March 7th, 2003, 06:04 PM
wireless insecurity... report?
EDIT: Sorry about the multiple posts... my connection kept timing out... I didn't think it ever posted. I've been having trouble posting lately... my bad. They should all be deleted by now.
I was in lab the other night at school and I working with this guy who has a hosting comany and also a small wireless ISP (802.11g) going on. He had his laptop with him and he was looking to see if he could get to his WAPs from our school. We could not.
But.... here is what we discovered...
Turns out that our school has 3 WAPs all broadcasting their SSID and are wide open. We didn't breach any security... we just discovered them. We have better things to do than mess with the schools network. It is a state run college and we could get in a sh17 load of trouble for messing around. I'm trying to get my education... not get kicked out/jail time.
I want to tell the admins... but want to be sure that they won't turn it around on us... like we were trying to break in... which we were not. Mabye we'll send an "annonymous" e-mail alerting them without giving our contact info. Mabye we'll just say that we live in the area (which there are plenty of dorms/apartments near by) and that we discovered their unprotected WAPs and they should look into securing it better. For now... I'm taking ALL of my stuff off their network...
Pretty scary with all of those kids at school getting in trouble for trying to help out the admins and the school alike. I'm tempted to just forget it... but what would that make me? No better than their admin(s). I have read the horror stories of others trying to help too.
Like most people know... I'm not a malicious person and neither is he. We both want to be in the security field at some point in our carreers and we are well on our ways. We feel we have a responsablility to both the school and the students to report it. We just don't want to get in trouble...
What do you all think we should do? Just forget it and let them worry about it?
March 7th, 2003, 06:37 PM
I've been in network security for five years and its been my experience that some admins are territorial lil' *****s. Despite this, something must be done to inform these "individuals" of the flaws in their network. Just forgetting such a matter makes you just as irresponsible and unprofessional as your substandard admins. If you foresee an issue in elightening them, then just do it anonymously if need be. But ultimately do the right thing and report the issue to the best of your means available.
March 7th, 2003, 06:54 PM
Re: wireless insecurity... report?
Why not call them from some phoneboot in town?
i m gone,thx everyone for so much fun and good info.
cheers and good bye
March 7th, 2003, 06:59 PM
Yes I totally agree with DJay. I've tried going to the admins of my high school about problems, only to have them laugh in my face. But I laughed whenever they got in trouble for all the security flaws ;D Though letting them know at least lets you know that you did the right thing, it is up to them to take measures.
I would think though that if you might know any staff members of your college, maybe you should let them know so they can actually talk to the admins or place "help desk tickets" like we have here at Penn State. That way the problem can be logged and dealt with, and you don't really have to have your name mentioned, so you can't be acused of doing any "hacking".
[shadow]There is no right and wrong, only fun and boring...
Formatting my server because someone hacked into it sounds pretty boring to me...
That\'s why it\'s all about AntiOnline.com![/shadow]
March 7th, 2003, 07:07 PM
I have had mixed reaction from informing Administrators that their wireless network needs to be better secured.
The "I don't give a crap admin"
One instance noticed that at this particular intersection I was picking up a lot of public IP traffic on my wireless software (kismet). I later analyzed the ethereal log that I had obtained and noticed a lot of POP passwords, IRC traffic (w/passwords), etc... I did a nslookup on the IP's that I found. I called the tech support at the ISP that registered those IP's. They said that it was " A new network and they weren't finished with it". Kind of odd that a network with customer traffic on it was "new and not finished". Well anyways, months went by and they still never fixed. Never heard from them again.
The "Thank God you told me this Admin."
Other instance, involving a major Oil Company. On my day of driving around I noticed a new AP. So I went to check it out and gather some more info. It also had publicly registered IP's. As well as a lot of http traffic, again my friend ethereal helped me out. I decided to call the Admin at this oil company, and when I say big, think Chevron, Connoco, Shell, etc... I called thier main number and asked to speak to a network administrator. Can you believe this, they patched me directly to one of their network security admins. Thought that was un-bellievable. Anyways, the admin was very pissed at the person that had done this. He asked for the ethereal log, which I was happy to send him, and he said it would be taken care of immediatly.
Those are the two instances so far that I have dealt with personally. Of course there are those admin's that would take you to court and sue you. But those are the chances you take by divulging information that you learned. Personally, I am one of those Administrators that would appreciate someone sharing with me information about insecurities in my network that I manage. Just be careful in how you approach the administrator and or management.
March 7th, 2003, 07:19 PM
I have thought about this, but most of the ones I know... know that I am learning network security, and might think I tried to find a vulnerablility. I am really cool with some of them.. but policies are policies. I don't want my name in the picture. I don't have too long to go with my first degree and would hate to jepordize it over something like this. Especially since I'm going to be returning for a second degree and some certs.
I would think though that if you might know any staff members of your college, maybe you should let them know so they can actually talk to the admins or place "help desk tickets" like we have here at Penn State.
I've had this happen to me too. Makes you feel like crap that someone thinks that you can't know anything because of your age and education. Try living with my Dad... he is always "right"... lol
I've tried going to the admins of my high school about problems, only to have them laugh in my face.
That is exactly what I'm thinking. I guess I will report it annonymously.
Just forgetting such a matter makes you just as irresponsible and unprofessional as your substandard admins.
Thank you for your suggestions.
I can always count on the AO community to point me in the right direction!
Its a good thing that we follow a good set of ethics...
/off to yahoo to create a "Joe User" account...
March 9th, 2003, 04:30 AM
hter is the third type of admin who think they are teh **** and everyone lese just stink...
I just recently re-became a student. after notr being able to check my email (school) for 3 days i went to ask some ???? got as an aswer a shitty it'll get better in2 months... sorry not good enough for me.
I know i'm not the best but 2 month is not acceptable in this kind of environment. so i wne and told him the truth about his netowrk (or at least my version) and he went like you know crap.... ok but the network is still down and right now we are 4 weeks later ...
this is the worst attitude i've ever ran into.
assembly.... digital dna ?
March 9th, 2003, 04:37 AM
I say you should just chalk right in front of the sysadmins office. You can't get it turned around on you as attempting to break in, you get to have a clear concience, and hopefully the guy will take it for what it's worth and fix the network before someone does exploit it.
--edit: edited to add the winking smiley.
March 9th, 2003, 04:57 AM
That's a very intersting site, thread_killer....especially how they address the legalities of warchalking. Pretty cool / funny.
March 9th, 2003, 05:18 AM
phish: I have been dealing with this around my town for quite some time. I have infiltrated quite a few networks ( some without even trying) and finally it got one my nerves so badly that I contacted one companies ISP, and the local paper with some information.
I've reported incidents to a handful of businesses, institutions etc about their flaws, and yes some admins are indeed *****s. Some aren't. What hasn't failed me yet is to go above the admin, directly to the person whose network is supposed to be being secured by the admin..
(You usually get a prompt and serious response.) namely the director, CIO, CEO, COO etc etc. My suggestion would be the following. kindly send a letter of concern to the admin. Make sure you word it so as not to implicate a hacking. After all Wireless signals are broadcasted...its not your fault you picked it up..much like a radio signal in your car. If the admin does not respond or responds negatively, go over his head and contact his boss.
Antionline in a nutshell
\"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"
Trust your Technolust