Test. Good morning, everyone. I want to thank you guys for coming. It's been a long weekend, and for those of you who were at Black Hat as well, a long week, but it's been absolutely fantastic. I want to thank Jeff Moss and his crew for doing this for the 11th year in a row. How about a big round of applause for those guys? Let's hope it never ends.

I'm Michael Sutton. This is my colleague Pedram Amini. The topic today, obviously, is wireless hotspots: what are the risks and vulnerabilities surrounding them? What we'll be covering today, and what we won't be covering today. We'll start off with just a brief overview of what these hotspots are and why companies think that you should pay for them, and then why they're vulnerable. We'll walk through some specific attack scenarios and architectures, and then we'll end up with some countermeasures that both the end user and the provider of the network can take. With that, I'll hand it over to Pedram.

Everybody can hear me? Okay, in the back? Sounds good. Before I even begin, I'd like to get all the ladies' attention up to the very eligible, very successful Ralph Schindler in the front row. After the conference, if everybody can just come by and give him a little pat on the back, it'd be greatly appreciated.

All right, so the purpose of our research: we studied the security of wireless ISPs from two viewpoints, that of the providers, these are the guys actually running the network, and that of the end users, the people who are utilizing these networks. We went through a variety of implementations. Mostly we found them at cafes and hotels. Our company is located in the DC metro area, so that is the area that we checked out, but pretty much the companies are the same throughout the nation.

Tools that we used: a couple of laptops. We used virtual machines, but because of the inability to get low-level network access within virtual machines, we had to resurrect some older laptops as well to get Linux on them, along with a Dell Axim. This proved to be crucial.
You know, you don't want to roll into a place and unpack everything just to find out that the WISP is down. It's nice to be able to detect beforehand that it is up and running. We had both Hermes and Prism chipset cards. The reason for this is that there are different drivers and different capabilities; some tools require one chipset, others require another. The software tools that we used were mostly open source: Ethereal, tcpdump, Dug Song's dsniff package. And over at the bottom, a tolerant bladder is essential to doing this research, as when you go through these coffee shops you are definitely obliged to buy at least a cup of coffee, and it starts to take a toll. That's a shot of myself and my massive coffee cup at a Starbucks.

Pedram mentioned the Axim that we had, and it was a crucial tool. I'd like to pay tribute to that Axim. Unfortunately, it did not survive the weekend. It got a crushed screen. It did not survive some Vegas partying. So, fantastic tool, not Vegas-party proof.

What are these things? Why do they exist? WISP: wireless internet service provider, also known as a hotspot. Sometimes they call it a hot zone if it's a whole series of networks tied together. I've heard scenarios where companies are trying to cover entire neighborhoods. I even read an article earlier, I think it was Verizon, wants to actually put 802.11b access points in pay phones in Manhattan in the hopes of covering the entire city and providing that service to people who want to pay for it.
It's definitely taken off incredibly. It's a very successful technology, but it has some serious security implications. Where do these things exist? A lot of places target business travelers: things like airports, hotels, and then also just areas where you get recurring traffic, cafes, things of that nature. It's often a value-added service, something that you use to get the people in there and keep them there. You know, you're more likely to buy two or three cups of coffee if you're in the middle of a big download.

Why use wireless? Why not set up a wired service for your patrons? It's one of cost and convenience. It's very, very cheap to set this up, as I'm sure most of you know. We went to all sorts of places. The picture that you see there is probably the most bare-bones implementation you could possibly imagine. I mean, really, this is in the back of a coffee shop in Arlington, Virginia. That's an access point slash router up on the top shelf next to the paper towels and the coffee cups. And all they really did is buy a DSL line, plug this thing in, and provide it to their patrons. So very easy to set up, very cheap. Most mobile devices nowadays come with Wi-Fi enabled. Most of these places use 802.11b. I don't think we saw any places that didn't. There's no reason, however, that I wouldn't fully expect backward-compatible 802.11g access points to start to emerge as that becomes more prevalent.

Before we dive into the fun stuff, the technical stuff, I just think it's important to look at where the industry came from, because that'll help us predict where it's going to go. As most industries do, it followed a predictable pattern. You know, a couple of years ago,
we started to see hotspots all over the place, a ton of startups, and now we're starting to see some of those go away. Joltage, unfortunately, disappeared earlier this year. We're starting to see some consolidation in the industry, things of that nature. A sign that it's here to stay and it's not a fad is that the big boys have arrived. Pretty much every mobile phone company, telecom company is in the industry in some way. Some have gone in on their own, like T-Mobile. You probably know they have a big contract with Starbucks; most locations across the US have wireless access now. Others have partnered: in December 2002, AT&T, Intel, and IBM formed a joint venture, a partnership called Cometa. I haven't seen a lot from them, but as I understand it they plan to roll out their stuff at some point this year.

As Pedram mentioned, we chose to look at this from two standpoints when we looked at the security risks that were associated with the networks: that of the provider and also the end user. On the side of the provider there are a number of different risks. The business risks relate to the fact that most of the stores have chosen to use this as a pay-for-play method, meaning that you pay some hourly fee or a recurring cost, a monthly cost. Obviously, if somebody can use your network for free, you're going to lose money. So there's a financial risk associated with that, and we'll walk through various scenarios whereby we found ways to get around the security that was on these networks. These are tough networks to secure, because the people are on your network.
You're not keeping out an outsider, you're keeping in an insider. Another risk from a business standpoint is that wireless networks are a great avenue to launch an attack, and it's tough to track down who did it. You know, you don't even have to necessarily be on the premises to launch that attack. Later on we'll discuss some things that you want to do to protect yourself against that. Network-level attacks: no sense in diving into this right now; it's really no different than what exists in the wired world. Lastly, denial of service attacks. If somebody can shut down your network, you're not going to be able to generate any revenue from it. Because wireless networks are fairly open, they're a little more susceptible to that sort of thing than a traditional wired network.

Okay, so the risk associated with being an end user on one of these networks. Traditionally, administrators are concerned with securing a network as a whole, so they'll concentrate on perimeter security, firewalls, with little to no emphasis placed on node-level security. Aside from antivirus, really, you don't see much protection at the workstation level. So this is where the term "crunchy on the outside, chewy on the inside" comes from, which is not a problem when you're on a NATted box sitting behind a safe firewall. But now we're finding corporate users taking their laptops out of this safe perimeter and putting them on public networks where, unbeknownst to themselves, there are many, many vulnerabilities. So examples of vulnerabilities that are okay within the perimeter but not okay on untrusted networks are things like intranet-safe services. These are personal web servers that might be insecure, anonymous FTP, maybe an open file share; people want to trade music.
They want to exchange files with one another. This is great behind the office doors, but you come outside and put it in a hotspot area, and you know your next-door neighbor can now get on your computer as well. Information leakage: because you're on a shared network, and because anybody can get on it, there really is no point in employing WEP. If an attacker wants to get on, he can go to the coffee guy as well and get the WEP key, so it's nothing more than a hassle. So now all users are vulnerable to your basic traffic sniffing attacks, such as on the plaintext protocols like POP. There are spoof attacks: DNS spoofing, ARP spoofing, even spoofing of the access point itself. We'll get into this more later. And so essentially we don't have end-user awareness. You have sales guys and people who just don't have a knowledge of what security is taking their computers outside of the corporate network and putting them in insecure environments.

So, security implementation. This is how the wireless ISP keeps you from getting on the network; actually, this is how the authentication works. Basically four steps: the firewall restricts you, web requests go to a login screen, authentication, and then access is granted. So here's a typical setup. You see user one, he's got the green arrow, he's already connected and going through the firewall to the internet. User two has just associated with an access point. Any request that he makes, say he puts in google.com in a web browser, will be redirected to the internal web server. Next screenshot. This is an example of one: you put in your username and password, or you sign up, and access is granted; the firewall unrestricts you. Next slide. Next slide.

So that's fine and dandy, but then how do they actually keep people who are not authenticated from getting on their network?
This is like a pyramid scheme from top to bottom. Everybody does IP address filtering. So when you get on this network, you're assigned an address through DHCP, and if you have not authenticated, the firewall will not allow traffic coming from you to go out. The example of this is the Wayport network. So it's easily defeated by just sniffing traffic, finding somebody who has a legitimate connection, and just changing your IP address to theirs.

The next level up from that is a combination of IP address filtering and MAC address filtering. MAC, for those of you who don't know, is media access control. It's an identifier burned into either your Ethernet card or your wireless card, and it can be spoofed. T-Mobile, who's the provider for Starbucks, they do this. They have a combination of MAC and IP address blocking. One step even further up from them: Deep Blue Wireless has the option for an IPsec VPN, so it requires a third-party client to actually get on. But this is totally secure, because every single user has an encrypted tunnel to the actual gateway. This is the ideal situation, though a hassle, so you don't see it very often.

DHCP lease expiration: when we were trying to get onto the Starbucks network for free, we noticed that the DHCP lease times were very low, you know, on the order of like two minutes. So the initial thought was that they were actually using the computer name that goes through in the DHCP lease renew packet to also verify that, you know, the user hasn't been hijacked. In the end, though, as we were trying different things, we found that using a non-statically assigned IP address, leaving it to DHCP, spoofing somebody's MAC address, and just sending a renew packet is all you need to do. So, utilities for Windows: there's SMAC, S-M-A-C, from klcconsulting.com. It's simple. It would take you two minutes.
You go to Starbucks, fire up a sniffer, see who's got a valid connection, put in their hardware address, and you're good to go. Send in the DHCP renew packet and you're done. So actually the lease expiration turns out to be for people who just pack up and walk out of the store, to ensure that I'm being charged.

And actually, one thing to add to that: we found that we didn't actually have to spoof both the MAC and the IP address. Because of the way it was set up, all you had to do was actually spoof the MAC address and leave it set to DHCP, and it would provide you with the appropriate IP address. So it was actually fairly trivial. Oh my, can you give me a glass of water, please? What is the guy, I think he's a king now, standing on stage? I'm abusing the mic power.

We mentioned one of the risks to the provider is revenue loss. So what are the scenarios whereby somebody can bypass the controls to get network access when they're not authenticated? Three scenarios that we decided we could try, and all were successful, and we'll explain how we did them. The first: we noticed that on some networks, not all networks but some, Wayport was a particularly good example of this. We will shit on Wayport throughout this presentation. They are at the bottom when it comes to security, and they're actually a pretty big provider. They have contracts with a lot of hotels. Nobody in here is actually from Wayport, is there? Yeah, anybody here I'm offending? Anyone? All right, good.

Tunneling data through unfiltered protocols. As I mentioned, in certain cases some, but not all, protocols were filtered. TCP was always blocked, for obvious reasons; most people are going to use this network to surf the web. But some networks did not follow the cardinal rule of firewalls: block everything.
I can't believe you actually did that. They did not follow the cardinal rule of block everything, you know, deny everything and then only allow through what is required. We found scenarios where, for example, UDP port 53 was allowed because they were permitting external DNS traffic before you had authenticated, and we also found that there were scenarios where all ICMP traffic was allowed through, so that you could ping external hosts. And I'm sure that when they were designing the network they did not, you know, I mean ICMP has legitimate purposes, but they didn't think of this scenario. What we found, actually, I'm going to jump ahead in the slides, but there was also connection hijacking, meaning that you kick somebody off the network, and connection sharing.

The scenario of tunneling. What we used to do this was a tool called Loki. It's a great tool. It's not new; it's very old, actually. I think September of 1997 it was released in a Phrack article, but it did the trick for what we were trying to do. Basically, it was a two-part tool, a client piece and a server piece.
So this is not an attack that you can do on the fly; you actually would have to plan ahead for something like this. But you set up the Loki server at some external location on the internet. Basically, it's sitting there listening on a particular port for ICMP traffic, but it understands that what it's receiving is an encapsulated packet with something else inside it. So you use the Loki client. In the scenario that we actually set up, what we were trying to do was create an SSH session to a box that was out on the internet. So we had that box out there, then we had the Loki server set up at a different location, and then we had the client inside the network, and we were not authenticated at that point. We used the Loki client to encapsulate the SSH traffic, which was then permitted through the firewall. I'm following the green lines here from the bottom up. That reached the Loki server, because it was not blocked at the firewall. The Loki server understands that this needs to be de-encapsulated; then the SSH traffic is in there and it just forwards it on to the remote server, and then the reverse happens on the way back. So we were able to bypass the authentication by using that scenario. Obviously you couldn't do this on the fly. You know, what would be a scenario where you would want to do something like this? Let's say you're at a conference in Vegas. Let's call it DEF CON. You know that your hotel, besides charging an exorbitant rate for the hotel itself, and the fact that they're going to rape you at the blackjack tables,
they also want to charge you for your internet access. So you could set up your Loki server back home before you come, for your access.

Connection hijacking. Pedram walked through this with the T-Mobile example in Starbucks. Actually, every one of the networks that we looked at was susceptible to this at some level. For some, all you needed to do was spoof the IP address of a legitimate user; in other cases it also required MAC address spoofing. The scenario: starting off, the attack box has not paid for access, the target box has. How do you find the target box? Again, relatively easy: sniff some traffic, look for a box that is not the gateway and not an obvious server on the network. Chances are that's a legitimately connected box. Look around the room, see who you're about to screw. Then the spoofing of the IP address or the MAC address takes place. Initially, when we thought about this, we assumed that it would be necessary to conduct a denial of service on the target, because otherwise you're going to have two identical boxes on the network. It's sort of an interesting thing that came out of it: we found that that's not necessarily the case. If you're using a Windows box to do the attack, Windows is very fussy. If it ever sees somebody that's the same box, because it sees the same MAC address or IP address, it'll just not communicate on the network. A Unix box is much less fussy. So we found that when we were using a Unix box for the attack box and the target was a Windows box, the target, the Windows box, would just shut itself down as soon as it saw the other IP address that was identical, but the attack box would keep right on going. So the denial of service wasn't even necessary in that scenario. If a denial of service was necessary, something like AirJack could be used. This is similar to the point attack.
It was released like four years ago. I remember, it was my freshman year of college, and people would utilize it: actually just send out a packet from, you know, every single IP address on the subnet. It knocks everybody off and all the bandwidth becomes yours.

Connection sharing is the last scenario that we looked at. This is pretty basic. There was not a great deal that a provider could do to protect against this. This is just a situation where a group of users collude to buy one account and share it, and really one box is just being set up as a router that the others are using as their gateway, and they're accessing the internet by paying one time. There are ways to detect this. I've read some theoretical paper on how to detect the number of NATted machines behind a single IP address, but really there's so much work involved that it's not worth it at all.

All right, so network-level attacks against clients. Of course, there's traffic monitoring, a passive attack. It's low-hanging fruit. It's difficult to detect; there are tools out there that can try, AntiSniff for example. You've got the spoofing attacks, you know, DNS hijacking. This is an active attack. It is plausible to take any third-party software to do so. It allows you to do man-in-the-middle attacks, so things like SSL, SSH, you can circumvent. Essentially what's happening is when a DNS request is made, because you, the attacker, are closer to the target than the actual DNS server is, you can send out a reply faster than it can, and the first answer that the target retrieves, that is the resolution that it's going to use. So one interesting twist on this is, I thought of, auto-update hijacking. A lot of Windows software like Winamp, AOL, periodically will check for an update, or on sign-on they'll check for an update.
It's very plausible to spoof the actual DNS address, set up a website or whatever protocol it uses to check for an update, fake that, and give your own binary, that the user may or may not, sometimes even automatically, download and run. Of course, that could be a trojan.

Public IP addresses. Again, Wayport. Wayport is the only company out there that did not use NATted addresses. In this day and age of, you know, lack of IPv4 address availability, these guys are giving every one of their clients a publicly addressable IP, which of course means that now they're susceptible to remote attacks. An attacker can figure out the subnet ranges that Wayport is giving out and attack these insecure users from the comfort of his own home.

Last thing is ARP spoofing. ARP is the Address Resolution Protocol. Active attack, also detectable. Cisco switches can actually detect this and shut off ports that they detect duplicate MAC addresses on. So we found here something interesting, network crossover. I'll get into ARP in a second. So here's a sample layout of Wayport. We have two boxes, the Linux box dot 168, the Windows box dot 169, publicly addressable IPs. They go through a series of access points, through a gateway, that's dot 129, and then apparently what occurs is there are Wayport servers off-site that are periodically checking or polling both the access points and the gateway through SNMP. Maybe to see if they're up, maybe to update something, or for some auditing. We don't know; we can't tell. But when you ARP spoof... Here is a, this is a screenshot of, it's actually a video.
It's going to show ARP spoofing. This is Ethereal running in the top and the bottom left; the bottom right is a shell to the Linux box. It's going to do the actual ARP spoofing. See the route -n, and just pull up the gateway IP, and we're pretending that we are the new gateway IP. So what's happening is when a computer wants to send traffic to dot 129, if it has never done so before, it'll send out an ARP request asking, "Hey, who has the hardware address for this IP address?" and of course with our ARP spoofer we're answering, "We are the legitimate MAC address." So the traffic you're seeing is just all normal traffic right now. This is what you would see if you were to sniff on the wireless network. It's a shared environment, like you're on a hub. So this is just public traffic, all on the wireless side. What happens after a while is the ARP spoofing starts to kick in and machines all of a sudden become convinced that we are the new gateway, and what we'll start to see is actual SNMP packets coming from the internet going to these boxes, and you'll see it right there: SNMP response. You probably can't read it from the back. These SNMP responses are coming from the Wayport network and they actually have the read-write community string, which now gives us full control over their gateway, over their access points. I mean, we can do basically whatever we want here. An interesting piece of information is within their MIB tables: they actually leave a very, very descriptive sysLocation field, so I've seen things like, you know, "access point located behind the pickle jar next to the janitor's closet, you know, behind the broom." And so a savvy social engineer can actually use this kind of information to score some free hardware: little hard hat, utility belt, visi-suit, clipboard, take yourself some free gear from Wayport. Nobody wrote down that community string, correct? After the Feds, Pedram would be available in the parking lot afterwards.

Denial of service attacks. This is really silly.
I mean, you can't protect against these, but just for shits and giggles. On the physical layer, you can always put out 2.4 gigahertz noise. There was a light bulb developed by some company, a small company in Maryland. They got bought out by 3Com, but then they canned the project. It was a low-consumption light bulb. One single light bulb could actually knock out wireless in like a two-mile radius. I don't know if anybody remembers this. I tried to pick one up; I could not find it. It's actually very interesting, though. They were originally going to put it in street lamps, which would have put an end to the wireless days, so thankfully that didn't work out. On the data layer you have, again, ARP spoofing. As you spoof the gateway, if you're not forwarding traffic, everybody is sending it through you, and since you're not forwarding, it's not going anywhere. It's a dead end. It's another way to keep people from getting on the network. And on the network layer there are utilities like AirJack. AirJack works by abusing 802.11 management frames. Because they're, you know, not authenticated by any means, you can send out disassociation frames, you can send out deauthentication frames and just knock people off the wireless network, and if you do this fast enough the person will never get on again. Yeah, we're flying through this, so we'll have lots of time for questions.

End user countermeasures. What can both the end user do to protect themselves and what can the provider do to protect themselves? Start out with the end user. The number one rule here is that this is an untrusted network. This should be viewed in the same light as if you have a box just out on the internet, no firewall, unprotected. You do not control this network. You do not know anything about the security procedures, policies, whatever, in place on this network. It has to be treated as an absolute 100% untrusted network. So implement your own security to the extent possible.
This is especially critical if you have corporate users that are using this network. You know, they have boxes with sensitive information, or they're communicating sensitive information by email and other methods, and you're extremely vulnerable. Also, something that's not on this list is end-user awareness. 95% of what we talked about today, the average user does not understand, should not understand. It's not, you know, they have their own role to play in the company. They're not meant to be a security expert. So as a system administrator, you have to be the one who takes responsibility for doing your best to protect their machines and educate them that, you know, these networks are vulnerable and you have to take care.

First of all, VPN. That's honestly a bit of a no-brainer. Do not rely on the encryption that they're employing, if they are at all; chances are they're not. If you set up a VPN and then have your users access email or the corporate network or whatever over that scenario, then obviously you are in control of the encryption that is in place. Keep in mind, however, whenever you're using encryption, whether it's VPN or you're setting up an SSL connection, SSH, whatever, you also need to validate those certificates to ensure that there's no man-in-the-middle attack taking place. On the VPN, though, there are two crucial pieces of information. When you're connecting to a VPN, if you're connecting through a DNS name, that's taboo; somebody can spoof it and you can connect to the wrong VPN. It should be a hard-coded IP address. And also on that note, there is an option in the Windows VPN to route all traffic through the remote VPN router. This should be enabled; that way anything that you're sending, whether it's to Google or your corporate network, is going through the encrypted tunnel.

OS hardening. Typically we think of that at the server level.
We don't think of it at the client level. Actually, a lot of the things that we'll talk about for countermeasures, historically people would have thought you only do that on a server. Now that we have so many mobile devices and things do not stay inside your corporate network, you really need to start, you know, taking those same kinds of security precautions for all of your hardware. I mean, the historical view of security at the corporate level is that you build this great moat around your company with a big high wall and alligators and all that stuff, and nobody can touch you because there's no way in. Well, that's useless with mobile hardware, because the assets that that fortress is meant to protect no longer exist inside the fortress. They're out at Starbucks and the airport and the coffee shop, so they're completely vulnerable. So we as corporations really need to start taking a different view of security and move it from the network level to the node level. So OS hardening should be done for all machines. We all know that a default Windows box has a tremendous number of ports that are open and available. If you're not using it, shut it down.

Node-level firewalls, IDSs: again, typically we've thought of that as a server-side security measure. In this day and age you would not set up a box for one of your users without virus protection. Node-level firewall, I really think that you should view that in the same light. There are some great products out there, free products, things like ZoneAlarm. You know, use that stuff. I think hopefully within the next couple of years people will recognize that, and you know, that'll get installed on the machine right after virus protection.

One other scenario that we thought of, I don't know if this is practical for everyone, is to just establish dedicated travel hardware for some of your corporate users. Have a box that is a stripped-down box. It has no sensitive information on it. If your employee simply needs it to access, for example,
email or some other corporate resources, have that as an imaged box that you can wipe clean when it comes back. You do not want to take that box and put it back on the corporate network, because you don't know what's happened to it. It could have been compromised while it was out on one of these other networks. And just loan that out. I mean, that's a shared piece of hardware.

What we talked about in the last slide was what can be done for the end users. What about for the provider of the hotspot? Keep in mind that, you know, this is a coffee shop. The guy who pours your coffee is not a security expert. If he was, he probably wouldn't want to be pouring your coffee. But, you know, they're really placing a lot of reliance on these companies that are offering up the solution to implement that level of security, and as you've seen today, in many cases those companies have failed in their promise to do so. So what can be done to improve the security on those networks? Number one: non-internet-addressable IP addresses. Why Wayport chose not to do that, I have no idea. That's an absolutely ridiculous thing. You're exposing the clients on your network not only to attacks on that network but to the internet as a whole. I just find that phenomenal. Number two: filter out protocols. Again, going back to the golden rule of firewalls: if you don't need it to be passed through, block it, and then only allow through what's needed. That will prevent the tunneling attacks. 802.1X, for those who may not be familiar, is an authentication protocol. It's going to be part of 802.11i, if they ever get around to releasing that. It's a good thing. It has the potential to greatly enhance security, because you cannot access the network,
you're not authenticated to the network to do some of these attacks, until you go through the authentication process. The problem with it today is one of compatibility. Not all clients are capable of handling it. Newer versions of Windows, for example Windows XP, have it built in, but older editions do not. Over time I suspect that we'll see that go away, and I think that likely we'll see a lot more of 802.1X.

Intrusion detection systems. Now we're talking about it on the network side, not the client side. When we first thought about this, I actually thought it was kind of ridiculous. I mean, big deal, you implement an IDS; by the time you go and look at those logs the guy who did the bad stuff is long gone. He's not coming back; who cares? But as we thought about it more and more, I actually think it is a very important part of security on some of these networks. If you remember, earlier we talked about the fact that wireless networks are great launch pads for attacks, because you don't even need to be there to do it. This at least gives you an audit trail of what took place, so that you can figure out, you know, where your security broke down. You can provide that information to the authorities. So I definitely think that an appropriate IDS system is viable for any of these hotspots.

Intrusion prevention systems. I haven't seen a scenario whereby an IPS was implemented in a hotspot. It's still kind of an emerging, new thing, but it makes a lot of sense to me if somebody's able to appropriately implement that, because then you're able to take it from a detective control, in the case of an IDS, to a preventive control, and actually do something about it: kick the person off the network if they're not behaving nicely.

With that, we're open to questions. The guys from DEF CON gave us some cool prizes, so if you have some interesting questions, we'll give some stuff away. We'll open it up to the audience. Way at the back, actually. Pedram, you want to run it out?
Yeah, he'll take a microphone out to you so that we can actually hear the question. Wait, wait, at the back, Pedram. Oh, is that the guy you chose? Yeah, work it out. That's the chosen one. It better be good.

On the Loki scenario you gave there... Can you hold the mic just a little bit closer? On that Loki scenario you gave up there, if you already have an IP address to get to that Loki server from the Loki client, aren't you already authenticated? What are you gaining by doing that?

The IP address that you have is just an internal IP address. So, like, you've got a 10-dot address, for example, and you're going to be blocked at the firewall from doing anything. Like, if you try to go to www.google.com it's not going to let you out. But what it is allowing out is ICMP traffic, so you're able to take that web request, or whatever you choose to use, encapsulate it in an ICMP packet and get out. So the short answer is no, you're actually not authenticated. You're just bypassing the authentication.

It's not always ICMP as well. A couple of people use external DNS servers, so the DNS port, you know, UDP 53, is allowed out as well, so you can tunnel over that. The difference is that the firewall is actually blocking you since you haven't authenticated with the server; your IP address is being blocked. So you could steal the connection of the guy who's actually paid for it, or you can tunnel through the protocols that are unfiltered. It's the difference between a firewall that denies all by default and one that denies none by default.

I live off of Connecticut Avenue in the District, so I'm out near where you're at. I was just curious if you were aware of any of the honeypots put up by some particular companies there, and if you're aware of any of their research, starting folks checking out wireless access points.

I've certainly read about some of the honeypots that people are implementing.
I think it's a really neat idea. I think it's still kind of an experimental thing, but yeah, it's important. I mean, that way we can help learn about the attacks that are out there. I just don't know how seriously people are using it at this point. That's all. Yeah, go ahead.

Hey, what about the human element? Like, did any of the staff at the places look over your shoulder and see what you're doing?

Yeah, I mean, that's a great question, because we were kind of mean sometimes. We'd, like, talk our way into the back room because we wanted to see the hardware and stuff, and yeah, that's really important. I mean, for example, when we went to Starbucks they had a very strict corporate policy. They would not let us take any pictures of their hardware, and good for them. I mean, that's completely the way it should be. Other places, you know, that were just more one-off coffee shops, they were just, you know, it was no big deal. But yeah, the education of your people is absolutely vital. That's a great question.

But you know what, even with Starbucks, all we had to do was obtain a green apron and that was the end of that rule as well. Green apron, khaki pants, black shirt: Starbucks uniform.

Okay, I've got a question. You've looked at it from a WISP point of view. What about, you know, you've got a legitimate account so that you can wander around and use various WISPs. What do you tell people to do to help protect themselves from the WISP stupidity?

I think the best thing to do is to stick with the VPN solution, again, as mentioned before. Make sure you're using a static IP address to connect; ensure that you're routing all traffic through the VPN. Aside from that, there really is no way to protect against the network-level attacks. If somebody's spoofing you, generally if you check your certs you can find that out. Also, I thought the Shmoo Group made a great point yesterday in their presentation: why are we paying for this stuff?
You know, use this as a value-added service to attract your patrons to come into your establishment and stay there. You know, and I hope it changes.

Quick question over here. Have you guys actually bumped up against the 802.1X networks out there, or looked at some of the defensive wireless networks like AirDefense or AirMagnet?

I haven't seen that stuff on any of the hot spots, so the short answer is no, we really have not tested that stuff. Go ahead.

Yeah, have you seen any companies using PEAP or LEAP for authentication onto some of these networks, like hotels?

I haven't seen it yet. I think that goes back to, like, the 802.1X stuff. It's like an issue of compatibility. I think that what I would like to see is sort of optional levels of security. You know, for the end user who doesn't really care about security, is not knowledgeable about it, they just go on with the traditional username and password. For those that are more knowledgeable, don't mind downloading a client, already have, you know, a client that can handle that sort of stuff, they have that as an option. But no, I haven't. The best thing that we saw was Deep Blue, I think, was the company, where they had, like, the optional IPsec VPN. I think at this current time that's probably a great scenario, and then hopefully we'll see 802.1X come out as time goes on.

All right. Hey, I got some quick advocacy to do here, really quick. All I got to do is, I got to say, paper boys, pizza delivery boys, you guys can get a 37 decibel card set up for about a hundred and sixty bucks, and pretty much, I mean, that's it. I mean, hold on. I mean, fuck it, stays right. Fuck it.

I think what you're saying is there are other options out there. Absolutely, a fair statement. Here, go ahead.

A lot of smaller companies don't provide VPN. Do you think services such as Anonymizer... Oh, a lot of smaller companies don't provide services like VPN. Do you think
services that Anonymizer would provide will help?

Not really, because, I mean, that's just going to, you know, mask what you're looking at and stuff. It's not going to help you to do things like connect to the corporate resources and actually, you know, get your email, things like that. I mean, there are some pretty inexpensive VPN solutions. You know, operating systems now have it built in, so I think companies, no matter how big or small, really need to look at implementing that kind of stuff. Had to... where did you go, man? I lost you. Yes. Thank you.

It's been my experience... you don't need to stand up. It's been my experience that often physical security is much easier to compromise than the network. For example, most APs have got an additional Cat5 jack on the back, and it's pretty simple just to walk in, plug in your own access point to that and hide it behind the shelf. What kind of measures have you looked at to provide better physical security? Because most employees will look at it and they'll see a new box there: "Oh, I guess that's supposed to be there." Like locked wire boxes or something like that?

Yeah, I mean, no different than in the wired world. You still have to have the physical security in place. You also have to have the end user awareness. I mean, if hardware doesn't belong there, people should know about it. Actually, some Starbucks actually lock their stuff up in a cabinet, so not all of them do. Hold on, I got one over here.

Yeah, from the hotspots and stuff nowadays, with people getting an IP on there, if you're going to attack other networks, if you're going to use it for file sharing, things of that nature, and then have the RIAA against you and everything, you know, wouldn't they need to protect themselves as a business from those legal liabilities, from that kind of stuff happening?

Yeah, absolutely.
I mean, you know, that's the whole reason why I think things like having an IDS, so that you can actually have a record of what took place on your network, you know, protect yourself. Because, and it's not just people coming into your establishment and using your network, I mean, keep in mind, you know, the wireless network that you set up does not end where your walls end. Chances are it's out in the parking lot, wherever. So it's really tough to protect yourself against that. But you know, when the lawsuits happen, the guy who conducted the attack isn't around. Lawyers are going to go after the deep pocket. So do what you can to keep the audit trails and have something there to be able to show.

Given the relative difficulty and cost of securing wireless networks, do you think that there is any commercial viability to pay-for-play commercial wireless network providers at all in the long term?

I don't like the idea of it. I mean, if I were running a company, I don't think that you're going to make enough money off of it. I think that what you are going to do is make money off of how it's going to attract people to your business. As I said, I kind of said it jokingly, that, you know, you're going to drink more coffee if you're sitting there surfing the web, but it's serious. I mean, I'm more likely to go to a place, I'm more likely to be there, and as there are more and more options for mobile access, I don't see how you're going to get away with charging for it. So I think, you know, be proactive and use it in a different way.

Have you done any experimentation with setting it up to hijack and route the traffic out through there, so that you don't just bounce the poor Windows user off, but you continue to route his traffic as well as yours, NATting him behind the thing, just so that you don't bounce somebody off and create a bigger visibility for yourself?

Yeah, that's interesting.
The only problem is, though, that you're using their IP address. So, I mean, you both have it, so I don't think there would be a way to route it. What's that? Is it... I think it'd be a really cool scenario, because yeah, the downside to what we're doing there is that, you know, you're blocking the person in that scenario. We're right... We also had scenarios where both the target and the attack box were Unix boxes, and in that case we were actually able to use both at the same time, because they didn't get fussy about the fact that there were two identical IP addresses. And, you know, I mean, a wireless network is like a hub; I mean, it's just broadcasting traffic, so the network didn't really care either. But chances are, if you're attacking somebody, they're not using a Unix box on that network. But so, interesting scenario; you stumped me on that one, so you get a prize.

Have you found the TCP/IP over DNS flaw that the Starbucks T-Mobile network has?

No, tell me about it.

Okay, so for all of you out there that like Starbucks just enough to rip them off: if you have NSTX, it was a proof-of-concept software for people that use the free Microsoft dial-up in Europe to get software patches. It works with Yahoo dial-up when you go to grab the dial-up numbers. It also works with Starbucks T-Mobile networks. You can actually roam from wireless network to wireless network, because it works by sending TCP over DNS, and the way that it works is allowed out because they have recursive name queries through their name server. So their firewall will actually pass your tunnel through their network. So every Starbucks is an open wireless network and you can tunnel SSH over it, and your tunnels won't die when you move from Starbucks to Starbucks, Surf and Sip network to Surf and Sip network, and Wi-Fi network, you know, A and B.

So did you indicate there was a tool that could be used, or is it called... NSTX. NSTX, it's the name server transfer protocol. All right, cool.
Thanks. Oh, actually, I think we're out of time. I think we should wrap it up. Well, we're going to head into, like, the chill-out area. If you guys have further questions, if you guys want business cards or whatever, stop by. Thanks a lot for coming. This was a lot of fun.