Anonymous Wireless Reporting

[Tiger Shark]

It came to my attention in another thread where people who wardrive for fun find open WAP's in Banks, Hospitals and other establishments that pass client data in clear via the airwaves. The people who find these, being responsible citizens, would like to report these security breaches but are frightened of the current laws in their country to do so for fear of retribution by the offending WAP owner labelling them a hacker and breaching the law by accessing their data.

It seems to me, that in the case of wireless access _only_ that since I live in Detroit and much of this is happening in other states that I could act as a no-cost "go-between" from the finder to the vulnerable WAP owner without fear of being accused of being the "hacker" myself.

It would prove to the WAP owner that the finder is indeed concerned but is sufficiently aware and afraid of the law that they would not report it for fear of retribution. It would be clear to the WAP owner that i have not been wardiving them since I can clearly prove that I live in a different city and can prove that I have not recently been to theirs.

This takes the 'heat' off the finder and shows the WAP owner that no malicious intent is intended... this is simply a "heads up" service provided to protect an innocent party from the potential backlash of an incompetent or insecure administrator.

I think it's a good idea.....

Anyone's thoughts?

[moxnix]

Well Tiger I think that is a very good idea, and if you need any help, or the WAP is in the Detroit or Michigan area, just contact me......I would be more than glad to help on this.

[Soda_Popinsky]

How nice would a goverment ran "disclosure" program be?

A place that you can report a vulnerability, have it on goverment record when that vulnerability was found, and know for sure that the vulnerable party got the message. I ran into this problem a while back, I had a vulnerability in my hands, and I needed to get a rather large corporation's attention. I failed for over 2 weeks to do so, so I went to Secunia.com. They also failed to get the company's attention... so they released an advisory.

I think a goverment ran program would be great for all of this, including storefront / WAP vulnerabilitys and such... Something "anonymous" that we can go to. Maybe like us-cert.gov?

I am reminded of those tiplines in high school...

[phishphreek]

TS: That is a very nice thing of you to do. Hopefully you don't get too many requests. If you start to get too many, then try to get some others on this site to help you out. I'd help if the demand was great enough.

On another note: If anyone out there is trying to make some extra cash and you like war driving...
Drive around neighborhoods and look for unprotected WAPs. Then post signs about the unprotected WAPs and why it is bad to have them open to the public. Leave a contact number or email address. If and when they contact you, offer to secure it for them for a small fee. (Fee will change depending on how many hosts you need to configure.)

The next best thing is... even though you tell them exactly what you are doing and leave a paper outlining and detailing all info that was used to configure it... they will call you back to add more machines to their wireless network. Instant customers and you'll even get some referrals. I've done this in two neighborhoods and made some decent pocket change from it. Just make it clear that you are not their tech support line.

[Tiger Shark]

Just make it clear that you are not their tech support line

Best piece of advice given here in a long time.....

If you offer any kind of service make it quite clear up front the limitations of that service otherwise they will call you for every last little thing...... trust me.... been there....