FC: Doonesbury, Allen Hutchinson on 802.11 networks and security

[InfoSec News <isn () c4i org>]

---------- Forwarded message ----------
Date: Mon, 22 Jul 2002 00:58:07 -0400
From: Declan McCullagh <declan () well com>
To: politech () politechbot com
Subject: FC: Doonesbury, Allen Hutchinson on 802.11 networks and security

This is hardly a new topic, but it's a good reminder. Also see
Sunday's Doonesbury:

http://www.doonesbury.com/shopping/buycomic.cfm?uc_fn=1&uc_full_date=20020721&uc_daction=X&uc_comic=db 


-Declan

---

From: "Allen Hutchison" <allen () hutchison org>
To: <declan () well com>
Subject: Watch your wireless configs...
Date: Sat, 20 Jul 2002 19:17:30 -0700


Declan,

I thought you might like this small piece I posted on my blog this evening.
Feel free to forward to politech if you find it interesting.

Regards,

Allen Hutchison
www.hutchison.org/allen
Allen () Hutchison org

-----------Forwarded Message------------
Watch your wireless configs

Last night I was playing around with the newest version of Lindows. I
haven't worked with the OS much to date, because it didn't have
support for my Cisco Aironet card. Since the card was the only way
laptop can connect to the network I didn't want interrupt that
ability. Anyway, yesterday a college of mine told me that Lindows now
had support for wireless cards. So, I took the plunge and installed
the OS on my laptop.

The first thing I noticed, after the installation completed, was that
my wireless card was blinking. I thought that the Lindows install had
grabbed the settings for my card before it wiped windows off the
machine. So I started trying to download software and access my
network resources. Then I noticed that the network seemed really
unresponsive. I started looking more closely at the network, and found
that Lindows had not grabbed my previous settings, and I was
associated with someone else's access point. To be sure I went to the
default router address with a www browser, and found that it was a
linksys.

Well, I thought, that isn't too strange, I have a linksys on my
network too. So I tried to log in, but it wouldn't take my password.
So I tried the default password on a linksys router "Admin" and I got
in. Then I realized that I wasn't logged into my network at all. I was
getting to the net through somebody else's access point somewhere else
in the network.

This person had never bothered to do anything to secure his network.
Upon further inspection with a sniffer, I found that I could grab all
of his traffic off the air in my office. He was using no encryption
and no access control. I could browse the shares on his computer, I
could see his password flying by. If I only knew where he lived, I
could go tell him, and help him set up something more secure. All I
know, however, is a general direction from my condo, South.

This goes to show how important it is for vendors to stress security
with their wireless products. Information is becoming more and more of
a commodity, and the information that describes us is moving around on
the Internet every day. When we install new technology, it is the
responsibility of a vendor to explain the security consequences. It
was obvious in the case of my mysterious neighbor that he hasn't
installed any security on his network. It is quite possible he isn't
even aware of the security hole he has opened onto his data.

Something to think about.




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.