The recent Defcon 12 hacker conference was the scene of the release of a brilliant new tool for creating havoc on public wifi sites. Now I'm not in favor of actually doing any of this but from a purely technical perspective, I must say I love this.
What this tool does is "inject application layer data" on the network. In other words, it's a man-in-the-middle attack at a fairly high level. The most fun they had with it was to intercept all HTTP image requests and respond, pretending to be the origin server, with a different image. In this case, a less polite one.
Here's a link to see the results. link
This kind of thing is the #1 reason why, when I'm on a wifi hotspot or on anyone's network I don't know fairly well, I make it a rule to establish a VPN to my home network and send all my traffic through it. Funny jokes aside, this showed how easy it was to download the tool, run it on Linux, and replace an image or a bit of JavaScript with anything they wanted, which exploits any hole in a browser's security just as easily. If you combine this method with a known IE exploit, you could load ActiveX into someone's browser while they're cruising websites they know and trust. You can own their machine 10 minutes after they sit down at Starbucks.
You should be telling your clients how important it is to know where they're surfing, particularly executives or people who work with a lot of I.P.-related data. A professional hacker who is paid to get data from a targeted executive or developer will not spend his time flashing a giant picture of an anus on the screen. All he has to do is notice that the target executive likes to sit and have coffee in Starbucks or Borders on the way to work a few times a week while catching up on mail, or uses the wifi at the airport while waiting for an international flight. The hacker uses this tool to inject a bit of ActiveX and installs a backdoor remote control tool in a few minutes. A few more minutes and he installs a capture tool on the PC that operates (for example) when the machine is in screen saver or low-processor-use mode (or when the system idle process is at 80% plus, or something similar). Then, every time the hacker catches the user at the wifi spot, one quick call out and the user's PC happily forks over the data.
Note: HTTP is the obvious place to capture and inject data, but all unencrypted protocols are vulnerable. POP3 or IMAP mail transfers are commonly used, for example, and an interruption there could insert a mail message containing the corrupting code. There are lots of other possibilities.
Defensive measures?
1. When possible, use a VPN connection to do your surfing when at a wifi spot. Depending on the VPN, this will route all your data, encrypted, through the VPN to your home or office network, and the actual connection to the remote site is made as if you were in the office. Note that not all VPNs work this way. Some are address-specific and only route traffic to the company servers over the VPN. You can also take a more sophisticated approach by setting up your own VPN tunnel with available software, or subscribe to a secure anonymous service. There are several and you should shop around; most are surprisingly cheap.
2. Install and use a personal firewall on the machines that travel. Aside from protecting you from outside hackers directly attacking your machine, these tools also watch programs on your machine making outbound connections and alert you, asking permission first, when they do. At first, these tools bug you because they have to ask permission for your email client or browser to use the network, but once you've allowed your various tools through, the products are mostly unobtrusive. If you do happen to get hacked and your PC wants to start connecting to somewhere you don't know, the tools will alert you and give you a chance to stop it. Two such tools are ZoneAlarm and Norton Personal Firewall. I've found the Norton one is easier for end users, but both are a pain for the first few days. ZoneAlarm has a free version for home users and it's not too expensive for business use. I'm sick to death of Symantec's seemingly constant need for subscriptions to stay up to date on things, so I don't use theirs, but it is a good product. Personally, I think McAfee (formerly Network Associates, formerly McAfee) have really ruined the good name that McAfee himself made almost 20 years ago with the original "scan.exe" and "clean.exe". I don't use their products now.
3. Products like Spybot S&D include utilities that watch the registry and make you approve any changes. They work, but it can be hard for end users to decide which changes to allow and which not.
4. Consider surfing only over https (SSL) connections if none of the above are in place.
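The three network-side measures above (route everything through the VPN, let a personal firewall vet which programs may open outbound connections, and otherwise stick to encrypted protocols) can be expressed as one policy check. The following is an added illustration, not code from the original post or from any of the products it names: a small Python audit that runs over a handful of constructed connection records and says, for each one, whether it would have been safe at an open hotspot. The program allowlist, the `tun0` interface name and the sample records are assumptions made up for the example; the port-to-protocol mapping uses the standard assignments for HTTP, POP3, IMAP and their TLS counterparts.

```python
from dataclasses import dataclass

# Traffic on these ports is normally plaintext, so on an open hotspot it can be
# read and injected into, exactly the case the post describes for HTTP and mail.
PLAINTEXT_PORTS = {80: "http", 110: "pop3", 143: "imap"}
# Encrypted counterparts; acceptable even when not tunnelled through the VPN.
TLS_PORTS = {443: "https", 995: "pop3s", 993: "imaps"}

# Hypothetical allowlist of programs the user has already approved, standing in
# for the "ask permission first" list a personal firewall builds up over time.
ALLOWED_PROGRAMS = {"firefox.exe", "outlook.exe", "vpnclient.exe"}


@dataclass(frozen=True)
class Conn:
    program: str  # process that opened the socket
    dest: str     # remote host name or address
    port: int     # remote TCP port
    iface: str    # local interface the packets leave on


def classify(conn: Conn, vpn_iface: str = "tun0", trusted_network: bool = False):
    """Return (verdict, reason) for one outbound connection.

    verdict is "allow", "block" or "ask". The order mirrors the post's advice:
    an unknown program is stopped first (measure 2), anything inside the VPN
    tunnel is fine (measure 1), and off the tunnel only encrypted protocols
    are accepted on an untrusted network (measure 4).
    """
    if conn.program not in ALLOWED_PROGRAMS:
        return ("block", f"{conn.program} is not an approved network program")
    if conn.iface == vpn_iface:
        return ("allow", "tunnelled through the VPN")
    if conn.port in TLS_PORTS:
        return ("allow", f"{TLS_PORTS[conn.port]} is encrypted end to end")
    if conn.port in PLAINTEXT_PORTS:
        if trusted_network:
            return ("allow", f"{PLAINTEXT_PORTS[conn.port]} on a trusted network")
        return ("block", f"{PLAINTEXT_PORTS[conn.port]} on an untrusted network is injectable")
    return ("ask", f"port {conn.port} is not classified; ask the user")


def audit(conns, vpn_iface: str = "tun0", trusted_network: bool = False):
    """Classify every record and return a dict of verdict -> list of (conn, reason)."""
    report = {"allow": [], "block": [], "ask": []}
    for c in conns:
        verdict, reason = classify(c, vpn_iface, trusted_network)
        report[verdict].append((c, reason))
    return report


# Constructed sample records, as if taken from a hotspot session.
SAMPLE = [
    Conn("firefox.exe", "www.example.com", 80, "wlan0"),   # plain HTTP, no VPN
    Conn("firefox.exe", "www.example.com", 443, "wlan0"),  # HTTPS, no VPN
    Conn("outlook.exe", "mail.example.com", 110, "wlan0"), # plain POP3, no VPN
    Conn("outlook.exe", "mail.example.com", 110, "tun0"),  # same, inside the VPN
    Conn("svchost_x.exe", "203.0.113.9", 4444, "wlan0"),   # unapproved program
    Conn("firefox.exe", "203.0.113.9", 8080, "wlan0"),     # unclassified port
]

if __name__ == "__main__":
    for verdict, items in audit(SAMPLE).items():
        for conn, reason in items:
            print(f"{verdict:5} {conn.program:14} {conn.dest}:{conn.port} via {conn.iface}: {reason}")
```

Run as-is, the audit blocks the two plaintext mail and web connections that leave on the wifi interface, lets the same POP3 session through when it rides the tunnel, stops the unapproved program before looking at its destination at all, and defers the unclassified port to the user, which is the same sequence of decisions the firewall, the VPN and the https-only habit make on a travelling machine. Passing `trusted_network=True` models being back on the office LAN, where plaintext is tolerated.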
You bastards!