Interesting People mailing list archives

Beyond evil twin hotspots -- the pervasive retaking of control


From: David Farber <dave () farber net>
Date: Sat, 17 Mar 2007 14:40:19 -0400



Begin forwarded message:

From: Bob Frankston <Bob2-19-0501 () bobf frankston com>
Date: March 17, 2007 2:02:52 PM EDT
To: dave () farber net, ip () v2 listbox com
Subject: Beyond evil twin hotspots -- the pervasive retaking of control

Preface – this is a bit rambling because there are a number of interrelated issues. But it’s a reminder that the world of telecom is full of twisting and winding passages. We’re so used to spelunking the depths of telecom that it’s hard to accept the simplicity of the Internet – after all, how could we get from point A to B without wandering those imaginary passages – they seem so very real.

Rereading my own comments reminds me of a related problem and why I had to dump FiOSTV. Too bad our public policy on broadband and net neutrality is based on these kinds of naïve dependences such as assuming we have the Internet because of rather than despite broadband (AKA B-ISDN). Ultimately the net is about what we can do as owners. Even if we don’t (yet) own the infrastructure we use End-to-End principles to wrest control as in the days of modems (vs ISDN).

Before getting to router issues I had a reminder of how many traps there are for the unwary or disabled. I’m helping someone with mental illness. She doesn’t remember but apparently placed a number of operator-assisted calls to her son in Israel in January -- $1000 worth. That may seem like a lot but at $10/minute it doesn’t take long. These calls would be 10¢ if she dialed direct and had bet $4/month with Verizon (the fee for reducing the cost of 10x for international calls).

It’s one thing to be trapped by “evil twin routers” but another to have to be wary when dealing with your “friendly” phone company just placing calls. A single misdial to Djibouti (similar number) cost $50! I guess I shouldn’t be surprised that Verizon is insisting on payment though how does one justify a factor of 100x cost difference. Even more extreme when you consider this person has a DSL connection and thus there needn’t have been any charge at all. What is especially frustrating is that unlike the Internet there is no easy way to put a rule in the system – specs are specs and that’s that. This is indeed lottery pricing that would not be possible if there were real competition rather than faux competition within the gaming rules set by the FCC.

It’s an echo of the Moldova scandal when people downloaded programs that would dial Moldova and were forced to pay the outrageous charges. At least back then we weren’t used to using VoIP which made it so obvious the costs are totally bogus. Yet our policy makers seem to treat them as real.

The tendency to treat these artifacts as if they were immovable physical objects is a source of frustration for those of us who know these are just conventions and not real at all. I compare it to approximating 1.3 as 1 and then 1.3+1.3+1.3 = 3.000 when we then reintroduce presumed precision. Piling policy atop policy while treating each arbitrary model as reality seems to be the hallmark of our regulatory system.

It’s against this backdrop that the acceptance of broadband is so dangerous – the Verizon FiOSTV router is part of the campaign to take back control that goes far beyond mere non-neutrality. Remember that convergence means everything converges on IMS and 3G.

I use a Dual-WAN router for reliability but also because I sometimes get higher speeds using multiple pipes. Since MIT is peered directly with the local providers I was able to achieve over 30mbps when copying files using Bit Torrent. Normally BT is far slower than copying directly simply because of asymmetric connections and the low probability of proximate caching. Too bad a number of web sites seem to rely on the IP address across sessions – the statelessness requirement doesn’t get tested often enough so it’s forgotten.

When I decided to try out FiOSTV I found I had to use their router. The specs are very good for the Antec but then phone companies revel in specs. In practice it seems to have problems due to limits on NAT tables and other issues that others have written about. At first I put up with the problems and cascaded one path of my Dual WAN router through it. But since only Verizon could fix the problem I would have to wait till they deemed it in their interest. After all, they had to deal with millions of users and a single exception wasn't that important.

This is a repeat of the X.400/SMTP battle. X.400 took ten years for a change cycle whereas SMTP took a weekend but you can fix your own bugs immediately and even try out new features.

I had a similar experience in speaking to a CTO at a cellular manufacturer -- he looked to corporate buyers for implementing new features. A corporation would buy a few thousand just to run an application so it made sense from his perspective even if it denied us wonderful surprises. We see this all over – it is why, as I've noted in the past, the STB (Set Top Boxes) can't compete with PC gamer video boards for dealing with compression.

The FiOSTV situation gives us additional cause for concern as they insist on owning the wires in my home -- again -- because they say the Internet wasn't designed for video bits – we “know” that only RG-6 can carry video. This whole broadband issue does make a mockery of neutrality -- if the first mile playing field is vertical why does the rest matter much? It’s as if they are trying to return us to 1960 when they were in full control of the wires and devices in our homes.

One caveat is that Dual WAN routers for consumers seem to have appeared in 2004 and are still stuck there. Another reminder that as much as we can do as individuals we have to build on what is available. As much as I do want to program it all myself I do need many others contributing their efforts in order to create opportunity. The alternative of waiting for a small number of companies to accidentally do what is in my interest, especially when it is in conflict with theirs, is indeed problematic. Even more problematic is asking Congress for favors rather than eliminating the need to ask them by giving us the rights of ownership.

http://www.frankston.com/?Name=FTCBBW for more on the policy issues.



-----Original Message-----
From: David Farber [mailto:dave () farber net]
Sent: Saturday, March 17, 2007 10:00
To: ip () v2 listbox com
Subject: [IP] Re: thieves stealing data thru "evil twin" hotspots

Begin forwarded message:

From: Bob Frankston <Bob2-19-0501 () bobf frankston com>
Date: March 16, 2007 8:40:04 PM EDT
To: dave () farber net, ip () v2 listbox com
Cc: "'Paul Saffo'" <Paul () Saffo Com>
Subject: RE: [IP] thieves stealing data thru "evil twin" hotspots

This is a reminder of the importance of end-to-end security (including encryption). Link-level security only gives the illusion of security. Of course it's also a reminder of the risks of the bubble-baby security offering by firewalls. Unfortunately, these firewalls seem necessary because too many systems are very vulnerable. But when you remove a system from this cocoon of safety it isn't necessarily ready for the world.

One example of the damage done by these firewalls is that new systems seemed to be designed with the assumption the firewall is a security boundary so that “public” means “within this LAN”. That only perpetuates the problem. We must separate our security topology from the accidental properties of the physical topology or else these problems will only become worse while leaving the computer systems themselves inflexibly dependent upon the accidental paths of wires.

For the road a good work-around is to set up one's own VPN to a home system but that's too difficult for most people. At the very least you should be able to set up a relationship between any pair of machines such as your laptop and your home computer.

A full design of resilient trust systems is difficult -- especially when systems can be compromised -- but we should at least set up a relationship between the computer back home or in the office and the one you take on the road.

We're not going to eliminate all threats but we should try to deal with the most obvious problem -- the need to trust every element on the paths we use to communicate. Of course the more independent we are of the path the less traditional telecom models apply.

Encryption makes it more difficult to apply strategies such as blocking a particular port. Port blocking may make sense if we can detect extreme cases but such approaches are at odds with giving us more control over how we communicate. Worse, port blocking leads to the temptation to treat the use of encryption as a crime rather than responsible behavior.

-----Original Message-----
From: David Farber [mailto:dave () farber net]
Sent: Friday, March 16, 2007 17:12
To: ip () v2 listbox com
Subject: [IP] thieves stealing data thru "evil twin" hotspots

Begin forwarded message:

From: Paul Saffo <paul () saffo com>
Date: March 16, 2007 4:58:01 PM EDT
To: Dave Farber <dave () farber net>
Subject: LAT: thieves stealing data thru "evil twin" hotspots

http://www.latimes.com/news/local/la-me-wifihack16mar16,0,5875273.story?coll=la-headlines-california

Ensnared on the wireless Web

Hackers' latest tactic to steal information is setting up fake hotspots that users unwittingly use to access Internet.

By Tami Abdollah
Times Staff Writer

March 16, 2007

As Los Angeles and hundreds of other communities push to turn themselves into massive wireless hotspots, unsuspecting Internet users are stumbling onto hacker turf, giving computer thieves nearly effortless access to their laptops and private information, authorities and high-tech security experts say.

It's an invasion with a twist: People who think they are signing on to the Internet through a wireless hotspot might actually be connecting to a look-alike network, created by a malicious user who can steal sensitive information, said Geoff Bickers, a special agent for the FBI's Los Angeles cyber squad.

It is not clear how many people have been victimized, and few suspects have been charged with Wi-Fi hacking. But Bickers said that over the last couple of years, these hacking techniques have become increasingly common, and are often undetectable. The risk is especially high at cafes, hotels and airports, busy places with heavy turnover of laptop users, authorities said.

"Wireless is a convenience, that's why people use it," Bickers said. "There's an axiom in the computer world that convenience is the enemy of security. People don't use wireless because they want to be secure. They use wireless because it's easy."

For Mark Loveless, just one letter separated security from scam.

Logging on to his hotel's free wireless Internet in San Francisco last month, Loveless had two networks to choose between on his laptop screen — same name, one beginning with a lowercase letter, one with a capital. He chose the latter and, as he had done earlier that day, connected. But this time, a screen popped up asking for his log-in and password.

Loveless, a 46-year-old security analyst from Texas, immediately disconnected. A former hacker, he knew an attack when he saw one, he said.

Most Internet users do not.

About 14.3 million American households use wireless Internet, and this figure is projected to grow to nearly 49 million households by 2010, according to JupiterResearch, which specializes in business and technology market research.

"There's literally probably millions of laptops in the U.S. that are configured to join networks named Linksys or D-Link when they are available," said Corey O'Donnell, vice president of marketing for Authentium, a company that provides security software. "So if I'm a hacker, it's as easy as setting up a network with one of those names and waiting for the fish to come."

Linksys and D-Link are two of the many commercial brands of wireless routers, products that allow a user to connect to the Internet using radio frequency.

As the field of wireless connectivity expands, so too does a hacker's playground. More than 300 municipalities across the country are planning or already operating Wi-Fi service.

Los Angeles Mayor Antonio Villaraigosa last month announced plans for citywide Wi-Fi in 2009. USC already offers free wireless, and by the end of March, Los Angeles International Airport will officially offer wireless at all its terminals under a new contract with T-Mobile.

Some airlines already offer Wi-Fi at LAX. "There are no signs for any service at all, so if any passenger is accessing a free wireless service … they should be cautious," said Nancy Castles, an airport spokeswoman.

A survey at Chicago's O'Hare Airport by Authentium revealed 76 peer-to-peer networks, or access points that are connected to via another user's computer, with 27 of them advertising access to free Wi-Fi — a trademarked term for the technical specifications of wireless local area network operation. The company also found that three of the networks had fake or misleading addresses, one sign the hotspots could be hackers.

"At a busy place like O'Hare, in one hour a bad guy could get 20 laptops to connect to his network and steal the users' account information," said Ray Dickenson, vice president of product management at Authentium, who conducted the survey last September.

Corporate networks are sometimes the most vulnerable, as employers push for a more mobile workforce without always educating its users on the security risks of wireless Internet.

Many workers rely on corporate firewalls in the office and an automatic default network setting that links them to their corporate networks. Outside the office, the firewall is no longer in place. That means the computer is unprotected. Once hackers have "got a toehold in a network, it's pretty much game over," Bickers said.

Most laptops are configured to search for open wireless points and common wireless names, whether or not the user is trying to get online. That leaves people open to hacking.

In two new attacks, called "evil twin" and "man in the middle," hackers create Wi-Fi access points titled whatever they like, such as "Free Airport Wireless" or an established, commercial name.

In the "evil twin" attack, the user turns on a laptop, which may automatically try to connect. When it does, it is connecting to a fake access point, or "evil twin," and the hacker gets into personal files, steals passwords or plants a virus.

The hacker can become a "man in the middle" when he funnels the user's Internet connection through this false access point to a true wireless connection. The unsuspecting Wi-Fi surfer may then proceed to enter credit card information, access e-mail or reveal other sensitive data that can be tracked by the hacker. Meanwhile, the session appears ordinary to the user.

Although the FBI has been aware of this kind of attack for about five years, its use has increased in the last couple of years and is being seen as a "huge threat," Bickers said.

"The actual tools you need, the software, the hardware, etc., to mount this sort of attack has become insanely easy to acquire," Bickers said. "You need a laptop, wireless radio and the ability to download a free tool and run it. It literally is child's play."

The creation of the access point itself is not generally considered criminal; it's what happens next — tracking people's Internet use — that can cross the line.

These hacking techniques are considered to be "tantamount to a computer intrusion and illegal interception of wireless communication that can be prosecuted under federal law," Bickers said.

But computer evidence and statistics are hard to come by, said Arif Alikhan, a former federal prosecutor and former chief of the cyber and intellectual property crimes section for the U.S. attorney's office in Los Angeles. People can unwittingly compromise their computers in a multitude of ways, and often there's no trace.

"You can tell how many burglaries occur because you're victimized, and someone knows they're victimized," Alikhan said. "People don't always know if someone is using their wireless network, and it's very difficult to tell unless you trace back every single connection…. It happens more than I think we all realize."

The U.S. attorney's office will not comment on pending investigations; however, wireless hacking cases are relatively new, and few if any current cases involve "evil twin" or "man in the middle" attacks, law enforcement authorities said.

"This is a classic case of law and law enforcement being a little behind the technological curve," Bickers said.

Other types of wireless-related Internet hacking cases have recently popped up across the country.

Nicholas Tombros was found guilty in 2004, under the federal Can-Spam Act, of "war-spamming." He drove around the Venice Beach area with his laptop and used unprotected wireless access points to send spam. He could receive up to three years in federal prison at his sentencing next month.

He is the only defendant who has been charged in a case involving wireless hacking by the Greater Los Angeles section of the U.S. Department of Justice's cyber and intellectual property crimes division since it was established in October 2001, according to Assistant U.S. Atty. Wesley L. Hsu, deputy chief of the section.

"They are technically difficult cases…. They're difficult cases to put together, so law enforcement is having to sort of catch up," Hsu said.

On Sept. 30, Gov. Arnold Schwarzenegger signed into law the Wi-Fi User Protection Bill, which aims to block unauthorized sharing of open Wi-Fi networks and inform users of the dangers of unsecured networks. Starting in October, warnings and tips will be required on all wireless home-networking equipment sold in California.

The law specifically addresses "piggybacking" — or the use of another person's wireless network to access the Internet — a problem that security experts say has been a concern for years.

tami.abdollah () latimes com

-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/@now
Powered by Listbox: http://www.listbox.com
