She said about half the hotels use shared network media (i.e., a hub versus an Ethernet switch), so any plain text password you transmit is sniffable by any like-minded person in the hotel. Most wireless access points are shared media as well; even networks requiring a WEP key often allow the common users to sniff each other’s passwords.
She said the average number of passwords collected in an overnight hotel stay was 118, if you throw out the 50 percent of connections that used an Ethernet switch and did not broadcast passwords.
The vast majority, 41 percent, were HTTP-based passwords, followed by e-mail (SMTP, POP2, IMAP) at 40 percent. The last 19 percent were composed of FTP, ICQ, SNMP, SIP, Telnet, and a few other types.
As a security professional, my friend often attends security conferences and teaches security classes. She noted that the number of passwords she collected in these venues was higher on average than in non-security locations. The very people who are supposed to know more about security than anyone appeared to have a higher-than-normal level of remote access back to their companies, but weren’t using any type of password protection.
At one conference, she listened to one of the world’s foremost Cisco security experts as his laptop broadcast 12 different log-in types and passwords during the presentation. Ouch!
I am interested in analyzing that password database. What percentage of those passwords are English words? What percentage are in the common password dictionaries? What percentage use mixed case, or numbers, or punctuation? What’s the frequency distribution of different password lengths?
Real password data is hard to come by. There’s an interesting research paper in that data.
Posted on November 9, 2005 at 2:39 PM •
It’s at MIT:
MIT’s newly upgraded wireless network — extended this month to cover the entire school — doesn’t merely get you online in study halls, stairwells or any other spot on the 9.4 million square foot campus. It also provides information on exactly how many people are logged on at any given location at any given time.
It even reveals a user’s identity if the individual has opted to make that data public.
MIT researchers did this by developing electronic maps that track across campus, day and night, the devices people use to connect to the network, whether they’re laptops, wireless PDAs or even Wi-Fi equipped cell phones.
WiFi is certainly a good technology for this sort of massive surveillance. It’s an open and well-standardized technology that allows anyone to go into the surveillance business. Bluetooth is a similar technology: open and easy to use. Cell phone technologies, on the other hand, are closed and proprietary. RFID might be the preferred surveillance technology of the future, depending on how open and standardized it becomes.
Whatever the technology, privacy is a serious concern:
While every device connected to the campus network via Wi-Fi is visible on the constantly refreshed electronic maps, the identity of the users is confidential unless they volunteer to make it public.
Those students, faculty and staff who opt in are essentially agreeing to let others track them.
“This raises some serious privacy issues,” Ratti said. “But where better than to work these concerns out but on a research campus?”
Rich Pell, a 21-year-old electrical engineering senior from Spartanburg, S.C., was less than enthusiastic about the new system’s potential for people monitoring. He predicted not many fellow students would opt into that.
“I wouldn’t want all my friends and professors tracking me all the time. I like my privacy,” he said. “I can’t think of anyone who would think that’s a good idea. Everyone wants to be out of contact now and then.”
Posted on November 4, 2005 at 12:44 PM •
Don’t believe wireless distance limitations. Again and again they’re proven wrong.
At DefCon earlier this month, a group was able to set up an unamplified 802.11 network at a distance of 124.9 miles.
The record holders relied on more than just a pair of wireless laptops. The equipment required for the feat, according to the event website, included a “collection of homemade antennas, surplus 12 foot satellite dishes, home-welded support structures, scaffolds, ropes and computers”.
Bad news for those of us who rely on physical distance to secure our wireless networks.
Even more important, the world record for communicating with a passive RFID device was set at 69 feet. (Pictures here.) Remember that the next time someone tells you that it’s impossible to read RFID identity cards at a distance.
Whenever you hear a manufacturer talk about a distance limitation for any wireless technology — wireless LANs, RFID, Bluetooth, anything — assume he’s wrong. If he’s not wrong today, he will be in a couple of years. Assume that someone who spends some money and effort building more sensitive technology can do much better, and that it will take less money and effort over the years. Technology always gets better; it never gets worse. If something is difficult and expensive now, it will get easier and cheaper in the future.
Posted on August 8, 2005 at 1:37 PM •
I’ve already written about the stupidity of worrying about cell phones on airplanes. Now the Department of Homeland Security is worried about broadband Internet.
Federal law enforcement officials, fearful that terrorists will exploit emerging in-flight broadband services to remotely activate bombs or coordinate hijackings, are asking regulators for the power to begin eavesdropping on any passenger’s internet use within 10 minutes of obtaining court authorization.
In joint comments filed with the FCC last Tuesday, the Justice Department, the FBI and the Department of Homeland Security warned that a terrorist could use on-board internet access to communicate with confederates on other planes, on the ground or in different sections of the same plane — all from the comfort of an aisle seat.
“There is a short window of opportunity in which action can be taken to thwart a suicidal terrorist hijacking or remedy other crisis situations on board an aircraft, and law enforcement needs to maximize its ability to respond to these potentially lethal situations,” the filing reads.
Terrorists never use SSH, after all. (I suppose that’s the next thing the DHS is going to try to ban.)
Posted on July 14, 2005 at 12:02 PM •
Police have arrested a man for using someone else’s wireless Internet network in one of the first criminal cases involving this fairly common practice.
Near as I can tell, there was no other criminal activity involved. The man who used someone else’s wireless wasn’t doing anything wrong it it; he was just using the Internet.
Posted on July 13, 2005 at 12:39 PM •
Interesting law review article:
Suppose you turn on your laptop while sitting at the kitchen table at home and respond OK to a prompt about accessing a nearby wireless Internet access point owned and operated by a neighbor. What potential liability may ensue from accessing someone else’s wireless access point? How about intercepting wireless connection signals? What about setting up an open or unsecured wireless access point in your house or business? Attorneys can expect to grapple with these issues and other related questions as the popularity of wireless technology continues to increase.
This paper explores several theories of liability involving both the accessing and operating of wireless Internet, including the Computer Fraud and Abuse Act, wiretap laws, as well as trespass to chattels and other areas of common law. The paper concludes with a brief discussion of key policy considerations.
Posted on April 21, 2005 at 9:16 AM •
The U.S. is laying a minefield in Iraq that can be controlled by a soldier with a wi-fi-enabled laptop. Details via AP.
Put aside arguments about the ethics and efficacy of landmines. Assume they exist and are being used. Given that, the question is whether radio-controlled landmines are better or worse than regular landmines. This comment, for example, seems to get it wrong:
“We’re concerned the United States is going to field something that has the capability of taking the man out of the loop when engaging the target,” said senior researcher Mark Hiznay of Human Rights Watch. “Or that we’re putting a 19-year-old soldier in the position of pushing a button when a blip shows up on a computer screen.”
With conventional landmines, the man is out of the loop as soon as he lays the mine. Even a 19-year-old seeing a blip on a computer screen is better than a completely automatic system.
Were I the U.S. military, I would be more worried whether the mines could accidentally be triggered by radio interference. I would be more worried about the enemy jamming the radio control mechanism.
Posted on April 18, 2005 at 11:15 AM •
Anonymice on Anonymity Wendy.Seltzer.org (“Musings of a techie lawyer”) deflates the New York Times‘ breathless Saturday (March 19) piece about the menace posed by anonymous access to Wi-Fi networks (“Growth of Wireless Internet Opens New Path for Thieves” by Seth Schiesel). Wi-Fi pirates around the nation are using unsecured hotspots to issue anonymous death threats, download child pornography, and commit credit card fraud, Schiesel writes. Then he plays the terrorist card.
But unsecured wireless networks are nonetheless being looked at by the authorities as a potential tool for furtive activities of many sorts, including terrorism. Two federal law enforcement officials said on condition of anonymity that while they were not aware of specific cases, they believed that sophisticated terrorists might also be starting to exploit unsecured Wi-Fi connections.
Never mind the pod of qualifiers swimming through in those two sentences — “being looked at”; “potential tool”; “not aware of specific cases”; “might” — look at the sourcing. “Two federal law enforcement officials said on condition of anonymity. …” Seltzer points out the deep-dish irony of the Times citing anonymous sources about the imagined threats posed by anonymous Wi-Fi networks. Anonymous sources of unsubstantiated information, good. Anonymous Wi-Fi networks, bad.
This is the post from wendy.seltzer.org:
The New York Times runs an article in which law enforcement officials lament, somewhat breathlessly, that open wifi connections can be used, anonymously, by wrongdoers. The piece omits any mention of the benefits of these open wireless connections — no-hassle connectivity anywhere the “default” community network is operating, and anonymous browsing and publication for those doing good, too.
Without a hint of irony, however:
Two federal law enforcement officials said on condition of anonymity that while they were not aware of specific cases, they believed that sophisticated terrorists might also be starting to exploit unsecured Wi-Fi connections.
Yes, even law enforcement needs anonymity sometimes.
Open WiFi networks are a good thing. Yes, they allow bad guys to do bad things. But so do automobiles, telephones, and just about everything else you can think of. I like it when I find an open wireless network that I can use. I like it when my friends keep their home wireless network open so I can use it.
Scare stories like the New York Times one don’t help any.
Posted on March 25, 2005 at 12:49 PM •
I have no idea how well this works, but it’s a clever idea. From Information Week:
Force Field Wireless makes three products that it says can dramatically reduce the leakage of wireless signals from a room or building.
One odd side-point from the article:
Force Field has been trying to interest the Department of Homeland Security, but discussions are ongoing, Wray says. “Ironically, we have had foreign governments contact us–from the Middle East. Kind of scary.” Wray says he won’t sell to them.
I wonder what’s so scary about selling metal paint to a Middle East government. Maybe the company thinks they will use the paint to “cover up” their misdeeds or poison political prisoners?
Posted on December 30, 2004 at 5:52 PM •
Sidebar photo of Bruce Schneier by Joe MacInnis.