Firewall Wizards mailing list archives

Re: Anti-Warchalking attack?


From: "Paul D. Robertson" <proberts () patriot net>
Date: Tue, 3 Sep 2002 21:31:42 -0400 (EDT)

On Wed, 4 Sep 2002, Darren Reed wrote:

So, I got to thinking and got some off-list mail that made me think of a 
couple of interesting things.

An interesting anti-warchalking attack could be to put false chalks with 
invalid SSIDs and WEP keys around the building(s).  

I've one problem for you.  What sort of chalk marks are people meant to put
on buildings?  You seem to think that it is a press-hype thing, with only
one person who has real confirmation of their existence.

I think it's *mostly* press-hyped, or at least the malicious use of 
it to identify and "out" others' networks is mostly press-hyped.  

However, like most overhyped "cool" things, I'm sure it'll become a 
self-fulfilling prophecy for a while.
  
What better way to kill it early than to attack it during the transition 
period?  While I realize that there are people who advertise their own 
networks, I think that the potential for damage for folks with large 
networks and angry people who've "moved on to pursue other opportunities" 
makes the whole idea bad.  Couple that with people who deploy networks and 
don't understand the technology and it gets worse.  IMO, the folks wishing 
to provide open access should have chosen a common SSID and perhaps even a 
common WEP key.  People who consciously choose to make their nets open 
shouldn't have a problem doing that- taking the insecure default, or 
worse-yet having to manage keychanges and SSID changes over a large 
enterprise because the intern in the mail room is pissed at his boss and 
thinks it'd be cool to publish your WEP keys and SSIDs in midtown 
Manhattan is a bad thing.  Someone's pissed off kid chalking the home 
"behind the VPN" access point is a bad thing.  The default of attackable and 
exploitable until made otherwise is a bad thing, some people will take 
advantage of this and *worse-yet* will encourage others to 
(perhaps inadvertently) trespass on networks that don't belong to them.  

The last thing we need is some poor innocent being prosecuted for hacking 
because they saw a chalk with the WEP key and SSID and thought it was made 
by the network operator, but it was really put there by the 
receptionist's ex-husband.  

Our choices include (a) try to educate every network operator, (b) try to 
hunt down all the bad guys, (c) get the vendors to ship things securely, (d) 
make the practice useless, or (e) ignore it all.  The first few haven't 
worked for much of anything else computer-wise. 

Also, what I said was that of the respondents to my question, only one had 
seen any evidence of it- I gave the sample size (statistically invalid) and 
rough geography to show that it didn't cover a lot of places where I'd 
suspect it might actually happen.  When I posed the original question, I 
said I'd summarize the responses, and they'd trailed off to nought- so I 
summarized the responses.

If I were going to chalk a honeypot, I'd probably do it as a closed node 
and start collecting MAC addresses of those who show up and after vetting 
them, nuke them from the valid wireless network if I had one.  If there 
are more "invalid" chalks than good, then chalking ceases to be anything 
useful.  Given the potential for damage by just made former employees, I 
think its failure modes are in-bounds for most places.

[I suspect that "valid" people chalking their own nets is more common on 
the west coast of the US than the east, since we don't tend to play well 
with others on this side of the country.] 
  
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
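
The honeypot bookkeeping described in the message above (collect the MAC addresses that show up on the chalked decoy node, vet them, then remove them from the valid wireless network), as an added example that is not part of the original post. The log format, the `KNOWN_ASSETS` inventory and all function names are assumptions made for illustration, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in a made-up decoy-AP log format (not a real product's
# output): timestamp, event, station MAC, SSID.
DECOY_LOG = """\
2002-09-03T20:01:11 assoc-attempt sta=00:02:2D:AA:10:01 ssid=decoy-lobby
2002-09-03T20:01:15 assoc-attempt sta=00:02:2d:aa:10:01 ssid=decoy-lobby
2002-09-03T20:07:42 probe sta=00:40:96:BB:20:02 ssid=decoy-lobby
2002-09-03T20:09:03 assoc-attempt sta=00:60:1D:CC:30:03 ssid=decoy-lobby
2002-09-03T20:16:00 assoc-attempt sta=00:04:5A:DD:40:04 ssid=decoy-lobby
truncated line with no fields
"""

# Hypothetical inventory of the organisation's own wireless adapters.
KNOWN_ASSETS = {"00:60:1d:cc:30:03"}

LINE_RE = re.compile(
    r"^(\S+) (assoc-attempt|probe) "
    r"sta=((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) ssid=(\S+)$"
)

def collect_visitors(log_text):
    """Return {normalised MAC: [timestamps]} for association attempts only."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip lines that do not parse rather than guess
        ts, event, mac, _ssid = m.groups()
        if event == "assoc-attempt":  # assumption: passive probes are ignored
            seen[mac.lower()].append(ts)
    return dict(seen)

def vet(visitors, known_assets):
    """Split visitors into (deny, review).

    Unknown adapters go on the deny list for the real network; adapters from
    the organisation's own inventory are held for human review instead.
    """
    known = {m.lower() for m in known_assets}
    deny = sorted(m for m in visitors if m not in known)
    review = sorted(m for m in visitors if m in known)
    return deny, review

if __name__ == "__main__":
    deny, review = vet(collect_visitors(DECOY_LOG), KNOWN_ASSETS)
    print("deny:", deny)
    print("review:", review)
```
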

