FC: Doonesbury, Allen Hutchinson on 802.11 networks and security

[Declan McCullagh <declan () well com>]

This is hardly a new topic, but it's a good reminder. Also see Sunday's 
Doonesbury:
http://www.doonesbury.com/shopping/buycomic.cfm?uc_fn=1&uc_full_date=20020721&uc_daction=X&uc_comic=db 


-Declan

---

From: "Allen Hutchison" <allen () hutchison org>
To: <declan () well com>
Subject: Watch your wireless configs...
Date: Sat, 20 Jul 2002 19:17:30 -0700


Declan,

I thought you might like this small piece I posted on my blog this evening.
Feel free to forward to politech if you find it interesting.

Regards,

Allen Hutchison
www.hutchison.org/allen
Allen () Hutchison org

-----------Forwarded Message------------
Watch your wireless configs
Last night I was playing around with the newest version of Lindows. I
haven't worked with the OS much to date, because it didn't have support for
my Cisco Aironet card. Since the card was the only way laptop can connect to
the network I didn't want interrupt that ability. Anyway, yesterday a
college of mine told me that Lindows now had support for wireless cards. So,
I took the plunge and installed the OS on my laptop.

The first thing I noticed, after the installation completed, was that my
wireless card was blinking. I thought that the Lindows install had grabbed
the settings for my card before it wiped windows off the machine. So I
started trying to download software and access my network resources. Then I
noticed that the network seemed really unresponsive. I started looking more
closely at the network, and found that Lindows had not grabbed my previous
settings, and I was associated with someone else's access point. To be sure
I went to the default router address with a www browser, and found that it
was a linksys.

Well, I thought, that isn't too strange, I have a linksys on my network too.
So I tried to log in, but it wouldn't take my password. So I tried the
default password on a linksys router "Admin" and I got in. Then I realized
that I wasn't logged into my network at all. I was getting to the net
through somebody else's access point somewhere else in the network.

This person had never bothered to do anything to secure his network. Upon
further inspection with a sniffer, I found that I could grab all of his
traffic off the air in my office. He was using no encryption and no access
control. I could browse the shares on his computer, I could see his password
flying by. If I only knew where he lived, I could go tell him, and help him
set up something more secure. All I know, however, is a general direction
from my condo, South.

This goes to show how important it is for vendors to stress security with
their wireless products. Information is becoming more and more of a
commodity, and the information that describes us is moving around on the
Internet every day. When we install new technology, it is the responsibility
of a vendor to explain the security consequences. It was obvious in the case
of my mysterious neighbor that he hasn't installed any security on his
network. It is quite possible he isn't even aware of the security hole he
has opened onto his data.

Something to think about.




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------