Firewall Wizards mailing list archives

Re: Interlopers on the WLAN


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 6 Nov 2002 02:57:20 -0500 (EST)

On Tue, 5 Nov 2002, Philip J. Koenig wrote:

        [SNIP]


So in regards to banners, I have a couple of questions/points.

First of all, while banners can be argued for as a good way of 
ensuring "prosecutability" in a particular case, are there actually 
many cybercrime laws that require such notification in order for a 
violation of the law to take place?  The California law I cited, for 
example, certainly doesn't have this kind of prerequisite. (although 
I'll admit it might make someone easier to prosecute)


As others have pointed out, you need to broaden the perspective on all the
legalities some.  While the law, criminal, might not make specific
mention of banners, your insurance company might well take this into
consideration.  Also, civil law may well make this an issue, especially
when your wlan allows others routes to do damage or DDOS others and they
come back seeking to sue you for lack of due diligence.

Secondly, banners are perfectly logical and obvious on systems that 
are open via telnet, ssh, ftp etc.. but on a WLAN that may just be 
routing packets, I don't see a reliable way to guarantee anyone sees 
a "banner" when all they're doing is routing packets. (yeah if you 
assume all anyone wants to send/receive is http you could run an http 
proxy, but that doesn't cover all the bases either)

Seems to me that ignorance is not a good defence for unauthorized 
network access, and claiming you "didn't know who owned it" doesn't 
seem to wash either. (if an interloper truly felt that permission was 
needed, if they didn't have *explicit* permission - not just "WEP 
isn't turned on" - then I'd argue they have no business hopping on.)
The problem, seems to me, is that people assume if it's not locked-up 
like Fort Knox with a bunch of guns at your head, it's "free for the 
taking".

What I wonder about is this presumption that some arbitrary level
of security features enabled is what distinguishes "public" vs
"private".  There certainly doesn't seem to be a consensus on that, 
and absent a consensus it seems like a case of "blame the victim" to 
me.

This new WiFi security feature (WiFi Protected Access, or WPA - an 
early subset of 802.11i) shows some potential to solve some of this 
stuff by A) creating a standard 802.11 authentication method and B) 
eventually requiring the security features to default to "on".. 
although the only clue as to when this might happen in the 
documentation I've read is they say this will occur "someday". LOL.

In the meantime, it seems most WLAN equipment comes out of the 
box in default configuration with security turned off and it seems 
like a big stretch to me when a network configured in that way is 
automatically assumed to be "public".


There have been a number of threads mentioning how vendors tend to not
secure their products on shipping or default installs.  This is one of the
reasons there are so many groups and lists and what not <bugtraq,
firewalls mailing list, vuln-dev, vulnwatch, firewall-wizards, local
infragard chapters, etc, etc> in which people try to get the word out and
help others learn this is a dangerous medium in many respects for sharing
data, information, and in which to engage in discussion, let alone do one's
work.  People need to educate themselves on the issues, especially those
tasked with network design and network defence/monitoring to safeguard
their installs and deployments.  The home user that connects his PC to the
internet without at least a minimum of an updatable anti-virus product is
in danger, to himself and a danger to others on the internet.  Someone
deploying wlan AP's in "out-of-the-box" unsafe default setups is as much a
fool and a risk to themselves and others on the internet.  Not that this
pulls some responsibility from vendors shipping their toys in those
unsafe modes, but, there people have to vote with their dollars, as well
as shout at their vendor reps and to the various help desk folks they
need to contact to get the info to setup something with some sense of
'security' in mind.  Doing nothing here to safeguard your network puts
some of the onus upon yourself for the 'free-riders' and worse.  In fact,
doing nothing to change the unsafe defaults means others do not really
have to connect actively to your AP or systems, they can passively sniff
all the traffic if they just want to pull all your private information
together.  And, they do not have to be in the parking lot or across the
street to do so, they can cheaply acquire the means to do so at a much
longer distance <http://sysinfo.com/wire1.html
http://sysinfo.com/wired2.html>.


Of course, if you catch an intruder, try and get the legal authorities
involved and see what is really required in damage layouts to really get
someone to show up to do more than merely take a report on the issue.
It's kinda like when you report your car has been vandalized, you
certainly are not going to expect the police or other legal authorities
to come out and take fingerprints and photos and send out the search dogs to
apprehend the culprit.

Then again, should this wlan you are putting up connect into your
*firewalled* wired systems/network, you not only have changed the
defaults, and enabled wep, but, require a strong vpn to get inside, which
might be the place for a banner notice or popup window of similar
statement.


Thanks,


Ron DuFresne

<remember;  what you don't know and do not do, can hurt you>
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
