Penetration Testing mailing list archives

Re: Walmart using WEP


From: Gary Nichols <gnichols () phx1 bcbsaz com>
Date: Fri, 28 Jul 2006 13:13:25 -0700

Perhaps I'm missing something here, but how exactly were these posts
reckless?  

Examples:

Is this reckless?: OMG Walmart had an open access point and I hax0red their
POS system and dropped the price on all Britney Spears CDs to 25 cents! The
new WEP key is '0wn3d!'.

Yes.  That would be reckless, but I didn't see that in this thread.

Is this reckless?: It would appear that Walmart is using 802.11 networking
and WEP on their inventory scanners.  This could be bad if someone cracked
the WEP key.  Not a very good security practice.

No.  I don't see it.  Looks like a good discussion topic to me.

Is this reckless?: I saw an 802.11 WAP on top of a door at Walmart.  I
wonder if it's an open network.  The next time I war drive the neighborhood
I should check.

No.  The poster never made mention of connecting to the network.  Checking
the presence of a broadcasted SSID and its encryption method/status is *NOT
ILLEGAL*.  Most commercial entities appreciate it when you alert them that
they have an open access point on their network.  Of course, with everyone
screaming "HACKER! TERRORIST!" nowadays, white and grey hats alike are
paranoid to advise anyone of anything.

Now, if the poster connected to the network, grabbed an IP and started
snooping around... Well, then I'd be flaming him too.

Sorry to beat the horse to death, but I hear this argument all too
frequently and it just gets tiring.


From: "Hawkins, Ray (721)" <Ray.Hawkins () protiviti com>
Date: Thu, 27 Jul 2006 19:27:20 -0700
To: Gary Nichols <gnichols () phx1 bcbsaz com>, <pen-test () securityfocus com>
Conversation: Walmart using WEP
Subject: RE: Walmart using WEP

the community that the retired granny three doors down has a broken lock on
her backdoor rather than just telling her directly.  No amount of
pontificating over responsibility legitimizes reckless posts.

-----Original Message-----
From: Gary Nichols [mailto:gnichols () phx1 bcbsaz com]
Sent: Thursday, July 27, 2006 9:07 PM
To: pen-test () securityfocus com
Subject: Re: Walmart using WEP

Yes, this forum is for professionals to learn and share.  As a matter of
fact, many of us actually learn from the mistakes of others.  I don't see
anyone here advocating wardriving for the purpose of mischief.  I see a
couple of people talking about how irresponsible some commercial entities
are in deploying their wireless architectures, and one individual that was
going to drive around and see if his theory held water.

I had a chuckle when I read that "...war driving should be confined to
legally permitted isolated networks...".  Wardriving doesn't lend itself to
your suggestion by its very definition:

http://en.wikipedia.org/wiki/Wardriving

Don't apologize for not being impressed.  Most of us dressed-down for the
list today.




