Schneier on Security
A blog covering security and security technology.
« RuggedCom Inserts Backdoor into Its Products |
| Smart Phone Privacy App »
May 10, 2012
Posted on May 10, 2012 at 5:46 AM
• 36 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Single point of failure... :-)
From the looks of things, those appear to be only semi-private networks, there as a courtesy for the sports press, and not the actual private network of the MLB organization.
Given that their HQ is a few floors up from the ground floor (if that is inside their HQ, and not some other facility), the loss of bandwidth to public leechers is likely minimal, at worst. You might be able to get results from across the street with a Pringles cantenna, but if you're thatdriven to eavesdrop on the sports press, it'd probably be easier to get credentials of your own, or somehow get access to to an adjacent floor.
Way to miss the point. It's funny. We're not doing a risk assessment deep dive. It's passwords on a wall during a live tv show.
Just funny, calm down :)
Took me about 20 seconds till i got. What a classic. That brightens up my day. Cheers :-)
Not just funny...I want free wifi the next time I go to Chelsea Market.
Actually, the 'publicly-posted-password' is so that individual users of the Wifi network can't snoop on each other. Each user on the network gets his/her own nonce.
In unencrypted Wifi networks, everyone can snoop on everyone else.
This, rather than being a fail, is a success.
There was a CTF (capture the flag) last year, in which one of the steps needed to solve the puzzle was to hack into the network-connected webcam, steer it around, and read a password off a post-it note.
We're not doing a risk assessment deep dive. It's passwords on a wall during a live tv show.
And yes it's quite funny (but then many journalists and the organisations around them are more than worthy of "Oi thicko" awards.
But there is a dark side that can lead to pain (which is why we laugh at it because it gives us "We'd never be that daft" sense of superiority which most jokes are based on)...
So hopefully the details are realy randomly selected and used only for that one occasion (now past) then we can have a laugh at them and move on...
But what if they are not? then you've got some information, that you can use to get into the network and any machine that connects to it. Whilst MLB might have their systems set up properly how many "Journalists" or others there do?
How about setting up a fake AP using those details, chances are good you might catch a journalist and be able to trap one of their requests to the web and thus use it to download malware of some form onto their laptop...
After all it's not as though people (who should have thought about it) have not been caught out at various monotone "Hat" conferences just about every year...
And once you've got "ET Malware" software onto one journalists laptop the chances are you can then use it to get other journalists working for the same organisation maybe on the city or celebs desks.
And as we very well know in the UK major news stories (on News International rags) were obtained by both phone and computer hacking with atleast one UK journalist having been jailed for it in the past with a whole bunch having recently been arressted and awaiting their fate.
In fact it appears to be so rife that it's probably better than evens that in the US exactly the same tactics are being used by other news organisations "in the same stable" with the same (previous) success [Google 'lord leveson inquiry' to get the low down on it].
But look at it another way like thieves most journalists have no honour amongst themselves, if you are an "up thrusting" journalist what better way to get career enhancing scoop or two than by nicking it from another journalist who's working on it for a rival news organisation?
And yes we know that some journo's have stolen stories from each other, what has never been clear is the mechanism used ;-)
But those passwords are obviously only valid for this year- how are we supposed to work out what next year's might be?
Actually, thats a common strategy, we use it where we work...
A WPA password has three purposes: It prevents casual snooping, it prevents casual leeches, and its a nice digital "No Tresspassing" sign so if you do catch a leech you can throw the book at them.
Putting the WiFi password up on the walls inside means you have the same usability of a purely public wifi netork, but with the benefits of the WPA password.
Easier than checking the Post-it note under the keyboard ;-)
In the pre-HDTV days, such a piece of paper on the wall would likely be illegible to the TV viewers.
Talk about security by obscurity...
I think Clive has the level of danger correct. There are many people who use that network who would be endangered by this security lapse, and not all of them work for the corporation that manages the network.
Paul R's comment @ 7:04 brings up a question for me.
I've never used a public wifi network. I'm assuming that most of them at places like McDonalds and Starbucks do not have a password. Are you saying that this allows people to snoop on eachother, but that if there were a password (even one given to everybody) that snooping would be (hopefully much) more difficult?
Jeff at May 10, 2012 8:55 AM
If the WiFi is protected by a simple WEP key, then the public password is completely useless: anyone knowing him could sniff traffic from any other device.
I'm not sure about WPA. AFAIK the password is used to associate then a private key is excanged for traffic encryption which changes over time, what I don't know is if this random private key is global or unique for each device.
Thanks for referencing this post, Bruce!! I've never seen so many hits to my blog at once. :)
For those times when a post-it note would be too small or too tacky.
@Jeff, depends on the WAP. Some have features that try to restrict Wifi client to client traffic. I'm not sure how easy they are to get around.
As alluded to by others here, how big of a gaffe this is depends on the purpose and security posture of the networks. At the end of the day though, it still looks bad.
Having your wireless network access details appear on TV is a more sweeping form of "broadcast SSID" than most people imagine.
Now, where's that old Pringles can ... ?
Funny! I occasionally do Sports Photography at pro and NCAA sporting events. This is how they do it in the Media Room at NCAA Div 1 events too... Just a temporary wireless network set up to let the press send off articles and images to their Editors while at the event. The password is ALWAYS on the wall or taped to the desk.
In case someone forgets the password, they can google the SSID and find the password here:
Apparently the word "funny" underlined in blue is funny. I don't get it. Explain?
(no, I'm not going to click the link)
This is sloppy and unnecessary. In the UK he would just have someone read the SSID & password clearly into his voice mail and any real journalist would listen to it there.
Isn't this just a step above an open WiFi as used by Bruce?
It might by a TV fail, but not really a security fail.
@ B Journo
It might by a TV fail, but not really a security fail.
What do you mean "not a security fail" ? Every day, security professionals are trying to educate folks to treat their passwords as they would their tooth brush: use them often, change them regularly and don't share them with anyone (courtesy Damien Mulley). And than in this case it would be OK ? It isn't, and for the technical part of the answer, do re-read Clive's post.
Took a tour of an unnamed midwestern MLB ballpark this summer. Had access to a lot of offices with PCs sitting around. You'd be amazed at how many of them had username/password combinations on post-it notes slapped on the monitor and/or keyboards.
Maybe the admins have read Liars and Outliars and realized that if they are going to give wifi passwords to members of the press they might as well just print them out and put them on a wall.
must be for public use. Perhaps it should have been left open.
Yes, public use, like in airline lounges "today's password is united11052012".
I've seen a lot of worms lately while traveling that set up fake access points based on access points that people's laptops have accessed in the past. They are easy to spot if you are looking, but as sadly as is all too common. Most people I know think things like thinking and paying attention are for the "Smart Guy."
Jeff at May 10, 2012 8:55 AM
Yes: The WPA password is used to negociate a 'session key' which is used to encrypt the data flow. Every device connecting to the Wifi point gets their own, different session key.
The session key gets renegociated after some time, typically every hour.
If you have to set your Wifi to use WPA (instead of WPA2), look for something like "Group Key Update Interval". It's typically set to 3600 seconds (1 hour). This is too long, there's a risk that part of the session key can be guessed correctly.
Set the interval to something less than 12 minutes. That interval is shorter than the minimum time it takes to guess one character correctly. If the session key is changed every 11 minutes, then the so-called 'chopchop' attack can never manage to guess one character of the currrent session key.
I'm there with G-man. News photography, and especially sports new photography, requires us to upload shots very soon after they are taken. Even when under contract, we often have to race past others in order to get published (and paid).
BUT ... It is a funny picture.
The password behavior of the admin is really simple. The yyyy is common, might be he is following the fact, the best security is always simple.
Here you are;
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.