotspot becomes the preferred connection for
those around you. If you can disrupt the correct hotspot, your fake
hotspot will attach to the clients before the proper one can again.
Your fake hotspot will get the clients reattached (by spoofing the MAC
address and SSID of the real hotspot), and your client computers would
never know what happened. Your device or computer is then able to
scrape everything that traverses the connection.

However, it gets worse.

The fake hotspot isn't just scraping the traffic, but can intrude in
ways that will make your blood boil. HTTPS is supposed to be the
end-all, be-all in secure communications. Right? Normally, yes, but in
this scenario, I can screw with you big time. Let's say you log into
gmail. The login screen pulls up the HTTPS address like you expect.
Even McAfee and what-not is reporting a healthy connection. What your
computer doesn't know is that my fake hotspot has established a proper
HTTPS connection to the server with YOUR MAC address, and is serving
you a fake screen to your computer. Your computer still shows HTTPS,
but what you don't know is that it is anything but secure. You aren't
communicating with gmail, you are communicating with the spoofer
device and the spoofer device is communicating with the server. Until
recently, most hackers only scraped your login ID and password, and
then would break the link and let you relog back in per normal. To
stay "hidden" they would get only the information they needed and
would then go back into listen-mode only. Active hot-spot spoofing is
easily detectable and a crime. Listening usually isn't.

So, let's talk about one common hack that every 12 year old can do in
his/her sleep and is something everybody learns how to do in the first
hour of playing with these tools. Your computer and other devices with
WiFi adapters are constantly looking for networks to attach to. Let's
say that your home WiFi router has an SSID of "HOMEWIFI". While you
are out and about, your device is constantly broadcasting that SSID
out there. "Hey, HOMEWIFI, Are you there? Hey, STARBUCKS-WIFI, Are you
there? Hey, COMFORTINN-WIFI, Are you there?" Anything in your
auto-attach list is being broadcast in the blind as your device is
looking for known networks to attach to. My device announces itself in
a way that your device will recognize as a possible network, so your
device answers back "I'm looking for ______". The spoofing device then
can respond with that SSID and establish contact or can ignore. The
sad thing is that over 75% of all WiFi SSIDs are literally mapped
with LAT/LON and street address. If your home WiFi router SSID is
"SCHNOZZ-27af28112", I can do a lookup and find where that device was
last found by somebody war-driving. That provides no direct answers
for a hacker, but does provide substantial clues and pieces of the
puzzle that fit the big picture of what he is looking for.

But, what if you are an idiot and either your home WiFi router or one
you attached to in the past was the default "Linksys" or "Netgear"?
Spoofers have all the factory default SSIDs and Keys built in. If your
device is set up to auto-connect, I GOT YOU. Boom. In seconds, your
cellphone is connected to the Internet through me.

RULE #1: NEVER ALLOW ANY MOBILE DEVICES TO AUTO-CONNECT TO ANY WIFI
NETWORK. EVEN YOUR "TRUSTED" HOME NETWORK. This includes cellphones,
iPads and laptop computers.

RULE #2: REMOVE ALL NON-HOME/WORK WIFI HOTSPOTS OUT OF YOUR NETWORK
LIST THE MOMENT YOU DISCONNECT FROM THE NETWORK. Do not leave
"COMFORTINN-WIFI" in your list. Get rid of it. Because your device is
broadcasting every one of those out there for a hacker to intercept
and figure out where you've been and also an easy way to walk right
through your front door.

As to whether the hacker got inside Chris' computer? Doubtful. Just
because I'm intercepting communications doesn't mean that I can get
inside your computer. His various types of security software would
have seen the intrusion into his computer, but would not have seen the
external intercept.

AG SCHNOZZ
-- 
_________________________________________________________________
Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
Archives: http://lists.thomasclausen.net/mailman/private/olympus/
Themed Olympus Photo Exhibition: http://www.tope.nl/
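
Added example, not part of the post above: a small audit of saved Wi-Fi profiles against Rule #1 and Rule #2, flagging auto-connect, leftover hotspots and the factory-default SSIDs the post names. It assumes profiles in NetworkManager keyfile format on Linux; the sample profiles and the `keep_ssids` home/work list are constructed for illustration.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile (.nmconnection) format.
SAMPLE_PROFILES = {
    "HOMEWIFI": "[connection]\nid=HOMEWIFI\ntype=wifi\nautoconnect=false\n"
                "[wifi]\nssid=HOMEWIFI\n",
    # No autoconnect key at all: NetworkManager treats that as enabled.
    "COMFORTINN-WIFI": "[connection]\nid=COMFORTINN-WIFI\ntype=wifi\n"
                       "[wifi]\nssid=COMFORTINN-WIFI\n",
    "linksys": "[connection]\nid=linksys\ntype=wifi\nautoconnect=true\n"
               "[wifi]\nssid=linksys\n",
    "Wired": "[connection]\nid=Wired\ntype=ethernet\n",
}

# The two factory defaults named in the post, compared case-insensitively.
FACTORY_DEFAULT_SSIDS = {"linksys", "netgear"}


def audit_profile(text, keep_ssids):
    """Return the findings for one saved profile (empty list means clean)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return []  # not a Wi-Fi profile, nothing to check
    ssid = cp.get("wifi", "ssid", fallback=cp.get("connection", "id", fallback=""))
    findings = []
    # Rule #1: no auto-connect, even for the trusted home network.
    if cp.getboolean("connection", "autoconnect", fallback=True):
        findings.append("auto-connect enabled (Rule #1)")
    # Rule #2: anything that is not home/work should have been removed.
    if ssid not in keep_ssids:
        findings.append("not a home/work network, remove it (Rule #2)")
    if ssid.lower() in FACTORY_DEFAULT_SSIDS:
        findings.append("factory-default SSID")
    return findings


def audit_all(profiles, keep_ssids):
    """Audit every profile; keep_ssids is the user's own home/work list."""
    return {name: audit_profile(text, keep_ssids) for name, text in profiles.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PROFILES, {"HOMEWIFI"}).items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
```

On a real system the profile texts would be read from the NetworkManager connections directory (root-only) instead of the inline samples.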
