Firewall Wizards mailing list archives

RE: Anti-Warchalking attack?


From: "Paul D. Robertson" <proberts () patriot net>
Date: Wed, 4 Sep 2002 15:53:48 -0400 (EDT)

On Wed, 4 Sep 2002, Scott, Richard wrote:

> to ensure secure Wireless networks are architected.  By posting signs, isn't
> this entrapment and enticement mixing in that gray area again?  It will

If I'm enticing them to either a network that doesn't exist or to a 
honeynet (one might just say I'm advertising my honeynet) then it's only a 
big deal if (a) I'm a government, or (b) if I intend to prosecute them for 
hitting my honeynet.  I'd just use the honeynet for gathering MAC 
addresses, recon patterns, etc.

Good point though, so to be clear, I'm most certainly not advocating 
enticing folks to enter your "real" network and monitoring and prosecuting 
them.  In that case, I think the company would deserve the thrashing it'd 
(hopefully) get from the defense.  

That's part of my problem with this whole scheme though- there is zero 
authenticity in marks on a wall.

> depend on the virtue of the law of that country.  These signs could be
> interpreted as common hobo public signs that are used to permit access to a
> resource.  I am not going to venture too far down this road however, because
> as soon as you begin injecting incorrect information, the users will only
> address that data from trusted sources, the underground.

They're going to do that anyway though- but those are the folks you 
*really* want to guard against and take action against, not the ones who 
think that finding marks on a wall is an indication of their 'leet hax0r 
skillz.  

Poor protocol choices are poor protocol choices, if it's FTP, WEP or 
deciding that marks on a wall are indicative of permission to use a network.

We quickly get into murkier gray areas where an employee without 
authorization decides it can't hurt to invite anyone in sight of the 
building onto the network.  Let's say I work at a retail company, and I 
decide that all my high school buddies should be able to surf the 'Net 
through that company's wireless network, and what the heck- I just got 
this 'leet chalking card...  So I post the SSID and WEP key that my cash 
register[1] is using on the outside of the building.  Now, someone sees it 
and uses the network to download MP3s of copyrighted materials.  Let's say 
that someone else uses it to probe corporate HQ over my WAN, and a third 
person decides to attack a Web site.  Now, does RIAA go after the guy who 
exercised "free speech" on the side of the building, the company, the 
end-user, or some combination of the above?  Does the company go after 
the employee (and for what?) How would the retailer protect itself?  How 
would it distinguish folks "just using the advertised network" from those 
who were "malicious?" What about the bad press?  Is the bad guy probing 
corporate safe from prosecution because of the implied invitation?

Once again, we're already stuck with crappy insecure protocols on the 
transport side.  I'm not a big fan of coupling them with crappy protocols 
on the usage side.

Paul
[1] Those who'd decide that such things shouldn't be connected to the 
Internet would also decide that nobody'd put in-the-clear 802.11 traffic 
in a retail POS environment[2].
[2] Sorry, it's just such a good example that I couldn't resist.  
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
