Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

Easy hack at WiFi hotspots - Defensive measures

By Andrew Pollack on 08/07/2004 at 11:13 AM EDT

The recent Defcon 12 hacker conference was the scene of the release of a brilliant new tool for creating havoc on public wifi sites. Now I'm not in favor of actually doing any of this but from a purely technical perspective, I must say I love this.

What this tool does is "inject application layer data" on the network. In other words, its a man in the middle attack at a fairly high level. The most fun they had with it, was to interrupt all http image requests and respond pretending to be the source server with a different image. In this case, a less polite one.

Here's a link to see the results. link

This kind of thing is the #1 reason why when I'm on a wifi hotspot, or on anyone's network I don't know fairly well, make it a rule to establish a vpn to my home network and use that for my traffic. Funny jokes aside, this showed how easy it was to download this tool, run it in linux, and replace an image or bit of javascript with anything they wanted, thus exploiting any holes in a browser's security as easily. If you combine this method with a known IE exploit, you could load active-x onto someone's browser while they're cruising websites they know and trust. You can own their machine 10 minutes after they sit down at Starbucks.

You should be telling your clients how important it is to know where they're surfing. Particularly executives or people with heavy I.P. related data to work with. A professional hacker who is paid to get data from a targeted executive or developer will not spend his time flashing a giant picture of an anus on the screen. All he has to do is notice that the target executive likes to sit and have coffee in Starbucks or Borders on the way work a few times a week while catching up on mail; or uses the wifi at the airport while waiting for an international flight.. The hacker uses this tool to inject a bit of active-x and installs a backdoor remote control tool in a few minutes. A few more minutes and he installs a capture tool on the PC that operates (for example) when the machine is in screen saver or low-processor use mode (or when the system idle process is at 80% plus or something). Then, ever time hacker catches users at the wifi spot, one quick call out and the user's pc happily forks over the data.

Note: HTTP is the obvious place to capture and inject data, but all unencrypted protocols are vulnerable -- pop3 or IMAP mail transfers are commonly used for example and an interruption there could insert a mail message containing the corrupting code. Lots of other things.

Defensive measures?

1. When possible, use a vpn connection to do your surfing when at a wifi spot. Depending on the vpn, this will route all your data through the vpn encrypted to your home or office network and the actual connection to the remote site is made as if you were in the office. Note that not all vpn's work this way. Some are address specific and only route traffic to the company servers over vpn. You can also take a more sophisticated approach by setting up your own vpn tunnel with software available if you want, or subscribe to a secure anonymous service. There are several and you should shop around. most are surprisingly cheap.

2. Install and use a personal firewall on your machines that travel. Aside from protecting you from outside hackers directly attacking your machine, these tools also watch programs on your machine making outbound connections and alert you -- asking permission first -- when they do. At first, these tools bug you because they have to ask permission for your email client or browser to use the network, but once you've allowed your various tools to go the products are mostly unobtrusive. If you do happen to get hacked and your PC wants to start connecting to somewhere you don't know the tools will alert you and give you a chance to stop it. Two such tools are ZoneAlarm and Norton Personal Firewall. I've found the Norton one is easier for end users but both are a pain for the first few days. ZoneAlarm has a free version for home users and its not too expensive for business use. I'm sick to death of Symantec's seemingly constant need for subscriptions to stay up to date on things so I don't use theirs but it is a good product. Personally, I think Mcafee (formerly Network Associates, formerly Mcafee) have really ruined the good name that Mcafee himself made almost 20 years ago with the original "scan.exe" and "clean.exe". I don't use their products now.

3. Products like SpyBot S&D include utilities to watch the registry and make you approve any changes. They work, but can be hard for end users to decide which to allow and which not.

4. Consider surfing only https (ssl) connections if none of the above are in place.

There are  - loading -  comments....

My own thoughts on this are...By Bob Balaban on 08/08/2004 at 10:48 AM EDT
Oh my God, they killed Kenny!
You bastards!
Number four no goodBy Biscuit on 08/25/2004 at 11:58 PM EDT
Using ssl will not protect you from airpwn.
As it is a higher level attack, it is inserting packets directly in and the
https can do nothing.
Note, you also cannot modify your hosts file. =)
I'd need to see alot of detail to believe thatBy Andrew Pollack on 08/26/2004 at 07:41 AM EDT
SSL should provide a means to know that the data is from the site you think
it is, and is unaltered from that site, and is unreadable by packet layer man
in the middle attacks.

To interfere, the tool would need to read the key exchange, at least.

-- AP

Other Recent Stories...

  1. 01/26/2023Better Running VirtualBox or VMWARE Virtual Machines on Windows 10+ Forgive me, Reader, for I have sinned. I has been nearly 3 years since my last blog entry. The truth is, I haven't had much to say that was worthy of more than a basic social media post -- until today. For my current work, I was assigned a new laptop. It's a real powerhouse machine with 14 processor cores and 64 gigs of ram. It should be perfect for running my development environment in a virtual machine, but it wasn't. VirtualBox was barely starting, and no matter how many features I turned off, it could ...... 
  2. 04/04/2020How many Ventilators for the price of those tanks the Pentagon didn't even want?This goes WAY beyond Trump or Obama. This is decades of poor planning and poor use of funds. Certainly it should have been addressed in the Trump, Obama, Bush, Clinton, Bush, and Reagan administrations -- all of which were well aware of the implications of a pandemic. I want a military prepared to help us, not just hurt other people. As an American I expect that with the ridiculous funding of our military might, we are prepared for damn near everything. Not just killing people and breaking things, but ...... 
  3. 01/28/2020Copyright Troll WarningThere's a copyright troll firm that has automated reverse-image searches and goes around looking for any posted images that they can make a quick copyright claim on. This is not quite a scam because it's technically legal, but it's run very much like a scam. This company works with a few "clients" that have vast repositories of copyrighted images. The trolls do a reverse web search on those images looking for hits. When they find one on a site that looks like someone they can scare, they work it like ...... 
  4. 03/26/2019Undestanding how OAUTH scopes will bring the concept of APPS to your Domino server 
  5. 02/05/2019Toro Yard Equipment - Not really a premium brand as far as I am concerned 
  6. 10/08/2018Will you be at the NYC Launch Event for HCL Domino v10 -- Find me! 
  7. 09/04/2018With two big projects on hold, I suddenly find myself very available for new short and long term projects.  
  8. 07/13/2018Who is HCL and why is it a good thing that they are now the ones behind Notes and Domino? 
  9. 03/21/2018Domino Apps on IOS is a Game Changer. Quit holding back. 
  10. 02/15/2018Andrew’s Proposed Gun Laws 
Click here for more articles.....

pen icon Comment Entry
Your Name
*Your Email
* Your email address is required, but not displayed.
Your thoughts....
Remember Me  

Please wait while your document is saved.