[fw-wiz] Anti-Warchalking attack?

From: Paul Robertson (proberts@patriot.net)
Date: 09/03/02


From: Paul Robertson <proberts@patriot.net>
To: firewall-wizards@honor.icsalabs.com
Date: Tue Sep  3 14:06:16 2002

Ok,

So, I got to thinking and got some off-list mail that made me think of a
couple of interesting things.

An interesting anti-warchalking attack could be to put false chalks with
invalid SSIDs and WEP keys around the building(s).

I took the thought one step further: you could announce a honeypot in your
chalking and start gathering MACs and even do some interesting direction
finding stuff and recon patterns against would-be attackers/abusers/users.
While I wouldn't go banning all the MACs that connected, I'm pretty sure
I'd alert based on a MAC I'd seen on the chalked WLAN that didn't match a
"known" good one.

Might be an interesting way to get a WAP and a couple of servers into the
budget if your organization is going to do wireless networking.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson
proberts@patriot.net
probertson@trusecure.com
Director of Risk Assessment, TruSecure Corporation
"My statements in this message are personal opinions which may have no
basis whatsoever in fact."
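
The alerting idea in the message above, sketched as an added example that is not part of the original post: MACs seen on the chalked decoy WLAN that are not in a known-good inventory go on a watchlist, and a later sighting of one on another SSID raises an alert. The log format, SSID names, MAC addresses and function names are all constructed assumptions, and correlating against a second WLAN is one reading of the alert described.

```python
import re

HONEYPOT_SSID = "chalked-decoy"        # constructed: SSID announced in the chalk
KNOWN_GOOD = {"02:00:00:00:00:10"}     # constructed: inventory of the organization's own adapters

# Constructed association log, time-ordered: "<ISO time> <ssid> <client MAC>"
SAMPLE_LOG = """\
2002-09-03T09:00:01 corp-wlan 02:00:00:00:00:10
2002-09-03T09:14:40 chalked-decoy 02-00-00-00-00-10
2002-09-03T10:02:17 chalked-decoy 0200.5E10.002A
2002-09-03T10:05:00 chalked-decoy 02:00:5e:10:00:2a
2002-09-04T08:30:12 corp-wlan 02:00:5E:10:00:2A
2002-09-04T08:31:00 corp-wlan de:ad:be:ef:00
"""

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff, or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[.:-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def correlate(log_text, honeypot_ssid=HONEYPOT_SSID, known_good=KNOWN_GOOD):
    """One pass over the log; returns (watchlist, alerts)."""
    good = {normalize_mac(m) for m in known_good}
    watchlist = {}   # MAC -> time first seen on the decoy WLAN
    alerts = []      # (time, ssid, MAC, first decoy sighting)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        when, ssid, mac = parts[0], parts[1], normalize_mac(parts[2])
        if mac is None or mac in good:
            continue                      # unparseable, or one of our own adapters
        if ssid == honeypot_ssid:
            watchlist.setdefault(mac, when)
        elif mac in watchlist:
            alerts.append((when, ssid, mac, watchlist[mac]))
    return watchlist, alerts

if __name__ == "__main__":
    watch, hits = correlate(SAMPLE_LOG)
    for when, ssid, mac, first in hits:
        # A MAC is client-settable, so treat a hit as a lead, not an identity.
        print(f"ALERT {when}: {mac} on {ssid}; first seen on decoy at {first}")
```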