Firewall Wizards mailing list archives
Re: Anti-Warchalking attack?
From: "Paul D. Robertson" <proberts () patriot net>
Date: Tue, 3 Sep 2002 21:31:42 -0400 (EDT)
On Wed, 4 Sep 2002, Darren Reed wrote:
> > So, I got to thinking and got some off-list mail that made me think of a couple of interesting things. An interesting anti-warchalking attack could be to put false chalks with invalid SSIDs and WEP keys around the building(s).
>
> I've one problem for you. What sort of chalk marks are people meant to put on buildings? You seem to think that it is a press-hype thing, with only one person who has real confirmation of their existence.

I think it's *mostly* press-hyped, or at least the malicious use of it to identify and "out" others' networks is mostly press-hyped. However, like most overhyped "cool" things, I'm sure it'll become a self-fulfilling prophecy for a while. What better way to kill it early than to attack it during the transition period?

While I realize that there are people who advertise their own networks, I think that the potential for damage for folks with large networks and angry people who've "moved on to pursue other opportunities" makes the whole idea bad. Couple that with people who deploy networks and don't understand the technology and it gets worse.

IMO, the folks wishing to provide open access should have chosen a common SSID and perhaps even a common WEP key. People who consciously choose to make their nets open shouldn't have a problem doing that- taking the insecure default, or worse-yet having to manage keychanges and SSID changes over a large enterprise because the intern in the mail room is pissed at his boss and thinks it'd be cool to publish your WEP keys and SSIDs in midtown Manhattan is a bad thing. Someone's pissed off kid chalking the home "behind the VPN" access point is a bad thing. The default of attackable and exploitable until made otherwise is a bad thing, some people will take advantage of this and *worse-yet* will encourage others to (perhaps inadvertently) trespass on networks that don't belong to them.

The last thing we need is some poor innocent being prosecuted for hacking because they saw a chalk with the WEP key and SSID and thought it was made by the network operator, but it was really put there by the receptionist's ex-husband.

Our choices include (a) try to educate every network operator, (b) try to hunt down all the bad guys, (c) get the vendors to ship things securely, (d) make the practice useless, or (e) ignore it all. The first few haven't worked for much of anything else computer-wise.

Also, what I said was that of the respondents to my question, only one had seen any evidence of it- I gave the sample size (statistically invalid) and rough geography to show that it didn't cover a lot of places where I'd suspect it might actually happen. When I posed the original question, I said I'd summarize the responses, and they'd trailed off to nought- so I summarized the responses.

If I were going to chalk a honeypot, I'd probably do it as a closed node and start collecting MAC addresses of those who show up and after vetting them, nuke them from the valid wireless network if I had one. If there are more "invalid" chalks than good, then chalking ceases to be anything useful. Given the potential for damage by just made former employees, I think its failure modes are in-bounds for most places.

[I suspect that "valid" people chalking their own nets is more common on the west coast of the US than the east, since we don't tend to play well with others on this side of the country.]

Paul
-----------------------------------------------------------------------------
Paul D. Robertson
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
proberts () patriot net
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards