RE: [fw-wiz] Interlopers on the WLAN

From: Philip J. Koenig (pjklist@ekahuna.com)
Date: 11/09/02


From: "Philip J. Koenig" <pjklist@ekahuna.com>
To: firewall-wizards@honor.icsalabs.com
Date: Sat Nov  9 11:01:17 2002

On 9 Nov 2002 at 9:10, Frank O'Dwyer boldly uttered:

> On Wed, 2002-11-06 at 22:25, Philip J. Koenig wrote:
> > On 6 Nov 2002 at 21:41, Frank O'Dwyer boldly uttered:
> [...] Firstly, you're assuming the WLAN is "insecure" simply
> > > because it lets anyone connect without asking who they are.
> > > Maybe that's what the owner and users of the WLAN want. His
> > > network, his policy. If you don't like his policy, maybe
> > > you need to make sure your network isn't connected to his in
> > > any way that matters to you.
> >
> > Once you connect a network to the internet, your security problems
> > often become everyone else's security problems.
>
> Absolutely, but you're still prejudging the issue by using loaded terms
> like "insecure" and "interloper". An open access point is not
> necessarily "insecure", it's just open. Someone connected to an open
> access point may not be an "interloper" but may in fact be using it
> exactly as intended by its owner. In this case the appropriate term is
> "user" not "interloper". In this sense it is rather like a public access
> web site, which don't authenticate users either, and are also a risk to
> the Internet. We could demand that all of those be shut down too using a
> similar argument, but actually they are pretty useful so we don't.
>
> Also note that these people are not particularly *likely* to be
> DDoS'ing, spamming, or hacking anyone. Certainly these abuses are
> possible and a real problem, but I'd hazard a guess that to three
> significant figures, 100% of such users simply want to surf and read
> their email. As far as providing open access goes, the security features
> of WLAN simply wouldn't apply even if they worked. (Except in so far as
> the current default installations make it far too likely that someone
> will *unwittingly* set up an open access point.)
>
> Basically the point I am trying to make here is that these sorts of
> networks are not useful only to hackers etc, they are also just plain
> useful.

I think you're stating the obvious. Of course they're useful, just
like open SMTP relay hosts are "useful".. but they also happen to be
a widely frowned-upon attractive nuisance on the internet these days.
Almost every security problem on the net starts out because someone
stuck some host or device online to do something "useful".. but
simultaneously overlooked the security implications.

I remember the days when running an open SMTP relay was considered
neighborly - and convenient if for example your normal ISP's MTA(s)
were having temporary problems. But the current situation makes it
an extremely bad idea to run such hosts any more.

> Disconnecting them would be a really draconian response, and the
> underlying issue would remain (these attacks occurred before WLAN even
> existed).

I have never advocated "disconnecting" open WLANs.

I have pointed out that A) those who deign to hop on them for a "free
ride" may find themselves the subject of criminal proceedings, B) I
hope to make people aware of the need for vendors to ship products in
a secure configuration by default (and fix the WEP problems) and C) I
hope to make people aware of the serious security implications of
(intentionally or unintentionally) running open WLANs.

> [...]
> > Bear in mind my main original point was about the legality or ethics
> > of hopping onto an open WLAN. But beyond that, there is this concept
> > of an "attractive nuisance" when someone connected to the internet
> > does something to encourage hacking activity from systems under their
> > control.
>
> Merely setting up an open access point hardly constitutes encouragement
> of that kind. If I lend you my mobile phone, am I encouraging you to
> make an illegal call? Or if someone uses a cab as a getaway vehicle does
> that mean there shouldn't be cabs, or cab drivers should ask for ID?

This is a pointless argument and I hope that your common sense and
(presumed) experience in the security field will allow you to
understand the big picture here. To wit, the argument you attempt to
make, taken to its logical conclusion, would excuse just about any
latent security problem on the net whatsoever.

> What would be more useful here is some kind of mitigation - e.g. the
> ability to perform some kind of 'egress filtering' - that could be a
> standard firewall operated in reverse, to filter certain protocols, or
> to drop signs of misuse, or to shape traffic. It might be more
> appropriate for ISPs to do that however, than to expect end users to do
> it. A useful feature for any developer of personal firewalls though -
> zonealarm could easily do some of this. This would also start to address
> wired abuses.

I personally am not a great fan of ISPs acting as "Big Brother" by
scrutinizing every packet their users send/receive, and I do think
the issues in question can be addressed without dumping that
responsibility on them. (and subjecting us all to constant
surveillance)

As we can see every day, relying on end-users to solve their own
security problems is generally a waste of time. (See ILOVEYOU,
BubbleBoy, Klez, CodeRed, various DDoS zombie client trojans, and
every other virus, trojan, worm, malicious code, ad infinitum.)

 
> > The term commonly used is that it's a "rogue" network or
> > system.
>
> Again this is a loaded term that doesn't necessarily fit the facts.
> Other terms that are commonly used for the same thing are "internet
> cafe", "open access point", and "wow, you mean I can get broadband
> access when on the road, how handy!". :)

A clueful internet cafe doesn't create internet security liabilities
just by being in business. Likewise, lots of things are convenient
but are REALLY BAD IDEAS. Telnet is pretty convenient too, but how
many people with any sense at all are using it for anything that has
any security importance whatsoever these days?

You also characterize things above as if open WLANs are the only
source of mobile connectivity in the world - hardly the case. But
even with all the issues I point out, with a little work using
existing standards and adjusting practices on the part of vendors and
users even WLAN security issues can be solved pretty easily.

The question of "anonymous strangers" using someone's network is a
bone of contention for anyone who runs an ISP or backbone and those
who are impacted by the resulting security issues - and I really
don't think WLANs are any different than any other potentially
anonymizing access-point in that respect. They're just a relatively
new, popular (and particularly appealing for a hacker, I'd surmise)
option at this point.

--
Philip J. Koenig                                       pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millenium
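Frank's egress-filtering suggestion above (a standard firewall "operated in reverse" on the gateway, dropping signs of misuse or shaping traffic) can be sketched concretely. What follows is an added example, not code from either poster: a Python policy that scores each WLAN client's outbound flow records over a sliding window, drops clients that behave like a mail relay or a port scanner, rate-shapes clients that merely flood, and renders the verdicts as nftables rules. The flow records, thresholds, client addresses, and the `inet wlan_egress` table and `forward` chain names are all constructed assumptions.

```python
"""Egress policy sketch for an open-WLAN gateway (added example, constructed data).

Outbound flow records from WLAN clients are scored over a sliding window;
clients that look like a spam relay or a port scanner are dropped, clients
that merely flood are rate-shaped. Verdicts are rendered as nftables rules
for an assumed gateway table/chain."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int       # epoch seconds
    src: str      # WLAN client address
    dst: str      # destination address
    dport: int    # destination port
    proto: str


@dataclass(frozen=True)
class Verdict:
    client: str
    reason: str
    action: str   # "drop" or "shape"


def parse_flows(text):
    """Parse records of the form 'ts src dst dport proto', one per line."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), proto))
    return flows


def evaluate(flows, window=60, smtp_limit=5, scan_limit=20, rate_limit=100):
    """Return the worst Verdict per offending client, sorted by client address.

    Each client's flows are scored over every `window`-second span:
      - more than smtp_limit distinct tcp/25 destinations -> drop (relay/spam)
      - more than scan_limit distinct ports on one host   -> drop (port scan)
      - more than rate_limit new flows of any kind        -> shape (flood)
    A drop verdict always wins over a shape verdict.
    """
    by_client = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_client[f.src].append(f)

    verdicts = {}
    for client, cflows in by_client.items():
        for i, first in enumerate(cflows):
            span = [f for f in cflows[i:] if f.ts < first.ts + window]
            smtp_dsts = {f.dst for f in span if f.proto == "tcp" and f.dport == 25}
            ports_per_dst = defaultdict(set)
            for f in span:
                ports_per_dst[f.dst].add(f.dport)
            scanned = [d for d, p in ports_per_dst.items() if len(p) > scan_limit]

            new = None
            if len(smtp_dsts) > smtp_limit:
                new = Verdict(client, f"{len(smtp_dsts)} SMTP destinations in {window}s", "drop")
            elif scanned:
                new = Verdict(client, f"{len(ports_per_dst[scanned[0]])} ports on {scanned[0]}", "drop")
            elif len(span) > rate_limit:
                new = Verdict(client, f"{len(span)} new flows in {window}s", "shape")

            if new and (client not in verdicts or new.action == "drop"):
                verdicts[client] = new
            if client in verdicts and verdicts[client].action == "drop":
                break   # nothing can outrank a drop for this client
    return sorted(verdicts.values(), key=lambda v: v.client)


def nft_rules(verdicts, table="inet wlan_egress", chain="forward", shape_rate="20/second"):
    """Render verdicts as nftables forward-chain rules: an egress filter, i.e.
    the usual firewall operated in reverse against the WLAN clients.
    Table and chain names are assumptions; they must already exist on the gateway."""
    rules = []
    for v in verdicts:
        match = f"ip saddr {v.client} ct state new"
        if v.action == "drop":
            rules.append(f'nft add rule {table} {chain} {match} drop comment "{v.reason}"')
        else:
            rules.append(f'nft add rule {table} {chain} {match} limit rate over {shape_rate} drop comment "{v.reason}"')
    return rules


def build_sample_flows():
    """Constructed flow records (not captured traffic) exercising each rule."""
    t = 1036839600  # constructed base timestamp
    lines = [f"{t} 10.0.0.5 198.51.100.10 80 tcp", f"{t + 1} 10.0.0.5 198.51.100.20 443 tcp"]
    # 10.0.0.5 then fans out tcp/25 to six different mail servers
    lines += [f"{t + 2} 10.0.0.5 203.0.113.{n} 25 tcp" for n in range(1, 7)]
    # 10.0.0.9 probes 25 ports on one host within a second
    lines += [f"{t + 5} 10.0.0.9 203.0.113.50 {p} tcp" for p in range(1, 26)]
    # 10.0.0.7 opens 150 web connections in 30 s
    lines += [f"{t + n // 5} 10.0.0.7 198.51.100.{n % 40} 80 tcp" for n in range(150)]
    # 10.0.0.12 is an ordinary user reading mail over the web
    lines += [f"{t + 10} 10.0.0.12 198.51.100.30 443 tcp", f"{t + 40} 10.0.0.12 198.51.100.31 443 tcp"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = evaluate(parse_flows(build_sample_flows()))
    for v in found:
        print(f"{v.client:10} {v.action:5} {v.reason}")
    print("\n".join(nft_rules(found)))
```

The point of the split between `drop` and `shape` is the one Frank raises: an ordinary user who only wants to surf and read email never trips any of the three thresholds, so the gateway owner can keep the access point open while still not exporting relay or scan traffic to the rest of the net. The thresholds are deliberately conservative placeholders; on a real gateway they would be tuned against the observed baseline, and the rendered `nft` commands would be applied by the gateway itself rather than by an ISP inspecting every packet.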

