Network News

X My Profile
View More Activity

Wireless Awareness: Don't Be A Sheep

LAS VEGAS, NEV. -- iPhones and other mobile devices with wireless access were among the top contributors to this year's "Wall of Sheep," a public shaming exercise debuting at the Black Hat security conference in Las Vegas this week that aims to educate people about the dangers of sending e-mail and other online communications over open wireless networks.

Conference organizers issued a clear warning to attendees: If you check your e-mail or communicate using the ubiquitous conference wireless network, be sure to do so over an encrypted connection (https:// versus http://). Otherwise, your credentials will be projected onto a wall where everyone will ridicule your seeming inability to grasp a fundamental tenet of online security.

Apparently, a fair number of the most well-trained security professionals ignored this advice. The team responsible for monitoring the Black Hat wireless network posted more than 30 sets of credentials, many from individuals who had more security industry certifications to their name than would fit on a standard business card.

Curators of the project are still combing through the hundreds of gigabytes of data sent through the unsecured Black Hat wireless network.

"We've had some heavily credentialed people with every certificate you can imagine go up on the wall," said Brian Markus, president of Aries Security, the company that sponsors the Wall of Sheep. "The best of the best are at this conference, so if they're getting hit, what's happening to the average users?"

Aries pulled six sets of credentials off of the wall at the request of the hapless sheep. Amazingly, a few of those embarrassed by seeing their passwords up on the Wall actually went ahead and changed them in-the-clear, causing their new credentials to be posted for all to see, Markus said.

Aires Director Joseph Mlodzianowski said that many of the victims appeared to have sent their passwords using mobile devices like iPhones, which in many cases are configured to hop onto open wireless networks whenever they're available. Mlodzianowski said he suspects a number of the sheep probably thought they were accessing their e-mail via the iPhone's data network, when instead their phone was transmitting the information over the hostile Black Hat wireless network.

In a bit of drama that erupted yesterday, several reporters were ejected from Black Hat they poisoned the wired network in the press room, and proceeded to offer the stolen credentials to the Wall of Sheep operators. The interloping reporters allegedly swiped passwords belonging to journalists at CNET and eWeek.

"That's just ridiculous, and it's not what we're all about," Markus said. "Those were active attacks, and what we're doing is passive. We're simply watching the traffic that is going out on this network, kind of like turning a knob on a radio and listening to different stations."

-- Brian Krebs

By washingtonpost.com Editors  |  August 8, 2008; 1:40 PM ET
 
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Researchers Warn of Social Networking Scams
Next: Georgian Web Sites Under Attack

Comments

Unfortunately, many commercial vendors don't even offer secure access to web mail.

In Canada, for example, Rogers webmail is still unsecure.

Posted by: George D. | August 8, 2008 3:17 PM | Report abuse

The only email that I know of that is pretty secure...because sometime keys don't work right...is Gmail. They use encryption from IMAP and also their webmail now uses encryption.

Posted by: diddyho | August 8, 2008 3:25 PM | Report abuse

Yikes! If the security pros can't get it right, how can we ever hope the average user will?

As to wireless access, I refuse to use it for anything other than browsing passive information (news, weather, sports scores, etc.) whether on a mobile device or computer. Anything that requires credentials is done via a hardwired connection on a trusted network using encryption (even POP3 via Outlook) on a secured computer. That way there is little chance of exposing my credentials. Call me paranoid I guess.

Posted by: TJ | August 8, 2008 3:38 PM | Report abuse

You have to have something that is worth the time for people to bother stealing.

If some hacker is evesdropping on your phone call catching up with your grandma who cares? they must be really bored. If someone intercepts your daily messenger lolcat and youtube video links good for them.

Its only a real issue for personal documents and details, socials account numbers passwords, financial accounts etc or sensitive business communications.

I have no virus scanner, my computer is full of security holes someone could break in right now and browse through my HDD i wouldnt care - becuase there is nothing on there, i dont really care if my system is hijacked and used for a DoS attack and ill re-image it all the time.

The importance of security is relative to what you have to lose.

Posted by: Reality is.... | August 8, 2008 5:17 PM | Report abuse

"i dont really care if my system is hijacked and used for a DoS attack"

You my friend are the reason you are getting so much spam.
The rest of the world has you to thank.

Posted by: bob | August 8, 2008 5:28 PM | Report abuse

The only true Security is to have nothing worth stealing.

Posted by: Eric Swan | August 8, 2008 5:28 PM | Report abuse

Anyone who buys an iPhone is already a sheep.

Posted by: Kerberos | August 8, 2008 5:35 PM | Report abuse

I never send sensitive data over wireless or unsecured e-mail so this is a non issue to me.

Posted by: Gubinsky | August 8, 2008 6:02 PM | Report abuse

There is no such thing as secure, only secure enough.

Posted by: RangerX | August 8, 2008 8:16 PM | Report abuse

"The only true Security is to have nothing worth stealing." - Eric Swan

Whether one has sensitive info that can be had by hackers is not the issue... One needs to secure one's online connection to avoid hackers/crackers/crooks use whatever one has - and BANDWIDTH is as important as well - they may just use it to commander your system as "zombies" to infect others. Don't be an ignorant participant of these online evil activities...

So is bandwidth NOT A PRECIOUS commodity anymore?

Posted by: aRnulFo | August 8, 2008 9:32 PM | Report abuse

"The only true Security is to have nothing worth stealing." - Eric Swan

Whether one has sensitive info that can be had by hackers is not the issue... One needs to secure one's online connection to avoid hackers/crackers/crooks use whatever one has - and BANDWIDTH is as important as well - they may just use it to commander your system as "zombies" to infect others. Don't be an ignorant participant of these online evil activities...

So is bandwidth NOT A PRECIOUS commodity anymore?

Posted by: aRnulFo | August 8, 2008 9:32 PM | Report abuse

I" have no virus scanner, my computer is full of security holes someone could break in right now and browse through my HDD i wouldnt care - becuase there is nothing on there, i dont really care if my system is hijacked and used for a DoS attack and ill re-image it all the time."

you are an idiot! there are tons of things they can steal. there are also tons of things they can place on your system. stolen software. stolen credit card info . child porn. and they will probably hide it so you wont notice its on your system until cops knock on your door.

once more, you are an idiot!!!

Posted by: Anonymous | August 8, 2008 10:08 PM | Report abuse

Personally, I don't care if I have little to no security available while emailing. There isn't anything I write in my emails or talk on a wireless phone that I wouldn't want anybody to read...if they should choose, or listen into or overhear...if whomever should want to. Do I think private networks should be available? Yes. After all, a doctor could have a need to talk about a patient, and I'm certain there's other situations that need privacy. Therefore, I believe it's necessary for privacy and security to be an option, and I think it's necessary that companies providing Internet access and phone service should be required to provide that option and to inform their customers.

Posted by: NoSecretsHere | August 9, 2008 11:57 AM | Report abuse

"There isn't anything I write in my emails..." - you're missing the point maybe. It's not necessarily any given email that's of interest, it's that you're sending your credentials in cleartext as well. Once that's intercepted, anyone can then grab your emails from the server.

(and three jeers for waPo's inability to implement the simplest of mechanisms to keep out spam link comments)

Posted by: quarkdoll | August 9, 2008 5:26 PM | Report abuse

"The only true Security is to have nothing worth stealing."

Think you have nothing worth stealing? Ha Ha. Maybe you'll change your mind when the FBI comes knocking on your door because because some hacker is using your computer to host his illegal activities.

Posted by: j. vincent | August 11, 2008 11:21 AM | Report abuse

I can't even READ the article because an HP ad is blocking the lede. The comments are loaded to the gills with spam, too. And people wonder why newspapers are crashing and burning.

Posted by: peggy | August 15, 2008 8:47 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company