RE: Sneaking a peek on Wlan in airports

["Erin Carroll" <amoeba () amoebazone com>]

Thor,

Some comments below inline 

> While I agree that one should try to leave conjecture alone 
> and just "answer the question," it's not always that easy to 
> do.  Most of the people on this list (well, ones that post 
> anyway) are detail oriented, technical, pedantic people.  It 
> comes with the job.  So when you see a question that's just 
> "not quite right," you have to ask the obvious "how did you 
> get here from there" 
> questions, particularly when the scenarios smack of white lie.

I'm not disagreeing with your viewpoint, I personally agree. You do have to
bear in mind however that as the list moderator my main focus is to foster
new and interesting discussions and keep the flaming to a minimum. So you'll
see me let through even one-line responses or repeats of information because
at least they took the time (however small) to respond. With somewhere above
15k subscribers to pen-test there are a *lot* of different ways one could
answer what seems a simple question and I'm hoping that the lurkers out
there will chime in. Besides, there are only so many times I can see another
"how do I do X" without groaning when a simple list archive search or 5
minutes on google would have answered. But, since the answers may be new
info to list newcomers I let those go through. I've been in the industry a
long time but every now and then someone points out a tool/method/view that
is illuminating or intriguing in response to a question that had been asked
and answered many times before. 


> The simple "what would you do" question brings a lot with it. 
>  Personally, it is painfully obvious (or should be) to anyone 
> that people will use unsecured, public networks in insecure 
> ways.  Being surprised by seeing a
> POP3 username/password on a wlan is a "red flag" in itself.  
> To have an apparent pen-tester working for PWC post to a list 
> asking what he should do in such a case is simply suspect (to 
> me, anyway) - so I think it is natural for people to ask WTF?

True. But my effort is to have WTF addressed constructively and avoid
responses which consist of only the WTF ;)
 
>  I would much rather see someone say "I was sniffing traffic 
> on a wireless network."  If the "my laptop came out of hibernation" 
> scenario is true, then the real lesson should be "if you are 
> a professional pen-tester for PWC, you should not, under any 
> circumstances, have your laptop set to automatically connect 
> to the first unsecured wireless lan it comes across."  The OP 
> was (obviously) performing a sniff on another wireless 
> network before, presumably as part of a pen-test, and just 
> put his lappy into hibernation.  In such a case, 
> automatically having his laptop connect to an unsecured 
> network could actually have resulted in a breech of 
> the data he was previously testing.   The question therefore 
> is not "what do 
> I do when, gasp, I see a pop3 password" but rather "is this 
> the way PWC trains their pen-testers, and is this the way PWC 
> goes about protecting their customer's confidential data?"

And the above is a great response and example of going beyond the WTF. Other
list member may now have a "oh, that's a good point. I should pay attention
and not do this in the future because of those reasons". These are things
people with a lot of experience take for granted as obvious but as you know,
sometimes you have to point out the pink elephant in the room... Or in this
case provide a diagram of what a pink elephant looks like.

> That being said, when you see POP3 password, SMTP mail data, 
> HTTP base64 encoded basic authentication data on an unsecured 
> wlan, the obvious thing to do is see if it gets you free porn somehow.

Heh. I thought that was standard operating procedure in the pen-tester
manual listed right after "Find nearest source of caffeine and hook up the
IV."


--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------