"Free Wi-Fi" Scam In the Wild
DeadlyBattleRobot writes in with a story from Computerworld about a rather simple scam that has been observed in the wild in several US airports. Bad guys set up a computer-to-computer (ad hoc) network and name it "Free Wi-Fi." You join it and, if you have file sharing enabled, your computer becomes a zombie. The perp has set up Internet sharing so you actually get the connectivity you expected, and you are none the wiser. Of course no one reading this would fall for such an elementary con. The article gives detailed instructions on how to make sure your computer doesn't connect automatically to any offered network, and how to tell if an access point is really an ad hoc network (it's harder on Vista).
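As an added example (not from the Computerworld article or the original post), the check the summary describes can be automated by parsing a wireless scan listing and flagging ad hoc and open networks before anything auto-joins them. The sample text is constructed and assumes the field layout printed by `netsh wlan show networks` on Windows; the function names are hypothetical.

```python
import re

# Constructed sample, laid out like `netsh wlan show networks` output (assumed format).
SAMPLE = """\
SSID 1 : Free Wi-Fi
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None

SSID 2 : AirportPaidAccess
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None

SSID 3 : CrewNet
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
"""

def parse_networks(text):
    """Return one dict per SSID block, holding that block's key/value fields."""
    networks, current = [], None
    for line in text.splitlines():
        m = re.match(r"^SSID \d+\s*:\s*(.*)$", line)
        if m:
            current = {"ssid": m.group(1).strip()}
            networks.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return networks

def flag_networks(text):
    """Map SSID -> reasons it should not be joined automatically."""
    findings = {}
    for net in parse_networks(text):
        reasons = []
        if net.get("network type", "").lower() in ("adhoc", "ad hoc", "ad-hoc"):
            reasons.append("ad hoc (computer-to-computer), not an access point")
        if net.get("authentication", "").lower() == "open":
            reasons.append("open network, traffic is unencrypted")
        if reasons:
            findings[net["ssid"]] = reasons
    return findings

if __name__ == "__main__":
    for ssid, reasons in flag_networks(SAMPLE).items():
        print(ssid, "->", "; ".join(reasons))
```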
Avoid ad-hoc connections (Score:4, Informative)
Washington Dulles too (Score:1, Informative)
Not that hard in Vista (Score:5, Informative)
Re:Avoid ad-hoc connections (Score:5, Informative)
Even worse, their 200mW cards will out-power the real 40mW access points so Windows will prefer to use the attacker's "closer" "access point".
http://www.remote-exploit.org/backtrack.html [remote-exploit.org]
Not just airports (Score:2, Informative)
Re:Quick question (Score:4, Informative)
e.g. if I ssh to my home computer, or access an https site, am I still ok?
As long as you exchange keys with the actual end host, and not the man-in-the-middle, you're fine.
If the Man-in-the-middle tries to give you his own SSL key, your browser will throw up an error message that the key is invalid. If you click "accept key", then you're hosed and the attacker can read all your traffic.
As far as ssh goes, if you've connected to the host before, SSH will (or at least on the clients I've used) throw up a big warning message that someone is trying to hack you. If you haven't connected, no such warning will appear and if you type in your password the attacker will get your password, and everything you type in your ssh session.
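The three SSH cases in the comment above (known key, changed key, never-seen host), as an added example that is not part of the original post. It classifies an offered host key against unhashed `known_hosts` lines and shows how a fingerprint obtained out of band closes the first-contact gap; the host name, keys and function names are constructed for illustration.

```python
import base64
import hashlib

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(known_hosts_text, host, key_type, key_b64):
    """Return "match", "changed" (possible man-in-the-middle) or "unknown".

    "unknown" is first contact: there is nothing stored to compare against,
    so the key must be verified some other way before a password is typed.
    """
    seen_host = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # skip blanks, comments and @cert-authority/@revoked lines
        hosts, ktype, kdata = fields[0].split(","), fields[1], fields[2]
        if host not in hosts or ktype != key_type:
            continue
        seen_host = True
        if kdata == key_b64:
            return "match"
    return "changed" if seen_host else "unknown"

def first_contact_ok(key_b64, expected_fp):
    """Accept an unknown host only if its fingerprint equals one noted in advance."""
    return fingerprint(key_b64) == expected_fp

# Constructed sample data (not real keys).
HOME_KEY = base64.b64encode(b"constructed home server key").decode()
ROGUE_KEY = base64.b64encode(b"constructed rogue key").decode()
KNOWN_HOSTS = (
    "# constructed known_hosts file\n"
    f"home.example.net,203.0.113.10 ssh-ed25519 {HOME_KEY}\n"
)

if __name__ == "__main__":
    for host, key in [("home.example.net", HOME_KEY),
                      ("home.example.net", ROGUE_KEY),
                      ("new.example.net", ROGUE_KEY)]:
        print(host, check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
    noted = fingerprint(HOME_KEY)  # written down while on a trusted network
    print("first contact accepted:", first_contact_ok(ROGUE_KEY, noted))
```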
Re:Free is still free for me (Score:4, Informative)
Then I read this thread.
And pointed out my UserID to the same friend.
Too bad - I have actually seen that "Free Wi-Fi" ad-hoc network in a few airports in the last month or so (I think in Midway airport in Chicago). I did not join it, since I knew the SSID of the official wireless service (and knew that it was paid access).
An interesting thing to do is to join the network, fire up a Bonjour Browser (or your other favorite ZeroConf browser) and see available services. If people are sharing their iTunes libraries, if they have a ZeroConf chat program, and so on...
Why just ad hoc? (Score:5, Informative)
Old problem, Old solutions (Score:3, Informative)
I see no problem here that cannot be solved by adopting the same principles that you would use for ordinary domestic internet access:
1) Turn on your firewall and close all open ports.
2) Don't send sensitive data over an unsecured network.
forget about the network (Score:4, Informative)
The message here shouldn't be "don't connect to untrusted networks," it should be "secure your machine."
Once you do that, these guys are just being nice and giving you a free connection!
-rsw
Re:P. T. Barnum... (Score:2, Informative)
http://www.historybuff.com/library/refbarnum.html
Re:Better yet... (Score:2, Informative)
If / when I ever get any wireless kit, I will change the name of my neighbours' unprotected router (currently set to the make and model name; a quick Google search revealed the default password) to "pWn3d", have my router emulate theirs but with suitably distorted graphics, and see what happens. Just a shame I can't listen in on their call to tech support.
Now, that does sound like serious PHUN!
Re:Not that hard in Vista (Score:2, Informative)
1. Become SYSTEM.
2. Open explorer to My Computer
3. Open share properties (be careful: do not open folder security)
4. Open share security
5. Change permissions to deny for all.
ad-hoc or access point (Score:2, Informative)
There you go - free wi-fi!
Re:Free is still free for me (Score:3, Informative)
Re:Relay? (Score:2, Informative)
Gmail has a secure login page [google.com] as well but you have to explicitly type in https in order to get to it.
These open WiFi networks are really scary. A criminal could park his car next to Starbucks with a laptop and an AP in the trunk. The AP would broadcast an SSID with the name "Starbucks" and forward almost all packets transparently. However, for banking websites, the laptop would form an SSL connection to the bank and forward an unencrypted page to the user. A lot of people wouldn't notice that the connection wasn't secure, especially if all other websites seemed to be working fine. I don't know if a hacker would really want to read your Gmail, but he would be thrilled to get the login info for your bank!
It is too easy to get screwed (and not even realize it) using an open WiFi network. At least if you physically lose your credit card or know that a hacker has gotten your information, you can cancel or freeze your accounts. But if you don't know your account has been compromised, it could be totally drained by the time you realize it. My advice is don't do anything requiring a login on an open WiFi network unless you use a secure VPN tunnel to a machine that you trust. Also, don't keep very much money in your checking/ATM account; invest it or put it in a savings account where it is not as easy to clean you out in one shot.
I switched away from Bank of America partially because they required me to enter my card number and PIN as part of the login process. They claimed it was secure because you entered the two pieces of data on two consecutive web pages. But I might not notice if that second page was not SSL encrypted but was otherwise identical to the real page. WaMu requires an Internet-only login and password. If a hacker somehow got my online banking login info, he/she would not be able to clean me out through an ATM. But if my BofA info had been stolen online, they would have been able to make a fake ATM card and withdraw everything in the account.
Another scary thing that I just realized is that phishers could use the same trick that I mentioned above. They could set up a similar sounding banking website except forming an HTTP connection rather than an HTTPS connection. However, they would forward the data so that it would seem to the end user that everything is fine. They could even create an unsigned certificate and use SSL between the phishing server and the user. Of course, the user would have to accept the certificate, but most people just blindly click "Accept", don't they? I don't know if phishers are using this technique yet, but I would definitely watch out for it in the future.
gmail Can start with a Secured Connection (Score:2, Informative)
Re:Free is still free for me (Score:1, Informative)