Re: Wireless ISPs

[Scott Taylor <security () 303underground com>]

On Tue, 2004-05-11 at 15:15, D B wrote:
> --- Frank Knobbe <frank () knobbe us> wrote:
> > On Tue, 2004-05-11 at 13:33, D B wrote:
> > > All transactions done via secure websites are
> > secure,
> >
> > No, they are not. It's just harder to intercept the
> > data.
>
> The level of knowledge it takes to penetrate a SSL
> style transaction puts it beyond most peoples scope of
> abilities

The data in transit from SSL websites is rather secure. But that does
nobody any good if its saved on an unpatched M$/SQL Server.

> > > A wired internet connection
> > > limits the number of people who have access to
> > this
> > > data simply by the nature of the internet putting
> > it
> > > within acceptable risk.
> >
> > Same can be said for wireless. (Except that the
> > perimeter of the attack
> > arena is defined by the wireless emissions instead
> > of cable runs.)
>
> ... look at the aspect of what points does one have to
> have access to gain the amount of data on a wired
> network in comparison to the same level on a wireless
> AP... unless you can spoof to the gateways IP  / MAC
> or actually get access to the gateway it isnt
> possible, and on a switched network odds are if you
> spoof to that MAC  / IP you will confuse the network
> enough to be noticeable
>
> a high gain antenna attached to a laptop / PDA and a
> wireless AP such as an internet provider would mount
> would give access in some cases up to 17 miles away
> with no trace ....without a high gain antenna im
> getting ranges of about a half a  mile away ... plus
> spoofing to the gateways IP isnt noticeable to anyone
> unless they are watching that gateways logs complain
> about a duplicate IP /MAC ( yes i did try this on my
> own AP )

There are ways to eavesdrop on anything. People who sign up with large
ISPs like to think they can get lost in the shuffle, without realizing
there are techs and admins all across the country that can view data off
sniffers located across their infrastructure. Plus theres the
possibility that someone hacks a machine on a business/isp network and
uses it as a remote password sniffer, etc. With wireless, many similar
things can be accomplished without the need of expensive hardware or
difficult hacks, and can be done from the comfort of a nice air
conditioned car. But either way, once the data leaves your computer and
goes across the air or even a landline network - its out of your hands
and you must evaluate the risk and know that it exists. No method of
transit is immune. But many simple steps can be taken to reduce the
risk.


> > Maybe, INAL. But it is illegal to commit fraud with
> > the data gathered by
> > eavesdropping.
>
> and someone after credit card #'s is worried about
> legal ?
>
>  
> > Uhm... someone that accesses and uses the data is
> > already prosecutable.
>
> point being it is preventable and not being done so
> ... or at least preventable to a level beyond the
> scope of running a program and watching the data flow
>
> netstumbler on windows is quite simple to run
>
>
> all I am after is raising the level of knowledge
> needed to access the data beyond that of an 8 year old
> with windows on a laptop running netstumbler and a
> wifi card
>
> do u not agree this would be prudent ?
>
>
> Dan Becker
>
>
>
>
>       
>               
> __________________________________
> Do you Yahoo!?
> Win a $20,000 Career Makeover at Yahoo! HotJobs  
> http://hotjobs.sweepstakes.yahoo.com/careermakeover
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
--
Scott Taylor - <security () 303underground com> 

scribline, n.:
        The blank area on the back of credit cards where one's signature goes.
                -- "Sniglets", Rich Hall & Friends

    

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html